[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'
- To: dinis@xxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'
- From: nabiy <nathan.aguirre@xxxxxxxxx>
- Date: Thu, 17 Nov 2005 17:50:12 -0800
On 11/17/05, Dinis Cruz <dinis@xxxxxxxxxx> wrote:
>
> *From*: "James Tucker" <jftucker@xxxxxxxxx>
> You are talking about user APIs, I am talking about what is happening
> under the hood.
>
> Yes developer's APIs have been simplified, but that creates an environment
> where nobody really knows what is happening and how things work. A lot of
> security vulnerabilities occur when you glue together two secure objects in
> ways never predicted by the original developers...
isn't creating an environment where you don't need to know what's going on
'under the hood' a good thing? It reflects good class design and is what
blackboxing and encapsulation is all about. Not only does this help simplify
the api's but it also helps prevent your security problem. With well defined
methods to limit the interaction one has with a 'secure object' it shouldn't
matter how u use it, it should stay secure. - nabiy
--
http://nabiy.sdf1.org . http://sdf.lonestar.org
The Super Dimension Fortress Public Access Unix System
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/