2009

Like deja-vu (all over again)

Those of you who were around in 2001 will recall http://anti.security.is (the anti-sec FAQ). The sentiment pops up periodically (in different forms), and it seems that CanSecWest this year has seen a resurgence of it. From Charlie Miller's comments on the Safari bug: “Did you consider reporting the vulnerability to Apple? I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”

Hack Like You Mean It – we’re taking PCI to Vegas

We’ve been busying ourselves with the PCI DSS in one way or another for more than a year now here at SensePost. It's been a frustrating exercise of mixed messages, politics and tokenism, mixed in with a healthy dose of mixed feelings about what the standard offers and whether that's good for anyone at all. Now, finally, we're accredited to do this, that and the other under the standard, so we feel it's time to start speaking our minds on the subject.

Only an idiot will install a beta OS on his primary phone..

And I am that idiot… Developers signed up with Apple's Dev Program get to take iPhone OS 3.0 out for a spin, so that the App Store can have version 3 apps when the new OS launches. A quick download (as quick as it gets in South Africa), a prayer (or ten) during install, and now I too have a phone that can handle cut and paste! (Though admittedly it feels surprisingly fiddly to me at this point.)

CodeGate – 2009

[beistlabs] [CodeGate] has come and gone. A nice write-up of the event can be found [here], with a PDF of the challenges and solutions [here].

Attack Vector based Risk Management?

An interesting post by Michael Dahn at pcianswers.com discusses (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is… there is no spoon. I'm sounding facetious, but the post is actually not bad. But there was another part of the post that caught my eye: the comments about ‘Attack Vector based Risk Management’, or ‘AVRM’. Not much is said about this except:

Defcon 16 Videos Available..

OK. So The Dark Tangent announced this [a few days ago], but I felt it deserved mention because I was genuinely wowed by the video quality. I have only gone through a couple of the presentations, but it's the first time I've found demos videoed well enough to follow perfectly on screen. Readers can pull the videos from [here]; SensePost'ers can pull from [here]. /mh PS. When we did our talk (pictured above) I had almost no voice and a flu from hell.

BiDiBLAH Case Study (Part 1)

With our recent release of BiDiBLAH 2.0, we've decided to revisit some real-world scenarios and the ways BiDiBLAH can deal with them. All the scenarios can be downloaded from the BiDiBLAH home page. Scenario: if an attacker can mine or collect email addresses from our company, he or she can send malware or phishing attacks to those people. But who are these people? And what other sensitive information are we leaking from a particular domain? Solution:

MacBook Pro – Battery RIP

About two weeks ago the battery performance on my machine took a sudden nosedive. Worse than the fact that it started giving me only about one hour is the fact that it's become perfectly unreliable in terms of watching the battery meter (once it reaches about 30% it switches off). Then yesterday I started noticing a wobble on the machine as it sat on my desk. A quick examination this morning shows that the battery has warped completely.

VMware enters the cloud computing fray

BusinessWeek reports that VMware has launched a new product aimed at establishing it as a competitor in the cloud computing space. -snip- Dubbed the Virtual Data Center Operating System (VDC-OS), the software creates a bank of computers, storage devices, and networking equipment that a company can tap at will, as computing needs arise—say, during a December spike in Web traffic for an online retailer. -snip- VMware is the leet, so this should be interesting to watch… it should also be interesting as it is being spearheaded by some ex-Microsoft execs…

Top Ten Web Hacking Techniques of 2008

(aka – Whoot! We are almost famous!!) Jeremiah Grossman's panel of judges (Rich Mogull, Chris Hoff, HD Moore and RFP) hath spoken (or spake), and the top 10 web-hacking techniques of 2008 have been published. Of course, we would be lying completely if we said it wasn't cool to make it into the top 10 (and doubly cool to make it twice in the top 10!).