Some of the DC16 speaker summaries have been posted, and these 2 caught my eye:
Time-Based Blind SQL Injection using heavy queries and
New Tool for SQL Injection with DNS Exfiltration
Both descriptions seem pretty much spot on with what we did in our DefCon talk last year..
hmm.. wonder if it's new twists on it, or a little more of the same?
/mh
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because of the ridiculously high hit rate we have whenever we look at controls with a slight security bent.. When building the presentation i dug up an old advisory we never publicly released (obviously we reported it to the vendor who (kinda) promptly fixed the bug (without giving us any credit at all, but hey.. ))
While the IEBlog promises updates to IE8 that will minimize the damage caused by owned controls in the future, the fundamental problems with ActiveX today are an attacker's dream.
Then you probably should get on this one… [Problems with Random Number Generator]
While it looks like an arb openssl bug, 2 seconds of reading should get you to:
-snip-
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch.
&&
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections.
-snip-
Hello All,
Some of you might remember that I climbed Mount Kilimanjaro two years ago. What you might not know is the REASON I did this (apart from the jol) was to raise funds for CNCF, a Foundation that is a true oasis and a refuge to the street children of Vietnam and Mongolia.
CNCF – The Christina Noble Children’s Foundation is an International Partnership of people dedicated to serving children in need of emergency and long-term medical care, nutritional rehabilitation, educational opportunities, vocational training, job placement and the protection of children at risk of economic and sexual exploitation.
Uninformed has certainly done awesomely at filling in the gap left when phrack went silent, but there is something nostalgic about reading phrack… it seems like issue 65 has just hit the streets..
Whoa! time flies when you're having fun…
from the SourceBoston videos i blogged about:
Dr Geer never disappoints, and kicked it off with the 4 rules on his office wall:
Work like hell, Share all you know, Abide by your handshake, Have fun. If he mentioned anything about foosball or pool.. i woulda sworn blind he was talking about SensePost!
The 2nd quote that was awesome, (during the interview with the l0pht members) was from Dildog.. ex-l0pht, ex-@stake, now Veracode's chief scientist.. The discussion turned to “security companies and snake oil”, and the fact that dildog was a “vendor” again.. With a dry smile that could have been at home in a john cleese movie, he replies:
SourceBoston completed its first conference earlier this month, and some of the slide decks and videos are up..
While the image of the young hax0rs indeed brings back fond memories of surfing blackcrawlarch and trying in vain to get mosaic chat to work in the lounge, it isn't one of the 2 reasons to rejoice..
The chance to watch Dr. Dan Geer's talk (Dr Geer is one of those people who remind you how un-smart you are every time you hear him speak)
And on a mildly unrelated note (for some definition of mild), the fact that all USENIX conference proceedings have been made available freely online.. Rock on!
Apparently the two _are_ mutually exclusive.. [according to the NY Times…]
-snip-
According to the study, published in February in Oikos, a highly respected scientific journal, the more beer a scientist drinks, the less likely the scientist is to publish a paper or to have a paper cited by another researcher, a measure of a paper’s quality and importance.
-snip-
At last year's BlackHat USA a bunch of us played some American geeks a game of late night parking lot football.. Our victory there, and the 6 months of victorious memories from that night filled us with enough false self confidence to take on the SBG guys last night..
While several of us are claiming altitude differences as the root cause of the bad result, those in the game with a keener eye (and longer memory) will long recall that the (almost) final kick of the match was a missed opportunity to equalise that could have been scored by my grandmother (with her wooden leg). (we will not name the culprit who missed this gift-wrapped goal, because i don't want people to know it was me)