Matasano Chargen - Latest Comments in How To Hide^H^H^Handle Security Problems in Your Productshttp://matasanochargen.disqus.com/enMon, 30 Jun 2008 19:12:48 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324172I heard --- from an absolutely huge vendor, of mission-critical IT infrastructure --- that buffer overflows weren't exploitable *because* they weren't Windows.Thomas PtacekMon, 30 Jun 2008 19:12:48 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324173I'm not surprised to hear that in 1997. But even recently, you still see people arguing about exploitable overflows (Check Smail's last heap overflow) and try to utilize lawyers.Dave G.Mon, 30 Jun 2008 16:17:07 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324174I once (around 1997) had a vendor tell me that buffer overruns in Windows were not exploitable. Really, not kidding. Only time I ever went public without a fix. It's in BUGTRAQ archives. I then got a nasty-gram from their lawyer in overnight mail.<br><br>In comparison, Microsoft ('96 through '99) fixed everything I ever reported - about 50 or so issues - without arm-twisting (there was some debate, but that's OK). That played a major part in my decision to work at MS. (YMMV)David LeBlancMon, 30 Jun 2008 15:40:35 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324171Great essay. Thanks for reposting.ChrisMon, 30 Jun 2008 13:49:42 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324177In 2002 I printed this off from <a href="http://sockpuppet.org" rel="nofollow">sockpuppet.org</a> and hung it in my cube. It was funny then. Today it feels tragically obvious.PaulMFri, 27 Jun 2008 11:21:36 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324178Ten rules which my employer lovesanonymousFri, 27 Jun 2008 08:44:42 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324176Must be true. I seem to hear about one of these a week in my weekly security podcast subscriptions.StephenThu, 26 Jun 2008 19:29:49 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324175Mike Lynn's rules are pretty awesome.Thomas PtacekThu, 26 Jun 2008 15:16:04 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324180This only thing that is *almost* as good as "How to Hide^H^H^Handle Security Problems in Your Products" is Michael Lynn's "programming rules 2.2":<br><br><a href="http://www.memestreams.net/users/abaddon/blogid782712" rel="nofollow">http://www.memestreams.net/users/abaddon/blogid...</a>Andre GirondaThu, 26 Jun 2008 15:12:41 -0000Re: How To Hide^H^H^Handle Security Problems in Your Productshttp://www.matasano.com/log/1078/how-to-hidehhhandle-security-problems-in-your-products/#comment-2324179Tried and true.tbThu, 26 Jun 2008 14:42:51 -0000