Voix Security: Discussing security with emphasis on privacy, cloud, social media, NIST 800 reports, .Net Security, Secure Coding.<br />
Performance of MD5, SHA1, SHA256, SHA384, and SHA512 with C# (posted 2017-04-10)<br />
<span style="font-size: large;">Recently I ran a few performance calculations to see the differences in performance of MD5, SHA1, SHA256, SHA384, and SHA512. I ran the tests on my box with one code set. I compiled my code as a 32-bit program and as a 64-bit program. Besides the performance of each hashing algorithm, I wanted to see the difference that 32-bit and 64-bit compiles would make. </span><br />
<span style="font-size: large;"></span><br />
<span style="font-size: large;"></span><br />
<span style="font-size: large;">My testing method consisted of the following.</span><br />
<ul>
<li><span style="font-size: large;">CPU: Intel(R) Core (TM) i7-4700MQ CPU 2.40GHz</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">OS: Windows 7, 64-bit Operating System</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">Memory: 32.0 GB (31.6 GB usable)</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">Hash string size was 1K.</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">Ran in release mode, (not inside of Visual Studio, language used was C#)</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">Each hash string method was called 10,000 times with a different string to be hashed.</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">Time was accumulated in CPU ticks.</span></li>
<span style="font-size: large;">
</span>
<li><span style="font-size: large;">I ran each program three times.</span></li>
<span style="font-size: large;">
</span></ul>
<div>
<span style="font-size: large;"> </span></div>
<span style="font-size: large;"></span><br />
<span style="font-size: large;">The one thing that stood out to me was SHA-256. I was surprised by the performance, the small difference between 32 and 64-bit programs and the actual time it took to create an SHA-256 hash. After spending some time on the internet I came up with the following.</span><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoin4T-1A-OKQvLszRRR5tHREFiJQp3y3jP_M_aYjLItV_Hvd06D-NhyVdeckOuSYUyPVtgi4juHaXTwZ-Qa11_UQJVULQaBo8iWuHohBGdh8VZGkgAnc-yYgz7Qr8b8mbO6gqJUJcg_mX/s1600/Hashing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="497" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoin4T-1A-OKQvLszRRR5tHREFiJQp3y3jP_M_aYjLItV_Hvd06D-NhyVdeckOuSYUyPVtgi4juHaXTwZ-Qa11_UQJVULQaBo8iWuHohBGdh8VZGkgAnc-yYgz7Qr8b8mbO6gqJUJcg_mX/s640/Hashing.png" width="640" /></a></div>
<br />
<br />
<br />
<span style="font-size: large;">The SHA-256 algorithm generates an almost-unique, fixed-size 256-bit (32-byte) hash. So even on a 64-bit machine, where the word size is larger to push more data through the transformation algorithm, because SHA-256 is using fixed 32-byte data you do not see a larger difference between 32-bit and 64-bit processors. One interesting note is that Microsoft has not updated its core base class from which all implementations of cryptographic hash algorithms derive. The HashAlgorithm class is still using 32-bit transformblocks. I am curious why Microsoft hasn't changed to use a 64-bit transformblock. Would that improve the performance level? I would have thought Microsoft would have a 64-bit version of SHA256.</span><br />
<span style="font-size: large;"><br /></span><br />
<br />
<br />
<i><span style="font-size: large;"><strong>The largest takeaway here is "Do not use MD5 or SHA1". The difference in performance isn't going to hurt your application as much as using an outdated hashing algorithm will.</strong></span></i><br />
<br />
<br />
<br />
<h2>
<span style="font-size: large;">Code.</span></h2>
<h3>
Calling method to create a Hash string. All hashing followed the same template.</h3>
<br />
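static Random random = new Random();<br />
static Int64 MaxIterations = 10000;<br />
static Int16 TotalHashLength = 1024;<br />
// Hashes MaxIterations random strings and writes the accumulated time.<br />
static void MD5()<br />
{<br />
MD5Hash md5Hash = new MD5Hash();<br />
// Run exactly MaxIterations (10,000) hashes; each random string is built before the timed call starts.<br />
for (int i = 0; i < MaxIterations; i++)<br />
{<br />
md5Hash.CalculateHash(RandomString(TotalHashLength));<br />
}<br />
// "file" is the output writer, declared elsewhere in the full program (not shown here).<br />
file.WriteLine("MD5 , {0}", md5Hash.TotalElapseTime().ToString());<br />
}<br />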
<br />
<h3>
Each time a hash was created, a different random string was created using lower case, upper case, number and special printable characters.</h3>
<br />
// Builds a random string of the given length from the character set below.<br />
static string RandomString(int length)<br />
{<br />
const string chars = "Aa0BbCcDd1+EeFf2_GgHh3(IiJj4)KkLl5*MmNn6&OoPp7^QqRr8%SsTt9#UuVv@WwXxYyZz!";<br />
StringBuilder sb = new StringBuilder(length);<br />
for (int i = 0; i < length; i++)<br />
{<br />
// Pick one character at random for each position.<br />
sb.Append(chars[random.Next(chars.Length)]);<br />
}<br />
return sb.ToString();<br />
}<br />
<br />
<h3>
Main hashing calculation for MD5, other hashing methods follow this template.</h3>
<br />
private Stopwatch sw;<br />
private MD5 md5;<br />
private TimeSpan ElapseTime;<br />
<br />
// Hashes one input and adds the time taken to ElapseTime.<br />
// The timed region includes MD5.Create() and the string-to-bytes conversion.<br />
public void CalculateHash(string input)<br />
{<br />
sw = Stopwatch.StartNew();<br />
md5 = MD5.Create();<br />
byte[] inputBytes = System.Text.Encoding.ASCII.GetBytes(input);<br />
byte[] hash = md5.ComputeHash(inputBytes);<br />
sw.Stop();<br />
ElapseTime += sw.Elapsed;<br />
}<br />
<br />
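An added example, not the code from this post or its GitHub repository: one harness that applies the template above to all five algorithms and reports whether the process is 32-bit or 64-bit. Unlike the template, it creates each algorithm once and keeps creation, input generation and encoding outside the timed region; the class name, the fixed seed and the warm-up call are assumptions of this example.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

static class HashBenchmark
{
    const int Iterations = 10000;  // same call count as the post
    const int InputLength = 1024;  // 1K input string, as in the post
    const string Chars =
        "Aa0BbCcDd1+EeFf2_GgHh3(IiJj4)KkLl5*MmNn6&OoPp7^QqRr8%SsTt9#UuVv@WwXxYyZz!";

    // Fixed seed (an assumption of this example) so the 32-bit and 64-bit
    // builds hash exactly the same inputs and the runs are comparable.
    static readonly Random Rng = new Random(12345);

    // Builds one random printable string and returns its ASCII bytes.
    static byte[] RandomInput(int length)
    {
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
        {
            sb.Append(Chars[Rng.Next(Chars.Length)]);
        }
        return Encoding.ASCII.GetBytes(sb.ToString());
    }

    // Returns the Stopwatch ticks spent in ComputeHash over all inputs.
    static long TimeAlgorithm(Func<HashAlgorithm> create, byte[][] inputs)
    {
        using (HashAlgorithm alg = create())
        {
            // Warm-up call so JIT compilation and lazy initialisation
            // are not charged to the first measured hash.
            alg.ComputeHash(inputs[0]);

            Stopwatch sw = Stopwatch.StartNew();
            foreach (byte[] input in inputs)
            {
                alg.ComputeHash(input);
            }
            sw.Stop();
            return sw.ElapsedTicks;
        }
    }

    static void Main()
    {
        // Generate every input up front: a different string per hash call.
        var inputs = new byte[Iterations][];
        for (int i = 0; i < Iterations; i++)
        {
            inputs[i] = RandomInput(InputLength);
        }

        string[] names = { "MD5", "SHA1", "SHA256", "SHA384", "SHA512" };
        Func<HashAlgorithm>[] factories =
        {
            () => MD5.Create(),
            () => SHA1.Create(),
            () => SHA256.Create(),
            () => SHA384.Create(),
            () => SHA512.Create()
        };

        Console.WriteLine("Process: {0}-bit, stopwatch frequency: {1} ticks/s",
            Environment.Is64BitProcess ? 64 : 32, Stopwatch.Frequency);

        for (int i = 0; i < names.Length; i++)
        {
            long ticks = TimeAlgorithm(factories[i], inputs);
            // Convert ticks to microseconds per hash for easier comparison.
            double usPerHash = ticks * 1e6 / Stopwatch.Frequency / Iterations;
            Console.WriteLine("{0,-7}, {1,10} ticks, {2:F3} us/hash",
                names[i], ticks, usPerHash);
        }
    }
}
```

Build it once with the x86 platform target and once with x64, run each outside the debugger in release mode, and compare the two outputs line by line.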
<br />
<br />
<br />
<span style="font-size: large;">For the complete code solution see my GitHub page </span><a href="https://github.com/lwconklin/Hashing" target="_blank"><span style="font-size: large;"> https://github.com/lwconklin/Hashing</span></a><br />
<br />
<span style="font-size: large;">Saving SEC (Security Exchange Commission) one Google search at a time. (posted 2016-05-22)</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Can't really say this was a Google dork since I wasn't querying Google with a special search string. What happened was I was searching Google with my eyes wide open. I noticed in my search results that one of the items returned did not look like it belonged. Out of curiosity, I clicked on it. It took me a little while to realize what I was looking at: an SEC document that a business had submitted that included, among other data, the business's bank name, the ABA (account routing number), the account number, and the names of officials at the business. Enough information to make an attempt at hacking the bank account either through a software or social engineering vulnerability that any good hacker could try.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The vulnerability was easy enough to prevent. Using OWASP Top Ten 2013, this vulnerability is A5 Security Misconfiguration: folders where the documents were stored had public access when the permissions should have been restricted. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">But here is the point. Easy vulnerabilities are not easy to keep in front of developers and system admins. Organizations need to keep security in front of their IT staff. One easy way to do this is to support organizations like OWASP and promote them to your staff. OWASP has lots of training, chapter meetings, etc. that can help keep security in front of IT folks.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">How do you notify, or who do you notify, that an organization has a cyber vulnerability? In my case, this wasn't easy. The SEC has the contact webmaster link. This wasn't really a website issue. The SEC website does have a contact list but nothing on that page refers you to cyber vulnerability issues. I finally decided to use the SEC Tips, Complaints, and Referrals website. I have checked and the vulnerability has been fixed. I have not received any correspondence from the SEC thanking me or telling me the vulnerability is fixed.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Questions, </span><br />
<span style="font-size: large;">* Should organizations include a link if a visitor to the site sees something wrong with a website instead of the webmaster? </span><br />
<span style="font-size: large;">* What about alerting an organization to any security vulnerability? </span><br />
<span style="font-size: large;">* Should the US government and/or commercial businesses have one common website to alert to for cyber issues? </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">We have the CVE but it isn't designed to alert organizations of a vulnerability while keeping the information private while the vulnerability is being fixed. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">* Is this something that an open source project can help with?</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Here is one of the documents I found. I have XXXX'd out information on the company, people's names, bank account information, and other IRS identifying information. I do understand that some of the information in this document is public knowledge of a publicly traded company of the exchange. ABA and account number and bank names should not be public information.</span><br />
<br />
-----BEGIN PRIVACY-ENHANCED MESSAGE-----<br />
Proc-Type: 2001,MIC-CLEAR<br />
Originator-Name: webmaster@www.sec.gov<br />
Originator-Key-Asymmetric:<br />
MFgwCgYEVQgBAQICAf8DSgAwRwJAW2sNKK9AVtBzYZmr6aGjlWyK3XmZv3dTINen<br />
TWSM7vrzLADbmYQaionwg5sDW3P6oaM5D3tdezXMm7z1T+B+twIDAQAB<br />
MIC-Info: RSA-MD5,RSA,<br />
MmS+lC5NujlDHwNjUELz3rLoMclvZ1nv4FS4aXJun+eNFZUZDpGo2eb7jUUMOpEs<br />
+b8xOtqa7/rPIkNQdE7oGA==<br />
<br />
<SEC-DOCUMENT>0001131312-07-000011.txt : 20070201<br />
<SEC-HEADER>0001131312-07-000011.hdr.sgml : 20070201<br />
<ACCEPTANCE-DATETIME>20070201154033<br />
ACCESSION NUMBER:	0001131312-07-000011<br />
CONFORMED SUBMISSION TYPE:	424B3<br />
PUBLIC DOCUMENT COUNT:	2<br />
FILED AS OF DATE:	20070201<br />
DATE AS OF CHANGE:	20070201<br />
<br />
FILER:<br />
<br />
	COMPANY DATA:<br />
	COMPANY CONFORMED NAME:	XXXXX OIL & GAS<br />
	CENTRAL INDEX KEY:	0009999999<br />
	STANDARD INDUSTRIAL CLASSIFICATION:	OIL AND GAS FIELD EXPLORATION SERVICES [1382]<br />
	IRS NUMBER:	200069999<br />
	STATE OF INCORPORATION:	DE<br />
	FISCAL YEAR END:	1231<br />
<br />
	FILING VALUES:<br />
	FORM TYPE:	424B3<br />
	SEC ACT:	1933 Act<br />
	SEC FILE NUMBER:	333-999999<br />
	FILM NUMBER:	075999999<br />
<br />
	BUSINESS ADDRESS:<br />
	STREET 1:	xxxxxxxxxxx<br />
	STREET 2:	xxxxxxxxxxx<br />
	CITY:	DALLAS<br />
	STATE:	TX<br />
	ZIP:	9999999<br />
	BUSINESS PHONE:	xxxxxxxxx<br />
<br />
	MAIL ADDRESS:<br />
	STREET 1:	xxxxxxxxxx<br />
	STREET 2:	xxxxxxxxxx<br />
	CITY:	DALLAS<br />
	STATE:	TX<br />
	ZIP:	999999<br />
</SEC-HEADER><br />
<DOCUMENT><br />
<TYPE>424B3<br />
<SEQUENCE>1<br />
<FILENAME>prossup4.htm<br />
<DESCRIPTION>SUPPLEMENT # 4<br />
<TEXT><br />
<HTML><br />
<HEAD><br />
<META CONTENT="text/html; charset=windows-1252"><br />
<META NAME="Generator" CONTENT="Microsoft Word 11.0"><br />
<TITLE>PROSSUP4</TITLE><br />
</HEAD><br />
<BODY><br />
<CENTER><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=1 WIDTH=1300><br />
<TR><TD WIDTH="43%" VALIGN="TOP"><br />
<P ALIGN="LEFT">Prospectus Supplement No. 4</TD><br />
<TD WIDTH="14% "VALIGN="TOP"></TD><br />
<TD WIDTH="43%" VALIGN="TOP">Filed pursuant to Rule 424(b)(3)</TD><br />
</TR><br />
<TR><TD WIDTH="43%" VALIGN="TOP"><br />
<P ALIGN="LEFT">To Prospectus dated September 26, 2006</TD><br />
<TD WIDTH="14% "VALIGN="TOP"></TD><br />
<TD WIDTH="43%" VALIGN="TOP">File No. 333-131275</TD><br />
</TR><br />
</TABLE><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">&nbsp;</P><br />
<P ALIGN="LEFT">&nbsp;</P><br />
<B><P ALIGN="CENTER">xxxxxxxxxx, INC.</P><br />
</B><P ALIGN="CENTER"></P><br />
<P ALIGN="JUSTIFY">This document supplements the prospectus dated September 26, 2006, as supplemented on November 21, 2006, December 14, 2006 and January 9, 2007, relating to the offer and sale of a minimum of 350,000 up to a maximum of 2,000,000 shares of our common stock. This prospectus supplement is incorporated by reference into the prospectus. This prospectus supplement is not complete without, and may not be delivered or utilized except in connection with, the prospectus, including any amendments or supplements to the prospectus.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">Second Closing, Continuing Offering and Subsequent Closings</P><br />
</B></U><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">Following the receipt and acceptance on January 26, 2007 of subscriptions in a total amount of $2,008,111 for 286,873 shares of our common stock pursuant to the terms of our offering subject of the prospectus, xxxxxx scheduled a second closing of the offering. All subscriptions subject to the accepted agreements were for cash.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">The second closing took place on January 29, 2007. At the second closing xxxxxx issued 286,873 shares of its common stock in accordance with the instructions of the subscribers and issued instructions to the escrow agent to disburse proceeds of the subscriptions in the amount of $1,750,153 to the company. The remaining $227,578 of funds in the escrow account were distributed at the second closing to Network 1 Financial Services, Inc., the underwriter of the offering, in accordance with the terms of underwriting agreement as described at pages 16-17 of the prospectus ("PLAN OF DISTRIBUTION - Underwriting Agreement"), as follows: $111,719 in commissions, $55,859 of expense reimbursement and $60,000 in financial advisory and investment banking fees. At the second closing, xxxxxx also issued to the underwriters in accordance with the terms of the underwriting agreement, an Underwriter's Warrant to purchase 6,593 shares of xxxxx common stock at a price of $8.75 per share to be exercisable for a period beginning six months after the final closing of the offering and expiring on December 28, 2009.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">The offering with respect to the remaining 1,276,220 shares of xxxxx's common stock being offered pursuant to the prospectus will continue in accordance with the "PLAN OF DISTRIBUTION" as described at pages 16-18 of the prospectus until the receipt and acceptance of the maximum offering of 2,000,000 shares or March 26 (which date may be extended by us for up to an additional 60 days) whichever occurs first - unless earlier terminated. One or more interim closings may take place between the second and final closing. We have scheduled another closing for February 28, 2007 and have set February 16, 2007 as the date by which subscriptions must be received in order to be included in such closing, provided documentation is in order and funds received by the closing. Subscriptions received after the cutoff date which are not able to be closed on by the scheduled closing date will continue to be deposited in the xxxxx escrow account at Sterling Trust Company pending their acceptance and disbursement in the context of subsequent closings. Terms of the continuing offering will be the same as the terms prior to the second closing, with a per share price of $7.00 and a 100 share minimum.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">Market for Common Stock</P><br />
</B></U><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">Shares of our common stock commenced trading on the American Stock Exchange on January 3, 2007 under the ticker symbol <B>ZN</B>. Since then and through the January 29, 2007 the highest sales price was $14.05 and the lowest sales price was $7.05. See Supplement No. 2 at page 2 ("American Stock Exchange Listing and Commencement of Trading").</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">Following the second closing there are approximately 2,800 holders of record of our common stock.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">Use of Proceeds</P><br />
</B></U><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">As described above, upon our instructions at the initial closing, the escrow agent released the $2,008,111 of funds in the escrow account as follows: $227,578 to the underwriter in payment of $111,719 of commissions, $55,859 of expenses and a $60,000 financial advisory investment banking fee due underwriter in accordance with the terms of the underwriting agreement. The remaining $1,750,153 were released to the company for use by the company for the purposes and in the amounts described at pages 7-9 of the prospectus ("USE OF PROCEEDS"). These funds have been deposited in interest bearing accounts in our depository banks in the United States and xxxxx pending their use in furtherance of our plan of operations as described in the prospectus at pages 11-13 ("PLAN OF OPERATIONS AND MANAGEMENT'S DISCUSSION" "-- Basic Plan" and "-- Milestones for the Plan of Operations") and in accordance with the "USE OF PROCEEDS" section at pages 7-9 of the prospectus. </P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">Submission of Application for Asher-Menasseh Exploration License</P><br />
</B></U><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="LEFT">On January 31, 2007, xxxxxx filed an application with the xxxxx Petroleum Commission for a petroleum exploration license, tentatively denominated the xxxxxxxx License, on approximately 81,000 acres north of xxxxxxx's 99,000 acre xxxxxx License. The acreage subject to application includes primarily acreage which was subject to xxxxx's xxxxxxxxxx Permit as reduced in accordance with the provisions of the xxxxxx Petroleum Law, together with a small addition of acreage abutting to the north of the lands subject to the Asher Permit. </P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">The application was submitted in accordance with the terms of xxxx's xxxx Permit, together with xxxxx's Final Report and Prospect Identification, upon the termination of the xxxxx Permit on January 31. In the context of the<FONT SIZE=3> </FONT>application, xxxxx proposed a work program to include the acquisition of 20 kilometers of new seismic lines in the xxxxxxx (xxxxx Heights) region and the drilling of a test well, tentatively designated the xxxxxxx #1, to the Triassic formation.</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">xxxxx's application is subject to the review and approval of the xxxxx Petroleum Commissioner, in consultation with the statutory Petroleum Council. xxxx does not know when the Commissioner and Council will consider the application or what the results of such consideration will be.</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">See the prospectus at pages 43-44 ("BUSINESS AND PROPERTIES -- Properties") and at page 45 ("--xxxxxx's Petroleum Law -- Preliminary Permit" and "-- License").</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">A map of the lands subject to the license application overlaid on the boundaries of the xxxxx Permit and the company's xxxxxx License follows:</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="CENTER"><img src="image26.jpg" WIDTH=443 HEIGHT=539></P><br />
<P ALIGN="LEFT"></P><br />
<B><U><P ALIGN="JUSTIFY">Related Party Transactions</P><br />
</B></U><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">On January 17, 2007, following the initial closing and in accordance with its terms, we repaid Ms. xxxxxxxxx, one of our shareholders, the $75,000 outstanding principal balance outstanding under the credit facility extended by Ms. xxxxxxx to the company, together with accrued interest thereon. See prospectus at page 30 ("CERTAIN RELATIONSHIPS AND RELATED PARTY TRANSACTIONS").</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">On January 18, 2007, following approval by the Audit Committee, we repaid xxxxxxx Resources, Inc., a company owned by xxxxxxx, our Chief Executive Officer, the remaining $32,000 principal balance outstanding under a loan facility extended by xxxxx to xxxxx, together with accrued interest thereon.. See prospectus at page 28 ("CERTAIN RELATIONSHIPS AND RELATED PARTY TRANSACTIONS").</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">Amendment to Bylaws</P><br />
</B></U><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">On January 24, 2007, our board of directors amended our bylaws by adding a provision clarifying that shares in xxxxxx did not have to be represented by physical certificates, but could be represented by book entries in our stock register only. Since the initial closing on December 29, 2006, our stock register is being maintained by our registrar and stock transfer agent, Registrar and Transfer Company Cranford, New Jersey. See prospectus at page 38 ("DESCRIPTION OF SECURITIES -- Amendments" "-- Transfer Agent and Registrar").</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">Modification of the Subscription Agreement</P><br />
<P ALIGN="JUSTIFY"></P><br />
</B></U><P ALIGN="JUSTIFY">The subscription agreement has been amended to read as shown on the two pages following this one.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><P ALIGN="JUSTIFY">Investing in our common stock is very risky. See "Risk Factors" commencing at page 2 of the prospectus to read about the risks that you should consider before buying shares of our stock.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">Neither the U.S. Securities and Exchange Commission nor any state securities commission has approved or disapproved of these securities or determined if the prospectus or any prospectus supplement is truthful or complete. Any representation to the contrary is a criminal offense.</P><br />
<P ALIGN="LEFT"></P><br />
</B><P ALIGN="CENTER">The date of this prospectus supplement is February 1, 2007.</P><br />
<P ALIGN="LEFT"></P><br />
<HR><br />
<B><I><FONT FACE="Wide Latin" SIZE=4><P ALIGN="CENTER">xxxx&amp; Gas, Inc.</P><br />
</I></FONT><FONT SIZE=3><P ALIGN="CENTER">REVISED SUBSCRIPTION AGREEMENT (and Substitute IRS Form W-9)</P><br />
<P ALIGN="CENTER">&nbsp;</P><br />
</FONT><U><FONT SIZE=1><P ALIGN="JUSTIFY">INVESTOR PROFILE: (Please completely fill all items below)</P></B></U></FONT><br />
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=680><br />
<TR><TD VALIGN="TOP"><br />
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">TITLE OF ACCOUNT__________________________________________________________________________________________</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">MAIL ADDRESS (Street, City, State, Zip)__________________________________________________________________________</P><br />
<P ALIGN="RIGHT"> </P><br />
<P ALIGN="JUSTIFY">NAME OF BENEFICIAL OWNER/PURCHASER___________________________________________________________________</P><br />
<P ALIGN="JUSTIFY"> How many years at home address?____</P><br />
<br />
<P ALIGN="JUSTIFY">HOME (BENEFICIAL) ADDRESS </P><br />
<P ALIGN="JUSTIFY">(If different from mail address)____________________________________________________________________________________</P><br />
<P ALIGN="JUSTIFY"></P><br />
</B><P ALIGN="JUSTIFY">Under Federal Law, we are now required to obtain photo identification of investors. Please indicate below and attach to this subscription form the identification you are providing (by filling in the ID number). Your photo information will remain strictly confidential and will not be used for any purpose other than your purchase of Shares. </P><br />
<B><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">PASSPORT #______________ or DRIVER'S LICENSE #_________________ STATE____ or OTHER:_________#___________</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="LEFT">DATE OF BIRTH ______________ SS# or TAX ID#_______________ MARITAL STATUS________ # OF DEPENDENTS____</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="LEFT">PHONE: (W)__________________________(H) _________________________________ (M) _______________________________ </P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">EMAIL:______________________________________________________________________________________________________</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="LEFT">EMPLOYER _____________________________________ BUSINESS________________ POSITION _______________#YRS___</P><br />
</B><P ALIGN="LEFT"></P><br />
<B><P ALIGN="LEFT">ANNUAL INCOME ______________ NET WORTH _____________ LIQUID NET WORTH _____________TAX RATE____%</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">PRINCIPAL BANK NAME ______________________________________INVESTMENT EXPERIENCE (# OF YEARS) ______</P><br />
</B><P ALIGN="LEFT">(All the financial information above is required by the Patriot Act and new rules of the National Association of Securities Dealers.)</FONT></TD><br />
</TR><br />
</TABLE><br />
<br />
<FONT SIZE=1><P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">JOINT INVESTOR: (Fill out if applicable)</P></B></U></FONT><br />
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=679><br />
<TR><TD VALIGN="TOP"><br />
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">PASSPORT #______________ or DRIVER'S LICENSE #_________________ STATE____ or OTHER:_________#__________</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="LEFT">DATE OF BIRTH ______________ SS# or TAX ID#__________________ EMAIL_______________________________________</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="LEFT">EMPLOYER _____________________________________ BUSINESS________________ POSITION _______________#YRS___</B></FONT></TD><br />
</TR><br />
</TABLE><br />
<br />
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">INVESTMENT:&#9;&#9;&#9;&#9;&#9;&#9;&#9;WIRE TRANSFER (Instructions on reverse side)</P></B></FONT><br />
<P ALIGN="CENTER"><CENTER><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=675><br />
<TR><TD WIDTH="54%" VALIGN="TOP"><br />
<FONT SIZE=1><P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">Shares Purchased ____________ Dollar Amount $___________</P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">5</FONT><FONT SIZE=1> Initial Purchase </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 2nd </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 3rd </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 4th </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 5th </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> __th</P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="LEFT"></P><br />
<P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> CHECK ENCLOSED CHECK NUMBER ________</FONT></TD><br />
<TD WIDTH="46%" VALIGN="TOP"><br />
<FONT SIZE=1><P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">SENDING BANK ___________________________</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">City_______________ST___Phone_____________</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="JUSTIFY">WIRE #_________________DATE SENT _______</FONT></TD><br />
</TR><br />
</TABLE><br />
</CENTER></P><br />
<br />
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P><br />
<U><P ALIGN="JUSTIFY">CERTIFICATE DELIVERY ELECTION </B>(Please choose one of the three following options)<B>:</P><br />
</B></U></FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><B><FONT SIZE=1> PHYSICAL DELIVERY: </B>Please<B> </B>deliver the physical certificate representing my Shares to the mailing address above.</P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><B><FONT SIZE=1> NETWORK 1 ACCOUNT: </B>Please send me documents to open a Network 1 account and electronically deposit my Shares with the transfer agent so they can be transferred into such an account after being issued. </P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><B><FONT SIZE=1> OTHER BROKER ACCOUNT: </B>Please send my Shares to my brokerage account:</P><br />
<P ALIGN="JUSTIFY"> </P><br />
<P ALIGN="JUSTIFY"> FIRM NAME_________________________________Address__________________________City_______________ST____Zip______</P><br />
<P ALIGN="JUSTIFY"> NAME ON MY ACCOUNT_________________________________________________________ACCT#_____________</P><br />
<B><U><P ALIGN="LEFT"></P><br />
<HR><br />
<P ALIGN="LEFT">xxxxxx OIL &amp; GAS, INC. Subscription Agreement...Page 2</P><br />
<P ALIGN="JUSTIFY"></P><br />
<P ALIGN="JUSTIFY">ACCOUNT CLASSIFICATION</U>: </P><br />
</B></FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> INDIVIDUAL&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> JTWROS &#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> ESTATE </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> IRA/KEOGH&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> TEN COM&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> CORP (Supply corp resolution)</P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> CUST/UGMA (STATE:_______) </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> TRUST (Supply trust agreement)&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> PARTNERSHIP (Supply partnership agreement)</P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> OTHER:______________________________ (e.g. Investment Club, Sole Proprietor, Non-profit, Pension Plan, Profit Sharing Plan)</P><br />
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> IF FIDUCIARY, STATE NAMES OF PRINCIPAL OFFICERS:_______________________________________________________</P><br />
<B><U><P ALIGN="LEFT">&nbsp;</P><br />
<P ALIGN="JUSTIFY">ARE YOU A U.S. CITIZEN? </B></U></FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1>YES </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> NO IF NO, PLEASE INDICATE COUNTRY:<B><U> </B></U>___________________________</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><P ALIGN="JUSTIFY">BROKER-DEALER/REGISTERED REPRESENTATIVE DATA </B>(broker-dealer use only)<B>: </P></B></FONT><br />
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=696><br />
<TR><TD VALIGN="TOP"><br />
<FONT SIZE=1><P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">Broker-Dealer NASD Firm Name: ________________________ Registered Representative:_____________________________________</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">Address: _______________________________________ Phone:______________Email:________________________________________</FONT></TD><br />
</TR><br />
</TABLE><br />
<br />
<B><FONT SIZE=1><P ALIGN="LEFT"></P><br />
</FONT><FONT FACE="Times" SIZE=1><P ALIGN="LEFT">IRS FORM W-9 CERTIFICATION: &#9;&#9;&#9;</P></B></FONT><br />
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=696><br />
<TR><TD VALIGN="TOP"><br />
<FONT SIZE=1><P ALIGN="LEFT">Under penalties of perjury, I certify that:</P><br />
<OL><br />
<br />
<P ALIGN="LEFT"><LI>The Internal Revenue Service does not require your consent to any provision of this document other than the certifications required to avoid backup withholding;</LI></P><br />
<P ALIGN="LEFT"><LI>The number shown on this form is my correct taxpayer identification number, and I am not subject to backup withholding because: (a) I am exempt from backup withholding; (b) I have not been notified by the Internal Revenue Service (<B>IRS</B>) that I am subject to backup withholding as a result of a failure to report; or (c) the (<B>IRS</B>) has notified me that I am no longer subject to backup withholding; and</LI></P><br />
<P ALIGN="LEFT"><LI>I am a U.S. person (including a U.S. resident alien).</LI></P></OL><br />
<br />
<B><P ALIGN="LEFT">The Internal Revenue Service does not require your consent to any provision of this document other than the certifications required to avoid backup withholding</B>. If exempt, indicate type of entity:______________</FONT></TD><br />
</TR><br />
</TABLE><br />
<br />
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P><br />
<U><P ALIGN="LEFT">PURCHASE AGREEMENT:</P><br />
</B></U><P ALIGN="JUSTIFY">The Investor named above, by payment of <U>a wire transfer or check payable to</U> <B>xxxxxx &amp; GAS ESCROW ACCOUNT</B>, hereby subscribes for shares of common stock, $.01 par value ("the Shares") indicated above (minimum purchase of 100 shares at a purchase price of $7.00 per Share) of xxxxxxx &amp; Gas, Inc. If the dollar amount and number of Shares do not match, the dollar amount shall govern. No fractional Shares shall be purchased and any excess funds representing fractional Shares shall be returned to the Investor. By such payment, the named Investor acknowledges receipt of the Prospectus and any supplements, the terms of which govern the investment in the Shares. <B>The date of this agreement is:</B> ______________.</P><br />
<P ALIGN="JUSTIFY"></P><br />
<B><U><P ALIGN="JUSTIFY">SIGNATURES</B>:</U> By signing below, I/we represent that I/we have relied on the information set forth in the Prospectus, as and if amended or supplemented and free writing prospectuses on file with the Securities and Exchange Commission, and on no other statement whatever, whether written or oral. The information set forth above (including the IRS Form W-9 Certification and SS# or Tax ID#) is true and correct.</P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">Signatures - Registered Owner: ________________-____________&#9;Co-Owner: _________________________________</P><br />
<P ALIGN="LEFT">&nbsp;</P><br />
<P ALIGN="LEFT">PRINTED NAME(S):____________________________________&#9;&#9; __________________________________</P><br />
<B><U><P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">ACCEPTANCE--xxxxxxx &amp; GAS, INC. </U> &#9;</B>Signature:_________________________________________________ </P><br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">&#9;&#9;&#9;&#9;&#9;&#9;&#9; Name:________________________Title_____________Date_______</P><br />
<B><U><P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT">SUBMITTAL INSTRUCTIONS:</P></B></U></FONT><br />
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=686><br />
<TR><TD WIDTH="48%" VALIGN="TOP"><br />
<B><FONT SIZE=1><P ALIGN="LEFT">Subscription Agreements and Checks (payable to xxxxxxx &amp; Gas Escrow Account).....Send to:</P><br />
</B><P ALIGN="LEFT"> xxxxxxxxxxxxx, Inc., </P><br />
<P ALIGN="LEFT"> Corporate Securities Department</P><br />
<P ALIGN="LEFT"> xxxxxxxxxxxxxxx, </P><br />
<P ALIGN="LEFT"> xxxxxxxxxxxxxxx</P><br />
<P ALIGN="LEFT"> Phone xxxxxxxxxxxx Fax xxxxxxxxxxxxx </FONT></TD><br />
<TD WIDTH="52%" VALIGN="TOP"><br />
<B><FONT SIZE=1><P ALIGN="LEFT">Wire Transfers:</P><br />
<P ALIGN="LEFT"></P><br />
</B><P ALIGN="LEFT"> xxxxxxxx, xxxxxx, xx</P><br />
<P ALIGN="LEFT"> ABA Routing No. xxxxxxxxxx</P><br />
<P ALIGN="LEFT"> Account No. xxxxxxxxx </P><br />
<P ALIGN="LEFT"> Acct: xxxxxxxxxxx. </P><br />
<P ALIGN="LEFT"> FBO: xxxxxxxxxxxx Escrow Acct</FONT></TD><br />
</TR><br />
</TABLE><br />
<br />
<P ALIGN="LEFT"></P><br />
<P ALIGN="LEFT"></P></BODY><br />
</HTML><br />
</TEXT><br />
</DOCUMENT><br />
<DOCUMENT><br />
<TYPE>GRAPHIC<br />
<SEQUENCE>2<br />
<FILENAME>image26.jpg<br />
<DESCRIPTION>GRAPHIC FOR SUPPLEMENT # 4<br />
</DOCUMENT><br />
</SEC-DOCUMENT><br />
-----END PRIVACY-ENHANCED MESSAGE-----<br />
<br />
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com1tag:blogger.com,1999:blog-7399109506254107325.post-34088354248089044552015-12-01T12:19:00.000-08:002015-12-01T12:19:12.918-08:00Privacy, Breadcrumbs and Personally identifiable information (PII)<br />
<br />
<span style="font-size: large;">I am reading “Programming Windows Store Apps with HTML and CSS</span><span style="font-size: large;">”</span><span style="font-size: large;"> by Kraig Brockschmidt. It’s a good book and, better still, you can get the ebook/PDF version for free (</span><i><a href="http://blogs.msdn.com/b/microsoft_press/archive/2012/10/29/free-ebook-programming-windows-8-apps-with-html-css-and-javascript.aspx"><span style="font-size: large;">http://blogs.msdn.com/b/microsoft_press/archive/2012/10/29/free-ebook-programming-windows-8-apps-with-html-css-and-javascript.aspx</span></a></i><span style="font-size: large;">).</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The author, Kraig Brockschmidt, has a section about adding code to a demo app (Here My Am!) to share a photo and a geo location. I came across the following text: “And if you still think I’ve given you coordinates to my house, the ones shown here will send you some miles down the road where you’ll make a fine acquaintance with the Tahoe National Forest.” In the newer version of the book, he has his house coordinates blurred out so we can’t see them.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Let’s look at his remark and see how true it is from a privacy perspective. First, what do we actually know?</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">* His name Kraig Brockschmidt.</span><br />
<span style="font-size: large;">* A good guess is he works for Microsoft Software.</span><br />
<span style="font-size: large;">* We know he lives close to Tahoe National Forest.</span><br />
<span style="font-size: large;">* From a quick lookup in Google/Bing, we see that the main address for Tahoe National Forest is Lake Tahoe, CA 96140.</span><br />
<span style="font-size: large;">* We now know that another good guess is he lives in the state of California.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Now let’s go back to our favorite search tool and see how difficult it is to learn what Kraig’s physical address is, since he won’t give us the geo coordinates to his house. Maybe we want to borrow a cup of sugar and share some Microsoft love.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First we can just search for his name and state to see what we get. The first entry in our results list is a web site (<i>http://www.kraigbrockschmidt.com</i>). After a quick look around, we know it’s Kraig’s web site. We can see references to California and his books. On his about page we see a reference to him and his wife moving to Nevada City, CA in 2011. So now we know his state and city.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Using his own web site, LinkedIn and O’Reilly, we see that he currently works at Microsoft Software as a program manager.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So now we have his city, state and employer. We just need to get his physical house address. Not to worry: a quick web search and we will be at his house in a few minutes to borrow that cup of sugar.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">We can use <i>http://www.zabasearch.com </i>(zaba search can be totally free if you sign in using Facebook) or if we want we can use a paid service like <i>http://www.intelius.com/</i>. Now we have his physical house address and phone number.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I am not going to post his actual home address or his phone number in this blog post. I just looked, and I have enough sugar, so I don’t need to borrow a cup.</span><br />
<span style="font-size: large;">Unfortunately, what works to find Kraig’s home address also works to find my home address. I also checked on a few friends living in Owasso and Depew, OK, and I was quickly able to get their home addresses and phone numbers.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The issue here is a hard one to solve. We want to be connected to people, and the easiest way is using the Internet. We want and need the Internet to help with our own personal branding. We need and want to show our professional work. Some of us want to discuss our spiritual paths, political views, etc. with friends and others. That causes us grief: one web site may not give a view of who we are, but we leave enough breadcrumbs for sites like ZABA Search and state and federal government web sites to collect data on us. Remember, we don't want our physical address known to everyone on the Internet, but we do want police and fire services to be able to quickly find us.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">We find ourselves in an uncomfortable position of wanting to control what we can’t.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">It is not just our physical addresses that are hard to keep private; other personal information is under attack as well. Researchers using Facebook found that a wide variety of our personal attributes, from sexual orientation, race, age, and political affiliation to intelligence, can be predicted with remarkable accuracy (93% to 95%) based on what we mark as likes on Facebook.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">See (<i><a href="http://www.pnas.org/content/110/15/5802.full.pdf">http://www.pnas.org/content/110/15/5802.full.pdf</a></i>) and you can also go to (<i><a href="http://applymagicsauce.com/test.html">http://applymagicsauce.com/test.html</a></i>) to become part of the study.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">These new predictive algorithms are only going to improve in the future. Not just Facebook but also Google, Bing, Yahoo, Amazon and others are paying for predictive algorithm research so businesses can sell us more products and services.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So what is the solution? I don’t know. We want our information out there, and businesses are finding more and more ways to get it and to use it. We ourselves give away information for perceived and real benefits, like being able to search without paying for Bing or Google, or getting a good deal on products and services. With the breadcrumbs we leave on the Internet and the public data that we have already provided, the ability for someone to build an accurate profile on us is real.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">My recommendation is to pay attention to what you are doing. For example, by default our likes on Facebook are public knowledge. In Facebook settings you can make this information private. This puts you in charge of your own information. I am not going to kid you; this is not an easy task. You are on a slippery slope, and no matter what you do, some information on you is always going to be publicly available.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Additional information...</span><br />
<span style="font-size: large;">* <a href="http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf">http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf</a></span><br />
<span style="font-size: large;">* <a href="https://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf">https://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf</a></span><br />
<span style="font-size: large;">* <a href="http://itlaw.wikia.com/wiki/Personally_identifiable_information">http://itlaw.wikia.com/wiki/Personally_identifiable_information</a></span><br />
<div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com3tag:blogger.com,1999:blog-7399109506254107325.post-90580549417860170442014-08-17T13:40:00.001-07:002014-08-17T14:36:14.571-07:00UnHandled exceptions and secure coding
We all want our programs to run with explicit control, doing exactly what the user or other processes need. But as we know, that does not always happen. This has caused the rise of several large components of software development: Quality Assurance (QA) testing, Test Driven Design (TDD), etc. These processes try to identify all the reasons why a program may fail. Nevertheless, even with these processes, programs fail for many reasons.<br /><br />
This weekend I went to one of my favorite web sites (www.movies.com) to look for a movie to watch. I clicked on one of the controls and I received an exception. This is a major Internet site. I hope nothing bad comes of this for movies.com, but this is not a good thing for a major web site. movies.com gets about 15,000 users a month and is ranked 3,152 among top sites by daily users and page views. To see the exception that prompted this blog post, scroll to the bottom of this post.<br /><br />
One of the principles of secure programming is to fail securely. Many programmers simply do not look at exception handling as part of secure coding. One of my favorite sayings is “An error message to a cyber criminal is like a bone to a dog; something good to chew.”<br /><br />
Exceptions throw out a lot of very useful information: file paths, database names, database table names, server names, program names, module names, line numbers, etc. All of this information is very helpful to developers at 3:00 am trying to debug a production issue. The same information is also helpful to a cyber criminal. Many forms of attack require knowing or guessing the locations of files. With exception information out in the open, you reduce the time and guessing the bad guy needs to find a vulnerability and enter your application. It also raises a red flag to the bad guys that something is amiss here and that this may be a good place to start for something bad to happen at your organization.<br /><br />
All exceptions need to be caught and sanitized before propagating them to upstream callers and/or displaying them.<br /><br />
A few suggestions for handling exceptions in a more secure way: <br /><br />
<ol>
<li>Log your exceptions; remember to sanitize what you log. Never log passwords or other highly sensitive information. Look closely at user input to make sure you really need to log that information.</li>
<li>Display an error message so the user knows something is wrong with the application. The programmer needing the error information at 3 am should be trained to know where to look for additional error information in a log.</li>
<li>Clean up state if the application is going to fail. Cleanup often involves reclaiming resources, rolling back transactions, or some combination of these two among others. Some of this can be automated. Make sure the entire cleanup mechanism is also tested in QA.</li>
<li>Fail-secure should be part of the application design and included as part of the functional specification, not left to individual implementers.</li>
<li>Make sure programmers are not using the anti-pattern of “exception swallowing”.</li>
</ol>
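One way to apply the suggestions above, shown as an added example that is not code from the original post or from movies.com: a request boundary that writes the sanitized exception to a log under an incident ID, shows the user only a generic message, and always runs cleanup. The names FailSecure, HandlerResult and LoadShowTimes, the build path, and the password value are assumptions constructed for the illustration.<br /><br />

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical types for illustration; not part of any framework.
public sealed class HandlerResult
{
    public int StatusCode { get; set; }
    public string UserMessage { get; set; }
}

public static class FailSecure
{
    // key=value / key: value pairs whose values must never reach a log.
    private static readonly Regex Secrets = new Regex(
        @"\b(password|pwd|token|secret|apikey)\b(\s*[=:]\s*)\S+",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Stand-in for a real log sink (file, event log, log forwarder).
    public static readonly List<string> Log = new List<string>();

    public static string Sanitize(string text)
    {
        if (string.IsNullOrEmpty(text)) return string.Empty;
        string redacted = Secrets.Replace(text, "$1$2[REDACTED]");
        // Escape CR/LF so user-controlled input cannot forge extra log entries.
        return redacted.Replace("\r", "\\r").Replace("\n", "\\n");
    }

    // Full detail goes to the log; only the incident id leaves this method.
    private static string Record(string operation, Exception ex)
    {
        string incidentId = Guid.NewGuid().ToString("N").Substring(0, 12);
        Log.Add(string.Format("{0:o} incident={1} op={2} detail={3}",
            DateTime.UtcNow, incidentId, Sanitize(operation), Sanitize(ex.ToString())));
        return incidentId;
    }

    private static HandlerResult Failure(string incidentId)
    {
        // No paths, type names, line numbers or input values in the user-facing text.
        return new HandlerResult
        {
            StatusCode = 500,
            UserMessage = "Something went wrong on our side. Reference: " + incidentId
        };
    }

    public static HandlerResult Run(string operation, Func<string> work, Action cleanup)
    {
        HandlerResult result;
        try
        {
            result = new HandlerResult { StatusCode = 200, UserMessage = work() };
        }
        catch (Exception ex)
        {
            // Not swallowed: it is logged, and the caller still sees a failure.
            result = Failure(Record(operation, ex));
        }
        try
        {
            // Release resources / roll back whether or not the work succeeded.
            if (cleanup != null) cleanup();
        }
        catch (Exception ex)
        {
            // A failed cleanup is itself a failure and must not leak details either.
            result = Failure(Record(operation + ".cleanup", ex));
        }
        return result;
    }
}

public static class Program
{
    // Constructed failure, loosely modelled on the error page quoted in this post.
    static string LoadShowTimes(string zipCode, string password)
    {
        throw new ApplicationException(
            "GetFromDisk failed for TspTheatersByZip_" + zipCode +
            " in c:\\build\\workspace\\Cache.cs:line 254; connection password=" + password);
    }

    public static void Main()
    {
        bool cleaned = false;
        HandlerResult r = FailSecure.Run("GetTheaterShowTimes",
            () => LoadShowTimes("74012\r\nFAKE ENTRY", "hunter2"), // constructed input
            () => cleaned = true);
        Console.WriteLine("To user : {0} {1}", r.StatusCode, r.UserMessage);
        Console.WriteLine("To log  : {0}", FailSecure.Log[0]);
        Console.WriteLine("Cleanup ran: {0}", cleaned);
    }
}
```

In an ASP.NET application the same split is normally enforced site-wide, for example with customErrors in web.config and a logging handler in Application_Error, so that no page can fall back to the default error screen.<br /><br />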
<br /><br />
Summary:<br /><br />
How your application will fail-secure should be part of the design document and reviewed early in the lifecycle. Use the programming framework to detect an exception, and then augment the framework's exception handling with activities that are performed after the system has detected the exception. <br /><br />
Carefully consider the content of error messages displayed to the user. This is to ensure that those messages cannot be used to launch a more serious attack. <br /><br />
Finally, a process should be in place that ensures that all errors and exceptions are logged and audited periodically, to detect and potentially prevent any malicious activity that appears in the audit trail and to confirm that no confidential information is being logged. <br /><br /><br />
References:<br />
https://www.owasp.org/index.php/Secure_Coding_Principles#Fail_securely<br />
http://msdn.microsoft.com/en-us/magazine/cc188938.aspx<br />
http://www.oracle.com/technetwork/java/seccodeguide-139067.html<br />
http://en.wikipedia.org/wiki/Error_hiding<br />
<br /><br />
<br /><p>Exception: www.movies.com <br />
Server Error in ‘/’ Application.
<br /> 1. In GetTheaterShowTimes() <br /> 2. Passed movieId: <br /> 3. Passed zipCode: 74012 <br /> 6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012 <br /> 7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012 <br /> 10. forceRetrieve = True <br /> 11. resultsDoc == null? False <br /> 12. Trying to get results from file system! <br /><br />
Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type) at System.Xml.XmlTextReaderImpl.ParseElementContent() at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace) at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc) at System.Xml.XmlDocument.Load(XmlReader reader) at System.Xml.XmlDocument.Load(String filename) at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254 at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. </p>
<br />
<p>Exception Details: System.ApplicationException:
<br />1. In GetTheaterShowTimes()
<br />2. Passed movieId:
<br />3. Passed zipCode: 74012
<br />6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
<br />7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
<br />10. forceRetrieve = True
<br />11. resultsDoc == null? False
<br />12. Trying to get results from file system!
<br />Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
at System.Xml.XmlTextReaderImpl.ParseElementContent()
at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
at System.Xml.XmlDocument.Load(XmlReader reader)
at System.Xml.XmlDocument.Load(String filename)
at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372</p>
<br />
<p>Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</p><br />
<p>Stack Trace:
[ApplicationException: <br />
<br /> 1. In GetTheaterShowTimes()
<br /> 2. Passed movieId:
<br /> 3. Passed zipCode: 74012
<br /> 6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
<br /> 7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
<br /> 10. forceRetrieve = True
<br /> 11. resultsDoc == null? False
12. Trying to get results from file system!
<br /><br /> Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
at System.Xml.XmlTextReaderImpl.ParseElementContent()
at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
at System.Xml.XmlDocument.Load(XmlReader reader)
at System.Xml.XmlDocument.Load(String filename)
at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372]
Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:649
Mdc.Movie.Presentation.TheaterSelectionPage.OnLoad(EventArgs e) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.Presentation\TheaterSelectionPage.aspx.cs:529
System.Web.UI.Control.LoadRecursive() +71
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178</p>
<br />
<p>Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446</p>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com3tag:blogger.com,1999:blog-7399109506254107325.post-19599876157403728492014-06-12T18:30:00.000-07:002014-06-12T18:30:48.620-07:00Privacy<span style="font-size: large;">Here is a good definition of privacy...</span><br />
<br style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;" /><span style="font-size: large;"><span style="background-color: white; color: #222222; font-family: arial, sans-serif;">An individual’s ability to determine how much, to whom, and when / for how long </span><span style="background-color: white;"><span style="color: #222222; font-family: arial, sans-serif;">information about themselves is revealed.</span></span></span><br />
<span style="font-size: large;"><span style="background-color: white;"><span style="color: #222222; font-family: arial, sans-serif;"><br /></span></span></span>
<span style="font-size: large;"><span style="background-color: white;"><span style="color: #222222; font-family: arial, sans-serif;">Here is another </span></span></span><span style="color: #222222; font-family: arial, sans-serif; font-size: large;">definition...</span><br />
<span style="background-color: white; color: #252525; font-family: sans-serif; line-height: 22px;"><span style="font-size: large;">The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.</span></span><br />
<span style="background-color: white; color: #252525; font-family: sans-serif; line-height: 22px;"><span style="font-size: large;"><br /></span></span>
<span style="background-color: white;"><span style="font-size: large;"><span style="color: #252525; font-family: sans-serif;"><span style="line-height: 22px;">I think the first definition cuts to the heart of the matter a little quicker with a more simple and </span></span></span></span><span style="color: #252525; font-family: sans-serif; font-size: large;"><span style="line-height: 22px;">accessible definition. </span></span><br />
<span style="font-size: large;"><span style="background-color: white;"><span style="color: #222222; font-family: arial, sans-serif;"><br /></span></span></span>
<span style="font-size: large;"><span style="background-color: white;"><span style="color: #222222; font-family: arial, sans-serif;"><br /></span></span></span>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com2tag:blogger.com,1999:blog-7399109506254107325.post-68874463804345517402014-06-10T19:21:00.000-07:002014-06-10T19:21:29.730-07:00Privacy and the internet<span style="font-size: large;">A lot has been in the media recently about encrypting emails using Gmail. But email isn't the only thing being looked at concerning your privacy. I decided for this blog post to show two infographics. I have already talked about this subject in several blog posts, but showing the same information again on an important subject can't hurt.</span><br />
<br />
<span style="font-size: large;"><br /></span>
<a href="https://www.blogger.com/internet-privacy-safety-tips-statistics-2014-infographic"><img alt="Internet Privacy Tips Statistics 2014" src="http://ansonalex.com/wp-content/uploads/2014/01/internet-privacy-tips-statistics-2014.jpg?a17e84" height="4500" width="900" /></a>This Infographic was published on <a href="http://ansonalex.com/">AnsonAlex.com</a>
<span style="font-size: large;"><br /></span>
<span style="font-size: x-large;"><br />
Here is the last infographic on privacy I have for this blog post.
</span><a href="http://imgur.com/7jTSJTT"><img src="http://i.imgur.com/7jTSJTT.jpg" title="Hosted by imgur.com" /></a>
<span style="font-size: large;"><br /></span>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-81182205565692650982014-05-11T15:20:00.001-07:002014-05-11T15:20:26.450-07:00Tulsa School of Dev<br />
<br />
<span style="font-size: x-large;">Don't forget May 16. OUS downtown campus free training. An all day event. For more information go to ...<a href="http://tulsaschoolofdev.com/">http://tulsaschoolofdev.com</a></span>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-26784742697945952722014-05-11T15:00:00.001-07:002014-05-11T15:39:28.464-07:00Client Side Coding - JavaScript<span style="font-size: large;">JavaScript has several known security vulnerabilities. Now with HTML5 and JavaScript becoming more prevalent in web sites today and with more web sites moving to responsive web design with its dependence on JavaScript the developer needs to understand what vulnerabilities to look for.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The most significant vulnerabilities in JavaScript are cross-site scripting (XSS) and Document Object Model (DOM)-based XSS.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Detection of DOM-based XSS can be challenging. This is caused by the following reasons.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">• JavaScript is often obfuscated to protect intellectual property.</span><br />
<span style="font-size: large;">• JavaScript is often compressed out of concern for bandwidth.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">In both of these cases it is strongly recommended that the code reviewer and QA be able to review the JavaScript before it has been obfuscated and/or compressed. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Another aspect that makes code review of JavaScript challenging is its reliance on large frameworks such as Microsoft .Net and Java Server Faces and the use of JavaScript frameworks such as JQuery, Knockout, Angular, and Backbone. These frameworks aggravate the problem because the code can only be fully analyzed given the source code of the framework itself. These frameworks are usually several orders of magnitude larger than the code the code reviewer needs to review. Because of time and money, most companies simply accept that these frameworks are secure or that the risks are low and acceptable to the organization.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Because of these challenges we recommend a hybrid analysis for JavaScript: manual source-to-sink validation when necessary, plus static analysis with black-box testing and taint testing. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">First, use static analysis. Developers, code reviewers and the organization need to understand that, because of event-driven behaviors, complex dependencies between the HTML DOM and JavaScript code, and asynchronous communication with the server side, static analysis will always fall short and may show positive, false, false-positive, and positive-false findings.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Traditional black-box detection of reflected or stored XSS needs to be performed. However, this approach will not work for DOM-based XSS vulnerabilities. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Taint analysis needs to be incorporated into the static analysis engine. Taint analysis attempts to identify variables that have been ‘tainted’ with user-controllable input and traces them to possibly vulnerable functions, also known as ‘sinks’. If a tainted variable gets passed to a sink without first being sanitized, it is flagged as a vulnerability.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Second, the developers and QA need to be certain the code was tested with JavaScript turned off, to make sure all client-side data validation was also validated on the server side.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Code examples of JavaScript vulnerabilities.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><html></span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span><script type="text/javascript"></span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Source: everything after "name=" in the URL is attacker-controllable.</span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span>var pos=document.URL.indexOf("name=")+5;</span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Sink: the URL text is written into the page without sanitization.</span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span>document.write(</span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span>document.URL.substring(pos,document.URL.length));</span><br />
<span style="font-size: large;"><span class="Apple-tab-span" style="white-space: pre;"> </span></script></span><br />
<span style="font-size: large;"></html></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Explanation: An attacker can send a link such as "http://hostname/welcome.html#name=<script>bad code here</script>" to the victim, resulting in the victim’s browser executing the injected client-side code.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Another example:</span><br />
<span style="font-size: large;"><br /></span>
<html>
<html>
<ol>
<li><span style="font-size: large;">var url = document.location.href;</span></li>
<li><span style="font-size: large;">var loginIdx = url.indexOf('login');</span></li>
<li><span style="font-size: large;">var loginSuffix = url.substring(loginIdx);</span></li>
<li><span style="font-size: large;">url = 'http://mySite/html/sso/' + loginSuffix;</span></li>
<li><span style="font-size: large;">document.location.href = url;</span></li>
</ol>
<span style="font-size: large;">Line 5 may be a false positive and prove to be safe code, or it may be open to an “open redirect” attack. With taint analysis, the static analysis should be able to correctly identify whether this vulnerability exists.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">If static analysis relies only on a black-box component, this code will be flagged as vulnerable, requiring the code reviewer to do a complete source-to-sink review. </span><br />
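<span style="font-size: large;">The source-to-sink tracing described above, run over the two snippets from this post, as an added example that is not part of the original post or of any analysis product. The function names (analyze, evalExpr), the source, sink and sanitizer lists, and the escapeHtml helper are assumptions made for illustration, and the second snippet is assumed to read and write document.location.href.</span><br />

```javascript
// Added example: minimal source-to-sink taint tracking over straight-line JavaScript.
// The lists below are illustrative assumptions, not a complete catalogue.
const SOURCES = /\b(?:document\.(?:URL|location|referrer)|(?:window\.)?location\.(?:href|hash|search))\b/;
// A value counts as sanitized only when the whole expression is one sanitizer call.
// escapeHtml is a hypothetical helper; a real analyzer matches sanitizer to sink context.
const SANITIZER = /^(?:encodeURIComponent|escapeHtml)\s*\([^()]*(?:\([^()]*\)[^()]*)*\)$/;
const CALL_SINK = /^(document\.write(?:ln)?|eval)\s*\(([\s\S]*)\)$/;
const ASSIGN_SINK = /^((?:(?:document|window)\.)?location(?:\.href)?|[\w$.]+\.(?:innerHTML|outerHTML))\s*=(?!=)\s*([\s\S]+)$/;
const ASSIGN = /^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*([\s\S]+)$/;
// A leading literal such as 'http://host/path/' fixes the origin of a concatenated URL.
// The "/" after the host is required so appended text cannot extend the host name.
const PINNED = /^(['"])(https?:\/\/[^\/'"\s]+)\/[^'"]*\1\s*\+/;

// Remove string literal contents so words inside quotes are not read as identifiers.
function stripStrings(expr) {
  return expr.replace(/(['"])(?:\\.|(?!\1)[^\\])*\1/g, '""');
}

// Decide whether an expression carries user-controllable data, given known variables.
function evalExpr(expr, env) {
  const e = expr.trim();
  if (env.has(e)) return { ...env.get(e) };              // plain copy: x = y
  if (SANITIZER.test(e)) return { tainted: false, origin: null };
  const code = stripStrings(e);
  const vars = code.match(/(?<![\w$.])[A-Za-z_$][\w$]*/g) || [];
  // Conservative: any expression touching a source or a tainted variable is tainted,
  // even when it only yields a number such as an index.
  const tainted = SOURCES.test(code) || vars.some(v => env.has(v) && env.get(v).tainted);
  const pin = PINNED.exec(e);
  return { tainted, origin: pin ? pin[2] : null };
}

// Walk the statements in order, propagate taint, and report tainted data reaching a sink.
// Limitation: statements are split on ";" so a semicolon inside a string is not supported.
function analyze(source) {
  const env = new Map();
  const findings = [];
  const stmts = source.split(';').map(s => s.trim()).filter(Boolean);
  stmts.forEach((stmt, i) => {
    let m;
    if ((m = CALL_SINK.exec(stmt))) {
      if (evalExpr(m[2], env).tainted) {
        findings.push({ line: i + 1, sink: m[1], kind: 'dom-xss', verdict: 'vulnerable' });
      }
    } else if ((m = ASSIGN_SINK.exec(stmt))) {
      const v = evalExpr(m[2], env);
      if (!v.tainted) return;
      const redirect = !/HTML$/.test(m[1]);
      findings.push({
        line: i + 1,
        sink: m[1],
        kind: redirect ? 'open-redirect' : 'dom-xss',
        // Tainted path on a fixed origin: candidate false positive for open redirect.
        verdict: redirect && v.origin ? 'origin-pinned' : 'vulnerable',
      });
    } else if ((m = ASSIGN.exec(stmt))) {
      env.set(m[1], evalExpr(m[2], env));
    }
  });
  return findings;
}

// The two snippets from the post, embedded as constructed input.
const EXAMPLE_1 = `
var pos = document.URL.indexOf("name=") + 5;
document.write(
  document.URL.substring(pos, document.URL.length));`;

const EXAMPLE_2 = `
var url = document.location.href;
var loginIdx = url.indexOf('login');
var loginSuffix = url.substring(loginIdx);
url = 'http://mySite/html/sso/' + loginSuffix;
document.location.href = url;`;

for (const finding of [...analyze(EXAMPLE_1), ...analyze(EXAMPLE_2)]) {
  console.log(finding);
}
```

<span style="font-size: large;">The first snippet is reported as DOM-based XSS at its document.write call. The second is reported at line 5 as a redirect whose origin is fixed by the literal prefix, which is the case a reviewer can close as a false positive for open redirect without a full manual trace.</span><br />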
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">References:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<br />
<ul>
<li><span style="font-size: large;">http://docstore.mik.ua/orelly/web/jscript/ch20_04.html </span></li>
<li><span style="font-size: large;">https://www.owasp.org/index.php/CRV2_SourceSinkRev</span></li>
<li><span style="font-size: large;">https://www.owasp.org/index.php/CRV2_CanStaticAnalyzersDoAll</span></li>
<li><span style="font-size: large;">https://www.owasp.org/index.php/Static_Code_Analysis</span></li>
<li><span style="font-size: large;">http://www.cs.tau.ac.il/~omertrip/fse11/paper.pdf</span></li>
<li><span style="font-size: large;">http://www.jshint.com/about/</span></li>
<li><span style="font-size: large;">https://github.com/mozilla/doctorjs</span></li>
</ul>
</html></html>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-45799484967706435102014-03-08T08:46:00.002-08:002014-03-08T08:46:50.979-08:00OWASP Wins SC Magazine 2014 Editor's Choice Award<br />
<span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;">On Tuesday, February 25</span><sup style="background-color: white; color: #444444; font-family: Cambria;">th</sup><span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;"> OWASP was awarded the 2014 SC Magazine Editor’s Choice award.</span><span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;"> T</span><span style="background-color: white; color: #444444; font-family: Cambria; font-size: 12pt; line-height: 22px;">his was the final award of the evening and presented directly from </span><span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;"></span><span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;">Illena Armstrong</span><span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;">, VP, editorial, SC Magazine.</span><br />
<span style="background-color: white; color: #444444; font-family: Cambria; font-size: 16px; line-height: 22px;"><br /></span>
<div class="MsoNormal" style="background-color: white; color: #444444; font-family: Cambria; font-size: 12pt; margin: 0in 0in 0.0001pt;">
From the <a href="http://media.scmagazine.com/documents/64/botn2014sm_15794.pdf" style="color: #4d469c; text-decoration: none;">2014 SC Magazine Awards announcement</a>:<br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2R2X8esjqimfkBP6Im7L5QPy-M61jj8rM2JNPLA-A7N5CogwRo23fpdDIHX9zg1__IQ-G7Jb_3ZaECMr8njWAUW_51Sj7Eotc9PbsavfX-VBiJzGiIxEOaSssRw2j2PvgJBWFclSI8XaW/s1600/OWASP-SC-Magazine-2014.jpg" imageanchor="1" style="clear: right; color: #4d469c; float: right; margin-bottom: 1em; margin-left: 1em; text-decoration: none;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2R2X8esjqimfkBP6Im7L5QPy-M61jj8rM2JNPLA-A7N5CogwRo23fpdDIHX9zg1__IQ-G7Jb_3ZaECMr8njWAUW_51Sj7Eotc9PbsavfX-VBiJzGiIxEOaSssRw2j2PvgJBWFclSI8XaW/s1600/OWASP-SC-Magazine-2014.jpg" style="-webkit-box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 0px; background-color: transparent; background-position: initial initial; background-repeat: initial initial; border-bottom-left-radius: 0px; border-bottom-right-radius: 0px; border-top-left-radius: 0px; border-top-right-radius: 0px; border: 1px solid transparent; box-shadow: rgba(0, 0, 0, 0.2) 0px 0px 0px; padding: 8px; position: relative;" width="320" /></a></div>
</div>
<div class="MsoNormal" style="background-color: white; color: #444444; font-family: Cambria; font-size: 12pt; margin: 0in 0in 0.0001pt;">
<blockquote class="tr_bq">
For its ongoing support of the development and maintenance of secure web applications, we are calling out the achievements of the OWASP (Open Web Application Security Project). Its efforts in offering tools and education materials to developers and other security professionals has greatly aided in furthering the advancement of web application security. The nonprofit group does not endorse or recommend commercial products or services. This enables its open network to remain vendor neutral and synergize the collaborative efforts of the leading lights in software security worldwide. It’s all about trust, and information security professionals have come to rely on the group’s annual Top 10 project – ongoing since 2003 – which delineates the most common flaws present in web apps, thus increasing awareness in the security community of some of the most critical risks facing organizations. As well, the “Bug Bash,” held for three nights in November during the AppSec Conference, is considered one of the biggest application security bug searches in recent time. The event, sponsored by OWASP, gathered security researchers from 30 countries who collaborated to discern security gaps in software that runs the internet and some of the planet’s most commonly used applications. For its advocacy, outreach and teaching, we are delighted to recognize OWASP with this year’s Editor’s Choice Award</blockquote>
</div>
<div class="MsoNormal" style="background-color: white; color: #444444; font-family: Cambria; font-size: 12pt; margin: 0in 0in 0.0001pt;">
As a volunteer driven, non-profit organization our contributors donate their time and expertise for the betterment of all. It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!</div>
<br />
<br />
<br />
<a href="http://owasp.blogspot.com/2014/03/owasp-wins-sc-magazine-2014-editors.html">http://owasp.blogspot.com/<wbr></wbr>2014/03/owasp-wins-sc-<wbr></wbr>magazine-2014-editors.html</a><br />
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-57589926570995718552014-01-15T18:56:00.000-08:002014-01-15T18:56:02.366-08:00RSA, NSA, OWASP Continued<br />
<span style="font-size: large;">Bruce Schneier, a well respected security expert, has written an essay that has an opposing view of the NSA and why the NSA surveillance program is not good security. I don't always agree with Mr. Schneier but he does make some good points, and as he is a very respected security expert I think it's good to read his essay. I am not re-printing it here but here is the link.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens-national-security/282822/">http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens-national-security/282822/</a></span><br />
<br />
<span style="font-size: large;">You can subscribe to Mr. Schneier's security newsletter here…on the web at<span style="background-color: white; color: #444444; line-height: 21px;"> </span></span><span style="background-color: white; color: #444444; font-size: large; line-height: 21px;"><</span><a href="http://www.schneier.com/crypto-gram.html" style="background-color: white; color: #0068cf; cursor: pointer; font-size: x-large; line-height: 21px;" target="_blank">http://www.schneier.com/crypto-gram.html</a><span style="background-color: white; color: #444444; font-size: large; line-height: 21px;">>. </span><br />
<br />
<br />
<span style="font-size: large;">On another subject, here is a podcast where I was interviewed about the project I am leading with OWASP concerning the Code Review Guide book.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="http://trustedsoftwarealliance.com/2014/01/13/appsec-usa-2013-larry-conklin-and-the-code-review-book-project">http://trustedsoftwarealliance.com/2014/01/13/appsec-usa-2013-larry-conklin-and-the-code-review-book-project</a>/</span><br />
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-18977344496650259742014-01-14T19:00:00.001-08:002014-01-14T19:23:15.586-08:00RSA, NSA, OWASP<span style="font-size: large;">Last week OWASP had a vigorous debate on whether OWASP should cancel planned secure code training at the RSA conference. I was (and still am) in favor of not canceling the secure code training. Debate surrounded the issue of RSA and its relationship with NSA. More specifically, did RSA, per request of NSA, weaken its cryptology products to allow NSA better access to be able to decrypt data encrypted with RSA products? These allegations came about because of documents leaked by Eric Snowden. At present time I know of no organization or individual who has confirmed if the allegations are true, partially true, false, or a government mandate that RSA had to fulfill.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I do know that OWASP’s main core value is to present unfettered security information to everyone. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What I don’t know is, if OWASP had not cancelled its training, would that have put a mark against OWASP as being able to continue its main core value of delivering unfettered security information to everyone and still be vendor impartial and have no ramifications to its brand name by co-marketing with RSA. I would have hoped the individuals attending the course could easily have made that distinction for themselves, that OWASP and RSA are very different organizations with each having its own values. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I think it’s sad that OWASP caved into media hype as to the RSA and NSA relationship. I am also disappointed by RSA for not dealing with the speaker cancellations in a positive way and for not being more open than they have been about their relationship with NSA. I do support OWASP and the speakers who cancelled their speaking engagements. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I think there is a larger discussion that was not raised completely. That discussion centers on our individual need for privacy and the real need by Law enforcement and governments to be able to gather information to make us secure and safe. This discussion is made harder by the fact that what is or is not privacy differs between individuals, cultures (American, European, Middle East, and Asian), and governments. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The current surveillance program being conducted by the NSA is a direct response to the terrorist attack on 9/11 in New York. In that attack 2,977 innocent people lost their lives. The mindset of this need for surveillance was further embedded into the American mindset by the Boston marathon attack, where three spectators were killed and more than 200 people (men, women and children) were injured.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So this discussion needs to be kept in scope: what the NSA is trying to do is prevent more deaths of our civilian population and reduce the fear of terrorism. Because of the secret nature of the NSA we really will never know the results of these efforts to a large degree. That prevents us from having absolute confidence of the good and bad of organizations like NSA and its partners, governmental and others. This lack of confidence is not uncommon. Unfortunately we have a long history of individuals or groups within organizations abusing their power, and we have just as long a history of uncovering the abuse. The difference here is our government needs to keep part of its activities secret, while at the same time giving us the confidence that it has the oversight in place and abuse is not happening. Not a simple task.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">One last thing, encryption; does encryption equal privacy? I have written a blog post talking about this very issue. American courts have upheld law enforcement requests for suspects to give up encryption keys, etc. I want law enforcement and my government to be able to decrypt files by terrorists, pedophiles, and other bad guys/governments; however, I also realize this can be a very slippery slope.</span><br />
<span style="font-size: large;"><br /></span>
<strong><span style="font-size: large;">Recap:</span></strong><br />
<span style="font-size: large;"><em>Unknowns…</em><br />
* The benefits or fallout of OWASP doing or not doing secure code training at RSA conference is unknown.<br />
* The RSA and NSA relationship is largely unknown. We don’t know if RSA weakened its cryptology products per NSA request.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><em>Facts…</em> Secure training is very much needed. OWASP is a premier leader in making unfettered secure information open and available to anyone. With the Target data breach reaching over 70 million accounts, the need for secure coding training needs to be at the forefront of all development teams.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><em>Hopes…</em> </span><br />
<ul>
<li><span style="font-size: large;">I think OWASP, if it has the bandwidth, should offer free secure coding training to any organization that has had a large data breach. The organization with the data breach will pay for the trainers' expenses and travel costs and provide the venue for the training. That would be a win-win solution for everyone: OWASP, consumers, businesses.</span></li>
</ul>
<div>
<span style="font-size: large;"><br /></span></div>
<ul>
<li><span style="font-size: large;">I would also like to see OWASP bring together politicians, law enforcement, legal experts (defense, prosecuting, judicial), and legal scholars on all levels (community, state and federal) for open panel discussions on privacy issues. OWASP has the opportunity to lead in the privacy arena, giving everyone accurate information on privacy for individuals and communities, and discussing issues of NSA surveillance, both positive and negative. This could be done here in America and in other countries. That would be very cool! Also it would be a win-win solution for everyone.</span></li>
</ul>
<em><span style="font-size: large;"><br /></span></em>
<em><span style="font-size: large;">Resources:</span></em><br />
<ul>
<li><a href="http://blogs.csoonline.com/security-industry/2914/owasp-terminates-marketing-agreement-rsa-conference-board-member-cancels-class-out-protest?source=CSONLE_nlt_salted_hash_2014-01-10">http://blogs.csoonline.com/security-industry/2914/owasp-terminates-marketing-agreement-rsa-conference-board-member-cancels-class-out-protest?source=CSONLE_nlt_salted_hash_2014-01-10</a></li>
<li><a href="http://voixsecurity.blogspot.com/2012/02/stored-communications-act.html">http://voixsecurity.blogspot.com/2012/02/stored-communications-act.html</a></li>
<li><a href="http://voixsecurity.blogspot.com/2013/07/cost-of-data-breach.html">http://voixsecurity.blogspot.com/2013/07/cost-of-data-breach.html</a></li>
</ul>
<br />
<br />
<br />
<br />
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-41092552857495988772013-11-13T18:54:00.001-08:002013-11-13T18:54:19.194-08:00Mozilla Firefox Lightbeam<span style="font-family: Times, Times New Roman, serif; font-size: large;">Lightbeam is a new add-on for Firefox. It shines a light (pun intended) on which third party companies you interact with when visiting web sites. Lightbeam works by recording all tracking cookies saved on your computer through the Firefox browser to see which advertisers or other third parties are connected to which cookies. Amazingly, it can differentiate between “behavioral” tracking cookies (those which record specific actions on a site) and other tracking cookies. The data can be viewed visually and in text format.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">I visited one of the large brick-and-mortar companies that also has a decent e-commerce web site. Below is what I found out. I tried to organize the cookie data the best I could. Some of the companies are familiar to all of us, like DoubleClick. But I had no clue about a lot of these companies until I looked them up.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">I would recommend that you turn on Lightbeam for a day and use Firefox exclusively. At the end of the day you will be amazed by how many companies are tracking you. Of course don’t be too surprised; the top companies in the tracking space bring in over 39 billion in revenue. This is big business. Don’t get me wrong, I depend on these companies profiting by seeing what I do online. I don’t want to pay to use Google, Yahoo, or Bing to search the web. I like having services like Hotmail and Gmail for free. I want to have Amazon recommend books to me based on prior buys and searches. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">I also want to have a say into who is tracking me, what I do, how the information can be used and by whom. The issue now is how big and powerful these businesses have gotten without anyone really realizing it. Now add that to powerful behavioral software and we are facing a monster. Like Pogo said, “we have met the enemy and he is us”. Privacy and the need for it are still valid in our connected world. How much of our privacy we keep is going to be decided by how much we are willing to get involved and learn what and who are behind the curtain. I would say right now we are facing an uphill battle.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5uL8snX5yh22j-LkGT31BmcklThWgqVBoV3scCtEUBhwCnOT3KEAtcnrYnAcWhkk-Hgy82p55Ct0r2Uj9_xTW1EPpq6RnRK5j297cMGl9FfzunNyAo1DA2UYOMPsaJbWhaQ7oxvFSb6l_/s1600/Pogo+3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5uL8snX5yh22j-LkGT31BmcklThWgqVBoV3scCtEUBhwCnOT3KEAtcnrYnAcWhkk-Hgy82p55Ct0r2Uj9_xTW1EPpq6RnRK5j297cMGl9FfzunNyAo1DA2UYOMPsaJbWhaQ7oxvFSb6l_/s320/Pogo+3.jpg" width="245" /></a></div>
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Tag Management: </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* http://www.brighttag.com </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* http://www.google.com/tagmanager/</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Brand Management/Protection </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* https://www.markmonitor.com</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Ad content providers: </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Tribalfusion.com Tribal Fusion is a global online advertising provider. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end-users with low latency; high data transfer speeds, and no commitments. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Tapad.com With Tapad’s proprietary technologies, advertisers can now employ consistent ads across multiple platforms: home computers, tablets, smartphones, and now even smart televisions.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Tracking Management. (Technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web.) </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* 2mdn.net is a domain used by Doubleclick. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Atwola.net is a domain used by AOL Advertising. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Mathtag.com is a domain used by MediaMath. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* W55c.net is a domain used by Lotame. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Googlesyndication.com is a domain used by Google Adsense. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Fastclick.net is a domain used by ValueClick Media. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Specificlick.net is a domain used by SpecificClick. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* ATDMT is a tracking cookie served by Microsoft subsidiary Atlas Solutions. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Doubleclick.net A Google Company.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">SEO Services. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* GoogleLeadServices (not connected with Google Inc.) provides SEO services.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Big Data/Market analytics. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* monetate.com Ecommerce connecting customers to sales. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* http://www.bluekai.com big data marketing platform. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Adnxs.com is run by AppNexus, a company that provides technology, data and analytics to help companies buy and sell online display advertising. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* Turn.com market analytics.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Consumer profiling/preference/psychology software. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* http://www.liveclicker.com/web/ Liveclicker is there to provide all the tools necessary to create one-of-kind interactive shopping experiences. </span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;">* 247-inc.com Inventory check based on buying preferences on web site visitor. </span><br />
<span style="font-family: Times, 'Times New Roman', serif; font-size: large; text-align: center;">* Tumri, an interactive ad platform. With their new technology, ads dynamically change based on geography, demographics, psychographics, media type, sites, etc.</span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><a href="http://www.mozilla.org/en-US/lightbeam/%C2%A0" target="_blank">http://www.mozilla.org/en-US/lightbeam/ </a></span><br />
<br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><a href="http://www.ted.com/talks/gary_kovacs_tracking_the_trackers.html" target="_blank">http://www.ted.com/talks/gary_kovacs_tracking_the_trackers.html</a></span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-9617093667924439402013-11-02T18:49:00.001-07:002013-11-02T18:49:34.314-07:00Secure SDLC Processes <span style="font-size: large;">I was reading about the differences between weak and strong typed computer languages and I came across the following sentence in Wikipedia “Programming languages are often colloquially referred to as strongly typed or weakly typed. In general, these terms do not have a precise definition”. This got me to thinking about a recent conversation I had about Software Development Life Cycle (SDLC) and mentoring. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The terms SDLC and mentoring are used often in conversations, but like strongly typed or weakly typed languages, neither term has a precise definition. Worse, the definitions used by different organizations, both commercial and academic, can differ vastly. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Often it is the senior person who is given the responsibility to mentor the junior person. To begin this conversation, let’s settle on a broad definition of mentoring: a relationship in which a more experienced person helps to guide a less experienced one. However, true mentoring is more than just answering occasional questions or providing ad hoc help. It is about an ongoing relationship of learning, dialogue, and challenge.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">How do we mentor secure coding/development to an organization? Who do we need to mentor? Upper management, so that they add the development time and cost needed to make sure the delivered product is secure for the organization and its users, both internal and external. With upper management we certainly need to use formal and informal transmission of knowledge and social capital. But we are hardly in a true mentoring relationship.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Peers. Peers have their eyes set on the goal of getting their projects into production. Most project incentives are based on development cost, meeting timelines, getting through QA and getting user acceptance, not on being secure. Add all those pressures together, and secure coding, except for a few points about SQL injection, usually falls to the floor while more pressing issues of shipping the product take center stage. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Let’s move off mentoring for a moment and move to SDLC. With SDLC, we have XP, Agile, JAD, and RAD, to mention a few. But now with the Secure Software Development Life Cycle we can add OWASP’s OpenSAMM, Microsoft’s SDL, and Cigital BSIMM, just to name a few. To make matters worse, every organization I have ever been associated with takes various pieces of each SDLC and uses the methods they like best, and even within those methods they do not use the entire method as it was defined. To further muddy the waters, most development organizations add their own brand of project management to their SDLC processes.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">So how do we have a meaningful conversation on these? Maybe we don’t. Do we have each party hand out a fully disclosed document of their definitions? Are our definitions based only on each other’s past experience, or on a combination of experience and professional research and training? Or do we at best muddle through, hoping each person understands the other?</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I know I really don’t have an answer, but the conversations are always fun. Maybe that is part of the answer: instead of looking for the right answers, let’s talk about what strategies have worked for us, what in the past did not work, and where we want to go. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What strategies do you use in your organization? Do mentoring, SDLC and security come together, or is each item separate? Can you write down what your organization’s definition of the SDLC is? The steps it follows and where it differs from the published guidelines for that SDLC? If not, is your organization using a home-grown ad hoc SDLC that is documented, and does your organization follow that document to a tee or only as a partial implementation? Remember, seat of the pants is not really the way to go. No matter what S-SDLC you use, a plan is better than no plan at all. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Tim Rains of Microsoft just released a blog post on developers using secure SDLC. Microsoft’s survey showed “security wasn’t considered a “top priority” when building software by 42% of developers worldwide.” His blog post goes on to say “While security development processes have been shown to reduce the number and severity of vulnerabilities found in software, almost half of all developers (44%) don’t use a secure application program/process today.”</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi30gvioC73RabrQ8s1hAMBFWh-N8VxfcEmb3qyEWxvQm4wrF-b_0gRMQzwkKEpzO16IwNEQ6Wpton1Qt4jKNs2S0jfmthFMMw9fDBViaFj5gqWR-5-PH_NevNlyYbKXlRGiujE0INSeeJT/s1600/1346.tic-dev.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi30gvioC73RabrQ8s1hAMBFWh-N8VxfcEmb3qyEWxvQm4wrF-b_0gRMQzwkKEpzO16IwNEQ6Wpton1Qt4jKNs2S0jfmthFMMw9fDBViaFj5gqWR-5-PH_NevNlyYbKXlRGiujE0INSeeJT/s1600/1346.tic-dev.jpg" /></a></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="http://blogs.technet.com/b/security/archive/2013/07/12/trust-in-computing-survey-part-2-less-than-half-of-developers-use-a-security-development-process.aspx">http://blogs.technet.com/b/security/archive/2013/07/12/trust-in-computing-survey-part-2-less-than-half-of-developers-use-a-security-development-process.aspx</a></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">I am speaking at APPSECUSA 2013. Nov 18-2013. <a href="http://appsecusa.org/2013/">http://appsecusa.org/2013/</a></span><br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-71356879313400953382013-10-06T14:06:00.000-07:002013-10-07T04:07:56.132-07:00Sql Injection, OWASP AppSec 2013, Free Training, Published Bad Code<span style="font-size: large;">Since 2003, SQL injections have remained in the top 10 list of CVE (</span><span style="font-size: large;">Common Vulnerabilities and Exposures dictionary</span><span style="font-size: large;">) vulnerabilities. Injection is the OWASP (Open Web Application Security Project) number one vulnerability. </span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">In the Verizon Business Data Breach Investigations Report 2013, SQL injection was identified as the single largest attack vector responsible for data theft. The Verizon report stated, “60% of SQL injection attacks in the 2011 dataset were single-event incidents, meaning they exfiltrated data (or otherwise caused an incident) in the initial compromise and didn’t continue beyond that. Single-event incidents are often over and done in a matter of seconds or even milliseconds.”</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Yet, remarkably, SQL injection is one of the low-hanging fruits that any organization can resolve without much effort. So how is it that we still have SQL injection as a top ten vulnerability after 14 years? Developer training, the need to evangelize IT management, IT tools, code reviews: all of these can help in reducing SQL injection. In this post I am going over some great resources for developer training.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Invest in your developers’ training. The payback is worth it. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>APPSEC USA 2013</b> is a great place for developers to get together to learn how to defend their applications. This year APPSEC USA 2013 is in New York, November 18-21.</span><br />
<a href="http://appsecusa.org/2013/"><span style="font-size: large;">http://appsecusa.org/2013/</span></a><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Safecode.org</b></span><br />
<span style="font-size: large;">Jim Manico, VP of Security Architecture at WhiteHat Security and Board member of OWASP, gave a shout out to SafeCode.org. SafeCode is a very well funded non-profit secure coding organization. They are in the process of releasing a large inventory of secure coding training that is fairly high quality.</span><br />
<span style="font-size: large;">Check it out. <a href="https://training.safecode.org/">https://training.safecode.org/</a></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>Published example demo code</b></span><br />
<span style="font-size: large;">But please be aware that not everything out there is of the quality it should be. Code Magazine, a leading independent developer publication with a good emphasis on .Net development, had two articles in its May/June 2013 issue that showed examples of how SQL injection creeps into applications. Both authors should know better, even for a demo article, than to use dynamic SQL.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The first article, “Creating Collections of Entity Objects”, shows this SQL statement. </span><br />
<br />
<!-- code formatted by http://manoli.net/csharpformat/ -->
<style type="text/css">
.csharpcode, .csharpcode pre
{
font-size: large;
color: black;
font-family: Consolas, "Courier New", Courier, Monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #a31515; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }
</style>
<br />
<div class="csharpcode">
<pre class="alt">da = New SqlDataAdapter("SELECT * FROM Product", _</pre>
<pre>    "Server=Localhost;Database=Sandbox; Integrated Security=Yes")</pre>
</div>
<br />
<br />
<span style="font-size: large;">Not good at all. I can just see someone reading this article, downloading the code, making it work for his or her needs, and adding a software vulnerability that a cyber criminal can exploit. The average data breach costs an organization about $300.00 per record. TJ Maxx’s data breach cost exceeded $250 million in 2007. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">A quick fix, </span><br />
<br />
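<div class="csharpcode">
<pre class="alt">SqlDataAdapter myCommand = <span class="kwrd">new</span> SqlDataAdapter("GetProductsStoredProcedure",</pre>
<pre>    myConnection);</pre>
<pre class="alt"><span class="rem">// Run the command text as a stored procedure name, not as ad hoc SQL.</span></pre>
<pre>myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;</pre>
</div>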
<br />
<span style="font-size: large;">The next article is “Creating a Robust Web Application with PHP and CodeIgniter”. In this example we read things like…</span><br />
<br />
<div class="csharpcode">
<pre class="alt">strQuery = "INSERT INTO logs " & _</pre>
<pre>    "(custername, cevent, computer) " & _</pre>
<pre class="alt">    "Values ('" & strUserName & "','" _</pre>
<pre>    & strEvent & "', '" & _</pre>
<pre class="alt">    strComputerName & "')"</pre>
</div>
<br />
<br />
<span style="font-size: large;">However, we should have read code like this from the author.</span><br />
<br />
<br />
<br />
<div class="csharpcode">
<pre class="alt">$name = $_GET[<span class="str">'username'</span>];</pre>
<pre>$event = $_GET[<span class="str">'event'</span>];</pre>
<pre class="alt">$computerName = $_GET[<span class="str">'ComputerName'</span>];</pre>
<pre> </pre>
<pre class="alt"><span class="kwrd">if</span> ($stmt = $mysqli->prepare(<span class="str">"INSERT INTO logs (custername, cevent, computer) VALUES (?, ?, ?)"</span>)) {</pre>
<pre>    $stmt->bind_param(<span class="str">"sss"</span>, $name, $event, $computerName); <span class="rem">// Bind the three variables to the placeholders as strings.</span></pre>
<pre class="alt">    $stmt->execute(); <span class="rem">// Execute the statement.</span></pre>
<pre>    $stmt->close(); <span class="rem">// Close the prepared statement.</span></pre>
<pre class="alt">}</pre>
</div>
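The difference between the two logging statements above can be seen by running both against a real database. The following is an added example, not code from either article or from this blog: it uses Python's built-in sqlite3 module and an in-memory table, the function names are hypothetical, and the input values are constructed for the demonstration; only the table and column names come from the quoted INSERT.

```python
import sqlite3


def make_db():
    """In-memory database with the logs table named in the quoted INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (custername TEXT, cevent TEXT, computer TEXT)")
    return conn


def log_event_concatenated(conn, user, event, computer):
    """Same pattern as the article's code: values are pasted into the SQL text."""
    query = ("INSERT INTO logs (custername, cevent, computer) "
             "VALUES ('" + user + "','" + event + "','" + computer + "')")
    conn.execute(query)


def log_event_parameterized(conn, user, event, computer):
    """Placeholders keep the values out of the SQL text; the driver binds them."""
    conn.execute(
        "INSERT INTO logs (custername, cevent, computer) VALUES (?, ?, ?)",
        (user, event, computer),
    )


def compare(user, event, computer):
    """Run one input through both versions; return what each stored, or the error."""
    results = {}
    for name, fn in (("concatenated", log_event_concatenated),
                     ("parameterized", log_event_parameterized)):
        conn = make_db()
        try:
            fn(conn, user, event, computer)
            results[name] = conn.execute(
                "SELECT custername, cevent, computer FROM logs").fetchall()
        except sqlite3.Error as exc:
            results[name] = "error: " + type(exc).__name__
        finally:
            conn.close()
    return results


# Constructed sample inputs (not taken from any real log).
SAMPLES = [
    # An ordinary value: both versions behave the same.
    ("alice", "login", "PC-01"),
    # A legitimate name with an apostrophe: the concatenated statement no longer parses.
    ("O'Brien", "login", "PC-02"),
    # A value that closes the quote early: the database records an event and a
    # computer the application never passed, so the audit log cannot be trusted.
    ("mallory', 'logout', 'PC-99') --", "failed-login", "PC-03"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[0]))
        for version, outcome in compare(*sample).items():
            print("   ", version, "->", outcome)
```

With the parameterized version every input, including the last one, is stored byte for byte as the application supplied it.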
<br />
<span style="font-size: large;">Don’t forget another great resource: the OWASP Cheat Sheets.</span><br />
<span style="font-size: large;"><a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet</a></span><br />
<br />
<br />
<span style="font-size: large;">SQL-injection Infographic</span>
<br />
<a href="http://www.veracode.com/security/sql-injection"> <img alt=" SQL Injection Tutorial Infographic" src="http://www.veracode.com/images/Infographics/sql-injection-ig.jpg" style="font-size: x-small;" /></a><br />
<br />
<br />
<span style="font-size: large;">References:</span><br />
* <a href="http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf">http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf</a><br />
* <a href="https://www.owasp.org/index.php/Top_10_2013">https://www.owasp.org/index.php/Top_10_2013</a><br />
* <a href="http://appsecusa.org/2013/">http://appsecusa.org/2013/</a><br />
* <a href="http://msdn.microsoft.com/en-us/library/ff648339.aspx">http://msdn.microsoft.com/en-us/library/ff648339.aspx</a><br />
* <a href="http://www.code-magazine.com/">http://www.code-magazine.com</a><br />
* <a href="https://www.owasp.org/index.php/Main_Page">https://www.owasp.org/index.php/Main_Page</a><br />
<br />
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-90025584208813297782013-08-03T12:44:00.001-07:002013-08-03T13:15:53.608-07:00How unique are you? Your Zip code knows.<div>
<span style="font-family: "Times New Roman";"><span style="font-size: large;">
<br />
<p>
When I am out shopping and ready to check out, the clerk asks me for my Zip code. My family readily gives out such information and often apologizes to the clerk when I refuse to give out my Zip code. When I respond that it is personal information, the reply is just eye-rolling and “you’re just being grumpy.” Of course there is some truth in that. But the question remains: how much information can they (the retail store) get by knowing my Zip code? The answer is a lot. <br />
</p>
<p>
Famed Harvard Professor Latanya Sweeney, who has done pioneering work on data privacy, has a web site where you can now test your uniqueness. Her site asks for your gender, birthdate and Zip code. Remember, the retail store has an advantage because they have your name and Zip code. Give it a try. You might find that you are not as unique as you think you are, and that using your Zip code really can help identify you, in most cases with 100% accuracy. <br />
<p>
<br />
<a href="http://aboutmyinfo.org">http://aboutmyinfo.org</a><br />
<br />
<p>
Dr. Sweeney explains that “365 days in a year x 100 years x 2 genders = 73,000 unique combinations, and because most postal codes have fewer people, the surprise fades”.<br />
</p>
Here is a sample output using a made-up person…<br />
74012 (pop. 57526)<br />
Male<br />
Birthdate 12/13/1987 Easily identifiable by birthdate (about 1)<br />
Birth Year 1987 Lots with your birth year (about 378)<br />
Range 1987 to 1991 Wow! There are lots of people in your age range (about 1894)<br />
</p>
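The arithmetic in the quote can be carried one step further to see what share of a Zip code's residents would be the only person with their gender and birthdate. The following is an added example, not the method used by aboutmyinfo.org: it assumes the uniform 365 x 100 x 2 model from the quote, a randomly generated population of the size shown in the sample output, and a five-year bucketing chosen for the illustration; all function names are hypothetical.

```python
import random
from collections import Counter

DAYS, YEARS, GENDERS = 365, 100, 2  # the 365 x 100 x 2 model from the quote

LEVELS = ("birthdate", "birth_year", "five_year_range")


def combinations(level):
    """Distinct (gender, birth field) values at each level of detail."""
    return {
        "birthdate": DAYS * YEARS * GENDERS,            # 73,000
        "birth_year": YEARS * GENDERS,                  # 200
        "five_year_range": (YEARS // 5) * GENDERS,      # 40
    }[level]


def expected_matches(population, level):
    """Average number of residents per combination under the uniform model."""
    return population / combinations(level)


def expected_unique_fraction(population, level):
    """Chance that none of the other residents shares a given person's combination."""
    return (1 - 1 / combinations(level)) ** (population - 1)


def synthetic_zip(population, seed=1):
    """Constructed residents: (gender, birth year offset, day of year), all uniform."""
    rng = random.Random(seed)
    return [(rng.randrange(GENDERS), rng.randrange(YEARS), rng.randrange(DAYS))
            for _ in range(population)]


def generalize(record, level):
    """Coarsen a record to the requested level of detail."""
    gender, year, day = record
    if level == "birthdate":
        return (gender, year, day)
    if level == "birth_year":
        return (gender, year)
    return (gender, year // 5)  # assumed five-year buckets


def k_report(records, level):
    """k is the smallest group sharing one combination; k = 1 means someone is unique."""
    groups = Counter(generalize(r, level) for r in records)
    unique = sum(1 for size in groups.values() if size == 1)
    return {
        "k": min(groups.values()),
        "unique_fraction": unique / len(records),
        "groups": len(groups),
    }


if __name__ == "__main__":
    population = 57526  # population shown for Zip 74012 in the sample output
    residents = synthetic_zip(population)
    for level in LEVELS:
        report = k_report(residents, level)
        print(f"{level:16s} expected matches {expected_matches(population, level):8.1f}"
              f"  model unique {expected_unique_fraction(population, level):.3f}"
              f"  simulated unique {report['unique_fraction']:.3f}  k={report['k']}")
```

Under these assumptions roughly 45% of the residents are alone in their gender and birthdate combination, while generalizing to birth year alone puts everyone in a group of well over a hundred people.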
<br />
<p>
A lot of retailers today use services like GeoCapture. This service, produced by Harte-Hanks (<a href="http://www.harte-hanks.com/">http://www.harte-hanks.com</a>), simply captures your name from your credit card, with the clerk entering your Zip code into the POS during the transaction. Using the GeoCapture service, your store matches the collected information to a comprehensive consumer database to return an address.
</p>
<p>
Besides your address, GeoCapture can…<br />
<ul>
<li> Identify customers, understand purchase behavior, and follow up with dynamic, personalized marketing.</li>
<li> Provides customer contact information and purchase history.</li>
<li> Extensive, proprietary matching logic and nickname tables identify customers easily with accuracy rates close to 100%.</li>
<li> Can be used in conjunction with Reverse E-mail Append for customer identification.</li>
</ul>
<br />
</p>
<p>
Here is the PDF from Harte-Hanks that describes the services offered to retail stores.
Of course, if you shop in your own Zip code and the clerk enters the store’s Zip code, they’ve got you.
<a href="http://www.hartehanks.com/pdf/Data%20Services%20and%20Solution%20brochure%20100108.pdf">http://www.hartehanks.com/pdf/Data%20Services%20and%20Solution%20brochure%20100108.pdf</a><br />
</P>
<p>
OK, here are some simple, proven ways to help protect your privacy.
<br />
<ul>
<li>1. Sign out of online accounts when not using them, Hotmail, Facebook, etc. (This is becoming more difficult with always on mobile apps).</li>
<li>2. Don’t give out personal information when shopping.</li>
<li>3. Encrypt your hard drive on your computer.</li>
<li>4. Turn on 2-step authentication for all apps that provide it. Gmail does.</li>
<li>5. Pay cash for embarrassing things.</li>
<li>6. Change your Facebook settings to Friends Only.</li>
<li>7. Clear your browser history and cookies on a regular basis.</li>
<li>8. Use an IP masker. <a href="http://www.hidemyass.com">www.hidemyass.com</a></li>
<li>9. Set and use your passcode on all of your wireless devices.</li>
<li>10. Remember, everyone now carries a phone with a camera. If you do something stupid, it is very likely someone took a picture of it and posted it on the Internet.</li>
</ul>
</p>
<br />
<p>
I thought this was a cool site and I wanted to share it with you. Smile, you’re on camera, maybe. <a href="http://360gigapixels.com/petrin-prague-photo/">http://360gigapixels.com/petrin-prague-photo/</a>
</p>
</span>
</div>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-68839756094234400782013-07-28T12:32:00.000-07:002013-07-28T13:06:15.782-07:00Cost of a Data Breach and Information collected about you on the Internet. While we wait, talk and complain about our government's intrusion into our private lives, we do very little about the professional criminal who is breaking into our web sites and stealing our data. Curious, isn't it?<br />
<br />
<br />
<br />
<a href="http://www.veracode.com/blog/2013/07/the-real-cost-of-a-data-breach-infographic"><img alt="The Real Cost of a Data Breach" src="http://www.veracode.com/blog/wp-content/uploads/2013/07/cost-of-a-data-breach-infographic.jpg" width="500" /></a>
<br />
<br />
OK, now about all that data that we make freely available so we don't have to pay for services like Google, YouTube, Hotmail, etc. Remember when your mom and dad said there was no such thing as a free lunch? They weren't wrong.
<br />
<br />
<br />
<ol>
<li>Google Street View has collected over 5,000,000 miles of images </li>
<li>58% of people are unaware of how data is gathered and shared online by advertisers </li>
<li>Facebook collects over 500 terabytes of data from its users each day </li>
<li>50% of iOS apps track your location </li>
<li>Free apps are more than 4x as likely to access contact lists </li>
<li> 87% of US adults can be tracked via their mobile device</li>
<br />
<img alt="Internet Privacy: How Much Data Does the Net Hold on You?" class="infographic_embedder" src="http://www.whoishostingthis.com/blog/wp-content/uploads/2013/05/Internet-Privacy-large.jpg" width="100%" /></li>
</ol>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com1tag:blogger.com,1999:blog-7399109506254107325.post-60405819478859259822013-06-17T12:12:00.000-07:002013-06-17T15:25:23.439-07:00Eric Snowden and OWASP Hashing & Salt<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<!--StartFragment-->
<br />
<div class="MsoNormal">
<span style="font-family: "Times New Roman";"><span style="font-size: large;">Sorry for being
dark so long. I am being pulled in several directions at once. My main
priorities right now are…</span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<ul>
<li><span style="font-family: 'Times New Roman';"><span style="font-size: large;">Work. They pay
the bills.</span></span></li>
<li><span style="font-size: large;"><span style="font-family: 'Times New Roman';">OWASP Code
Review Guide. I am the co-leader and project support of this project. It is one
of OWASP's flagship products.</span><span style="font-family: 'Times New Roman';"> </span></span></li>
<li><span style="font-size: large;"><span style="font-family: 'Times New Roman';">Tulsa .Net Users
Group. This year we are doing a coding contest every quarter, sponsored by Inceed
(</span><a href="http://www.inceed.com/index_sm.html" style="font-family: 'Times New Roman';">http://www.inceed.com/index_sm.html</a><span style="font-family: 'Times New Roman';">);
see (</span><a href="http://codeshootout.com/" style="font-family: 'Times New Roman';">http://codeshootout.com</a><span style="font-family: 'Times New Roman';">). I am the
contest master who comes up with the contest objectives, rules, etc. with some
help from friends.</span></span></li>
</ul>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman";"><span style="font-size: large;">On OWASP Code
Review Guide 2.0 we are re-vamping the book published in 2008 to refresh it,
expand on it and build on the great platform created by the first book.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman";"><span style="font-size: large;">OWASP is a great
organization that is always looking for good people to volunteer some effort on
many great projects, like the Code Review Guide. Anyone interested? <a href="http://www.owasp.org/">www.owasp.org</a> </span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "Times New Roman";">The Code
Review Guide consists of wiki articles. Authors
post these articles to the OWASP main wiki. Once we have the content needed we will
combine these articles into a book, with the review process being done by OWASP and
a professional editor. I am also going to post some of the articles here in my
blog. This article is one I wrote on Hashing and Salting. Interestingly enough,
Bruce Schneier in his monthly Crypto-Gram newsletter has an article on
password cracking which I thought fitted nicely with my article on hashing and
salting. You can read his newsletter on
the web at…</span><span style="color: #343434; font-family: 'Times New Roman';"> </span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">&lt;<a href="http://www.schneier.com/crypto-gram-1306.html"><span style="color: #004dcc;">http://www.schneier.com/crypto-gram-1306.html</span></a>&gt;
I have written on this subject before in my blog but I feel this is the type of
information that can and should be repeated. </span></span><span style="font-size: large;"><span style="color: #343434; font-family: 'Times New Roman';">See
also (</span><a href="http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/" style="font-family: 'Times New Roman';">http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/</a><span style="color: #343434; font-family: 'Times New Roman';">
)</span></span><br />
<!--EndFragment--></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><b><i><span style="font-size: large;">Eric Snowden</span></i></b></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">One point I would like to make before we get into the hashing stuff concerns Mr. Schneier's
comments and essay on whistleblowers like Eric Snowden. My question to Mr. Schneier is "How does the
whistleblower know if they are exposing a true abuse of power or hurting our
national security?". I am in favor of whistleblowers exposing abuse of power by
our government or any government official but I am also not in favor of hurting our
national security. I also don't want to give up every freedom I have to be "safe" but I realize that governments need to keep secrets. The
discussion I would like to see come out of this mess is about clear-cut, understandable
checks and balances on our government in the context of private/personal information gathering: how they can be held liable and what the limits are on how intrusive they can be into our private lives and
communications. How do we know they are staying within those limits and who are the gatekeepers? Sorry Eric, Manning and </span></span><span style="font-family: 'Times New Roman';"><span style="font-size: large;">Julian
Assange but I want better than the three of you.</span></span></div>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:Cambria;
mso-ascii-font-family:Cambria;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Cambria;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
<!--StartFragment--><!--EndFragment-->
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b>Code review Guide – Hashing
and Salting</b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Introduction</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">A
cryptographic hash algorithm, also called a hash "function", is a
computer algorithm designed to provide a random mapping from an arbitrary block
of data (a string of binary data) to a fixed-size bit string known as a
“message digest”, while achieving certain security properties.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Cryptographic
hashing functions are used to create digital signatures, message authentication
codes (MACs), other forms of authentication and many other security
applications in the information infrastructure. They are also used to store
user passwords in databases instead of storing the password in clear text, and
they help prevent data leakage in session management for web applications. The
actual algorithm used to implement a cryptographic hash function varies per implementation
(SHA-256, SHA-512, etc.).<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">The
code reviewer needs to be aware of three main things when reviewing code that
uses cryptographic hashing functions.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* Legality of the cryptographic hashing functions if the source code is being
exported to another country.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* The life cycle of the cryptographic hashing function being used.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* Basic programming of cryptographic hashing functions.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Legal</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">In
the United States in 2000, the Department of Commerce Bureau of Export revised
encryption export regulations. The result of the new export regulations is
that the regulations have been greatly relaxed. However, if the code is to be
exported outside of the source country, the current export laws of the exporting and
importing countries should be reviewed for compliance. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">A case
in point: if the entire message is hashed instead of a digital signature of
the message, the National Security Agency (NSA) considers this a
quasi-encryption and State controls would apply.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">It
is always a valid choice to seek legal advice within the organization for which the
code review is being done to ensure legal compliance.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Lifecycle</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">With
security nothing is secure forever. This is especially true with cryptographic
hashing functions. Some hashing
algorithms such as Windows LanMan hashes are considered completely broken. The
code reviewer needs to understand the weaknesses of obsolete hashing functions
as well as the current best practices for the choice of cryptographic
algorithms. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Programming/Vulnerabilities</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">The
most common programmatic issue with hashing is not using a salt value or, when
a salt is used, a salt value that is too short and/or the same salt value used in
multiple hashes. The purpose of a salt is to make it harder for an attacker to
perform a pre-computed hashing attack (e.g., using rainbow tables), but other
benefits of a salt can include making it difficult for an attacker to perform
even password guessing attacks by obfuscating the hashed value.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Salt</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">One
way to generate a secure salt value is to use a pseudo-random number generator.
Note that a salt value does not need to possess the quality of
cryptographically secure randomness.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Best
practice is to use a cryptographic function to create the salt, to create a new salt value
for each hash value, and to use a minimum salt size of 128 bits. The
bits are not costly, so don't save a few bits thinking you gain something back
in performance; instead use a 256-bit salt value. It is highly
recommended. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>.Net
Salt</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> private int minSaltSize = 8;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> private int maxSaltSize = 24;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> private int saltSize = 32; // 32 bytes = 256-bit salt; left unset it defaults to 0 and no salt is added<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> <o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> private byte[] GetSalt(string input) {<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> byte[] data;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> byte[] saltBytes;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> saltBytes = new byte[saltSize];<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> rng.GetNonZeroBytes(saltBytes);<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> data =
Encoding.UTF8.GetBytes(input);<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> byte[] dataWithSaltBytes =<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> new byte[data.Length +
saltBytes.Length];<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> for (int i = 0; i < data.Length;
i++)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> dataWithSaltBytes[i] = data[i];<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> for (int i = 0; i <
saltBytes.Length; i++)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> dataWithSaltBytes[data.Length +
i] = saltBytes[i];<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> return dataWithSaltBytes;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> }<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">This
method uses an agile approach to calling a hash function. It is explained
below.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> private string
computeHashWithSalt(HashAlgorithm myHash, string input) {<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> byte[] data;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> data =
myHash.ComputeHash(GetSalt(input));<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> StringBuilder sb = new StringBuilder();<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> for (int i = 0; i < data.Length;
i++) {<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">
sb.Append(data[i].ToString("x2"));<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> }<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> return sb.ToString();<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> }<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
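<div class="MsoNormal">
<span style="font-size: large;">GetSalt above returns the input with the salt appended but never returns the salt itself, so a hash computed this way cannot be recomputed later for comparison. The following is an added example, not code from the original post, that keeps a fresh 256-bit salt next to each hash and accepts only SHA-256/384/512; the names SaltedHasher, Protect and Verify and the "ALG$salt$hash" record layout are assumptions made for illustration.</span></div>

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. SaltedHasher, Protect, Verify and the record layout
// "ALG$base64(salt)$base64(hash)" are illustrative assumptions.
public static class SaltedHasher
{
    private const int SaltSizeBytes = 32; // 256-bit salt, as the text recommends

    // Allow-list of hash names: MD5 and SHA-1 are rejected, not silently used.
    private static HashAlgorithm CreateHash(string name)
    {
        switch (name)
        {
            case "SHA256": return SHA256.Create();
            case "SHA384": return SHA384.Create();
            case "SHA512": return SHA512.Create();
            default: throw new ArgumentException("Hash not allowed: " + name);
        }
    }

    // Hash (input || salt), the same ordering the post's GetSalt uses.
    private static byte[] Digest(string algorithm, byte[] salt, string input)
    {
        byte[] data = Encoding.UTF8.GetBytes(input);
        byte[] buffer = new byte[data.Length + salt.Length];
        Buffer.BlockCopy(data, 0, buffer, 0, data.Length);
        Buffer.BlockCopy(salt, 0, buffer, data.Length, salt.Length);
        using (HashAlgorithm hash = CreateHash(algorithm))
        {
            return hash.ComputeHash(buffer);
        }
    }

    // Generates a new random salt for every record and stores it with the hash.
    public static string Protect(string algorithm, string input)
    {
        byte[] salt = new byte[SaltSizeBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] digest = Digest(algorithm, salt, input);
        return algorithm + "$" + Convert.ToBase64String(salt)
                         + "$" + Convert.ToBase64String(digest);
    }

    // Recomputes the hash with the stored salt and compares in fixed time.
    public static bool Verify(string record, string candidate)
    {
        string[] parts = record.Split('$');
        if (parts.Length != 3) return false;
        try
        {
            byte[] salt = Convert.FromBase64String(parts[1]);
            byte[] expected = Convert.FromBase64String(parts[2]);
            byte[] actual = Digest(parts[0], salt, candidate);
            return FixedTimeEquals(expected, actual);
        }
        catch (FormatException) { return false; }   // corrupt base64 field
        catch (ArgumentException) { return false; } // algorithm not on the allow-list
    }

    // Comparison whose running time does not depend on where the bytes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample input, not taken from the post.
        string first = Protect("SHA512", "correct horse");
        string second = Protect("SHA512", "correct horse");
        Console.WriteLine("Same input, different records: " + (first != second));
        Console.WriteLine("Right value verifies: " + Verify(first, "correct horse"));
        Console.WriteLine("Wrong value verifies: " + Verify(first, "wrong horse"));
        try
        {
            Protect("MD5", "correct horse");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

<div class="MsoNormal">
<span style="font-size: large;">For password storage specifically, a deliberately slow derivation such as PBKDF2 (Rfc2898DeriveBytes in .NET) is the usual choice over a single hash pass; the per-record salt handling shown here carries over unchanged.</span></div>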
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Microsoft
.Net Notes on Hashing</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Microsoft
does not recommend using MD5 or SHA-1. With .Net 3.5 and above Microsoft
supports the Suite B set of cryptographic algorithms published by the National
Security Agency (NSA). <o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">The
salt value does not need to be secret and can be stored along with the hash
value. Some may use a combination of account details (username, user full name,
ID, creation date, etc.) as the salt for hash to further obfuscate the hash
computation: for example salt =
(username|lastname|firstname|ID|generated_salt_value).<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Best
Practices</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Industry-leading
cryptographers are advising that MD5 and SHA-1 should not be used for
any applications. The United States Federal Information Processing Standards
Publication (FIPS) specifies seven cryptographic hash algorithms (SHA-1,
SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256) that are approved
for federal use. The code reviewer should consider this standard because
FIPS is also widely adopted by the information technology industry. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">The
code reviewer should raise a red flag if MD5 or SHA-1 is used, and a risk
assessment should be done to understand why these functions would be used instead of
other better-suited hash functions. FIPS does allow MD5 to be used, but only
as part of an approved key transport scheme (e.g. SSL v3.1) where no
security is provided by the algorithm. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">FIPS
disapproves the following functions: DES; MD51; RC4; Blowfish; Diffie-Hellman2;
Diffie-Hellman3 (key agreement); EC Diffie-Hellman2 (key agreement); AES4
(non-compliant); Diffie-Hellman5 (key agreement); EC Diffie-Hellman4 (vendor
affirmed); RSA4 (key agreement); RSA2 (key wrapping).<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>.Net
Agile Code example for hashing</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><i>App
Code File:</i><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><add
key="HashMethod" value="SHA512"/><o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><i>C#
Code:</i><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 1:
preferredHash =
HashAlgorithm.Create((string)ConfigurationManager.AppSettings["HashMethod"]);<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 2: <o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 3:
hash = computeHash(preferredHash, testString);<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 4: <o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 5:
private string computeHash(HashAlgorithm myHash, string input) {<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 6:
byte[] data;<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 7:
data = myHash.ComputeHash(Encoding.UTF8.GetBytes(input));<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 8:
StringBuilder sb = new StringBuilder();<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 9:
for (int i = 0; i < data.Length; i++) {<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 10:
sb.Append(data[i].ToString("x2"));<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 11:
}<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 12:
return sb.ToString();<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"> 13: }<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Line
1 lets us read the hashing algorithm we are going to use from the config file.
If we use the machine config file, our implementation would be server wide
instead of application specific. <o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Line
3 passes the algorithm selected by the config value to computeHash, so the
same call can produce a SHA-256 or a SHA-512 hash.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">The
drawback to this method is key size. I would suggest giving yourself twice
the size of the largest key of any hashing algorithm you could possibly use to
store hash values. This means we need a varchar of 1024 if we are going to
store our hash value in the database.<o:p></o:p></span></span></div>
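<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Changing HashMethod in the config changes the output of every later call, so values hashed under the old setting stop matching unless each stored value records which algorithm produced it. The following is an added example, not code from the original post: the class AgileHasher, its methods and the "ALGORITHM:hex" storage format are assumptions, and it targets .NET Framework with a reference to System.Configuration.</span></span></div>

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the post): config-driven hashing that tags
// every stored value with the algorithm that produced it.
public static class AgileHasher
{
    // Assumption: only these names are accepted from configuration.
    // The value is the expected hex digest length in characters.
    private static readonly Dictionary<string, int> Allowed =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "SHA256", 64 }, { "SHA384", 96 }, { "SHA512", 128 }
        };

    // Reads the same "HashMethod" appSettings key the post uses and rejects
    // anything outside the allow-list (for example MD5 left in an old config).
    public static string ConfiguredAlgorithm()
    {
        string name = ConfigurationManager.AppSettings["HashMethod"];
        if (name == null || !Allowed.ContainsKey(name))
            throw new ConfigurationErrorsException(
                "HashMethod must be one of: " + string.Join(", ", Allowed.Keys));
        return name.ToUpperInvariant();
    }

    // Returns "<ALGORITHM>:<lowercase hex digest>"; the longest value this
    // produces is "SHA512:" plus 128 hex characters, 135 characters in all.
    public static string ComputeTagged(string algorithm, string input)
    {
        if (algorithm == null || !Allowed.ContainsKey(algorithm))
            throw new ArgumentException("Algorithm not allowed: " + algorithm);

        string name = algorithm.ToUpperInvariant();
        using (HashAlgorithm hasher = HashAlgorithm.Create(name))
        {
            byte[] digest = hasher.ComputeHash(Encoding.UTF8.GetBytes(input));
            StringBuilder sb = new StringBuilder();
            sb.Append(name).Append(':');
            foreach (byte b in digest)
                sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Checks input against a stored value using the algorithm named in the
    // stored tag, so old rows still verify after HashMethod changes.
    public static bool Verify(string stored, string input)
    {
        if (stored == null) return false;
        int sep = stored.IndexOf(':');
        if (sep <= 0) return false;

        string algorithm = stored.Substring(0, sep);
        int hexLength;
        if (!Allowed.TryGetValue(algorithm, out hexLength)) return false;
        if (stored.Length - sep - 1 != hexLength) return false;

        string expected = ComputeTagged(algorithm, input);
        int offset = expected.Length - hexLength;
        // Compare only the digest part, without exiting early on a mismatch.
        int diff = 0;
        for (int i = 0; i < hexLength; i++)
            diff |= char.ToLowerInvariant(stored[sep + 1 + i]) ^ expected[offset + i];
        return diff == 0;
    }

    // True when the stored value was produced by a different algorithm than
    // the one currently selected, so the caller can re-hash and update the row.
    public static bool NeedsRehash(string stored, string currentAlgorithm)
    {
        return !stored.StartsWith(currentAlgorithm + ":",
                                  StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample values. A fixed name is used here instead of
        // ConfiguredAlgorithm() so the demo runs without an app.config.
        const string sample = "constructed sample input";
        string oldRow = ComputeTagged("SHA256", sample); // written under the old setting
        string current = "SHA512";                       // setting after the config change

        Console.WriteLine("old row verifies: " + Verify(oldRow, sample));
        Console.WriteLine("old row needs re-hash: " + NeedsRehash(oldRow, current));
        Console.WriteLine("new row length: " + ComputeTagged(current, sample).Length);
        // A tag outside the allow-list is rejected before any hashing happens.
        Console.WriteLine("MD5 tag accepted: " + Verify("MD5:" + new string('0', 32), sample));
    }
}
```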
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>Afterword</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">Lastly,
never accept in a code review a hashing algorithm created by the programmer
or a hashing function copied from the Internet. Always use the
cryptographic functions provided by the language framework the code is
written in. These functions are well vetted and well tested by experienced
cryptographers.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;"><b><i>References:</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* http://valerieaurora.org/hash.html (Lifetimes of cryptographic hash functions)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* http://msdn.microsoft.com/en-us/library/system.security.cryptography.rngcryptoserviceprovider.aspx<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span style="color: #343434; font-family: "Times New Roman";"><span style="font-size: large;">* Ferguson
and Schneier (2003) Practical Cryptography (see Chapter 6; section 6.2 Real
Hash Functions)<o:p></o:p></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<!--EndFragment-->Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com1tag:blogger.com,1999:blog-7399109506254107325.post-48482836147883466512013-03-31T14:19:00.001-07:002013-03-31T14:19:28.382-07:00Facebook<br />
<div style="font-family: 'Times New Roman'; margin-bottom: 15px;">
<span style="font-size: large;"><span style="text-decoration: underline;"><i>Datalogix</i></span>: Has over 50% market share of the top 100 advertisers and over 90% of the top 50 digital media and ad tech companies. Today it has the world's largest platform of 1:1 offline purchasing data and tracks over $1 trillion in consumer transactions in a wide range of retail settings.</span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;"><span style="text-decoration: underline;"><i>Acxiom</i></span>: Mainly collects data from financial services, insurance, information services, direct marketing, and federal, state and local government sector.<span style="color: #0a45ad;"> </span></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;"><span style="color: #0a45ad;"><br /></span></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;"><span style="text-decoration: underline;"><i>Epsilon</i></span>: Monitors social networking and online media sites to see what people are saying about a company, advises on markets to target, helps develop and maintain customer loyalty programs. </span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="color: #464646; font-family: 'Times New Roman';">
<span style="font-size: large;"><span style="color: black; text-decoration: underline;"><i>Bluekai</i></span><span style="color: black;">: Has created an</span> actionable audience database on more than 300 million users (80% of the entire US Internet population). </span></div>
<div style="color: #464646; font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;"><span style="color: #464646;">So what do these companies have in common? I</span>n February, Facebook announced partnerships with the above four companies. Facebook is moving into a new area to combine its online data on its users with their offline purchases. The goal is to create better targeted/relevant ads for Facebook users and its advertisers.</span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">This means the line between our physical and digital selves has been blurred.</span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">For me this means I reveal more personal information without being able to opt out. That isn’t necessarily bad in my opinion. If the data is used to make my shopping experience better, with better product placement and more relevant products closer to the door, that is better for me. However, I doubt that I am in the most targeted demographic group, so my shopping experience will stay the same. </span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">Will companies in the future offer private shopping as a feature for the discerning shopper? Right now I don’t feel this is a viable option. Maybe Lindsay Lohan will want a bit more privacy in her shopping habits and will be willing to pay for it. If so, privacy is now a sellable retail item. It would be kinda funny seeing people in Target walking around in plain brown boxes to protect their identity. Funny as that would be, I do see a market in the future where banks offer anonymous ATM/credit cards for numbered accounts to protect their clients’ identity. </span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">This can also work against me. My last big purchase was a car a few months ago. I had gone to the web site of the dealership I bought the car from. In fact, the dealer’s web site and his inventory of cars is one reason I went to his brick-and-mortar store. If he is able to use my online digital profile and link it to my physical profile, he can use my own information against me to get a better price for his car. I doubt I can get the same information on his sales to use his sales data against him for the best price for me. Seems a bit unfair to me.</span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">References:</span></div>
<div style="color: #1e39f6; font-family: 'Times New Roman';">
<span style="text-decoration: underline;"><a href="http://www.blogger.com/%22"><span style="font-size: large;">http://www.nytimes.com/2013/03/26/technology/facebook-expands-targeted-advertising-through-outside-data-sources.html?ref=acxiomcorp&_r=0</span></a></span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="color: #1e39f6; font-family: 'Times New Roman';">
<span style="text-decoration: underline;"><a href="http://www.blogger.com/%22"><span style="font-size: large;">http://adage.com/article/digital/facebook-partner-acxiom-epsilon-match-store-purchases-user-profiles/239967/</span></a></span></div>
<div style="font-family: 'Times New Roman'; min-height: 12px;">
<span style="font-size: large;"><br /></span></div>
<div style="color: #1e39f6; font-family: 'Times New Roman';">
<span style="text-decoration: underline;"><a href="http://www.blogger.com/%22"><span style="font-size: large;">http://allfacebook.com/custom-audiences-datalogix-epsilon-acxiom-bluekai_b111746</span></a></span></div>
<div style="font-family: 'Times New Roman'; font-size: 11px; min-height: 12px;">
<br /></div>
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-73951619021658270042013-03-17T14:05:00.001-07:002013-03-17T14:08:38.564-07:00Front Range OWASP Conference 2013<br />
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">Wow, time goes fast. It’s been a while since I have updated my blog. I will be making a concentrated effort to get content out faster and on a more regular schedule.</span></div>
<div style="font-family: 'Times New Roman'; min-height: 15px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman'; margin-bottom: 6px;">
<span style="font-size: large;">At the end of March (28, 29) I will be speaking at and attending Front Range OWASP Conference 2013. I will be speaking on <i>“A Demo of and Preventing XSS in .NET Applications</i>”. This presentation will cover a variety of approaches toward preventing XSS vulnerabilities in .NET applications, including Microsoft's Web Protection Library/AntiXSS and OWASP's AntiSamy.NET project, and discovering XSS with CAT.Net and code reviews.</span></div>
<div style="font-family: 'Times New Roman'; min-height: 15px;">
<span style="font-size: large;"><br /></span></div>
<span style="font-size: large;"><span style="font-family: Times New Roman;">While XSS is not one of the most </span><span style="color: #333233; font-family: 'Times New Roman';">sophisticated exploits</span><span style="font-family: Times New Roman;">, it is still one of the most common exploits found on the web today and can have real consequences. Meraki, a division of Cisco, found that out from an analysis done by Nibble Security on one of Meraki’s devices using the splash screen. Nibble Security realized the splash screen was designed to take HTML5 so each customer could customize it. This particular vulnerability reveals how a trivial XSS flaw can be abused to </span><b style="font-family: 'Times New Roman';">subvert an entire network infrastructure</b><span style="font-family: Times New Roman;"> (</span><span style="color: #1e39f6;"><a href="http://blog.nibblesec.org/2013/03/subverting-cloud-based-infrastructure.html">http://blog.nibblesec.org/2013/03/subverting-cloud-based-infrastructure.html</a></span><span style="font-family: Times New Roman;">). </span></span><br />
<div style="font-family: 'Times New Roman'; min-height: 15px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman'; min-height: 15px;">
<span style="font-size: large;"><br /></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;">Resources:</span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;"><a href="https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2013">https://www.owasp.org/index.php/Front_Range_OWASP_Conference_2013</a></span></div>
<div style="color: #1e39f6; font-family: 'Times New Roman';">
<span style="text-decoration: underline;"><span style="font-size: large;"><a href="http://blog.nibblesec.org/2013/03/subverting-cloud-based-infrastructure.html">http://blog.nibblesec.org/2013/03/subverting-cloud-based-infrastructure.html</a></span></span></div>
<div style="font-family: 'Times New Roman';">
<span style="font-size: large;"><a href="http://beefproject.com/">http://beefproject.com</a></span></div>
<div style="color: #1e39f6; font-family: 'Times New Roman';">
<span style="text-decoration: underline;"><span style="font-size: large;"><a href="http://www.meraki.com/">http://www.meraki.com</a></span></span></div>
<div style="font-family: 'Times New Roman'; font-size: 12px; min-height: 15px;">
<br /></div>
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-62840499709508115432012-12-09T17:58:00.000-08:002012-12-09T17:58:01.217-08:00Whole Disk Encryption
<br />
<div class="MsoNormal">
<span style="font-size: large;">In computer security, data breaches are unfortunate and,
unfortunately, not all that uncommon. In
October of this year the South Carolina Department of Revenue announced it was
the victim of a data breach. The breach was large in both the number of people affected
and the breadth of the breach. It affected 3.8 million residents of South
Carolina. Social Security, credit card, and bank account information was
exposed. Additionally, cyber criminals gained access to 44 servers and installed 33
pieces of malicious software and utilities. As bad as that news is, it gets worse: internal
monitoring and audits did not notify the South Carolina Department of Revenue of
its own data breach. It was not until law enforcement agencies brought 3 cases
of identity theft to the department that it became aware that something
might not be right.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="color: #3e3e42; mso-bidi-font-family: Helvetica;">One
interesting thing that came out of the data breach is that the </span>South Carolina
Department of Revenue was in compliance with IRS rules for storing Social
Security numbers. But compliance is not the same thing as security. While
encryption is one of the main defensive steps used to provide security, it may not
be enough. This is especially true if we use encryption without compliance or
use it without additional monitoring or auditing.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">Many companies are moving to entire disk encryption for laptops.
The hope is to prevent a data breach if the laptop is stolen or lost. The South
Carolina Department of Revenue data breach was not caused by a stolen or lost
laptop. Other data breaches, such as the one at the Department of Veterans, were caused
by a stolen laptop. The key point here is that encryption alone is not security;
it will always be about defense in depth, which includes encryption,
auditing, active monitoring, risk assessments, compliance, procedures, etc., and
just being open-minded to the “what if”.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">Let's take a closer look at whole disk encryption and the
risks. The first risk is one that is always present when using encryption: key
management. When using whole disk encryption such as PGP Whole Disk, the key is
on the machine it is protecting. This key needs to be available at all times
for disk access. No problem, we can store
the key in memory. To compromise the key you need access to the machine and
knowledge of where the key is in memory.
Second, if the computer is stolen or lost from a parked car, airport, or
hotel room, the computer is off, so memory is no longer an issue. Or is it?</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="color: #262626; mso-bidi-font-family: Arial;">Princeton
University’s Center for Information Technology Policy released a paper showing
how whole-disk encryption can be cracked quickly and easily.</span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="color: #262626; mso-bidi-font-family: Arial;">The Princeton
group’s attack on whole-disk encryption relies on the fact that computer memory
(DRAM) is not wiped out when the system is powered off. Instead, it becomes
unreliable, decaying over a period of time. The attack is as follows: get
access to a laptop that is <i>currently operating </i>(so that the whole-disk
encryption key is in memory), spray the RAM with an inverted compressed air can
to cool it to -50 degrees Celsius, and power the system off. Cooling the memory
slows the decay of memory. Second, you will need to get a snapshot of the target
computer’s memory. This snapshot can then be inspected to locate prospective
cryptographic keys and try them on the target drive. Some knowledge of the
particular whole-disk encryption product being used would be needed to find the
exact spot in memory where the key is, and some error-correction techniques
must be used in case a bit or two has been flipped due to memory decay, but it
reduces the problem from cryptographically impossible to something that can be
cracked in a few minutes or at worst hours. So is this the end of whole disk
encryption? The answer to that question is no. But we do need to look at our
procedures.</span></span></div>
<div class="MsoNormal">
<br /></div>
<ul style="margin-top: 0in;" type="disc">
<li class="MsoNormal" style="color: #262626; margin-right: 30.0pt; mso-layout-grid-align: none; mso-list: l0 level1 lfo1; mso-pagination: none; tab-stops: 0in 11.0pt; text-autospace: none;"><span style="font-size: large;">Do not
use sleep/suspend-to-RAM when the computer is not actually in your hands —
either power off or use hibernate mode. Best is to power off <span style="color: #434343; mso-bidi-font-family: Verdana;">several minutes before
any situation in which the computer’s physical security could be
compromised.</span><span style="color: #434343; font-family: Verdana; mso-bidi-font-family: Verdana;"> </span>In
a sleep or suspend-to-RAM scenario, the whole-disk encryption key is still
maintained in memory and can be recovered.</span></li>
</ul>
<div>
<span style="color: #262626; font-size: large;"><br /></span></div>
<ul style="margin-top: 0in;" type="disc">
<li><span style="color: #262626; font-size: large; text-indent: -0.25in;">If you have a few truly critical files, use file encryption
(such as Windows’s Encrypted File System or PGP’s file encryption) on those
files with a different password than that used on the whole-disk encryption.
Better yet keep critical information off mobile devices.</span></li>
</ul>
<div style="text-indent: -24px;">
<span style="color: #262626; font-size: large;"><br /></span></div>
<ul style="margin-top: 0in;" type="disc">
<li><span style="color: #262626; font-size: large; text-indent: -0.25in;">If a laptop is lost or stolen, do a risk assessment/audit of what
was on that computer and increase monitoring on vulnerable data/systems that
may be at risk.</span></li>
</ul>
<div style="text-indent: -24px;">
<span style="color: #262626; font-size: large;"><br /></span></div>
<ul style="margin-top: 0in;" type="disc">
<li><span style="color: #262626; font-size: large; text-indent: -0.25in;">Educate laptop users about the above risks, and that whole disk encryption
is a good solution but can be enhanced by the above steps.</span></li>
</ul>
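<div class="MsoNormal">
<span style="font-size: large;">One way to enforce the first point on a Windows laptop, as an added example that is not part of the original post: a PowerShell script that uses the built-in powercfg.exe to make the lid, sleep button and power button hibernate instead of sleep, and to turn off idle sleep. It assumes PowerShell 4.0 or later, an elevated prompt, English powercfg output for the read-back check, and a 15-minute idle-to-hibernate value chosen here for illustration.</span></div>

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): stop a laptop from using
# sleep/suspend-to-RAM so the whole-disk encryption key is not left in
# powered memory while the machine is unattended.
# Assumptions: the standard powercfg aliases exist on this machine
# (check with "powercfg /aliases") and powercfg output is in English.

$ErrorActionPreference = 'Stop'

$Hibernate            = 2    # action index: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
$IdleHibernateSeconds = 900  # illustrative value: hibernate after 15 idle minutes
$ButtonSettings       = 'LIDACTION', 'SBUTTONACTION', 'PBUTTONACTION'

function Invoke-PowerCfg {
    # Run powercfg.exe and fail loudly if it reports an error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & powercfg.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "powercfg $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Hibernation must be enabled before it can be selected as an action.
Invoke-PowerCfg @('/hibernate', 'on') | Out-Null

# Apply the same policy on AC power and on battery.
foreach ($setter in '/setacvalueindex', '/setdcvalueindex') {
    foreach ($setting in $ButtonSettings) {
        Invoke-PowerCfg @($setter, 'SCHEME_CURRENT', 'SUB_BUTTONS', $setting, $Hibernate) | Out-Null
    }
    # 0 disables idle sleep; the machine hibernates on idle instead.
    Invoke-PowerCfg @($setter, 'SCHEME_CURRENT', 'SUB_SLEEP', 'STANDBYIDLE', 0) | Out-Null
    Invoke-PowerCfg @($setter, 'SCHEME_CURRENT', 'SUB_SLEEP', 'HIBERNATEIDLE', $IdleHibernateSeconds) | Out-Null
}

# Re-activate the scheme so the new values take effect.
Invoke-PowerCfg @('/setactive', 'SCHEME_CURRENT') | Out-Null

# Read the settings back and flag any button or lid action that is not hibernate.
$report = foreach ($setting in $ButtonSettings) {
    $text   = (Invoke-PowerCfg @('/query', 'SCHEME_CURRENT', 'SUB_BUTTONS', $setting)) -join "`n"
    $values = @([regex]::Matches($text, 'Current (AC|DC) Power Setting Index: 0x([0-9a-fA-F]+)') |
                ForEach-Object { [Convert]::ToInt32($_.Groups[2].Value, 16) })
    $wrong  = @($values | Where-Object { $_ -ne $Hibernate })
    [pscustomobject]@{
        Setting       = $setting
        AcDcValues    = $values -join ','
        HibernateOnly = ($values.Count -eq 2 -and $wrong.Count -eq 0)
    }
}
$report | Format-Table -AutoSize

if (@($report | Where-Object { -not $_.HibernateOnly }).Count -gt 0) {
    Write-Warning 'At least one lid or button action is still not set to hibernate.'
}
```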
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;">Links:</span></div>
<div class="MsoNormal">
<span style="font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><a href="https://citp.princeton.edu/research/memory/">https://citp.princeton.edu/research/memory/</a></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><a href="https://citp.princeton.edu/research/memory/faq/">https://citp.princeton.edu/research/memory/faq/</a></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><a href="https://citp.princeton.edu/research/memory/code/">https://citp.princeton.edu/research/memory/code/</a></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><a href="https://citp.princeton.edu/research/memory/media/">https://citp.princeton.edu/research/memory/media/</a></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><a href="http://www.sctax.org/News+Releases/20121009_1026NR.htm">http://www.sctax.org/News+Releases/20121009_1026NR.htm</a></span></div>
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-69746504006969511092012-11-11T13:59:00.001-08:002012-11-11T19:52:08.501-08:00“A man’s home is his castle”<span style="font-size: large;">“A man’s home is his castle”. This aphorism invokes many emotions tied to our notions of privacy. Our courts have reached another decision when we travel from the physical world to our digital world. Daniel Reed in “Information Privacy: Changing Norms and Expectations” offers three ideas about the future of personal online information management. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> The first two could be binary access specifications that can be embedded into the content. The content would be encrypted so that only users who know the public encryption key of the content owner and use a viewer that has the binary access specifications built into it would be able to view the content. The two binary access specifications are… </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> 1. Bounded lifetime. An end-of-life attribute that can be embedded into media content that I upload to the Internet. For any pictures of me during college or high school, I might want to set an end of life once my college life is over. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> 2. Transitivity of access. An attribute that controls how far my content can travel. It allows me to say this content can be shared within my group of friends, but my friends cannot share it outside of the group I tied to this content. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> The usability of UI for privacy and security deserves far more attention than it is getting. This is not a vendor problem but belongs to content owners, individuals who view others' content, and system providers. Privacy specifications must be made far simpler and more intuitive. Content owners who post content to the Internet must understand their roles in privacy for themselves and others. Individuals who use or transmit the content of others must understand the implications of their actions. Vendors or system providers must provide tools to control the ownership and privacy of our content. </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"> Is anyone listening at Facebook, Yahoo, or Google???</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><a href="http://cacm.acm.org/blogs/blog-cacm/108232-information-privacy-changing-norms-and-expectations/fulltext">ACM Blog Information-privacy-changing-norms-and-expectations/fulltext</a> </span><br />
<br />Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com1tag:blogger.com,1999:blog-7399109506254107325.post-30448601127359206642012-10-17T19:11:00.000-07:002012-10-17T19:11:23.668-07:00Android vs iOS infographic<p><a href="http://www.veracode.com/resources/android-ios-security"><img src="http://www.veracode.com/images/media/ios-android.png" width="975" height="2684" alt="Android vs iOS infographic"/></a></p>
<p>Infographic by <a href="http://www.veracode.com/">Veracode Application Security</a></p>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-9418330579663977772012-10-15T19:39:00.000-07:002012-10-15T19:39:00.181-07:00Tulsa TechFest/SQL Injection
<br />
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif; font-size: large;">This year's Tulsa TechFest was a great success, over 700 attendees. </span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif; font-size: large;">The
security track had over 30 attendees per session. This made the security track
one of the most successful tracks for the entire conference. </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif; font-size: large;">Great content on web security and digital forensics!! Great job speakers!!!
Thank you!!! </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif; font-size: large;">I will be posting speakers' content in the next few days.
First content is Ted Ward’s SQL Injection presentation.</span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><br /></span></div>
<div class="MsoNormal">
<a href="http://itd-saint.osuit.edu/~tward/sql.pdf"><span style="font-size: large;">http://itd-saint.osuit.edu/~tward/sql.pdf</span></a></div>
<br />
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-74928117514298412542012-10-01T20:07:00.000-07:002012-10-01T20:08:32.227-07:00Tulsa TechFest <div style="text-align: center;">
<br /></div>
<br />
<span style="font-size: large;"><span style="background-color: white;"><b><span style="color: red;">When:</span></b> </span>Friday, October 12th, 2012</span><br />
<span style="font-size: large;"><b><span style="color: red;">Where:</span></b> OSU-Tulsa, 700 North Greenwood Ave, Tulsa, OK 74106</span><br />
<br />
<span style="font-size: large;"><br /></span>
<b><span style="background-color: white; color: blue; font-size: large;">9:00AM Topic: Digital Forensics: Advanced Threats and Changing Technologies</span></b><br />
<span style="font-size: large;">Recent years have brought about marked changes in the field of digital forensics forcing the practitioner to respond and adapt accordingly. Frequently investigations will involve multiple agencies and cross domains coloring the way an investigation is conducted. </span><span style="font-size: large;">New storage technologies require special handling to preserve evidence. Evolving malware threats are forcing practitioners to examine unusual devices for evidence.</span><br />
<b><span style="font-size: large;">Speaker: Doug Gorden</span></b><br />
<span style="font-size: large;"><b>Bio: </b>Doug Gorden is an Information Security Analyst and a lead forensic specialist for ONEOK. </span><br />
<span style="font-size: large;">He is also the owner / operator of Secure Investigative Services, a provider of digital forensic services.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="color: blue; font-size: large;"><b>10:30AM Topic: SQL Injection tools to help detect and prevent.</b></span><br />
<span style="font-size: large;"><b>Speaker: Ted Ward</b></span><br />
<span style="font-size: large;"><b>Bio:</b> “Aviation antisubmarine warfare electronics technician” in the US Navy from 1987-1990. BS Computer Science, Oklahoma State University, Fall 1992. Software developer at various companies from 1993-2002. </span><span style="font-size: large;">PhD candidate, Oklahoma State University, expected graduation Fall 2013, and author of open source applications AstroGrep and OSUQuiz.</span><br />
<span style="font-size: large;"><br /></span>
<b><span style="color: blue; font-size: large;">1:00PM Topic: Web vulnerabilities and session hacks.</span></b><br />
<span style="color: purple;"><b><span style="font-size: large;">Speaker: </span></b><span style="font-size: large;"><b>David Crandell</b></span></span><br />
<b><span style="font-size: large;">Bio: </span></b><span style="font-size: large;">Professor at Oklahoma State University Institute of Technology</span><br />
<span style="font-size: large;"><br /></span>
<span style="color: blue; font-size: large;"><b>2:30PM Topic: Demonstration of Digital Forensics</b></span><br />
<span style="color: purple; font-size: large;"><b>Speaker: Avansic</b></span><br />
<span style="font-size: large;"><b>Bio: </b>Avansic is a leading provider of e-discovery and digital forensics services to attorneys, litigation support teams, and business communities across the nation. We take a scientific approach to providing e-discovery, digital forensics, data preservation, online review, and expert consulting service. Avansic has its roots in academia; we were founded in 2004 by computer science professor Dr. Gavin W. Manes. Since then, we have created a reputation as a trustworthy, reliable and responsive specialist in the e-discovery and forensics fields.</span><br />
Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0tag:blogger.com,1999:blog-7399109506254107325.post-63051350910744396522012-09-16T20:22:00.001-07:002012-09-16T20:22:16.776-07:002012 (ISC)2 Security Congress/ASIS <span style="font-family: Times, Times New Roman, serif; font-size: large;">I just got back from <span style="background-color: white;">Philadelphia, PA, where I gave my poster session about creating a foundation for secure coding.</span></span><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><span style="background-color: white;">Here is my abstract and Introduction...</span></span><br />
<!--StartFragment-->
<br />
<div class="MsoNormal">
<span style="font-size: 22pt;">Abstract<o:p></o:p></span></div>
<!--EndFragment--><br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<br />
<div class="MsoNormal">
<span style="font-size: large;">Teaching secure coding in
the Enterprise requires more than giving lectures to programmers about SQL
injection, XSS and string vulnerabilities. It requires a new foundation and
culture to be put in place for the IT Enterprise. This paper describes what
foundation and culture changes need to take place before teaching secure
coding.</span><o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="line-height: 200%; mso-outline-level: 1;">
<b><i><span style="font-size: large;">Introduction<o:p></o:p></span></i></b></div>
<div class="MsoNormal" style="line-height: 150%;">
<span style="font-size: large;">Despite
technological advancements, software vulnerabilities have continued to grow at
an alarming rate, with the cost of data breaches becoming more significant to
all stakeholders, regardless of whether they are public or private, large or
small. Because of the increased cost
this situation has placed on the enterprise, security has moved beyond firewalls,
IPS, IDS, et al., to include enterprise programmers creating more secure
code. There are many sources, both
online and in print, that offer coding guidelines, best practices, suggestions
and tips for creating secure code; however, as good as this information is,
it is worthless if secure coding practices are not integrated into the
framework of the enterprise. Not
integrating these practices into the framework of the enterprise could result
in the loss of data, compromise of the system, loss of productivity, and
financial loss.<o:p></o:p></span></div>
<div class="MsoNormal" style="line-height: 150%;">
<span style="font-size: large;">The purpose of this paper is not to
present another secure coding guideline for developers or another methodology
such as Microsoft Trustworthy Computing SDLC or ALM, but rather to show how a layered
approach is necessary so that the complete infrastructure is firmly in place
before the enterprise moves to secure coding.
Part of this layered approach will be emphasizing the need for creating
a culture that will place emphasis on secure coding in the first place. I am well aware that what I am proposing is
not new; it has been suggested many times before. However, what is being taught today in the
field of secure coding does not include the attendant infrastructure that an
engineer would encounter in the real world; in short, secure coding is being
taught in a vacuum, devoid of the complexities of the environment in which it
will operate. My objective for this
paper is to bring the teaching of secure coding and the practice of creating secure
code out of the classroom and show how to integrate them into the software
development lifecycle (SDLC) of the enterprise.
Software development is no longer an individual task; it is now a very
large and complex process involving several teams and team members. Understanding these basic principles and
applying them to the best practices of secure coding is the aim of my paper.</span><o:p></o:p></div>
<div class="MsoNormal" style="line-height: 150%;">
<br /></div>
<br />
<div class="MsoNormal">
<span style="font-size: x-large;">Download entire paper at </span><span style="font-family: Calibri;"><span style="font-size: large;">https://www.dropbox.com/sh/p6kba70j7uaphol/ekkN3FwLn3</span><span style="font-size: 15pt;"><o:p></o:p></span></span></div>
<!--EndFragment--><br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><span style="background-color: white;"><br /></span></span>Anonymoushttp://www.blogger.com/profile/06713943523133426106noreply@blogger.com0