dan's Comments and Likes - View full feed
StumbleUpon
dan stumbled upon a site on StumbleUpon
July 3 at 5:50 am - Link
From the page: "Seventeen million programmers are churning out an estimated 102 billion new lines of code per year. Add 162 million websites online, with 809,000 using SSL (an indication of valuable data) and the problem becomes apparent. Researchers estimate that roughly one security defect exists per 10,000 lines of code and nine out of 10 websites contain one or more serious vulnerabilities. If only 1 percent of security defects are exploitable that means we are generating 102,000 zero-days per year - we just don't know where most of them are. Even if 90 percent of the SSL websites contained only a single issue, 728,100 website vulnerabilities are already in circulation, and we don't know where those are, either." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
July 2 at 6:45 pm - Link
From the page: "Google will have to turn over every record of every video watched by YouTube users, including users' names and IP addresses, to Viacom, which is suing Google for allowing clips of its copyright videos to appear on YouTube, a judge ruled Wednesday." - dan
FriendFeed
Web 2.0 Jobs: Brian Carter posted a message
June 29 at 4:55 pm - Link
I know I had a blast at an undisclosed software company in Redmond...honestly, I did the security for a number of social web sites, and had the best time of my life doing that. Worked hard, played hard, challenging, and cool management to go along with it. Day in the life? Go to work, hack stuff, fix stuff, work with developers, take users who tell me there is an issue seriously, fix more stuff, break more stuff, go home. Did that help? - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
July 2 at 4:07 am - Link
From the page: "Generally speaking, you don’t want to deliver any kind of difficult news to customers, partners, etc. Some of us are lucky enough to talk to folks about the performance and capabilities of our processors, shipping and soon-to-ship. Some of us, however, face a somewhat more challenging situation: explaining how to tap into this performance. I find myself in this situation often, as I frequently talk to external developers about our ongoing research in programming for multi-core and terascale. The discussion typically goes in one of two directions (the relative distribution has changed over time)." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 29 at 5:37 am - Link
From the page: "There's a dawning sense that extremely large databases of information, starting in the petabyte level, could change how we learn things. The traditional way of doing science entails constructing a hypothesis to match observed data or to solicit new data. Here's a bunch of observations; what theory explains the data sufficiently so that we can predict the next observation?" - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 26 at 9:23 am - Link
From the page: "Requirements for professional security certification for information technology workers in civilian agencies, now being readied by the Office of Management and Budget, would have a major impact on how government and industry recruit, train and manage their IT staffs, a security expert said Wednesday. " - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 26 at 5:35 am - Link
From the page: "WASHINGTON (Reuters) - The majority of U.S. banks would have the option to adopt alternative risk-based capital adequacy rules based on the Basel II agreement, under a proposal agreed to by a top banking regulator." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 25 at 8:28 am - Link
From the page: " However, that is the type of stuff I see in academic security papers that I occasionally get to review. Based on our FIRST conversation, other people who happen to retain ties to academia are reporting the same: research work that confuses "phishing" with "fast flux networks" (thanks Jose), inventing a new intrusion detection "paradigm, " and all sorts of other bizarre crap continues to be cooked and submitted to publications." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 25 at 8:20 am - Link
From the page: "When risk is present it calls for treatment, and security is a never-ending process ... right? Yes, but as a security professional, it's easy to become focused on the hard problems (download PDF) of security -- falling into the arms race for more, more, more security controls -- and lose sight of the impact of the controls themselves." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 25 at 8:19 am - Link
From the page: "Microsoft Corp. and Hewlett-Packard Co. on Tuesday unveiled free tools to help Web developers and site administrators defend against the rapidly growing number of SQL injection attacks that aim to hijack legitimate sites." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 25 at 8:13 am - Link
nice, very nice, on how hard it is to use microsoft.com, things still haven't changed since 2003 - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 24 at 10:07 am - Link
From the page: "Researchers at IBM have released proof-of-concept code for a new generation of Web threats that can attack the underlying operating system as well as other applications running on the compromised Web server. Called cross-environment hopping (CEH) by IBM, the attack uses any cross-site scripting vulnerability in the Web application to jump (or “hop”) to another environment running on that same machine." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 23 at 2:40 pm - Link
From the page: "Environmental groups have been warning for years that global climate change could make already-tense parts of the world even worse, and even spark whole new conflicts. Now, the nation's spies are saying pretty much the same thing. " - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 19 at 3:06 pm - Link
From the page: "We all know about the CISSP. You’ve heard the whispered hallway conversations. You’ve seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached to your name somewhere yourself." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 18 at 11:26 am - Link
From the page: "is the latest site from the makers of CushyCMS, designed to bring you the freshest and most popular news from across the Web. It’s a mashup of several social bookmarking sites focused on news, including reddit, digg, delicious and hackernews." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 18 at 10:26 am - Link
From the page: "Reddit has opened up its code base to the public at large in an effort to help take on other social networking systems. While Reddit in its use is often difficult to understand from a social engineering perspective how or even why it functions the way that it does, if you have an abject need to fix something as inexplicably broken as reddit, then this is your chance to hone your open source skills. " - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 17 at 8:47 am - Link
From the page: "I wanted to do a post about “what web application security really is” because plenty of people out there don’t get it. They understand that “security attacks are moving from hosts to the Web”, but they have no idea what that means. To most people, web application security is the same thing as website security. I see people trying to approach web application security in the same way that they have tried host security in the past: penetrate (web application security scanner) and patch (web application firewall) -- which won’t work." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 17 at 8:29 am - Link
From the page: "Cases like Fiola’s -- where an infected machine leads to an assumption of the user’s guilt -- are becoming all too common, experts say. Much of this has to do with the technical knowledge gap in the mainstream, they say. It’s not the same as when someone gets arrested for possession of drugs in their vehicle: “I’ve seen this before,” says Alex Eckelberry, CTO of Sunbelt Software. “A completely innocent guy gets caught up with this mentality... a forensic investigator who didn’t know what he was doing, or had a lack of the technical concepts.”" - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 16 at 8:18 am - Link
From the page: "Not anymore. A recent report from Evans Data shows fewer than one in 10 software developers writing applications for Windows Vista this year. Eight percent. This is perhaps made even worse by the corresponding data that shows 49 percent of developers writing applications for Windows XP." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 15 at 6:27 am - Link
From the page: "The site, XSSed, states that it has verified some 30 cross-site scripting vulnerabilities spread across the Websites of three of the industry's best-known security vendors: McAfee, Symantec, and VeriSign. The vulnerabilities could make it possible for attackers to launch phishing campaigns from these sites or even distribute malware to the companies' customers, according to XSSed." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 13 at 6:24 am - Link
From the page: "Speaking at the Handsets World conference in Berlin on Tuesday, Dr Ari Jaaksi told delegates that the open-source community needed to be 'educated' in the way the mobile industry currently works, because the industry has not yet moved beyond old business models." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 12 at 9:08 am - Link
From the page: "So, at first I was surprised to see reports coming out that Google CEO Eric Schmidt had gone on record claiming that Google does, in fact, have a moral obligation to help journalism -- but as you read the details, you see that he means in exactly the way we were talking about. He means that the moral obligation isn't to give them money, but to give them the tools by which they can make more money. I still don't see that as a "moral obligation," but simply good business for everyone involved (including consumers of the news)." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 11 at 12:31 pm - Link
From the page: "F-Secure Anti-Virus can detect and decrypt files encrypted by Gpcode trojan as well as it can detect and remove the trojan's file. If you are hit by this trojan and your files are encrypted, please scan ALL files on your hard disk and they will be decrypted. " - dan
Google Reader
dan shared an item on Google Reader
June 11 at 7:46 am - Link
This is really getting stupid the amount of data that is being hacked, lost, or stolen. - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 10 at 6:57 am - Link
From the page: "WASHINGTON - Deep inside the national headquarters of the Recording Industry Assn. of America (RIAA) is a purple room." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 9 at 7:48 am - Link
From the page: "For many professional content creators and producers, being able to control the inventory that surrounds their videos is an important factor when they consider where and how to distribute content online. Revision3, the online-video-production company behind shows such as "Diggnation" and "Techzilla," is selling advertising on YouTube, starting with GoDaddy, a sponsor that's regularly integrated into the content of its shows. Many Revision3 shows have integrated sponsors, and the company's CEO, Jim Louderback, said the ability to pair companion YouTube advertising in and around the videos is appealing. " - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 9 at 5:19 am - Link
From the page: "Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 5 at 5:36 am - Link
From the page: "In order to achieve this, it is of paramount importance to have excellent working relationships with the people who actual use the information in your organization (the users) and also with the owners of that information. More often than not, primary users of information are also considered the owners of that information." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon
June 4 at 5:49 pm - Link
From the page: "Billionaire financier Carl Icahn on Wednesday sent a scathing letter to Yahoo (NSDQ: YHOO) chief executive Jerry Yang and the company's board, claiming the two worked together in sabotaging Microsoft (NSDQ: MSFT)'s acquisition bid by putting in place a "poison pill" severance package for employees." - dan
StumbleUpon
dan stumbled upon a site on StumbleUpon