French Regulators Say ‘Non’ to Windows 10’s Data Gathering

A French regulatory agency this week said the data Microsoft collects on users of Windows 10 is “excessive” and ordered the company to stop. The French National Data Protection Commission (CNIL) made the charge in a formal notice filed Wednesday. It gave Microsoft three months to change a number of data-gathering methods that the agency…

Java Security Updates May Not Actually Be Secure

With Java SE reportedly installed on 850 million PCs, the “Java Update Available” popup has become a well-known nuisance. But keeping software up-to-date is supposed to help protect us. According to the FTC, Java updates might be an exception to that rule. The key issue is that Java updates have not always removed older…

Turn off the Attach Security Warning Dialog in Visual Studio

How many clicks has this dialog eaten out of your life? The idea for the warning is good because, you know, SECURITY. However, if you’re developing web apps or anything running in IIS, this gets old by the thousandth time you click the Attach button. It’s easy to turn off with an undocumented registry key.…

New Report Cites Significant Security Vulnerabilities in Android Devices

Security firm TrendMicro has released a new report that states that 75% of users are vulnerable to multiple attacks. In their latest Quarterly Security Roundup, TrendLabs calls out several key vulnerabilities in recent Android OS including the FakeID issue and Android Browser flaws. The FakeID vulnerability was originally discovered earlier this year by BlueBox Labs and…

Comodo SSL Certificate Breach’s Potential Impact on Security Token Services and their Identity Providers

Recently, Iranian crackers used a username and password to make certificate requests from the Comodo Certificate Authority. These requests were successful and certificates were issued for 9 domains which are published on the Comodo Fraud Incident Report page: http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html  This issue is of particular importance to me because SSL is the primary mechanism by which…

Disabling the Visual Studio Source Server Security Warning Dialog

The estimable Ed Blankenship posted a must-read article for everyone using TFS 2010: Source Server and Symbol Server Support in TFS 2010. Bookmark that article because it’s the one-stop shop for all the best practices for symbol server, source indexing, and everything related to them for VS and TFS 2010. Once you get…

Silverlight on IE6: Nagging Security Bug

Do you have a wonderful Silverlight application that you enjoy running in all of the glorious browser flavors available, only to find out that some weird quirky issue pops up in our old friend, Internet Explorer version 6.0 (IE6)? Perhaps you were as puzzled as we were when IE6 would complain with a “Security warning:…

Security Implications Of Services Impersonating Callers

In my last post (Caller Impersonation for WCF Services Hosted Under IIS Appears Broken), I laid out my rationale for why I felt that the security of services impersonating a caller when hosted under IIS was broken. To be responsible, I feel it necessary to follow up my previous assertion by noting that such a configuration…

.NET Questions regarding JIT compiler/strong-naming security

A reader of my books asked me some .NET Questions regarding JIT compiler/strong-naming security. I thought I’d share his questions and my answers with you: 1. According to Microsoft documentation the Just In-Time Compiler takes the following attributes of the machine into account when producing the executable code. Define how these factors alter the output.…

Congress to Up the Ante on Network Security

For more than a year now, I’ve been telling audiences to expect laws to be passed requiring companies to divulge breaches of network security. California already has such a law. Now Congress is debating a similar federal law that requires companies to let consumers know when personal data that could be used in identity theft is compromised…

Security Trimming and Health Monitoring, Oh My!

I wasn’t that excited about ASP.NET 2.0’s new site navigation infrastructure until I discovered security trimming. Security trimming enables site map nodes to be selectively shown and hidden based on the role or roles that the requestor belongs to. For example, if you have an Admin link in your site’s navigation bar, you can tell…