Tales from the Crypto

         Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

Archive for January, 2007

January 31, 2007

USB U3 – the device that lies.

Filed under: General Security @ 12:03 am

U3 USB devices sound like a great idea – a device that will run particular software when you plug it into a computer. How does it achieve this? Wisely recognising that most companies disable autorun on USB storage devices, because of the security risks, the framers of the U3 standard chose to create a device […]

January 29, 2007

Vulnerabilities and asset management

There’s a little buzz going around right now over Microsoft’s latest Security Advisory – “Vulnerability in Microsoft Word 2000 Could Allow Remote Code Execution”. A few people are irritated simply that there’s an attack doing the rounds, and yet there’s no patch to download. Sure there’s a patch – it’s called “Office 2003”. And in a […]

January 28, 2007

Vanishing Point Game, Seattle [Event 4]

17:45 – A couple drives down unfamiliar streets, looking for a place that they only believe is the right venue, based on an ability to throw GPS co-ordinates at Google Maps. [Yes, Google Maps, because I couldn’t figure out how to do that with Live Maps – irony.] 17:50 – Arrival at a sign that, in […]

January 26, 2007

How to send a close_notify at the end of an SSL connection

Filed under: SSL Tutorial @ 11:30 pm

One of the more confusing parts of writing code to correctly work an SSL connection is the final act – the closure. Here’s how to do it in Windows’ SChannel: // phCtx is the pointer to the context handle you’ve already been using for SSL. static DWORD dwshut=SCHANNEL_SHUTDOWN; SecBuffer sbshut={sizeof(dwshut), SECBUFFER_TOKEN, &dwshut}; SecBufferDesc sdshut={SECBUFFER_VERSION,1,&sbshut}; DWORD […]

SSL development gotchas.

Filed under: SSL Tutorial @ 11:14 pm

There are two behaviours in SSL that seem to catch out a number of people. The first is the use of close_notify. close_notify is an operation in SSL that terminates the SSL session, providing a definite end to the stream that is being protected. As it provides an HMAC summarising the entire communication so far, […]

ScreenSaverGracePeriod – how fast can you cross a training room?

We’re faced with an issue where presenters are losing their train of thought mid presentation because their slides are covered up by the screensaver – this would not be a significant problem, except that by the time they get back to wiggle the mouse, the workstation has been locked, and they have to type in […]

January 25, 2007

VanishingPoint VIP Party – am I invited?

So, I found some time this week to play the Vanishing Point Game that Microsoft has been using to promote Vista‘s launch. If you like puzzles, it’s really worth playing this, although I will have to admit there were a couple of places where I cheated collaborated with other players, who have posted hints and […]

January 24, 2007

Stupid crime does not pay.

Filed under: Miscellany - not security @ 2:49 pm

A lovely little story from the BBC this week – here are a couple of choice phrases to give you the flavour: Fourteen GPS tracking systems were stolen last week from a warehouse in Babylon, New York. They were to be used to help the city council track lorries. Police remotely activated the systems after […]

Trying to deploy an Outlook add-in

Even us grizzled security professionals occasionally have to give up when faced with a pile of security so incomprehensibly bizarre as to make life seem impossible. Recently, a member of our Security Council asked the simple question “instead of having us manually forward email to the junk mail filters, can we have a button that automatically […]

January 19, 2007

Visual Studio 2005 SP1 recommends /what/?

That’s a great way to ruin a message that several of us have been trying to push for several years – the suggestion here is that you should be an administrator because some of the things that you may want to do might require administrative privilege. That’s like suggesting you should turn up for your […]

Next Page »

© 2017 Tales from the Crypto   Provided by WPMU DEV -The WordPress Experts   Hosted by Microsoft MVPs