Unregistered
aliases
- Adam
- Adam S
- adam
- The Other Tyler Durden
- Adam Shostack
Adam
3 months ago
in Vulnerability Research: Times They Are A-Changin’ on Matasano Chargen
Is there a sales pitch that doesn’t imply blackmail?
Yes! "We'd like to do some contract pen testing for you."
I think you make a great point, though: the flaw is worse less than the sploit. I played with some similar ideas in http://www.emergentchaos.com/archives/2006/05/e...
1 reply
Adam
Oops, worth: the flaw is worth less than the sploit.
12 months ago
in “J. Edgar Google” on The Technology Liberation Front
To answer your first question, http://www.mashdump.com/1996-sergey-brin.jpg :)
You can, of course, google teh answer.
1 year ago
in Ruby’s Vulnerability Handling Debacle on Matasano Chargen
Since two of your three are targeted at software creators, I'm surprised that you don't list "test the hell out of your releases" or "be transparent about your test process."
Why isn't Rubyonrails part of the Ruby test suite?
1 year ago
in In Which I Resolve A Titanic Semantic Conflict on Matasano Chargen
I'm still thinking a little on the main question, but wanted to respond to cscott.
CScott, can you name a single engineering discipline which is "an end-state in itself?" All engineering is aimed at addressing business or social problems.
1 year ago
in In Which I Resolve A Titanic Semantic Conflict on Matasano Chargen
Do you mean pen testing isn't a science, or security isn't a science (scientific field)?
1 year ago
in Amateurs Study Cryptography; Professionals Study Economics on The Technology Liberation Front
Thanks for the great review Jim!
To the point being discussed in the comments, my understanding of 1386 (and this is explicit in the preamble of the law) is that it was intended to allow people at risk of identity theft to protect themselves. The transparency it delivers is an unexpected consequence. As I'm sure readers of this blog are aware, designing such a mechanism is quite tricky, and anticipating all of the consequences is even harder.
1 year ago
in A Lonely Voice on REAL ID on The Technology Liberation Front
He could do the honorable thing and refuse to work on the program. I'll pity him when he's not on the federal payroll.
1 year ago
in PS: Your Homework Assignments on Matasano Chargen
Mr. Ptacek, I assign you one re-written link by 12/10. Your "deep packet inspection" label points at a data leak prevention article. WTF? Re-assembly issues? :)
1 year ago
in What’s Wrong With This Entrepreneurial Picture? on The Technology Liberation Front
The goal of an entrepreneur is to maximize return on investment. Sometimes that entails recognizing that the market isn't developing as expected, and that the right thing to do is to sell the company.
Home runs may be the most dramatic, but if you've hit a double, trying to run home may end up with an out, rather than a double.
1 year ago
in So What is Privacy Anyway? on The Technology Liberation Front
Jim, I'm surprised. It's only since 1984 that the government is allowed to tell us how to use words, and I'd have thought that having the spies redefine our language for us would have resulted in...different thoughts from you.
Adam
1 year ago
in The Merits Of Threat Modeling on Matasano Chargen
Glad you like the post Dave. It's the start of a series, and if there's things I don't cover, let me know. The goal is to talk about what worked and didn't, and how I've been fixing it.
1 year ago
in On the subject of PDF vulnerabilities on Matasano Chargen
I'd also think about scriptability and use of DRM functions, which are often way buggy because getting the crypto right is hard enough that it overloads people.
1 year ago
in My Blackhat Experience on Matasano Chargen
Technically, Mozilla.com is no longer a non-profit.
2 years ago
in Security Boat Anchors: 3rd Party Products/Libraries on Matasano Chargen
Tom:
We could start with a single question:
"Do you mandate any sort of security activity as part of your product development lifecycle?"
There's a follow-on, which is "please explain."
Since 90% of the vendors don't make it to the follow-on (yet), considerations of comparisons between explanations are secondary. But I'm happy to go there at length.
2 years ago
in Security Boat Anchors: 3rd Party Products/Libraries on Matasano Chargen
What about asking about their development practices?
2 years ago
in The Apple Update Rundown: Security Update 2007-005 on Matasano Chargen
I'm curious about the local lan only vulns. Why are they local lan only?
2 years ago
in A Case Against DNSSEC (A Matasano Miniseries) on Matasano Chargen
So? Who cares? You get bad auth, you get a new key warning.
2 years ago
in A Case Against DNSSEC (A Matasano Miniseries) on Matasano Chargen
so with regards to IM--technically, Ian Goldberg and Len Sassman and I'm forgetting a third author fixed the IM security problem with OTR.
2 years ago
in Randal Schwartz Hacking Conviction Expunged on Matasano Chargen
There's a fascinating article in the New York Times on expungement: "Expunged Criminal Records Live to Tell Tales." Even more so in Randal's case, since there's a tremendous amount of information on the web about his case.
2 years ago
in Apple pays bloggers’ legal fees on Scobleizer
Two great web sites that I'm surprised you didn't mention: EFF Legal guide for bloggers and Chilling Effects Clearinghouse.
2 years ago
in Google, the world’s largest startup? on Scobleizer
So I'm curious...are little updates every day the right choice? There's an audience for whom that's great, and an audience that will get confused by a failure of consistency in what you put in front of them.
Should companies with the reach of either Google or MS be pushing that level of change into people's lives?
2 years ago
in Dead Giveaways of Thoughtless User Interfaces on Matasano Chargen
These are interesting tests. My personal metric is minutes to UI bug report, or minutes to deciding that a UI bug report would be ignored.
2 years ago
in J, J, J, K, oh, sorry, TWiT talking about Windows Vista on Scobleizer
Usefully, most mac apps support a set of emacs keybindings, like ^N, ^P for next and previous lines, ^K and ^Y for kill and yank, etc.
They're subtle, but if you're used to them, it's amazingly useful.
2 years ago
in Gunnar Peterson’s OS Security Features Chart on Matasano Chargen
Andy,
I'd love to see a chart that shows hardening technologies, and what other operating systems are doing. The things that spring to mind are chroot, jails on BSD, AppArmor on Linux. Systrace has been mentioned. (In that same containment goal, we could talk about mandatory integrity control in Vista, which is also not on the chart.)
What categories should be there, and what should be in the categories?
Adam
(Who also works at MS, but isn't an old timer like Johnson.)
2 years ago
in Richard Bejtlich Sticks Up For IDS. I Retaliate. on Matasano Chargen
Toby,
Encrypt it all for good security reasons, then exclaim "This damn IDS can't read encrypted packets!" and throw it away. It's a win/win!
