From nicolas at immunitysec.com Mon Jun 2 09:48:26 2008
From: nicolas at immunitysec.com (Nicolas Waisman)
Date: Mon, 02 Jun 2008 10:48:26 -0300
Subject: [Dailydave] Immunity Debugger 1.6 is out!
Message-ID: <4843FA2A.2070503@immunitysec.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Immunity, Inc. proudly presents:

IMMUNITY DEBUGGER 1.6

This release we are introducing the most requested feature since the release of ID 1.0 in the form of automatic symbol downloading.

In the script department we included two awesome new scripts: treedll and findloop. Yes, you read that correctly, we have implemented dominator trees for your coverage analysis pleasure and you are now able to detect loops inside functions.

Immunity Debugger 1.6 delivers more stability and fixes a lot of known issues. For example the old AddKnowledge/PostAnalysis bug is gone and the land of hooking is all happiness. Check the Changelog below for more details.

Download it now: http://debugger.immunityinc.com/

For the next release we are working on variables and structures, so stay tuned!

The Immunity ID Team

- --------------
1.60 Build 0

New Features:

- - Debugger
  o Added 'Use Symbol Server' option [http://forum.immunityinc.com/index.php?topic=162]
  o Improved Getallnames
  o Added timestamp to log events

- - Immunity Debugger API
  o Added getAllSymbolsFromModule method
  o Added libcontrolflow.py: container for classes DominatorTree and ControlFlowAnalysis
  o Added Clear function to FastLogHook

- - PyCommands
  o Added findloop.py: find natural loops given a function start
  o Added treedll.py: creates imported DLL tree

- - Bug Fixes:
  o Fixed POST_ANALYSIS_HOOK "FATAL ERROR"
  o Fixed Arguments overflow (Thanks David Wetson for reporting this one!)
  o Local Symbol Path issue
  o Analysis second pass option now works
  o Getallsymbols now correctly creates the PyDict [Import/Export/Library issue]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIQ/oqnx8KWzmcRsERAjz4AJ9oI/I8+wWc+0UF2LHchvGyxssUpwCdEd+K
r+WmstQa4YBU94sRMv0LHr4=
=ZX25
-----END PGP SIGNATURE-----

From pty.err at gmail.com Mon Jun 2 12:18:56 2008
From: pty.err at gmail.com (Parity)
Date: Mon, 2 Jun 2008 09:18:56 -0700
Subject: [Dailydave] The paradox of our security measures
In-Reply-To: <5af738920805301459uf2d8a10k36cf7cbb890a4c5e@mail.gmail.com>
References: <5af738920805301459uf2d8a10k36cf7cbb890a4c5e@mail.gmail.com>
Message-ID: <1cd499dd0806020918x39dceabdnb94fa70c95487650@mail.gmail.com>

Nah, no paradox here. Even among security pros, there's a certain obliviousness to the fact that the term "security" is overloaded. Sometimes we mean security-as-in-*controls* (A/V, IDS, content filtering, etc.) and sometimes we mean security-as-in-*assurance* (the result of practices that yield things like qmail instead of sendmail, or maybe SQL Server 2005 instead of SQL Server 2000). Put another way, security assurance is what the business pays for, and security controls are what it gets.

pty

On Fri, May 30, 2008 at 2:59 PM, Dave Aitel wrote:
> I like the smaller security conferences better. Big conferences are like
> weddings - just enough time to remind people you're still alive and pass
> along a phone number or email address. There's usually less media glare and
> so speakers can avoid the prostrations necessary to avoid painful PR battles
> and just get straight to the technical facts. For example, one of the
> speakers demonstrated 4 different vulnerabilities in various anti-virus
> products. It was just part of the talk, not meant as publicity whoring.
>
> One thing I liked as well was Thomas Lim's introductions which provided a
> context to the talks.
> Recently the Hong Kong police have had confidential
> information leakage via a P2P program called "Foxy", for example. Likewise
> the Beijing Olympic tickets are going to have RFID chips with everyone's
> name and address, passport number, picture, birthday, and anything else an
> identity thief would want. It's a great way to build up a huge database, I
> guess, but based on Adam Laurie's excellent talk, anyone 60 feet around you
> can just pick that information right out of the air. Like Anti-Virus and
> IDS, RFID is another cool example of how adding a security measure ends up
> reducing your security.
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

From oliver at securitycompass.com Mon Jun 2 19:41:35 2008
From: oliver at securitycompass.com (Oliver Lavery)
Date: Mon, 02 Jun 2008 19:41:35 -0400
Subject: [Dailydave] AccessMe Tool Now Available

Hello,

Security Compass is proud to announce the release of AccessMe, the latest addition to our ExploitMe series of free penetration testing add-ons for Mozilla Firefox. This preliminary release of AccessMe expands the series with powerful functionality for testing the access control and session management mechanisms of web applications, including:

- Invalid HTTP method attacks
- Bypassing access control using HTTP HEAD
- Session dropping

We're releasing this tool as open-source under the GPLv3, and hope it will assist penetration testers, QA staff, and developers in detecting and eliminating common security vulnerabilities in today's web applications.

Please visit http://www.securitycompass.com/ to download AccessMe, and all of our other free penetration testing tools.

Regards,
Oliver Lavery
Security Compass

From daniel.bilar at gmail.com Tue Jun 3 15:23:58 2008
From: daniel.bilar at gmail.com (Daniel .)
Date: Tue, 3 Jun 2008 15:23:58 -0400
Subject: [Dailydave] Job at vilabs (Waltham, MA, USA)

Hi people

Many of you on dd have the tech skills. The sine qua non requirement is the product shepherding: A "significant track record as an architect of commercial software product, preferably overseeing a number of successful product launches". I did not have that, siiiigh ... Pay is estimated between 110k-120k USD, need to be US citizen or Green Card Holder

Say hi to Barbara from me when you apply ;)

Good luck
Daniel

Product architect
-----------------

Responsibilities include providing direction on existing product architecture and defining the next generation architecture and design for V.i. Labs' CodeArmor and other software protection products. The software architect will incorporate input from marketing, customer, and engineering to ensure the architecture and design meet both the short-term and longer term market needs. The software architect will work with the engineering team to build the products that deliver on this vision.

Important aspects of the role include mentoring members of the engineering team, providing architectural oversight, and working with the Vice President of Engineering in setting the development direction for the company.
Experience and Skills Required:

- MS or PhD in Computer Science or Computer Engineering
- Experience in role as architect at a commercial software company
- Outstanding communication skills (both written and verbal)
- 5+ years working in or with Software Security with working knowledge of encryption techniques, application signing, and/or other forms of software protection
- Reverse Engineering skills (demonstrable knowledge of RE tools, Microsoft Compilers, PE file architecture)
- Operational understanding of application runtime internals for multiple operating systems (Microsoft, Unix/Linux, and popular mobile operating systems)
- Team player, must be able to lead/mentor both senior and junior engineers

*Must be a US Citizen or Green Card Holder.*

Contact: Barbara Curran, Staffing Consultant - cell - 978-793-0404; main - 781-398-3408; bcurran at vilabs.com

From druid at caughq.org Tue Jun 3 23:06:11 2008
From: druid at caughq.org (I)ruid)
Date: Tue, 03 Jun 2008 22:06:11 -0500
Subject: [Dailydave] The paradox of our security measures
In-Reply-To: <5af738920805301459uf2d8a10k36cf7cbb890a4c5e@mail.gmail.com>
References: <5af738920805301459uf2d8a10k36cf7cbb890a4c5e@mail.gmail.com>
Message-ID: <1212548771.16929.19.camel@localhost>

On Fri, 2008-05-30 at 17:59 -0400, Dave Aitel wrote:
> Like Anti-Virus and IDS, RFID is another cool example of how adding a
> security measure ends up reducing your security.

Your statement is a little misleading regarding scope. The mechanism is meant to increase security of the Olympics by (supposedly) creating a mechanism for provable identity, and I'll give them the benefit of the doubt, without reviewing the overall security system that the identification mechanism is intended for, that it does so; however, what it does do is effectively reduce users' personal *privacy* (security://confidentiality) due to vulnerabilities of the identification mechanism itself. Adding the mechanism didn't necessarily reduce the security of the system it was intended to be used within, as the privacy of the users was probably not one of their design goals (they probably just care about identifying people traversing security checkpoints). Rather, it just had a really nasty side-effect which undermines a lot of protections and controls of a different system altogether (reasonable expectation of personal privacy and the existing protections thereof).

Anyhow... RF snarfing people's dox as they use their vulnerable ID to traverse a security checkpoint has a special kind of irony to it, and is funny as hell. Bonus points to whoever turns one of the jumbotrons at the games into an Olympic wall of sheep and broadcasts the snarfed info directly to it. (:

BTW, is Laurie on this list? I'd really like a tour of his bunker next time I'm near London...

-- 
I)ruid, C²ISSP
druid at caughq.org
http://druid.caughq.org
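Going back to the Immunity Debugger 1.6 announcement at the top of this archive: findloop.py and the DominatorTree class in libcontrolflow.py are about dominator trees and natural loops, and the following is an added example of that analysis written for this page, not the debugger's own libcontrolflow.py or findloop.py code and using no debugger API. The control-flow graph, the block addresses and the function names are constructed for the demonstration; in the debugger the CFG would come from the analysed function's basic blocks.

```python
# Added example, not code from Immunity Debugger's libcontrolflow.py or
# findloop.py: dominator tree and natural-loop detection over a hand-built
# control-flow graph. Addresses and the CFG shape are invented.
from collections import defaultdict

# Constructed CFG: basic-block start address -> successor addresses.
# 0x401010 heads an outer loop, 0x401020 an inner loop nested inside it.
SAMPLE_CFG = {
    0x401000: [0x401010],            # prologue
    0x401010: [0x401020, 0x401060],  # outer loop test: enter body or exit
    0x401020: [0x401030, 0x401050],  # inner loop test
    0x401030: [0x401020],            # inner body, jumps back (back edge)
    0x401050: [0x401010],            # after inner loop, jumps back (back edge)
    0x401060: [],                    # epilogue / ret
}


def predecessors(cfg):
    preds = defaultdict(set)
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)
    return preds


def dominators(cfg, entry):
    """Iterative dataflow: dom(n) = {n} U intersection of dom(p) over preds p."""
    nodes = set(cfg) | {s for succs in cfg.values() for s in succs}
    preds = predecessors(cfg)
    dom = {n: set(nodes) for n in nodes}   # optimistic start: everything dominates
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes - {entry}:
            meet = set.intersection(*(dom[p] for p in preds[n])) if preds[n] else set()
            new = {n} | meet
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def dominator_tree(dom):
    """idom(n) is the strict dominator closest to n, i.e. the one with the
    largest dominator set (strict dominators of a node form a chain)."""
    idom = {}
    for n, ds in dom.items():
        strict = ds - {n}
        if strict:
            idom[n] = max(strict, key=lambda d: len(dom[d]))
    children = defaultdict(list)
    for n, d in idom.items():
        children[d].append(n)
    return idom, dict(children)


def natural_loops(cfg, dom):
    """A back edge u->h is one where h dominates u. Its natural loop is h plus
    every node that reaches u without passing through h; loops that share a
    header are merged into one body."""
    preds = predecessors(cfg)
    loops = {}
    for u, succs in cfg.items():
        for h in succs:
            if h not in dom[u]:
                continue
            body = {h, u}
            stack = [] if u == h else [u]   # a self-loop has nothing else to walk
            while stack:
                for p in preds[stack.pop()]:
                    if p not in body:       # h is already in body, so the walk stops there
                        body.add(p)
                        stack.append(p)
            loops.setdefault(h, set()).update(body)
    return loops


def loop_nesting(loops):
    """Parent of each loop: the smallest other loop whose body strictly contains it."""
    parent = {}
    for h, body in loops.items():
        outer = [o for o, ob in loops.items() if o != h and body < ob]
        parent[h] = min(outer, key=lambda o: len(loops[o])) if outer else None
    return parent


def find_loops(cfg, entry):
    dom = dominators(cfg, entry)
    idom, _ = dominator_tree(dom)
    loops = natural_loops(cfg, dom)
    return {"idom": idom, "loops": loops, "parent": loop_nesting(loops)}


if __name__ == "__main__":
    result = find_loops(SAMPLE_CFG, 0x401000)
    for h, body in sorted(result["loops"].items()):
        blocks = ", ".join(f"{b:#x}" for b in sorted(body))
        outer = result["parent"][h]
        nested = f" (nested in loop at {outer:#x})" if outer else ""
        print(f"loop header {h:#x}: {blocks}{nested}")
```

Run stand-alone it prints the two loops, the inner one reported as nested in the outer. The dominator computation is the textbook set-intersection iteration rather than Lengauer-Tarjan or Cooper-Harvey-Kennedy; for the few hundred blocks a typical function has it is fast enough, and the back-edge rule (an edge whose target dominates its source) is what separates a real loop from an ordinary forward branch. One caveat when running this kind of analysis on a real function's CFG: irreducible control flow (a loop entered at two different blocks, which hand-written assembly and some optimizers produce) has no single header under this definition, so such a loop is missed or split.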
From tqbf at matasano.com Wed Jun 4 14:35:44 2008
From: tqbf at matasano.com (Thomas Ptacek)
Date: Wed, 4 Jun 2008 13:35:44 -0500
Subject: [Dailydave] Job at vilabs (Waltham, MA, USA)
Message-ID: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com>

Since you posted on DailyDave, we get to critique you. Why, exactly, would you require an MS degree for this position?

On 6/3/08, Daniel . wrote:
> Hi people
>
> Many of you on dd have the tech skills. The sine qua non requirement is the
> product shepherding: A "significant track record as an architect of
> commercial software product, preferably overseeing a number of successful
> product launches". I did not have that, siiiigh ... Pay is estimated between
> 110k-120k USD, need to be US citizen or Green Card Holder
> [...]
> Experience and Skills Required:
> MS or PhD in Computer Science or Computer Engineering
> [...]

-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From rodney at tsc-labs.net Thu Jun 5 16:57:28 2008
From: rodney at tsc-labs.net (Rodney Thayer)
Date: Thu, 05 Jun 2008 13:57:28 -0700
Subject: [Dailydave] Job at vilabs (Waltham, MA, USA)
In-Reply-To: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com>
References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com>
Message-ID: <48485338.4080609@tsc-labs.net>

Some product evaluators would take that sort of requirement as a red flag about the product they're working on ;-)

Or we could just be quiet and wait until their product shows up on Dave's radar one way or the other...

Thomas Ptacek wrote:
> Since you posted on DailyDave, we get to critique you. Why, exactly,
> would you require an MS degree for this position?
>
> On 6/3/08, Daniel . wrote:
>> Hi people
>>
>> Many of you on dd have the tech skills. The sine qua non requirement is the
>> product shepherding: A "significant track record as an architect of
>> commercial software product, preferably overseeing a number of successful
>> product launches". I did not have that, siiiigh ... Pay is estimated between
>> 110k-120k USD, need to be US citizen or Green Card Holder
>> [...]

From tqbf at matasano.com Fri Jun 6 01:41:00 2008
From: tqbf at matasano.com (Thomas Ptacek)
Date: Fri, 6 Jun 2008 00:41:00 -0500
Subject: [Dailydave] Job at vilabs (Waltham, MA, USA)
In-Reply-To: <4848CCC7.5020609@securisea.com>
References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com> <4848CCC7.5020609@securisea.com>
Message-ID: <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com>

Advanced degrees definitely don't correlate to the best-known vulnerability researchers.

On 6/6/08, Josh Daymont wrote:
> What percentage of dd list subscribers have MS degrees? 10%? Less? Or am
> I completely wrong...
>
> Thomas Ptacek wrote:
> Since you posted on DailyDave, we get to critique you. Why, exactly,
> would you require an MS degree for this position?
>
> On 6/3/08, Daniel . wrote:
>
> Hi people
>
> Many of you on dd have the tech skills. The sine qua non requirement is the
> product shepherding: A "significant track record as an architect of
> commercial software product, preferably overseeing a number of successful
> product launches". I did not have that, siiiigh ... Pay is estimated between
> 110k-120k USD, need to be US citizen or Green Card Holder
> [...]
The software > architect will incorporate input from marketing, customer, and engineering > to ensure the architecture and design both the short-term and longer term > market needs. The software architect will work with the engineering team to > build the products that deliver on this vision. > > Important aspects of the role include mentoring members of the engineering > team, providing architectural oversight, and working with the Vice President > of Engineering in setting the development direction for the company. > > Experience and Skills Required: > MS or PhD in Computer Science or Computer Engineering > Experience in role as architect at a commercial software company > Outstanding communication skills (both written and verbal) > 5+ years working in or with Software Security with working knowledge of > encryption techniques, application signing, and/or other forms of software > protection > Reverse Engineering skills (demonstrable knowledge of RE tools, Microsoft > Compilers, PE file architecture) > Operational understanding of application runtime internals for multiple > operating systems (Microsoft, Unix/Linux, and popular mobile operating > systems) > Team player, must be able to lead/mentor both senior and junior engineers > > Must be a US Citizen or Green Card Holder. > > Contact: Barbara Curran, Staffing Consultant ? cell ? 978-793-0404; main ? > 781-398-3408; bcurran at vilabs.com > > > > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > > > > > > > -- --- Thomas H. Ptacek // matasano security read us on the web: http://www.matasano.com/log From arr at watson.org Fri Jun 6 10:37:01 2008 From: arr at watson.org (Andrew R. 
Reiter) Date: Fri, 6 Jun 2008 10:37:01 -0400 (EDT) Subject: [Dailydave] Job at vilabs (Waltham, MA, USA) In-Reply-To: <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com> <4848CCC7.5020609@securisea.com> <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> Message-ID: <20080606103442.W55604@fledge.watson.org> I would argue that those not holding advanced degrees, more often than not, tend to lack the ability to successfully see through a large project to it's completion... if not ability, then the experience. I would also begin to argue that more and more "vulnerability researchers" are actually getting advanced degrees and so this requirement is not so far-fetched. On Fri, 6 Jun 2008, Thomas Ptacek wrote: > Advanced degrees definitely don't correlate to the best-known > vulnerability researchers. > > On 6/6/08, Josh Daymont wrote: >> >> >> What percentage of dd list subscribers have MS degrees? 10%? Less? Or am >> I completely wrong... >> >> >> Thomas Ptacek wrote: >> Since you posted on DailyDave, we get to critique you. Why, exactly, >> would you require an MS degree for this position? >> >> On 6/3/08, Daniel . wrote: >> >> >> Hi people >> >> Many of you on dd have the tech skills. The sine qua non requirement is the >> product shepherding: A "significant track record as an architect of >> commercial software product, preferably overseeing a number of successful >> product launches". I did not have that, siiiigh ... Pay is estimated between >> 110k-120k USD, need to be US citizen or Green Card Holder >> >> Say hi to Barbara from me when you apply ;) >> >> Good luck >> Daniel >> >> >> Product architect >> ----------------- >> >> >> Responsibilities include providing direction on existing product >> architecture and defining the next generation architecture and design for >> V.i. Labs' CodeArmor and other software protection products. 
The software >> architect will incorporate input from marketing, customer, and engineering >> to ensure the architecture and design both the short-term and longer term >> market needs. The software architect will work with the engineering team to >> build the products that deliver on this vision. >> >> Important aspects of the role include mentoring members of the engineering >> team, providing architectural oversight, and working with the Vice President >> of Engineering in setting the development direction for the company. >> >> Experience and Skills Required: >> MS or PhD in Computer Science or Computer Engineering >> Experience in role as architect at a commercial software company >> Outstanding communication skills (both written and verbal) >> 5+ years working in or with Software Security with working knowledge of >> encryption techniques, application signing, and/or other forms of software >> protection >> Reverse Engineering skills (demonstrable knowledge of RE tools, Microsoft >> Compilers, PE file architecture) >> Operational understanding of application runtime internals for multiple >> operating systems (Microsoft, Unix/Linux, and popular mobile operating >> systems) >> Team player, must be able to lead/mentor both senior and junior engineers >> >> Must be a US Citizen or Green Card Holder. >> >> Contact: Barbara Curran, Staffing Consultant ? cell ? 978-793-0404; main ? >> 781-398-3408; bcurran at vilabs.com >> >> >> >> _______________________________________________ >> Dailydave mailing list >> Dailydave at lists.immunitysec.com >> http://lists.immunitysec.com/mailman/listinfo/dailydave >> >> >> >> >> >> >> > > > -- > --- > Thomas H. 
Ptacek // matasano security > read us on the web: http://www.matasano.com/log > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > > From adam at homeport.org Fri Jun 6 10:37:35 2008 From: adam at homeport.org (Adam Shostack) Date: Fri, 6 Jun 2008 10:37:35 -0400 Subject: [Dailydave] Job at vilabs (Waltham, MA, USA) In-Reply-To: <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com> <4848CCC7.5020609@securisea.com> <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> Message-ID: <20080606143734.GA27511@homeport.org> Does being the best-known vuln researcher correlate with designing market-beating products? They're looking for architecture and design. (I'm not saying having a Masters or PhD correlates. Just asking about the researcher end.) Adam On Fri, Jun 06, 2008 at 12:41:00AM -0500, Thomas Ptacek wrote: | Advanced degrees definitely don't correlate to the best-known | vulnerability researchers. | | On 6/6/08, Josh Daymont wrote: | > | > | > What percentage of dd list subscribers have MS degrees? 10%? Less? Or am | > I completely wrong... | > | > | > Thomas Ptacek wrote: | > Since you posted on DailyDave, we get to critique you. Why, exactly, | > would you require an MS degree for this position? | > | > On 6/3/08, Daniel . wrote: | > | > | > Hi people | > | > Many of you on dd have the tech skills. The sine qua non requirement is the | > product shepherding: A "significant track record as an architect of | > commercial software product, preferably overseeing a number of successful | > product launches". I did not have that, siiiigh ... 
Pay is estimated between | > 110k-120k USD, need to be US citizen or Green Card Holder | > | > Say hi to Barbara from me when you apply ;) | > | > Good luck | > Daniel | > | > | > Product architect | > ----------------- | > | > | > Responsibilities include providing direction on existing product | > architecture and defining the next generation architecture and design for | > V.i. Labs' CodeArmor and other software protection products. The software | > architect will incorporate input from marketing, customer, and engineering | > to ensure the architecture and design both the short-term and longer term | > market needs. The software architect will work with the engineering team to | > build the products that deliver on this vision. | > | > Important aspects of the role include mentoring members of the engineering | > team, providing architectural oversight, and working with the Vice President | > of Engineering in setting the development direction for the company. | > | > Experience and Skills Required: | > MS or PhD in Computer Science or Computer Engineering | > Experience in role as architect at a commercial software company | > Outstanding communication skills (both written and verbal) | > 5+ years working in or with Software Security with working knowledge of | > encryption techniques, application signing, and/or other forms of software | > protection | > Reverse Engineering skills (demonstrable knowledge of RE tools, Microsoft | > Compilers, PE file architecture) | > Operational understanding of application runtime internals for multiple | > operating systems (Microsoft, Unix/Linux, and popular mobile operating | > systems) | > Team player, must be able to lead/mentor both senior and junior engineers | > | > Must be a US Citizen or Green Card Holder. | > | > Contact: Barbara Curran, Staffing Consultant ? cell ? 978-793-0404; main ? 
| > 781-398-3408; bcurran at vilabs.com | > | > | > | > _______________________________________________ | > Dailydave mailing list | > Dailydave at lists.immunitysec.com | > http://lists.immunitysec.com/mailman/listinfo/dailydave | > | > | > | > | > | > | > | | | -- | --- | Thomas H. Ptacek // matasano security | read us on the web: http://www.matasano.com/log | _______________________________________________ | Dailydave mailing list | Dailydave at lists.immunitysec.com | http://lists.immunitysec.com/mailman/listinfo/dailydave From ceng at Veracode.com Fri Jun 6 11:22:52 2008 From: ceng at Veracode.com (Chris Eng) Date: Fri, 6 Jun 2008 11:22:52 -0400 Subject: [Dailydave] Job at vilabs (Waltham, MA, USA) In-Reply-To: <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com><4848CCC7.5020609@securisea.com> <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> Message-ID: <79348E23E9D34F4F8032010B2913D72B010B3C45@NexusCore.Veracode.local> Isn't that common knowledge by now? Further, isn't it a known fact that most companies artificially inflate requirements on their job listings? It all goes out the window when the right candidate comes along. > -----Original Message----- > From: dailydave-bounces at lists.immunitysec.com > [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of > Thomas Ptacek > Sent: Friday, June 06, 2008 1:41 AM > To: Josh Daymont > Cc: dailydave at lists.immunitysec.com > Subject: Re: [Dailydave] Job at vilabs (Waltham, MA, USA) > > Advanced degrees definitely don't correlate to the best-known > vulnerability researchers. > > On 6/6/08, Josh Daymont wrote: > > > > > > What percentage of dd list subscribers have MS degrees? > 10%? Less? > > Or am I completely wrong... > > > > > > Thomas Ptacek wrote: > > Since you posted on DailyDave, we get to critique you. > Why, exactly, > > would you require an MS degree for this position? > > > > On 6/3/08, Daniel . 
wrote: > > > > > > Hi people > > > > Many of you on dd have the tech skills. The sine qua non > requirement > > is the product shepherding: A "significant track record as an > > architect of commercial software product, preferably overseeing a > > number of successful product launches". I did not have > that, siiiigh > > ... Pay is estimated between 110k-120k USD, need to be US > citizen or > > Green Card Holder > > > > Say hi to Barbara from me when you apply ;) > > > > Good luck > > Daniel > > > > > > Product architect > > ----------------- > > > > > > Responsibilities include providing direction on existing product > > architecture and defining the next generation architecture > and design > > for V.i. Labs' CodeArmor and other software protection > products. The > > software architect will incorporate input from marketing, customer, > > and engineering to ensure the architecture and design both the > > short-term and longer term market needs. The software > architect will > > work with the engineering team to build the products that > deliver on this vision. > > > > Important aspects of the role include mentoring members of the > > engineering team, providing architectural oversight, and > working with > > the Vice President of Engineering in setting the > development direction for the company. 
> > > > Experience and Skills Required: > > MS or PhD in Computer Science or Computer Engineering Experience in > > role as architect at a commercial software company Outstanding > > communication skills (both written and verbal) > > 5+ years working in or with Software Security with working > knowledge > > 5+ of > > encryption techniques, application signing, and/or other forms of > > software protection Reverse Engineering skills > (demonstrable knowledge > > of RE tools, Microsoft Compilers, PE file architecture) Operational > > understanding of application runtime internals for multiple > operating > > systems (Microsoft, Unix/Linux, and popular mobile operating > > systems) > > Team player, must be able to lead/mentor both senior and junior > > engineers > > > > Must be a US Citizen or Green Card Holder. > > > > Contact: Barbara Curran, Staffing Consultant - cell - 978-793-0404; > > main - 781-398-3408; bcurran at vilabs.com > > > > > > > > _______________________________________________ > > Dailydave mailing list > > Dailydave at lists.immunitysec.com > > http://lists.immunitysec.com/mailman/listinfo/dailydave > > > > > > > > > > > > > > > > > -- > --- > Thomas H. 
Ptacek // matasano security > read us on the web: http://www.matasano.com/log > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From tqbf at matasano.com Fri Jun 6 12:06:57 2008 From: tqbf at matasano.com (Thomas Ptacek) Date: Fri, 6 Jun 2008 11:06:57 -0500 Subject: [Dailydave] Job at vilabs (Waltham, MA, USA) In-Reply-To: <20080606143734.GA27511@homeport.org> References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com> <4848CCC7.5020609@securisea.com> <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> <20080606143734.GA27511@homeport.org> Message-ID: <1df0a410806060906p10532c0dwa50c192dc468acd0@mail.gmail.com> Some of the best dev shops in the world (I can name names over beer) AVOID hiring PhD's. Certainly, the best developers we know are as likely as not to lack even a BSCS. On 6/6/08, Adam Shostack wrote: > Does being the best-known vuln researcher correlate with designing > market-beating products? They're looking for architecture and design. > > (I'm not saying having a Masters or PhD correlates. Just asking about > the researcher end.) > > > Adam > > > On Fri, Jun 06, 2008 at 12:41:00AM -0500, Thomas Ptacek wrote: > | Advanced degrees definitely don't correlate to the best-known > | vulnerability researchers. > | > | On 6/6/08, Josh Daymont wrote: > | > > | > > | > What percentage of dd list subscribers have MS degrees? 10%? Less? Or am > | > I completely wrong... > | > > | > > | > Thomas Ptacek wrote: > | > Since you posted on DailyDave, we get to critique you. Why, exactly, > | > would you require an MS degree for this position? > | > > | > On 6/3/08, Daniel . wrote: > | > > | > > | > Hi people > | > > | > Many of you on dd have the tech skills. 
> | > The sine qua non requirement is the
> | > product shepherding: A "significant track record as an architect of
> | > commercial software product, preferably overseeing a number of successful
> | > product launches". I did not have that, siiiigh ... Pay is estimated between
> | > 110k-120k USD, need to be US citizen or Green Card Holder
> | >
> | > Say hi to Barbara from me when you apply ;)
> | >
> | > Good luck
> | > Daniel
> | >
> | > Product architect
> | > -----------------
> | >
> | > Responsibilities include providing direction on existing product
> | > architecture and defining the next generation architecture and design for
> | > V.i. Labs' CodeArmor and other software protection products. The software
> | > architect will incorporate input from marketing, customer, and engineering
> | > to ensure the architecture and design both the short-term and longer term
> | > market needs. The software architect will work with the engineering team to
> | > build the products that deliver on this vision.
> | >
> | > Important aspects of the role include mentoring members of the engineering
> | > team, providing architectural oversight, and working with the Vice President
> | > of Engineering in setting the development direction for the company.
> | >
> | > Experience and Skills Required:
> | > MS or PhD in Computer Science or Computer Engineering
> | > Experience in role as architect at a commercial software company
> | > Outstanding communication skills (both written and verbal)
> | > 5+ years working in or with Software Security with working knowledge of
> | > encryption techniques, application signing, and/or other forms of software
> | > protection
> | > Reverse Engineering skills (demonstrable knowledge of RE tools, Microsoft
> | > Compilers, PE file architecture)
> | > Operational understanding of application runtime internals for multiple
> | > operating systems (Microsoft, Unix/Linux, and popular mobile operating
> | > systems)
> | > Team player, must be able to lead/mentor both senior and junior engineers
> | >
> | > Must be a US Citizen or Green Card Holder.
> | >
> | > Contact: Barbara Curran, Staffing Consultant - cell - 978-793-0404; main -
> | > 781-398-3408; bcurran at vilabs.com
> | >
> |
> | --
> | ---
> | Thomas H. Ptacek // matasano security
> | read us on the web: http://www.matasano.com/log
>

--
---
Thomas H.
Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From joshd at midgard.net Fri Jun 6 13:41:23 2008
From: joshd at midgard.net (Josh Daymont)
Date: Fri, 06 Jun 2008 10:41:23 -0700
Subject: [Dailydave] Job at vilabs (Waltham, MA, USA)
In-Reply-To: <20080606103442.W55604@fledge.watson.org>
References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com> <4848CCC7.5020609@securisea.com> <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> <20080606103442.W55604@fledge.watson.org>
Message-ID: <484976C3.6080902@midgard.net>

Andrew,

Of course lack of degrees could, and often does, indicate someone is better at starting projects than finishing them. There's a difference though between taking a few extra steps to ensure someone without a degree doesn't fit that stereotype during the interview process and removing everyone who isn't degreed from the candidate pool from the start.

I'm definitely seeing more vulnerability researchers entering the job market with degrees, but not as many going back to get degrees. I can think of one good exception who's enrolled at UMass...

Josh

Andrew R. Reiter wrote:
>
> I would argue that those not holding advanced degrees, more often than
> not, tend to lack the ability to successfully see through a large
> project to its completion... if not ability, then the experience.
>
> I would also begin to argue that more and more "vulnerability
> researchers" are actually getting advanced degrees and so this
> requirement is not so far-fetched.
>
> On Fri, 6 Jun 2008, Thomas Ptacek wrote:
>
>> Advanced degrees definitely don't correlate to the best-known
>> vulnerability researchers.
>>
>> On 6/6/08, Josh Daymont wrote:
>>>
>>> What percentage of dd list subscribers have MS degrees? 10%?
>>> Less? Or am
>>> I completely wrong...
>>>
>>> Thomas Ptacek wrote:
>>> Since you posted on DailyDave, we get to critique you. Why, exactly,
>>> would you require an MS degree for this position?
>>>
>>> On 6/3/08, Daniel . wrote:
>>>
>>> Hi people
>>>
>>> Many of you on dd have the tech skills. The sine qua non requirement
>>> is the
>>> product shepherding: A "significant track record as an architect of
>>> commercial software product, preferably overseeing a number of
>>> successful
>>> product launches". I did not have that, siiiigh ... Pay is estimated
>>> between
>>> 110k-120k USD, need to be US citizen or Green Card Holder
>>>
>>> Say hi to Barbara from me when you apply ;)
>>>
>>> Good luck
>>> Daniel
>>>
>>> Product architect
>>> -----------------
>>>
>>> Responsibilities include providing direction on existing product
>>> architecture and defining the next generation architecture and
>>> design for
>>> V.i. Labs' CodeArmor and other software protection products. The
>>> software
>>> architect will incorporate input from marketing, customer, and
>>> engineering
>>> to ensure the architecture and design both the short-term and longer
>>> term
>>> market needs. The software architect will work with the engineering
>>> team to
>>> build the products that deliver on this vision.
>>>
>>> Important aspects of the role include mentoring members of the
>>> engineering
>>> team, providing architectural oversight, and working with the Vice
>>> President
>>> of Engineering in setting the development direction for the company.
>>>
>>> Experience and Skills Required:
>>> MS or PhD in Computer Science or Computer Engineering
>>> Experience in role as architect at a commercial software company
>>> Outstanding communication skills (both written and verbal)
>>> 5+ years working in or with Software Security with working knowledge of
>>> encryption techniques, application signing, and/or other forms of
>>> software
>>> protection
>>> Reverse Engineering skills (demonstrable knowledge of RE tools,
>>> Microsoft
>>> Compilers, PE file architecture)
>>> Operational understanding of application runtime internals for multiple
>>> operating systems (Microsoft, Unix/Linux, and popular mobile operating
>>> systems)
>>> Team player, must be able to lead/mentor both senior and junior
>>> engineers
>>>
>>> Must be a US Citizen or Green Card Holder.
>>>
>>> Contact: Barbara Curran, Staffing Consultant - cell - 978-793-0404;
>>> main -
>>> 781-398-3408; bcurran at vilabs.com
>>>
>>
>> --
>> ---
>> Thomas H.
>> Ptacek // matasano security
>> read us on the web: http://www.matasano.com/log
>>

From tqbf at matasano.com Fri Jun 6 13:48:35 2008
From: tqbf at matasano.com (Thomas Ptacek)
Date: Fri, 6 Jun 2008 12:48:35 -0500
Subject: [Dailydave] Job at vilabs (Waltham, MA, USA)
In-Reply-To: <484976C3.6080902@midgard.net>
References: <1df0a410806041135s772994e4udfc6a5b38e2c9b03@mail.gmail.com> <4848CCC7.5020609@securisea.com> <1df0a410806052241v1d6dff64m49d938595fdaddf8@mail.gmail.com> <20080606103442.W55604@fledge.watson.org> <484976C3.6080902@midgard.net>
Message-ID: <1df0a410806061048s775399b1l47286b8e2f99cc6f@mail.gmail.com>

> Of course lack of degrees could, and often does, indicate someone is better
> at starting projects than finishing them.

Oldest cliche in the book. Probably not true at all.

--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

From paul at xelerance.com Mon Jun 9 16:27:14 2008
From: paul at xelerance.com (Paul Wouters)
Date: Mon, 9 Jun 2008 16:27:14 -0400 (EDT)
Subject: [Dailydave] PCI-DSS and ssh public key question
Message-ID:

Hi people,

Does anyone have a definitive answer on whether ssh public key encryption, without hardware tokens, is allowed according to PCI-DSS?

pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for everyone or two factor auth, and sudo passwords for everyone for audit trail.

Of course, this makes changing 100 servers' configuration requiring root access either the worst job in the universe, or will see some awful "expect" wrappers to stop sysadmins from leaving their job to serve coffee at Star Bucks.

Personally, I would trust ssh keys over admins (including myself) not screwing up their password wrappers.

It seems the answer might be depending on your auditor.....

Paul

ps.
I know using ssh with passwords and wrappers on top of sudo wrappers sucks and is actually less secure (go find that password in the bash_history file). It is not myself I'm trying to convince here.....

From rforbes at e-stalkers.net Mon Jun 9 23:04:54 2008
From: rforbes at e-stalkers.net (Raymond Forbes)
Date: Mon, 09 Jun 2008 20:04:54 -0700
Subject: [Dailydave] PCI-DSS and ssh public key question
In-Reply-To:
References:
Message-ID: <484DEF56.8030206@e-stalkers.net>

You have to ask yourself. Can you track individual users based on their private key or will everything just show up as "root" in the logs? For PCI, you need to be able to show evidence that each transaction is associated with a particular person and you can track it. If you can do that, I think you should be ok. However, I am not an auditor, so take it for what it's worth.

-Raymond

Paul Wouters wrote:
> Hi people,
>
> Does anyone have a definitive answer on whether ssh public key encryption,
> without hardware tokens, is allowed according to PCI-DSS?
>
> pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for
> everyone or two factor auth, and sudo passwords for everyone for audit
> trail.
>
> Of course, this makes changing 100 servers' configuration requiring root
> access either the worst job in the universe, or will see some awful
> "expect" wrappers to stop sysadmins from leaving their job to serve coffee
> at Star Bucks.
>
> Personally, I would trust ssh keys over admins (including myself) not
> screwing up their password wrappers.
>
> It seems the answer might be depending on your auditor.....
>
> Paul
>
> ps. I know using ssh with passwords and wrappers on top of sudo wrappers
> sucks and is actually less secure (go find that password in the bash_history
> file). It is not myself I'm trying to convince here.....
>

From trygve at pogostick.net Tue Jun 10 01:18:28 2008
From: trygve at pogostick.net (Trygve Aasheim)
Date: Tue, 10 Jun 2008 07:18:28 +0200
Subject: [Dailydave] PCI-DSS and ssh public key question
In-Reply-To:
References:
Message-ID: <484E0EA4.3070409@pogostick.net>

Paul Wouters wrote:
>
> It seems the answer might be depending on your auditor.....
>
> Paul
>

That's the key really. The auditor wants two things:

- He/She doesn't want to be blamed for auditing someone who then had a breach
- He/She wants to help you to pass as well

So if you can show him/her that you are in control, using a slightly different approach than what is suggested - it will pass (most likely). The important thing is to show him/her that you see the red line throughout the requirements, and even though you've followed this - there are some areas where you've chosen another path (but for which you have documented well).

At least that's how it works over here in Europe, when we have audits on the different American standards (and now you guys are sending Sox over the lake as well....!)...

Good luck,
T

From lee at nerds.org.uk Tue Jun 10 04:00:52 2008
From: lee at nerds.org.uk (Lee Brotherston)
Date: Tue, 10 Jun 2008 09:00:52 +0100
Subject: [Dailydave] PCI-DSS and ssh public key question
In-Reply-To:
References:
Message-ID: <20080610080052.GA71832@nerds.org.uk>

On Mon, Jun 09, 2008 at 04:27:14PM -0400, Paul Wouters wrote:
> Does anyone have a definitive answer on whether ssh public key encryption,
> without hardware tokens, is allowed according to PCI-DSS?
Unfortunately the PCI-DSS standard is generally fluffy enough that there is no definitive answer to much of it. I would say the best course of action is to ask your QSA when they are doing your gap analysis. After all, it's their opinion that counts, at least from the perspective of getting the accreditation anyway.

Thanks

Lee

--
Lee Brotherston -

From pmelson at gmail.com Tue Jun 10 06:39:37 2008
From: pmelson at gmail.com (Paul Melson)
Date: Tue, 10 Jun 2008 06:39:37 -0400
Subject: [Dailydave] PCI-DSS and ssh public key question
In-Reply-To:
References:
Message-ID: <40ecb01f0806100339u6e0210do5fc51dd1617edae8@mail.gmail.com>

On Mon, Jun 9, 2008 at 4:27 PM, Paul Wouters wrote:
> Does anyone have a definitive answer on whether ssh public key encryption,
> without hardware tokens, is allowed according to PCI-DSS?
> pci_audit_procedures_v1-1.pdf section 8 seems to suggest passwords for
> everyone or two factor auth, and sudo passwords for everyone for audit
> trail.

8.2 requires that all of your authentication schemes use at least one of password, token, cert, public key, or biometrics. SSH keys would fall into the public key category, which is, for PCI-DSS purposes, a "token." That means that for remote access (across the Internet or some other public network), you must combine it with a password. The password to unlock the client keystore doesn't count.

> Of course, this makes changing 100 servers' configuration requiring root
> access either the worst job in the universe, or will see some awful
> "expect" wrappers to stop sysadmins from leaving their job to serve coffee
> at Star Bucks.

Starbucks has to be PCI compliant, too. There is no escape.

> Personally, I would trust ssh keys over admins (including myself) not
> screwing up their password wrappers.

Especially since 8.4 requires that you not store the password or the key to said password in clear text anywhere.

> It seems the answer might be depending on your auditor.....

Bingo.
PaulM

From bkdelong at pobox.com Tue Jun 10 11:22:01 2008
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 10 Jun 2008 11:22:01 -0400
Subject: [Dailydave] PCI-DSS and ssh public key question
In-Reply-To: <20080610080052.GA71832@nerds.org.uk>
References: <20080610080052.GA71832@nerds.org.uk>
Message-ID:

Not to get too off-topic but one of the questions many merchants have been asking is how willing is the QSA to stand up for their audit findings and PCI Compliance certification? Hannaford is obviously one of the more recent examples as they were deemed compliant and yet they had a fairly large breach. It's not news that every QSA is different and some are far more strict than others - are there any accountability standards for QSAs? Can the PCI Council or the card acquirer affected sanction a QSA for an audit that was too lenient? Yes, PCI Compliance does not equal being secure by any means but that is definitely an end-goal of the PCI-DSS (with another major one being the game of risk transference).

I would also follow up Lee's comments, (to keep this on topic), to make sure said compensating control is proposed to the QSA in writing and approved by them in writing to maintain the full audit trail. I've heard of quite a few cases where an auditor says one thing and the acquirer or Council says another and no one can find the paperwork to reconcile.

On Tue, Jun 10, 2008 at 4:00 AM, Lee Brotherston wrote:
> On Mon, Jun 09, 2008 at 04:27:14PM -0400, Paul Wouters wrote:
>> Does anyone have a definitive answer on whether ssh public key encryption,
>> without hardware tokens, is allowed according to PCI-DSS?
>
> Unfortunately the PCI-DSS standard is generally fluffy enough that
> there is no definitive answer to much of it. I would say the best
> course of action is to ask your QSA when they are doing your gap
> analysis. After all, it's their opinion that counts, at least from
> the perspective of getting the accreditation anyway.

--
B.K.
DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From lists at bughunter.ca Wed Jun 11 16:54:24 2008
From: lists at bughunter.ca (Justin Seitz)
Date: Wed, 11 Jun 2008 14:54:24 -0600
Subject: [Dailydave] Windows Kernel Exploitation Papers
Message-ID: <48503B80.4020607@bughunter.ca>

Kostya and I published a couple of papers today and of course are always looking for feedback:

Exploiting Kernel Pool Overflows (Kostya Kortchinsky)
http://immunityinc.com/downloads/KernelPool.odp

The I2OMGMT Driver Impersonation Attack (Justin Seitz)
http://immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf

All comments appreciated!

JS

From dan at geer.org Sun Jun 15 14:19:52 2008
From: dan at geer.org (dan at geer.org)
Date: Sun, 15 Jun 2008 14:19:52 -0400
Subject: [Dailydave] reminder of upcoming deadline
In-Reply-To: Your message of "Tue, 06 May 2008 06:47:51 EDT." <20080506104751.4059133DCC@absinthe.tinho.net>
Message-ID: <20080615181952.A1AF033E01@absinthe.tinho.net>

MetriCon 3.0 agenda at this URL
http://www.securitymetrics.org/content/Wiki.jsp?page=Metricon3.0

Workshop is limited attendance though some small number of requests can still be granted; send same by e-mail to metricon3 at securitymetrics.org

Best,

--dan

From dave at immunityinc.com Mon Jun 16 17:16:00 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 16 Jun 2008 17:16:00 -0400
Subject: [Dailydave] Tracks through the desert
Message-ID: <4856D810.2030001@immunityinc.com>

Pablo just got back from RECon and his talk is now posted on our Resources page.
http://www.immunityinc.com/resources-papers.shtml

The basic thrust of a lot of people's efforts lately is that you need to combine what you know about the high level languages running in a VM with what you know about other C++ components of an application. This helps when writing exploits (by manipulating memory layouts, for example) but also for finding interesting vulnerabilities.

-dave

From publists at enablesecurity.com Wed Jun 18 10:01:11 2008
From: publists at enablesecurity.com (Sandro Gauci)
Date: Wed, 18 Jun 2008 16:01:11 +0200
Subject: [Dailydave] The Extended HTML Form attack revisited
Message-ID: <69e56bb50806180701g158e45bcqd3dc1c8cc2116951@mail.gmail.com>

Hi -

Back in 2002 I had published details of a vulnerability affecting most web browsers. It detailed a security flaw that allows attackers to abuse non-HTTP protocols to launch Cross Site Scripting attacks even when a target web application was not vulnerable to XSS. Six years later I'm releasing an update to this research in this paper. This security vulnerability still affects popular web browsers nowadays and the following browsers were tested as vulnerable:

* Internet Explorer 6
* Internet Explorer 7
* Internet Explorer 8 (beta 1)
* Opera 9.27
* Opera 9.50
* Safari 1.32
* Safari 3.1.1

Others have described how to abuse this behavior for purposes other than Cross Site Scripting. NGSSoftware previously published a paper called "Inter-Protocol Exploitation" which references the original EyeonSecurity paper.
Paper at:
http://resources.enablesecurity.com/resources/the%20extended%20html%20form%20attack%20revisited.pdf
or
http://tinyurl.com/5d88ll

--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

From dave at immunityinc.com Wed Jun 18 11:03:23 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 18 Jun 2008 11:03:23 -0400
Subject: [Dailydave] Old friends installed on a server near you!
Message-ID: <485923BB.5000302@immunityinc.com>

I spent some time improving an old friend a couple days ago:

http://www.immunityinc.com/products-hydrogen.shtml <--see more here
https://www.immunityinc.com/cgi-bin/gethydrogen.py <--get it here

The 1.8 release of Hydrogen fixes two important bugs:
o setwrap doesn't need to be called twice
o spaces in Windows paths no longer confuse the Hydrogen children.

-dave

From dave.aitel at gmail.com Tue Jun 24 20:25:58 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 24 Jun 2008 20:25:58 -0400
Subject: [Dailydave] Getting your mojo back
Message-ID:

So one thing I've noticed with hackers is they tend to occasionally lose their mojo. This might be because of random other life events, or because for whatever reason they've burnt out on a problem. Generally the only solution is to take on a series of easy problems for a while until the brain gets back in order.

One thing I find, if not easy, then satisfying is teaching these how-to-hack classes. Over time, of course, you have to change your classes - Windows 2000 is a good learning tool, but there's going to be a time when the class has to be taught entirely with ActiveX controls and OS X remotes. For now though, it's Windows 2000. Gotta love it.
Anyways, more posts this month than last month. I'm starting to feel the heart of darkness beat again.

In the meantime I spent some time reading the IATAC newsletters, to warm up, and you notice things like the paper by Wei Li, Lap-chung Lam, and Tzi-cker Chiueh about Win32 sandboxing [1] draws graphs by looking at the call stack. The call stack, of course, is data which is in user-space, under hacker control. Likewise you don't see a whole lot about threading in the paper - threading being the problem all system call graph algorithms blow up on. They claim that the false negative rate for their system is "miniscule". This is probably true for any system no one has ever attacked, but given a couple days and a hacker with some mojo, I'm sure that can be changed. :>

-dave

[1] http://iac.dtic.mil/iatac/IA_newsletter.jsp

From dr at kyx.net Fri Jun 27 11:58:37 2008
From: dr at kyx.net (Dragos Ruiu)
Date: Fri, 27 Jun 2008 08:58:37 -0700
Subject: [Dailydave] BA-Con 2008 CFP - Buenos Aires, Sept. 30 / Oct. 1 (closes July 11 2008)
Message-ID: <200806270858.38162.dr@kyx.net>

BA-Con 2008 CALL FOR PAPERS

BUENOS AIRES, Argentina -- The first annual BA-Con applied technical security conference - where the eminent figures in the international and South American security industry will get together and share best practices and technology - will be held in Buenos Aires on September 30 and October 1st, 2008. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.
The BA-Con meeting provides local and international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of South America's largest metropolises. All material will be translated into both Spanish and English. Evening social activities will be planned to provide personal networking opportunities.

The BA-Con conference will also feature the availability of the Security Masters Dojo expert network security sensei instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers and lightning talk proposals for selection by the international BA-Con technical review committee. Please make your paper proposal submissions before July 11th, 2008. Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers, and speaking background to secwest08 [at] ba-con.com.ar . Only slides will be needed for the September paper deadline, full text does not have to be submitted - but will be accepted and translated on a best effort basis if available.

The BA-Con 2008 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.
The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this material has been or will be published/submitted.
10. Do you have any special demo or network requirements for your presentation?

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to secwest08 [at] ba-con.com.ar to be considered for placement on the speaker roster, or to have your lightning talk scheduled.

We would like to extend a special thanks to our local partners at Core Security Technologies, and the gracious sponsorship of Microsoft, and Symantec for making this event possible and letting us keep the registration fee lower in local currency while letting us cover the costs of international speakers.
cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina Sept. 30 / Oct. 1 - 2008 http://ba-con.com.ar
Tokyo, Japan November 13/14 - 2008 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

From dave at immunityinc.com Fri Jun 27 19:21:04 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 27 Jun 2008 19:21:04 -0400
Subject: [Dailydave] Immunity Training en Espanol!
Message-ID: <486575E0.6090006@immunityinc.com>

Immunity, Inc. is offering, for the first time, an open CANVAS training in Buenos Aires. The entire class will be given in Spanish. Immunity usually gives this class at its headquarters in Miami Beach, Florida, and until now it has always been given in English. This is a great opportunity for anyone interested in attending.

The training dates are July 10 and 11, 2008. The total cost of the class is $1000 USD. Included in this price: a free copy of CANVAS, manuals, lunch and the corresponding certification upon completing the class.

If you are interested in attending this class, send an email to admin at immunityinc.com for more details about the class and the location where it will be held.

****

Immunity Inc. is offering a two-day Public Canvas Training class for the first time in Buenos Aires. The entire class will be taught in Spanish. This class is usually only held at the Immunity Inc. headquarters in Miami Beach, FL, and until now the class has only been taught in English. This is a very exciting opportunity for anyone interested in attending.

The class is scheduled for July 10 and 11, 2008. The total cost of this 2 day class is $1000 USD. Included in the cost of the class is a free single user CANVAS license, training manuals, lunch and a certificate upon successful completion of the class.
If you are interested in attending this class please email admin at immunityinc.com for more details about the class and location of the training.

From dave at immunityinc.com Fri Jun 27 20:50:27 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 27 Jun 2008 20:50:27 -0400
Subject: [Dailydave] The reporting gap
Message-ID: <48658AD3.9030706@immunityinc.com>

It's interesting that the security "tactical" reporting, largely filled by blogs, has been pretty spotty lately. Is the latest Flash bug 0day or not 0day? Is the Adobe Reader bug being exploited in the wild, or not? Perhaps it's an indication that people are paying less attention to each individual vulnerability now. But I think it's something worse.

There's a lot of stuff a good security weblog that's vendor independent COULD say though. The market is still pretty unprobed - there's a lot of huge security companies out there no one writes about. Take one: INS.com. There's a thousand more like that, and they have a huge impact on the market, technology, and everything else we do. When was the last time you heard about them on ZDNet or eWeek or The Register?

I won't claim to be "vendor independent" or even technology agnostic. But there's a gap here in our industry that more journalists and analysts should fill. 451Group and a few others are there, but we need more.
-dave

From prabu at hackinthebox.org Fri Jun 27 21:13:15 2008
From: prabu at hackinthebox.org (Praburaajan)
Date: Sat, 28 Jun 2008 09:13:15 +0800
Subject: [Dailydave] CFP for HITBSecConf2008 - Malaysia closing soon !
Message-ID: <4865902B.5010508@hackinthebox.org>

This is a reminder that the Call for Papers for HITBSecConf2008 - Malaysia is closing on the 30th of June.

The HITBSecConf series is a deep-knowledge technical conference. Talks that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before.

Details on topics of interest and submission guidelines are listed on the conference page:

http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=72
https://conference.hitb.org/hitbsecconf2008kl/?page_id=72

We look forward to receiving your submissions!

From jf at danglingpointers.net Sat Jun 28 05:21:48 2008
From: jf at danglingpointers.net (jf)
Date: Sat, 28 Jun 2008 09:21:48 +0000 (UTC)
Subject: [Dailydave] The reporting gap
In-Reply-To: <48658AD3.9030706@immunityinc.com>
References: <48658AD3.9030706@immunityinc.com>
Message-ID:

> But there's a gap here in our industry that more journalists and
> analysts should fill. 451Group and a few others are there, but we need more.

the problem is journalists are not hackers, and hackers (typically) are not journalists-- which means that with a few exceptions, your hacker news will always suck.
From dave at immunityinc.com Sun Jun 29 12:49:34 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Sun, 29 Jun 2008 12:49:34 -0400
Subject: [Dailydave] Twitter: (verb) to fail under exponential growth
Message-ID: <4867BD1E.9010901@immunityinc.com>

Talking with my British friends lately they're all quite obsessed with trash. For good reason, I assume, since they now have strict recycling regulations that make the "please sort your trash" Miami Beach and NYC laws seem as worthless as the paper they wasted making them. In NYC the landlord theoretically got fined, but if you were up in the morning you could watch the trash trucks throw the recycling into the same bin as the rest of the trash. Here in Miami it's more real, but you still generate a huge amount of trash every week. Essentially it's an obscene amount of bottles and other things that look different for marketing's sake. What if, like in DKM's books, everything had the same basic package? If all beer comes in "bulbs" then you don't need to recycle, you just need to reuse them.

I don't know if that's ever going to happen, but it's clear that what we have now is not even close to sustainable. It's a model that fails under exponential growth, like Twitter or anti-virus signatures.

I've always wondered about the rest of our technology that fails in a similar way. Why do our application assessment tools not also fix the bugs they find? If you're trying to buy web application scanning, then your scanner should also be updating the application to fix those pesky SQL Injection bugs. Your binary/source analysis tool should be svn committing patches to fix your overflows. If you have to rely on a developer to understand the bugs themselves, it doesn't scale. Your network attack tool should upload and run the right patch automatically.[1] Does the modern generation of scanners do this?
-dave

[1] Obviously you can upload a management program like BindView instead, but this means you have to MANAGE everything, which doesn't scale.

From ceng at Veracode.com Sun Jun 29 15:02:07 2008
From: ceng at Veracode.com (Chris Eng)
Date: Sun, 29 Jun 2008 15:02:07 -0400
Subject: [Dailydave] Twitter: (verb) to fail under exponential growth
In-Reply-To: <4867BD1E.9010901@immunityinc.com>
References: <4867BD1E.9010901@immunityinc.com>
Message-ID: <79348E23E9D34F4F8032010B2913D72B0123BDF4@NexusCore.Veracode.local>

Oh come on, you know the answer to that. Because things break. Same reason people don't run WAFs in prevent mode, same reason IPS isn't more popular. Source/binary tools could patch automatically, in theory, but in order to measure whether it broke something, you have to have an extremely robust regression suite. Network scanners applying patches for known vulns... don't some products do that already, integrating with patch management tools and whatnot?

> I've always wondered about the rest of our technology that
> fails in a similar way. Why do our application assessment
> tools not also fix the bugs they find? If you're trying to
> buy web application scanning, then your scanner should also
> be updating the application to fix those pesky SQL Injection
> bugs. Your binary/source analysis tool should be svn
> committing patches to fix your overflows. If you have to rely
> on a developer to understand the bugs themselves, it doesn't
> scale. Your network attack tool should upload and run the
> right patch automatically.[1] Does the modern generation of
> scanners do this?
>
> -dave
> [1] Obviously you can upload a management program like
> BindView instead,
> but this means you have to MANAGE everything, which doesn't scale.

From adrien at kunysz.be Sun Jun 29 15:13:08 2008
From: adrien at kunysz.be (Adrien Krunch Kunysz)
Date: Sun, 29 Jun 2008 20:13:08 +0100
Subject: [Dailydave] Twitter: (verb) to fail under exponential growth
In-Reply-To: <4867BD1E.9010901@immunityinc.com>
References: <4867BD1E.9010901@immunityinc.com>
Message-ID: <20080629191308.GA10291@krunch-laptop>

On Sun, Jun 29, 2008 at 12:49:34PM -0400, Dave Aitel wrote:
> I don't know if that's ever going to happen, but it's clear that what we
> have now is not even close to sustainable. It's a model that fails under
> exponential growth, like Twitter or anti-virus signatures.
>
> I've always wondered about the rest of our technology that fails in a
> similar way. Why do our application assessment tools not also fix the
> bugs they find?

Because they also find false positives?

> If you're trying to buy web application scanning, then
> your scanner should also be updating the application to fix those pesky
> SQL Injection bugs. Your binary/source analysis tool should be svn
> committing patches to fix your overflows. If you have to rely on a
> developer to understand the bugs themselves, it doesn't scale. Your
> network attack tool should upload and run the right patch
> automatically.[1] Does the modern generation of scanners do this?
Your proposition seems to fall between the "Automatic programming" and "Program verification" paragraphs of the 1986 No Silver Bullet paper. I suggest you reread it.

From mmaiffret at inveniosecurity.com Sun Jun 29 20:41:58 2008
From: mmaiffret at inveniosecurity.com (Marc Maiffret)
Date: Sun, 29 Jun 2008 17:41:58 -0700
Subject: [Dailydave] Twitter: (verb) to fail under exponential growth
In-Reply-To: <4867BD1E.9010901@immunityinc.com>
References: <4867BD1E.9010901@immunityinc.com>
Message-ID: <000f01c8da4a$1bf0a550$53d1eff0$@com>

> -----Original Message-----
> From: Dave Aitel
> Talking with my British friends lately they're all quite obsessed with
> trash. For good reason, I assume, since they now have strict recycling

I am not sure what unsustainable growth in human garbage or number of virus signatures, really has to do with security tools not taking the extra step in automation. Vulnerability Assessment, and Code Bugs do not create an exponential amount of findings but rather a steady stream, mileage may vary. Some could argue they are exponential in their databases of things to scan for but that is not true with code bugs and in the case of VA typically there is a lot of superseded patches where you are looking for the latest rollup rather than the 100 bugs that led up to it. But I'm digressing...

> I've always wondered about the rest of our technology that fails in a
> similar way. Why do our application assessment tools not also fix the
> bugs they find? If you're trying to buy web application scanning, then
> your scanner should also be updating the application to fix those pesky
> SQL Injection bugs. Your binary/source analysis tool should be svn
> committing patches to fix your overflows.
> If you have to rely on a
> developer to understand the bugs themselves, it doesn't scale. Your
> network attack tool should upload and run the right patch
> automatically.[1] Does the modern generation of scanners do this?

Automation can be a great thing or it can be a bane. Too many times these days technology caters to laziness or as Band-Aids to human stupidity like the difference between side airbags and cars that can parallel park themselves. Coding mistakes are a human problem, not a technology one. You very well could create an asp source code scanner that not only fixes but patches vulnerabilities but most likely the humans that write that program will fail at thinking about all of the nuances in coding and build processes across organizations and therefore completely f-things up in the process of automation. And at that point we would probably have forgotten why we wanted to automate this in the first place. Because we have tools that can already pinpoint code problems but companies are too lazy to care to get them fixed.

For smaller companies they just simply have no idea what any of us are currently talking about and probably outsourced their website to someone equally as clueless and none of these people are making enough money to afford to build things the right way[1]. Which is why Google Apps and Microsoft Live are doing it all for them. They can afford to do it securely and hopefully care enough to. For large companies though it would simply cost them more time/money to try to use automated code fixing tools than tools that detect potential problems that are reviewed by educated developers. And I can hear it now, "developers don't know anything!" and I completely agree but that is the root of the problem and where the money should be spent more than anywhere else.

The complexity in security is not from any complexity in technology but the complexity in motivating people to truly care about security and act accordingly.
Non-accidental Murder by Technology will help speed people's thinking along.

> -dave
> [1] Obviously you can upload a management program like BindView
> instead,
> but this means you have to MANAGE everything, which doesn't scale.

Companies already have to manage everything so they will have to deal with scale either way. Maybe BindView does not scale (I don't know) but there are companies in the world that manage half a million or more windows systems centrally, including patching, and they do an extremely good job of it.

As you seem passionate on the subject I cannot help but ask, when is Canvas coming out with a feature to automatically push patches for vulnerabilities it uses to own a system and how will you handle zeroday? :-)

Signed,
Marc Maiffret
Founder/CEO
Invenio Security
Security Services & Training
http://www.inveniosecurity.com

[1] - That is not to imply that security, but rather intelligence, is an expensive purchase.

From lmh at info-pull.com Mon Jun 30 14:52:57 2008
From: lmh at info-pull.com (Lance M. Havok)
Date: Mon, 30 Jun 2008 20:52:57 +0200
Subject: [Dailydave] Twitter: (verb) to fail under exponential growth
In-Reply-To: <000f01c8da4a$1bf0a550$53d1eff0$@com>
References: <4867BD1E.9010901@immunityinc.com> <000f01c8da4a$1bf0a550$53d1eff0$@com>
Message-ID:

Hi Mr. Maiffret,

Nice to meet you, I guess. I was already pretty much off from the whole computer security thing, and I was packing my stuff for going on a legendary pilgrimage to the beach for partying hard, wasting myself and possibly destroying my last few sane brain cells with some drugs and booze. Therefore, before I become incurably clueless and insane, I decided to reply to this message. I still have a goodbye letter pending and a last bang to shut the door behind forever. So here we go... yeah dude!

On Mon, Jun 30, 2008 at 2:41 AM, Marc Maiffret wrote:
>> -----Original Message-----
>> From: Dave Aitel
>> Talking with my British friends lately they're all quite obsessed with
>> trash.
>> For good reason, I assume, since they now have strict recycling
>
> I am not sure what unsustainable growth in human garbage or number of virus
> signatures, really has to do with security tools not taking the extra step
> in automation. Vulnerability Assessment, and Code Bugs do not create an
> exponential amount of findings but rather a steady stream, mileage may vary.
> Some could argue they are exponential in their databases of things to scan
> for but that is not true with code bugs and in the case of VA typically
> there is a lot of superseded patches where you are looking for the latest
> rollup rather than the 100 bugs that led up to it. But I'm digressing...

Every patch once in a while introduces another hundred bugs. And people still have to care about patching bugs they consider 'unimportant'.

> Automation can be a great thing or it can be a bane. Too many times these
> days technology caters to laziness or as Band-Aids to human stupidity like
> the difference between side airbags and cars that can parallel park
> themselves.
>
> The complexity in security is not from any complexity in technology but the
> complexity in motivating people to truly care about security and act
> accordingly. Non-accidental Murder by Technology will help speed people's
> thinking along.

Why should we care about security anyway? Security these days is becoming a matter of crowd control, nothing else. Normal people don't give a shit about the details or whatever other cranky technology affecting their security. Technology is the new form of slavery. The more connected you are, the more control others can exercise on yourself. I was reading an interview done by Hubbard's (the Scientology founder) son, and he basically said something alas: "Scientology counseling revolves around your sexual life. If you know every sexual detail, dirty deed, desire and craving of an individual, you control his life." Technology is pretty much becoming the new cancer of nowadays society.
Security in technology is just an accident. We are hyper-connecting ourselves, everything is getting networked. From phones to fridges, to dildos, anything. You are broadcasting your whole life, and nobody really cares about it until they want to steal your bank information. This whole new thing about technology is that it makes you and me, the average random idiot on Earth, feel like we are someone special. Goddammit, there are more than 6k million people on this planet. Illusion of self-importance. Might make you feel good and fuzzy, but it's freaking non-existent. You won't achieve enlightenment in your life while blogging about your last trip to Las Vegas. No fucking way. I would pay to see Ned Ludd brought back to these days.

> Companies already have to manage everything so they will have to deal with
> scale either way. Maybe BindView does not scale (I don't know) but there are
> companies in the world that manage half a million or more windows systems
> centrally, including patching, and they do an extremely good job of it.
>
> As you seem passionate on the subject I cannot help but ask, when is Canvas
> coming out with a feature to automatically push patches for vulnerabilities
> it uses to own a system and how will you handle zeroday? :-)

You miss the point about CANVAS. It's an offensive technology. It's not supposed to defend you against anything. It simply provides an efficient way to have a real perspective of how clueless your network security people are, and how you should be moving from Apache/PHP to IIS/ASP.NET. If you don't like that, go develop a plugin and plug it into the framework.

The point here is that the whole industry and the technologies developed by people working at it, pretend to be defensive.
They pretend like if by investing a crap load of money on a super advanced IDS megasystem of anti-hacker nanotechnology, you could actually prevent your employees from downloading child pornography, suffering targeted attacks via Office documents, leaking information via P2P software, etc. The same goes for antiviruses, for vulnerability assessment, etc. There are a whole helluva lot of smart asses out there who can audit your code and still miss incredibly stupid shit. How do you like that? And you are paying 2k bucks a day for each code-leaking auditing minion.

The only technology that has actually worked overtime is grsecurity and watch out for the imitators out there. Brad did an excellent job at freely licensing it. You know what, I was gonna work on a BSD-licensed grsec-like security patch for NetBSD. I would hope to have it promptly stolen by Apple (since I was going to use the kauth subsystem, they wouldn't need much integration work). Why? Because the still emerging market for OS X security would be pointless afterwards. Maybe some journalist would still pick random remote root bug news from random security vendors. So what. How did we end up with OS X security becoming a mainstream interest for the security industry? Sigh.

No matter how many band aids and koolaids we take, security doesn't exist. Enough said. Stop making a business of defensive security technology that doesn't work. Go buy CANVAS (no, seriously, do it, it's like Metasploit but for professionals, and you will see a grasp of its potential).

- Lance.

From lmh at info-pull.com Mon Jun 30 23:12:08 2008
From: lmh at info-pull.com (Lance M. Havok)
Date: Tue, 1 Jul 2008 05:12:08 +0200
Subject: [Dailydave] The final countdown
Message-ID:

Before I write my true, final farewell letter (jokes aside), I will put some links to the exploit I promised to release months ago.
I just didn't have the thrill to finish it and publish it, so I've used the version I found in some random hard disk, and the original movie.

http://lul-disclosure.net/exploits/openbsdjizz.c
http://lul-disclosure.net/lulz/openbsdjizz-the_movie.html

It's for OpenBSD 4.0 and it indeed gives you a root shell. Don't ask me for help about reading the source code. Yes, it's the first animated exploit on Earth as far as I know. Lul-disclosure is not under my control, even though I'm a dormant member of the staff since I pretty much enjoy the idea of 'lulzhats' (neither blackhats nor whitehats, and hats are awkward). Please give props to those guys.

Now let's get to my rather long letter...

It's been a long wait. It's been a long time since I coded my first exploit back when I was about 10 and clueless about mostly everything else. It's been roughly 7 years doing this kind of stuff non-stop, using a handful of nicknames and avoiding public recognition under my signature as much as possible. After all, nicknames are volatile and using an alias makes sure I don't get too proud of myself. Polishing my tongue-in-cheek humor and ironic comedy. Learning languages one after another and feeling like they were all the same, just to end up using them all at once and grow incurably insane. It's been a great time of using my slightly obnoxious bipolar disorder for something productive and have a fucking blast with it. It's been a great amount of really high highs and really low lows, not hitting the pipes but almost there.

At some point I realized it was time to change towards another direction and my lifestyle didn't really fit well with investing long periods of time in front of a machine. I was talking the other day with my friend Mr. B, and I tried to explain this weird philosophy of mine, of how we've been given the opportunity to live for a short period of time, and how the 6k million people on this planet can't waste their life pretending to live them like a cheap scripted drama.
I refuse to accept the idea of running my life like if anything I could do would change anything in this world. Whether we like it or not, we ain't unique snowflakes. Today there's nothing you can do that hasn't been done some other way before. Confidence, betrayal, trust, friendship... history has got enough stories of all of them and just because you ignore it doesn't mean they won't happen again to you. When I say scripted life, it's pretty much a short set of steps that repeat over and over in mostly every human being out there:

1. Your parents have sex. You literally 'happen' (yeah, you've never been a tick in a calendar, we are mostly accidents and that's it).
2. You get born. Welcome to Planet Dust, have a nice fucking day!
3. You start babbling your first words, start walking and go to kindergarten.
4. You start going to school. Damn, that was fun shit.
5. You start high school. First kiss, maybe first sex experience nowadays (alright, if you are a nerd or look like one then this won't happen, sorry, life's hard).
6. You finish high school and enroll in a nice looking college, and your mom prepares a nice looking cake for you.
7. You finish college and get a stable girlfriend.
8. You get married with this Elisabeth girl who prepares incredible apple pies.
9. You have kids.
10. ????
11. No profit.

The story repeats once again. So basically we have this choice: either live the short period of time you've been given to do so, in a manner that is unique and absolutely different from that of most other people, or conform to the norm and be a potential frustrated individual for the rest of your repetitive life.

Let's imagine for a second that you have terminal cancer and an expected life span of 3 months. Are you going to spend them getting a degree? Avoiding drugs? Avoiding conflict and potentially risky activities? Playing nice and talking politically correct, even though you feel like crashing your car away?
No way in hell, you will try to have a blast and experiment almost anything out there. You will do drugs, you will risk your ass to death (after all, it's inevitable, and that way you have a little control about how it's gonna happen or where, probably not a hospital room).

Security is becoming pretty much the opposite of that. The true sense of hacking is dead. Very few people if anyone truly does it for the sake of doing it. I resigned from my security industry job past year and made the decision to avoid doing this for a paycheck. And also enjoyed the freedom of being able to tell people to shut the fuck up and not worry about my 'professional reputation' being tarnished. I could care less. So many people in the industry don't say a word just because they believe their reputation might be tarnished. Others simply play better in this happy world of 'everyone is neat and fuzzy' (even though they might despise each other to the bone).

I don't come from a low end family (actually, the opposite, which represented further trouble with my rather rebellious attitudes), and I did have a rather expensive education (until I dropped out, after getting my high school diploma). I had the opportunity to go through one of those boring IQ tests (WISC-R if anyone cares, score is irrelevant since everyone knows I'm mentally troubled in several ways!) and found out that I didn't want to join Mensa's chocolate club when I was offered to. I freaking hate chocolate. I had access to expensive equipment (my mother indeed paid for that SPARC64 1U rack box, thanks mom!) and I was given literature since I was pretty much around 4-5. I was talking and writing by that age anyway (and yeah, I was drawing penises like any normal kid out there, though the fact that I still do it is clearly not 'normal' per se, but my friends enjoy the barbecues). And I still despise being pushed towards living through steps I didn't find the least appealing. And no, I don't have a police record.
I'm clean as a pearl and hard as a pillow! Just kidding, but I'm clean. I swear. Well, maybe a battery but that was all. My current age is irrelevant as well, but don't let the juvenile style fool you. I emancipated at 16 and started working early as well, and for some time I truly believed in this whole idea of 'having a stable life'. That was until I tried it. It didn't feel like it was the kind of thing you want to run for 30 years. 20 years. 10 years. Definitely not.

Nowadays we are obsessed with extending lifespan. We want to live forever. That's pretty much bullshit. Like it's said in Moby Dick (man the harpoons!)... life is only meaningful thanks to contrast. You can't feel warm if you don't feel cold in some part of your body. In the same fashion as you can't feel comfort if you don't experience disgusting situations once in a while. It's not really about "Live Fast, Die Young" (and leave a corpse in any case, obviously), it's more about being sure you've truly *lived* when you are about to die. A long lifespan won't help you to find the necessary contrast between experiencing life and having a meaningless, futile one. You can't appreciate the time you've been given here without knowing it's gonna be short and intense.

And you will likely ask yourself if I'm not on crack, meth or some other hardcore shit while I'm writing this. Not really. I just feel there's talent out there, and a lot of potential, being wasted working in office cubicles. Being forced to live the way they are 'supposed' to, and not how they would really like. Just because someone has been in jail, doesn't mean that person is a waste. Just because you look Arab doesn't mean you want to blow up a freaking circus, and just because you work in the security industry doesn't mean you have to take all the bullshit moving around it.
I just feel I'm pretty much done wasting my time with several things and people around information security, and that it's the right time to let someone else take the role of bringing some humor and joy over here, like GOBBLES did in the past, among several others (likely better than me, I'm such a poser!). There will always be people like Dave, Brad, Mr. R, the turkey, and some others that keep it real and fun, but there will always be people that have nothing better to do than cringing, ranting and talking bullshit about someone else or their work. And there will be me again some day, haha!

Keep hacking alive, live fast, and don't let the bullshit get to you. And remember.... it's better to burn out than fade away! (no, this ain't a suicide note, just in case ;P)

Yours truly,
Lance, the guy who writes long letters and prints them on toilet paper.