
security specialist

I’ve been asked to produce a service offering for a Montreal-based security specialist contract. The request was generic, which makes me wonder whether the provider lacks the specialized knowledge required to complete a selection. Hiring a consultant, specialist or SME (subject matter expert) should never be left to an ultimate comparison between university degrees. So, for fun, I submit a couple of questions, all security related; feel free to answer in a comment or by email:

1) What’s wrong with:

    void f() {
        char buf[2048];
        gets(buf);
    }

    void main() {
        f();
    }

(Note: this is the modified version of this function. Read comment 1 on this blog post for more info.)

2) With current systems, IPv6 is becoming a standard feature. What security problems do you see with that statement, and how would you go about securing an IPv4 network knowing those problems?

3) There have been quite a few problems with SSL theory and the OpenSSL implementation in the last few years. Please name a few and explain them.

4) What is entropy or a PRNG?