If you’ve got friends or family who are the non-geek types, and need help with security, this might save you a few of those “how do I…?” phone calls…

Last week, Microsoft put up an updated Security at Home web site for home users. This is a great place to send your family and friends who are interested in security issues and in protecting their PCs. Check it out here:

 

Security at Home
Microsoft's new Security at Home site helps non-technical users by providing tips and tricks, how-tos, and the latest virus information without all the technical talk.


[Brian Johnson]


In a little less than a week, I’ll have an announcement to make here…watch this space!


Another example of why it’s a bad idea to run as an administrator on a day-to-day basis:

This update resolves a newly-discovered, publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows Shell launches applications. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, significant user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.


[Microsoft Security Bulletins]


As evidenced by a Linux kernel flaw that resulted in a DoS attack against Akamai, effectively denying access to large sites like Google, Yahoo, and Microsoft. Not gloating here, just observing that this demonstrates that all operating systems can be vulnerable to security issues. This also suggests that the “more eyes = more secure” assertion made by open source advocates is perhaps a little overstated. After all, the Linux kernel is probably one of the most read parts of the Linux codebase. If it’s possible to find a flaw in the kernel, what does that say for other parts of the codebase that are not as thoroughly vetted? Again, this is not about trashing Linux, it’s about being clear that security is an issue for everyone, it’s not just a Microsoft problem.

 


For those of you who might be interested, you may have noticed that on the schedule for my recent MSDN Security Briefing tour, was a stop in Honolulu, Hawaii. I had a great time there, as you might expect, though I did manage to get pretty badly sunburned (that’s what happens when you spend two hours in a futile attempt to teach yourself how to surf, without using any sunscreen). Here’s a couple of photos from the trip:

A Hawaiian rainbow, viewed from the balcony of my room:

Diamond Head, viewed from a surfboard off Waikiki Beach:


First, he helps put ASP.NET on the map. Now, Rob “invents” a term for a common computer malady…let’s give the man some Google juice. :-)

I've been working a lot lately on my laptop and I use the built-in eraser head mouse pointer; I just cannot stand the touchpad. After too many days my right-index finger will begin to ache -- as it's doing now -- from overuse. So I thought I'd look this condition up and when I didn't find one I decided to invent my own 'condition':

mousepointeritis (mouspointritis) a condition caused by repetitive use of an eraser-head mouse pointer as commonly found on laptops.

The sad part about this is that rather than putting my laptop down I just switch to a different finger for the mousepointer/eraserhead!


[Rob Howard’s Weblog]


The MSDN Security Briefings tour I was on is complete, as of this week. My sincere thanks to everyone who came out to listen and learn. I especially appreciate all the kind comments I received.

If you’re interested in getting the slides from the presentations, they’re available via the following links:

Essentials of Application Security

Writing Secure Code – Best Practices

If you have any trouble with the above links, or if you’d like to see the other slide decks that are available, you can find them here.

If you’d like to see the presentations I did (as well as two other related presentations) in their online version, go to:

Clinic 2806: Microsoft® Security Guidance Training for Developers

For additional online security training, go to:

https://www.microsoftelearning.com/security/

If you have any questions from the presentations, feel free to ping me via the Contact link on my blog.


This weekend, my thoughts and prayers are with those serving their country, and with those who have served in past conflicts. May those currently in harm’s way come home safely to their families and friends, and may we always honor and remember those whose sacrifices make freedom a reality, not just a nice idea.


One of the many Microsoft bloggers provides a workaround for those of us looking to debug ASP.NET applications without resorting to Admin privileges…a workaround that uses the predecessor of the Whidbey web server from ASP.NET Web Matrix to do debugging locally:

The debugger team has gotten many requests to debug ASP.NET applications as a non-admin. In Whidbey, the ASP.NET team did a good job solving this problem. Their solution is much nicer than mine. In the meantime, here is a way that you can get this scenario to work in the 7.1 IDE. I hope this helps. If it doesn't work for you, you can post a comment, but don't call PSS. This isn't supported.

 [greggm’s WebBlog]

 

Beats running as Admin… :-)

…apparently apply to l33t h4x0r5, too:

http://www.theinquirer.net/?article=16050

:-)

[via Michael Howard]
