A Blog for Graymad

Greetings from Honolulu! Just completed an MSDN Security Briefing event here on Oahu. Very nice crowd, and lots of good questions. Of course, the beautiful weather is a nice added bonus. I went up to my hotel room earlier this morning to find a rainbow streaking across the sky over the ocean.

Haven’t got your copy of Visual Basic .NET yet? Want to get an extra copy? Well, you can pick up a copy of Visual Basic .NET 2003 Standard by viewing and rating 5 movies at http://msdn.microsoft.com/vbasic/atthemovies/. Seems like a pretty good deal to me.

Today I finished up my week in the sunny Florida panhandle presenting security talks for MSDN. On Tuesday, I was in Pensacola. The folks there were great, and a fun crowd. I also had a good time with my group today in Fort Walton Beach (the actual event was in Mary Esther). In between, my wife and son and I got to spend a little time at the beach. My son, who just turned 1 year old, got to stick his toes in the sand for the first time. He wasn’t quite sure what to make of it at first, but warmed up to the beach after a while.

I’ve written about the problems of running your machine day-to-day as Administrator, and tips for making development as a non-Admin easier on a number of occasions. As a brief reminder, there are many viruses and other malware that would never have spread as widely as they did if the infected user had not been running as admin. Additionally, developers who run as admin when they develop and test software can inflict errors on those who use their software while running with lower privileges. And unfortunately, the ad-hoc “fix” for such problems often ends up being for that user to run with elevated privileges.

Useful tidbit from the MVP summit:

Below is an excellent, yet brief, description of buffer overruns, which I found on the Microsoft bloggers feed on http://weblogs.asp.net. I do a demo of a buffer overrun in the Essentials of Application Security session, one of two I’m presenting at numerous locations in the eastern US. One of the things I find quite surprising is the relatively high percentage of C++ programmers in the sessions, and even more so, the relatively low percentage of them who’ve actually seen what a buffer overflow looks like. The fact that it’s so easy to code a buffer overflow makes me very glad that I use managed code. Now all I need to do is make sure that I’m not vulnerable to SQL Injection attacks (use stored procedures and good input validation) or Cross-site Scripting attacks (use good validation, and HTML encode all input before echoing it back to the browser).

this one in VB.NET: 

I just finished up my first week of doing MSDN security briefings for Microsoft. I had a great time with the audiences in Albany, NY and Staten Island, NY. Both audiences were very attentive and asked some great questions. I’m looking forward to this week’s talks in Roanoke, VA, and Charlottesville, VA on Tuesday and Thursday of this week. So if you’re in those areas, and want to learn more about what you can do as a developer to create more secure applications, sign up, and come on down!