Geeks With Blogs
Running with Code
Like scissors, only more dangerous
May 2007 Entries
Some follow-ups to the UAC exploit
The Windows Vista UAC exploit I recently published has garnered some attention as well as some criticism. I wanted to take a moment to reply to some of what I've seen in the press, in comments around the web, as well as the response from Microsoft. On some of the PC World/PC Magazine and their affiliates' web sites, there was a comment that "Pac-Man" should never require elevation (I use a Pac-Man clone as an example of what would otherwise be innocuous software in the whitepaper). This is true, ......

Posted On Saturday, May 26, 2007 2:13 AM

Windows Vista Exploit: Elevation of Unintended Code
A short couple of weeks ago, I criticized Microsoft's "Ten Immutable Laws of Security." The so-named Ten Laws leave Microsoft shielded from users who will be going approval-crazy under User Account Control (UAC) because they either don't know for sure how to respond to the dialog, what they did to cause the dialog to come up, or whether they really want to do whichever action is happening. I particularly criticized the "If a bad guy can convince you to run software on your computer..." law, which ......

Posted On Sunday, May 13, 2007 11:00 PM

C#: Determining if a file has a valid digital signature
One of the neat things Microsoft incorporated into Windows with the release of Internet Explorer 4 (which was provided for Windows 95 and Windows NT 4.0 with Service Pack 3) was the CryptoAPI, which provided not only services for secure hashing and stream ciphers, but also implemented Microsoft's Authenticode (r) code-signing verification. Authenticode is the technology that allows a Certification Authority (CA) such as Verisign to issue certificates to its clients in order to establish that software ......

Posted On Friday, May 4, 2007 1:19 PM

Beware overloaded operator ==
Tonight I was made aware of a bug in a library that I wrote that implements the cryptographic authentication sequences used by Blizzard Entertainment's gaming service. The user reported that his code simply stopped executing; it never occurred to me that he might just be swallowing an exception (particularly if his code was running on a secondary thread). But when I reviewed my code, I saw that all of my loops were deterministic, and although I had a couple of lock { } blocks throughout the ......

Posted On Thursday, May 3, 2007 3:04 AM

Copyright © Robert Paveza