Time to Secure Your Cookies

Posted in: Programming by Steve on October 25, 2010

So I came across this article:

Wow, time to secure your sites.

Autotest in Ruby

Posted in: Programming by Steve on September 29, 2010

Getting constant feedback on the health of your system is always a great thing.  In Rails, you can install a gem called autotest that runs your tests as you change your application and lets you know if you have broken anything.

All you have to do is start a terminal window, and type “autotest”.  That’s it!  You get instant feedback on your tests!

ASP.NET Vulnerability Fix Today

Posted in: Programming by Steve on September 28, 2010

Scott Guthrie announced on his blog that a fix from Microsoft will be available for download sometime today, and that the fix will be available through Windows Update in the coming week(s).

Please make sure to update your servers.

Update (3:00 PM)

Scott Guthrie has a post on all the fixes:

Home Security

Posted in: Home by Steve on September 22, 2010

A house near us was broken into last week.  It was during the middle of the day and they took a lot of the valuables from the house.  My wife and I are now on the lookout to make sure that we always have our house locked up and that we’re watching for shady people in our neighborhood.

I saw this comic from Ctrl-Alt-Del and LOL’d

ASP.NET Vulnerability In Action

Posted in: Programming by Steve on September 20, 2010

Watch how easy it is for a hacker to use a script to get your machine keys, then exploit that to get a file, uploaded using DotNetNuke, to execute on the server.

Scary stuff

See Scott Guthrie’s post on how to fix your site.

ASP.NET Security Vulnerability Fix

Posted in: Programming by Steve on September 19, 2010

In my previous post, ASP.NET Vulnerability, I wrote about an issue in ASP.NET that would allow someone to get information from your 500 errors.  Microsoft has a workaround for this issue.  They recommend changing your web.config so that public servers do not show the “Yellow Screen of Death” and instead display a friendly message to end users.  To do this, change the <customErrors> section of your web.config to look like this:

.NET 3.5 SP1 and later

<location allowOverride="false">
    <!-- <customErrors> lives inside <system.web> in web.config -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
</location>

Earlier than .NET 3.5 SP1

<location allowOverride="false">
    <!-- <customErrors> lives inside <system.web> in web.config -->
    <customErrors mode="On" defaultRedirect="~/error.html" />
</location>

Additionally, either create a static error.html page in a location accessible to the end user or an ErrorPage.aspx as defined in the bulletin from Microsoft.
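One way to check that a web.config carries the settings shown above, as an added example that is not from the original post or from Microsoft's bulletin. The function name `audit_custom_errors` and the three sample configs are constructed for illustration, and the samples place `<customErrors>` under `<system.web>`, its standard parent.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the original post).
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

HARDENED = """<configuration><location allowOverride="false"><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite"
                defaultRedirect="~/ErrorPage.aspx" />
</system.web></location></configuration>"""

LEGACY = """<configuration><location allowOverride="false"><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></location></configuration>"""


def audit_custom_errors(config_xml, net35sp1_or_later=True):
    """Return a list of findings; an empty list means the settings match."""
    root = ET.fromstring(config_xml)
    # iter() finds <customErrors> at any depth, so it is picked up whether
    # it sits directly under <system.web> or inside a <location> wrapper.
    elements = list(root.iter("customErrors"))
    if not elements:
        return ["no <customErrors> element found"]
    findings = []
    for el in elements:
        mode = el.get("mode", "")
        if mode != "On":
            findings.append(f'mode="{mode}", expected "On"')
        if not el.get("defaultRedirect"):
            findings.append("defaultRedirect is missing")
        # redirectMode only applies to .NET 3.5 SP1 and later.
        if net35sp1_or_later and el.get("redirectMode") != "ResponseRewrite":
            findings.append('redirectMode is not "ResponseRewrite"')
    return findings


if __name__ == "__main__":
    print("weak:", audit_custom_errors(WEAK))
    print("hardened:", audit_custom_errors(HARDENED) or "OK")
    print("legacy:", audit_custom_errors(LEGACY, net35sp1_or_later=False) or "OK")
```
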

ASP.NET Vulnerability

Posted in: General by Steve on September 14, 2010

Looks like there’s an AES encryption bug in ASP.NET applications that use Forms Authentication, Membership or Role Providers.

Details will be available on Friday, but this is very disconcerting because even if the person who found this wanted to, he/she would not be able to fix it.  Microsoft has to issue a patch and then test it, then release it (maybe).