by Stephen Horsfield
4. September 2008 09:26
Since yesterday, and my post about Google Chrome, Google has updated its terms and conditions and removed the clauses. See my previous post here: Security: How much do you trust Google?.
Privacy clauses
Section 11 has been completely rewritten. Note that this is the only change in the terms of service; even the date has not been changed:
11. Content license from you
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services.
Looks a bit different to the previous clause. Specifically, the following has be...
by Stephen Horsfield
3. September 2008 08:14
Google has just released a beta of its Google Chrome web browser. Make sure you read the terms and conditions. Have a look at the privacy clauses...
[Note: Google has updated its terms and conditions. Read my blog post here: Security: Google retracts its privacy clauses]
Privacy clauses
11. Content license from you
11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive li...
by Stephen Horsfield
4. July 2008 11:55
I'm currently conducting a due-diligence review of a technical system. The system is a classic distributed, two-tier system with data held centrally and business-logic delegated to an application tier. I've been asked to perform a security analysis as part of my review. I can't tell you anything about the project itself, for confidentiality (and security) reasons, but I thought I'd share some of the thought processes behind what I've been doing.
Reviewing security
The foremost rule of security assessment is to include the entire system. Don't just look at technical aspects of security bu...
by Stephen Horsfield
31. January 2008 08:53
UPDATED: 16-MAY-2008
Overview
How can you get the PageData object for a page when the current user doesn't have access to it? It took me a while to find out, but you can just read on...
Context
I have been implementing a redirect facility. Only editors and administrators are allowed access to the page and everyone else is redirected according to a property on the page. The ACL on the page does not give Read access to the Everyone group. How can I get the property?
Solution
The easy solution is to use EPiServer 5. Then you can use the GetPage method of the DataFactory class to get a page, ...
by Stephen Horsfield
17. January 2008 09:02
Overview
Have you ever wondered how to view object permissions using a query?
Simple example
Try this on a database:
-- List each object-level permission with the object it applies to and the principal it was granted to.
select o.name as object_name, u.name as principal_name, p.permission_name, p.state, p.state_desc
from sys.database_permissions p
inner join sys.all_objects o
on p.major_id = o.object_id        -- major_id holds the object_id for object-level permissions (class = 1)
inner join sys.database_principals u
on p.grantee_principal_id = u.principal_id
References
sys.database_permissions (Microsoft TechNet)
sys.database_principals (Microsoft TechNet)
sys.all_objects (Microsoft TechNet)
Versions
Microsoft SQL Server 2005...
by Stephen Horsfield
8. January 2008 15:10
Overview
Sometimes, old code doesn't seem to work with the new Data Execution Prevention feature in Microsoft Windows. It's easy to turn it off for non-system applications and services, but how do you do it for system components, and why would you?
Warning: Data Execution Prevention is a security feature. Disabling DEP reduces the security of your system.
Context
On our Microsoft Commerce Server 2002 system, running on Windows Server 2003, we were getting "COM Surrogate" errors, which relate to DEP errors with the dllhost.exe system program. Adding it to the exception list didn't solve ...
by Stephen Horsfield
4. January 2008 11:25
Overview
What is a malicious trigger? What can it do? How can you protect yourself and your database server?
Background
I've been reading the Microsoft Press MCITP training book for the Microsoft 70-441 exam: Designing Database Solutions by Using Microsoft SQL Server 2005 and I came across an interesting comment about trigger security. I'm describing it here, because it is quite easy for a malicious database developer to use against an unsuspecting DBA.
You can find the book here:
http://www.amazon.com/MCITP-Self-Paced-Training-Exam-70-441/dp/0735623422/ref=sr_1_1?ie=UTF8&s=books&...