Archive for February, 2007

More errata than sendmail

jm February 26th, 2007

A couple of interesting errata, courtesy of Herr Doktor Professor rCs:

Downtime & Couch Cushions

blog February 20th, 2007

Our service provider is performing maintenance, so TAoSSA.com may be unavailable on Wednesday 21 February sometime between 12AM EST (-0500 GMT) and 8AM. I guess this is what we get for basing our budget on the change we found in John’s couch cushions.

We expect the actual outage to be brief and weren’t planning on posting anything new during that period anyway. Besides, our Google rank proves that you really come here for only one thing: Death Bunnies. Fortunately they’re hosted elsewhere on redundant, fault-tolerant, load balanced servers.

Same-Origin Policy Part 2: Server-Provided Policies?

justin February 17th, 2007

Last week I presented an overview of the same-origin policy and different attacks against it. This week I’m going to take a cue from Robert Seacord and propose a solution to the problem. It’s probably not the ideal solution, but maybe it will start some discussion and lead to something more complete. I had also intended to explore some related proposals first, but I’ve decided I’ll present my own idea before I start a debate on other suggestions.

Who needs ISBNs, anyway?

mark February 13th, 2007

Hi guys,

In a post we did recently, we pointed to informit, who is selling our book at a 40% discount. However, due to a mixup with ISBNs, both informit and AW Professional marked our book as unavailable, and so you were unable to actually purchase it at either of these sites. Well, the problem seems to have finally been resolved, and the sale still appears to be running. Get it while it’s hot!

Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF

justin February 8th, 2007

The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploits of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a user and a website by circumventing the same basic protection mechanism: the same-origin policy.

In my experience most developers—and even many security people—don’t really know what the same-origin policy is. Worse yet, the rise of AJAX and mash-ups seems to have turned same-origin into something developers are trying to break. Complicating the issue further are the weaknesses in most browsers’ implementations of same-origin, leaving open questions about the effectiveness of the policy itself. So, I’ve decided to try and capture all of the information surrounding same-origin in one place. I also have my own thoughts on the value of the model itself, but I’ll save those for the end.

Discounts and Death Bunnies

justin February 3rd, 2007

This is just a short post to let you know we haven’t forgotten the blog. Things have been pretty busy for the three of us and we haven’t had an opportunity to finish off any new content. The fact is that we still haven’t figured out that whole trick of referencing other people’s content while adding pithy summaries and unique insight.

Since there’s nothing new to show you at the moment I’ll try to bribe you instead. Informit has our book on sale for $32.99 right now, which is about $20 less than everywhere else. It’s almost like I’m giving you $20 out of my own pocket. Failing that, perhaps you’ll be distracted by our death bunnies.