Stories by Roger A. Grimes

Roger A. Grimes's image

Should vendors close all security holes?

In the past I have argued that vendors should close all known security holes. This week a reader wrote me with a somewhat interesting argument that I'm still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

Roger A. Grimes | 17 May | Read more

How to become an exceptional security manager

I recently listened to a wonderful science program on National Public Radio discussing a book called Better: A Surgeon's Notes on Performance along with its author, Dr. Atul Gawande. The book discusses the reasons why some practitioners excel while others just meet the standards or perform poorly.

Roger A. Grimes | 30 Apr | Read more

DNS attack puts in perspective

A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

Roger A. Grimes | 20 Feb | Read more

Vulnerability counts do matter

It happened again! I got into yet another discussion over the security of Microsoft Windows versus some other operating system. Usually it starts with some reader's knee-jerk emotional reaction -- saying "Windows sucks!" or something like that.

Roger A. Grimes | 08 Feb | Read more

Handling password hashes

Many of today's computer passwords are stored and transmitted in a cryptographic hashed form. A strong password hash algorithm ensures that if the password hash is obtained by unauthorized parties that it is non-trivial to convert the hash back to the original plain text password (assuming the password is not trivial to guess at in the first place).

Roger A. Grimes | 11 Jan | Read more

Corporate security's evolution

Most security solutions are a trade-off of ease-of-use versus security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.

Roger A. Grimes | 08 Aug | Read more

The real security solution

I had yet another computer journalist call me to ask if Vendor X's security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they've read the vendor's own PR, another newspaper article, or even my own column touting a particular product.

Roger A. Grimes | 04 Jul | Read more

How SSL-evading Trojans work

SSL-evading Trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today's Internet banking and financial institutions. As with any Trojan, this type can do anything allowed by the user's security permissions.

Roger A. Grimes | 02 May | Read more

The buzz about fuzzers

Writing perfect secure code is hard. Daniel J. Bernstein has probably come the closest to it in practical, publicly released software. With his almost maniacal drive for security perfection, he has written multitudes of software that remain unbroken.

Roger A. Grimes | 13 Sep | Read more