From alex at sotirov.net Wed Aug 1 02:13:04 2007
From: alex at sotirov.net (Alexander Sotirov)
Date: Tue, 31 Jul 2007 23:13:04 -0700
Subject: [Dailydave] Pwnie Awards Ceremony
Message-ID: <20070801061304.GA20916@dsl093-068-003.sfo1.dsl.speakeasy.net>

The call for Pwnie Award nominations is now closed. We had a tremendous number of submissions and it was really hard to decide which ones are the best. The list of nominees is finally up at http://pwnie-awards.org/awards.html

The Pwnie Awards ceremony will take place on Wednesday, August 1st. The location is Palace Ballroom 3 at Caesar's Palace, right next to the BlackHat reception area. We'd like to thank BlackHat for their generous offer to host the awards. We will start at 6pm.

See you there!

Alex

From adriel at netragard.com Wed Aug 1 13:09:37 2007
From: adriel at netragard.com (Adriel T. Desautels)
Date: Wed, 01 Aug 2007 13:09:37 -0400
Subject: [Dailydave] Local IBM Mainframe Consultant
Message-ID:

Guys,

I've got two IBM Mainframe consultants in OKC and VA, but was wondering if anyone knew anyone local to the greater Boston area? I'm looking for someone that will do hourly contract-based work on an as-needed basis. Most importantly, I'm looking for someone that will pass a background check, that plays well with others and that doesn't mind wearing a suit and tie.

--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."
From nicolas.waisman at immunitysec.com Fri Aug 3 21:57:54 2007
From: nicolas.waisman at immunitysec.com (Nicolas Waisman)
Date: Fri, 3 Aug 2007 20:57:54 -0500
Subject: [Dailydave] Immunity Debugger has been released
Message-ID: <20070804015754.GA2120@mail.immunityinc.com>

Announcing Immunity Debugger v1.0

After almost a year of intensive development and internal use, we are pleased to announce the public release of Immunity Debugger v1.0.

When we started developing Immunity Debugger our main objective was to combine the best of the commandline based and GUI based debugger worlds. The commandline because most of us come from a UNIX background, and it just ends up being more efficient than clicking your way around. The GUI because we understand that we are visual beings that often can grasp more from a single look at a graphical layout than from two days of x/x-ing memory pages.

The third feature we required was full flexible access to the debugging API, the graphing engine, and the GUI API. Because having to re-compile plugins is lame, we decided to make everything accessible from Python.

So we put everything together and developed something we feel very comfortable using. This means we ended up with a fully flexible and extendible Win32 debugger that has all of its features, both debugging and graphical, easily accessible from its Python scripting engine.

And best of all, it's available for free. That's right, Immunity Debugger is released for free, including free monthly updates.

Here are some cool features:

o The Python API ("Immlib/Lib reference" for full documentation)
o A full Python based graphing library
o Full debugger and GUI API access
o A flurry of cool example scripts such as:
  - !heap        A fully working heap dumping script (try the -d option!)
  - !searchheap  Searching the heap
  - !hippie      Trampoline hooks on RtlAllocateheap/RtlFreeHeap
  - !modptr      Dynamic search for function pointers in pages
  - !findantidep Find address to bypass software DEP
o Writing your own scripts for your specific tasks is easy :)

Interested? Give Immunity Debugger a spin and download it from:
http://www.immunitysec.com/products-immdbg.shtml

For feedback or bug reports please contact support at immunityinc.com.

Happy debugging!

Thanks,
Team Immunity

PS: Yes, we will be implementing an interactive Python shell too.

From hybridus at gmail.com Mon Aug 6 07:58:05 2007
From: hybridus at gmail.com (Hybridus)
Date: Mon, 6 Aug 2007 14:58:05 +0300
Subject: [Dailydave] Immunity Debugger on eWeek
Message-ID: <4863d70b0708060458r7214e2f3j116bdb62ad05f14f@mail.gmail.com>

http://www.eweek.com/article2/0,1895,2166829,00.asp

<>What it means is more zero days, Marcus said. "And that's certainly not a good thing.(Why?) I think you'll see a spike in zero days, and contributions to the zero-day initiative, because it makes it easier to find vulnerabilities.

Vulnerability is already out there, people/tools don't create them. I don't understand what's the matter with zero days..

From isaac.dawson at gmail.com Tue Aug 7 03:15:52 2007
From: isaac.dawson at gmail.com (Isaac Dawson)
Date: Tue, 7 Aug 2007 16:15:52 +0900
Subject: [Dailydave] Immunity Debugger on eWeek
In-Reply-To: <4863d70b0708060458r7214e2f3j116bdb62ad05f14f@mail.gmail.com>
References: <4863d70b0708060458r7214e2f3j116bdb62ad05f14f@mail.gmail.com>
Message-ID: <5ff6321e0708070015m1859b097y41954ef295eafa30@mail.gmail.com>

I'd say chalk that one up to FUD. I love the "near automatic" commentary, also it's pretty easy to tell this journalist doesn't really know what they are saying. The fact that she did not even read that the tool is called "Immunity Debugger" not Debugger says quite enough for the rest of the content of the article.
Also I bet some people at McAfee aren't too pleased with the manager's response. Why is it journalists always talk to the managers and not the technical people? Just easier to get a hold of and get their 2 cents worth? Doesn't he know that Foundstone creates tools to "find bugs easier", and in fact has many training materials to help people learn how to find web vulnerabilities?

>>> Marcus said he doesn't think that "the bug exists already" argument is a good one. "Yes, we know that," he said. "We know the bugs are in the code. But making more and more tools" to make it easier to find those bugs, that, he said, is not going to make his customers happy.
>>> "They'll all do this," he said, rolling his eyes to the ceiling. "'Great!'" <<<

Gold Jerry, Gold.

-isaac

From bbinger123 at yahoo.com Tue Aug 7 10:28:00 2007
From: bbinger123 at yahoo.com (Bee Binger)
Date: Tue, 7 Aug 2007 07:28:00 -0700 (PDT)
Subject: [Dailydave] Immunity Debugger on eWeek
In-Reply-To: <4863d70b0708060458r7214e2f3j116bdb62ad05f14f@mail.gmail.com>
Message-ID: <144473.86811.qm@web56001.mail.re3.yahoo.com>

Any press is good right? Besides that, this is just another flaky journalist trying to make a name for herself. If you look at these links:

http://findarticles.com/p/search?tb=art&qt=%22Lisa+Vaas%22
http://blog.eweek.com/blogs/eweek/archive/category/1243.aspx

you see she hasn't exactly written any mind-blowing articles. Some quotes from the linked article:

"Debugger comes with what Immunity says is the industry's first heap analysis tool built specifically for heap creation."

Did she misquote someone here? What exactly is "heap creation"? I don't think the debugger is magically creating any "heap"s somewhere.

Now from Marcus (this is really sad):

"What it means is more zero days, Marcus said."

.. What an idiot. This tool does not magically create any more "zero day"; they are already there. Maybe Marcus is mad because he did not have the idea first? (And, judging from his comments, the skill to make the tool.)

Let's have another quote from clueless Lisa:

""We know the bugs are in the code. But making more and more tools" to make it easier to find those bugs, that, he said, is not going to make his customers happy."

So she cuts off his quote to mis-paraphrase again. Marcus starts the quote by saying "we know the bugs are in the code" and in the last part of his quote it seems he was going to point out that there are a lot of bugs but no easy way to write exploits for all of them, but she mis-paraphrases him again and says "easier to find those bugs" when this is not the point of immdbg at all. How could immdbg help you exploit bugs that you aren't aware exist?

Even the title of the article seems misleading (Immunity Unleashes Automatic Exploit Tool). I must have missed the option in immdbg where you can give it a random binary with a heap overflow and it produces another binary that exploits it reliably.

*yawn* another clueless/worthless journalist. She should stick to Dell vs HP.
From dave at immunityinc.com Wed Aug 8 10:25:51 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 08 Aug 2007 10:25:51 -0400
Subject: [Dailydave] Immunity Debugger on eWeek
In-Reply-To: <5ff6321e0708070015m1859b097y41954ef295eafa30@mail.gmail.com>
References: <4863d70b0708060458r7214e2f3j116bdb62ad05f14f@mail.gmail.com> <5ff6321e0708070015m1859b097y41954ef295eafa30@mail.gmail.com>
Message-ID: <46B9D26F.9000304@immunityinc.com>

If I had a quarter for every time someone said to me they were going to reverse a binary into an intermediate language and do slicing on it to find all the bugs, I'd ... well, I'd be able to buy some ice cream at least.

But regardless, the automatic analysis the article was talking about refers to the script I was demoing at our booth at defcon (linked off the Immunity Debugger web page):

http://www.immunityinc.com/images/immdbg-stackvars.png

It's a lot simpler than most analysis scripts, since Bas whipped it up in a couple days to demonstrate and test the Python API. But it does work for the trivial case here, which makes it cool in my book. Just having all the functions marked up nicely to point out sizes is useful.

-dave

From dave at immunityinc.com Fri Aug 10 17:33:15 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 10 Aug 2007 17:33:15 -0400
Subject: [Dailydave] sh -c "Binary | Python > Python"
Message-ID: <46BCD99B.4080608@immunityinc.com>

I've posted Dami's talk here:
http://www.immunityinc.com/resources-papers.shtml
in both OpenOffice and PDF formats.

One thing I've been thinking about lately is how people assume that if it's not written in C++, that it's not "real". For example, although Immunity Debugger contains some default analysis built in and we could always extend that in C++, it would be insane to do so.

Immunity's current thoughts on doing binary analysis are: Do it by building a Python program (aka, ID plugin) that builds a Python program from your binary. Then run that program to emit vulnerabilities, pseudocode, specialized graphs, ERESI, or whatever you want. If you can annotate and modify your Python program from dynamic analysis (aka, running the target process) or simply by hand-editing (you know Python already, right?), taint flows, etc. then so much the better.

The ERESI team is doing some good work on a specialized set of auditing languages (lisp-like, I believe). This is a cool idea, but for me it seems more logical to use Python as the language you build from the binary.
It'd be cool if they'd respond here to tell us the features of the specialized language they're using so mere mortals can understand it. :>

-dave

From jv274 at cl.cam.ac.uk Mon Aug 13 07:39:27 2007
From: jv274 at cl.cam.ac.uk (Julien Vanegue)
Date: Mon, 13 Aug 2007 12:39:27 +0100
Subject: [Dailydave] An introduction to the ERESI language for program analysis
Message-ID: <46C042EF.2050608@cl.cam.ac.uk>

Hi dailydavers,

It was suggested to present the ERESI language a bit, so here it is.

ERESI stands for ERESI Reverse Engineering Software Interface; its web page is at: www.eresi-project.org.

ERESI is a command-based domain-specific (scripting) language. It provides a core language providing the basic requirements for a modern programming language (foreach, regex, hash tables, lists, recursive functions, etc). This core language can be extended by language fragments (read: sets of additional commands). Each fragment is specialized for a given task. This common language is not specific to an architecture or operating system (even if we have been working mostly on UNIX operating systems for INTEL and SPARC architectures).

The inspirations of ERESI are languages such as OCaML (for the "match" command), LISP (for reflection), or Python (for the overall syntax). ERESI is -not- object oriented, but features the concept of "record subtyping" (e.g. inheritance of fields across structures).

Existing fragments of the ERESI language are:

- ERESI+ : a fragment for type-based decompilation and reflection-based analysis. Mainly composed of one command called "inform" which takes an address and the name of a type, and registers this address as being the base of a structure whose type is the one given by the other parameter.
Basically, this feature allows structures of the analyzed program to be made directly and naturally accessible inside the ERESI language interpreter, just as if they were variables declared in the ERESI language. Then you can do:

print $var.field.subfield

etc. directly in the ERESI language, without needing any debug format.

- ERESI-PT: a fragment mainly composed of a command called "match" that allows programs to be "rewritten". Programs may be rewritten from ASM instruction to ASM instruction, but not only. Using the type system provided in the ERESI core language (the same used by ERESI+), you can declare new types that will constitute intermediate forms suitable for your analysis requirements. Then you can define a mapping from the assembler instructions into the intermediate forms. Afterwards you can define a higher-level intermediate representation that you can translate from the lower-level transformation using the same "rewrite" command. For example, you might declare a special type of expression "PotentiallyDangerousMemAccess()" that will be translated from instructions/expressions that write in memory for which the bound has to be checked. Then it suffices to walk the intermediate representation and perform a special analysis when those types are encountered. The idea is the one of staged analysis, where each pass is very simple, but where the complete analysis is made of multiple transformation passes.

- ERESI-DF: Data-flow analysis: Using the "def", "use", and "reachdef" commands, the ERESI language brings the capability to compute various data-flow analyses such as liveness, reaching definitions, or pointer analysis.

- Control-flow analysis: The ERESI environment provides, as a base feature, the construction of the control flow graph and the call graph. Those graphs can be accessed from the language. You can then program your own graph structuring algorithm in ERESI. There is no special command for doing that, only pre-defined data structures that can be used during program transformation, or simply for walking on the program's graph representations.

The advantages of ERESI are:

- It has an easy syntax for complex analysis operations.

- It has its own type system that can handle pointers, (mutually recursive) structures, arrays of unbounded dimensions, and -partial types-. Partial types are useful in type-based decompilation, when program types are recovered step by step. Thus it's possible to define structures "with holes" where some fields are unknown, but for which the global structure type will be refined by further analysis (thus eliminating partial types as the analysis goes on).

- It makes program transformation (a known technique for a wide range of different program analyses) very easy to specify. The syntax of ERESI is simple; it can deal with 1 -> 1 and 1 -> N transformations (e.g. micro-asm generation). The "hidden" concept behind program transformation in ERESI is "record subtyping". It allows one to tell whether or not two structures are matching. Matching is -not- equality. Think about regular expressions where the base object is a structure, and you'll have a good approximation of the idea of "matching". It is also being investigated how to use the program transformation system of ERESI to perform shape analysis (approximating the shape of structures in a program. For instance: is an object a tree, a directed acyclic graph, or a cyclic graph?).

- Its semantics are very well formally defined. An upcoming article focused on the ERESI language will make this public some time soon. As such, implementors of ERESI language interpreters are left a lot of freedom. It would be for instance possible to write an ERESI interpreter in Python. The idea is that program analyzers are created independently of the implementation language, and can be reused across analysis frameworks, even if they are implemented in a different programming language (provided they have an ERESI interpreter). Our prototype ERESI interpreter is implemented in the C language.

- Writing analyzers in ERESI is faster than in any other language, since its commands are dedicated to analysis. ERESI is not a general purpose programming language, but it remains Turing complete: you can write analyzers that never stop (which can be useful for analyzers embedded in a debugger, for instance: e2dbg ;) but also Immdbg, IDA-dbg, etc).

There is no example of ERESI programs in this email, as we keep the primer for our upcoming articles. If you are really interested, you can look at the .esh files in:

http://cvs.eresi-project.org/cvsweb.cgi/eresi/evarista/
http://cvs.eresi-project.org/cvsweb.cgi/eresi/testsuite/testscripts/

The bibliography related to ERESI (that you might need to understand this email correctly) is located at:

http://www.cl.cam.ac.uk/~jv274/eresi-bib.html

I want to recall that ERESI is a perpetually work-in-progress analysis environment that includes:

- ELFsh: static instrumentation of ELF binary programs.
- E2dbg: embedded debugging of ELF binary programs
- Etrace: embedded tracing of ELF binary programs
- Kernsh: instrumentation at the kernel level from userland (NEW)
- Evarista: static analysis of binary programs (NEW)

Articles about those components can be read from the ERESI website. ERESI is a free-software project.
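The staged matching-and-rewriting scheme described in this message, as an added Python illustration (not ERESI code; ERESI's own interpreter is in C and its syntax is not shown here): a pattern is a record with holes, matching is record subtyping rather than equality, one rewrite pass lifts constructed instruction records into an intermediate form with 1 -> N rules, and a second pass retypes unchecked stores as PotentiallyDangerousMemAccess. The snippet, the register-bound rule and every type name except PotentiallyDangerousMemAccess are assumptions made for the demo.

```python
"""Staged program transformation with record-subtyping matching (added example,
not ERESI code). A pattern is a structure with holes; a record matches when it
carries at least the pattern's fields with agreeing values, so matching is not
equality. Snippet, rules and type names are constructed for the demo."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Record = Dict[str, Any]

@dataclass(frozen=True)
class Var:
    """A hole that captures the subject's value under `name`."""
    name: str

ANY = object()  # a hole that matches anything and captures nothing

def match(pattern: Any, subject: Any, env: Dict[str, Any]) -> bool:
    """Record-subtyping match: every pattern field must exist in the subject and
    match recursively; extra subject fields are ignored. A Var seen twice must
    bind to the same value."""
    if pattern is ANY:
        return True
    if isinstance(pattern, Var):
        if pattern.name in env:
            return env[pattern.name] == subject
        env[pattern.name] = subject
        return True
    if isinstance(pattern, dict):
        return isinstance(subject, dict) and all(
            k in subject and match(v, subject[k], env) for k, v in pattern.items())
    return pattern == subject

Rule = Tuple[Record, Callable[[Dict[str, Any]], List[Record]]]

def rewrite(program: List[Record], rules: List[Rule]) -> List[Record]:
    """One pass: the first rule whose pattern matches a record replaces it with
    the list the rule builds (1 -> N, possibly empty); others pass through."""
    out: List[Record] = []
    for rec in program:
        for pattern, build in rules:
            env: Dict[str, Any] = {}
            if match(pattern, rec, env):
                out.extend(build(env))
                break
        else:
            out.append(rec)
    return out

# Constructed x86-style snippet, already decoded into operand records:
#   mov ecx, [ebp+12]      ; ecx <- length taken from the caller
#   mov [edi+ecx], eax     ; store indexed by ecx before any check
#   cmp ecx, 16
#   jae fail
#   mov [ebx+ecx], eax     ; store after ecx was bounded
SNIPPET: List[Record] = [
    {"mnem": "mov", "dst": {"reg": "ecx"}, "src": {"mem": {"base": "ebp", "disp": 12}}},
    {"mnem": "mov", "dst": {"mem": {"base": "edi", "index": "ecx"}}, "src": {"reg": "eax"}},
    {"mnem": "cmp", "dst": {"reg": "ecx"}, "src": {"imm": 16}},
    {"mnem": "jae", "dst": {"label": "fail"}},
    {"mnem": "mov", "dst": {"mem": {"base": "ebx", "index": "ecx"}}, "src": {"reg": "eax"}},
]

# Stage 1: instruction records -> intermediate form (all type names assumed).
ASM_TO_IR: List[Rule] = [
    # 1 -> 2: an indexed store splits into address computation plus Store.
    ({"mnem": "mov", "dst": {"mem": {"base": Var("b"), "index": Var("i")}}, "src": Var("s")},
     lambda e: [{"type": "EffectiveAddr", "base": e["b"], "index": e["i"]},
                {"type": "Store", "base": e["b"], "index": e["i"], "value": e["s"]}]),
    # 1 -> 1: cmp reg, imm records an upper bound on that register.
    ({"mnem": "cmp", "dst": {"reg": Var("r")}, "src": {"imm": Var("n")}},
     lambda e: [{"type": "Bound", "reg": e["r"], "limit": e["n"]}]),
    # 1 -> 0: the branch itself carries nothing this analysis needs.
    ({"mnem": "jae", "dst": ANY}, lambda e: []),
]

def tag_dangerous(ir: List[Record]) -> List[Record]:
    """Stage 2: walk the IR in order, remember registers a Bound limited, and
    retype each Store (straight-line only: no path sensitivity)."""
    bounded: Dict[str, int] = {}
    out: List[Record] = []
    for rec in ir:
        env: Dict[str, Any] = {}
        if match({"type": "Bound", "reg": Var("r"), "limit": Var("n")}, rec, env):
            bounded[env["r"]] = env["n"]
            out.append(rec)
        elif match({"type": "Store", "index": Var("i")}, rec, env):
            if env["i"] in bounded:
                out.append({**rec, "type": "CheckedStore", "limit": bounded[env["i"]]})
            else:
                out.append({**rec, "type": "PotentiallyDangerousMemAccess"})
        else:
            out.append(rec)
    return out

def analyze(program: List[Record]) -> List[Record]:
    """Run both stages and return the records flagged as dangerous."""
    tagged = tag_dangerous(rewrite(program, ASM_TO_IR))
    return [r for r in tagged if r.get("type") == "PotentiallyDangerousMemAccess"]
```

Running `analyze(SNIPPET)` flags only the first store, the one through edi, because the second is preceded by a Bound on ecx; the first `mov` has no `index` field in its operand record, so the record-subtyping match rejects it and it passes through the IR untouched.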
If you wish to join us, you can contact the team on: team at eresi-project dot org

Julien Vanegue, for the ERESI team

From jv274 at cl.cam.ac.uk Mon Aug 13 08:19:50 2007
From: jv274 at cl.cam.ac.uk (Julien Vanegue)
Date: Mon, 13 Aug 2007 13:19:50 +0100
Subject: [Dailydave] Immunity Debugger on eWeek
Message-ID: <46C04C66.5020906@cl.cam.ac.uk>

> Dave Aitel wrote:
>
> If I had a quarter for every time someone said to me they were going
> to reverse a binary into an intermediate language and do slicing on it
> to find all the bugs, I'd ... well, I'd be able to buy some ice cream
> at least.

I guess your point is not to state that these techniques are not working, since many tools in the academic world are already doing this on source code. Maybe that's why people talk about it? Binary-level tools that include program transformation facilities also start to appear even if there is no commercial environment (afaik) providing it. The gap between the research world and the security industry does not help to set up much mutual respect, and I don't think your mail diverges from this trend. It is a pity because each world has things to learn from the other.

Also, how much is an ice-cream on Miami Beach? ;)

> But regardless, the automatic analysis the article was
> talking about refers to the script I was demoing at our booth at
> defcon (linked off the Immunity Debugger web page):
> http://www.immunityinc.com/images/immdbg-stackvars.png

Is this script bringing a real innovation, or is it just a presentation of the well-known feature of local variables recognition with some additional warning messages?
Julien Vanegue

From dave at immunityinc.com Tue Aug 14 14:55:15 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 14 Aug 2007 14:55:15 -0400
Subject: [Dailydave] Immunity Debugger on eWeek
In-Reply-To: <46C04C66.5020906@cl.cam.ac.uk>
References: <46C04C66.5020906@cl.cam.ac.uk>
Message-ID: <46C1FA93.3070503@immunityinc.com>

Is the ISC site down because they got owned or just because they rm'd something by mistake? How are we going to find out who's a CISSP now?!?

More stuff inline...

Julien Vanegue wrote:
>> Dave Aitel wrote:
>>
>> If I had a quarter for every time someone said to me they were
>> going to reverse a binary into an intermediate language and do
>> slicing on it to find all the bugs, I'd ... well, I'd be able to
>> buy some ice cream at least.
>
> I guess your point is not to state that these techniques are not
> working, since many tools in the academic world are already doing
> this on source code. Maybe that's why people talk about it?
> Binary-level tools that include program transformation facilities
> also start to appear even if there is no commercial environment
> (afaik) providing it.

I'm sure that almost any static analysis will find SOME bugs. My opinion is that static analysis is not a game changing event, and never will be. In the source code world you have Microsoft's Prefix/Prefast and Fortify (comes free with the Static Analysis book!) and their competitors. These are all quite well engineered and have strong academic credentials, but none of them work. But I have yet to run the ERESI stuff! So perhaps I will change my entire opinion next week when I get a chance to do so. :>

>> http://www.immunityinc.com/images/immdbg-stackvars.png
>
> Is this script bringing a real innovation, or is it just a
> presentation of the well-known feature of local variables
> recognition with some additional warning messages?

This is a quicky 2-day demo script. Also included as "automatic analysis" is a simple strncpy(dest, src, strlen(src)); bug finder. Mostly API documentation in script form.

-dave

From jv274 at cl.cam.ac.uk Wed Aug 15 06:10:35 2007
From: jv274 at cl.cam.ac.uk (Julien Vanegue)
Date: Wed, 15 Aug 2007 11:10:35 +0100
Subject: [Dailydave] Immunity Debugger on eWeek
In-Reply-To: <46C1FA93.3070503@immunityinc.com>
References: <46C04C66.5020906@cl.cam.ac.uk> <46C1FA93.3070503@immunityinc.com>
Message-ID: <46C2D11B.8070708@cl.cam.ac.uk>

> I'm sure that almost any static analysis will find SOME bugs. My
> opinion is that static analysis is not a game changing event, and
> never will be.

Many problems in static analysis are undecidable (which is a result known as "Rice's theorem", derived from the result of the Turing machine halting problem). So that was never my intention to claim the opposite. My opinion is that automated analysis is not a substitute for manual analysis, but a complement, which can divide by 10 the time of audit. It can also strongly reduce the time of exploit development (if the automated analysis platform provides the capacity of refinement). You could argue that expert exploit writers take just a few hours already to develop something reliable, but I believe this time is increasing as the exploiting conditions get more complicated (for inherent reasons due to the exploited bug, or because extra protections are forbidding obvious ways of exploitation: non-exec, ASLR, canaries, etc).

> In the source code world you have Microsoft's Prefix/Prefast and
> Fortify (comes free with the Static Analysis book!) and their
> competitors. These are all quite well engineered and have strong
> academic credentials, but none of them work. But I have yet to run the
> ERESI stuff!
> So perhaps I will change my entire opinion next week when
> I get a chance to do so. :>

One of the reasons why there is so little communication about the static analysis primitives in ERESI is because it is still in development (we are not a commercial project and it takes more time for us!). Also ERESI is not intended to bring a ./ program, but an environment with which you can develop your own static analysis very fast, but I guess you assumed that.

Julien

From nicolas.waisman at immunitysec.com Wed Aug 15 16:37:10 2007
From: nicolas.waisman at immunitysec.com (Nicolas Waisman)
Date: Wed, 15 Aug 2007 15:37:10 -0500
Subject: [Dailydave] Immunity Debugger Plugin Award
Message-ID: <20070815203709.GB25346@mail.immunityinc.com>

The Why

To celebrate the official release of the Immunity Debugger we are having an Immunity Debugger plugin contest. The Immunity Debugger is a full featured Win32 debugger aimed at streamlining VulnDev and Reverse Engineering work. You can read all about it at http://www.immunityinc.com/products-immdbg.shtml. Immunity Debugger is available to the community for free!

The fully integrated Python scripting engine means you are able to rapidly develop highly flexible debugger plugins. The entire debugger API, the GUI and the graphing engine are available from this pure Python environment. Immunity Debugger comes with a set of example plugins, but those only scratch the surface of what you can do with the engine. So to get the creative juices flowing, Immunity has organized an ID plugin writing contest for and by the people. Yah, we're socialist like that.

The What

First prize will consist of either a candle lit dinner with Kostya, or an Immunity SILICA unit. You pick. Second prize will consist of maybe a blender. But we have a really bad track record for sending those out. So you should probably go for first place.

The How

Plugins need to be written in Python using the Immunity Debugger API. If any part of your plugin is not written in Python, you will have to provide full sourcecode access. Plugins will be scored by means of a voting process. Winners and not-winners-but-still-really-cool will be listed on the Immunity website. The criteria are as follows:

o Original Content
o Novelty of the Research involved
o Overall Coolness

Judges:
- Damian Gomez
- Dave Aitel
- Halvar Flake
- Pedram Amini
- Sinan Eren

The When

Right now! The submission deadline is 11:59PM on October 10th 2007. You can submit your plugins to: immunitydebugger ( at ) immunityinc.com. We encourage you to post hashes of your plugins to FD.

More info:
http://www.openrce.org/blog/view/857/Immunity_Debugger_Plugin_Awards
http://forum.immunityinc.com/index.php?topic=12.0

Legal Note

All submitted entries need to be licensed under the modified (3-clause, aka non-attribution) BSD license to be considered for the prize. By submitting your plugin, you grant Immunity Inc. the right to distribute, reproduce, and advertise your plugin. The winner of a SILICA unit will be subject to the terms of the SILICA license and will have to provide proof of identity.

From dave at immunityinc.com Fri Aug 17 13:46:48 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 17 Aug 2007 13:46:48 -0400
Subject: [Dailydave] Unmask vs Internet Superheroes
Message-ID: <46C5DF08.8020304@immunityinc.com>

I quite liked this little e-zine. They even have a whole feature on Unmask, my very first Python program ever! Rightfully, he complains about code quality. But then he goes on to talk a lot about how it works, which is quite useful!
Based on his comments, you could easily improve Unmask to avoid small words or conjunctions. Worth a try someday.

http://milw0rm.com/papers/175

sub Unmaskunmask { ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; my $self = shift; say($self, <<'EOUNMASK'

unmask.py blows. The code is shit. Considering that it is only one of seven sources listed on http://www.immunitysec.com/resources-freesoftware.shtml, and that the others are mostly Python too, we can reasonably conclude that Dave Aitel codes like shit. Maybe if you pay for non-free software from Dave Aitel you will get something better. "By releasing tools, such as these, we hope to demonstrate our knowledge leadership, and give back to the security community as a whole." It is horribly incomplete and doesn't do all the things it says it does. You are better off entirely ignoring the comments Aitel wrote, because they are LIES. How could he give this a 1.0 version number? It isn't even 0.1 unless you're living in the 90s. Here's how it actually gets a score from two stores:

---

Take the 100 most common words from both and compare. Add the amount that match. So, that's a possible 100 points. Take the 100 most common (continuous or non-continuous) doubles in sentences (where the phrase "I like dogs. I am." would form doubles of "I like", "I dogs", "like dogs" and "I am"). Add the amount of those that match. Do the same for triples.

---

So you have a highest possible score of 300. Don't be fooled into thinking scores are a percentage. It entirely ignores punctuation, sentence length, and other things he said were used. Now, take me for example. I try to write short sentences using simple words. So my singles list is packed with words that are less than five chars long. These, from two texts, match at a ridiculous rate. Look at this paragraph itself, words including "take me for I try to write words so my list is with that are less than from two at a", most of those 20+ words will be in my most common word lists in both texts. Then take the doubles and triples. It would make a bit of sense if it was only continuous words, but it isn't. So in anything except for very short sentences, all the doubles list suggests is, again, your most common words. My doubles list would be full of combinations of the above example short words. It's basically taking how similar your basic vocabulary is and multiplying that by three.

----

Here are some ideas to cause unmask fun: In one text, write always with "I", and in the other always write with "we". Use very short sentences. That will leave your singles almost the same but will destroy your doubles and triples values, so you should be able to drop your score 10 points in a bad situation and much much more if your sentences are short enough. Misspell common words and they will be cut out of the results, lowering your scores in general. See, Aitel was a dumbass and decided to not match words that aren't words. I can understand how he wants to remove non-text data, but even if he just held onto text that matched something like /\b[a-z]{5,}\b/ he could catch a lot of words that are spelt wrong and would increase the accuracy of his script. Unfortunately, regex is probably a bit too much for Aitel in general. Ever wonder why it takes so long to build such massive stores? Ask yourself, did Dave Aitel think to just store the most common 100 keys of his lists (the data he actually uses), or did he decide to store everything? Ask yourself, if I add one word to a sentence, although that will create just one more single item, how many more doubles and triples will it create? Could I possibly make unmask.py hang for half an hour and take up 50mb with just a short essay that lacks punctuation?

----

It is interesting that the script works pretty well. The reason it does so is because vocabulary does mean a lot. By compounding it he expands the differences between different people. The more you match, the more your score will increase by in a non-linear way. So even though X writes good english fairly similar to mine, the small differences may account for 25-40 points. On the other hand Y writes with entirely different english than I do, and might sit just 50-60 points back of me. For example with a certain small text of mine as a baseline, another writing by myself got about 85, one by X got 62, and one by Y got about 45. So even though X writes much more like I do than like Y does, his score is closer to that of Y in comparison to me. Something to note is that there are some really obvious words, like "a", "the", "I", etc, that everybody will use, and thus common doubles (not so much triples, but still some), so any two people comparing each other should get something like a 20 score basically by default. So subtracting that from the above, it's like I had 65, X had 42, and Y had 23. The small differences between X and I still lead to such a big variation because of the non-linear function that makes comparisons: I don't just have more of the same words, I thus have more of the same doubles and triples. The fact that X got that close to me (64% of my score), even after subtracting an arbitrary default value of obvious words, is a testament to just how comparable the rest of our basic vocabulary is. People with english as a second language, even if writing technically proper english, may rely on specific words a lot and completely avoid other obvious ones (like 'got' for 'have', or so). So they could match themselves extremely well and match others very poorly. So here are some good and accurate excuses if some random guy matches you:

- unmask.py is crap
- Two people with a strong command of english who use a lot of conjunctions and common verbs with ease could have a very strong correlation.
- People that have a very limited vocabulary will have their top100 lists padded by less common words, and will match less in general.
- By knowing and using a mass of small words at the expense of long words, you increase your match potential in general.
- Most of the long/odd words used won't make it into the top 100 lists that are used for comparison.
- Vocabulary testing is a good idea for people of different nationalities and education levels, but for people of the same ones, it's very cheap.
- This is entirely vocabulary, and doesn't even test that, just compares the most popular words.

EOUNMASK
);}

From auto227309 at hushmail.com Fri Aug 17 15:22:50 2007
From: auto227309 at hushmail.com (auto227309 at hushmail.com)
Date: Fri, 17 Aug 2007 15:22:50 -0400
Subject: [Dailydave] ZF03 released (Hi Dave!)
Message-ID: <20070817192250.C36D5DA82D@mailserver7.hushmail.com>

The third issue of the Zero For 0wned zine was released a few days ago. You should be able to read it at http://www.milw0rm.com/papers/175

Oh, Dave, hope you enjoy the critique of unmask.py. ;)

From bbinger123 at yahoo.com Fri Aug 17 23:43:07 2007
From: bbinger123 at yahoo.com (Bee Binger)
Date: Fri, 17 Aug 2007 20:43:07 -0700 (PDT)
Subject: [Dailydave] ZF03 released (Hi Dave!)
In-Reply-To: <20070817192250.C36D5DA82D@mailserver7.hushmail.com>
Message-ID: <127455.51691.qm@web56009.mail.re3.yahoo.com>

Yes lets all take advice from script kiddies who "own" boxes with public php app exploits and then post it online.

/me waits for h0no4

>> auto227309 at hushmail.com wrote:
>>The third issue of the Zero For 0wned zine was released a few days
>>ago.
>>You should be able to read it at
>>http://www.milw0rm.com/papers/175
>>Oh, Dave, hope you enjoy the critique of unmask.py. ;)

From aza at whiteh8.org Sun Aug 19 19:39:38 2007
From: aza at whiteh8.org (h4h)
Date: Sun, 19 Aug 2007 16:39:38 -0700
Subject: [Dailydave] ZF03 released (Hi Dave!)
In-Reply-To: <127455.51691.qm@web56009.mail.re3.yahoo.com>
References: <20070817192250.C36D5DA82D@mailserver7.hushmail.com> <127455.51691.qm@web56009.mail.re3.yahoo.com>
Message-ID: <23fded040708191639n23b7ba18tb7ee04469fed375f@mail.gmail.com>

On 8/17/07, Bee Binger wrote:
>
> Yes lets all take advice from script kiddies who "own" boxes with public
> php app exploits and then post it online.
>
> /me waits for h0no4

I didn't see any public exploits in it. maybe you're just a serious idiot BB?

From wesley at mcgrewsecurity.com Sun Aug 19 23:20:09 2007
From: wesley at mcgrewsecurity.com (Robert Wesley McGrew)
Date: Sun, 19 Aug 2007 22:20:09 -0500
Subject: [Dailydave] Shellcoder's Handbook, Second Edition
Message-ID:

I was just browsing around on Amazon, noticed the slightly different cover, and realized that the release date for the Second Edition is the 20th:

http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_sim_b_4/002-9507551-2756861?ie=UTF8&qid=1187579269&sr=1-3

Dave is no longer listed as an author (I hope your content's out of it then!).
If anyone's had a look at this, I'd love to see some opinions on how this compares to the first edition, which was good, but had some serious errors, and was never supported on the Wiley site as was promised.

The book features, straight from amazon:
"""
* This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application
* New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista
* Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored
* The companion Web site features downloadable code files
"""

--
Robert Wesley McGrew
http://mcgrewsecurity.com

From arley.leal at sonae.com Mon Aug 20 08:27:31 2007
From: arley.leal at sonae.com (Arley Barros Leal)
Date: Mon, 20 Aug 2007 13:27:31 +0100
Subject: [Dailydave] [TOOL] TXDNS 2.1.5. An aggressive multithreaded DNS brute-forcer
Message-ID: <8101CF6879C82549A86FC36CD8AD35AB0E0BEE2C@lx1exc2k002.optimus.pt>

Hi everyone,

TXDNS [http://www.txdns.net] 2.1.5 is out. This is an intermediary release for the upcoming 2.2 version. This release implements DNS queries against multiple DNS servers, a more efficient threading algorithm and some minor bug fixes. To use along with the new feature you'll find on the download area a start-up list of known open/public dns servers that I have extracted from VivilProject's list of public DNS servers. Bear in mind that I can not guarantee that all DNS servers will remain open :-) and thus you may come across some false-negatives by the time that some of them get closed or discontinued. I'll keep an eye on the VivilProject web site and try to update the list as much as I can.
Feel free to report closed servers or any new open ones to me.

Usage example:

> txdns foo.com -rt -bb --min 1 --max 3 -sl dnslist.txt -x 50

Faster DNS servers will place more queries than others, so you may easily compile a top 10 servers list by sniffing your own traffic. Last but not least, smalllist.txt has been updated and renamed to namelist.txt. A few more links to public word lists are also available.

Cheers,
--
Arley Silveira [http://www.txdns.net]

From dunceor at gmail.com Mon Aug 20 08:31:58 2007
From: dunceor at gmail.com (Karl Sjödahl - dunceor)
Date: Mon, 20 Aug 2007 14:31:58 +0200
Subject: [Dailydave] Shellcoder's Handbook, Second Edition
In-Reply-To:
References:
Message-ID: <5d84cb30708200531m35c0d70s646b8dea1e7153b@mail.gmail.com>

Sinan Eren isn't listed as author either, as several of the others from the first edition. Are they only listing the people who have written the new material maybe? I'll probably pick up this even if I got the first edition.

On 8/20/07, Robert Wesley McGrew wrote:
> I was just browsing around on Amazon, noticed the slightly different
> cover, and realized that the release date for the Second Edition is
> the 20th:
>
> http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_sim_b_4/002-9507551-2756861?ie=UTF8&qid=1187579269&sr=1-3
>
> Dave is no longer listed as an author (I hope your content's out of it
> then!). If anyone's had a look at this, I'd love to see some opinions
> on how this compares to the first edition, which was good, but had
> some serious errors, and was never supported on the Wiley site as was
> promised.
> > The book features, straight from amazon: > """ > * This much-anticipated revision, written by the ultimate group > of top security experts in the world, features 40 percent new content > on how to find security holes in any operating system or application > * New material addresses the many new exploitation techniques that > have been discovered since the first edition, including attacking > "unbreakable" software packages such as McAfee's Entercept, Mac OS X, > XP, Office 2003, and Vista > * Also features the first-ever published information on exploiting > Cisco's IOS, with content that has never before been explored > * The companion Web site features downloadable code files > """ > > -- > Robert Wesley McGrew > http://mcgrewsecurity.com > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From Marco.Figueroa at pepsi.com Mon Aug 20 09:54:32 2007 From: Marco.Figueroa at pepsi.com (Figueroa, Marco {PBSG}) Date: Mon, 20 Aug 2007 09:54:32 -0400 Subject: [Dailydave] Shellcoder's Handbook, Second Edition In-Reply-To: Message-ID: <0419600327F4594596B0378D670CCE9A02222775@PEPWMV00045.corp.pep.pvt> There was a pre-release at defcon of the Shellcoder's Handbook, I picked up a copy and its pretty good. My favorite section of the book was Part 3 Vulnerability Discovery it is very well written. My advice is go and pick up the book, today is the release date. A book that I recommend is HACKING: The Art of Exploitation 2nd edition the author Jon Erickson delivers a book like no other. The release date for this book is scheduled for October but in reality this will get published in March. But what's great is if you really want to read this book like me you can email the owner of no starch he will email you a draft of chapters that have been written by Jon. I recommend you to request chapter 2 the programming part which is really good. 
-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Robert Wesley McGrew
Sent: Sunday, August 19, 2007 11:20 PM
To: dailydave at lists.immunitysec.com
Subject: [Dailydave] Shellcoder's Handbook, Second Edition

I was just browsing around on Amazon, noticed the slightly different cover, and realized that the release date for the Second Edition is the 20th:

http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_sim_b_4/002-9507551-2756861?ie=UTF8&qid=1187579269&sr=1-3

Dave is no longer listed as an author (I hope your content's out of it then!). If anyone's had a look at this, I'd love to see some opinions on how this compares to the first edition, which was good, but had some serious errors, and was never supported on the Wiley site as was promised.

The book features, straight from amazon:
"""
* This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application
* New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista
* Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored
* The companion Web site features downloadable code files
"""

--
Robert Wesley McGrew
http://mcgrewsecurity.com

From dave at immunityinc.com Mon Aug 20 11:27:38 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 20 Aug 2007 11:27:38 -0400
Subject: [Dailydave] Determining a real market for HIDS.
Message-ID: <46C9B2EA.4000502@immunityinc.com>

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1268544,00.html

Determina got bought by VMWare. This is interesting because it gives a clear advantage over Microsoft's offering in the near future. You can click "Go Secure" and have a host IPS on all your VM's. People aren't buying HIDS. But they are buying into virtualization. So a good move all around.

-dave

From dan at geer.org Tue Aug 21 15:00:20 2007
From: dan at geer.org (dan at geer.org)
Date: Tue, 21 Aug 2007 15:00:20 -0400
Subject: [Dailydave] news items
Message-ID: <20070821190020.8F71233DA8@absinthe.tinho.net>

Everyone probably saw the two items I'm mentioning, but if Windows Update == a DDoS against Skype, then you've just proven the monoculture conjecture. Similarly, if you can slow down the entire Internet with a 9mm, then you've just proven the fragility conjecture.

--dan

http://heartbeat.skype.com/2007/08/what_happened_on_august_16.html
http://it.slashdot.org/article.pl?sid=07/08/21/1531216&from=rss

From bkdelong at pobox.com Tue Aug 21 15:55:40 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 21 Aug 2007 15:55:40 -0400
Subject: [Dailydave] news items
In-Reply-To: <20070821190020.8F71233DA8@absinthe.tinho.net>
References: <20070821190020.8F71233DA8@absinthe.tinho.net>
Message-ID:

Windows Update = Skype DDOS seems too good to be true.... Why did this not happen to Skype with previous Windows Updates. What changed since the last large update to make this happen? Has Skype really been getting significant enterprise penetration subject to massive reboots after a patch-management run....? Or is this just the automatic "download, install and reboot" XP does so well? Something seems hinky.
On 8/21/07, dan at geer.org wrote: > > > Everyone probably saw the two items I'm mentioning, but if > Windows Update == a DDoS against Skype, then you've just > proven the monoculture conjecture. Similarly, if you can > slow down the entire Internet with a 9mm, then you've just > proven the fragility conjecture. -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From dave.aitel at gmail.com Tue Aug 21 16:53:48 2007 From: dave.aitel at gmail.com (Dave Aitel) Date: Tue, 21 Aug 2007 16:53:48 -0400 Subject: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology Message-ID: http://video.zdnet.com/CIOSessions/?p=165 If you listen to Colonel John Hayes in the above interview, he says that oddly enough, they found that one of the most important applications they implemented for mission support was "Text Chat". He also noted that although he spent a lot of money building up wireless, people aren't using it. That's probably because wireless never works. Ever sat next to the door in your hotel because that's the only place you could get connectivity? Anyways, back to the main point: busting a myth. Myth: The US is more vulnerable to information warfare because it is more reliant on information technology. Some people like to say the US is "uniquely vulnerable". I hear this all the time from various weblogs and every time I hear it I wonder why people keep repeating it. For background, the IATAC has this to say: """ The United States is vulnerable to Information Warfare attacks because our economic, social, military, and commercial infrastructures demand timely and accurate as well as reliable information services. 
This vulnerability is complicated by the dependence of our DoD information systems on commercial or proprietary networks which are readily accessed by both users and adversaries. The identification of the critical paths and key vulnerabilities within the information infrastructure is an enormous task. Recent advances in information technology have made information systems easier to use, less expensive, and more available to a wide spectrum of potential adversaries. The security of our nation depends on the survivability, authenticity, and continuity of DoD information systems. These systems are vulnerable to external attacks, due in part to the necessary dependence on commercial systems and the increased use of the Internet. The survivability, authenticity, and continuity of DoD information systems is of supreme importance to the Warfighter. """ My intuition strongly disagrees with the idea that the US is specially vulnerable. So with that in mind, let's go through a little exercise in iconoclasty. Counter arguments: 1. Hacking has an economy of scale. 2. The US is a hard system to model. 3. Complexity breeds resilience. 4. Technology is adopted quickly in the US, making it a fast-moving target. 5. Having a "target rich environment" overwhelms an attacker's analytical capability. 6. Everyone repeats this Myth yet no one has any data to back it up. Some details: 1. Hacking has an economy of scale. 10 hackers working together are more productive than 10*1 hacker. Less advanced countries have easier technology to hack - NT 4.0 has unpatchable remote roots on it. Management software is more easily used on modern stuff than old crusty stuff. Technology rots, in other words. And rotted stuff is easy to break. We all know very well how to write Windows 2000 heap overflows. Nico is just getting Vista heap support into Immunity Debugger now. Of course, you only get an economy of scale when all your hackers can talk to each other. 
If Clay Shirky[1] was commissioned to tell you what kind of tools you need to maintain compartmentalization while still getting that kind of economy of scale the results would be quite interesting I think. Someone at DARPA needs to do that. 2. The US is a hard system to model. Hacking is easiest when you can model your target. Modeling a MIG is easier than modeling an F-22 because you can purchase an old one on eBay and fit it up to act like whatever your target looks like. Likewise with information systems that drive things you'd want to target with IW attacks. Owning a Cray is hard. Why? Because you have to own a Cray. MMM,vector'd shellcode. :> 3. Complexity breeds resilience. People say that hacking the United States and causing damage is easier because more of what the US does is connected, in many cases, to the Internet. However, it's also more resilient - a SCADA system in a country that is less dependent on network technology is harder to reach initially, but you're more likely to find a single point of failure once you do reach it. 4. Technology is adopted quickly in the US, making it a fast-moving target. Hacking is a continual treadmill. New techniques have to be invented constantly to cope with changing technology. The US's technology treadmill is set on 10 with a 15 degree incline. Countries that change less will be easier to hack. There's a number X for any given system, network, or organization where X is how fast things you've owned get updated and your knowledge about them, exploits, and trojans become worthless. [2] 5. Having a "target rich environment" overwhelms an attacker's analytical capability. Even understanding one branch of the US military's IT infrastructure is too large a project for even the most well funded non-US attacker. 6. Everyone repeats this Myth yet no one has any data to back it up. This isn't a "classification" problem necessarily. 
Very few people have experience hacking at all, let alone on a scale that would afford them the ability to make generalizations like this.

_________________________________________________________
[1] Clay Shirky is the person you read when you want to know how people react to social software. He can be found here. http://many.corante.com/archives/authors/Clay.php
[2] This number X is something I was looking for in John Arquilla's Networks and Netwars. Although the book started off really well, it veered far from anything to do with hacking. Maybe one of his other books has something on it. http://www.amazon.com/Networks-Netwars-Future-Terror-Militancy/dp/0833030302 (I don't necessarily recommend it unless you are very interested in the Zapatistas).

From blancher at cartel-securite.fr Tue Aug 21 17:37:43 2007
From: blancher at cartel-securite.fr (Cedric Blancher)
Date: Tue, 21 Aug 2007 23:37:43 +0200
Subject: [Dailydave] news items
In-Reply-To:
References: <20070821190020.8F71233DA8@absinthe.tinho.net>
Message-ID: <1187732263.13734.11.camel@anduril.intranet.cartel-securite.net>

On Tuesday 21 August 2007 at 15:55 -0400, B.K. DeLong wrote:
> Something seems hinky.

Not to mention Windows client update on 08/17...

http://www.skype.com/download/skype/windows/

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
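Returning to the unmask.py scoring scheme that the ZF03 critique, quoted in Dave Aitel's "Unmask vs Internet Superheroes" message above, attributes to the tool: the following is an added worked example of that scheme, constructed here and not Immunity's unmask.py code. It checks the critique's own "I like dogs. I am." doubles, shows that the 300-point ceiling is a raw intersection count rather than a percentage, and measures how a text without sentence punctuation inflates the store; it assumes the simplification that every alphabetic token is kept, whereas the critique says the original drops non-dictionary words.

```python
"""Re-implementation of the unmask.py scoring scheme as the ZF03 critique
describes it (constructed example, not Immunity's code).

A "store" records, per text, how often each single word, each ordered word
pair ("double") and each ordered word triple occurs within one sentence;
pairs and triples may skip words.  Two stores are compared by intersecting
the 100 most common keys of each category, so the ceiling is 300 points.
Assumption: the original reportedly drops words it does not recognise as
words; this version keeps every alphabetic token instead.
"""
import re
from collections import Counter
from itertools import combinations

TOP_N = 100
WORD_RE = re.compile(r"[a-z]+")          # alphabetic tokens only
SENTENCE_END_RE = re.compile(r"[.!?]+")  # punctuation that ends a sentence


def sentences(text):
    """Split text into sentences, each a list of lower-cased words."""
    result = []
    for chunk in SENTENCE_END_RE.split(text.lower()):
        words = WORD_RE.findall(chunk)
        if words:
            result.append(words)
    return result


def build_store(text):
    """Return (singles, doubles, triples) Counters for one text."""
    singles, doubles, triples = Counter(), Counter(), Counter()
    for words in sentences(text):
        singles.update(words)
        # combinations() keeps sentence order but allows gaps, which matches
        # the critique's example: "I like dogs. I am." yields the doubles
        # "I like", "I dogs", "like dogs" and "I am".
        doubles.update(combinations(words, 2))
        triples.update(combinations(words, 3))
    return singles, doubles, triples


def doubles_as_phrases(text):
    """The doubles a store records for text, as sorted space-joined phrases."""
    _, doubles, _ = build_store(text)
    return sorted(" ".join(pair) for pair in doubles)


def top_keys(counter, n=TOP_N):
    """The n most frequent keys of a Counter (every key if there are fewer)."""
    return {key for key, _ in counter.most_common(n)}


def score(text_a, text_b, top_n=TOP_N):
    """Compare two texts the unmask way.

    Returns (singles_hits, doubles_hits, triples_hits, total).  Each hit
    count is the size of the intersection of the two top-n key sets, so the
    total is capped at 3 * top_n and is a raw count, not a percentage.
    """
    store_a, store_b = build_store(text_a), build_store(text_b)
    hits = tuple(len(top_keys(a, top_n) & top_keys(b, top_n))
                 for a, b in zip(store_a, store_b))
    return hits + (sum(hits),)


def store_sizes(text):
    """Distinct singles, doubles and triples a text produces.

    A sentence of n distinct words contributes n*(n-1)/2 doubles and
    n*(n-1)*(n-2)/6 triples, so text without sentence punctuation grows
    the store cubically: the critique's "short essay that lacks
    punctuation" point.
    """
    return tuple(len(counter) for counter in build_store(text))


# Constructed sample texts: same sentence shapes, different nouns.
TEXT_A = "I like dogs. I walk my dog daily."
TEXT_B = "I like cats. I feed my cat daily."

# Fifty distinct constructed words, once as a single run-on sentence and
# once split into ten five-word sentences.
WORDS = ["w" + "x" * i for i in range(50)]
RUN_ON = " ".join(WORDS)
PUNCTUATED = ". ".join(" ".join(WORDS[i:i + 5]) for i in range(0, 50, 5)) + "."

if __name__ == "__main__":
    print("doubles of the critique's example:",
          doubles_as_phrases("I like dogs. I am."))
    print("A vs A:", score(TEXT_A, TEXT_A))  # the text's own ceiling, far below 300
    print("A vs B:", score(TEXT_A, TEXT_B))
    print("50 words, no punctuation:", store_sizes(RUN_ON))
    print("50 words, ten sentences: ", store_sizes(PUNCTUATED))
```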
From dentonj at gmail.com Tue Aug 21 20:11:13 2007
From: dentonj at gmail.com (Jeffrey Denton)
Date: Wed, 22 Aug 2007 02:11:13 +0200
Subject: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology
In-Reply-To:
References:
Message-ID: <8ebbd7f50708211711i46c48057wbf425f079f793f9f@mail.gmail.com>

Every time someone within the DoD goes public and starts rattling sabres, it's because a shortcoming has been identified and resources are needed to fix the problem. Resources can be in the form of money, personnel, training/skill set, authority, etc.

The DoD has long suffered from personnel rotations. This causes problems in training people, retaining trained/experienced people, and stable leadership. People get trained up and become halfway proficient at what they do, rotate to another duty station, leave the service, move up in rank and take on other responsibilities, etc. New leadership comes in with a different set of priorities and focuses on different tasks. It's not uncommon for an unfinished task to be scrapped when someone new takes charge. Government civilians provide some continuity. Some are good, others are looking to retire. Overall, the pay isn't good enough to retain quality throughout the work force. Defense contractors have been filling the gaps with training and experience. But this smooths over the problem until a contract goes up for rebid and gets lost to another company that underbids.

Point 1: Not sure what to say here other than government agencies have publicly claimed that their critical infrastructure is using equipment that is so old, no one would know what to do with it, let alone know how to break into it. Just because 10 organized hackers are better than one lone hacker doesn't mean you can ignore the ankle biters. The ankle biters are the ones triggering all of the alarms which in turn consumes most of your time.
You can't ignore them because that ankle biter may be an inexperienced team member of the other 9 that own your network (other people suffer from personnel rotation problems too...)

Point 2: "The US is a hard system to model." That is true of any complex system. The components are easy to model. Yes, a MIG is easy to model. Even an F22 would be easy to model. Try modeling the Air Force of a country. Little more complex. Model a network switch or an OS. Little easier.

Point 3: "Complexity breeds resilience." In relation to security, complexity is inherently insecure. This horse has been beaten to death many times. Add the rotation of people in and out of a complex environment as I stated above and complexity can become very difficult to comprehend for those trying to protect the infrastructure.

Point 4: "Technology is adopted quickly in the US, making it a fast-moving target." Rapidly changing technology makes it difficult for people defending the infrastructure to keep up. Policy is slow to adapt. Training on new technology doesn't happen overnight. By the time some organization has formally conducted an evaluation of a new technology and released a security technical implementation guide, you already have half a dozen of those devices on your network that some hacker found holes in the day after it was released. Some enterprising individual on the defense side may have already bothered to read the manual, but that seems to be the exception and not the rule.

Point 5: "Having a "target rich environment" overwhelms an attacker's analytical capability." I have a hard time believing this is one of your arguments. A target rich environment is also known as easy pickings. Anyone who's done a penetration test will tell you they only need to find one hole. That one hole will lead to many more. Those defending have to protect against every possibility. In a complex environment as you pointed out in point 3, defending that environment against attack becomes complex as well.
There is a big push for standardization to get rid of complexity and get rid of the "target rich environment". Everyone will use this AV product, this OS configured with this baseline, managed with these tools, scanned for vulnerabilities and compliance with a different set of spelled out tools, only use this vendor for network devices, etc. Standardization tends to create tunnel vision. Standardization forgets about the other "legacy" stuff on the network. Standardization doesn't see the details inside big solutions. Buy a big SAN solution to do virtualization. The associated network equipment will probably not be from the only vendor that is authorized when purchasing networking equipment. Contract out a big solution, don't be surprised when what gets developed doesn't meet your standardization. What? Tell them to fix it? Was it spelled out in the contract? "No, then give us more money...." But those standardized tools don't monitor that other stuff. Don't worry, tunnel vision will make sure everyone forgets about that other stuff. Add a complex environment, new technologies, personnel rotation problems, standardization, and you soon have a network full of holes.

For points 3, 4, and 5, "You don't know what you don't know."

Point 6: "Everyone repeats this Myth yet no one has any data to back it up." The DoD is the one making the most noise. They are going to keep any evidence that they are getting their asses handed to them classified. About the only evidence you may see is sabre rattling. Dave, you cannot have evidence, not yours.

"Myth: The US is more vulnerable to information warfare because it is more reliant on information technology. Some people like to say the US is "uniquely vulnerable"." That can be debated either way.
From dave.korn at artimi.com Tue Aug 21 20:52:00 2007 From: dave.korn at artimi.com (Dave Korn) Date: Wed, 22 Aug 2007 01:52:00 +0100 Subject: [Dailydave] news items In-Reply-To: References: <20070821190020.8F71233DA8@absinthe.tinho.net> Message-ID: <003101c7e456$a5b8a390$2e08a8c0@CAM.ARTIMI.COM> On 21 August 2007 20:56, B.K. DeLong wrote: > Windows Update = Skype DDOS seems too good to be true.... > > Why did this not happen to Skype with previous Windows Updates. What > changed since the last large update to make this happen? Skype's membership continued to grow exponentially. You can get phase changes in non-scaling networks when things like that happen. You can cross thresholds. Emergent effects can arise. Did anyone try adding the missing 'system' call to that neutered PoC to see if it would work? cheers, DaveK -- Can't think of a witty .sigline today.... From juha-matti.laurio at netti.fi Wed Aug 22 01:15:22 2007 From: juha-matti.laurio at netti.fi (Juha-Matti Laurio) Date: Wed, 22 Aug 2007 08:15:22 +0300 (EEST) Subject: [Dailydave] news items Message-ID: <8634312.333221187759723008.JavaMail.juha-matti.laurio@netti.fi> This summary-type blog entry written yesterday lists the reasons why the issue had its special "moves". And what Skype can learn from security community. Link to the newest clarification post of Skype included. Link: http://blogs.securiteam.com/?p=983 - Juha-Matti Dave Korn wrote: > On 21 August 2007 20:56, B.K. DeLong wrote: > > > Windows Update = Skype DDOS seems too good to be true.... > > > > Why did this not happen to Skype with previous Windows Updates. What > > changed since the last large update to make this happen? > > Skype's membership continued to grow exponentially. > > You can get phase changes in non-scaling networks when things like that happen. > You can cross thresholds. Emergent effects can arise. > > Did anyone try adding the missing 'system' call to that neutered PoC to see if > it would work? 
> > cheers, > DaveK > -- > Can't think of a witty .sigline today.... From sonicsai at gmail.com Wed Aug 22 02:05:09 2007 From: sonicsai at gmail.com (sai) Date: Wed, 22 Aug 2007 11:05:09 +0500 Subject: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology In-Reply-To: References: Message-ID: <41d04d600708212305h981f8b8pf2a50ec4ff7563eb@mail.gmail.com> On 8/22/07, Dave Aitel wrote: > > 1. Hacking has an economy of scale. 10 hackers working together are > more productive than 10*1 hacker. Less advanced countries have easier > technology to hack - NT 4.0 has unpatchable remote roots on it. > Management software is more easily used on modern stuff than old > crusty stuff. Technology rots, in other words. And rotted stuff is > easy to break. We all know very well how to write Windows 2000 heap > overflows. Nico is just getting Vista heap support into Immunity > Debugger now. > Less advanced countries don't worry about licences :-) Generally you will not find ANY advertising for PCs with Windows. They all allegedly come installed with (free)DOS or Linux. In fact they usually will have Vista installed. Getting Vista installed on an older PC costs $5 at your corner computer shop. > 3. Complexity breeds resilience. Well, yes, sometimes. It depends... Well connected networks are usually more secure, but generally complexity in components and systems produces vulnerabilities. >People say that hacking the United > States and causing damage is easier because more of what the US does > is connected, in many cases, to the Internet. However, it's also more > resilient - a SCADA system in a country that is less dependent on > network technology is harder to reach initially, but you're more > likely to find a single point of failure once you do reach it. Less developed places: the SCADA system was probably built and designed by foreigners, meaning the blueprints may be fairly easy to get, maybe even for free. > 5. 
Having a "target rich environment" overwhelms an attacker's > analytical capability. Even understanding one branch of the US > military's IT infrastructure is too large a project for even the most > well funded non-US attacker. If you mean that having a very large number of potential targets, of which only a small number have vulnerabilities, then yes I would agree with that. sai From berendjanwever at gmail.com Wed Aug 22 07:37:55 2007 From: berendjanwever at gmail.com (Berend-Jan Wever) Date: Wed, 22 Aug 2007 12:37:55 +0100 Subject: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology Message-ID: <3fa2f5bb0708220437i3a277622iba884dd377e498f8@mail.gmail.com> Hi Dave, I liked point 5 best: *Having a "target rich environment" overwhelms an attacker's analytical capability.* I'll tell the people I work with we need to put more bugs in our software to stop people from exploiting them :) I think point 6 applies to everybody: there is no data to back up either side of the argument. However, we do have some data to back up claims around the insecurity of software, so let's make an analogy with hard-to-model, complex software products which get updated frequently and see what we find: *1. Hacking has an economy of scale.* There are plenty of complex products that get hit by 0days from "one-hit-wonders". If you have two smart pentesters looking at product X and one dumb attacker, that does not guarantee your pentesters will find all bugs in the product before the attacker finds one they have yet to discover. *2. Product X is a hard system to model.* One does not need to model the whole system, just the weak parts. I have not a clue how SETI at HOME does what it does, but I'm sure it's pretty complex. Regardless, I was able to write an exploit for it. *3. Complexity breeds resilience.* It also breeds issues. 
The more lines of code, the more potential bugs, and adding complexity often requires adding more lines of code. Therefore, you'll find more bugs in more complex code. *4. Technology is adopted quickly in product X, making it a fast-moving target.* New technology brings new issues: the technology has not been proven, and new classes of issues that affect only this new technology are yet to be discovered. Unfortunately, I have no data to back up that my analogy scales well. It seems that only time may tell us who was right; let's hope it never gets to that. Cheers, SkyLined -- Berend-Jan "SkyLined" Wever Email & Live messenger: berendjanwever at gmail.com From tim.chavez at linux.vnet.ibm.com Wed Aug 22 14:08:06 2007 From: tim.chavez at linux.vnet.ibm.com (Timothy R. Chavez) Date: Wed, 22 Aug 2007 13:08:06 -0500 Subject: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology In-Reply-To: References: Message-ID: <20070822130806.03ae90ec@crumpet> So what about attacks _with_ information? I think the US would be more susceptible to information warfare attacks, in this regard, if it were more reliant on _homogeneous_ sources of information. Neal Stephenson brings up a good point in his book Cryptonomicon that even when the British cracked the Enigma code, they still had to constantly ask themselves if the Nazis knew they knew and, if not, how they could effectively use the information they intercepted without giving themselves away. For the defender of this information, integrity of the technology carrying it is of utmost importance; for the attacker of this information, integrity of the information, itself, is of utmost importance. 
So I'd argue, if anything, that by meddling with the affairs of others, we make ourselves more susceptible :) -tim On Tue, 21 Aug 2007 16:53:48 -0400 "Dave Aitel" wrote: > http://video.zdnet.com/CIOSessions/?p=165 > > If you listen to Colonel John Hayes in the above interview, he says > that oddly enough, they found that one of the most important > applications they implemented for mission support was "Text Chat". He > also noted that although he spent a lot of money building up wireless, > people aren't using it. That's probably because wireless never works. > Ever sat next to the door in your hotel because that's the only place > you could get connectivity? Anyways, back to the main point: busting a > myth. > > Myth: The US is more vulnerable to information warfare because it is > more reliant on information technology. Some people like to say the US > is "uniquely vulnerable". I hear this all the time from various > weblogs and every time I hear it I wonder why people keep repeating > it. > > > For background, the IATAC has this to say: > """ > The United States is vulnerable to Information Warfare attacks because > our economic, social, military, and commercial infrastructures demand > timely and accurate as well as reliable information services. This > vulnerability is complicated by the dependence of our DoD information > systems on commercial or proprietary networks which are readily > accessed by both users and adversaries. The identification of the > critical paths and key vulnerabilities within the information > infrastructure is an enormous task. Recent advances in information > technology have made information systems easier to use, less > expensive, and more available to a wide spectrum of potential > adversaries. > > The security of our nation depends on the survivability, authenticity, > and continuity of DoD information systems. 
These systems are > vulnerable to external attacks, due in part to the necessary > dependence on commercial systems and the increased use of the > Internet. The survivability, authenticity, and continuity of DoD > information systems is of supreme importance to the Warfighter. > """ > > > My intuition strongly disagrees with the idea that the US is specially > vulnerable. So with that in mind, let's go through a little exercise > in iconoclasty. > > Counter arguments: > 1. Hacking has an economy of scale. > 2. The US is a hard system to model. > 3. Complexity breeds resilience. > 4. Technology is adopted quickly in the US, making it a fast-moving target. > 5. Having a "target rich environment" overwhelms an attacker's > analytical capability. > 6. Everyone repeats this Myth yet no one has any data to back it up. > > Some details: > > 1. Hacking has an economy of scale. 10 hackers working together are > more productive than 10*1 hacker. Less advanced countries have easier > technology to hack - NT 4.0 has unpatchable remote roots on it. > Management software is more easily used on modern stuff than old > crusty stuff. Technology rots, in other words. And rotted stuff is > easy to break. We all know very well how to write Windows 2000 heap > overflows. Nico is just getting Vista heap support into Immunity > Debugger now. > > Of course, you only get an economy of scale when all your hackers can > talk to each other. If Clay Shirky[1] was commissioned to tell you > what kind of tools you need to maintain compartmentalization while > still getting that kind of economy of scale the results would be quite > interesting I think. Someone at DARPA needs to do that. > > 2. The US is a hard system to model. Hacking is easiest when you can > model your target. Modeling a MIG is easier than modeling an F-22 > because you can purchase an old one on eBay and fit it up to act like > whatever your target looks like. 
Likewise with information systems > that drive things you'd want to target with IW attacks. Owning a Cray > is hard. Why? Because you have to own a Cray. MMM,vector'd shellcode. > :> > > 3. Complexity breeds resilience. People say that hacking the United > States and causing damage is easier because more of what the US does > is connected, in many cases, to the Internet. However, it's also more > resilient - a SCADA system in a country that is less dependent on > network technology is harder to reach initially, but you're more > likely to find a single point of failure once you do reach it. > > 4. Technology is adopted quickly in the US, making it a fast-moving > target. Hacking is a continual treadmill. New techniques have to be > invented constantly to cope with changing technology. The US's > technology treadmill is set on 10 with a 15 degree incline. Countries > that change less will be easier to hack. There's a number X for any > given system, network, or organization where X is how fast things > you've owned get updated and your knowledge about them, exploits, and > trojans become worthless. [2] > > 5. Having a "target rich environment" overwhelms an attacker's > analytical capability. Even understanding one branch of the US > military's IT infrastructure is too large a project for even the most > well funded non-US attacker. > > 6. Everyone repeats this Myth yet no one has any data to back it up. > This isn't a "classification" problem necessarily. Very few people > have experience hacking at all, let alone on a scale that would afford > them the ability to make generalizations like this. > > _________________________________________________________ > > [1] Clay Shirky is the person you read when you want to know how > people react to social software. He can be found here. > http://many.corante.com/archives/authors/Clay.php > > [2] This number X is something I was looking for in the John > Arquilla's Networks and Netwars. 
Although the book started off really > well, it veered far from anything to do with hacking. Maybe one of his > other books has something on it. > http://www.amazon.com/Networks-Netwars-Future-Terror-Militancy/dp/0833030302 > (I don't necessarily recommend it unless you are very interested in > the Zapatistas). > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave From ab3a at comcast.net Wed Aug 22 22:51:40 2007 From: ab3a at comcast.net (Jake Brodsky) Date: Wed, 22 Aug 2007 22:51:40 -0400 Subject: [Dailydave] Myth: The US is more vulnerable to information warfare because it is more reliant on information technology In-Reply-To: References: Message-ID: <46CCF63C.8070803@comcast.net> /* Delurking */ Dave, I've been following this list for a while to see an inside view of what the various 'hats are discussing for software vulnerabilities. I come from the industrial automation world. I'm a registered engineer of control systems. For those of you who might recognize the term SCADA, that's a part of what I design, build, and live with every day. The broader term we like to use is "industrial control systems" because it covers plant and process systems as well as regional supervisory systems for distribution networks. Industrial control systems are in the dark ages of security. We do not adopt new technologies right away. We frequently do not even patch, unless there is a threat to life and limb. The reason is very simple: every change in an industrial control system MUST be validated. This isn't just me talking, it's the federal regulations. Go look at the OSHA regulations, the FDA Part 11 regulations or even the SOX legislation for examples of this kind of thinking. We have to adhere to most of this. Validation of a control system is extremely expensive. 
If we updated our systems the way most IT shops do, it would be more expensive than the risk of an attack. We would also risk critical safety systems. More systems have been damaged or brought down from bad patching practice than by actual attacks. So we have to be very selective about what we patch, where, and when. The bottom line is that your assumptions about the adoption of technology aren't typical. We're working to change that. However, we can't do what most of the IT community does. We can't patch first and trust that all will be well. So we hide behind firewalls, we segment our networks, and we're trying to push authentication right to the micro-controllers in the field. But it's a long uphill battle. The typical lifetime of an industrial control system can be 10 to 15 years. Chew on that for a minute. What were YOU playing with 15 years ago? This won't happen overnight. I'm a member of various standards committees and we're trying to create market standards and authenticated protocols we can use to effect these changes on the market. But it won't be easy and it won't be quick. You don't rewire or redesign a refinery overnight. You don't replace a SCADA system covering hundreds or even thousands of miles of pipeline without expending some impressive labor costs. The DOD boilerplate isn't wrong to say the sorts of things they're saying. Misguided? Maybe. Inaccurate? Only so far as they don't quite understand the technicalities. But this is just funding talk. I know others in DOD and law enforcement who understand the issue very well. There is much to be afraid of. Cities depend on an infrastructure that runs all too well; utilities are so reliable that we forget about how integral they are to daily life. We're nearly invisible until something breaks. Think of this the next time you flush your toilet. How long could a large city last without water? The only people who sleep well in my industry are those who do not understand the problem. 
Jacob Brodsky, PE From prabu at hackinthebox.org Wed Aug 22 23:43:01 2007 From: prabu at hackinthebox.org (Praburaajan) Date: Thu, 23 Aug 2007 11:43:01 +0800 Subject: [Dailydave] Reminder: HITBSecConf2007 - Malaysia is less than 2 weeks away Message-ID: <46CD0245.5060001@hackinthebox.org> HITBSecConf2007 - Malaysia is a mere 2 weeks away! Organized as a community centric, non-profit effort, HITBSecConf is Asia's largest network security event featuring 4 keynote speakers, 7 tracks of technical training sessions and access to over 30 hours of deep knowledge demos and presentations! Date: 3rd - 6th September 2007 Venue: Hilton KL Sentral Time: 0900 - 1800 What's on the menu - 7 tracks of hands-on technical training sessions (3rd & 4th) - 4 keynote speakers (Mark 'Phiber Optik' Abene, Emmanuel Goldstein, Mikko Hypponen and Lance Spitzner!) - Lock Picking Village (run by members of TOOOL USA) - Capture The Flag (team-based hacking competition with 11 teams from around the world confirmed) - BZFlag Area Some of the highlight conference presentations: - Hacking Biometric Systems - High Security Locks - Illusion or Reality? - How to 0wn Critical National Infrastructure - Hacking SCADA - RDS-TMC Injection: How to Freak Out Your Sat Nav Systems - Attacking Cisco NAC - Hacking Hardened and Secured Oracle Servers PLUS an exclusive presentation on WABISABILABI - The Exploit Marketplace Project by their Director of Strategy, who will be taking questions from the audience and speaking on the purpose of the project and its future plans. Walk-in registrants are accepted and the area where the lock picking village, bzflag competition, zone-h hacking challenge and the capture the flag 'live hacking' competition is being held is FREE AND OPEN TO PUBLIC. So do come and check it out. :) If you haven't registered yet, there's still time to do so but do note that prices increase after 31st August 2007. 
For further details, please see: http://conference.hitb.org/hitbsecconf2007kl/ From dave at immunityinc.com Fri Aug 24 12:48:43 2007 From: dave at immunityinc.com (Dave Aitel) Date: Fri, 24 Aug 2007 12:48:43 -0400 Subject: [Dailydave] Helio Ocean Review Message-ID: <46CF0BEB.5010500@immunityinc.com> A Helio Ocean Review from a Sidekick 3 user's perspective So the Helio Ocean is a "semi-smart" phone much like the Sidekick 3. In this day and age, the Sidekick needs massive updating to compete with the features of any modern phone and T-Mobile is too dumb to replace broken Sidekicks for free for long time users. So I got a Helio Ocean. Here is a list of features the Helio Ocean has that the Sidekick does not. Keep in mind both phones cost pretty much the same thing, although you can get a Sidekick for as low as $99 with a new two year contract from T-Mobile (which is crazy - they should be free since they're as old as the hills, but whatever). Helio Ocean features that beat the Sidekick: o GPS+Google Maps App. This has saved my ass at least once when lost in Dallas with a cabbie intent on ripping me off. Extremely usable application - you can say things like "Sushi near me" and find your local sushi restaurants. Works great even inside since it uses the cell phone towers to triangulate you. This is essentially a killer app, the second killer app being the Video Camera+YouTube integration. I'd try "Buddy Beacon" which tells all your friends where you are, but I don't have friends with Helio phones. Everyone else seems to have either an iPhone or a TracPhone (30 bucks from CVS) o Video camera and normal camera that does not suck like the Sidekick's does o number pad for dialing phone numbers (whee!) o Lots more applications you can download, but you'll never use any of them because they want an astonishing 3 dollars a day for most of them. So this doesn't count. 
o "3G" I know people want this, but frankly, it's not worth even listing as a "Feature" since it's no faster than anything else you've ever used. This doesn't count either. I've tested the iPhone, and it's just as fast, if not faster. o Cheap and good plans. Nothing from Helio will break your piggy bank. They don't nickel and dime you the way AT&T does if you buy an iPhone, and the overall plan is cheaper than T-Mobile's. o Better phone call quality. o Good customer support from cheery southern chicks (T-Mobile is also quite good). None of the customer support at Helio appeared to have ever used the Helio Ocean, but some of the second level support had and could answer questions like "Why doesn't file download work" with "You need a microsd card" o Helio UP lets you automatically upload videos to YouTube. This is pretty awesome really. Works well for daily videos of your small child for the extended family. You can have the phone tag the videos with the geolocation theoretically, although I can't figure out how to get that data back from YouTube. o Helio UP sends pictures to MySpace. I'm not sure why you'd want them on MySpace rather than, say, Google Picasa. There's no Google Picasa option. I find I never use this. The downsides of the Helio Ocean are: o Slightly worse keyboard than the Sidekick. Not horrible, just slightly worse. o The GUI is terrible. Why a cell phone GUI should have lag is something I've never understood. I should not be typing on the AIM client and have it start missing characters because I'm typing too fast. Is the thing doing character mode and sending each character to the server? That would be insane, but I'm not ruling it out. o Basic UI design concepts are missing from the Helio designers' brains. For example, most people on the Sidekick will load a web page by hitting the "Web Browser" button, then typing an address, and then they will put the Sidekick back into their pocket and come back to it later when the web page is there. 
Or perhaps they will AIM for a bit while the web page loads. This is impossible on the Helio since it runs one application at a time. Starting and stopping the web browser takes about 10 seconds, which is infuriating once you start wanting to use it. o Gmail doesn't appear to accept my password so I can't use GMail on the phone. Not sure why. Tech support has no idea either. o When the Helio is running the web browser, that's all it does. If you close the phone, the web browser app closes too. This is retarded beyond belief. Was Opera too expensive to license or something? The web browser is the worst thing ever. It's slightly faster than the GPRS the Sidekick uses, but navigating on it is nearly impossible. Useful only for reading headlines on Google News. Slashdot is impossible on it, but digg works well. o The camera app has some very strange bugs. Examples: o Using the camera vertically can only do 300X200 (crappy). Using it horizontally with the keyboard out works really well. o You have to choose between External (MicroSD - 1Gig for 30 bucks at Circuit City) or Internal storage. You cannot copy photos or videos from Internal to your Mac using USB. You can copy them from External, but you cannot email things or use "Helio UP" from External. So either way you're screwed. There's a 2.5 meg limit (30 seconds) on videos when you want to email them to yourself or "helio up" them. So I recommend using "Internal" and then only moving things externally when you want to copy them to your hard drive. This is awkward, to say the least. o Built in email and text messaging is slightly worse than the Sidekick's. Only downloads the first 1000 characters of emails, for example. Just essentially worse applications here in every way. o No way to easily say "Get me a new GPS location" while in the Google Maps application other than restarting the application. IN CONCLUSION: The iPhone has no GPS or Video camera, or AIM, and is horribly expensive. 
If they added a GPS and Video Camera and someone finished a nice AIM application that runs in their web browser, they'd be best-of-breed in every area. Overall the Helio Ocean is not a terrible phone. It's a good phone, with a terrible UI and web browser. GPS and YouTube integration will make you like it while you wait for Apple to get iPhone version 2.0 out the door. But if I had to purchase it again, I'd probably get an iPhone. - -dave From fukami at vakuum.net Fri Aug 24 20:45:28 2007 From: fukami at vakuum.net (fukami) Date: Sat, 25 Aug 2007 02:45:28 +0200 Subject: [Dailydave] 24th Chaos Communication Congress 2007: Call for Participation Message-ID: <43E48364-F7BE-4A5F-B220-C3330008FF62@vakuum.net> 24th Chaos Communication Congress 2007: Call for Participation 24C3: Volldampf voraus! 24th Chaos Communication Congress December 27th to 30th, 2007 Berlin, Germany http://events.ccc.de/congress/2007/ Overview ======== The 24th Chaos Communication Congress (24C3) is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it has since established itself as "the European Hacker Conference". Lectures and workshops on a multitude of topics attract a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world. The 24C3's slogan is "Volldampf voraus!" (the German equivalent of "full steam ahead"), a particular request for talks and projects featuring forward-looking hands-on topics. The Chaos Computer Club has always encouraged creative and unorthodox interaction with technology and society, in the good tradition of the real meaning of "hacking". Topics ====== The 24C3 conference program is roughly divided into six general categories. 
These categories serve as guidelines for your submissions (and later as a means of orientation for your prospective audience). However, it is not mandatory for your talk to exactly match the descriptions below. Anything that is interesting and/or funny will be taken into consideration. # Hacking The "Hacking" category addresses topics dealing with technology, concentrating on current research with high technical merit. Traditionally, the majority of all lectures at 24C3 revolve around hacking. Topics in this domain include but are in no way limited to: programming, hardware hacking, cryptography, network and system security, security exploits, and creative use of technology. # Making The "Making" category is all about making and breaking things and the wonderful stuff you can build in your basement or garage. Most welcome are submissions dealing with the latest in electronics, 3D-fabbing, climate-change survival technology, robots and drones, steam machines, alternative transportation tools and guerrilla-style knitting. # Science The "Science" category covers current or future objects of scientific research that have the potential to radically change our lives, be it basic research or projects conducted for the industry. We are looking for talks and papers on the state of the art in this domain, covering subjects such as nano technology, quantum computing, high frequency physics, bio-technology, brain-computer interfaces, automated analysis of surveillance CCTV, etc. # Society Technology development causes great changes in society and will determine our future. This category is for all talks on subjects like hacker tools and the law, surveillance practices, censorship, intellectual property and copyright issues, data retention, software patents, effects of technology on kids, and the impact of technology on society in general. # Culture Shaping the world we live in means making it more interesting, entertaining and beautiful. 
The hacker culture has many facets ranging from electronic art objects, stand-up comedy, geek entertainment, video game and board game culture, music, 3D art to e-text literature and beyond. If you like to show your art and teach others how to make their lives more enjoyable, this category is for you. # Community In addition to individual speakers the Chaos Communication Congress is also inviting groups such as developer teams, projects and activists to present themselves and their topics. Developer groups are also encouraged to ask for support to hold smaller on-site developer conferences and meetings in the course of the Congress. Further Information =================== The Chaos Communication Congress is a non-profit oriented event and speakers are not paid. However, financial help on travel expenses and accommodation is possible. It needs to be agreed upon after acceptance of the submission, though. Don't be shy and state your requirements when submitting your lecture and we'll work something out! You can find the preliminary agenda and additional information on our 24C3 website at http://events.ccc.de/congress/2007/. For further information and questions please feel free to contact 24c3-content at cccv.de Submissions =========== All proposals must be submitted online using our online lecture submission system at https://cccv.pentabarf.org/submission/24C3. Please follow the instructions given there. If you have any questions regarding your submission, feel free to contact us at 24c3-content at cccv.de but do NOT submit your lecture via e-mail. Language ======== 24C3 is an international event and we want to have a lot of interesting talks in English for the benefit of our growing number of international guests. So ideally we are looking for speakers who can give lectures and/or workshops in either English or German. But while we are interested in maximum quality of presentation, the topic and its relevance to our community are our main concern. 
So don't worry about your English skills: the language of a submission is not a criterion for accepting or rejecting it! If you feel insecure talking in English, have received criticism on your language skills from your audience before, or if you just fear that the value and understandability of your lecture might suffer, please offer your talk in German. Please tell us if you are a native speaker of English or have similar skills, when submitting your lecture. Lecture Requirements ==================== Lectures should not exceed 45 minutes plus up to 10 minutes for questions and answers. Longer time slots are possible if we feel the topic demands it (please tell us if necessary). Workshops should include a talk on the basic principles and a practical hands-on section. Dates and deadlines =================== The deadline for submission is October 12th, 2007 Midnight UTC. Notification of acceptance will be sent by e-mail on November 11th, 2007 at the latest. However, you may very well get your notification earlier than that if needed. Final papers or slides are due by November 18th, 2007. * October 12th, 2007 (Midnight UTC) Submission due * November 11th, 2007 Final notification of acceptance (or earlier) * November 18th, 2007 Final papers/presentations due * December 27th - 30th, 2007 Chaos Communication Congress From dave.aitel at gmail.com Sat Aug 25 20:40:35 2007 From: dave.aitel at gmail.com (Dave Aitel) Date: Sat, 25 Aug 2007 20:40:35 -0400 Subject: [Dailydave] just got back from obama event Message-ID: In Overtown. SS would not let me pee! 
From dave.aitel at gmail.com Sun Aug 26 08:03:46 2007 From: dave.aitel at gmail.com (Dave Aitel) Date: Sun, 26 Aug 2007 08:03:46 -0400 Subject: [Dailydave] just got back from obama event In-Reply-To: References: Message-ID: Ah yes, so the whole goal of the moderator password is to be secure against a drunk me. Clearly we need a harder password! In any case, last night Justine and I went to Overtown (aka, the ghetto in the middle of Miami) for an Obama reception. My goal was to see if there was anyone there to discuss software patents with. It turns out there wasn't. They had a Katie-Holmes looking character managing the event, and she didn't do what we would have done, which is throw a bunch of ringers into the crowd to finish squeezing the money out. In any case, it was interesting to see Obama up close rather than on the Daily Show. Some pictures here: http://picasaweb.google.com/dave.aitel/ObamaInOvertown/ Other thoughts: Who is doing the security for their websites, I wonder? SS seems good physically, but at what point will they also be responsible for cyberspace? Someone should put up a "Hackers for Diebold" website. Motto: Diebold: The technology you need, the election results you want! Although it looks like Florida doesn't get to vote in the primary anymore either way. I bet donor lists are worth quite a lot of money. For those who haven't seen it, a binary->Python translator is a cool thing to have. http://forum.immunityinc.com/index.php?topic=33.0 -dave On 8/25/07, Dave Aitel wrote: > > In Overtown. SS would not let me pee! > 
From endrazine at gmail.com Mon Aug 27 08:12:10 2007
From: endrazine at gmail.com (endrazine useless)
Date: Mon, 27 Aug 2007 14:12:10 +0200
Subject: [Dailydave] just got back from obama event
In-Reply-To:
References:
Message-ID:

Hi Dave,

On 8/26/07, Dave Aitel wrote:
>
>
> For those who haven't seen it, a binary->Python translator is a cool thing
> to have.
> http://forum.immunityinc.com/index.php?topic=33.0
>
>

Quoting you on 08/08:

If I had a quarter for every time someone said to me they were going to reverse a binary into an intermediate language and do slicing on it to find all the bugs, I'd ... well, I'd be able to buy some ice cream at least.

Quoting http://forum.immunityinc.com/index.php?topic=33.0 :

We're working on a script that get a binary file and return a pythonized version, not actually a decompiled version, but one that can help you to find bugs automagically.

hrm, I must be missing something...

Cheers,

endrazine-

From dan at geer.org Mon Aug 27 10:25:31 2007
From: dan at geer.org (dan at geer.org)
Date: Mon, 27 Aug 2007 10:25:31 -0400
Subject: [Dailydave] just got back from obama event
In-Reply-To: Your message of "Sun, 26 Aug 2007 08:03:46 EDT."
Message-ID: <20070827142531.D8ACF33D75@absinthe.tinho.net>

|
| Someone should put up a "Hackers for Diebold" website. Motto:
| Diebold: The technology you need, the election results you want!
| Although it looks like Florida doesn't get to vote in the primary
| anymore either way.
|

W.r.t. Diebold, they and all others suffer from a universal election commission requirement that might be worth discussion here.
It is that on election day if something in an election machine breaks, then the (various) election commission(s) insist on being able to reload/restart on demand, and to do so with essentially unskilled help.

The reason it might be worth discussion is a general design-level question for embedded systems -- do you or do you not want an embedded system to have a remote management interface. An argument "for" is "How else can we recover from design flaws found later?" An argument "against" is "A remote management interface is the openest invitation to mischief." All the actual engineers here will agree that, when building something, the outcome can be no better than the problem statement.

I do know something about Diebold's election experience in Ohio, and it is consistent with my first remark, viz., the requirement for a mid-Election-Day correction. From the Atty. General's point of view, a DoS against the electorate due to something that he could fix but wasn't able to do so because of "security" is paramount. I also know that technology to absolutely lock down the configuration of the election machines he had did exist, had been bought, had been tested, and yet eventually foundered on the requirement I mentioned -- it was not possible to both lock the configuration and to make it field upgradable by cops and retirees.

On the other point, I have nothing to offer to trump Howard Dean, but I do so enjoy watching.

--dan

From dave.korn at artimi.com Mon Aug 27 10:30:31 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Mon, 27 Aug 2007 15:30:31 +0100
Subject: [Dailydave] just got back from obama event
In-Reply-To:
References:
Message-ID: <005f01c7e8b6$d2381090$2e08a8c0@CAM.ARTIMI.COM>

On 27 August 2007 13:12, endrazine useless wrote:
> Hi Dave,
>
>
> On 8/26/07, Dave Aitel wrote:
>
>
> For those who haven't seen it, a binary->Python translator is a cool thing to
> have.
> http://forum.immunityinc.com/index.php?topic=33.0
>

I must be using too much adblock or noscript or something, because I see a reference to screenshots but I can't see any screenshots.. where am I supposed to be looking?

> Quoting you on 08/08 :
>
> If I had a quarter for every time someone said to me they were going
> to reverse a binary into an intermediate language and do slicing on it
>
> to find all the bugs, I'd ... well, I'd be able to buy some ice cream
> at least.
>
> Quoting
> http://forum.immunityinc.com/index.php?topic=33.0
> :
>
> We're working on a script that get a binary file and return a
> pythonized version, not actually a decompiled version, but one that can
> help you to find bugs automagically.
>
>
>
> hrm, I must be missing something...

Ice-cream?

cheers,
DaveK

--
Can't think of a witty .sigline today....

From dami at immunityinc.com Mon Aug 27 11:18:01 2007
From: dami at immunityinc.com (Damian Gomez)
Date: Mon, 27 Aug 2007 12:18:01 -0300
Subject: [Dailydave] just got back from obama event
In-Reply-To: <005f01c7e8b6$d2381090$2e08a8c0@CAM.ARTIMI.COM>
References: <005f01c7e8b6$d2381090$2e08a8c0@CAM.ARTIMI.COM>
Message-ID: <46D2EB29.4060506@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Korn wrote:
> On 27 August 2007 13:12, endrazine useless wrote:
>
>> Hi Dave,
>>
>>
>> On 8/26/07, Dave Aitel wrote:
>>
>>
>> For those who haven't seen it, a binary->Python translator is a cool
> thing to
>> have. http://forum.immunityinc.com/index.php?topic=33.0
>>
>
>
> I must be using too much adblock or noscript or something, because I see a
> reference to screenshots but I can't see any screenshots.. where am I supposed to
> be looking?

I think you need to be registered to actually see the screenshots

>
>> Quoting you on 08/08 :
>>
>> If I had a quarter for every time someone said to me they were going
>> to reverse a binary into an intermediate language and do slicing on it
>>
>> to find all the bugs, I'd ...
>> well, I'd be able to buy some ice cream
>> at least.
>>
>> Quoting
>> http://forum.immunityinc.com/index.php?topic=33.0
>> :
>>
>> We're working on a script that get a binary file and return a
>> pythonized version, not actually a decompiled version, but one that can
>> help you to find bugs automagically.
>>
>>
>>
>> hrm, I must be missing something...
>
> Ice-cream?
>
>
> cheers,
> DaveK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFG0usnchUpv2oeW9gRAk0SAJ9JCiNAyXD6t4zjTfApkAiKpNcsZACfbqJa
n1eBRsybbMuYgUDeV5kg8tY=
=/GNh
-----END PGP SIGNATURE-----

From numatrix at ufl.edu Tue Aug 28 01:10:35 2007
From: numatrix at ufl.edu (Jordan Wiens)
Date: Tue, 28 Aug 2007 01:10:35 -0400
Subject: [Dailydave] just got back from obama event
In-Reply-To: <20070827142531.D8ACF33D75@absinthe.tinho.net>
References: <20070827142531.D8ACF33D75@absinthe.tinho.net>
Message-ID: <90AA1DC9-ECCA-44F8-AA2A-BF27D84EF0E1@ufl.edu>

On Aug 27, 2007, at 10:25 AM, dan at geer.org wrote:
>
> |
> | Someone should put up a "Hackers for Diebold" website. Motto:
> | Diebold: The technology you need, the election results you want!
> | Although it looks like Florida doesn't get to vote in the primary
> | anymore either way.
> |
>
>
> W.r.t. Diebold, they and all others suffer from a
> universal election commission requirement that might
> be worth discussion here. It is that on election day
> if something in an election machine breaks, then the
> (various) election commission(s) insist on being able to
> reload/restart on demand, and to do so with essentially
> unskilled help.

Our county gets around this issue by training up a staff of mid-level techies whose job is to drive around between polling locations and provide "higher" level technical support. In the case of a machine going really bad, we have spares of everything and can re-program a spare to become any local machine. They do have someone from the county come out with a programmer in some situations though.
As a side-note, this led to a rather interesting practice called sleep-overs in which the techs in question get to have one of the machines without any seals on the memory card slot (presumably because the device will be reloaded with the appropriate config as necessary) over-night since they have to be at their first polling location at ridiculously early hours. So yeah, I've got some fun photos of me with an unlocked touch-screen diebold voting system in my trunk from the day before elections last year. ;-)

The only good news in that situation was that our county only uses the touch-screens for accessibility reasons, and primarily uses paper scanners unless folks /really/ want to use a touch-screen.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

From joanna at invisiblethings.org Tue Aug 28 05:49:00 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Tue, 28 Aug 2007 11:49:00 +0200
Subject: [Dailydave] Exchange's privacy issues
Message-ID: <46D3EF8C.1010908@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Over time, as I get more and more computers, I really am starting to feel the need to migrate my Outlook's local .PST file to some server solution, like e.g. MS Exchange Server. I'm least concerned about mail (as I'm using IMAP4 anyway) but mostly about syncing my calendar, contacts, task list and memos.

So, why don't I like Exchange (and other similar solutions)? After all, one can buy Exchange hosting for some $10/month... Well, I don't like it because the idea of somebody else (i.e. the hosting company) having full access to all my personal data (calendar, etc) is simply scary. Many people on this list will probably just shrug it off and say that they are using their company's Exchange server, which they trust. But then again, would you place a "New Job Interview" appointment in your calendar if you knew that your corporate admin will be able to see it?
So, the simple question is -- does anybody know an encryption solution that would work on the client-to-client level? I.e. I would like my Outlook program to encrypt all the fields in my calendar, todo list, etc. and send them to the Exchange server as encrypted base64. Simple, symmetric crypto, one shared key, will do. True, the server would still know that I have a meeting on Friday at 11 a.m., but it would not be possible to decipher what kind of meeting it is. Similarly they would see that I have 15 tasks on my todo list, and maybe they can also see that 3 of them are of an 'Important' priority, but they would not be able to read them.

In other words I'm looking for something analogous to PGP. With PGP your adversary still can see who you got mail from or to whom you send it, heck, they can even see the subject of the mail (which is BTW really annoying), but they don't see the content.

It would be nice if the solution also worked for BlackBerry devices.

Yes, I know, one solution would be to buy a colocation, put my own server there, disable FireWire ports and put some glue into spare PCI slots, so that nobody can get access to the machine's memory, even with physical access... But that solution is too pricey. Not because of the hosting fee, but because of the time needed to administer such a server.

I would greatly appreciate all the feedback.

Cheers,
joanna.
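The scheme the question above sketches, as an added example that is not part of the original post and is not code from Outlook, Exchange or any real client: each confidential field of a calendar entry is encrypted on the client with one shared key and stored as base64, while the fields the server needs for scheduling (start, end, priority) stay in the clear, so the hosting provider can see *when* and *how urgent* but not *what*. The record layout and field names are invented for the example. The cipher is a standard-library-only encrypt-then-MAC construction (an HMAC-SHA256 keystream in counter mode plus an HMAC-SHA256 tag) standing in for an AEAD such as AES-GCM, which a real client would use instead; the point it demonstrates is which fields leak and which do not, and that a tampered or wrong-key blob is rejected rather than decrypted to garbage.

```python
# Added example: field-level encryption of a calendar entry before it is
# handed to a server-side store (not code from the original post).
# Assumptions: field names and the sample appointment are constructed;
# the HMAC-based keystream + tag below stands in for AES-GCM.
import base64
import hashlib
import hmac
import secrets

# Fields whose content the server must never be able to read.
CONFIDENTIAL_FIELDS = ("subject", "location", "body")
# Fields left visible: the server can schedule and sort on them, which is
# exactly the leak the post accepts (when, how many, how urgent).
VISIBLE_FIELDS = ("start", "end", "priority")

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(shared_key: bytes):
    """Split the single shared key into independent encryption and MAC keys."""
    enc = hmac.new(shared_key, b"calendar-encrypt", hashlib.sha256).digest()
    mac = hmac.new(shared_key, b"calendar-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(shared_key: bytes, plaintext: str) -> str:
    """Return base64(nonce || ciphertext || tag) for one field."""
    enc_key, mac_key = derive_subkeys(shared_key)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per field: equal subjects differ on the wire
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_field(shared_key: bytes, blob: str) -> str:
    """Verify the tag first, then decrypt; raise ValueError on any tampering."""
    enc_key, mac_key = derive_subkeys(shared_key)
    raw = base64.b64decode(blob)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("calendar field blob is truncated")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("calendar field failed integrity check")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def tamper_detected(shared_key: bytes, blob: str) -> bool:
    """True if the blob is rejected (wrong key or modified), False if it decrypts."""
    try:
        decrypt_field(shared_key, blob)
    except ValueError:
        return True
    return False


def protect_appointment(shared_key: bytes, appt: dict) -> dict:
    """Client side: encrypt confidential fields, pass visible fields through."""
    stored = {k: appt[k] for k in VISIBLE_FIELDS}
    for k in CONFIDENTIAL_FIELDS:
        stored[k] = encrypt_field(shared_key, appt[k])
    return stored


def reveal_appointment(shared_key: bytes, stored: dict) -> dict:
    """Another client holding the same key: recover the original entry."""
    appt = {k: stored[k] for k in VISIBLE_FIELDS}
    for k in CONFIDENTIAL_FIELDS:
        appt[k] = decrypt_field(shared_key, stored[k])
    return appt


def server_view(stored: dict) -> dict:
    """What the hosting provider learns: plaintext of the visible fields only."""
    return {k: stored[k] for k in VISIBLE_FIELDS}


# Constructed sample input (not a real key, not a real appointment).
SAMPLE_KEY = hashlib.sha256(b"constructed demo key - not a real secret").digest()
SAMPLE_APPOINTMENT = {
    "start": "2007-08-31T11:00",
    "end": "2007-08-31T12:00",
    "priority": "Important",
    "subject": "New Job Interview",
    "location": "Coffee place across the street",
    "body": "Bring the CV.",
}

if __name__ == "__main__":
    stored = protect_appointment(SAMPLE_KEY, SAMPLE_APPOINTMENT)
    print("server sees:", server_view(stored))
    print("client recovers:", reveal_appointment(SAMPLE_KEY, stored))
```

Running the block prints the three scheduling fields the provider can read and the fully recovered entry on the client. Because each field gets its own random nonce, re-saving the same appointment produces a different blob every time, so the server cannot even tell that two entries share a subject; it can, however, still count entries and read the priority, which is the trade-off the post spells out.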
-----BEGIN PGP SIGNATURE-----

iQEVAwUBRtPviMwG7MOLAMOlAQIUTQf/W3hjSz+jliH747g0HRDiHp2ihl1Yb+A0
c5gR9U7syooSgGachP6RxcaqzXgG/R5P/9QNpPvueCGaTWeJyjjESgvtRgnmZOgc
kgRRCi6hI5VmDp5axW0jTbYVAEsW2V7TDzCgkB70/ZAqAKu1tLy7mylHGBWiYvoH
TW6bBccx+vxClJr5f2GtJW5ho+cul+ajxZYFqyY+VZn/7sTByr/p+X5unn5EIzLO
12H14eoLKpqqiuDb9CkgwgACDWHuKFJiQafMCIZMOv7HA/kBYuPfBi6DHe0siiKp
83hm5UyLWqy6ngRTq8kPD+d2REEvw4GSG455O+UhUhT7K6ZY/3lKxg==
=yRKD
-----END PGP SIGNATURE-----

From joanna at invisiblethings.org Tue Aug 28 08:25:25 2007
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Tue, 28 Aug 2007 14:25:25 +0200
Subject: [Dailydave] Exchange's privacy issues
In-Reply-To: <5e01c29a0708280456yca61f77y7249e2b5656d4f73@mail.gmail.com>
References: <46D3EF8C.1010908@invisiblethings.org> <5e01c29a0708280456yca61f77y7249e2b5656d4f73@mail.gmail.com>
Message-ID: <46D41435.5050500@invisiblethings.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

silky wrote:
> i'm fairly sure you can use gmail calendar over ssl (you may like to
> 'force' this option with 'CustomizeGoogle' extension for firefox).
>
> (but then you need to trust google with your data ...)
>

Right, after all Google already keeps all your search queries and all your mail and all your office documents (if you're using Google Docs & Spreadsheets), so what does it change if you also give them your calendar, tasks and contact lists? After all, Google is not evil, right? ;)

j.
-----BEGIN PGP SIGNATURE-----

iQEVAwUBRtQUNcwG7MOLAMOlAQJK3Af+ODM057t03FB849XdqgHiLfsuAuKAJ8Ml
DbsbP74T62CswuPw1hrsrC+MbaaTaWC3yH5D+9pWQLghsu4Ki3CTtOyX8XEH58nB
uNfoCkIpgFTeBdJnfmY3CxCJQRSkZ9jcw2Ic5YI+YzyZFnjoXIA06WnLDqp9ybGr
xyPaWrG1fX7Iz0DZ0/kQw610T/0GbKBuCg8jkeLZlga5kL2mBWykVwnVXCRZNFmi
GcU5u6bStyr+XfhhgfoTvwbHV/o0SmuF1DOgKbThJ+nx5uyBniy4fRGXvYD2A62E
2wIVO24QwjJGvsbZR7ZR96pz2y8+zJoTQ8ZWgtQiMMc5Bm9H5LdSBA==
=zwno
-----END PGP SIGNATURE-----

From dave at immunityinc.com Wed Aug 29 12:07:35 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 29 Aug 2007 12:07:35 -0400
Subject: [Dailydave] The Long Run
Message-ID: <46D599C7.9080408@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Now available: http://www.immunityinc.com/downloads/TheLongRun.pdf

http://www.immunityinc.com/resources-dkm.shtml has been updated with "The Long Run". It's a rather old book, by internet standards. I read it when I was sixteen, but it's been out of print for a long time. It has the earliest known reference to internet addiction, among other things. It also answers the question of why "CANVAS" is named "CANVAS".

In any case, it's one of the classics of hacking fiction, the others being Neuromancer and Snow Crash. So if you haven't read it, you really really should.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1ZnDB8JNm+PA+iURAlLeAKDs+l6rTB0i23QYqc123Tw+3woc3ACgjUYu
kkOIzqwl+1ZzUYutCft5bZQ=
=o4p7
-----END PGP SIGNATURE-----

From jeremiah.johnson at gmail.com Wed Aug 29 16:32:44 2007
From: jeremiah.johnson at gmail.com (Jeremiah Johnson)
Date: Wed, 29 Aug 2007 15:32:44 -0500
Subject: [Dailydave] The Long Run
In-Reply-To: <46D599C7.9080408@immunityinc.com>
References: <46D599C7.9080408@immunityinc.com>
Message-ID: <701ea59b0708291332p475c5b29ueda35b59751813bf@mail.gmail.com>

Thanks Dave, I'll take a look. I recommend Feed by M.T.
Anderson, it's a very quick read but gives a possible answer to the question of 'what would happen if we had the internet hardwired to our brain?'. Hackers are involved in the story, but hacking is not the main point, and hacking is used for a different purpose since it's no longer about 0wning some corp server, but people's brains.

http://www.amazon.com/Feed-M-T-Anderson/dp/0763622591/ref=pd_bbs_sr_1/105-6138693-5850068

Amazon.com
This brilliantly ironic satire is set in a future world where television and computers are connected directly into people's brains when they are babies. The result is a chillingly recognizable consumer society where empty-headed kids are driven by fashion and shopping and the avid pursuit of silly entertainment--even on trips to Mars and the moon--and by constant customized murmurs in their brains of encouragement to buy, buy, buy. Anderson gives us this world through the voice of a boy who, like everyone around him, is almost completely inarticulate, whose vocabulary, in a dead-on parody of the worst teenspeak, depends heavily on three words: "like," "thing," and the second most common English obscenity. He's even made this vapid kid a bit sympathetic, as a product of his society who dimly knows something is missing in his head. The details are bitterly funny--the idiotic but wildly popular sitcom called "Oh? Wow! Thing!", the girls who have to retire to the ladies room a couple of times an evening because hairstyles have changed, the hideous lesions on everyone that are not only accepted, but turned into a fashion statement. And the ultimate awfulness is that when we finally meet the boy's parents, they are just as inarticulate and empty-headed as he is, and their solution to their son's problem is to buy him an expensive car. Although there is a danger that at first teens may see the idea of brain-computers as cool, ultimately they will recognize this as a fascinating novel that says something important about their world.
(Ages 14 and older) --Patty Campbell --This text refers to the Hardcover edition.

-miah

On 8/29/07, Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Now available: http://www.immunityinc.com/downloads/TheLongRun.pdf
>
> http://www.immunityinc.com/resources-dkm.shtml has been updated with
> "The Long Run". It's a rather old book, by internet standards. I read
> it when I was sixteen, but it's been out of print for a long time. It
> has the earliest known reference to internet addiction, among other
> things. It also answers the question of why "CANVAS" is named "CANVAS".
>
> In any case, it's one of the classics of hacking fiction, the others
> being Neuromancer and Snow Crash. So if you haven't read it, you
> really really should.
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFG1ZnDB8JNm+PA+iURAlLeAKDs+l6rTB0i23QYqc123Tw+3woc3ACgjUYu
> kkOIzqwl+1ZzUYutCft5bZQ=
> =o4p7
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From mwollenweber at gmail.com Wed Aug 29 17:21:24 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Wed, 29 Aug 2007 17:21:24 -0400
Subject: [Dailydave] Shellcoder's Handbook, Second Edition
In-Reply-To:
References:
Message-ID: <42210a440708291421g20de3673qd880fa06ea3717cb@mail.gmail.com>

I haven't read the whole book cover to cover, but I've finally managed to spend a bit of time with it. My general opinion is that they've cleaned up the book quite a bit. The first edition was difficult to read. This one is a bit easier.

On the whole, the book seems to have refocused on shellcode. That makes sense given the title, but I'm a bit disappointed by this. I mainly enjoyed the first book as it was the best reference on how to exploit software.... the metasploit page is always there to generate shellcode that usually works.
This book of course discusses exploitation techniques, but it doesn't seem to go into depth with newer technologies in fuzzing or bypassing exploit protections. I didn't see too much particular to Vista in the book, though it does have a lot regarding Windows 2003.

I was particularly attracted by the thought of bypassing Entercept. I've run into it a few times during pen tests and it's always amusing to get thrown off the box. The book suggests two methods for bypassing Entercept and neither is detailed. The first is mimicking normal behaviour -- which is obvious, or second, hooking the system call table which is nuts in most cases. I've only ever seen Entercept on important production boxes and injecting custom shell code into a kernel level process to hook the system calls again is probably asking for an explosion.

It's probably a book worth having, but I don't think it nearly has the impact of the first book.

On 8/19/07, Robert Wesley McGrew wrote:
>
> I was just browsing around on Amazon, noticed the slightly different
> cover, and realized that the release date for the Second Edition is
> the 20th:
>
>
> http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=pd_sim_b_4/002-9507551-2756861?ie=UTF8&qid=1187579269&sr=1-3
>
> Dave is no longer listed as an author (I hope your content's out of it
> then!). If anyone's had a look at this, I'd love to see some opinions
> on how this compares to the first edition, which was good, but had
> some serious errors, and was never supported on the Wiley site as was
> promised.
>
> The book features, straight from amazon:
> """
> * This much-anticipated revision, written by the ultimate group
> of top security experts in the world, features 40 percent new content
> on how to find security holes in any operating system or application
> * New material addresses the many new exploitation techniques that
> have been discovered since the first edition, including attacking
> "unbreakable" software packages such as McAfee's Entercept, Mac OS X,
> XP, Office 2003, and Vista
> * Also features the first-ever published information on exploiting
> Cisco's IOS, with content that has never before been explored
> * The companion Web site features downloadable code files
> """
>
> --
> Robert Wesley McGrew
> http://mcgrewsecurity.com
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From mwollenweber at gmail.com Thu Aug 30 14:49:43 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Thu, 30 Aug 2007 14:49:43 -0400
Subject: [Dailydave] ie fuzz prevention
Message-ID: <42210a440708301149i2291e934g571dbd64fe624981@mail.gmail.com>

Today I decided to start fuzzing IE to prepare for an upcoming pen test. I know the target has a small externally accessible attack surface, so developing a nice IE exploit seemed like a good idea. This is my first time fuzzing IE, and I'm immediately surprised by two things:

1. How easy it is to get IE to throw a fault
2. How ungodly slow IE loads fuzzed pages

While the first is good, when I play the evil bad guy, the second is quite irksome.
I think it might make a good talking point for MS, I mean Firefox loads the pages about 10x as fast so fuzzing is much easier. I can see it now, Microsoft: "Our web browser is so slow attackers can't exploit it". Maybe slowness is Microsoft's new anti-hacker strategy. Vista is their "most secure" OS and you can barely even surf the web while listening to music. I think I see a pattern!!! :)

--
Matthew Wollenweber
mwollenweber at gmail.com | mjw at cyberwart.com
www.cyberwart.com

From lists at bughunter.ca Thu Aug 30 15:19:22 2007
From: lists at bughunter.ca (J.M. Seitz)
Date: Thu, 30 Aug 2007 12:19:22 -0700
Subject: [Dailydave] ie fuzz prevention
In-Reply-To: <42210a440708301149i2291e934g571dbd64fe624981@mail.gmail.com>
Message-ID: <005701c7eb3a$ac942910$6207a8c0@jseitz>

>> How easy it is to get IE to throw a fault

Do you mean an access violation, or the standard C++ exception codes? In my experience pretty much every single piece of software will throw exception codes, but use ImmunityDebugger or Olly to ignore those codes and I bet your hit count will be lower.

>> How ungodly slow IE loads fuzzed pages

Do you have a bunch of COM objects that get loaded? Disable all plugins first, and you will have a much faster turnaround time on your iterations.

JS
From nicolas.waisman at immunitysec.com Thu Aug 30 17:06:46 2007
From: nicolas.waisman at immunitysec.com (nicolas.waisman at immunitysec.com)
Date: Thu, 30 Aug 2007 16:06:46 -0500
Subject: [Dailydave] Immunity Debugger 1.1 Release
Message-ID: <20070830210646.GI16158@mail.immunityinc.com>

The number one request this month was "Please implement a Python shell so I can write scripts and play with immlib features on the fly!". This is now done. Enjoy! Next to that we continued our efforts to improve the overall debugging experience with two new libraries, libstackanalyze and Ero Carrera's pefile, and two new scripts: searchcrypt and stackvar.

The Immunity Debugger engine has also undergone changes to improve reliability issues, fix reported memleaks and remove some well-known bugs used by packers such as the printfloat format error (a.k.a. the FLD bug).

Keep in mind we still have a contest going for the best Immunity Debugger script. The winner gets a free SILICA! Get more details from http://forum.immunityinc.com/index.php?topic=12.0 .

We hope you enjoy this month's release.
You can upgrade your current Immunity Debugger by going to Help/Update or directly downloading from http://debugger.immunityinc.com/register.html

Feedback, Requests, and Cool Screenshots are always welcome at http://forum.immunityinc.com

Sincerely,
Team Immunity
http://www.immunityinc.com

PS: If you are a company, and you are looking for a person with the right skills, try our ID Job Advertisement program: http://www.immunityinc.com/products-idadvertising.shtml

-------------------------------
1.1 Build 0
August 30, 2007

New Features:

o Interactive Python Shell added
o Lookaside enhanced output + Discovery option
o libdatatype "Get" Function
o Get OS information methods
o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
o Python engine rewritten to properly use thread locking/unlocking
o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVENTIONAL)
o Attach process window is now dynamically searchable
o Added clean ID memory methods inside immlib
o Added Stack analyzation library (libstackanalyze)
o Fixed some memleak on Disasm
o Fixed wrong arguments on Disasm operand
o Improved Patch command
o Safeseh moved into a PyCommand

New Scripts:

o searchcrypt PyCommand
o stackvars PyCommand

Bug Fixes:

o Solved 'ij' issue inside attach window
o Fixed VCG parser (Blocks display complete address now)
o Fixed traceback error when trying to graph and not attached
o Fixed printfloat() format error
o Fixed ret value of Getaddrfromexp in case of non-existing expression

From lists at bughunter.ca Thu Aug 30 17:23:37 2007
From: lists at bughunter.ca (J.M.
Seitz)
Date: Thu, 30 Aug 2007 14:23:37 -0700
Subject: [Dailydave] Immunity Debugger 1.1 Release
In-Reply-To: <20070830210646.GI16158@mail.immunityinc.com>
Message-ID: <00a801c7eb4c$07c76b60$6207a8c0@jseitz>

Nico,

Well done guys! Also to update your ID just go to Help->Update, not sure if you mentioned this :)

JS

> -----Original Message-----
> From: dailydave-bounces at lists.immunitysec.com
> [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of
> nicolas.waisman at immunitysec.com
> Sent: Thursday, August 30, 2007 2:07 PM
> To: dailydave at lists.immunitysec.com
> Subject: [Dailydave] Immunity Debugger 1.1 Release
>
> The number one request this month was "Please implement a
> Python shell so I can write scripts and play with immlib
> features on the fly!". This is now done. Enjoy! Next to that
> we continued our efforts to improve the overall debugging
> experience with two new libraries, libstackanalyze and Ero
> Carrera's pefile and two new scripts: searchcrypt and stackvar.
>
> The Immunity Debugger engine has also undergone changes to
> improve reliability issues, fix reported memleaks and remove
> some well-known bugs used for packers such as the printfloat
> format error (a.k.a the FLD bug).
>
> Keep in mind we still have a contest going for the best
> Immunity Debugger script. The winner gets a free SILICA! Get
> more details from http://forum.immunityinc.com/index.php?topic=12.0 .
>
> We hope you enjoy this month's release.
> You can upgrade your
> current Immunity Debugger by going to Help/Update or directly
> downloading from http://debugger.immunityinc.com/register.html
>
> Feedback, Requests, and Cool Screenshots are always
> welcomed at http://forum.immunityinc.com
>
> Sincerely,
> Team Immunity
> http://www.immunityinc.com
> PS: If you are a company, and you are looking for a person
> with the right skills, try our ID Job Advertisment program:
> http://www.immunityinc.com/products-idadvertising.shtml
>
> -------------------------------
> 1.1 Build 0
> August 30, 2007
>
> New Features:
>
> o Interactive Python Shell added
> o Lookaside enhanced output + Discovery option
> o libdatatype "Get" Function
> o Get OS information methods
> o Ero Carrera's pefile.py (http://code.google.com/p/pefile/)
> o Python engine rewritten to properly use thread locking/unlocking
> o Added ignoreSingleStep method for immlib (TRANSPARENT + CONVENTIONAL)
> o Attach process window is now dynamically searchable
> o Added clean ID memory method