tssci security

Weaponizing Noam Chomsky

I wanted to ask Dan Kaminsky, who btw is a brilliant presenter (more below), about doing grammar and writing style analysis to determine who wrote a paper. I can see the techniques as potentially having forensic uses. Don't ask me what his talk was about; I would not be able to recall any useful details. Here is what his talk description stated:

Weaponizing Noam Chomsky, or Hacking with Pattern Languages There is no man page for the English language, but kids pick it up anyway (more or less). There is deep structure hidden inside every human generated language, especially those we intend to fuzz. I will discuss and demonstrate new, useful, and purty purty tools for rendering complex patterns automatically, potentially in realtime, and breaking things with it. New toys will be released, including a generic XML fuzzer (rawk!).

This was my first time seeing Dan talk, and it was very entertaining and surprising to watch him react and respond to questions from the audience. No matter how annoying or frequent the questions were, he was quick on his feet (even after drinking four beers) to counter-attack.

ShmooCon 2007 - Lab Day 1

We got our NOC up and running. Critical services have been set up for the most part, and we'll be doing some tuning today. As we all know, things don't always work the way you want, and that's what we're currently working through today. To anyone here at the con: don't log in to any services over clear text, and try to use pub certs wherever possible. If in doubt, just remember that we are at a security con, and we're doing full packet dumps. Just a friendly reminder.

I'll be hitting up the NoVaSec meeting with Landon from Digital Bond and also the pod/vid casters meetup at room362. So, if you're in town, feel free to meet us there. I've been having a great time at ShmooCon so far, and everyone I met has been really cool.

Phoenix catalyst meetup, ShmooCon

Tonight I had a great time hanging out with Michael Santarcangelo of Security Catalyst, Andre Gironda, Erich Newell and Adam Muntner. There were a bunch of other guys (and Grace!) there, but I apologize for not remembering your names. It was fun talking, though! Gotta watch out for that one dude's company, which has had a bunch of weird deaths like cancer and dead people lying in their house for a week at a time... LOL

Anyways, I'm getting ready to go to ShmooCon/Labs out in Washington D.C. this week(end). I look forward to meeting Richard Bejtlich, Landon from Digital Bond and Martin McKeay, and to attending the NoVaSec meeting. If you wanna meet up, post a comment here, send me an email, or call my cell phone. Also, try and make it to the ShmooCon meetup in Room362. I will also be playing tourist with my buddy Daniel, the security admin at our school, UAT. We'll try and check out the International Spy Museum and also the Smithsonian National Air & Space Museum.

I cannot wait; this conference is going to be awesome. See you guys there.

Incompetent blurring

While chatting in #snort-gui today, somebody noticed Gizmodo was showing off their ticket to Apple NAB. You can see they blurred the Name, Company and barcode on the ticket. Whoever did this did a poor job, because they didn't blur the name on the right-hand side. What was the point of blurring it? Not to mention, some reported seeing the barcode show up crystal clear in their RSS reader. A quick check of the image location showed it linked to http://gizmodo.com/assets/resources/2007/03/nab_appleevent2.jpg.

Like anyone would, I deleted the '2' from the image file name and checked out what the image was. Sure enough, the image showed up with the barcode in the clear.

They fixed the problem, but not before a couple of us snagged a copy.

Are we taking vulnerabilities less seriously?

The OpenBSD IPv6 Remote DoS vulnerability has sparked debate and strong reaction on whether denial-of-service is a security vulnerability or not. Let's go back to the fundamentals we all learned early on: C-I-A, Confidentiality, Integrity and Availability. We can have the most secure systems in the world by disconnecting them from everything and making them unavailable, both on the internet and physically. What good does this do for us?

Some may not see a DoS as being as serious as, say, remote execution or privilege escalation, but in many industries availability is more important than confidentiality or integrity. What happens when medical systems are unavailable, or an online store's web site goes down? Availability of the systems is just as important as their confidentiality and integrity, and thinking of availability as some luxury we can do without makes having confidentiality and integrity pretty pointless.

Michael Howard posted his thoughts on judging Windows Vista security, which has received criticism from Slashdot and ComputerWorld, and MSRC stated it will not change how it rates vulnerabilities because of underlying technology. Lowering the criticality of a vulnerability because of some preventative technique in use is a bad idea in my opinion. Richard Bejtlich stresses the point, and Joanna Rutkowska stated it in her recent Dark Reading interview: "prevention eventually fails." The technologies in Vista that are supposed to prevent such vulnerabilities from being exploited will themselves eventually be bypassed. The question then becomes, what do we do next? Let's not play the semantics game and just stick to fixing the issues in a timely manner.
