
This New Vulnerability: Dowd’s Inhuman Flash Exploit - rms
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
======
tptacek
I'm going to guess that this post has limited interest to this audience
(please correct me if I'm wrong).

But what may interest you, if you're a dev, is TAOSSA, Mark Dowd, John
McDonald and Justin Schuh's awesome Addison-Wesley book on reviewing source
code for security problems:

<http://taossa.com>

If you code, and there's just one book you're going to put on your shelf to
fill the "security" slot, fuck Applied Cryptography (which is going to _cause_
security problems in your code). This book is about as large, and, in stark
contrast to Schneier, flipping to any page of it is probably going to improve
the security of your product.

In the very best case with your company, people like Mark Dowd --- or at least
people who've memorized his book --- are what you're up against the moment
someone decides your security needs to be reviewed (to take credit card
numbers, manage personal information, or get deployed at a Fortune 500
client).

Highest possible recommendation.

~~~
icey
This exploit is nothing short of a work of art; seriously, it's beautiful.

I haven't checked out TAOSSA, but I have to admit I've got a pretty dog-eared
copy of Applied Cryptography here on my desk. In my defense, I only have it
for light reading over lunch, I wouldn't dare implement anything from it by
hand ;)

~~~
yters
Wait, is AC bad or good?

I can't tell whether the gp means it'll cause problems because the protocols
are hard to implement or wrong.

~~~
tptacek
AC is bad. If you implement cryptography and you're not depending on it in
some way, you're wasting time. If you do depend on it, you have to get it
exactly right. Even people who do that for a living don't know exactly what
that means.

[http://www.matasano.com/log/487/rsa-signature-forgery-
explai...](http://www.matasano.com/log/487/rsa-signature-forgery-explained-
with-nate-lawson-part-ii/)

~~~
icey
I would say AC is good from a theory point of view, but bad as an
implementation guide. Kind of in the same way that a Chilton guide will tell
you all sorts of things about your car, but you shouldn't try to build a car
from scratch based on it.

~~~
tptacek
Ferguson and Schneier wrote a followup book, "Practical Cryptography", which
addresses the shortcomings of "Applied Cryptography" --- it selects the "best"
algorithms and protocols to use, and tries to document the pitfalls of
actually implementing them in real software.

I recommend it with reservations. It's an extremely valuable book, especially
if you're a security evaluator looking for crypto vulnerabilities. As an
implementation guide, it misses glaring faults that real software constantly
introduces.

There simply is no by-the-numbers guide to implementing crypto in an
application, and doing it wrong is worse than not doing it at all.

