Michael Howard, David LeBlanc and John Viega have written a book called The 19 Deadly Sins of Software Security, which is to be published soon.
It explains the most important security issues one encounters in the software industry in a Design Patterns-like format. Each software security Sin is structured according to the following sections: Overview, The Sin Explained, Sample Code Defect, Spotting the Defect Pattern, Spotting the Defect during Code Review, Testing the Defect during Test, Example Defects, Redemption Steps, Extra Defensive Measures, Other Resources, Summary.
The 19 chapters, or Sins, each 10-15 pages long:
(via Dana Epp)
The new release fixes a few bugs, but more importantly it fixes a security issue. All users are advised to upgrade.
Somebody got hacked by a complete fool without any sort of clue. What the attacker (i.e. script kiddie) tried to do (and how he failed) is actually quite funny IMHO.
E.g., after trying
rm -rf bash_history
(notice the missing dot in the filename) he wanted to be really sure and issued
Surely, his tracks are perfectly covered now. Nobody will ever know.
(via EDV - Ende Der Vernunft)
As most of you probably noticed, the design and structure of my homepage and my blog changed quite a bit a few days ago.
That was me upgrading to Drupal 4.6.1, which makes my life a lot easier, has a bunch of new features (e.g. my blog now has del.icio.us-like tags) and bugfixes, and most importantly fixes a serious security issue.
Two days ago I tried to help a bit with the new Drupal 4.6.2 release, which mainly fixes two major security problems. The first one is an issue with incorrect input validation, resulting in the DRUPAL-SA-2005-002 security advisory. The second one is a problem in the XML-RPC library shipped with Drupal (and Wordpress, and PostNuke, and...), resulting in DRUPAL-SA-2005-003.
It was quite a fun experience for me: the release was coordinated and discussed on IRC, and we had lots of peer review of the advisories and the release announcement, testing of the patches, etc. Thanks to all who participated and made this such a great experience.
I have updated my iptables scripts today, mostly minor improvements and documentation updates in fw_laptop. I also added a new script called fw_blockall, which literally blocks everything (incoming, outgoing, and forwarded packets, packets from/to localhost, pings). This might be useful sometimes.
Any comments and suggestions for improvements are highly welcome!
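For readers who want to see what a "block everything" ruleset of the kind fw_blockall implements looks like, here is an added example written for this page. It is not the author's fw_blockall script, and the function names (fw_blockall_rules, fw_blockall_drop_policies) and the APPLY switch are the example's own. It flushes all tables, sets the default policy of INPUT, OUTPUT and FORWARD to DROP, and then adds explicit DROP rules for loopback traffic and ICMP echo so the intent stays visible in `iptables -L` even if someone later loosens a policy.

```shell
#!/bin/sh
# Added example (not the author's fw_blockall): a minimal iptables ruleset
# that blocks all incoming, outgoing and forwarded packets, traffic from/to
# localhost, and pings. The names fw_blockall_rules, fw_blockall_drop_policies
# and the APPLY variable are this example's own assumptions.

IPTABLES=${IPTABLES:-iptables}

# Emit the ruleset as text, one command per line, so it can be reviewed
# (or diffed against a running host) before anything is applied.
fw_blockall_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -i lo -j DROP
$IPTABLES -A OUTPUT -o lo -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j DROP
EOF
}

# Self-check: count the built-in filter chains that end up with a DROP policy.
# A complete block-all ruleset must close all three (INPUT, OUTPUT, FORWARD).
fw_blockall_drop_policies() {
    fw_blockall_rules | grep -c -- '-P [A-Z]* DROP'
}

# Apply only when explicitly asked for. This locks a remote host out
# completely, sshd included, so run it on the console or with a scheduled
# rollback (e.g. an "at" job that restores the previous ruleset).
if [ "${APPLY:-0}" = "1" ]; then
    fw_blockall_rules | sh -e
fi
```

Run it without arguments to print the ruleset; run `APPLY=1 sh fw_blockall.sh` as root to apply it. Note that the explicit loopback and ICMP rules are redundant while the policies are DROP, but they document the decision and keep localhost and pings blocked even if a later script resets a policy to ACCEPT. The ruleset only covers IPv4; a host with IPv6 enabled needs the same treatment with ip6tables.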