Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Stories · 1,971
Microsoft Launches Visual Studio Express, VS 2005 Beta
An anonymous reader writes "At the TechEd Europe keynote today, Microsoft launched Visual Studio 2005 Beta 1. With it, they also released a set of five 'Express Editions' of Visual Studio. These currently free applications offer a student and hobbyist-oriented version of Visual Studio, and are available in C#, C++, VB, Web Developer, and SQL flavors. Each download weighs in at right around 50MB and features tools, documentation, and starter kits. There have been multiple posts and more information on this announcement over at MSDN Blogs, too." Update: 06/29 13:57 GMT by S: A clarification from the Express FAQ: Although the Beta Express products are currently free to download: "We have not announced pricing and licensing and will not do so until next calendar year." -
Should Colleges Monitor Students' PCs?
dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all Windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply Windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step forward, two steps backward' approach to network safety, as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?" -
We've Been Hacked... or Have We?
hidden_fire asks: "I recently got a job as a Web Programmer at a web company that hosts many sites. The company had many badly firewalled Windows and Linux servers without any security patches, and a shared administrator password. I warned them that they needed to improve their security, but was ignored until a hacker kindly emailed them proof that their credit-card server was compromised, and the Sasser Worm took us offline. Now, I've been allowed to rebuild the compromised box and tighten our firewalling, but our other servers show many signs of possibly being compromised including unexplained outgoing traffic, a Linux kernel lockup, strange ports being open, and performance issues. I think we are possibly providing hosting for undetectable spammers but the boss thinks I'm paranoid, and says that I need to be working on paying work, not security. Has anybody else been in this situation? How can I detect these guys if their tools don't show in virus scans?" -
Corporate Servers Spreading IE Virus [Updated]
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J: A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J: Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa? -
Report From "Get The Facts"
Richard W.M. Jones writes "Huw Lynes wrote an interesting report from Microsoft's "Get The Facts" show in London (earlier Slashdot story). Along with the report he provides some analysis of their apparent strategy, which includes equating "Shared Source" with "Open Source" and making out that Linux isn't free." -
Skolelinux Project Releases Version 1.0
jakobgrimstveit writes "After about three years of hard work, Skolelinux (with its own cute Tux-with-bag mascot) 1.0 is released to the public. The distribution was started as a reaction to how much the Norwegian schools and the government relied on systems using closed source. Skolelinux is meant to be an easy way to set up a large and secure network of LTSP thin clients (normally PXE boot) for regular users. The Skolelinux organization won the Norwegian Free Software Prize in 2002. The distribution is based on Debian GNU/Linux, and is also being used and evaluated [1] [2] in several places in Africa due to its low demands on the client PC. Kudos to the developers and good luck!" -
Microsoft's Magical 'Myth-Busting' Tour
Mz6 writes "Microsoft has launched its 'Get the Facts' road show -- the tech equivalent of a political battle bus -- to tour the country and convince the wavering that Redmond is at least as cheap and as secure as its open-source rival, and to spread the word that Windows is better than Linux. Nick McGrath, Microsoft's head of platform strategy, described the campaign as 'a reality check we're bringing out', aiming to tackle the 'myths' surrounding Linux. Microsoft's road show will be in Edinburgh on June 17, Manchester on June 29 and Newport on July 7." -
Mozilla, Opera Form Group to Develop Web App Specs
An anonymous reader writes "MozillaZine is reporting that the Mozilla Foundation and Opera Software have formed a working group to develop specifications for Web applications. The new Web Hypertext Application Technology Working Group is working on specs for Web Forms 2.0, Web Apps 1.0 and Web Controls 1.0, among others. This is being done outside of the W3C, with the hope of getting a viable alternative to Longhorn's XAML available soon. Another reason for working outside the W3C could be the rift between Mozilla/Opera and other W3C members over what technologies Web application solutions should be based on: Mozilla/Opera favour a backwards-compatible HTML-based standard, while others are looking towards XForms and SVG. It will be interesting to see if any other browser developers jump on board WHATWG." This story builds on our recent story concerning the group. -
Windows Users Fear Korgo Virus
An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator, where he/she can steal your passwords and credit card information. The virus, named Korgo, started showing up in the last week of May but now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall." -
Windows Media Player 10 Beta Released
An anonymous reader writes "Microsoft today officially announced the public availability of Windows Media Player 10 Technical Beta. These screenshots reveal how Microsoft is integrating music service subscriptions such as Napster and video service subscription from CinemaNow. Is Microsoft trying to start competing with iTunes with this new music service integration?" -
Python Development Environments?
baxissimo asks: "I've played around with Python a bit, and as a scripting language I quite like it. So I sat down the other day to see if I could use it to make a modest OpenGL/GUI application on Windows. The short story is I gave up. I couldn't get the Python IDE I had to run--but that didn't stop me. At first I just shrugged my shoulders and said to myself 'Ah, who needs it? I've got emacs,' and then proceeded to waste a few hours trying to cobble together an app that would run before it dawned on me that Python without a decent IDE is definitely not easier to use than C++ with an IDE. So is anyone out there actually using Python to make serious apps? What tools are you using?" "I've heard the wxPython bindings are nice for the GUI bits, so I downloaded those, and pyOpenGL, and numPy, and PIL, etc. The only recommendation I really saw anywhere for an IDE was for boaConstructor, so I got that. Unfortunately it only spit out a useless error message on startup and died. What I'd really like to start doing is creating C++/Python hybrids, but given that I was unable to successfully debug a pure Python app, I'm wondering what it's going to be like when my bugs might be in either language. How do people deal with this? What tools help you get the job done? If there's nothing free that works, are there any commercial IDEs worth the money?" -
Microsoft Extends Product Lifecycle
An anonymous reader writes "Microsoft has decided to extend product support on business and developer products effective June 1, 2004. Mainstream support remains unchanged at 5 years, extended support is greatly extended from 2 to 5 years and Online self-help support is extended from 8 to 10 years. I have to say kudos to Microsoft on this one." -
CPL Announces $1,000,000 Gaming World Tour
George Kaspiris writes "It seems the Cyberathlete Professional League (CPL) has announced a 2005 'CPL World Tour' with one million dollars in cash prizes, the largest cash prize ever for professional videogaming. The tour will include ten worldwide stops." There'll be more information revealed at the CPL World Championships (which includes Counter-Strike, Unreal Tournament 2004, Call Of Duty, Halo PC, and Painkiller tournaments) in Texas this July, and over at independent eSports site Gotfrag, reaction has been largely positive, with commenters arguing "competitive gaming could become kinda like the PGA Tour", although another commenter worries: "Right now, there are far too few teams and players... that have the [financial or scheduling] ability to follow this series of tournaments around." -
Open Maps?
Chilltowner asks: "I'm trying to get local (US) maps together for a community project. I want to able to modify and annotate the maps and provide them free to the public, creating a derivative open work. They also need to be accurate down to the street level and no more than 10 years out of date. I've been searching around for maps available in the public domain or under open licenses, like the Creative Commons licenses allowing derivative works. I've looked at the National Atlas, but the maps, though interesting, aren't detailed enough with street information. The topographical and aerial image maps available through that site are from Terraserver, which are copyrighted to Microsoft. Plus, I really just need simple vector road maps, not USGS rasters. I tried looking at the Census Bureau's TIGER line data, but I can't make heads or tails of it. Are there maps available through other agencies (national or international)? Are there Free/Open-Source Software projects that are making use of public data to build street-level maps for free (as in speech) use?" -
Lindows Allowed to Use Company Name in Holland
Supp0rtLinux writes "It appears that Lindows/Linspire has finally made some headway against Microsoft in the Netherlands. According to this article, the Judge ruled that Linspire's continued, but minimal, use of 'Lindows' for legal and trademark purposes doesn't violate Microsoft's trademark. With the US court date on this issue coming up soon, one can only wonder if Microsoft will have effectively cut off its nose to spite its face. And following immediately on the heels of today's Netherlands news, the latest Michael's Minutes from Linspire pegs all the blame for virus problems on Microsoft and basically says that Linux (well, Lindows anyway) is the cure." -
SPF To Be Integrated With MS 'Caller ID' System
An anonymous reader submits "CNET's news.com is reporting 'An ongoing effort to consolidate antispam authentication schemes took a big step forward with the merging of Sender Policy Framework (SPF) and Microsoft's Caller ID for E-mail.' This is potentially good news." For more background, here are three previous mentions of Microsoft's proposed Caller ID-style system. -
Microsoft Submits Email Caller ID to the IETF
NetWizard writes "Following on the heels of Yahoo submitting DomainKeys, Microsoft decided to submit their "Caller ID" anti-spam proposal as a draft to the IETF. This proposal tries to tie in IP addresses to the domain of the sender just like SPF does. To make things even more interesting, looks like SPF and MSFT's Caller-ID proposals are merging. On a related note, Yahoo submitted an IPR disclosure for DomainKeys to the IETF." -
Microsoft's Real Plan For XNA Gaming Domination?
h0tblack writes "While many have heard about the XNA 'game software development platform' from Microsoft's announcements at GDC earlier this year, the full scope of their plans are only just becoming clear. Eurogamer has a surprisingly candid interview with J Allard covering the latest plans from Redmond. XNA isn't a rehash of DirectX tools for the Xbox2, PC and WinCE devices after all, it's a full-on assault on the gaming world, with the prize being complete dominance of the market. The site also has a BitTorrent of the interview, since it was originally recorded in video form." -
Microsoft Office 2004 for Mac Released
kylea writes "Office 2004 for Mac OS X has finally been released. From the Apple page: The latest improvements to the Office productivity suite promise new approaches to create, manage and distribute your projects. New features and tools in the programs help you get work done more efficiently. And now you can extend your reach beyond Office with greatly improved AppleScript support." -
IBM To Announce Web-Based Desktop Apps
mgoulding writes "IBM is expected to announce a software bundle targeted to business users that will challenge the Microsoft Office package. Unlike Office, the email, word-processing, spreadsheet, and database products will be accessible to Linux, Unix, and handheld users through a web server. NewsFeed posts the story from CNET." It's certainly something that's been tried before - witness sites like MyWebOS (no longer existing). -
FireFox and Longhorn: Meant For Each Other?
News for nerds writes "According to the internetnews.com report, Microsoft's technology evangelist Robert Scoble said in his blog and interview that while he is a user of Firefox, it could be improved if Mozilla developers took advantage of Longhorn technologies such as XAML, Avalon and WinFS, instead of developing it only within the GNOME/Mozilla coalition." -
Best PDA To Read e-Texts On?
GabrielStrange writes "I've been thinking for a while now that I'd like to own some sort of portable device on which I could read e-Texts. This device should be able to read both simple text files (i.e. Project Gutenberg e-Texts) and more complex formats, like Plucker, Acrobat or Microsoft Reader. It should have a fairly high-res display with a backlight that would be easy on the eyes... but doesn't particularly need to be a color display. I'd like it to work with at least one (if not both) of the machines on my desktop, which run Linux 2.6 and MacOS X Panther... And to use a USB port. And I'd like it to have a built in, rechargeable battery, because I already have enough devices to worry about batteries for. And, of course, I don't want to pay very much for it. Anyone got any recommendations for such a device? It's proving to be almost impossible to even obtain an actual list of devices that have these features." -
Microsoft Drops Next-Generation Security Project [updated]
grooveFX points to this CRN article which starts "After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said..." grooveFX writes "Glad to see they actually listen to the gripes from the media and users." Update: 05/05 19:13 GMT by T: phil reed writes "Oops. According to this article on Microsoft Watch, Microsoft really isn't giving up on NGSCB (aka 'Palladium') after all. Microsoft spent much of Day 2 of its Windows Hardware Engineering Conference (WinHEC) here refuting a published report claiming the company has axed its Next Generation Secure Computing Base (NGSCB) security technology." -
Mono Project Releases Beta 1
AArnott writes "Ximian has just released beta 1 of its open-source implementation of the Microsoft .NET platform. Mono allows .NET applications to run on Linux, Mac OS X, Unix, and Windows. Mono 1.0 is slated for release on June 30, 2004." sjanes71 adds "The first 'beta' always gets heaps of attention, and this is the first of three planned for the Mono project. Some of the new features touted for this release, which updates Mono v0.31, include a faster interpreter, a global assembly cache, support for the StrongARM and HPPA platforms, generics support in the VM and C# compiler and an early alpha of System.Windows.Forms. C# and .NET are Microsoft's answer to Sun Microsystems' Java platform, and Project Mono aims to create the Open Source, cross-platform version of Microsoft's new development environment." -
New Windows Worm on the Loose
Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee." -
Microsoft's Strategy Memos
jg21 writes "So Linux made it onto Steve Ballmer's radar screen at last? No mention last year, in his annual strategy memo, but this year there's sentence after sentence - summarized at LinuxWorld this morning - which means, I guess, that 50,000-plus more folks around the world now will be aware of open source...he sent it to everyone in the company! Interestingly, in his public-facing CEO memo, distributed the same day as the internal one, Ballmer in contrast mentions Linux just once. What is it that conjurers call this, ah yes - distraction strategy?" -
The War Of The Word
atari_kid writes "For those who didn't know, Microsoft has an internal blogging service, which is becoming popular with their employees. And even some of their high level managers have their own blog, like Chris Pratley, a group program manager (GPM) for the Word2002 (OfficeXP) project. Mr. Pratley just blogged on his 'personal philosophical' conversion from a Mac geek to a Microsoft devotee & his interesting perspective on the 'Word Processor' wars of the mid-90's and why Microsoft won." -
Microsoft Will Submit 'Caller ID' To The IETF
An anonymous reader submits "According to a recent mailing list post by Harry Katz who is the Program Manager of Exchange at Microsoft, they plan to submit MSFT's "Caller ID" proposal to the IETF: 'I want to inform members of the MARID working group that Microsoft will shortly be submitting the Caller ID for E-mail specification to the IETF as an Informational RFC. We request that the Caller ID specification be considered an input document to the working group's deliberations.'" -
Free Optimizing C++ Compiler from Microsoft
FortranDragon writes "Microsoft has made the command line toolkit for Visual C++ available for a free download. You can use the toolkit to build applications and redistribute them if you want (though you should read the EULA for the details, as always). This is a nice boon for those that have to deal with cross-platform compatibility, especially since Microsoft has tried to make Visual C++ more conformant to the ISO C++ standard. Go forth and compile your favorite OSS or FS programs today. ;-)" -
Friedman on Linux Desktop Expectations
An anonymous reader writes "SearchEnterpriseLinux.com is featuring an interview with Novell/Ximian's Nat Friedman on the increasing interest about the Linux desktop. Quote from the interview - "A day doesn't go by when I don't talk to a Fortune 1000 customer from the financial services market, automotives or others that are not looking at dipping their feet into the Linux desktop." And by the way, both Nat Friedman and Miguel de Icaza's April 12th blog entry have a picture of Miguel and Nat dancing with David Vaskevitch, CTO of Microsoft. Now that's something you don't get to see everyday!" -
Microsoft Announces Three More Critical Vulnerabilities
weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary. -
Microsoft Pays $440M to License InterTrust Patents
theodp writes "Microsoft is paying $440 million to InterTrust to settle a three-year-old patent infringement lawsuit over DRM technology for protecting music, movies and other digital content against piracy. Under the settlement agreement, customers can use Microsoft products and services without a license from InterTrust. Developers, however, may need a license from InterTrust for other uses, including the combination of Microsoft technology with third-party technology." C.J. adds a link to the New York Times' coverage of the settlement. -
Gates on Winsecurity
xandroid writes "Just a couple days after talking about free hardware, Bill Gates has sent an email to customers saying that Microsoft will continue to focus on security, titled 'A Microsoft Progress Report: Security' (MSNBC story, PC Magazine story, Google News' related stories). The email mentions that fast-spreading and destructive viruses and worms are 'threatening the potential of technology to advance business productivity, commerce and communication', but says that to counter the threats, Microsoft will make 'major investments in customer education and partnerships that will help make the computing environment safer and more secure'. He also talks about the XP Service Pack 2, and says that Microsoft is 'working with microprocessor companies, including Intel and AMD, to help Windows...support hardware-enforced data execute protection (also known as NX, or no execute)'." Reader Zephyr_in writes "Macworld reports that the beta-release of Longhorn is likely to be postponed to early 2005 because Microsoft is concentrating first on a security-focused update (SP2) to Windows XP. Earlier this week Gates said Longhorn is 'not a date-driven release.' and said the speculation that the operating system will come out in 2006 is 'probably valid.'" -
Microsoft PR: Looking Under The Hood
mtr writes "An interesting article uncovering some embarrassing and amusing PR practices of our friendly software giant has recently been published by Michael Zalewski. The author recovered change tracking information from all the DOCs published on microsoft.com, and came up with something to cheer you up. It's funny when it happens to others - but even better if it fires back on themselves. Read the full story here." -
Microsoft FUD Machine Aims at OpenOffice.org
Roblimo writes "If you're using Microsoft Office and considering a switch to (free) OpenOffice.org, Microsoft would like you to read their Open Office Competitive Guide first, in which they tell you how much better/faster/cheaper MS Office is than OOo. Taran Rampepersad, an IT consultant in Trinidad, believes this "Competitive Guide" is nothing but FUD, so he wrote a detailed rebuttal to it -- and released his article under the FDL so you can feel free to republish his piece or share it with anyone you like, however you like." A followup to this story. Newsforge and Slashdot are both part of OSDN. -
Why You Should Choose MS Office Over OO.org
sander writes "As noted on linxfr.org, Microsoft has published a competitive guide on OpenOffice.org 1.1 vs Microsoft Office. One of the weirder things they claim in it is that by choosing MS Office over OpenOffice.org one is protected from the threat of viruses. But the giant seems to be sweating -- and with good reason." -
Interesting Uses for Trusted Computing
An anonymous reader writes "The Unlimited Freedom blog has published a new article describing 'interesting' uses of Trusted Computing. (Google cache here). Trusted Computing, as implemented in Microsoft's NGSCB (Palladium) or the Trusted Computing Group (TCPA), has been one of the most controversial technology proposals of recent years, to put it mildly. But the article on Unlimited Freedom offers a new perspective. The author examines 12 different applications which could benefit from access to Trusted Computing technology. And most of them are uncontroversial or would actually improve privacy and anonymity. Among the examples listed are multi-player games, online casinos, P2P networks, anonymous remailers, distributed computing and mobile agents. The analysis provides an interesting contrast to the usual focus on Trusted Computing's impact on control over digital content." -
Microsoft Announces XNA Game Development Platform
Thanks to GameSpot for its story revealing that Microsoft is unveiling its XNA game software development platform later this morning at the Game Developer's Conference in San Jose. XNA is "designed for use with future iterations of all Microsoft game platforms, including Windows, Xbox, and Windows Mobile-based devices" to make simultaneous platform development easier and cheaper, and the company is also expected to announce "Xbox Live-style functionality for billing, security, and matchmaking being made available to Windows developers... [and] the introduction of controllers that are compatible with all Windows and Xbox game players" as part of this move. IGN Xbox has an interview with Microsoft's Jay Allard and Dean Lester which explains XNA as being a cross-platform, evolving toolset that will ensure backwards compatibility, giving the example: "...[if] Adobe was writing an application for Win95, and then WinNT came out there were special features they could take advantages of -- they didn't have to throw it all away and start again." Update: 03/25 00:46 GMT by S: Microsoft has made the official XNA site public, including streaming video from unspecified next-generation games. -
Exploiting Software
prostoalex writes "Why are networked computing environments so insecure? You've heard the story before - early computers were not designed to work in the network environment, and even most software written later was designed to work on benevolent networks. As Bruce Schneier says in the preface to Building Secure Software: How to Break Code, 'We wouldn't have to spend so much time, money and effort on network security if we didn't have such bad software security.'" Read on for prostoalex's review of Exploiting Software, which aims to balance that situation somewhat.
Title: Exploiting Software: How to Break Code
Author: Greg Hoglund, Gary McGraw
Pages: 512
Publisher: Addison Wesley Professional
Rating: 8
Reviewer: Alex Moskalyuk
ISBN: 0201786958
Summary: Techniques and software used to attack applications.
What kind of secure are you after?
Published titles on the topic of software security are numerous, but most of them follow certain patterns. Building Secure Software by Viega and McGraw was mainly concerned with proper techniques and a general software engineering mindset, without going into specifics. Then there was Writing Secure Code, by Howard and LeBlanc, which provided concrete examples and showed the "right way" to do secure coding. I heard the title instantly became required reading at the world's largest software corporation. It's currently in its second edition. Secure Programming Cookbook for C/C++ by Viega and Messier was the hands-on title for those developing C/C++ applications with security in mind, as the cookbook recipes generally gave examples of good code, with each chapter providing some general background information on the topic discussed (I reviewed it on Slashdot in September last year).
Just in case you were wondering, the list above wasn't just retrieved by a quick search at Amazon. My Master's degree, completed last summer, dealt with the topic of software security, and those are the titles I've read preparing to write the theoretical part.
From the other side
With the variety of books on how to write secure software, and what techniques to use to make existing software more secure, there was a niche for a book targeted specifically at those who wanted to break software. Black hat or white hat, network security experts always had titles like Hacking Exposed to give them an idea of what was available in terms of techniques and methodologies used out there. For software security, most of the articles and books would generally tell you something along the lines of "do not use strcpy(), as it introduces buffer overruns." Great, so I won't use strcpy(); did that make my application more secure? Is it more or less hack-proof? What if I am a tester and required to play with this aspect of the application to ensure its security before the product ships? Theoretically, hanging out in the proper IRC rooms and getting lifetime Phrack and 2600 subscriptions should be enough to cover you at the beginning; however, the learning curve here leaves much to be desired, let alone the fact that you will probably be kicked out of the IRC rooms for asking n00b questions. Another path would be to take an expensive training course from someone with a name in the industry, but the price tag for those generally leaves out self-learners and those operating on limited budgets, which adds up to about 99% of software engineers and testers out there.
Exploiting Software to the rescue
Exploiting Software fills the void that existed in this market. Eight chapters take you through the basics and some advanced techniques of attacking software applications with the purpose of executing arbitrary code supplied by an attacker (you).
The book mainly deals with Windows applications on x86 platforms, and some knowledge of C/C++ and the Win32 API is required to go through the example applications. To automate some processes and demonstrate possible attacks the authors use Perl, so knowledge of that would help the reader, too. Some chapters (e.g. the buffer overflow one) show disassembler output, and while you're not expected to read x86 assembly as if it were English, knowledge of how the registers work and how subprocedure calls are handled on this Intel architecture is required. After all, if potential attackers know it, you had better familiarize yourself with some low-level code, too.
While discussing various possible attacks, the authors present different attack patterns. The patterns themselves usually appear in gray text boxes and describe the possible exploit in general terms. After that, a series of attack examples follows, with specific descriptions of what can be done, and how. For example, the attack pattern on page 165 is titled "Leverage executable code in non-executable files." The attack example that follows is "Executable fonts," and it discusses how font files are generally treated by Windows (they are a special form of DLL). Thus it's possible to embed some executable code into a font library you're creating, for which the authors provide an example in Microsoft Visual Studio.
What's cool is that all the attack patterns are listed in a separate table of contents (alas, not in the Web site's table of contents, which just lists the chapters and subchapters), so you can browse to the attack pattern you decide to learn about, read some general info about it and then study specific examples. The examples themselves are not in the table of contents, which I think is a mistake, as including them would make searching for possible patterns much easier. After all, how are you supposed to know that "Informix database file system" (p. 189) is under the "Relative path traversal" pattern? Well, unless you know specifically that the line http://[Informix database host]/ifx/?LO=../../../etc/ is the one discussed in the example, you would have to either go through the index hoping no omissions were made, or read the chapter in its entirety.
One of the best chapters of the book, Reverse Engineering and Program Understanding, which provides a good introduction to the techniques used throughout the book, is available online from Addison Wesley. By having a free chapter you already have 1/8th of the book, but don't think that the low number of chapters makes this 512-page title an introductory book.
Target Audience
It looks like there are two major audiences and reading patterns for this book: those wanting to fix their systems ASAP and thus using Exploiting Software as a reference, and those using it as a textbook to learn about security. I've discussed the organization of the book above, and the reference types will probably be more interested in the patterns and examples. For a casual reader (although casual readers wouldn't generally pick up a title with C++, Perl, ASM and hex dumps spread around the chapters) this is a book with great educational value, from two authors who have discovered numerous security vulnerabilities themselves.
Exploiting Software is not an easy title to read. Addison-Wesley shipped me the manuscript copy a month before it hit the bookshelves in its final version, and I found myself going through about two pages an hour. The authors bring up sometimes-unfamiliar Win32 APIs and occasionally use ready-made tools available on the Web, so I generally found myself visiting MSDN and Google a lot to read through the available documentation and download the latest versions of the tools used. The book doesn't come with a CD. Some of the material, like inserting a malicious BGP packet to exploit a Cisco router (p. 281), is not really testable at home, and I have some reservations about verifying the example on my employer's routers.
The book is probably apt for 2nd or 3rd year computer science students and above. Besides the variety of languages that I mentioned above, you need to be familiar with the basics of the Intel architecture, and generally be fluent with terminology like "buffer," "stack," "syscall," "rootkit," etc., as this is not an "Introduction to..." title. From my experience, you probably won't read it from page 1 to page 512 understanding everything perfectly, but for anyone interested in security and those making a career in software development it looks like a bookshelf must-have.
I interviewed Gary McGraw on the current state of software security, the relevance of the topic to issues beyond C/C++ and improper buffer usage, and future directions in security. Network World magazine also ran an interview with McGraw in which he talks about the reception of the book at the RSA Conference, whether the economics is right to invest in building secure systems, and whether his book does more harm by providing a compendium of known exploits.
Alex has written numerous reviews of other software and security titles. You can read more of his opinions at his Web site. You can purchase Exploiting Software: How to Break Code from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
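Two of the attack classes the review touches on, shown in C as an example added to this page (it is not code from Exploiting Software or its authors): the strcpy() buffer overrun the review quotes the usual advice against, with an unbounded copy next to a bounded one that rejects over-long input rather than truncating it, and the "Relative path traversal" pattern behind the Informix example, as a lexical normalizer that refuses any path climbing above its base directory. The function names, buffer sizes and sample inputs are all constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16      /* capacity of the fixed buffer in the demo */
#define MAX_SEGMENTS 64      /* path depth the normalizer will keep */

/* --- Unbounded versus bounded copy ------------------------------------- */

/* The pattern behind "do not use strcpy()": the copy runs until the source's
 * terminating NUL, so a source of NAME_MAX_LEN bytes or more writes past
 * `name` into whatever sits after it on the stack (saved registers, return
 * address). Kept only for contrast; never reach it with untrusted input. */
void copy_name_unsafe(char name[NAME_MAX_LEN], const char *src)
{
    strcpy(name, src);
}

/* Hardened form: the destination size is an explicit parameter, the scan of
 * `src` is bounded, and over-long input is rejected instead of silently
 * truncated (truncation is its own bug class, e.g. a path cut before its
 * extension). Returns 0 on success, -1 if src does not fit with its NUL. */
int copy_name(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dstsz == 0)
        return -1;
    while (n < dstsz && src[n] != '\0')   /* never reads beyond dstsz bytes */
        n++;
    if (n == dstsz)                       /* no room left for the NUL */
        return -1;
    memcpy(dst, src, n + 1);              /* n < dstsz, NUL included */
    return 0;
}

/* --- Relative path traversal ------------------------------------------- */

/* Lexically normalize the user-supplied relative path `rel` into `out`
 * (capacity outsz) and report whether it stays inside the base directory.
 * Returns 1 and fills `out` (segments joined with '/') when the path is
 * contained; returns 0 for absolute paths, drive-letter paths, paths that
 * climb above the base with "..", or paths too deep or long to hold.
 * Both '/' and '\\' are treated as separators, as Windows does. */
int contain_path(const char *rel, char *out, size_t outsz)
{
    const char *seg[MAX_SEGMENTS];
    size_t      len[MAX_SEGMENTS];
    int         depth = 0, k;
    size_t      n = strlen(rel), i = 0, pos = 0;

    if (outsz == 0)
        return 0;
    /* Absolute paths and "C:..." are never relative to the base. */
    if (n > 0 && (rel[0] == '/' || rel[0] == '\\'))
        return 0;
    if (n > 1 && isalpha((unsigned char)rel[0]) && rel[1] == ':')
        return 0;

    while (i < n) {
        size_t start = i, l;

        while (i < n && rel[i] != '/' && rel[i] != '\\')
            i++;
        l = i - start;
        if (i < n)
            i++;                               /* skip the separator */
        if (l == 0 || (l == 1 && rel[start] == '.'))
            continue;                          /* "//" or "." is a no-op */
        if (l == 2 && rel[start] == '.' && rel[start + 1] == '.') {
            if (depth == 0)
                return 0;                      /* would escape the base */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return 0;
        seg[depth] = rel + start;
        len[depth] = l;
        depth++;
    }

    /* Re-join the surviving segments with a single canonical separator. */
    for (k = 0; k < depth; k++) {
        size_t need = pos + (k > 0 ? 1 : 0) + len[k] + 1;  /* sep + NUL */
        if (need > outsz)
            return 0;
        if (k > 0)
            out[pos++] = '/';
        memcpy(out + pos, seg[k], len[k]);
        pos += len[k];
    }
    out[pos] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the third mirrors the review's Informix URL. */
    const char *paths[] = { "docs/../readme.txt", "./a/./b/",
                            "../../../etc/passwd",
                            "..\\..\\windows\\system32\\cmd.exe" };
    char out[256], name[NAME_MAX_LEN];
    size_t p;

    for (p = 0; p < sizeof paths / sizeof paths[0]; p++)
        printf("%-40s -> %s\n", paths[p],
               contain_path(paths[p], out, sizeof out) ? out : "REJECTED");
    printf("copy \"alice\": %d\n", copy_name(name, sizeof name, "alice"));
    printf("copy 16-byte name: %d\n",
           copy_name(name, sizeof name, "sixteencharacter"));
    return 0;
}
```

Two caveats a tester should keep in mind when using a check like contain_path() against a real application: it is purely lexical, so percent-encoded input such as %2e%2e must be decoded before the check (and only once), and it knows nothing about symbolic links, so on a live file system the final path still needs resolving with realpath() or GetFullPathName() and comparing against the base directory.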
Protecting Our Parents' PCs?
Frustrated Son asks: "I assume that many Slashdot readers must serve as the IT staff for their parents. My folks get my old machines and just enough software to be productive. I try to protect my parents from the forces of evil by installing automatic OS updates, virus checkers, spyware blockers, pop-up blockers... But still I find that my parents end up with unwanted applications and dangerous software. What software or strategies do you use to protect your parents' PCs? Is it possible for inexperienced users to surf the net in safety?" -
Microsoft Customers Get No Bang for Buck
sammy baby writes "Software missing its ship date is commonplace enough that it's usually only mentioned for yuks. However, subscribers to Microsoft's Software Assurance program are discovering that it can have some very real repercussions. According to NetworkWorld, many licensees are discovering that due to slipping release dates, many thousands of dollars spent on these contracts have brought them zero return." -
Latest SnapStream PVR App Reviewed
martensitic writes "Yahoo! posted this positive AP review of the newest version of a third-party PC app designed to compete with TiVo and Microsoft's Media Center. SnapStream's 'Beyond TV 3' (sounds like something Fox would produce) allows streaming to standard web browsers for watching on other computers in your home, and promotes automatic commercial break recognition that has been downplayed in other products. (Previously mentioned here.)" -
Windows XP SP2 Could Break Some Applications
Denver_80203 writes "An article from InfoWorld states that the upcoming Windows XP Service Pack 2 could break some 'unsecure applications.' In a quote, Tony Goodhew, a product manager in Microsoft's developer group, says 'It doesn't really matter how long it is going to take you to do the work; security is an important issue and developers need to start doing that work now.' Or: 'The great bulk of applications will not be affected by memory protection. The number one that leaps to mind is execution environments with just-in-time code generation. The .Net Framework is one.' Fortunately for us, they are offering a course to guide the unsecure masses." -
Microsoft Gadget Keeps Record of Your Life
An anonymous reader writes "SenseCam, touted as a visual diary of sorts by Microsoft Corp., is designed to be worn around the neck and take up to 2,000 images a 12-hour day automatically. The prototype responds to changes such as bright lights and sudden movements and might one day even respond to other stimuli such as heart rate or skin temperature -- to track medical problems as easily as to record a Hawaiian vacation." -
Microsoft Code in Every HD-DVD Player
Neophytus writes "The DVD Forum steering group has given preliminary backing to Microsoft's VC-9 codec along with H.264 and MPEG-2 as mandatory playback modes for HD-DVD players. Having this technology, the most fundamental part of Windows Media Player 9, in every new DVD player could well give Microsoft major leverage into the Cable and Satellite TV markets where currently MPEG2 dominates. The approval is pending an update in licensing terms and other conditions within 60 days." -
Microsoft Releases 'Caller-ID For Email' Specs
gfilion writes "Microsoft has released a draft specification for Caller-ID for email, 'to address the widespread problem of domain spoofing' - the concept is similar to SPF, but it uses XML. There's already a Caller-ID to SPF converter in the works. A few weeks ago, Microsoft discussed compatibility between the projects with Meng Weng Wong (SPF's project leader), but most SPF users are against using XML, so nothing has come of it thus far." We recently covered a brief article mentioning Microsoft's anti-spam work, though this is a clearer indication of their intentions. Update: 02/26 21:36 GMT by T : NewsForge is carrying a brief article with FSF counsel Eben Moglen's take on the draft; Moglen says it is "encumbered with unclear and unnecessary patent license claims." -
Moving from Linux to Windows Desktop?
slyall asks: "I work in the Network/System Admin team for an ISP. Our firm was recently bought by another company that has mandated that my team's desktops be switched over from Linux to Windows XP in the next few weeks. Some of us have used Linux almost exclusively, and going to Windows is a big change. Can people suggest any tips, books or websites to help Linux people shoved into the Windows world (especially those running lots of Linux and Cisco boxes)? We've all got years of experience on Linux but running Windows day to day is a big challenge. We don't yet know if the company will provide us with tools such as Cygwin or Windows Services for UNIX, but we won't be allowed to install random programs and may not have admin access. We're not happy with the change but we're unable to stop it. What we are hoping to do is reduce the performance hit that the changeover is going to cause." This is probably one of those situations where a LiveCD-based distribution, for use in an emergency, might help.