Stories by Roger A. Grimes


Should vendors close all security holes?

In the past I have argued that vendors should close all known security holes. This week a reader wrote me with a somewhat interesting argument that I'm still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

Roger A. Grimes | 17 May

How to become an exceptional security manager

I recently listened to a wonderful science program on National Public Radio discussing a book called Better: A Surgeon's Notes on Performance along with its author, Dr. Atul Gawande. The book discusses the reasons why some practitioners excel while others just meet the standards or perform poorly.

Roger A. Grimes | 30 Apr

DNS attack puts in perspective

A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

Roger A. Grimes | 20 Feb

Vulnerability counts do matter

It happened again! I got into yet another argument...er...heated discussion over the security of Microsoft Windows versus some other operating system. Usually it starts with some reader's knee-jerk emotional reaction -- saying "Windows sucks!" or something like that.

Roger A. Grimes | 08 Feb

Handling password hashes

Many of today's computer passwords are stored and transmitted in a cryptographically hashed form. A strong password hash algorithm ensures that if the password hash is obtained by unauthorized parties, it is non-trivial to convert the hash back to the original plaintext password (assuming the password is not trivial to guess in the first place).

Roger A. Grimes | 11 Jan

Corporate security's evolution

Most security solutions are a trade-off of ease-of-use versus security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.

Roger A. Grimes | 08 Aug

The real security solution

I had yet another computer journalist call me to ask if Vendor X's security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they've read the vendor's own PR, another newspaper article, or even my own column touting a particular product.

Roger A. Grimes | 04 Jul

How SSL-evading Trojans work

SSL-evading Trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today's Internet banking and financial institutions. As with any Trojan, this type can do anything allowed by the user's security permissions.

Roger A. Grimes | 02 May

The buzz about fuzzers

Writing perfect secure code is hard. Daniel J. Bernstein has probably come the closest to it in practical, publicly released software. With his almost maniacal drive for security perfection, he has written multitudes of software that remain unbroken.

Roger A. Grimes | 13 Sep