Current Topic: Miscellaneous

Thanks to my messengers!
Topic: Miscellaneous 10:25 pm EST, Nov 27, 2007

It only took about 8 hours before I started getting SMS messages telling me that joining the Borg was inevitable and that resistance was futile.

Divide, KP, Thank you for being my messengers!


Quotes at Work
Topic: Miscellaneous 5:19 pm EST, Nov 27, 2007

Billy: [reading an RSA 08 flyer] "What would Alan Turing Do?"
Mark: What *wouldn't* Alan Turing do?
Billy: Yeah, well, that's kind of why he's dead.

How fucking pompous is it for RSA to postulate what Alan Turing would or wouldn't do?


What's the good word?
Topic: Miscellaneous 3:52 pm EST, Nov 26, 2007

From:
Date: Nov 26, 2007 11:52 AM
Subject: [Full-disclosure] To Hell With Georgia
To: full-disclosure@lists.grok.org.uk

UGA may have beaten Georgia Tech this year in football but just
listen to what their website has to say:

http://www.uga.edu/cgi-
bin/ldap?name=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%27%54%6F+%4
8%65%6C%6C+%57%69%74%68+%47%65%6F%72%67%69%61%27%29%3C%2F%73%63%72%6
9%70%74%3E&submit=Go&ouo=%3Duga&searchtype=cn

I've URI-encoded the injected script as to not spoil the surprise
(benign XSS).

Go Jackets!!!

-George P Burdell

To the Georgia Tech Alumni on Memestreams. What's the good word? To Hell With Georgia!

PS: It looks like George never got the message that Hushmail isn't so secret...



Heys, I has a XSS W0rm
Topic: Miscellaneous 11:50 pm EST, Nov 14, 2007

I knew it was only a matter of time before I had to start filtering out poorly written and technically incompetent XSS "0day" posts on WebAppSec. I just hoped it would have lasted a little longer.

This attack is known as 0day because it has just been reported to public and this is first day of public vulnerability, and 0day means 'published.'

... [sigh]

There is so much wrong with this sentence my head might just explode.


Silver Bullets and the Network Werewolves
Topic: Miscellaneous 10:30 pm EST, Nov  8, 2007

That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers?

I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security.

HAHA! I've enjoyed Richard Bejtlich's humor for a while now, but this was too good not to post.

Kidding aside, Richard raises a good point that nothing in security is a silver bullet. Not an application, not a WAF, not WebInspect, not security as a service, nothing. Security must be layered, composed of many and varied products and defenses. Anyone who says otherwise is a charlatan.



Ajax Security is more than an Increased Attack Surface
Topic: Miscellaneous 1:19 pm EST, Nov  7, 2007

And while over 2/3 understand that Ajax applications have an increased attack surface, many of the comments showed that some people believe Ajax security is just about an increased attack surface.

Let me assure you, if Ajax Security was only about an increased attack surface two things would have happened:

1. Addison Wesley wouldn't have asked me to write a 500 page book about it
2. Bryan and I would have finished a long time ago :-)

There are many issues surrounding Ajax Security and hopefully this piece will help people see the bigger Ajax Security picture.

A little peek into some of the many topics we cover in Ajax Security, our book on all things Ajax.

Hopefully this little taste shows you that there is far far more to Ajax Security than some JavaScript eye candy and an increased attack surface. Developer, QA professional, and hacker alike will all find Ajax Security an enormously powerful resource to help design, build, test, and hack Ajax applications.



Trophy Wives and the Blue Wall of Silence
Topic: Miscellaneous 1:56 pm EST, Nov  6, 2007

Friends and relatives of Stacy Peterson, 23, say her disappearance is suspicious.

Her husband of four years, Bolingbrook police Sgt. Drew Peterson, 53, reportedly has told police his wife said she was leaving him for another man, and police are not treating the disappearance as a criminal investigation.

...
23 - 4 = 19
53 - 4 = 49

Since when do cops get trophy wives 30 years their junior? And that doesn't even include dating. They got married when she was 19, so they started dating when she was what, 18? 17?

[checks story] Hmmm I could have sworn this would have taken place in the South.



SAJA, and the smoking of the crack
Topic: Miscellaneous 12:02 am EDT, Oct 27, 2007

K Said:

Just ran across this...

Any chance it makes the baby jesus' crying less acute?

Well, this sure scares me: http://saja.sourceforge.net/security/

I need to look at this but here are my thoughts so far.

The "Function" security sounds a lot like a nonce on the system calls. Ok, so no one can access your system calls unless they are using your application, but most of the Ajax stuff I'm focusing on is exploiting the application inside the context of the application (i.e. tampering with variables while it's being used, control flow modification, data leakage, etc). This "you can only access the callback if you are really using the application" approach doesn't sound promising because it doesn't really address the problem, it attempts to limit access to the problem.

Emulating SSL with JavaScript is just damn scary. We have a whole chapter about hacking and securing mashups and aggregates like NetVibes, Facebook, etc in Chapter 11, Web Mashups and Aggregators, in our book Ajax Security. There we point out that implementing crypto in JavaScript is a bad idea. In fact, here is the text from the book:

Another popular aggregate site, PageFlakes, attempts a different solution: using asymmetric key encryption (also known as public key encryption). In public key encryption, the key used to encrypt the data is different from the key used to decrypt the information. Thus PageFlakes uses a public/private key pair and embeds the public key in the web pages it sends to the client. Client-side JavaScript uses RSA to encrypt sensitive data before transmitting it back to the server. This allows data to be securely sent from the client to PageFlakes by essentially emulating parts of an SSL connection on top of an HTTP connection. However this is not a good solution because it only solves half the problem. Only the web server has a public/private key pair, allowing secure communication in a single direction from the client to the server. There is no way for the server to communicate back to the client. You cannot pre-seed the client-side code with its own public/private key pair because that would be transmitted to a user's web browser unencrypted over standard HTTP. An attacker would simply intercept it. The public/private key pair for the client would have to be generated on the client. JavaScript does not have a random number generator that is suitable for cryptographic functions. It might be possible for JavaScript to use a Java Applet's cryptographically secure random number generator for key generation, but some browsers do not allow Applets to access these secure libraries. This whole approach does not even matter if malicious widgets are not properly jailed. They could simply hook the JavaScript code and steal sensitive data before it is even encrypted using this convol...



14 Hours on a plane
Topic: Miscellaneous 3:48 am EDT, Oct 24, 2007

I'm in Japan and got to the hotel. I was on a plane for 14 hours. It's about 5pm here but my laptop clock (still on EST) says 3:45am.

I think my head is going to explode from sleep dep, but I know if I crash before 8pm or 9pm, I'll be screwed up for tomorrow.

I keep asking for Red Bull, but people just smile and say "so-sorry."

:-(

:-( [REDBULL] )

:-)

Why can't I get to stage 2?


Tom 1, Time 0
Topic: Miscellaneous 2:36 pm EDT, Oct 15, 2007

On Oct 15, 2007, k wrote:

TOM DOMINATES TIME! TIME IS HIS BITCH!

On Oct 15, 2007, at 2:26 PM, tom@memestreams.net wrote:

> What is a spotter/time master? Do I get to travel through time or am I
> merely responsible for doing bureaucratic things related to time
> measurement?

