I just got through the book by McGraw and Hoglund, "Exploiting Online Games: Cheating Massively Distributed Systems". I've tried to extract the most important attack vectors because I found the book rather verbose. And don't expect much "distributed": most of the attacks discussed are purely local exploits of the game client. But the threat model is quite interesting: the server side needs to trust the game client while being aware that it might be under the control of the attacker, so it uses heuristics to find out about the manipulations. This is not a scenario that most business e-services would survive...
Security-Enhanced Linux is the NSA's open source version of a better Linux. The work on SELinux has taken many years (some aspects of the implementation look a bit old-style), but it is an interesting approach towards better host-based security.
The following is based on the excellent book about SELinux by Bill McCarty and concentrates on the concepts behind SELinux and its implementation.
Can the security of a local system be achieved through collaborative services? And what is the price you have to pay for it in the long run? A few comments on Bill Gates' talk at the RSA 2005.
and why would somebody say so? A short bit on the so-called "immutable laws" of security proposed by Microsoft guys. I've used structural text analysis methods to uncover the assumptions behind them. It's the typical MS argumentation: the operating system is OK. Systems can't be safe against malware. It has nothing to do with architecture. And it's the user's fault anyway.
A few political thoughts sometimes expressed in my mother tongue
My friend Roland Schmitz and I have written an article on the relation between usability and security for <KES> magazine. It speculates on user interface design in a world of reduced authority compared to the typical Windows style of ambient authority. Usability and Security (in German) as part of the BSI forum.
This paper resulted from building a large scale enterprise portal for a major bank. It covers performance aspects (caching, request handling, Java problems) as well as architectural issues (fragment architecture, data-warehouse connection, personalization and rule engine integration). Quite technical. 100+ pages.
Looks like our usability workshop was quite a success. Here are some ideas about what could be done to improve developer awareness. In the summer term we will make a workshop on usability in mobile computing. Contact me if you'd like to present something.
This paper resulted from building a large object-oriented framework. It covers CORBA, OO, SGML, domain analysis, design patterns, C++ specialties, automated builds and, last but not least, the social issues of replacing an existing system. It was probably the first attempt in Europe to combine object technology with descriptive techniques like SGML. 150+ pages in German!
This paper was an attempt to apply lessons learnt from a large scale framework project to banking projects of different size. OOPSLA97 paper.
Sometimes projects need a while to get over them (;-). The framework project above was one of those. When Bernhard (who was also working on this project) and I couldn't stop talking about it even more than a year after we had left the company, we decided to write about our experiences, especially about the conflicts between the developers of the first releases of the software and us, coming late into the game and trying to re-design the software completely.
We've learned a lot from this exercise: about differences in social behavior between the groups, about the terrible effects of reinforcing technical differences through social differences, and that there is no "better" technology that one is forced to accept. We've also presented our findings during two events at the University of Freiburg, department for computer science and society, Prof. Britta Schinzel. 30+ pages in German!
While working on the development environment for a distributed infrastructure for a large bank, I started to write down some requirements for a meta-data repository that would be able to hold the development artifacts and their dependencies, both for development and runtime purposes. This would finally lead to a more flexible environment and also support generative computing better. Currently no repository exists that would fit the bill here. 10+ pages.
Around 1995 SGML became an important topic for me as a tool for system configuration and generic computing. When I started working for larger banks I learned about the general qualities of a markup language, e.g. to support the re-use of information. That's when I started teaching, first SGML (1996) and later, in 1997 and 1998, XML. XML Event with Adam Rifkin and Rohit Khare. 10+ pages.