Monthly Archives: July 2009

Isn’t C++ wonderful

The Register: Tiny typo blamed for massive IE security fail

A rogue ampersand (“&”) created a security hole in the MSVidCtl ActiveX control that hackers began exploiting early this month. A blog posting on Microsoft’s Security Development Lifecycle (SDL) by Michael Howard, a security program manager at Microsoft, explained that the minor typo corrupted the code used by the ActiveX control. This in turn created a buffer-overflow bug, he explains.

I think you could argue this is caused by a design fault in C++.
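To make the C++ angle concrete, here is an added example (constructed for this post; it is not Microsoft's code and does not reproduce the MSVidCtl source, which the article does not quote). A stream with a void* destination accepts "&buffer" as happily as "buffer", because any object pointer converts to void* without complaint; a wrapper that takes a typed reference turns that slip into a compile error and checks the length before copying. UntypedStream, read_into and the sample payload are all assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Constructed stand-in for a COM-style stream (not the MSVidCtl code):
// the void* destination is exactly what lets "&buffer" compile as
// readily as "buffer", since any object pointer converts to void*.
struct UntypedStream {
    std::vector<uint8_t> payload;
    size_t pos = 0;

    size_t Read(void* dst, size_t n) {
        size_t avail = payload.size() - pos;
        size_t take = n < avail ? n : avail;
        std::memcpy(dst, payload.data() + pos, take);
        pos += take;
        return take;
    }
};

// The language property behind the typo: a pointer-to-pointer converts
// to void* silently, so the call site gets no help from the type checker.
constexpr bool untyped_sink_accepts_pointer_to_pointer() {
    return std::is_convertible<uint8_t**, void*>::value;
}

// Hardened wrapper: the destination is a typed container reference, so
// passing "&buf" (a vector<uint8_t>*) is a compile error rather than a
// write into the wrong object, and the length is checked before copying.
size_t read_into(UntypedStream& s, std::vector<uint8_t>& dst, size_t n) {
    if (n > dst.size())
        throw std::length_error("read length exceeds destination buffer");
    return s.Read(dst.data(), n);
}

// Correct use: 8 bytes of a constructed payload land in an 8-byte buffer.
bool correct_read_lands_in_buffer() {
    UntypedStream s{{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}};
    std::vector<uint8_t> buf(8);
    // read_into(s, &buf, 8);  // does not compile: vector<uint8_t>* is not vector<uint8_t>&
    size_t got = read_into(s, buf, 8);
    return got == 8 && buf[0] == 1 && buf[7] == 8;
}

// Failure mode: an over-long read is refused instead of overrunning.
bool oversized_read_is_rejected() {
    UntypedStream s{{1, 2, 3, 4}};
    std::vector<uint8_t> buf(2);
    try {
        read_into(s, buf, 4);
        return false;
    } catch (const std::length_error&) {
        return true;
    }
}
```

The point of the wrapper is not the length check on its own but that the destination's type now says what it is; a raw void* sink cannot distinguish a buffer from the variable that holds the buffer's address.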

The anti-EULA

via Cafe con Leche: ReasonableAgreement.org

READ CAREFULLY. By [accepting this material|accepting this payment|accepting this business-card|viewing this t-shirt|reading this sticker] you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies (“BOGUS AGREEMENTS”) that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

An interesting security bug

Clever attack exploits fully-patched Linux kernel

This is the part I find interesting (emphasis added):

The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable doesn’t point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS.

That sounds like a bug in the compiler’s optimization routines.
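An added example of the code shape that lets an optimizer drop a NULL check (constructed for this post, not the kernel's net/tun source, which the article does not quote): if the pointer is dereferenced before it is tested, the compiler may treat the later test as unreachable and delete it; testing first keeps the check meaningful. TunLike, SockLike and the sample values are assumptions for the illustration.

```cpp
#include <cstddef>

// Constructed stand-ins for a kernel object and the socket it embeds
// (not the real net/tun structures).
struct SockLike { int family; };
struct TunLike { int flags; SockLike* sk; };

// Ordering that invites the removal described above: `tun` is dereferenced
// first, so a compiler is entitled to assume it is non-null and to drop the
// later `if (!tun)` test as dead code. Kept only to show the ordering; it
// is never called with a null pointer here.
int family_check_after_deref(const TunLike* tun) {
    SockLike* sk = tun->sk;          // dereference comes first
    if (!tun) return -1;             // may be removed by the optimizer
    if (!sk) return -2;
    return sk->family;
}

// Hardened ordering: test the pointer before anything touches it, so the
// check cannot be reasoned away.
int family_check_before_deref(const TunLike* tun) {
    if (!tun) return -1;             // check precedes the dereference
    const SockLike* sk = tun->sk;
    if (!sk) return -2;
    return sk->family;
}

// Constructed sample: a valid object, on which both orderings agree.
int sample_family() {
    SockLike sk{2};                  // 2 stands in for an address-family constant
    TunLike tun{0, &sk};
    return family_check_before_deref(&tun);
}

bool both_orderings_agree_on_valid_object() {
    SockLike sk{2};
    TunLike tun{0, &sk};
    return family_check_after_deref(&tun) == family_check_before_deref(&tun);
}
```

GCC also has -fno-delete-null-pointer-checks, which switches this transformation off, but the check-first ordering is the fix that does not depend on a compiler flag.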

That’s a great way to put it

I was reading this article about the CTO of a company that makes an open-source Enterprise Service Bus saying that you shouldn’t use one unless you really need it, and I liked this quote:

Architects and developers using an ESB in these cases are probably engaging in “resume-driven development (RDD).” If anybody asks you if you’ve deployed an ESB in an application you’ve worked on you can say, yes. And then you can hope the hiring manager doesn’t ask if the application really required the technology.

“Resume-driven development.” I like that; I’ll have to remember it.