A Blog for Graymad
Musings about ASP.NET and more...by G. Andrew Duthie
-
The consequences of poor security...
…apparently apply to l33t h4x0r5, too:
-
Aloha!
Greetings from Honolulu! Just completed an MSDN Security Briefing event here on Oahu. Very nice crowd, and lots of good questions. Of course, the beautiful weather is a nice added bonus. I went up to my hotel room earlier this morning to find a rainbow streaking across the sky over the ocean.
-
Want free software?
Haven’t got your copy of Visual Basic .NET yet? Want to get an extra copy? Well, you can pick up a copy of Visual Basic .NET 2003 Standard by viewing and rating 5 movies at http://msdn.microsoft.com/vbasic/atthemovies/. Seems like a pretty good deal to me.
-
MSDN Events
Today I finished up my week in the sunny Florida panhandle presenting security talks for MSDN. On Tuesday, I was in Pensacola. The folks there were great, and a fun crowd. I also had a good time with my group today in Fort Walton Beach (the actual event was in Mary Esther). In between, my wife and son and I got to spend a little time at the beach. My son, who just turned 1 year old, got to stick his toes in the sand for the first time. He wasn’t quite sure what to make of it at first, but warmed up to the beach after a while.
-
Running as Admin - Don't!
I’ve written about the problems of running your machine day-to-day as Administrator, and tips for making development as a non-Admin easier on a number of occasions. As a brief reminder, there are many viruses and other malware that would never have spread as widely as they did if the infected user had not been running as admin. Additionally, developers who run as admin when they develop and test software can inflict errors on those who use their software while running with lower privileges. And unfortunately, the ad-hoc “fix” for such problems often ends up being for that user to run with elevated privileges.
-
Tip for Visual Studio 2005
Useful tidbit from the MVP summit:
-
What is a buffer overrun?
Below is an excellent, yet brief, description of buffer overruns, which I found on the Microsoft bloggers feed on http://weblogs.asp.net. I do a demo of a buffer overrun in the Essentials of Application Security session, one of two I’m presenting at numerous locations in the eastern US. One of the things I find quite surprising is the relatively high percentage of C++ programmers in the sessions, and even more so, the relatively low percentage of them who’ve actually seen what a buffer overflow looks like. The fact that it’s so easy to code a buffer overflow makes me very glad that I use managed code. Now all I need to do is make sure that I’m not vulnerable to SQL Injection attacks (use stored procedures and good input validation) or Cross-site Scripting attacks (use good validation, and HTML encode all input before echoing it back to the browser).
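The two mitigations named above, as an added C# example that is not code from the original post: a stored procedure called with a typed parameter (so the user's text is never spliced into SQL), plus HTML-encoding before echoing input back to the browser. The helper class, the stored-procedure name `dbo.usp_FindUser`, and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical helper class (added example, not from the blog).
public static class SafeInputDemo
{
    // Look up a user by name through a stored procedure with a typed parameter.
    // The user-supplied value travels as a parameter, never as concatenated SQL text,
    // so input such as "x'; DROP TABLE Users--" is treated as a literal string.
    //
    // The pattern this replaces (do not use):
    //   new SqlCommand("SELECT * FROM Users WHERE Name = '" + userName + "'", conn)
    public static DataTable FindUser(string connectionString, string userName)
    {
        // Input validation first: reject anything outside the expected shape.
        if (string.IsNullOrEmpty(userName) || userName.Length > 64)
            throw new ArgumentException("userName must be 1-64 characters", "userName");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_FindUser", conn)) // hypothetical proc name
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Typed, length-bounded parameter; the driver handles quoting.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);
            }
            return result;
        }
    }

    // Encode before echoing anything user-controlled back into the page.
    // "<script>alert(1)</script>" becomes "&lt;script&gt;alert(1)&lt;/script&gt;",
    // which the browser renders as text instead of executing.
    public static string EchoSafely(string userInput)
    {
        return "You searched for: " + HttpUtility.HtmlEncode(userInput);
    }
}
```

In an ASP.NET page you would call `EchoSafely` when writing the search term into a label or literal, and `FindUser` from the code-behind; the validation step is deliberately separate from the parameterization, since each guards against a different failure (malformed input versus SQL text being interpreted).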
-
Carl Franklin reports on another DPAPI wrapper,
this one in VB.NET:
-
First week of MSDN Security Goodness
I just finished up my first week of doing MSDN security briefings for Microsoft. I had a great time with the audiences in Albany, NY and Staten Island, NY. Both audiences were very attentive and asked some great questions. I’m looking forward to this week’s talks in Roanoke, VA, and Charlottesville, VA on Tuesday and Thursday of this week. So if you’re in those areas, and want to learn more about what you can do as a developer to create more secure applications, sign up, and come on down!
-
MSDE Scalability
Ever wanted the definitive answer on just exactly how MSDE limits performance and scalability? Well, you’re in luck, as Microsoft has now published a whitepaper describing how the governor in MSDE works. The short version is that the governor stalls connections for a few milliseconds on each logical read or write, once the limit of more than eight concurrent operations has been reached. The connection limit for MSDE is the same as for a standard SQL Server instance (32,767), but obviously the more concurrent connections, the more likely you are to reach the limit of 8 concurrent operations that triggers the workload governor. Read the paper for all the juicy details, including specifics on physical vs. logical reads/writes, and how/when the governor is activated. Good stuff.