Posted By: The Channel 9 Team | Jul 26th, 2004 @ 2:54 PM | 19,234 Views | 10 Comments
How do bad guys work to figure out security holes? Michael Howard, Microsoft's top security guy, talks about how the bad guys go about their work.

This video is from an earlier interview we did. Here's the rest of the clips, just in case you missed them:

What are the top things the average person can do to protect themselves?

When does threat modeling come into play?

What if we had an unattackable system?

What isn't being taught well enough in college? Security!

There are people out there that really want to get you.
I always wanted to see more Michael Howard videos, among many others. I sometimes wonder if these Channel 9 guys are reading my mind, or something.

Isn't that Brad Abrams in the grey t-shirt, occupying the corner seat right behind Michael Howard?
Please tell me more. I want to know how to write secure code. I love this series of videos.
Colin Angus Mackay
Developer! Developer! Developer! comes to Scotland on the 10th May 2008
Michael Howard's videos are great. Is there any chance of getting this video in a downloadable form?

Thanks,
Colin.
scobleizer
I'm the video guy
Unfortunately I don't have this one in downloadable form. Sorry.
Just out of curiosity, what determines whether a video can be downloaded or not?

Cool video. I haven't read "Writing Secure Code" yet, but this video makes me want to go grab a copy and definitely work harder to keep the "sKrypt Kddyz" away from my work.

-Brian
mVPstar
I'm white because I smelt an onion.
brian8480 wrote:
Just out of curiosity, what determines whether a video can be downloaded or not?

Cool video. I haven't read "Writing Secure Code" yet, but this video makes me want to go grab a copy and definitely work harder to keep the "sKrypt Kddyz" away from my work.

-Brian
Heh, I have this book but can barely understand a good 60% of it due to my level of programming comprehension.
arun_coorg
New Inventions might change the thinking towards innovation.
Michael Howard gives the power to think about security in real time.

Arun
Beer28 wrote:
basically, I'm trying to say that no one is going to use unchecked socket data as a malloc length or a memcpy length.

If they do, their app should not be used. And that's the importance of open source. 


And yet there are thousands of instances of it. Sure, in simple cases it's easy to spot, but in others it's easy to miss. Buffer overflows are the #1 cause of security flaws in any operating system.

Open source is not a silver bullet to protecting against such exploits. Neither is managed code, although it is considerably better in this regard.
Maurits
AKA Matthew van Eerde
I've learned through bitter experience to code as if I was under siege. At every line of code, I ask myself... "What could go wrong here? What assumptions am I making, and what happens if that assumption is wrong?"

90% of the time the answer is "the function will fail in some appropriate fashion."

10% of the time the answer is "the function will fail in this horribly dangerous or overdramatic fashion". For example, a thread might, instead of sensibly dying with an error code, sit forever on an exclusive lock and tie up the rest of the application.

That 10% of the time is what allows hackers in.

Every function should consider its input to be malicious, and take steps to fail intelligently if it is.

It's odd that he mentioned Perl in the context of a hacker tool, because Perl offers one of the few truly useful features for data sanitation: "taint" mode. This makes it very useful for easily writing secure daemon software.
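The "unchecked socket data as a memcpy length" pattern discussed in the reply to Beer28, and the "treat every input as malicious and fail intelligently" habit Maurits describes, as an added C example that is not from the video or any commenter. The 2-byte length-prefixed frame format, MAX_PAYLOAD and the sample frames are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption for this example): a 2-byte
 * big-endian payload length followed by the payload bytes. MAX_PAYLOAD is
 * the size of the destination buffer the caller hands in. */
#define MAX_PAYLOAD 16

/* The vulnerable pattern from the thread: the length comes straight off the
 * socket and goes straight into memcpy. Shown only for contrast; the hostile
 * frame below must never be passed to it. */
size_t parse_frame_unchecked(const uint8_t *in, uint8_t *out)
{
    size_t len = ((size_t)in[0] << 8) | in[1];
    memcpy(out, in + 2, len);      /* len may exceed both in[] and out[] */
    return len;
}

/* Hardened version: each assumption about the peer is checked before the
 * copy, and a bad frame is rejected with -1 instead of "failing dramatically".
 * Returns the payload length on success. */
int parse_frame_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap)
{
    if (in_len < 2)                /* not even a complete header */
        return -1;
    size_t len = ((size_t)in[0] << 8) | in[1];
    if (len > out_cap)             /* would overflow the destination */
        return -1;
    if (len > in_len - 2)          /* claims more bytes than were received */
        return -1;
    memcpy(out, in + 2, len);
    return (int)len;
}

/* Constructed frames: honest, forged length, and truncated after the header. */
const uint8_t good_frame[]      = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t hostile_frame[]   = { 0xFF, 0xFF, 'h', 'i' };
const uint8_t truncated_frame[] = { 0x00, 0x04, 'a', 'b' };

int main(void)
{
    uint8_t buf[MAX_PAYLOAD];
    int n = parse_frame_checked(good_frame, sizeof good_frame, buf, sizeof buf);
    printf("good frame: %d payload bytes\n", n);
    n = parse_frame_checked(hostile_frame, sizeof hostile_frame, buf, sizeof buf);
    printf("hostile frame: %s\n", n < 0 ? "rejected" : "accepted");
    n = parse_frame_checked(truncated_frame, sizeof truncated_frame, buf, sizeof buf);
    printf("truncated frame: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```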