Thursday, August 26, 2004

Pat Helland and SOD???

I have been to a great session by Pat Helland about the analogy between SOA and the Metropolis (I know others have seen that a long time ago, but I have been busy last spring and summer speaking and learning new stuff). It was overall a great session, but it did introduce a concept that I believe is totally new (to me at least)... it can be summed up with the acronym S.O.D., which literally means "Slide Oriented Delivery"... I have delivered somewhere around 100 presentations since January 2004, but I still think it is a totally weird thing to have over 70 slides in a one hour presentation... I don't mean to criticize, but still, BOA was a good shot, HST wasn't a bad joke, but SOD certainly doesn't work...

I have many other remarks, but if I told you any of the confidential info, I would very simply have to shut you up, which usually would involve killing you... (unless you are under the right NDA, but then you probably have access to me by other means)

A last word : I advocate SOA, I accept thinking BOA, I tolerate DOD, but I certainly refuse to cope with SOD...

good night


main | opinions
8/26/2004 9:52:15 AM UTC  #  Comments [16] 

Friday, August 06, 2004

Can there be an exploitable buffer overrun in the CLR ?

Last June, at the Q&A session at the Pakistan Developer Conference in Karachi, an attendee asked: "Can there be an exploitable buffer overrun in the CLR?". My answer was that it is always possible in theory... I was really tired after five sessions back to back and did not develop my answer enough. I am not an expert on the CLR, so I post this in the hope of getting comments from more knowledgeable people on the subject.

Here are my thoughts:

  1. The CLR is definitely unmanaged, and thus, in theory, it can have a buffer overrun. No developer is beyond making mistakes, and there certainly could be a buffer overrun. The problem is whether it can be exploited, and if so, how...
  2. One shouldn't confuse the CLR with the .Net Framework: we develop in managed code against the built-in classes of the .Net Framework. This means that any exploitable buffer overrun that would surface in our applications would have to be there in the classes we develop. So if a buffer overrun in the CLR is to be exploited through managed code, it has not only to be there in the CLR, but also to re-surface through some of the .Net Framework classes (calls to managed heap allocation, for example, without validating values before making the call to the CLR). Then, our own code would have to have the same flaw again... That means the same flaw, applying to the very same value, would have to exist in three separate layers. The probability is so low that, even if it is theoretically possible, it remains so improbable that one should dismiss its possibility. There is a higher chance of a class in the .Net Framework itself having a buffer overrun in a native call than of a CLR buffer overrun re-surfacing.
  3. Can there be an unmanaged call to the CLR exploiting a possible buffer overrun? I will address this in a coming post.

Anyway, I realize the question's main objective is to find out whether it is possible to defeat the managed code security messaging. No matter whether there is a possible theoretical buffer overrun exploit (which would be, in any case, so improbable that it is virtually impossible), it is very clear that managed code is hundreds of times more secure than unmanaged...


.Net | main
8/6/2004 3:15:22 PM UTC  #  Comments [8] 

Sunday, July 04, 2004

Taking some time for myself

Back to Casablanca. My great friend Chris Foster is here. I am taking some time for myself, and to take her and her friend Kristen around.

I will not be blogging for a few days. When I'm back, there will be quite a few technical topics I will be talking about, and a few poetic texts waiting to be let out...


main
7/4/2004 8:56:10 PM UTC  #  Comments [12] 

Monday, June 28, 2004

Mauritius DevDays was great...

Friday, Lee Mungai and I had a great day speaking at DevDays Mauritius. Here is the content I presented (sorry for the delay).

(0) Trends and Vision.ppt (1.54 MB)

(1) Threats and Defenses.ppt (1.72 MB)

(2) Rebuild the puzzle.ppt (1.69 MB)

DevDays_Demos.zip (257.15 KB)

Demos Tutorial.zip (387.06 KB)
.Net | main | speaking
6/28/2004 6:26:59 AM UTC  #  Comments [12] 

Friday, June 18, 2004

What do geeks talk about at midnight for fun ?

Wednesday, coming back from the bowling in Area 51, I was Nasser's accomplice in recording a conversation that took place on the bus somewhere around 12:30 AM. The main voice on the recording is that of Serge Lenbet. Of course the rest of us, as geeky as we are, were discussing much more technical subjects like distributed security and handheld devices used by mobile forces...

Enjoy

recording
main | speaking | Travel
6/18/2004 6:55:13 PM UTC  #  Comments [23] 
Bowling after a long day at PDC

Yesterday, I spoke in 5 sessions back to back and then had to sit through the Q&A session (not that I had any energy to actively participate). Then, with a heavy security escort (the police took us for some really important people, as it seems), we all went bowling in Area 51.

At the bowling, we had fun and very good food. All 6 RDs were there:

From left to right, one can see Ahmad Badr, Hossam Khalifa, Clemens Vasters, me, Goksin Bakir and Farhan Muhammad.


main | speaking | Travel
6/18/2004 12:40:25 AM UTC  #  Comments [0]