Posts Tagged ‘National Security Agency’

BBC NEWS | Technology | Dangerous coding errors revealed

2009/01/13/1255

RTFA: http://news.bbc.co.uk/2/hi/technology/7824939.stm

The US National Security Agency has helped put together a list of the world’s most dangerous coding mistakes.

The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.

Experts say many of these errors are not well understood by programmers.

According to the SANS Institute in Maryland, just two of the errors led to more than 1.5m web site security breaches during 2008.

Here’s the list:

CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure
CWE-79: Failure to Preserve Web Page Structure
CWE-78: Failure to Preserve OS Command Structure
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery
CWE-362: Race Condition
CWE-209: Error Message Information Leak
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation
CWE-285: Improper Access Control
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security

In Courtroom Showdown, Bush Demands Amnesty for Spying Telecoms | Threat Level from Wired.com

2008/12/02/0248

RTFA: http://blog.wired.com/27bstroke6/2008/12/feds-eff-…

The Bush administration on Tuesday will try to convince a federal judge to let stand a law granting retroactive legal immunity to the nation’s telecoms, which are accused of transmitting Americans’ private communications to the National Security Agency without warrants.

At issue in the high-stakes showdown – set to begin at 10:00 a.m. PST – are the nearly four dozen lawsuits filed by civil liberties groups and class action attorneys against AT&T, Verizon, MCI, Sprint and other carriers who allegedly cooperated with the Bush administration’s domestic surveillance program in the years following the Sept. 11 terror attacks. The lawsuits claim the cooperation violated federal wiretapping laws and the Constitution.

In July, as part of a wider domestic spying bill, Congress voted to kill the lawsuits and grant retroactive amnesty to any phone companies that helped with the surveillance; President-elect Barack Obama was among those who voted for the law in the Senate. On Tuesday, lawyers with the Electronic Frontier Foundation are set to urge the federal judge overseeing those lawsuits to reject immunity as unconstitutional. At stake, they say, is the very principle of the rule of law in America.

“I think it does set a very frightening precedent that it’s okay for people to break the law because they can just have Congress bail them out later,” says EFF legal director Cindy Cohn. “It’s very troubling.”

I watched the FISA debate on the Senate floor, and although I was sometimes encouraged by the discussion, I was equally disappointed by the arguments I heard.

Retroactive Immunity is unacceptable if only because there were some phone companies that refused to comply, on the basis that they suspected it was illegal. Let’s be clear: certain companies proactively determined this would be illegal. This is a perfect case for a … what do you call it? Oh yeah: a Judge. See, a Judge would clear up the uncertainty because there’d be a record of the judgment. This could later be overturned, but that’s a world apart from the current situation.

The whole idea about warrants (or the FISA court, for that matter) is to determine if an action is legal BEFORE you commit that action.