Thought Exercise: Automated Vulnerability Creation

A few of us were hanging out in the Veracode kitchen the other day and got to discussing the idea of programmatically injecting vulnerabilities into software. This is essentially the opposite of the problem that most security vendors, including ourselves, are trying to solve — that is, detecting vulnerabilities. Clearly there’s not much business value in making software less safe, though you could imagine such a tool being used for educational purposes or a way to mass-produce QA test cases.

It sounds easy, right? Certainly it would be easy to inject the types of classic security problems that …

The Weakest Link

We spend a lot of time thinking about hackers and abuse cases. This article entitled “Who Needs Hackers” by John Schwartz of the New York Times talks about how flawed systems, the increasing complexity of systems, and even mergers and acquisitions can make computer systems unreliable. The rush to market can lead to not enough testing. Pressures to ship software and hardware quickly and to keep costs at a minimum work against more secure and robust systems. These are the same pressures that lead to the flaws that hackers take advantage of as well.

Skype and Critical Mass

There’s been a lot of blogging over the weekend about the 36-hour Skype outage that occurred starting last Thursday. From Skype’s official explanation, it wasn’t a security-related event — in other words, Skype wasn’t hacked. We have no reason to believe otherwise. However, security and availability are often discussed in the same breath, and lots of people will be speculating about the chain of events that led to this outage.

It’s worth understanding a little bit about the Skype network. I remembered reading this paper a few years back, in which some Columbia …

Landed in Vancouver

As you may have guessed, I’m out in Vancouver the rest of the week attending CanSecWest. Looking forward to catching up with old friends and former colleagues and meeting more of you lurkers!

I am always overly paranoid about getting owned by 0day at these conferences. My work laptop won’t run Linux cleanly without rebuilding the kernel, and since I don’t have time for that stuff anymore, I’m resigned to running Windows XP. The Windows and BitDefender firewalls are enabled — hopefully they work. My wireless card is physically disabled, and all web and e-mail traffic is …
