If you like this, you can use flattr. ;)
- Quickpost: Inspiring Windows software profilers and checkers
- 0x41 - back to bugs
- low footprint/hardware assisted virtualization with Linux and GrSec
- Postfix troubleshooting - a security nightmare
- New content soon
- 0x41 - (weekly) exploitation matters - Vista Heap, scripting debuggers with debug libs and how to learn to use that knowledge
- 0x41 - weekly exploitation matters - Shellcode and frameworks
- Explicit and implicit security in software development - measures and change
- 0x41 - weekly exploitation matters - Heap overflow fundamentals
- 0x41 - weekly exploitation matters - About
- wishinet: checking out GDB with Dtrace support for OS X... (1.9.2). Should be interesting.
- wishinet: RT @bfoo: Worth reading: http://merbist.com/2010/08/22/discussion-with-a-java-switcher/
- wishinet: nächstes Jahr Taikai in Nürnberg (http://www.taikai.de/) - und nu aus Nürnberg total groggy in die Falle! ;)
UnprotectedHex - about formal software verification
Sean's blog
Xecurity - a security feed collecter
Reddit RCE group
Freedom To Tinker
Emergent Chaos
Woodmann RCE forums
OpenRCE community forums
SecViz - security data visualization
DAVIX Live - for security metrics
Hex Live
Security Metrics
Immunity's Free Software
Core Security's OpenSouce research
Zynamics Blog
So fast - So weekly: upcoming and interesting!
Wed, 11/26/2008 - 22:11 | wishi
txt
cheesy certs suck ;) - make your own way!
Upcoming 25c3 - nothing to hide: DAVIX workshop
Finally someone managed to publish a early beta of the 25c3 program. Expect the DAVIX workshop. If you're interested in how to do packet analysis in visual and pragmatic way... maybe Jan and I can inspire you. I don't have any experience how to do a workshop at a conference, but Jan did this at Defcon and Blackhat as far as I know. So... you'll get a well defined workshop in any case. Even if you don't like what I do and write here or elsewhere.
It'll be fun! I guarantee. And if you want to have security specific inputs... I have got tons of material and research stuff. Believe it. That's one of my passions!
The art of zen - webcast with Paul
Zenhacker Paul shared his wisdom with us. I always like Core's webcasts. And I like Paul's materials and podcast. And Larry's of course. Seriously: the stuff is good. A little too basic here and there. But the "Allowance Document" to prevent problems during a penetration test is worth looking at. That's in the forums. Thing is: in a company I worked for, and I have reasons not to mention the name, a lawyer made these documents. He put lots of effort into these, but in the end huge problems occurred when we found illegal material at a director's laptop, that was running Windows 2000.
But in any case: permission saves your ass! Get that! Every time! Or you suck!
CSI 2008 presentations
From the pauldotcom mailing list bytebucket mentioned: the CSI 2008 slides are there. Brilliant...
Harvard C - secure programming
Here's a selected presentation of a Harvard C course: get it. It's about secure programming. The whole stuff is here. If you take a look at the notes, you'll find some truth about stack smashing, heap overflows and stuff, that normally no one tells students. I never understood why universities failed in teaching that. And now I feel in a very competent company NOT understanding this and seeing this as a failure! Every C programmer has to know that! If you hide this knowledge, failures will be made and exploited. The first layer of security has to be the code itself! The deepest and most effective answer.
Cerias security seminar videos
int bad_idea(char *buf, unsigned int size) {
int length;
if () {
length = -ERROR_CODE;
} else {
length = size; // substitute any operations that could overflow the signed int
}
return length;
}
int bad_idea(char *buf, unsigned int size) {
int length;
if () {
length = -ERROR_CODE;
} else {
length = size; // substitute any operations that could overflow the signed int
}
return length;
}
From the feed... very funny I think.
But they even have got more sophisticated stuff: The Role Graph Model and its Extensions by Sylvia Osborn from the University of Western Ontario. It's from a very interesting series available here.
The Role Graph Model was first introduced by Nyanchama and Osborn in 1994. It has been extended over the years to include parameterized roles, an administrative model and a delegation model. We will show how the semantics of our role graph operations differ from those of the ANSI standard. Then we will discuss how to simulate DAC, and how the underlying basic model helped us to understand and expand the model to deal with delegation. The present and future of RBAC will also be discussed.
The other interesting seminar video was from the same archive, and you can find it here.
Steganography is a discipline of computer science whose aim is to conceal the existence of information. Steganography synergizes various technologies including data compression, digital signal processing, information theory, data networks, cryptography, coding theory, and the human audio and visual system. Strap on your seatbelt. I will present some key concepts of steganography, describe a number of basic and advanced spatial and transform domain techniques (with lots of pictures and sounds for the “attention-challenged”), and demonstrate these techniques using custom steganography software. The demonstrations include a Least Significant Bit (LSB) technique, High-Capacity Hiding in Jpegs, and time modulation in audio.
The stuff is not hard to understand. We're at the beginning at the information age. There'll be stuff - very complex - in future. And computer scientists will giggle while looking at all of us, like we do while reading about approaches from the 60ies. Nevertheless nowadays that stuff rocks! Well presented, well done. I like this feed - I guess I live today, don't I?
Lost in a wood of certs
The last week I made a cert. *proud* Haha! I have got a reason to ask for more money. I'm a certified forensic (expert). Whohoo!
Finally someone mentions to all people new in InfoSec world: Not all certs are important. No! CEH is a big collection of shit! If you ask me that's for kids. CISSP exam is focusing communication skills. For the reason: you have to do this. Management doesn't care whether you use Nessus or something you wrote on your own. They want to be addressed. - That's much more important. GSEC, is similar, but more technical. A CISSP exam isn't really deep into penetration testing. And if you can avoid any Cisco stuff. MS certs are important if you're focusing on small companies, but the big ones just care for specialized people. And not into MS, which doesn't scale for huge tasks. Even if there are some local administrator who tell you MS is important. You have to be able to use that, to penetrate it. But nobody wants you to make magical masterpieces with it. Just know it.
There are a lot of security certifications, ranging from entry level to advanced and from very general to focused on specific areas of security. Some security certifications include a focus on hands on skills whereas others entirely dismiss them. Picking the top three is bound to be controversial, and certainly (polite) feedback on my choices of the top three security certifications is invited.
I guess he just forgot about DLP and data recovery as an aspect for pentesting ;). And Flash forensics (Smartphones) is important. But of course pentesting makes much more noise. Forensic investigation is silent, but it kicks ass!
Yeahr... I've got thousands of interesting articles, new tools, new material. But I just filtered out the best stuff. Have fun with that!
wishi
Post new comment