From rodrigo at kernelhacking.com Sat Mar 1 02:12:25 2008
From: rodrigo at kernelhacking.com (Rodrigo Rubira Branco (BSDaemon))
Date: Sat, 1 Mar 2008 7:12:25 -0000
Subject: [Dailydave] VPC
Message-ID: <20080301101225.1CF458BD1A@mail.fjaunet.com.br>

Hello Joanna,

> Let me point out some issues here:

Sure, thanks for that...

> 1) On slide #13 you refer to me (at least I assume it is me):

Yes, you are the reference in this subject, right?

> fact that we don't know all the possible hooking places (type II hooking
> places) that an attacker might use, *not* the problem of tamper proof
> detector code.

Hmm, indeed... the idea of guaranteeing that all the code is tamper proof is exactly to avoid any hook being used... as I think you noticed in the presentation, the project itself tries to use the difficulty of locating any possible hook to insert random entries into SMM...

> Another reason for seeking help in hardware, this time when implementing
> kernel protection (as opposed to detection) is

Again, the project implements protection and detection, in different ways... the smm-hackish is a new thing inserted to guarantee another level of security... there are lots of other problems to be solved related to the kernel data itself, since the project does not try to protect user-mode applications, just to guarantee that the kernel itself has not been modified.

> that for an effective
> protection we need to move drivers (or groups of drivers) into separate
> domains/address spaces. We can not effectively do that without IOMMU/VT-d.

I agree on the matter of protection against system subversion, not on the matter of protecting the kernel integrity itself. Also to clarify, I myself proposed hardware additions in some situations, including to do the proposed hackish (see the Power architecture portion of the presentation).

> 2) On slides #54 you write: "The idea of putting the entire kernel as
> read-only seems good".
> Let me just point out that there is no such thing
> as "read-only kernel" -- kernel is a program, and as every program it
> also needs to use and operate on *data* that change all the time and
> cannot be made read-only by definition. So even if you can force the
> kernel *code* to be read-only (which is a good idea indeed and digital
> signatures are useful in actually verifying this property), the kernel
> as a whole, is always read/write.

For sure it's just about the kernel .text. Also it's a reference to PaX protections.

> It seems to me that StMichael focuses more on detecting rootkit's code
> rather than ensuring system integrity.

Yes. In the presentation I make very clear that what StMichael does is guarantee that no kernel modification is done by rootkits... not protect applications and the data itself.

> Just out of curiosity I would
> love to see a list of all the places that are checked by StMichael.

For now it's basically the kernel .text and some important structural data. It also protects the LSM and SELinux management structures to guarantee no one will insert a rootkit using them or disable them at runtime (the first I proposed for a Defcon presentation and the second has been done by Spender in his exploit discussed here).

> 3) While the whole idea of putting own code into SMM seems interesting,
> I see it much more useful for writing kernel malware rather than
> security tools.

Yeah, I showed that use in my HITB Malaysia presentation...

> I really don't see a reason why to use this "hack"
> instead of using the virtualization technology, which was designed just
> for such tasks among others?

Well, I already gave the motivation, but again:

1) I started to work on it before virtualization had really spread ;)
2) Virtualization is not supported by lots of computers

> 4) BTW, AFAIK modern laptops have their SMRAM locked down just after it
> is initialized by SMM. Are you going to bypass this locking mechanism in
> order to install your protection system?
BIOS patching... I did it on my laptop and this is one of the topics discussed in the presentation.

Another question is the cost itself to enter SMM, verify integrity and everything else, and the timing to do that... It must be discussed/verified deeply...

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If I really know, I can hack
GPG KeyID: 1FCEDEA1

From arr at watson.org Sat Mar 1 14:59:18 2008
From: arr at watson.org (Andrew R. Reiter)
Date: Sat, 1 Mar 2008 14:59:18 -0500 (EST)
Subject: [Dailydave] VPC
In-Reply-To: <276004ce0802281543l16babc4bja6be34c4fdbbdef7@mail.gmail.com>
References: <47BD746D.5040201@immunityinc.com> <276004ce0802281543l16babc4bja6be34c4fdbbdef7@mail.gmail.com>
Message-ID: <20080301145558.S52493@fledge.watson.org>

hey,

On Thu, 28 Feb 2008, Matt Richard wrote:

[snip]

> I have only seen defensive implementations such as the work of
> Garfinkel and Rosenblum at Stanford. Their use case is a modified
> hypervisor that can monitor critical OS data structures. One of their
> implementations watches the Linux system call table and can prevent
> modification to thwart rootkits.
>
> http://www.cs.fit.edu/%7Epkc/id/related/garfinkel03ndssVM.pdf

Admittedly I just browsed this paper (so please forgive any poor assumptions I make), but it seems their syscall protection scheme just monitors the syscall table structure and not the actual syscall code. My point being -- for a long time people have just done jmp overwrites at the beginning (or another location known to be "ok") of the system call they are hooking so that they don't have to touch the values in the syscall table. Am I wrong about what they protect? If so, my fault!!
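Added example, not code from any message in this thread: a toy C model of the two detection strategies discussed above (a table-only check versus hashing the kernel .text, as StMichael does), showing that a table-only check misses an inline jmp overwrite of a handler's prologue while a text hash catches both styles, and why the text hash is the costlier, per-pass check. All handler names, byte patterns, sizes and the FNV-1a stand-in for a signature are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HANDLER_SIZE 16                 /* bytes of "code" per handler (constructed) */
#define NR_SYSCALLS  4
#define TEXT_SIZE    (HANDLER_SIZE * NR_SYSCALLS)
#define OP_JMP_REL32 0xE9               /* x86 near jmp with 32-bit displacement */

typedef int (*sys_handler_t)(void);

/* Constructed stand-ins for real handlers and for a rootkit's replacement.
 * Each returns a distinct value so the compiler cannot fold them together. */
static int sys_read_impl(void)  { return 0; }
static int sys_write_impl(void) { return 1; }
static int sys_open_impl(void)  { return 2; }
static int sys_close_impl(void) { return 3; }
static int evil_handler(void)   { return -1; }

/* Model of the kernel: a .text region (handler i lives at i*HANDLER_SIZE)
 * and a syscall table of function pointers. */
static uint8_t       kernel_text[TEXT_SIZE];
static sys_handler_t syscall_table[NR_SYSCALLS];

/* Baselines captured once, at "boot", before any untrusted code runs. */
static uint64_t      text_baseline_hash;
static sys_handler_t table_baseline[NR_SYSCALLS];

/* FNV-1a 64-bit: a cheap stand-in for the hash/signature a real checker uses. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Fill .text with a constructed prologue/epilogue per handler, fill the
 * table, and record both baselines. Also used to reset between scenarios. */
void kernel_boot(void)
{
    /* push ebp; mov ebp,esp; 11 x nop; leave; ret  (constructed bytes) */
    static const uint8_t body[HANDLER_SIZE] = {
        0x55, 0x89, 0xE5, 0x90, 0x90, 0x90, 0x90, 0x90,
        0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xC9, 0xC3 };
    for (int i = 0; i < NR_SYSCALLS; i++)
        memcpy(kernel_text + i * HANDLER_SIZE, body, HANDLER_SIZE);
    syscall_table[0] = sys_read_impl;
    syscall_table[1] = sys_write_impl;
    syscall_table[2] = sys_open_impl;
    syscall_table[3] = sys_close_impl;
    text_baseline_hash = fnv1a64(kernel_text, TEXT_SIZE);
    memcpy(table_baseline, syscall_table, sizeof table_baseline);
}

/* Check 1: table-only, the scheme as Andrew reads the paper. Cheap: four pointers. */
int table_check_ok(void)
{
    return memcmp(table_baseline, syscall_table, sizeof table_baseline) == 0;
}

/* Check 2: re-hash all of .text and compare with the boot-time value.
 * This is the "constant monitoring" whose cost grows with TEXT_SIZE per pass. */
int text_check_ok(void)
{
    return fnv1a64(kernel_text, TEXT_SIZE) == text_baseline_hash;
}

/* Check 3: a cheap heuristic that only inspects each handler's first byte. */
int prologue_check_ok(void)
{
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (kernel_text[i * HANDLER_SIZE] == OP_JMP_REL32)
            return 0;
    return 1;
}

/* Test fixtures simulating the two tampering styles named in the thread.
 * They only write into the arrays above; nothing here touches a real kernel. */
void simulate_table_hook(void)
{
    syscall_table[1] = evil_handler;     /* table entry swapped, .text untouched */
}

void simulate_inline_hook(void)
{
    /* first 5 bytes of handler 1 become "jmp rel32" with a constructed displacement */
    const uint8_t patch[5] = { OP_JMP_REL32, 0x78, 0x56, 0x34, 0x12 };
    memcpy(kernel_text + 1 * HANDLER_SIZE, patch, sizeof patch);
}

int main(void)
{
    kernel_boot();
    simulate_table_hook();
    printf("table hook : table=%d text=%d prologue=%d\n",
           table_check_ok(), text_check_ok(), prologue_check_ok());
    kernel_boot();
    simulate_inline_hook();
    printf("inline hook: table=%d text=%d prologue=%d\n",
           table_check_ok(), text_check_ok(), prologue_check_ok());
    return 0;
}
```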
:D

Cheers,
Andrew

From don.bailey at gmail.com Mon Mar 3 11:53:13 2008
From: don.bailey at gmail.com (don bailey)
Date: Mon, 03 Mar 2008 09:53:13 -0700
Subject: [Dailydave] VPC
In-Reply-To: <20080301101225.1CF458BD1A@mail.fjaunet.com.br>
References: <20080301101225.1CF458BD1A@mail.fjaunet.com.br>
Message-ID: <47CC2CF9.1090701@gmail.com>

>> 2) On slides #54 you write: "The idea of putting the entire kernel as
>> read-only seems good".
>> Let me just point out that there is no such thing
>> as "read-only kernel" -- kernel is a program, and as every
>> program it
>> also needs to use and operate on *data* that change all the time and
>> cannot be made read-only by definition. So even if you can force the
>> kernel *code* to be read-only (which is a good idea indeed and digital
>> signatures are useful in actually verifying this property), the kernel
>> as a whole, is always read/write.
>
> For sure it's just about the kernel .text. Also it's a reference to PaX
> protections.
>

Lots of kernels use read-only .text pages in kernel land. The problem is that your architecture may not care. For those that are familiar with Solaris kernel hacking, you may be familiar with the hotpatch() kernel function that allows you to patch read-only segments of a running kernel.

Second, digital signatures for segments of code (whether it's kernel code or an image stored on flash/etc) are really only valid when loading the code to verify its integrity. Constant monitoring of a segment of RAM for its signature is expensive. There are ways around this, of course, but the cost of implementation is great and you need specialized hardware.

D
http://kernelspace.us/

From elite_netbios at yahoo.com Tue Mar 4 11:42:02 2008
From: elite_netbios at yahoo.com (Hamid . K)
Date: Tue, 4 Mar 2008 08:42:02 -0800 (PST)
Subject: [Dailydave] Owning Citrix & Terminal Services Clients
Message-ID: <585550.18875.qm@web90501.mail.mud.yahoo.com>

I've posted some notes about this case, following previous works, on my blog a few days ago. I thought it may be interesting for some of the list members. Feel free to reply on the list, or drop some comments, especially about 'attack-1'. Here's the link:

http://hkashfi.blogspot.com/2008/03/citrix-terminal-service-and-some-dirty.html

regards
Hamid

----- Original Message ----
From: DSquare Security
To: dailydave at lists.immunitysec.com
Sent: Wednesday, February 27, 2008 9:47:32 PM
Subject: [Dailydave] Owning Citrix & Terminal Services Clients

Several vulnerabilities can help you to compromise a Citrix server or a Terminal Services server. So the question is: what can you do when you have privileged access on these Citrix and Terminal Services servers? The answer is simple: try to compromise Citrix and TS clients. There are at least two interesting ways to access client data:

1) Spying on his session to get passwords from a published application
2) Accessing his local drives if they are mapped in the session

D2CiTerm is designed to help you in this kind of work. Here are two demonstrations of this tool:

1) From a remote SYSTEM access after the exploitation of the Citrix MPS 4.0 IMA Service heap overflow: http://www.d2sec.com/d2citerm_1.htm
2) From a privileged Citrix session: http://www.d2sec.com/d2citerm_2.htm

This tool will be released in the next update of D2 Exploitation Pack.

--
DSquare Security, LLC
http://www.d2sec.com

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

From dave at immunityinc.com Wed Mar 5 08:39:00 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Wed, 05 Mar 2008 08:39:00 -0500
Subject: [Dailydave] WCF SSL Validation
Message-ID: <47CEA274.8060103@immunityinc.com>

So I'm doing an application assessment of a .Net 3.0 app that uses WCF a lot. I learned a lot of random things about Windows while reading up for it - they put http.sys into XP SP2, for example. I didn't realize that had gotten back-ported. Also the WCF .Net API does not treat certificates the same way that IE7 does. You can have a certificate imported into IE and then browse nicely through SPIKE Proxy but still have WCF requests fail with SSL validation errors. This is a pain but there's no way to bypass it that I can figure out. Today the plan is to bypass the need for SSL MITM by using Immunity Debugger to hook the http request API and modify it on the fly the way JMS usually does.

-dave

From rodney at tsc-labs.net Wed Mar 5 10:45:29 2008
From: rodney at tsc-labs.net (Rodney Thayer)
Date: Wed, 05 Mar 2008 07:45:29 -0800
Subject: [Dailydave] WCF SSL Validation
In-Reply-To: <47CEA274.8060103@immunityinc.com>
References: <47CEA274.8060103@immunityinc.com>
Message-ID: <47CEC019.2050303@tsc-labs.net>

Dave Aitel wrote:
> So I'm doing an application assessment of a .Net 3.0 app ...
> Also the WCF .Net API does not treat
> certificates the same way that IE7 does.
> You can have a certificate
> imported into IE and then browse nicely through SPIKE Proxy but still
> have WCF requests fail with SSL validation errors. This is a pain but
> there's no way to bypass it that I can figure out.

I thought they were both bolted into the Crypto API certificate store. Of course, they probably have asymmetric certificate validation callback processing. Have you tried CRLs or OCSP? Hell, if it's really doing certificate processing, a modern CAPI would probably have hooks to do extended key usage (baroque exotic certificate option) processing and that too could be asymmetric.

It's nice to see that certificate processing crosses your radar. It deserves your level of attention.

> Today the plan is to bypass the need for SSL MITM by using Immunity
> Debugger to hook the http request API and modify it on the fly the way
> JMS usually does.

Very cool. I hate it when people treat SSL as a cryptographic codpiece rather than defending the underlying technology.

From cmiller at securityevaluators.com Wed Mar 5 11:55:16 2008
From: cmiller at securityevaluators.com (Charles Miller)
Date: Wed, 5 Mar 2008 10:55:16 -0600
Subject: [Dailydave] WOOT '08 Call for papers
Message-ID: <0E64EF76-563C-45B9-B0FB-23087E9A6A43@securityevaluators.com>

Daily Dave guys:

Thought I'd interrupt the discussion of sandboxing/kernel hooking to ask for submissions to WOOT this year. The due date is June 1.
Details can be found at: http://www.usenix.org/event/woot08/cfp/

Take care,
Charlie

From joanna at invisiblethings.org Wed Mar 5 15:45:07 2008
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Wed, 05 Mar 2008 21:45:07 +0100
Subject: [Dailydave] WOOT '08 Call for papers
In-Reply-To: <0E64EF76-563C-45B9-B0FB-23087E9A6A43@securityevaluators.com>
References: <0E64EF76-563C-45B9-B0FB-23087E9A6A43@securityevaluators.com>
Message-ID: <47CF0653.7080207@invisiblethings.org>

Charles Miller wrote:
| Daily Dave guys:

Would one be classified as a fighting feminist if one pointed out that this is an example of sexism on DD? ;)

j.

From dave at immunityinc.com Thu Mar 6 15:32:46 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 06 Mar 2008 15:32:46 -0500
Subject: [Dailydave] Classes and fun!
Message-ID: <47D054EE.4000801@immunityinc.com>

So I'm in the midst of figuring out how to decode Microsoft's weird compressed SOAP format (msbin). In the meantime I notice we have a couple of spaces left open in class. Having recently written a decent MSRPC Fuzzer based on pyMSRPC, I can guarantee that the MSRPC Auditing class will be fun. :>

The heap overflow class, of course, is unique. Some of the techniques he presented on at various conferences, but you pretty much have to do it to understand it.
In other news, 90 people wrote in to say that "guys" is an accepted "non-gendered" term in English, but no one cares either way how people feel about it. So I'm killing that thread.

-dave

*March 24-26, 2008*: Windows Overflows
Duration: 3 days
Cost: $3000 per person

*March 27-28, 2008*: Auditing MSRPC
Duration: 2 days
Cost: $2000 per person

*March 31-April 3 2008*: Windows Heap Exploitation, including Windows Vista
Duration: 4 days
Cost: $4000 per person

From dave at immunityinc.com Fri Mar 7 10:29:46 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 07 Mar 2008 10:29:46 -0500
Subject: [Dailydave] !hookssl Immunity Debugger script
Message-ID: <47D15F6A.3010102@immunityinc.com>

http://forum.immunityinc.com/index.php?board=6.0

Just as a quick followup - I cannot for the life of me figure out why adding a trusted certificate to every certificate store on Windows XP does not let you get in between a WCF application and the web service with transport level security. But there's more than one way to skin a bison - and in this case a quick Immunity Debugger script gets you access to the data and you could then spend time modifying it or fuzzing it or whatever. Fun stuff! :>

My question of the day is "When will someone write Python for the iPhone via the SDK?" Once we have Python, we have everything else we need. :> Even Mono would be cool.
-dave

From Thierry at Zoller.lu Fri Mar 7 11:40:11 2008
From: Thierry at Zoller.lu (Thierry Zoller)
Date: Fri, 7 Mar 2008 17:40:11 +0100
Subject: [Dailydave] !hookssl Immunity Debugger script
In-Reply-To: <47D15F6A.3010102@immunityinc.com>
References: <47D15F6A.3010102@immunityinc.com>
Message-ID: <1079179993.20080307174011@Zoller.lu>

Dear Dave,

I currently have no access to similar software necessary to replicate, but have you considered trying out the usual hooking techniques (WSAConnect, WSASend, etc.)?

http://www.bindshell.net/tools/echomirage

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

From andreg at gmail.com Mon Mar 10 09:06:19 2008
From: andreg at gmail.com (Andre Gironda)
Date: Mon, 10 Mar 2008 06:06:19 -0700
Subject: [Dailydave] !hookssl Immunity Debugger script
In-Reply-To: <47D15F6A.3010102@immunityinc.com>
References: <47D15F6A.3010102@immunityinc.com>
Message-ID: <2fd9390e0803100606h4484972dka23425d75016db6e@mail.gmail.com>

On Fri, Mar 7, 2008 at 8:29 AM, Dave Aitel wrote:
> My question of the day is "When will someone write Python for the iPhone
> via the SDK?" Once we have Python, we have everything else we need. :>
> Even Mono would be cool.

Why do you care about the warranty on your iPhone so much? I would assume that anyone who wanted to purchase an iPhone and a copy of Canvas with the hopes of making them work together also likely doesn't mind too much about their iPhone warranty either. The only benefit to writing Canvas with the SDK as opposed to the open tool chain would be for marketing purposes. For example, to have your application hosted on the Apple Store and be "official".
I don't know if there is a lot of truth behind this http://www.techcrunch.com/2008/03/07/iphone-sdk-some-of-the-details-arent-great/ but it looks like these sorts of restrictions make the SDK rather useless in comparison to the open tool chain.

"Only one iPhone application can run at a time, and third-party applications never run in the background. This means that when users switch to another application, answer the phone, or check their email, the application they were using quits".

"An Application may write data on a device only to the Application's designated container area, except as otherwise specified by Apple".

"Applications must comply with the Human Interface Guidelines and other Documentation provided by Apple".

"Applications may only use Published APIs in the manner prescribed by Apple and must not use or call any unpublished or private APIs".

For some reason, I think that Apple would consider Python an unpublished or private API. On the other hand, I have seen at least one Python package that was compiled with the open tool chain. PM me for the link if you have a hard time finding it. Haven't seen Mono, but it probably wouldn't be difficult to cross-compile to ARM.

Or you can pay $99 (make sure you already have Leopard and a .mac account!) to the Apple Developer Connection only to find out later that your application won't work correctly and/or will be b& http://developer.apple.com/iphone/program/

You could also wait until June and see if the Sun JVM pans out. Jython is better than nothing - http://www.iclarified.com/entry/index.php?enid=774

Of course, by June there will likely be a compatibility library so that programs built using the open tool chain will run on an out-of-the-box iPhone firmware 2.0.
Cheers,
Andre

From dave at immunityinc.com Mon Mar 10 11:18:31 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 10 Mar 2008 11:18:31 -0400
Subject: [Dailydave] "Specialization is for insects" - Heinlein
Message-ID: <47D55147.4040802@immunityinc.com>

It's interesting, the tension between generalism and specialism in information security. For example, we hire consultants who are generalists. Essentially you have to show up at a client in a suit with a body of security knowledge, and learn as quickly as possible how it affects their particular technology, be it Citrix, .Net 3.0, J2EE with Beans, Ruby on Rails, or a DG-UX based system built internally to the client and never exposed to cold air. It's a how-fast-can-you-learn-new-stuff-and-break-it game.

But when it comes to technology, I think it's valuable to specialize. Immunity Debugger is a disassembler and debugger that ONLY does Vulnerability Analysis. That's it. It does it in user-space on Win32 and it does it better than anything else out there (IMHO).

Lately with CANVAS we've started to see traction with partners who specialize. Doing client-side attacks against a target who wants to know their real risk? You probably want to use Gleg's RealPlayer attacks. Attacking an application hosted on Citrix? You probably want to use the D2Sec pack. (It's what we're using this week. We do eat the dogfood we re-sell!)

I find that an over-reliance on generalized scanners is tending to go against the technology gradient. How is a SOAP testing tool going to help you when the server only accepts application/soap+msbin1 format (aka MC-NBFS)? How is a network scanner (with exploits or without) designed for banks going to help your hotel business?

Anyways, it's something I'm thinking about, and no doubt a lot of other people on the list too.
I wanted to throw it out there: What kind of generalized scanner features can we build that would allow you to build the specialized scanner that actually helps your business?

If you want to see CANVAS or SILICA live we have a few conferences coming up:

March 13-14, 2008 SOURCE Boston http://www.sourceboston.com/
March 26-28, 2008 CanSec West - Vancouver http://www.cansecwest.com/
April 7-11, 2008 RSA - San Francisco http://www.rsaconference.com/2008/US/Home.aspx
April 14-17, 2008 HITB - Dubai http://www.hackinthebox.org/

-dave

From rcs at cert.org Thu Mar 13 10:50:20 2008
From: rcs at cert.org (Robert C. Seacord)
Date: Thu, 13 Mar 2008 10:50:20 -0400
Subject: [Dailydave] CERT C Secure Coding Standard: last call for reviewers
In-Reply-To: <47D55147.4040802@immunityinc.com>
References: <47D55147.4040802@immunityinc.com>
Message-ID: <47D93F2C.9070606@cert.org>

We would like to invite the community to review and comment on the current version of the CERT C Secure Coding Standard available online at www.securecoding.cert.org before Version 1.0 is published. To comment, you can create an account on the Secure Coding wiki and post your comments there.

Our intent is to complete major development of Version 1.0 by April 18, 2008, with the published version of the standard being available in September. Once Version 1.0 of the standard goes to the publisher, we will begin development of Version 2.0. That is, we will continue to maintain the wiki to further advance the "working version" of the CERT C Secure Coding Standard. The published 1.0 version will become the official version, until replaced by a future version.
It is unlikely a subsequent version will be released any time in the next 2-3 years, so we would like to ensure that Version 1.0 will be a high quality product that will promote and encourage secure coding practices.

Thanks for any help and assistance you have already provided and for any additional contribution you may make. There are currently 158 individuals who have contributed to the development of this standard, without whom this effort could not have succeeded.

Thanks,
rCs

From isaac.dawson at gmail.com Thu Mar 13 21:28:28 2008
From: isaac.dawson at gmail.com (Isaac Dawson)
Date: Fri, 14 Mar 2008 10:28:28 +0900
Subject: [Dailydave] Trendmicro et.al.
Message-ID: <5ff6321e0803131828h1f20d7d5i6cd9b8af4f8d38e4@mail.gmail.com>

Not sure if it has made the news over in the States/rest of the world but here in Japan it's quite huge. Apparently on 3/12 Trend Micro's site got hit by some sort of SQL injection scanner/tool that then injects some script URL to own the visitors. Seeing as how this was on their virus definition section I found it a rather interesting attack ;>. (Just found out that The Register appears to have reported on it, take a look: http://www.dslreports.com/forum/r20161397-Trend-Micro-Hacked-Serving-Malicious-Iframes ).

I find the selection of the javascript's name rather interesting as well. Makes me wonder if they're against the whaling that's going on here...

-isaac

From dan at geer.org Fri Mar 14 09:22:52 2008
From: dan at geer.org (dan at geer.org)
Date: Fri, 14 Mar 2008 09:22:52 -0400
Subject: [Dailydave] a puff of white smoke over Lexicon Central
Message-ID: <20080314132252.EC53E33E96@absinthe.tinho.net>

A puff of white smoke over Lexicon Central -- we have a coinage!
Certified Pre-0wned

--dan

From jmoss at blackhat.com Fri Mar 14 18:43:42 2008
From: jmoss at blackhat.com (jmoss)
Date: Fri, 14 Mar 2008 15:43:42 -0700
Subject: [Dailydave] Black Hat Announcements: New CFP system and Japan '08 confirmed
In-Reply-To: <47D1558D.80706@msu.edu>
References: <47D1558D.80706@msu.edu>
Message-ID: <137f01c88624$da7fc390$8f7f4ab0$@com>

Daily Dave readers,

Here is a big Black Hat update to keep inquiring minds up to date with all the goings on in our not-so-secret lair:

Black Hat Amsterdam is a go!

Training: 25-26 March 2008
Briefings: 27-28 March 2008

There will be four different tracks over two days comprised of 20+ internationally renowned security professionals speaking on diverse topics from intercepting GSM traffic and the evolution of spam techniques to attacking Anti Virus products and new client side channels:
https://www.blackhat.com/html/bh-europe-08/bh-eu-08-main.html

Black Hat USA News:

We're very proud to announce a new feature for paid Black Hat attendees starting with the USA show in August - delegate access to our CFP system! Paid delegates can now log into our CFP database, read and review our proposed presentations and share their ratings and comments with Black Hat. Your ratings will help us create the show you want to attend, and even help focus presentations as they're being created. We are excited to see what kind of information we learn about what interests our delegates and what kind of talks meet their needs best. We've always said that our delegates make Black Hat the experience it is, and we're glad to have the opportunity to extend their influence on the final product. To read more about this new opportunity, go to:
https://www.blackhat.com/html/blackpages/blackpages.html

We're also unveiling an "Un-Track" where attendees create their own mash-up style presentations - so if you've got something to share with the security community, this is your moment.
Continuing a popular new BH development, we will also have speaker Q&A rooms after every presentation to help you follow up with your speaker and network with likeminded delegates. Still have a question that didn't quite get answered? Follow your speaker and continue the conversation.

Registration is now OPEN for The Black Hat Briefings USA, register now to take advantage of our early bird rates:

Black Hat Briefings USA 2008, August 2-7 at the Caesars Palace Las Vegas
Early registration rate closes May 1, 2008.
Regular registration rate closes July 1, 2008.
https://www.blackhat.com/html/bh-registration/bh-registration.html#USA

The Black Hat USA Call for Papers is now open. For descriptions of the tracks and deadlines check out:
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-cfp.html

To create or update a submission:
https://cfp.blackhat.com/

Download all the Black Hat USA 2007 content for free in an iPod friendly format! For audio and video follow these links:
https://www.blackhat.com/podcast/bh-usa-07-video.rss
https://www.blackhat.com/podcast/bh-usa-07-audio.rss

Black Hat Japan News:

We're happy to announce that Black Hat is returning to Tokyo for another Black Hat Japan in October 2008. We'll be bringing another strong lineup of speakers and trainers and the best lineup of technical security presentations available in Japan. We hope to see you there!

About Black Hat

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world - from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape.
15 years at the intersection of network security and hacker ingenuity is what makes Black Hat the one-of-a-kind conference it is, one where the establishment and the underground are equally at home.

In addition to the large number of short, topical presentations in the Briefings, Black Hat also provides hands-on, high-intensity, multi-day Trainings. The Training sessions are provided by some of the most respected experts in the world and many also provide formal certifications to qualifying attendees. Arrangements can also be made to bring Black Hat's trainers to your location for private and customized training.

Subscribe to the Black Hat RSS feed to keep up to date on news, announcements, and content:
https://www.blackhat.com/BlackHatRSS.xml

UNSUBSCRIBE: These announcements get sent to past Black Hat attendees. If you wish to stop receiving them just reply saying so and I'll remove you from the list.

Jeff Moss
Director
Black Hat

From joanna at invisiblethings.org Mon Mar 17 15:22:21 2008
From: joanna at invisiblethings.org (Joanna Rutkowska)
Date: Mon, 17 Mar 2008 20:22:21 +0100
Subject: [Dailydave] Trendmicro et.al.
In-Reply-To: <5ff6321e0803131828h1f20d7d5i6cd9b8af4f8d38e4@mail.gmail.com>
References: <5ff6321e0803131828h1f20d7d5i6cd9b8af4f8d38e4@mail.gmail.com>
Message-ID: <47DEC4ED.4010902@invisiblethings.org>

Ok, so that just inspired me to ask Dear Dailydavers how many of you use, for *daily* browsing, a web browser running inside:

1) a VM? (What VM product? Some VMWare appliances?)
2) a dedicated account for unsafe browsing (because OS-provided ACLs are just good enough)?
3) the same account but with some form of manually-adjusted sandboxing (protected mode IE doesn't count, right? :P), like e.g. OSX syscall sandboxing ('cause it's like driving a car with a stick)?
4) An air gapped machine ;)

j.

Isaac Dawson wrote:
| Not sure if it has made the news over in the States/rest of the world
| but here in Japan it's quite huge. Apparently on 3/12 Trend Micro's
| site got hit by some sort of SQL injection scanner/tool that then
| injects some script URL to own the visitors. Seeing as how this was
| on their virus definition section I found it a rather interesting
| attack ;>. (Just found out that The Register appears to have reported
| on it, take a look:
| http://www.dslreports.com/forum/r20161397-Trend-Micro-Hacked-Serving-Malicious-Iframes
| ).
|
| I find the selection of the javascript's name rather interesting as
| well. Makes me wonder if they're against the whaling that's going on
| here...
|
| -isaac
|
| _______________________________________________
| Dailydave mailing list
| Dailydave at lists.immunitysec.com
| http://lists.immunitysec.com/mailman/listinfo/dailydave

From msantana at terremark.com Tue Mar 18 02:26:25 2008
From: msantana at terremark.com (Mario Santana)
Date: Tue, 18 Mar 2008 02:26:25 -0400
Subject: [Dailydave] "Specialization is for insects" - Heinlen
In-Reply-To:
References:
Message-ID: <2FC9EBF8D5275546AEEC4E9AEEE0444A03806C65@EXCHANGE03.terremark.org>

I've just done a lot of thinking about specialization vs. resilience. I agree with your notes, so far as they go. Heinlein was talking about human beings, and you seem to agree with him on that point. You're adding another good point: a given tool should do one thing, and do it well. So maybe specialization is for tools.

The resilience and adaptability of generalists comes from diversification. Generalists can combine and adapt a wide range of skills to deal with new or unexpected situations. But only human generalists can do this well. So far, attempts at building software generalists have failed.

There is a type of generalization that works well for tools, though. Think about Kernighan's "The Practice of Programming," where he advocates generality in programs as one of his three core concepts of good coding. (Simplicity and clarity are the other two.) He's not talking about coding a tool that's all things to all people.
Instead, he's saying that by not making assumptions about how this tool will be used, and especially by making it easy to provide input and read output from this tool, you can code a specialist program that's useful in a wide variety of unexpected situations. So yeah, generalist humans combine powerfully with specialized tools. In the end, though, deep down... I think we're generalists because we like it. Generalists are most valuable in the flux and chaos of unexpected changes: where basic assumptions aren't met, fool-proof methods aren't working, and nobody knows even what questions to ask. That's when things get interesting. We're generalists because that's what it takes to be in the middle of it. Cheers! Mario D. Santana, CISSP, CISA, GCWN, GREM, RHCT IT Security Specialist ---------------------------------- Date: Mon, 10 Mar 2008 11:18:31 -0400 From: Dave Aitel Subject: [Dailydave] "Specialization is for insects" - Heinlen It's interesting the tension between generalism and specialism in information security. For example, we hire consultants who are generalists. [...] But when it comes to technology, I think it's valuable to specialize. [...] From dr at kyx.net Thu Mar 20 23:55:43 2008 From: dr at kyx.net (Dragos Ruiu) Date: Thu, 20 Mar 2008 19:55:43 -0800 Subject: [Dailydave] CanSecWest 2008 PWN2OWN - Mar 26-28 Message-ID: <200803201955.43280.dr@kyx.net> Calendar Notes: =========== PacSec 2008 will be on November 12/13 in Tokyo at Aoyama Diamond Hall. EUSecWest 2008 will be on May 21/22 at a fun new venue in central London. (We cooked this schedule up so it will enable people to fly to Berlin on the 23rd and make FX's ph-neutral on Saturday the 24th - which also has a fun new venue. Island???!?) The EUSecWest 2008 CFP opens tomorrow and closes _before_ April 1 :-). EUSecWest registration is now open. Announcing CanSecWest PWN2OWN 2008. =================================== Three targets, all patched. 
All in typical client configurations with typical user configurations. You hack it, you get to keep it. Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):
VAIO VGN-TZ37CN running Ubuntu 7.10
Fujitsu U810 running Vista Ultimate SP1
MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the presentation hours and breaks of the conference until March 28th. The main purpose of this contest is to present new vulnerabilities in these systems so that the affected vendor(s) can address them. Participation is open to any registered attendee of CanSecWest 2008. Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it. You also get to participate in 3com / Tipping Point's Zero Day Initiative, with the top award for remote, pre-auth, vulnerabilities being increased this year. Fine print and details on the cash prizes are available from TippingPoint's DVLabs blog (http://dvlabs.tippingpoint.com/). More fine print and rules for the contest will be found at the http://cansecwest.com/ site.

Quick Overview:
-Limit one laptop per contestant.
-You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue.
-Thirty minute attack slots given to contestants at each box.
-Attack slots will be scheduled at the contest start by the methods selected by the judges.
-Attacks are done via crossover cable. (attacker controls default route)
-RF attacks are done offsite by special arrangement...
-No physical access to the machines.
-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pidgin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.

Fine Print:
These computers are REAL and FULLY patched.
All third party software is widely used. There are no imitation vulnerabilities. Any exploit successfully used in this contest would also compromise a significant percentage of Internet connected hosts. Instead, players choose to use their exploits here, at CanSecWest PWN2OWN 2008. All successful exploits will be turned over to the appropriate vendor and patched before details are made public.

Rules

1. Attacks remain confidential until prize is claimed
Players will connect to the targets with a crossover cable and we will not record the network traffic or log anything other than what is done by default. Successful exploits can be delivered directly to Tipping Point after we verify that you control the target. In the event that internet connectivity is required (eg. IM clients) we will put the target online behind a firewall. We won't sniff at the firewall, but we can make no guarantees for upstream networks. (so be careful what you send over the Internet!)

2. No wireless attacks in the conference area
Players with intent to use wireless attacks must inform us in advance. We will relocate to a secluded, undisclosed location where there won't be dozens of people watching the traffic.

3. One attacker per target at a time
As is obvious from rule #1 and rule #2, one player gets exclusive access to any target at one time.

4. Players take turns, no hogging the targets
Players are limited to 30 minutes per attempt. We will mercilessly disconnect your cable at the end of each attack slot. Be fast! We will reboot the targets before each session begins.

5. First come, first served access to targets.
Players get in line for their turns and may take an unlimited number of turns. If a player runs out of time and no one else is waiting for access to the target he may continue for another turn. Players may not have more than 1 turn in any 30 minute period. (That means we won't reboot a target any time you feel like it)

6. Remote, pre-authentication attacks are required to win
Players may not physically touch the targets or look at the target's display. Players are required to demonstrate to our satisfaction that arbitrary code runs on the target.

7. Attackers control the default route for the target.
Players may become the target's default gateway in order to perform man in the middle attacks.

8. Contest officials visit attacker web servers
Players may direct us to visit a web server running on the player's computer. Players may specify which browser to use. Keep the URL reasonable. We're not going to type weird addresses in. Once we hit enter that's it. We will not click on any links.

9. Contest officials read email from attackers
Autopreview (Preview panes, etc) is enabled on mail readers, but we will not click on links contained therein or open attachments.

10. Contest officials will add attackers on IM and read their messages.
They will not click on links or open file transfers.

11. Client Application list:
The fully patched client-side applications that qualify for a prize include:
. Adobe PDF
. Adobe Flash
. Microsoft Silverlight
. Microsoft Internet Explorer
. Microsoft Outlook/Outlook Express
. Firefox
. Safari
. iChat
. Apple Mail
. Skype
. Adium
. Pidgin
. Kmail
. Thunderbird
. AOL, Yahoo!, and MSN official IM clients
. Java/JRE
Other software may be added to this list at our discretion or if we deem it represents a significant attack target on normal internet clients at large.

12. Winning exploits must be true 0day.
They may not have already been submitted to the affected vendor or to third parties.

13. Each machine will be secured to common industry best practices:
We'll get Andrea Barisani from our Hardening Linux Dojo (which still has seats available :) to look over the Ubuntu machine, and the Microsoft/iSec/Core DTF folks to secure the Windows box, and Josh Ryder our local Mac zealot to look at the OSX wafer.
Special Thanks: -LTC Ron Dodge, USMA, for agreeing to be in the hot seat as the judge. -The folks at 3com Tipping Point ZDI for helping out. -The folks at White Wolf Security for assistance in the design, prep, and running the challenge. -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada March 26-28 - 2008 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp From dan at geer.org Mon Mar 24 17:04:35 2008 From: dan at geer.org (dan at geer.org) Date: Mon, 24 Mar 2008 17:04:35 -0400 Subject: [Dailydave] confirming it's a person Message-ID: <20080324210435.6AEC933EE4@absinthe.tinho.net> I would like to RTFM on alternatives to CAPTCHAs, but I don't know what FM to R. If someone here wants to say "forget it" or "this is the current best technique" or what-have-you, I'd be thankful to hear. Not trying to start a large thread; you can, if you like. --dan From dave at immunityinc.com Tue Mar 25 14:44:42 2008 From: dave at immunityinc.com (Dave Aitel) Date: Tue, 25 Mar 2008 14:44:42 -0400 Subject: [Dailydave] confirming it's a person In-Reply-To: <20080324210435.6AEC933EE4@absinthe.tinho.net> References: <20080324210435.6AEC933EE4@absinthe.tinho.net> Message-ID: <47E9481A.30305@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 re Captchas: You could just ask the user to retype two strings and measure how long it takes for them type it in, a.la. BioPassword. BioPassword tries to use biometrics to determine which person someone is (by measuring how long their fingers take to move between keys with a flash applet, for example), but biometrics are often quite useful for "this is a person". Of course, you'll have to make a model for each different keyboard type if you're internationally savvy. Rather than having a single password the user types, you'll want to have a "random string". Hmm. 
If you give everyone two strings to type, you could build a database of timings with the second string, and simple datapoint grouping will get you which keyboard they are using so you can build your models. Then you can start rotating that second string in and retiring your first string after your model is built and tested. You need a continual stream of random strings+statistical models because otherwise people will just type them in once, slightly modify them, and submit them mechanically. I don't have code to do this, of course. The counter-attack would be a good model of how a human types on a keyboard, where given a random string you could generate timings. That might not be a difficult thing to build to the level of precision you'd need, but it might. Then again, typing in long random strings might be much more annoying than trying to read distorted images. :> Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is going to demo his new CANVAS Win32 kernel rootkit for anyone who asks, he tells me. :> - -dave dan at geer.org wrote: | I would like to RTFM on alternatives to CAPTCHAs, | but I don't know what FM to R. | | If someone here wants to say "forget it" or "this | is the current best technique" or what-have-you, | I'd be thankful to hear. Not trying to start a | large thread; you can, if you like. 
|
| --dan
|
| _______________________________________________
| Dailydave mailing list
| Dailydave at lists.immunitysec.com
| http://lists.immunitysec.com/mailman/listinfo/dailydave

From dave at immunityinc.com Tue Mar 25 16:44:07 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 25 Mar 2008 16:44:07 -0400
Subject: [Dailydave] confirming it's a person
In-Reply-To: <767ba1040803251333j2e843be8i967657d1890c4be6@mail.gmail.com>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net> <47E9481A.30305@immunityinc.com> <767ba1040803251333j2e843be8i967657d1890c4be6@mail.gmail.com>
Message-ID: <47E96417.2060406@immunityinc.com>

Jonathan Wilkins wrote:
| The problem with that is that it's only as difficult for the attacker to
| build the model as it is for the defender.
|

The defender doesn't have to build a model in this particular example though - the mobs of humans build it for you - you just have to do pattern recognition on the data. So it is asymmetric because you supply the random strings, and the humans generate data for you. I don't think you are resource limited (if each human submits three strings, one real and two statistics gathering examples, then your supply of random strings+statistics should replenish faster than it goes away?), but as for the false positive rate, I'm not sure. I'd have to go head to head with you on this one with real working code, and I don't have time to learn Silverlight/Flash right now. :>

All captcha type systems are broken if an attacker owns a popular online service though, right? Because they can just put the captcha up on their service and have a real human answer it. :>

Hmm.
Palladium would have solved this problem, like almost all security problems by building a trusted PKIed tunnel from the online service to your machine's CPU, but everyone hated it. I wonder what VMWare is going to do when Microsoft makes it mandatory to use Palladium-like technology to get to hotmail and only VirtualPC is allowed to support it? - -dave | To be useful, a system of this sort has to be: | - Asymmetric in effort (has to cost the attacker much more than the | defender) | - Can't rely on resource scarcity (of the type attackers can steal). This | is the major weakness in hashcash type systems in the face of bot nets. | - Have a low random/partial success rate | | I have a white paper on breaking various CAPTCHA systems (and building | better ones) coming out soon. I don't want to side track the thread on | specific CAPTCHA issues though. | | On Tue, Mar 25, 2008 at 11:44 AM, Dave Aitel wrote: | | re Captchas: | | You could just ask the user to retype two strings and measure how long | it takes for them type it in, a.la. BioPassword. BioPassword tries to | use biometrics to determine which person someone is (by measuring how | long their fingers take to move between keys with a flash applet, for | example), but biometrics are often quite useful for "this is a person". | Of course, you'll have to make a model for each different keyboard type | if you're internationally savvy. Rather than having a single password | the user types, you'll want to have a "random string". | | Hmm. If you give everyone two strings to type, you could build a | database of timings with the second string, and simple datapoint | grouping will get you which keyboard they are using so you can build | your models. Then you can start rotating that second string in and | retiring your first string after your model is built and tested. 
You | need a continual stream of random strings+statistical models because | otherwise people will just type them in once, slightly modify them, and | submit them mechanically. | | I don't have code to do this, of course. The counter-attack would be a | good model of how a human types on a keyboard, where given a random | string you could generate timings. That might not be a difficult thing | to build to the level of precision you'd need, but it might. Then again, | typing in long random strings might be much more annoying than trying to | read distorted images. :> | | Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is | going to demo his new CANVAS Win32 kernel rootkit for anyone who asks, | he tells me. :> | | -dave | | | dan at geer.org wrote: | | I would like to RTFM on alternatives to CAPTCHAs, | | but I don't know what FM to R. | | | | If someone here wants to say "forget it" or "this | | is the current best technique" or what-have-you, | | I'd be thankful to hear. Not trying to start a | | large thread; you can, if you like. 
| |
| | --dan
| |
| | _______________________________________________
| | Dailydave mailing list
| | Dailydave at lists.immunitysec.com
| | http://lists.immunitysec.com/mailman/listinfo/dailydave
|
|> _______________________________________________
|> Dailydave mailing list
|> Dailydave at lists.immunitysec.com
|> http://lists.immunitysec.com/mailman/listinfo/dailydave

From dguido at gmail.com Tue Mar 25 21:30:17 2008
From: dguido at gmail.com (Daniel Guido)
Date: Tue, 25 Mar 2008 21:30:17 -0400
Subject: [Dailydave] the typical security guy I interview
Message-ID: <9c2204930803251830r45f48b3bob26df7b229efd240@mail.gmail.com>

http://sfbay.craigslist.org/sfc/res/613938518.html

--
Dan Guido

From andreg at gmail.com Wed Mar 26 02:28:58 2008
From: andreg at gmail.com (Andre Gironda)
Date: Tue, 25 Mar 2008 23:28:58 -0700
Subject: [Dailydave] confirming it's a person
In-Reply-To: <20080324210435.6AEC933EE4@absinthe.tinho.net>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net>
Message-ID: <2fd9390e0803252328t5a78c9a5j4f3bb722bbb63e3a@mail.gmail.com>

On Mon, Mar 24, 2008 at 2:04 PM, wrote:
> I would like to RTFM on alternatives to CAPTCHAs,

I recall sending this link to Robert Auger when he was interested in gathering research on the current, "state-of-the-art" in CAPTCHA technology

http://www.ocr-research.org.ua

Do per-page tokens or another solution even partly solve the problem you are trying to solve?
Cheers,
Andre

From agustingianni at gmail.com Wed Mar 26 00:31:03 2008
From: agustingianni at gmail.com (Agutin Gianni)
Date: Wed, 26 Mar 2008 01:31:03 -0300
Subject: [Dailydave] confirming it's a person
In-Reply-To: <20080324210435.6AEC933EE4@absinthe.tinho.net>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net>
Message-ID: <47E9D187.5090500@gmail.com>

I think we have already discussed this topic, and someone said we could use pictures of cats and other animals and ask the user to count the number of cats on the photos.

Microsoft is working on this, it looks promising.

http://research.microsoft.com/asirra/

dan at geer.org wrote:
> I would like to RTFM on alternatives to CAPTCHAs,
> but I don't know what FM to R.
>
> If someone here wants to say "forget it" or "this
> is the current best technique" or what-have-you,
> I'd be thankful to hear. Not trying to start a
> large thread; you can, if you like.
>
> --dan
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From blakefrantz at gmail.com Wed Mar 26 00:32:12 2008
From: blakefrantz at gmail.com (Blake Frantz)
Date: Tue, 25 Mar 2008 21:32:12 -0700
Subject: [Dailydave] confirming it's a person
Message-ID: <943e44610803252132u51ab9f3bnf3c53c2bdb06fbff@mail.gmail.com>

*An uneducated statement made from row 41 seat D destined to Michigan*

CAPTCHAs that are based on obfuscation are a losing battle (imho) due to what I like to call 'the sophistication arms race'. Good guys write increasingly sophisticated CAPTCHAs (I hate typing that, btw, let's use HIP (Human Interactive Proof)).
The 'bad guys' write software to break them. The 'bad guys' also have access to other really smart people trying to solve other computer vision problems. Check out the work conducted by the UC Berkeley Computer Vision Group.

Anyhow, the efficacy of the HIP system decreases proportionally with the number of carbon based life forms that can actually decode the mess. Which means the good guys are limited in their sophistication because everyday grey matter can't figure it out well enough. On a long enough timeline, or so I suppose, the number of humans capable of passing the test drops below 'most' acceptable false negative rates. The result is the 'bad guy' wins the race and spams the universe.

I've implemented an SMS based HIP system at areyouahuman.org. Yes, you can slang some code onto your mobile device to get the challenge. But, I'm currently writing the per-site threshold mechanism that should resolve this. This system presumably helps prevent site automation via thresholds, driving the cost of breaking it up, and by using an identifier that is in lesser quantities - IPs are 'easier' to commandeer than phone numbers.

What are some thoughts on this approach?

Blake

>
>I would like to RTFM on alternatives to CAPTCHAs, but I don't know what FM to R.
>
>If someone here wants to say "forget it" or "this is the current best technique" or what-have-you, I'd be thankful to hear. Not trying to start a large thread;
>you can, if you like.
>
>--dan

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
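The two-string timing check Dave Aitel sketched earlier in this thread (collect inter-key timings on a statistics-gathering string typed by real users, then judge the real string against that population, and reject submissions that are mechanically regular or simply replayed) as an added example; this is not code from the thread or from BioPassword, and the random string, the training data and every threshold are constructed for the example.

```python
"""Server-side plausibility check for keystroke timings on a random string.

Added example, not code from the thread. Assumptions (constructed, not from
the posts): the client reports one inter-key interval in milliseconds per
adjacent character pair of the server-issued string; the population model is
learned from the second, statistics-gathering string; all thresholds below are
illustrative.
"""
import hashlib
import random
from collections import defaultdict
from statistics import mean, pstdev

MIN_JITTER_MS = 15.0          # human gaps are never perfectly regular
MAX_OUTLIER_FRACTION = 0.34   # reject when more than a third of gaps are implausible
MIN_DIGRAPH_SAMPLES = 5       # below this, fall back to the global distribution


class TypingModel:
    """Population model of inter-key intervals, one distribution per digraph."""

    def __init__(self):
        self.by_digraph = defaultdict(list)
        self.all_gaps = []
        self.seen_vectors = set()   # fingerprints of every scored vector (replay check)

    @staticmethod
    def _digraphs(text):
        return [a + b for a, b in zip(text, text[1:])]

    def learn(self, text, intervals_ms):
        """Feed timings from the statistics-gathering string into the model."""
        for dg, gap in zip(self._digraphs(text), intervals_ms):
            self.by_digraph[dg].append(gap)
            self.all_gaps.append(gap)

    def _reference(self, dg):
        ref = self.by_digraph.get(dg, [])
        if len(ref) < MIN_DIGRAPH_SAMPLES:
            ref = self.all_gaps
        # clamp the spread so a tight digraph does not reject everyone
        return mean(ref), max(pstdev(ref), 10.0)

    def score(self, text, intervals_ms):
        """Return (accepted, reason) for one submission of the real string."""
        if not self.all_gaps:
            return False, "model has no training data"
        if len(intervals_ms) != len(text) - 1:
            return False, "interval count does not match string length"
        # identical timing vectors do not recur for humans; a repeat is a replay
        fingerprint = hashlib.sha256(",".join(map(str, intervals_ms)).encode()).hexdigest()
        if fingerprint in self.seen_vectors:
            return False, "replayed timing vector"
        self.seen_vectors.add(fingerprint)
        if pstdev(intervals_ms) < MIN_JITTER_MS:
            return False, "intervals too regular for a human"
        outliers = 0
        for dg, gap in zip(self._digraphs(text), intervals_ms):
            mu, sd = self._reference(dg)
            if abs(gap - mu) > 3 * sd:
                outliers += 1
        if outliers / len(intervals_ms) > MAX_OUTLIER_FRACTION:
            return False, f"{outliers} of {len(intervals_ms)} gaps outside the population"
        return True, "plausible"


def build_demo_model(text="q7xkz2mw", rows=30, seed=7):
    """Constructed training set: 30 human-like submissions, gaps ~ N(170, 45) ms."""
    rng = random.Random(seed)
    model = TypingModel()
    for _ in range(rows):
        model.learn(text, [max(40, int(rng.gauss(170, 45))) for _ in range(len(text) - 1)])
    return model


def demo():
    """Score four constructed submissions; returns {name: accepted}."""
    text = "q7xkz2mw"
    model = build_demo_model(text)
    human = [150, 210, 130, 190, 160, 220, 140]
    return {
        "human": model.score(text, human)[0],
        "replay": model.score(text, human)[0],                         # same vector again
        "scripted": model.score(text, [50] * 7)[0],                    # metronome-like
        "wrong_scale": model.score(text, [600, 650, 590, 700, 610, 640, 580])[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} {'accept' if ok else 'reject'}")
```

The replay check is what defeats the "type it once, then resubmit mechanically" shortcut Dave mentions; the per-digraph model is what the rotating statistics-gathering strings keep fresh.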
From jon at oberheide.org Wed Mar 26 10:31:40 2008
From: jon at oberheide.org (Jon Oberheide)
Date: Wed, 26 Mar 2008 10:31:40 -0400
Subject: [Dailydave] confirming it's a person
In-Reply-To: <47E9D187.5090500@gmail.com>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net> <47E9D187.5090500@gmail.com>
Message-ID: <1206541900.9678.1.camel@apollo>

On Wed, 2008-03-26 at 01:31 -0300, Agutin Gianni wrote:
> I think we have already discussed this topic, and someone said we could
> use pictures of cats and other animals and ask the user to count the
> number of cats on the photos.

One of my favorite alternative captchas: http://www.hotcaptcha.com/ (fairly safe for work I suppose)

Regards,
Jon Oberheide

--
Jon Oberheide
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE

From isaac.dawson at gmail.com Wed Mar 26 10:51:08 2008
From: isaac.dawson at gmail.com (Isaac Dawson)
Date: Wed, 26 Mar 2008 23:51:08 +0900
Subject: [Dailydave] confirming it's a person
In-Reply-To: <2fd9390e0803252328t5a78c9a5j4f3bb722bbb63e3a@mail.gmail.com>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net> <2fd9390e0803252328t5a78c9a5j4f3bb722bbb63e3a@mail.gmail.com>
Message-ID: <5ff6321e0803260751r271e0e51t7c10b589389eeec@mail.gmail.com>

I think a lot of this is just guess work if we don't know what the purpose is. Is this to protect a login form on a web site? One thing that I've always wondered is how well a site that has good state management will fare against a brute force attempt.
If the user must go through 2-3 actions to login, it should be pretty easy to determine if that sequence is being repeated more than is normal for a human as the system can track the progress of where the user 'is' on the server side.

-isaac

On Wed, Mar 26, 2008 at 3:28 PM, Andre Gironda wrote:
> On Mon, Mar 24, 2008 at 2:04 PM, wrote:
> > I would like to RTFM on alternatives to CAPTCHAs,
>
> I recall sending this link to Robert Auger when he was interested in
> gathering research on the current, "state-of-the-art" in CAPTCHA
> technology
> http://www.ocr-research.org.ua
>
> Do per-page tokens or another solution even partly solve the problem
> you are trying to solve?
>
> Cheers,
> Andre
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From kowsik at gmail.com Wed Mar 26 11:58:27 2008
From: kowsik at gmail.com (Kowsik)
Date: Wed, 26 Mar 2008 08:58:27 -0700
Subject: [Dailydave] Can't sleep, clowns will eat me.
In-Reply-To: <47A8C8CF.3010200@immunityinc.com>
References: <47A8C8CF.3010200@immunityinc.com>
Message-ID: <7db9abd30803260858s484d025bu9c6c88c8fe62d63b@mail.gmail.com>

And here's one for XDR:

http://labs.musecurity.com/2008/03/24/ruby-xdr-parser/

Just the parser for now, but the binding and transport coming soon.

http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/head/rpcsvc/
http://milw0rm.com/exploits/5282

K.

On 2/5/08, Dave Aitel wrote:
> I can't sleep. It's like 5:33 here in Tokyo and I woke up at 2 thinking
> "Why am I awake?". Luckily there is a present in the inbox!
>
> http://code.google.com/p/pymsrpc/
>
> Yay Cody and Aaron for their hard work on NDR!
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From ffm.stefan at googlemail.com Wed Mar 26 13:21:41 2008
From: ffm.stefan at googlemail.com (Stefan Wagner)
Date: Wed, 26 Mar 2008 18:21:41 +0100
Subject: [Dailydave] confirming it's a person
In-Reply-To: <47E9D187.5090500@gmail.com>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net> <47E9D187.5090500@gmail.com>
Message-ID:

> I think we have already discussed this topic, and someone said we could
> use pictures of cats and other animals and ask the user to count the
> number of cats on the photos.
>
> Microsoft is working on this, it looks promising.
>
> http://research.microsoft.com/asirra/

I think a weak point may be that petfinder.com pictures are available to the public too. An attacker could let some bots crawl petfinder.com by category, grab the thumbnails (or the big pictures) and resize 'em to asirra thumbnail size (to avoid the bottom text "petfinder.com" logo on asirra big pictures) and put some CRC of that into a DB (maybe even make it b/w and low-res, only take specified part(s) of the picture for the CRC and so on). This sure won't be perfect, but for some usable percentage I think it may currently work.
Regards,
Stefan

From dmolnar at gmail.com Wed Mar 26 14:30:02 2008
From: dmolnar at gmail.com (David Molnar)
Date: Wed, 26 Mar 2008 11:30:02 -0700
Subject: [Dailydave] confirming it's a person
In-Reply-To: <47E9D187.5090500@gmail.com>
References: <20080324210435.6AEC933EE4@absinthe.tinho.net> <47E9D187.5090500@gmail.com>
Message-ID: <3ad50dea0803261130g25c7ff59m2ac1eb2fcae7e826@mail.gmail.com>

On Tue, Mar 25, 2008 at 9:31 PM, Agutin Gianni wrote:
> I think we have already discussed this topic, and someone said we could
> use pictures of cats and other animals and ask the user to count the
> number of cats on the photos.
>
> Microsoft is working on this, it looks promising.
>
> http://research.microsoft.com/asirra/
>

As cool as ASIRRA is, and as awesome as it is that they help find homes for pets, it is more or less "a better CAPTCHA." I took the original post as a request for a manual for bot-detection techniques in addition to CAPTCHAs. I don't know of anything in one place on this topic, although I can think of things like Bayesian filters for the spam application as maybe a place to start.

Incidentally, this paper just showed up on eprint.iacr.org. The author claims an automatic classifier between cats and dogs that can pass a 12-image ASIRRA challenge 10.3% of the time:

Machine Learning Attacks Against the ASIRRA CAPTCHA
Philippe Golle
http://eprint.iacr.org/2008/126

-David Molnar
From jwilkins at gmail.com Wed Mar 26 14:39:52 2008
From: jwilkins at gmail.com (Jonathan Wilkins)
Date: Wed, 26 Mar 2008 11:39:52 -0700
Subject: [Dailydave] confirming it's a person
In-Reply-To:
References: <20080324210435.6AEC933EE4@absinthe.tinho.net> <47E9D187.5090500@gmail.com>
Message-ID: <767ba1040803261139s301d6d1bsef915acf0196ce21@mail.gmail.com>

Algorithms like SIFT (http://en.wikipedia.org/wiki/Scale-invariant_feature_transform) make this even more accurate.

FWIW, here's my opinion on the technology. Some of this is from memory.

First, they're ok with a 1/4096 success rate from random guesses according to their paper. They say that they have a very large database to pull from (all of the previously posted data that attackers wouldn't have access to) but I'm figuring that adding a few thousand pre-tagged animals to the mix every week (the animals available for adoption currently) in combination with the fact that attackers can farm out solving them and also save correct answers means that the attacker's cost declines over time and their success rate increases. Not good characteristics.

On Wed, Mar 26, 2008 at 10:21 AM, Stefan Wagner wrote:
> > I think we have already discussed this topic, and someone said we could
> > use pictures of cats and other animals and ask the user to count the
> > number of cats on the photos.
> >
> > Microsoft is working on this, it looks promising.
> >
> > http://research.microsoft.com/asirra/
>
> I think a weak point may be that petfinder.com pictures are available
> to the public too.
>
> An Attacker could let some bots crawl petfinder.com by Category, grab
> the thumbnails
> (or the big pictures) and resize 'em to asirra thumbnail size (to
> avoid the bottom text "petfinder.com"
> Logo on asirra big pictures) and put some CRC of that into a DB (maybe
> even make it b/w and
> low-res, only take specified part(s) of the picture for the CRC and so
> on). This sure won't be perfect, but
> for some usable percentage i think it may currently work.
>
> Regards,
> Stefan
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dave at immunityinc.com Thu Mar 27 14:03:49 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 27 Mar 2008 14:03:49 -0400
Subject: [Dailydave] SyScan 08 Hong Kong Finalized!
Message-ID: <47EBE185.6080408@immunityinc.com>

From the SyScan 08 Hong Kong Committee:

dear all

the program for SyScan'08 Hong Kong is finalised. SyScan'08 Hong Kong will be held on 29th and 30th May over at the Langham Place. Do register early for early bird discount.

Attacking Anti-virus - Feng Xue
The Powerful Evil on Mobile phone - Nanika
Cyber Crime: Follow the Money - Pedro Bueno
Real World Kernel Pool Exploitation - Kostya Kortchinsky
Attacking Telco Core Network - Philippe Langlois
Mobile Botnets: Future of Cyber Terrorism - Michal Bucko
Securing your Web Application Code - Kurt Grutzmacher
Hacking RFiD: Octopus Card? - Adam Laurie
Media Security on VoIP Systems - Shao Weidong

please visit www.syscan.org for more details and registration.
--
Thank you
Thomas Lim
Organiser
SyScan'07
www.syscan.org

From dave at immunityinc.com Thu Mar 27 14:19:42 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 27 Mar 2008 14:19:42 -0400
Subject: [Dailydave] About to ship out to Boston...
Message-ID: <47EBE53E.6000902@immunityinc.com>

I'm going to miss just one night of the Winter Music Festival, which is this awesome thing they do here in SoBe where they import tons of hipsters to put cards in the windows of every store advertising techno music parties. Paul Oakenfold is here. Some guy named "Mouse" is here. It's quite the thing. You can listen to it on Sirius channel 33. I can't report on what the actual parties are like since I'm not quite that cool, and I'm headed to Boston to talk at the Harvard ABCD meeting this month (which is tomorrow). So if you're at Harvard, I'll see you there. :>

-dave

From dave.aitel at gmail.com Thu Mar 27 16:01:19 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Thu, 27 Mar 2008 16:01:19 -0400
Subject: [Dailydave] Congrats to Charlie Miller ...
Message-ID:

For bringing some old school beef and winning a mac air at cansecwest!

Is safari on the vista box vuln too? After that iTunes update it should be fair game.

From version5 at gmail.com Thu Mar 27 17:51:11 2008
From: version5 at gmail.com (nnp)
Date: Thu, 27 Mar 2008 21:51:11 +0000
Subject: [Dailydave] Congrats to Charlie Miller ...
In-Reply-To:
References:
Message-ID: <28749c0e0803271451n6dbbac75hb7dbc5a4b6fe1a5e@mail.gmail.com>

So apparently all that webkit fuzzing paid off ;)

Was today the final day or is there one more? My money is on the Vista laptop to survive. (Fortunately, I'm a broke student and 'my money' amounts to 14 pence and a bottle cap). Not because nobody has any Vista/IE exploits but more to do with them probably being worth a lot more than 10K

On Thu, Mar 27, 2008 at 8:01 PM, Dave Aitel wrote:
>
> For bringing some old school beef and winning a mac air at cansecwest!
>
> Is safari on the vista box vuln too? After that iTunes update it
> should be fair game.
>

--
http://www.smashthestack.org
http://www.unprotectedhex.com

From nicolas at immunitysec.com Fri Mar 28 06:42:35 2008
From: nicolas at immunitysec.com (Nicolas Waisman)
Date: Fri, 28 Mar 2008 07:42:35 -0300
Subject: [Dailydave] Immunity Debugger v1.5
Message-ID: <47ECCB9B.5080602@immunitysec.com>

Immunity team is proud to present: Immunity Debugger 1.5

This new Immunity Debugger release provides a lot of new scripts and important fixes. New scripts to improve your debugging experience include: gflags, hookssl, and hookndr. The API has been reinforced with new functionality which allows you to gather more information from the remote process, such as Threads, findRetValue. This release also includes some important fixes such as correct Memory Page protection flags, which are also available via the Python API. Check the Changelog below for the details of this exciting release.
As usual, you can discuss your scripts, request new features or just hang out at our forum: http://forum.immunityinc.com.

We would like to thank Teddy Roggers from tuts4you for maintaining a list of Immunity Debugger ported plug-ins that can be found at http://www.tuts4you.com/download.php?list.74

Do you want to hire a hacker? Are you looking for a job? Immunity has extended the Immunity Debugger Advertisement service to hackers, reverse engineers and debugger freaks and it is now free for job seekers! Job seekers can place ads at http://debugger.immunityinc.com/hireahacker.html

Happy debugging (and job hunting)!

Team Immunity

P.S.: If you want to request a feature, show off your script or just chat about Immunity Debugger, Justin Seitz from the Immunity Debugger team will be at CanSecWest for the next three days.

1.50 Build 0

New Features:

- Debugger:
  o Added "Servers" folder with specific PyCommand listeners - for example, hookssl.py will send all the data back to an XML-RPC service using ssl_listener.py, which then has the option to change it and send it back.

- Memory Pages:
  o Working on Windows Vista. Now correct on Windows XP, 2000, 2003.

Immunity Debugger API:
  o Added imm.vmQuery() wrapper [Query Virtual Memory pages]
  o The MemoryPage class has been improved.
    - Protect and Allocation Protect Flags are queried in real-time
    - You can get a human readable flag passing human = 1 to page.getAccess() and page.getInitAccess()
  o Added:
    - searchOnExecute()
    - searchOnRead()
    - searchOnWrite()
    These methods will search in any memory page with access = any combination.
  o Modified:
    - Search()
    - searchShort()
    - searchLong()
    to receive an extra flag parameter to specify memory protection type when searching.
  o Added imm.isAdmin() : is ID running as admin?
  o Added Thread class to debugtypes.py
  o Added imm.getAllThreads() method
  o librecognition.py : Improved REGEXP support for the indexed register search
  o Added Function.findRetValue : Find all the possible values on a Function
  o GFlags class : Handle Windows Global Flags.

PyCommands:
  o gflags.py: Enable/Disable Windows Global Flags
  o recognize.py: Backward compatibility
  o Added hookssl.py
  o Added ssl_listener.py to Servers directory
  o Added hookndr.py: Hooks the NDR unmarshalling routines and prints them out so you can see which ones worked
  o Added nohooks.py : removes all hooks from memory

Bug Fixes:

- Debugger Core
  o The memory page protect information is correctly displayed now.
  o Fixed Second Analysis pass repeated entries bug.
  o Fixed thread state swap issue which was leading to a memory leak.

From alex at sotirov.net Fri Mar 28 06:18:45 2008
From: alex at sotirov.net (Alexander Sotirov)
Date: Fri, 28 Mar 2008 03:18:45 -0700
Subject: [Dailydave] Congrats to Charlie Miller ...
In-Reply-To:
References:
Message-ID: <20080328101845.GA7593@dsl093-068-003.sfo1.dsl.speakeasy.net>

On Thu, Mar 27, 2008 at 04:01:19PM -0400, Dave Aitel wrote:
> For bringing some old school beef and winning a mac air at cansecwest!

Exploited with an OSX port of my heap feng shui library :-)

If anybody out there is still writing heap exploits by trial and error or brute force, they should definitely get out of the stone age and upgrade.

Alex
From rhyskidd at gmail.com Fri Mar 28 06:28:11 2008
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Fri, 28 Mar 2008 19:28:11 +0900
Subject: [Dailydave] Congrats to Charlie Miller ...
In-Reply-To:
References:
Message-ID: <68dd869f0803280328p77b8e461qf4a12c0ac84f4f30@mail.gmail.com>

http://trac.webkit.org/projects/webkit/changeset/31388

On 28/03/2008, Dave Aitel wrote:
>
>
> For bringing some old school beef and winning a mac air at cansecwest!
>
> Is safari on the vista box vuln too? After that iTunes update it
> should be fair game.
>

From arunkoshy at gmail.com Sat Mar 29 01:33:32 2008
From: arunkoshy at gmail.com (Arun Koshy)
Date: Sat, 29 Mar 2008 16:33:32 +1100
Subject: [Dailydave] project idea : an old list made new
Message-ID: <1d0ba3070803282233i193eebe9y44b2869400f9ba5c@mail.gmail.com>

hi folks,

I am wondering if others are missing http://www.cs.cmu.edu/~ralf/files.html .. I certainly do and would really like to start something to document the undocumented (windows / nix / derivatives). Part of this frustration was born out of a short conversation that I'd with a few fellow programmers about the DRIVER_DATA structure (they are all friends who've written stuff that is widely used).. none of us actually knew much more than it holds the next and previous drivers. It would be nice for people to know the unknown via a collaborative effort. I'm unsure if such a project exists ..
so, maybe, it is time for us to renew the efforts of the original RB list. This would avoid a lot of pain for many folks who have to rely on limited networks.

best,
a-./

From dave at immunityinc.com Mon Mar 31 13:10:47 2008
From: dave at immunityinc.com (Dave Aitel)
Date: Mon, 31 Mar 2008 13:10:47 -0400
Subject: [Dailydave] A small fun Python puzzle
Message-ID: <47F11B17.7050303@immunityinc.com>

This is part of our smb file putter. With small files it works great. With larger files, it uses 100% of the CPU and takes forever. Can anyone spot why? (Answer forthcoming, of course)

    while data!="":
        data_to_send=data[:1024]
        success, results=smb_writex(self.s,self.fid,self.uid, self.tid,self.pid,data_to_send,offset)
        offset+=len(data_to_send) #nt4 needs the offset to be calculated correctly on a named pipe
                                  #for a given DCE call - oddly, 2000 and above don't care.
        if not success:
            devlog("msrpc", "Error while writex-ing")
            #close request
            self.fileclose()
            return 0
        #we wrote up to 1024 bytes...
        data=data[1024:]

-dave

From dt-dailydave at handcraftedcomputers.com.au Mon Mar 31 16:34:49 2008
From: dt-dailydave at handcraftedcomputers.com.au (Daryl Tester)
Date: Tue, 01 Apr 2008 07:04:49 +1030
Subject: [Dailydave] A small fun Python puzzle
In-Reply-To: <47F11B17.7050303@immunityinc.com>
References: <47F11B17.7050303@immunityinc.com>
Message-ID: <47F14AE9.5060001@handcraftedcomputers.com.au>

Dave Aitel wrote:
> This is part of our smb file putter. With small files it works great.
> With larger files, it uses 100% of the CPU and takes forever. Can anyone
> spot why?
> (Answer forthcoming, of course)

Depending on the value of "large", I suspect slicing and garbage collection become expensive operations. Given -

import time

def test(l):
    data = ' ' * l
    t = time.time()
    while data != "":
        data = data[1024:]
    return time.time() - t

results in:

>>> for l in [100000, 1000000, 5000000, 10000000]:
...     print '%10d %f' % (l, test(l))
...
    100000 0.006711
   1000000 0.764886
   5000000 28.554786
  10000000 111.738498

(wow - so not linear ...)

An iterative version appears a lot faster (which, admittedly, probably rules out the slicing operation) -

def test2(l):
    data = ' ' * l
    i = 0
    t = time.time()
    while i < l:
        data2 = data[i:i+1024]
        i += 1024
    return time.time() - t

>>> for l in [100000, 1000000, 5000000, 10000000]:
...     print '%10d %f' % (l, test2(l))
...
    100000 0.000320
   1000000 0.003319
   5000000 0.012145
  10000000 0.021329

--
Regards,
  Daryl Tester

"We are sexy, sexy Von Neumann machines."
  -- http://www.xkcd.org/387/
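The puzzle and the reply above come down to one line, `data = data[1024:]`: every iteration builds a fresh string holding everything not yet sent, so an n-byte file costs on the order of n^2/1024 bytes of copying before it is fully written. The following is an added example, not code from the thread or from Immunity's SMB code; it keeps the shape the write loop needs (an offset and a chunk per call), counts how many bytes each strategy materialises so the quadratic growth is visible without a stopwatch, and goes one step beyond Daryl's index-based version with a `memoryview` variant that does not copy the chunks at all. The chunk size of 1024 and the byte-string inputs are assumptions for the demonstration.

```python
"""Chunking a buffer for piecewise sends: quadratic vs linear strategies."""
import time

CHUNK = 1024  # assumed chunk size, matching the loop discussed in the thread


def chunks_by_reslicing(data, size=CHUNK):
    """The pattern from the puzzle: peel `size` bytes off the front each time.

    `data[size:]` builds a brand-new bytes object holding everything that is
    left, so the copy traffic is n + (n - size) + (n - 2*size) + ... which is
    O(n^2 / size).  Returns the (offset, chunk) pairs a write routine would
    consume and the total number of bytes the slice expressions materialised.
    `data` must be bytes; a str would never compare equal to b"".
    """
    out, offset, copied = [], 0, 0
    while data != b"":
        piece = data[:size]
        out.append((offset, piece))
        offset += len(piece)
        data = data[size:]                 # copies every remaining byte, every time
        copied += len(piece) + len(data)
    return out, copied


def chunks_by_index(data, size=CHUNK):
    """Walk the buffer with an offset: each slice copies only `size` bytes, O(n) total."""
    out, copied = [], 0
    for offset in range(0, len(data), size):
        piece = data[offset:offset + size]
        out.append((offset, piece))
        copied += len(piece)
    return out, copied


def chunks_by_memoryview(data, size=CHUNK):
    """Zero-copy variant: memoryview slices alias the original buffer.

    socket.send() and most I/O APIs accept a memoryview directly, so the
    chunk never has to be materialised as a separate bytes object.
    """
    view = memoryview(data)
    return [(offset, view[offset:offset + size])
            for offset in range(0, len(data), size)]


def time_it(fn, n):
    """Wall-clock seconds for fn() over an n-byte constructed buffer."""
    data = b"\x00" * n
    start = time.perf_counter()
    fn(data)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Same sizes Daryl used, minus the largest; the reslicing column is the one
    # that grows roughly 25x for a 5x larger input.
    for n in (100_000, 1_000_000, 5_000_000):
        print(f"{n:>10d}  reslice {time_it(chunks_by_reslicing, n):8.4f}s"
              f"  index {time_it(chunks_by_index, n):8.4f}s"
              f"  memoryview {time_it(chunks_by_memoryview, n):8.4f}s")
```

The byte counts make the difference concrete: for a 2560-byte buffer the reslicing loop materialises 4608 bytes against 2560 for the index walk, and the gap widens linearly with the number of chunks. In the original loop the fix is to keep `offset` as the loop variable and slice `data[offset:offset + 1024]` (or a memoryview of it) instead of shrinking `data`; the `offset` the SMB call already needs is exactly the index the linear version walks.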