- Hmm. Might be worth checking out just on the basis of the titles that are there (“M”, “The 39 Steps”…)
Month: April 2010
Next week: Austin, TX
You’ll be able to catch me in my professional capacity twice next week. I’ll be giving a talk on Tuesday in Austin, TX, to the Austin chapter of ISACA (the Information Systems Audit and Control Association) on “Best Practices for Application Risk Management.” The argument: the current frontier in securing sensitive data and systems isn’t the network, it’s the applications that handle the data. But just as it’s hard to write secure code, even with conventional testing tools, it’s even harder to get a handle on the risk in code you didn’t write. And, of course, it’s the rare application these days that is 100% code you wrote yourself. I’ll talk about ways that large and small enterprises can get their arms around the application security challenge.
I’ll also be joining one of our customers in a webinar to talk in more depth about a key part of Veracode’s application risk management capability, our developer e-learning program and platform. If you are interested in learning how to improve application security before the application even gets written, this is a good one to check out.
Grab bag: SharePoint zero day
- SharePoint Server 2007 has a cross-site scripting (XSS) vulnerability in its Help subsystem that is exploitable on any SharePoint 2007 site.
- Awesome project: an online archive of the evolution of typography, starting with the incunabula.
Grab bag: Secrets and security
- Putting the “crypt” in “crypto-Catholic.”
- A collaborative and informal way to develop “misuse cases” and perform threat modeling.
- How to think like a hacker, including using social networking to get into your target.
Neverending loop
- Interesting argument from Dave: big tech companies fail because they try to do all their innovation internally, and eventually they run out of brilliant folks to hire and end up with the “general talent pool.”
Google’s password system was targeted
- Yet more evidence that perimeter defenses by themselves are not enough. If you can’t secure applications at all layers of the stack, including the end user, you can’t secure your organization.
On the record
The BSO announced two new albums this week. I’m looking forward to hearing the Carter, and am ordering multiple copies of TFC: Celebrating the 40th Anniversary of the Tanglewood Festival Chorus. Not because it’s my chorus (I’m not on the disc–these were small group recordings that went through the year I started with the chorus), but because the repertoire is astonishing. A pair of Bruckner motets, including the Christus factus est, the Lotti Crucifixus, the Frank Martin Mass, and of course Copland’s In the Beginning.
Of course there’s a small irony–the cover photo shows the group holding music! But it’s a great image of a large Prelude concert group in Seiji Ozawa Hall. One of these days I’d love to be in that setting; our Prelude performances have been done by small groups since I joined the chorus, so I’ve never performed in Ozawa.
Grab bag: Monkeybagels!
- This isn’t a bad description of my job, and my teams’ jobs, on a release to release basis.
- Makes me wonder what the Boston papers are doing with their comments sections, if Rosenberg’s suggestion is on. Is anyone watching the store?
Apwnche
- Significant XSS attack against Apache, used to steal passwords from admins and contributors and to get root on internal infrastructure. XSS is not a trivial defacement bug when the injected script runs in a page an administrator views: it can steal the administrator’s session cookie and then act with the administrator’s privileges.
Happy birthday, Mr. Jefferson
Thomas Jefferson was born 267 years ago, on April 13, 1743. Seventy-four years later, in 1817, he would lay the cornerstone of what became the University of Virginia.
I’ll have a few more thoughts later about Mr. Jefferson, UVA, and Founder’s Day, but for now two thoughts from the man himself:
Determine never to be idle…It is wonderful how much may be done if we are always doing.
Enlighten the people, generally, and tyranny and oppressions of body and mind will vanish like spirits at the dawn of day.
Zero day, yo
- And I quote, “Man, cousin, I'm about to put in the work,/assert authority. Administrative access: crack this./If your patches back in the past, this/0day gets you on a root trip. True crypt./Key file, I will keystyle shell code,/triple sevens all up on the ch mod.” Wack.
Adventure looking forward
Chris Baldwin’s brilliant comic (I won’t belittle it by calling it a “web comic”) Little Dee ended today. He’s been winding it down for months, so it’s no surprise that it’s over. What is a surprise to me is how resonant the ending is, even in its first two panels:
It’s tempting, as I start to see forty up on the horizon, to think that all my adventures and all the beauty are behind me. Weeks like last week, when my father in law was in and out of the hospital and I was forced by illness to withdraw from a Tanglewood Festival Chorus concert run that would have taken me to Carnegie Hall, seem to reinforce that thought.
But then I watch my family, and I catch my breath a little bit at all the beauty that is yet to come.
Grab bag: Foolishness, sputtering, and agendas
- Nice roundup of foolish Apple, Mac, iPad and iPhone punditry.
- Lies, damned lies, and statistics, or how claims that stimulus spending is biased toward Democratic congressional districts can be debunked by simply examining the relationship between the districts and what else is there (clue: state capitals!).
- An excerpt from Clay Shirky’s “The Collapse of Complex Business Models.” When you hear someone sputtering to defend their old business model, think about whether it means anything more than a failure of their imagination.
- Nice link to one of my favorite improbable typographic success stories. And the part quoted is even from before Jan Tschichold revolutionized the design of the line.
Spectating
- The old University of Virginia Magazine, later the Virginia Spectator, is on Google Books now, with some issues dating back to the mid 19th century.