Bitland.Net Security Notes            Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page
RSS feed available at http://www.bitland.net/index.rss


Conducting interviews  |  (2007/11/16 13:50)

I haven't interviewed anyone in a long time, but I had a thought today. The next time I do one, I'm not going to ask any coding questions or logic problems. Instead I'm going to ask a series of questions like:
  • vi or emacs?
  • How do you prefer to arrange your source repository and what SCM do you prefer?
  • Python or Ruby or?
  • Favorite programming font?
  • Tabs vs spaces?
  • Braces on the end of the line or on a new line and how do you indent?
And follow those up with an open-ended "why?". If they can give a decent answer, the content will probably be irrelevant, or something that you've already heard, but the more I talk to bad developers, the more I realize how little they care about the environment in which they program. In contrast, the more I talk to really good developers (and the closer I approach that status) the more I see how much attention they pay to the smallest things in their environment and how that increases their productivity. They care about the code they are writing and they do the maximum to make it easy to focus on that code. They have an opinion on the interminable debates such as vi vs emacs and BSD vs Linux. It doesn't matter whether we agree on editor choice because as long as they had a reasonable answer to why, they're more likely to churn out decent code than the guy who can whiteboard a quicksort. (Though it's known as the One True Brace Style for a reason...)


Ruby's equivalent of Python's setattr  |  (2007/09/17 17:52)

I am still really new to Ruby but I'm jumping in with both feet. As a result I figured out metaprogramming before I knew what the ! operator did. Anyway, I was trying to find out the equivalent of Python's setattr when I came across Hal Fulton's 'An Exercise in Metaprogramming with Ruby'. That and some hints from a ruby-talk thread on attr_accessor allowed me to translate this Python code I'd written for dealing with MySpace profiles from:
print "Getting Profile Nodes.."
# Each MySpace profile section lives in a <td> whose id names the section
for p in ['ProfileMusic', 'ProfileGeneral', 'ProfileBooks', 'ProfileHeroes']:
  try:
    v = self.soup.first('td', id=p).string
    setattr(self, p, v)
  except AttributeError:
    # first() returned None: this profile has no such section
    setattr(self, p, None)
Into this Ruby:
# Hpricot: walk every <td> in the parsed page
(page/"td").each do |t|
  tid = t.attributes['id']
  # Only cells whose id starts with "Profile" hold a profile section
  if /\AProfile(.+)/ =~ tid
    # Turn the rest of the id into an attribute name, e.g. "Books/Films" -> "books_films"
    pname = $1.downcase
    pname = pname.gsub(/[ \/]/, "_").gsub(/[^\w]/, "").squeeze('_')
    instance_variable_set("@"+pname, t.inner_html)
    # Define a reader/writer for the new variable on this object only
    eval("class << self; attr_accessor :#{pname}; end")
  end
end
The Ruby uses Hpricot instead of BeautifulSoup, but is more generalized and OO-ish. I'm a little uncomfortable with the security of the eval, but the technique is useful and I couldn't Google a better solution. If you have something better, let me know.
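As an added example (not the post's own code), here is the same dynamic-accessor trick without the eval: the sanitized name is passed to attr_accessor on the object's singleton class as a Symbol, so no text taken from the page is ever parsed as Ruby source. The Hpricot nodes are replaced by a constructed array of [id, inner_html] pairs (hypothetical ids) so it runs offline.

```ruby
class Profile
  # Map a <td id="..."> value such as "ProfileMusic" or "Profile Books/Films"
  # to a safe Ruby identifier, or nil if it is not a Profile node.
  # Only [a-z0-9_] survive, so nothing from the page can carry syntax.
  def self.attr_name_for(tid)
    return nil unless tid && tid =~ /\AProfile(.+)\z/
    name = $1.downcase.gsub(%r{[ /]}, '_').gsub(/[^a-z0-9_]/, '').squeeze('_')
    name = name.sub(/\A_+/, '').sub(/_+\z/, '')
    return nil if name.empty? || name =~ /\A\d/  # not a legal method name
    name
  end

  # nodes: array of [id, inner_html] pairs standing in for Hpricot's (page/"td")
  def initialize(nodes)
    @fields = []
    nodes.each do |tid, html|
      pname = Profile.attr_name_for(tid)
      next unless pname
      instance_variable_set("@#{pname}", html)
      # attr_accessor on the singleton class has the same effect as the
      # eval'd "class << self; attr_accessor :x; end", but the name is a
      # Symbol argument, never parsed as Ruby source.
      singleton_class.send(:attr_accessor, pname.to_sym)
      @fields << pname
    end
  end

  attr_reader :fields
end

# Constructed sample input (hypothetical ids); the third id contains
# characters that would be trouble if interpolated into an eval string.
SAMPLE_NODES = [
  ['ProfileMusic',        'Jazz'],
  ['ProfileBooks/Films',  'Neuromancer'],
  ['Profile;system("x")', 'odd id'],
  ['Navigation',          'ignored'],
  [nil,                   'no id'],
]

def build_sample_profile
  Profile.new(SAMPLE_NODES)
end

if __FILE__ == $0
  prof = build_sample_profile
  prof.fields.each { |f| puts "#{f}: #{prof.send(f)}" }
end
```

singleton_class needs Ruby 1.9.2 or later; on older Rubies `(class << self; self; end).send(:attr_accessor, ...)` does the same thing.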


IEs4Linux  |  (2007/06/24 13:30)

Check out IEs4Linux, a really easy to install set of Internet Explorer versions that will run on Linux under Wine. The build includes IE5, 5.5 and 6.


Switching  |  (2007/06/17 16:45)

So I've made the switch, though not the one that most people in the security industry have made. Instead of going to Apple, I've gone to Ubuntu.

I used to use FreeBSD way back in the day, but switched to OpenBSD as my preferred Unix sometime in late 1996 or early 1997. I always had a PC running some version of Windows as well since there was always something I needed or (post vmware) that didn't quite work in a VM.

I made a couple of forays into the Linux world, but various things just didn't work properly. RedHat *almost* got it right, just before they abandoned desktop Linux and spun off the Fedora project. Mandrake got my hopes up for a little while and I had a file server using Loop AES that was a major improvement over my prior OpenBSD/cfs setup. But there was always some major issue with desktop Linux that made it unbearable for me. And while OpenBSD and FreeBSD were OK, they just didn't keep up with the apps I wanted. (For instance, OpenBSD gave up on VMWare ages ago and VMWare 3 is the latest they seem to support.)

I looked seriously at the Mac laptops, but the screen resolution and weight factors just didn't compare to PC laptops. The latest screens have some promise, but I've gotten pretty offended by Apple's treatment of the security community (Maynor et al.) and their relationship with the RIAA/MPAA and their stance on DRM. (BTW, if you can get a DRM fix out in hours, you can do the same with security fixes...). But I digress ...

I've been running Ubuntu on my laptop (a Thinkpad X60 Tablet) and I can't say how much I like it. No major problems. VMWare 6 works beautifully. Disk crypto (in the form of Loop AES and TrueCrypt) are both happy. Video is solid. Drivers, including the one for my pre-N wireless card, work. The only thing that doesn't work is the pressure sensitivity for the pen interface in virtual machines, and that *does* work if I plug in a USB tablet instead of using the built in tablet, which isn't as good as the external Wacom tablet I use anyway...

Given my experience, I'm probably days away from killing my last physical Windows box and moving to Windows in VMs only.

OpenBSD will continue to be my server OS and run my mail/web servers, but I have to say that desktop wise, Ubuntu is my favorite.


Fixing the Firefox profile selection dialog  |  (2007/05/18 14:00)

If you have a bunch of profiles, then the non-resizable profile selection dialog that pops up when you launch Firefox is a bit of an annoyance. To fix this:

On *nix - edit /usr/share/firefox/chrome/toolkit/content/mozapps/profile/profileSelection.xul around line 91 so the listbox reads:

<listbox id="profiles" rows="10" seltype="single"
    ondblclick="onProfilesDblClick(event)"
    onkeypress="onProfilesKey(event);">
</listbox>

On Windows you have to jump through a few more hoops. Go to \Program Files\Mozilla Firefox\chrome and unzip toolkit.jar, then edit content\mozapps\profile\profileSelection.xul the same as above. I also changed the dialog style (around line 60) to read:

  style="width: 30em; height:400px;"

Then re-zip using store instead of deflate and replace the existing toolkit.jar file.

You can also download my firefox-2-toolkit.jar, if you don't want to do it yourself. All Firefox sessions have to be closed in order to replace toolkit.jar.


Glitch Attacks and Amateur Cryptographers  |  (2007/05/11 12:05)

Nate's blog (rdist) talks about Glitch Attacks and links to some good papers on the topic. Basically, this is probably the most interesting general purpose cryptographic attack technique to come about in the past few years. By introducing fluctuations to the power supply or clock you can make the CPU execute a number of wrong instructions. If you can do this, you can recover a DES key with between 1 and 10 faulty ciphertexts. You can factor an RSA key with one.

The most fascinating thing is that this technique seems to have originated with the pay-tv hacking community, not from academics or conventional crypto researchers.


A Positive Review for ProxMon  |  (2007/04/03 23:57)

Andre Gironda had some kind words for ProxMon, saying "Last month was web application security awareness month. Just as I predicted, probably some of the best tools for this year were released.
Jikto (Billy Hoffman, SPI Dynamics) being #1 and ProxMon (Jonathan Wilkins, iSEC Partners) being #2. Or maybe flip that ordering."

Thanks Andre!


Official Release  |  (2007/04/03 23:55)

I've been on the road for a couple weeks now with unreliable net access but last Friday ProxMon was officially released at Black Hat EU.


CanSecWest 2007  |  (2007/03/14 20:35)

ProxMon was accepted for CanSec this year, so I'll be speaking there as well. That's perfect because I've been missing Vancouver lately.


ScarabMon has been renamed ProxMon  |  (2007/03/14 19:35)

When I started the project, it was just a couple of quick scripts that parsed the WebScarab log directory. Then I discovered that a couple of my co-workers had similar tools and I realized that there must be tons of auditors doing the same thing and so I started thinking about how best to generalize and simplify these scripts. Before long I was staying up until 4am every night hacking on the tool and finding ways to abstract everything.

I started looking at supporting other proxies a little while ago and have a couple cool demos for BlackHat planned.

The upshot is that the proxy interface is pretty well defined now and since I'm not just targeting WebScarab a rename made sense.

I've also decided on hosting. The tool will be up at Google Code because they have a nice wiki/bug tracker and support for subversion.

ProxMon's home @ Google Code

The one thing they don't have is a way to track downloads, so the distributions will be released off the iSEC tools page. It will be available the day I speak, which will be March 30th.


GMail supports perl style regex  |  (2007/02/26 19:35)

I knew that Google's Code Search supported regex style searches, but I didn't realize that GMail did too.

Gmail supports a slightly different syntax than Code Search though. It's the Perl syntax, so, if you're reading this, there's a good chance you're familiar with it. If not, you can read about Perl regex syntax.

As an example, if I want to quickly check that nothing related to my upcoming talk has been thrown in the spam filter (which it had, argh), but I didn't want to hear about Windows Vista warez, I could do:
blackhat OR scarabmon in:spam -/windows vista.*download/
A quick search on Google doesn't show anything useful in the first few entries, so I'm posting this in hopes of letting people know.

PS: for a great intro to Google's Code Search, check out Dug Song's Static Code Analysis Using Google Code Search.

UPDATE: I was wrong about standard Google search; it's just Gmail.


ScarabMon at BlackHat Europe  |  (2007/02/19 18:00)

I've been working on a new tool for automating web application penetration tests and I'll be presenting it at BlackHat Europe 2007.

You can check out the ScarabMon abstract.

I hope to have the web site up soon, but if you have questions, just email me (jwilkinsatbitlanddotnet). I'll also be looking for beta testers pretty soon.


Fourmilab Releases Ent - Randomness Testing Utility  |  (2007/01/20 17:00)

Ent is available here and looks like a good alternative to Diehard or the NIST STS suite.


IE not much better in 2005 or 2006  |  (2007/01/10 16:45)

Brian Krebs' Security Fix blog did some follow-up on the scanit.be report on 2004.

Apparently IE fared slightly better in 2005 and 2006, but not remotely well enough.

IE had 109 days where it was *not* vulnerable to a published exploit. For more than 2/3 of the year, you were simply screwed if you were running IE.
Even worse, it was known to be vulnerable to actively exploited vulnerabilities for 38 days.

2006 was worse again, though not quite as bad as 2004. In 2006, a fully patched IE was only safe from published vulnerabilities on 81 days of the year.

Overall, if you were running IE from 2004-2006, you would have been in danger 898/1095 days and only safe on 197 days.

I didn't see similar statistics for Mozilla for the same period in Krebs' posts, so I hope he does a follow up post.
