Current Topic: Miscellaneous

Topic: Miscellaneous
12:11 pm EST, Nov 24, 2008
Ran across an old document today at work. When SPI was purchased by HP a little over a year ago my boss had me compose a memo about why we needed completely unfiltered internet access. HP IT doesn't like us very much...

Any content filter system, URL blacklist, application gateways, internally facing firewalls, or internally facing IDS/IPS systems that prevent access to any of the resources described below would have a severely adverse impact on SPI Dynamics' ability to test our products and collect knowledge about current and emerging web security trends and techniques.

---

SPI spends time each day reading a variety of websites across the globe, which may or may not be hosted in domains other than .com, .net, or .org, to keep up with the latest security research and techniques. Some of these resources include: major IT news sites, major security sites, industry blogs, and mailing list archives (by visiting the archives we don't have to use an email address to subscribe).

Malicious attackers are often farther ahead than traditional security researchers. As a result SPI researchers visit various resources where attackers discuss their methods. These sites often advocate criminal activity and openly discuss live attacks or specific vulnerabilities in websites or products. Example websites include [REDACTED] and many, many others.

From time to time we visit IRC chatrooms around the Internet to learn the latest security details.

Websites that discuss, advertise or traffic in illegal or illicit materials often contain very sophisticated and non-standard interfaces that use JavaScript, VBScript, Flash and other technologies in unique combinations to try and track what users are doing and protect access to their materials. SPI visits these sites for 2 reasons: they are excellent stress tests of our parsers for JavaScript, Flash, etc., and they also provide insight into how people are trying to use web technologies maliciously. Example illegal or illicit materials include pornography, 0day vulnerability information, root kits, and phishing kits.

SPI routinely visits phishing websites (including legitimate websites that have been compromised) to assess what types of information an attacker is collecting and how the server was compromised.

When interacting with different customers or acquiring new security tools SPI will contact various non-web destinations on the Internet. Examples include FTP servers, SSH servers, Subversion or CVS source code repository servers, and various web servers (SSL encrypted or not) running on non-standard port numbers.

The (legitimate) web security research community is fairly small. SPI routinely uses instant messaging services to communicate with our peers in other companies and in academia. IM allows us to respond to breaking threats (such as web worms like Samy and Yamanner) more rapidly than email. Many in our profession prefer to use encrypted channels for instant messaging so the conversations cannot be logged by inline devices.

SPI has various test websites set up external to the company (such as atlantahacker.com) which we use for demonstrative purposes when access to internal SPI test sites is not practical or is impossible. SPI will scan these sites from inside SPI from time to time as well as we develop them. As a result SPI is sending attack traffic out into the Internet.

SPI performs large search engine queries and visits a sampling of sites to understand the scope of a vulnerability and the number of affected platforms. These so-called Google Hacks can sometimes set off intrusion detection systems that are monitoring SPI's outbound traffic.

Art collecting and yelling

Topic: Miscellaneous
8:56 pm EST, Nov 23, 2008
"From the world of art collecting and yelling..." John McEnroe: "Why isn't there any good art in here?"
I. Love. 30 Rock.

Some thoughts on security after ten years of qmail 1.0

Topic: Miscellaneous
10:43 am EST, Nov 23, 2008
The qmail software package is a widely used Internet-mail transfer agent that has been covered by a security guarantee since 1997. In this paper, the qmail author reviews the history and security-relevant architecture of qmail; articulates partitioning standards that qmail fails to meet; analyzes the engineering that has allowed qmail to survive this failure; and draws various conclusions regarding the future of secure programming.
Is security too sexy to leave?

Virgil Griffith, Internet Man of Mystery

Topic: Miscellaneous
12:32 pm EST, Nov 21, 2008
Girls hang on Virgil Griffith. This is no exaggeration. At parties, they cling to the arms of the 25-year-old hacker whose reason for being, he says, is to "make the Internet a better and more interesting place." The founder of a data-mining tool called WikiScanner, Griffith is also a visiting researcher at the mysterious Santa Fe Institute, where "complex systems" are studied. He was once charged, wide-eyed rumor has it, with sedition. No wonder girls whisper secrets in his ear and laugh merrily at his arcane jokes.
Virgil is, without a doubt, a hacker rock star.

An-arrgh-chy: The Law and Economics of Pirate Organization

Topic: Miscellaneous
4:37 pm EST, Nov 19, 2008
This article investigates the internal governance institutions of violent criminal enterprise by examining the law, economics, and organization of pirates. To effectively organize their banditry, pirates required mechanisms to prevent internal predation, minimize crew conflict, and maximize piratical profit. Pirates devised two institutions for this purpose. First, I analyze the system of piratical checks and balances crews used to constrain captain predation. Second, I examine how pirates used democratic constitutions to minimize conflict and create piratical law and order. Pirate governance created sufficient order and cooperation to make pirates one of the most sophisticated and successful criminal organizations in history.

Coding Horror: Please Give Us Your Email Password

Topic: Miscellaneous
10:36 am EST, Nov 18, 2008
Number one with a bullet: your email account is a de-facto master password for your online identity. Most -- if not all -- of your online accounts are secured through your email. Remember all those "forgot password" and "forgot account" links? Guess where they ultimately resolve to? If someone controls your email account, they have nearly unlimited access to every online identity you own across every website you visit.
If the Sarah Palin email hack taught us anything...

WEB APPLICATION AUDITING BASED ON SUB-APPLICATION IDENTIFICATION

Topic: Miscellaneous
2:30 pm EST, Nov 17, 2008
Abstract: A web application is more efficiently analyzed by identifying the sub-applications used to generate the various web pages available at the web application and then limiting the vulnerability assessment to just a subset of the web pages generated by each sub-application. The sub-applications can be identified by detecting similarity between the web pages, based on the user interface presentation, the inputs required or allowed, or both. For the user interface presentation, the markup language used to generate the user interface is reduced to common markup language elements by removing content, attribute values and white space and then determining the edit distances between the various pages. Small edit distance values indicate similarity and, thus, pages likely generated by a common sub-application.
Inventors: Caleb Sima (Woodstock, GA); William M. Hoffman (Atlanta, GA)
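An added example, not code from the patent or the post: a Python sketch of the similarity step the abstract describes, reducing each page to its markup skeleton (tag and attribute names only, with content, attribute values and whitespace dropped), computing the edit distance between skeletons, and grouping pages whose distance is small as one sub-application. The sample pages, the threshold of 2 and the function names are my assumptions.

```python
from html.parser import HTMLParser

class _Skeleton(HTMLParser):
    """Reduce markup to tag names plus attribute names; text, attribute values
    and whitespace are dropped, as the abstract describes."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        names = " ".join(sorted(a for a, _ in attrs))
        self.tokens.append("<%s %s>" % (tag, names) if names else "<%s>" % tag)

    def handle_endtag(self, tag):
        self.tokens.append("</%s>" % tag)

def skeleton(markup):
    p = _Skeleton()
    p.feed(markup)
    p.close()
    return p.tokens

def edit_distance(a, b):
    """Levenshtein distance between two token sequences (classic O(len(a)*len(b)) DP)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def group_pages(pages, threshold=2):
    """Greedy single-linkage grouping: a page joins the first group holding a page
    whose skeleton is within `threshold` edits. Each group approximates one
    sub-application, so an auditor can scan a few representatives per group."""
    skels = {url: skeleton(markup) for url, markup in pages.items()}
    groups = []
    for url, sk in skels.items():
        for g in groups:
            if any(edit_distance(sk, skels[u]) <= threshold for u in g):
                g.append(url)
                break
        else:
            groups.append([url])
    return groups

PAGES = {  # constructed sample crawl: two pages from one template, one static page
    "/product?id=1": '<html><body><h1 class="t">Widget</h1><form action="/cart"><input name="id" value="1"></form></body></html>',
    "/product?id=2": '<html><body><h1 class="t">Gadget</h1><form action="/cart"><input name="id" value="2"></form></body></html>',
    "/about": '<html><body><h1>About</h1><p>We sell things.</p><ul><li>a</li><li>b</li></ul></body></html>',
}
```

Running `group_pages(PAGES)` puts the two product pages in one group and the about page in another, so the assessment can spend its budget on one representative of the product template instead of every product id.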

Confidential Document Fight Club

Topic: Miscellaneous
10:08 am EST, Nov 17, 2008
The first rule of Confidential Document Fight Club is you cannot acknowledge the existence of Confidential Document Fight Club.

Syscan - Next Generation .NET Vulnerabilities.pdf

Topic: Miscellaneous
11:21 am EST, Nov 14, 2008
Pretty cool analysis. The "ASP.NET's ValidateRequest stops XSS so it's up to the dev to mess it up" is incorrect. Ignore esoteric attacks like double/triple encodings, etc. Let's do something basic.
" onmouseover="alert('xss')
ValidateRequest does not stop attribute injection attacks.
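An added example, not code from the Syscan paper or the post: a Python sketch that approximates the ValidateRequest dangerous-string check, shows why the attribute payload above passes it, and shows that HTML attribute encoding at the point of output is what actually closes the hole. The regex is my reconstruction of the check, not Microsoft's code, and the input element and helper names are constructed.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: this regex approximates the dangerous-string test ASP.NET request
# validation applies to input. It is my reconstruction, not Microsoft's code: it
# flags '<' followed by a letter, '!', '/' or '?', and the '&#' entity prefix.
DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")

def validate_request(value):
    """True when a ValidateRequest-style filter would accept the value unchanged."""
    return DANGEROUS.search(value) is None

def render_vulnerable(value):
    """Constructed page that reflects input straight into a quoted attribute."""
    return '<input type="text" name="q" value="%s">' % value

def render_hardened(value):
    """Same page with attribute encoding at the point of output: the quote in the
    input becomes &quot; and can no longer terminate the value attribute."""
    return '<input type="text" name="q" value="%s">' % html.escape(value, quote=True)

class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def event_handlers(markup):
    """Names of on* attributes a browser's parser would see on the rendered element."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return [name for name, _ in p.attrs if name.startswith("on")]

# The payload from the post: it contains no '<', so request validation accepts it.
PAYLOAD = '" onmouseover="alert(\'xss\')'
```

`validate_request(PAYLOAD)` is True and `event_handlers(render_vulnerable(PAYLOAD))` reports an injected `onmouseover`, while the hardened renderer yields no handler at all, which is the point: input validation is a backstop, contextual output encoding is the control.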

Topic: Miscellaneous
4:35 pm EST, Nov 9, 2008
Today I ended up getting Kilz primer on my leather office chair. And I didn't notice the white paint on black leather for a few hours. Needless to say I thought I had ruined it. Then, I came across some advice on the Internet. Unlike most advice or opinions on the Internet this was not anatomically impossible! Simply use olive oil and paper towels. Surely this couldn't work! But the next step was astringent and shoe polish so I took a swing. Sure enough, with a little bit of elbow grease the olive oil took the Kilz primer right off the leather, leaving everything else intact. Freaking amazing! Thank you Internet. You bring me pr0n, SQL injections, and household cleaning advice! Oh yeah!