Comments for Analytical Engine http://www.analyticalengine.net Application Security, General Technology, and Geek Ramblings Wed, 09 Dec 2009 17:47:13 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Do as I Say… by Joshbw http://www.analyticalengine.net/2009/12/do-as-i-say/comment-page-1/#comment-1317 Joshbw Wed, 09 Dec 2009 17:47:13 +0000 http://www.analyticalengine.net/?p=205#comment-1317 Incidentally, to further blemish myself, one thing correctly pointed out in the mediawiki bugzilla discussion that I *should* have thought about myself was that in terms of the verbose login messages, a change is pointless. There are numerous ways to discover valid user accounts, intentionally in the design of the application, so when it comes down to it it matters little that you can do so on the login page. Thus my complaints in that regard appear quite silly. Incidentally, to further blemish myself, one thing correctly pointed out in the mediawiki bugzilla discussion that I *should* have thought about myself was that in terms of the verbose login messages, a change is pointless. There are numerous ways to discover valid user accounts, intentionally in the design of the application, so when it comes down to it it matters little that you can do so on the login page.

Thus my complaints in that regard appear quite silly.

]]> Comment on Do as I Say… by Joshbw http://www.analyticalengine.net/2009/12/do-as-i-say/comment-page-1/#comment-1316 Joshbw Wed, 09 Dec 2009 17:38:49 +0000 http://www.analyticalengine.net/?p=205#comment-1316 Hey guys, do as I say, not as I do... and indeed, casual hypocracy is hard to combat. As I was writing this I certainly realized I was passing the buck. The security edge open source has over proprietary is that anyone who notices a problem can fix it (I think that is balanced by the fact that blackhats who have no intention of fixing a problem have a bit easier time finding them with access to the source), and indeed since I notice the problem I could certainly fix it myself. I plead hardware failure as an excuse, as my personal dev box is toast at the moment (come on generous tax return, Daddy needs a new computer) but I have gone and open bugs with the MediaWiki Project. In general though, as a consumer of multiple OSS projects myself I should do a better job giving back - they may be free of cost, but I really should recognize a level of obligation as a result of my use regardless. In terms of OWASP, the resources the organization provides are ones I have refered a multitude of developers to, and have in turn contributed to several pages, but certainly considering the utility it has provided me I owe some more back its way. <blockquote>In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good. </blockquote> Indeed that is something I fully understand. Security is just one business need among many, and the business needs to balance competing needs. I think an underlying message to my post is that security teams need to be reasonable in their security pronouncements - all to often security professionals like to speak in absolutes as if security considerations are on a higher pedistol when at the same time they implicitely understand that they themselves are weighing the security of their own properties relative to the other business considerations of their proprerties. In general I think those of us in the enterprise are obligated to live our examples - in our own projects find the right balance of security versus other considerations (or even security versus security. Often confidentiality, integrity, and availability are competing rather than complimentary concepts) and use that to inform our educations of the rest of the enterprise. Hey guys, do as I say, not as I do… and indeed, casual hypocracy is hard to combat. As I was writing this I certainly realized I was passing the buck. The security edge open source has over proprietary is that anyone who notices a problem can fix it (I think that is balanced by the fact that blackhats who have no intention of fixing a problem have a bit easier time finding them with access to the source), and indeed since I notice the problem I could certainly fix it myself. I plead hardware failure as an excuse, as my personal dev box is toast at the moment (come on generous tax return, Daddy needs a new computer) but I have gone and open bugs with the MediaWiki Project. In general though, as a consumer of multiple OSS projects myself I should do a better job giving back – they may be free of cost, but I really should recognize a level of obligation as a result of my use regardless.

In terms of OWASP, the resources the organization provides are ones I have refered a multitude of developers to, and have in turn contributed to several pages, but certainly considering the utility it has provided me I owe some more back its way.

In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good.

Indeed that is something I fully understand. Security is just one business need among many, and the business needs to balance competing needs. I think an underlying message to my post is that security teams need to be reasonable in their security pronouncements – all to often security professionals like to speak in absolutes as if security considerations are on a higher pedistol when at the same time they implicitely understand that they themselves are weighing the security of their own properties relative to the other business considerations of their proprerties. In general I think those of us in the enterprise are obligated to live our examples – in our own projects find the right balance of security versus other considerations (or even security versus security. Often confidentiality, integrity, and availability are competing rather than complimentary concepts) and use that to inform our educations of the rest of the enterprise.

]]> Comment on Do as I Say… by Jeff Williams http://www.analyticalengine.net/2009/12/do-as-i-say/comment-page-1/#comment-1315 Jeff Williams Wed, 09 Dec 2009 15:55:11 +0000 http://www.analyticalengine.net/?p=205#comment-1315 Thanks Josh! I think your basic point is right, and we should eat our own dogfood. Please remember that OWASP is an an all volunteer organization operating on a shoestring budget. We *have* given considerable support to a huge range of open source projects, including MediaWiki, Spring, Hudson, and many others. You should know that we have invested pretty heavily in the security of the OWASP site, with hardening, patching, configuration, custom plugins, etc... but there's obviously more we can do. In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there's an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security...and if that's what developers take away from the OWASP site then I think we've done something good. Nevertheless, your point about the risk to the integrity of our message is a good one. So I have to ask - how about working with OWASP and MediaWiki to get the changes you want implemented? Thanks! Thanks Josh! I think your basic point is right, and we should eat our own dogfood.

Please remember that OWASP is an an all volunteer organization operating on a shoestring budget. We *have* given considerable support to a huge range of open source projects, including MediaWiki, Spring, Hudson, and many others. You should know that we have invested pretty heavily in the security of the OWASP site, with hardening, patching, configuration, custom plugins, etc… but there’s obviously more we can do.

In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good. Nevertheless, your point about the risk to the integrity of our message is a good one.

So I have to ask – how about working with OWASP and MediaWiki to get the changes you want implemented?

Thanks!

]]> Comment on Do as I Say… by Michael Coates http://www.analyticalengine.net/2009/12/do-as-i-say/comment-page-1/#comment-1314 Michael Coates Tue, 08 Dec 2009 19:44:46 +0000 http://www.analyticalengine.net/?p=205#comment-1314 Joshbw, OWASP is a non-profit organization completely run by volunteers who have the passion, skill and interest to pursue a particular area of application security for the betterment of everyone. As such, particular areas of OWASP have prospered due to a collaborative effort of generous volunteers. It sounds like you definitely have the passion and skill in this area and have highlighted an area which could be enhanced. Would you like to take the lead here and help the OWASP mission? -Michael Joshbw,
OWASP is a non-profit organization completely run by volunteers who have the passion, skill and interest to pursue a particular area of application security for the betterment of everyone. As such, particular areas of OWASP have prospered due to a collaborative effort of generous volunteers.

It sounds like you definitely have the passion and skill in this area and have highlighted an area which could be enhanced. Would you like to take the lead here and help the OWASP mission?

-Michael

]]> Comment on Forget Virus Scanners by Anonymous http://www.analyticalengine.net/2009/06/forget-virus-scanners/comment-page-1/#comment-1200 Anonymous Sat, 22 Aug 2009 08:52:46 +0000 http://www.analyticalengine.net/?p=196#comment-1200 Marcus Ranum comes to the same conclusion and plays with some various software here that does just that. http://www.ranum.com/security/computer_security/editorials/antivirus/index.html Marcus Ranum comes to the same conclusion and plays with some various software here that does just that.

http://www.ranum.com/security/computer_security/editorials/antivirus/index.html

]]> Comment on I really hope this is a joke by fuzion http://www.analyticalengine.net/2009/05/i-really-hope-this-is-a-joke/comment-page-1/#comment-1040 fuzion Sat, 23 May 2009 03:07:03 +0000 http://www.analyticalengine.net/?p=184#comment-1040 Of course its a joke... they're making fun of Netragard. Here's the template they used: http://www.netragard.com/pdfs/research/NETRAGARD-20090506-AIRCELL.txt Of course its a joke… they’re making fun of Netragard. Here’s the template they used:
http://www.netragard.com/pdfs/research/NETRAGARD-20090506-AIRCELL.txt

]]> Comment on I really hope this is a joke by Jim Manico http://www.analyticalengine.net/2009/05/i-really-hope-this-is-a-joke/comment-page-1/#comment-1039 Jim Manico Sat, 23 May 2009 00:46:33 +0000 http://www.analyticalengine.net/?p=184#comment-1039 You got to read it, it really IS a joke: - Cookie stealing - Cookie harassing - Cookie tampering - Tampering of harassed cookie - Harassing the thief tampering with cookies You got to read it, it really IS a joke:

- Cookie stealing
- Cookie harassing
- Cookie tampering
- Tampering of harassed cookie
- Harassing the thief tampering with cookies

]]> Comment on I really hope this is a joke by Jim Manico http://www.analyticalengine.net/2009/05/i-really-hope-this-is-a-joke/comment-page-1/#comment-1038 Jim Manico Sat, 23 May 2009 00:43:46 +0000 http://www.analyticalengine.net/?p=184#comment-1038 Comon man, just slap a little VA+WAF on top of that Webgoat mess and you will be 100% secure. Comon man, just slap a little VA+WAF on top of that Webgoat mess and you will be 100% secure.

]]> Comment on Bad Practices #412 by Pat Cahalan http://www.analyticalengine.net/2009/04/bad-practices-412/comment-page-1/#comment-1035 Pat Cahalan Wed, 06 May 2009 17:56:01 +0000 http://www.analyticalengine.net/?p=119#comment-1035 > So Please, quit asking for credentials to other sites- > don’t do what attackers do, otherwise you don’t give > people an easy way to distinguish between the two. ... amen, Brother Josh. Amen. > So Please, quit asking for credentials to other sites-
> don’t do what attackers do, otherwise you don’t give
> people an easy way to distinguish between the two.

… amen, Brother Josh. Amen.

]]> Comment on Quest for the perfect Geek Bag Part 1: Criteria by Analytical Engine » Blog Archive » Quest for the Perfect Geek Bag Part 5: Ogio Metro http://www.analyticalengine.net/2009/04/quest-for-the-perfect-geek-bag-part-1-criteria/comment-page-1/#comment-1033 Analytical Engine » Blog Archive » Quest for the Perfect Geek Bag Part 5: Ogio Metro Thu, 23 Apr 2009 21:10:20 +0000 http://www.analyticalengine.net/?p=128#comment-1033 [...] and all I can find very little to complain about. Almost all of my criteria are met by this beast, however I did stop using it. It is a heck of a thing to complain about, but [...] [...] and all I can find very little to complain about. Almost all of my criteria are met by this beast, however I did stop using it. It is a heck of a thing to complain about, but [...]

]]>