Adventures with a certain Xen vulnerability (in the PVFB backend)

Here’s another post about a paper I’ve read recently. This time it’s not entirely for fun, but I still thought I’d write about this one, Adventures with a certain Xen vulnerability (in the PVFB backend). I’ve read a few security-related papers and articles. In general I’ve found that there’s a huge gap in quality (and …

Saddle, two SDDL related tools

I’ve just uploaded two small tools that make it a little easier to deal with SDDL (Security Descriptor Description Language, this is a good resource for SDDL): saddle-ex – “extract” the security descriptor for a number of different kinds of objects; saddle-pp – a pretty printer for an SDDL string. Full build instructions are included. …

Computer security and liability—my thoughts

Almost three years ago Bruce Schneier posted a blog entry on Computer Security and Liability. Since then he has repeated his opinion several times; one of the more high-profile occasions was in front of the House of Lords. Some people agree, others disagree. Until just a few days ago I disagreed with him on this …

It is fair, at least for now…

I think it’d be better if Microsoft’s security specialists concentrated on improving security in their products (and possibly write about how they do it) rather than trying to make the rest of the world feel sorry for them. I’m sorry, but full disclosure is the fairest we have at the moment. Microsoft sits on a …

M$ Vista security, “integrity control”

Lately I’ve spent some time looking at Windows Vista security. Basically just trying to catch up with some of the changes introduced and mostly done through reading whatever I come across. I’ve spent only a little time actually playing with Vista though, and I’ve not gotten to the nitty-gritty since I haven’t written any code …

How to make sure corporate users choose bad passwords

Here’s a sure-fire way to make sure users choose bad passwords: Force passwords to have a minimum length. Come up with some arbitrary rules regarding “complexity” of the password. E.g. that it contains at least one upper-case character and one digit. Keep a history of passwords. Make it huge, say at least 20. Force users …
