Category: linkblog

Nice introduction to one of the more conceptually rigorous concepts in product design.

The long, strange journey of Stephen Watt.

Pandora’s briefcase, or an extended argument on the perils of information asymmetry. Good WWII spycraft read from Gladwell.

Even in OSes with fully randomized address spaces and data execution protection, you can use return oriented programming to patch together malicious code from sequences of instructions that are in memory from common executables (“ransom note exploits”). The lesson: shift the game from focusing on injection vulnerabilities to minimizing the damage an attacker can cause. One of the best papers from SOURCE: Boston in 2010.

Hmm. Might be worth checking out just on the basis of the titles that are there (“M”, “The 39 Steps”…)

SharePoint Server 2007 has a cross site scripting vulnerability in the Help subsystem which is exploitable on any SharePoint 2007 site.

Awesome project: an online archive of the evolution of typography, starting with the incunabula.

Putting the “crypt” in “crypto-Catholic.”

A collaborative and informal way to develop “misuse cases” and perform threat modeling.

How to think like a hacker–including leveraging social networking to get into your target.

Interesting argument from Dave–big tech companies fail because they try to do all their innovation internally, and eventually they run out of brilliant folks to hire and end up with the “general talent pool.”

Yet more evidence that perimeter defense systems are flawed. If you can’t secure applications at all layers of the stack, including the end user, you can’t secure your organization.

This isn’t a bad description of my job, and my teams’ jobs, on a release to release basis.

Makes me wonder what the Boston papers are doing with their comments sections, if Rosenberg’s suggestion is on. Is anyone watching the store?

Significant XSS attack against Apache used to steal passwords from admins and contributors, and to root internal work projects. XSS is not a trivial defacement attack when it can be used to compromise something viewable by an administrator and steal their session cookie.

And I quote, “Man, cousin, I'm about to put in the work,/assert authority. Administrative access: crack this./If your patches back in the past, this/0day gets you on a root trip. True crypt./Key file, I will keystyle shell code,/triple sevens all up on the ch mod.” Wack.

Nice roundup of foolish Apple, Mac, iPad and iPhone punditry.

Lies, damned lies, and statistics, or how claims that stimulus spending is biased toward Democratic congressional districts can be debunked by simply examining the relationship between the districts and what else is there (clue: state capitals!).

An excerpt from Clay Shirky’s “The Collapse of Complex Business Models.” When you hear someone sputtering to defend their old business model, think about whether it means anything more than a failure of their imagination.

Nice link to one of my favorite improbable typographic success stories. And the part quoted is even from before Jan Tschischold revolutionized the design of the line.

The old University of Virginia Magazine, later the Virginia Spectator, is on Google Books now with some issues dating back to the mid 19th century.

Interesting discussion about the role of product management at Gmail. Look at the comments thread for how this approach is received by customers.

I swore I was done buying clever tshirts, but I may have to buy this tshirt.

’cause you have to figure that those red light cameras are doing OCR on the images before they insert them into a database… and that the developer never anticipated that the result might be an injection vector.

Nice illustrated guideline to mixing fonts.

Roundup of reactions to the passage of the healthcare reform legislation.

Interesting and useful roundup of Flash management tools.

Helpful graphic and text laying out the impacts of the health care legislation on the insured and the uninsured.

…Edward Tufte kills a kitten.