The Anatomy of a Security Breach

Without going into too much detail, there is a guy whom the security industry collectively hates. When you hear a statement like that, the happy parts of our brains think this guy must be an underdog. He must be awesome at what he does, and the big corporations hate him for it. Or maybe he’s a world-renowned hacker that nobody can catch. Suffice to say, neither is the case. Earlier today it appears that Greg Evans of LIGATT was, for lack of a better word, pwned. His Twitter account was broken into, his email was ransacked, and by the looks…

Kerberos: Very Claims-y

I’ve always found Kerberos to be an interesting protocol. It works by way of a trusted third party which issues secured tickets based on an authentication or a previous session. These tickets are used as proof of identity by asserting that the subject is who they claim to be. Claims authentication works on a similar principle, except instead of a ticket you have a token. There are some major differences in implementation, but the theory is the same. One of the reasons I find it interesting is that Kerberos was originally developed in 1983, and the underlying protocol called the Needham-Schroeder…

WinFS

WinFS has been puttering around my idle thoughts lately. Yep, weird. Why is it still available on MSDN and TechNet subscriptions? Food for thought.

Bad User Interfaces are Insecure

The Best of Intentions. So you’ve built this application. It’s a brilliant application. Its design is spectacular, the architecture is flawless, the coding is clean and coherent, and you even followed the SDL best practices and created a secure application. There is one minor problem though. The interface is terrible. It’s not intuitive, and settings are poorly described in the options window. A lot of people wouldn’t necessarily see this as a security issue, but more of an interaction bug — blame the UX people and get on with your day. Consider this (highly hyperbolic) options window though: How intuitive…

Interesting Email Attack Method… Cannot Send Shipment

I’ve gotten two emails like this in the last week or so. One was from DHL Shipping, and this one was from UPS. Attached to the email was a zip, with what I presume to be a Trojan of some sort. The content of the email was: Dear customer! We were not able to deliver the postal package which was sent on the 28th of December in time because the recipient’s address is incorrect. Please print out the invoice copy attached and collect the package at our department. United Parcel Service of America. For a moment I thought the initial…

A Thought on Windows Mobile 7

The other day while I was sitting in the airport in Washington, D.C., I had a random thought. When the ZuneHD first hit the shelves people were talking about how Mobile 7 might borrow the look and feel. It’s sleek, easy to use, easy to understand, and very simple. So I started thinking about what such an interface might look like. This is something I did quickly. Nothing was provided by Microsoft. Nobody had said anything about Mobile 7 design (at least, not at that point, but nobody cared anyway). This is simply something I thought the interface might look…

Pictures from Techdays and FailCamp in Toronto

After getting my camera back from Mitch Garvis after Techdays and FailCamp in Toronto, I decided to upload photos from the events, and to my surprise there were some pretty good shots. Here is what I came back with:

The Boston Tea Party has gone Batty

This morning I saw an interesting post on Twitter. Which in and of itself is kinda amazing, but that’s not the point. The post was on something called the Windows 7 Sins site. It is a campaign created by the Free Software Foundation to highlight everything that is wrong philosophically with Windows 7. Now, I’m all for philosophical debates, but this is just plain batty. So what did I do? I acted! I emailed the FSF people at campaigns@fsf.org the following email: Ya know, if you sold software, you wouldn’t need to keep asking people for money. Basic principle of economics. Just sayin….