
Matasano Chargen: How To Hide^H^H^Handle Security Problems in Your Products

  • tb · 1 year ago
    Tried and true.
  • Andre Gironda · 1 year ago
    The only thing that is *almost* as good as "How to Hide^H^H^Handle Security Problems in Your Products" is Michael Lynn's "programming rules 2.2":

    http://www.memestreams.net/users/abaddon/blogid...
  • Thomas Ptacek · 1 year ago
    Mike Lynn's rules are pretty awesome.
  • Stephen · 1 year ago
    Must be true. I seem to hear about one of these a week in my weekly security podcast subscriptions.
  • anonymous · 1 year ago
    Ten rules which my employer loves
  • PaulM · 1 year ago
    In 2002 I printed this off from sockpuppet.org and hung it in my cube. It was funny then. Today it feels tragically obvious.
  • Chris · 1 year ago
    Great essay. Thanks for reposting.
  • David LeBlanc · 1 year ago
    I once (around 1997) had a vendor tell me that buffer overruns in Windows were not exploitable. Really, not kidding. Only time I ever went public without a fix. It's in BUGTRAQ archives. I then got a nasty-gram from their lawyer in overnight mail.

    In comparison, Microsoft ('96 through '99) fixed everything I ever reported - about 50 or so issues - without arm-twisting (there was some debate, but that's OK). That played a major part in my decision to work at MS. (YMMV)
  • Dave G. · 1 year ago
    I'm not surprised to hear that in 1997. But even recently, you still see people arguing about exploitable overflows (check Smail's last heap overflow) and trying to utilize lawyers.
  • Thomas Ptacek · 1 year ago
    I heard --- from an absolutely huge vendor, of mission-critical IT infrastructure --- that buffer overflows weren't exploitable *because* they weren't Windows.