October 2007 - Posts
31 October 2007
CryptAcquireContext with CRYPT_SILENT flag
I tried to open a file. I got an access denied error. No problem, lemme check the ACL and finally the “effective permission”. Oh! I have full access. Hmmm…..What could be wrong? OK, lemme see if the file is encrypted. Yes, it is. Do I have the corresponding certificate?
Read More...
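The diagnosis sequence in the teaser (check the DACL, check whether the file is EFS-encrypted, check whether you hold a matching EFS certificate) can be scripted. The following is an added example, not code from the original post; it assumes a Windows host with EFS, is run as the user who received the access denied error, and uses a placeholder path in `$path`. The EFS enhanced key usage OID `1.3.6.1.4.1.311.10.3.4` is the one Windows uses for EFS certificates.

```powershell
# Added example (not from the original post). Assumes Windows with EFS; $path is a
# placeholder for the file that returned "access denied".
$path = 'C:\data\report.docx'

$item = Get-Item -LiteralPath $path
$encrypted = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
"Encrypted attribute set: $encrypted"

# Step 1 of the post: what the DACL grants. (True "effective permission" also
# depends on group membership; this lists only the explicit ACEs.)
(Get-Acl -LiteralPath $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

if ($encrypted) {
    # Step 2: cipher /c prints the users (and certificate thumbprints) that can
    # decrypt the file, plus any recovery agents.
    cipher.exe /c $path

    # Step 3: do I hold an EFS certificate with its private key? Compare the
    # thumbprint printed here with the ones listed by cipher /c above.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4')
        } |
        Select-Object Thumbprint, Subject, NotAfter
}
```

If the file is encrypted and none of your private-key-bearing EFS certificates appears in the `cipher /c` output, the DACL is irrelevant: NTFS will grant the open, but the EFS filter cannot unwrap the file encryption key for you, and the result surfaces as access denied.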
25 October 2007
SQL Server Lock table and Hollywood business
Could there be a security risk in locking a database table? Even if there is a risk, could it impact Hollywood? Consider this. Suppose you are running a website which provides a movie ticket (or DVD rental) booking service. As new movies are released,
Read More...
22 October 2007
IIS authentication methods
No, this is not yet another tutorial on how to use IIS authentication methods. This post is about how to find out the "effective" authentication method. Q: In the pic below, what will be the authentication method used by IIS? If you took more than 2 seconds
Read More...
16 October 2007
Unnecessary authentication part II
Here is another example. I stumbled upon this website (see attached pic) which was asking me for a username, password AND HIP (captcha image). I hadn’t made any wrong password attempts and had also checked it from my home connection. I just don’t understand why
Read More...
10 October 2007
DPAPI entropy tip and importance of obfuscation
Have you ever wondered why the CryptProtectData function asks for "Optional Entropy"? Entropy in the crypto world is defined as "randomness". Though it is quite difficult for a computer to generate a true random value, in the context of DPAPI one can choose a random
Read More...
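To see what the optional entropy parameter actually buys you, here is an added example that is not part of the original post. It uses the .NET `ProtectedData` class, which wraps `CryptProtectData`/`CryptUnprotectData`, and assumes Windows PowerShell on a Windows host; the secret and entropy strings are constructed sample values.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell on Windows;
# System.Security.Cryptography.ProtectedData wraps CryptProtectData/CryptUnprotectData.
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [System.Text.Encoding]::UTF8.GetBytes('db-password-example')   # constructed sample
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')  # constructed sample

# The same plaintext protected twice: once with no entropy, once with entropy.
$blobNoEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null,    $scope)
$blobEntropy   = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# Without entropy, any code running under this user account can recover the value.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blobNoEntropy, $null, $scope)
'No entropy, same user, no entropy supplied : ' + [System.Text.Encoding]::UTF8.GetString($plain)

# With entropy, the same user account is not enough; DPAPI mixes the entropy into
# the key derivation, so Unprotect without it fails with a CryptographicException.
try {
    [System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $null, $scope) | Out-Null
    'Entropy blob, no entropy supplied        : UNEXPECTED success'
} catch {
    'Entropy blob, no entropy supplied        : failed (' + $_.Exception.GetType().Name + ')'
}

# Supplying the same entropy bytes succeeds.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $entropy, $scope)
'Entropy blob, correct entropy supplied     : ' + [System.Text.Encoding]::UTF8.GetString($plain)
```

The practical catch is that the application needs the entropy bytes at runtime, so they live somewhere on the box (a config file, a resource, a code constant). Entropy only narrows "anything running as this user" down to "anything that can also find the entropy", which is why the post's title pairs the tip with obfuscation.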
03 October 2007
Unnecessary authentication
After a long time I called up my share broker’s customer support. They are one of India’s best and biggest brokers. I was greeted with an automated message “please dial your customer id”. I did. And then “please enter your PIN”. I did. And then comes
Read More...
Security is not an eight letter word
Recent Posts
[rant] SSL=Security
Forgot password security design
Security Summit 2007
CryptAcquireContext with CRYPT_SILENT flag
SQL Server Lock table and Hollywood business
Tags
authentication
Bad
code review
dpapi
efs
General
hash
iis
password
RMS
SSL
threats
tips
Archives
July 2008 (1)
February 2008 (1)
November 2007 (1)
October 2007 (6)
September 2007 (2)
April 2007 (1)
Links
Michael Howard
ACE team
This blog is provided "AS IS" with no warranties, and confers no rights. Opinions are not necessarily of Microsoft.