I no longer go in that scary place :shiver:
Microsoft ... the only place where VARIANT_TRUE != true
Well, he looks like a Christmas tree
~RaGE();
I think words like 'destiny' are a way of trying to find order where none exists. - Christian Graus
Entropy isn't what it used to.
One project idea I have is to finally complete and share my mini blog (for my website).
Nothing special about that... the twist I was wondering about is, I want to use it to test and illustrate some possible security attacks (and countermeasures).
The thing is, I am no security expert, just got the bug recently! For some reason I suddenly found security sexy!
So, let me summarize, I want to have part 1: mini blog, part 2: various security attacks.
However I am no security guru and I wanted it to be more interactive, i.e. I have my first version of the article, people comment (with the usual delicacy) "this is crap, you didn't even do security attack XYZ correctly" and then I update the sample with a better security attack (and defense).
Is that a good concept?
On CP there has typically been a reluctance to demonstrate virus code or attack vectors in articles as it can lead to the site being classed as a hacking site. This would then get it blocked by many corporates.
It would completely depend on how it [the article] was written. Sometimes it is just easier to stay away from that area.
I have seen several articles removed over the years because of the potentially malicious content.
The best way would be to simply write the article in a way that says "How to protect yourself from XYZ attack", without actually showing how the attack is done.
Just my thoughts...
The other thing I was going to say was the mantra "Leave security to the experts" very much stands. If it is done wrong the consequences can be devastating as you know.
When you read articles [not necessarily on this site] by individuals who have implemented their own cryptography etc. and see them get torn apart by the experts, it doesn't make pretty reading.
Even the experts get it wrong, there was recently an article on El Reg or somewhere like that, where the experts had written the most secure algorithm to date and it would take 'multiple lifetimes of the universe' (or whatever extremely long time it was) to break. Another expert group analysed it and subsequently broke it in 2 hours.
To answer both your messages...
1. I am currently working as a web developer, we have no particular "security expert", it is my (our?) duty to learn about web security when doing web development... leaving it to some "other senior dev" is no excuse if no one steps up!
2. CodeProject could be categorized as a hacking site, ... this is problematic!!
How can one better himself if any material is censored!?!
While I see the strength of that argument, in my defense I want to emphasize that, along with the attacks, I want to present countermeasures! So this is more like an anti-hacking article!
Is that a good counter argument?
3. The fact that even security experts get security wrong is no excuse to stay ignorant!
4. Finally, I want to learn and share! If I can't share, can't you at least point me to a place to learn those things?!
All material I found by Googling or looking at MSDN was quite hard reading! The only nice reading I found was in my Kindle book about ASP.NET MVC4!!!
Looks interesting! Thanks!
If you just search Amazon Books for "Hacking Exposed"[^] there is a whole series dedicated to different areas, whether it is web/mobile/networks etc.
DaveAuld wrote: The other thing I was going to say was the mantra "Leave security to the experts" very much stands.
What, are they going to review your code and make modifications where required?
You can only learn about security if you know how the lock is broken. I'll be posting a tip on keyloggers (including a link to a working example) later this week.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: What, are they going to review your code and make modifications where required?
That's not where I was coming from.
I am referring to the instances where individuals have written their own crypto libraries or some other implementation when recognised industry standard ones exist, thinking they are doing something clever, but in reality have opened massive holes.
Eddy Vluggen wrote: You can only learn about security if you know how the lock is broken
That is very true, but I personally wouldn't go writing articles on how to break the lock, and would stick to a how-to article on how to survive the lock picking attack.
We (I) don't want this site being blocked at work, or I'll be severely bored!
DaveAuld wrote: That's not where I was coming from.
Granted
DaveAuld wrote: We (I) don't want this site being blocked at work, ...
That did not stop people from explaining how SQL injection works. I think that's a good thing. Even if a company decides to block CP with the argument that CP explains "SQL Injection". Where does one draw the line? How about cross-site scripting?
As for abuse, there's a lot of dangerous code out there. Any VB-script that shows how to execute a DOS-command combined with a DOS-manual is a potential security issue. It does not stand to reason to burn all old MS-DOS manuals.
It is actually WORSE to ban all information on lockpicking than it is to point out how the lock on your door can be bypassed: you assume you're safe while you're not.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
When you write an article you have to respect the fact that there are people out there who know better - real or imaginary...
But! - and this is most important - there are those who know less than you. Learning is like climbing a ladder - you have to go over all the steps. So that part should not be a problem - you have a certain level of knowledge - share it!
About the security attacks/protections - IMHO do not detail the ways of attacks, describe them in a few words (focus on the damage) and move on to the most detailed explanation of the protections...
I'm not questioning your powers of observation; I'm merely remarking upon the paradox of asking a masked man who he is. (V)
Well it is very clear that I will only share attacks for which I can provide a countermeasure!
So that should be .. ok, I guess?!
Apparently there is a security by obscurity culture which has strong censorship power...
Besides, I didn't plan to talk on any particular buffer overflow attack, just the general way a crafty JavaScript attacker can circumvent your site security and how to go about outthinking him!
Sounds all right!
But do not be afraid - if someone finds it otherwise you will be hit and hit hard! It's the way of CPian life
I'm not questioning your powers of observation; I'm merely remarking upon the paradox of asking a masked man who he is. (V)
So you basically want to write articles about a subject as sensitive as security without being an expert at it?
I am not sure what to think about such an idea.
~RaGE();
I think words like 'destiny' are a way of trying to find order where none exists. - Christian Graus
Entropy isn't what it used to.
Very easy, do you think we should delete 87.3% of CodeProject's articles? And tips and tricks?
(percentage carefully taken from the top of my hat!)
Same answer!
Now you know!
Yes, I totally think so.
~RaGE();
I think words like 'destiny' are a way of trying to find order where none exists. - Christian Graus
Entropy isn't what it used to.
Agree with Dave. Mention the attacks (SQL injection, DDoS attacks, etc.) briefly & explain the solution(s) in more detail. Check these articles by @Espen-Harlinn [^] & @JocaPC [^]. I liked both articles very much so picked those for reference.
Thanks for the links, will have a look!
Mmm.. a little comment.. while you were helpful, and Espen Harlinn was probably trying to be helpful too, I think his communication is extremely bad!
Why?
Well, my first impression from his article is "don't bother with security, you are doing it wrong". With a strong emphasis on "don't bother".
I beg to differ! Personally I think some security is better than none and I will ignore the naysayers and pursue my quest for knowledge accordingly!
I think it's not your cup of tea
Espen's article is almost 3 years old. IIRC I think I have asked him to revise that article with more things.
Believe me, that article triggered me to research many things related to security[^]
I like the second article much more!
I was thinking of expanding some more on the same ideas!...