When using the MSXML2 library, you typically load XML files from disk into a DOM (Document Object Model) object by creating an instance of IXMLDOMDocument and calling its load function—where you pass a BSTR reprentation of the file name. However, I had a situation recently where—due to security concerns—I needed to first decrypt the XML data in memory and then load that memory (without writing it to disk) into a DOM object. Surprisingly, I wasn't able to find any open source examples of how to do this, so I wrote a couple of helper functions to accomplish this task. Hopefully, these functions will help others who run into a similar situation.
Saturday, June 18, 2005
Thursday, June 16, 2005
Deploying Authenticode with Cryptographic Hardware for Secure Software Publishing
Malicious code in the form of viruses, worms, and Trojans is now a serious threat that impacts every computer user, whether network-connected or not. Recent reports indicate that, in the United States alone, the effect of malicious code costs industry and consumers between $427M and $522M in 2004.
This paper describes the role of Microsoft Authenticode code-signing and time-stamping in establishing user trust in code that is published online. It provides an overview of the Authenticode code-signing and time-stamping process and examines the role of public key cryptography in proving the identity of the code publisher and proving that code has not been tampered with since original publication. The paper looks at the importance of protecting the credentials that underpin Authenticode and the role of cryptographic hardware in securing digital keys and certificates.
Wednesday, June 08, 2005
admins / spammers / proxies
Why some server administrators make mistakes with their proxy servers?
It happened because somebody just dropped a proxy server on their network without fully considering the consequences of their action. They didn't bother to properly design a server access control list, and because it is available on the public internet, a spammer found it and began to use it for their spamming ventures.
Quite often a server administrator is very upset at his mistake, and is looking to "pursue each ISP in attempts to track down the guilty parties". Unfortunately, he is ignoring the person who had the most power to prevent this situation. Himself.
Live, learn, realize that you made a mistake configuring your server, and get back to working. Unless your business is that of hunting spammers, it really will not be worth your while to waste money and time chasing ISPs and shadows of spam fiends.