I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Topic: Technology
12:28 pm EST, Jan 2, 2008
WGET doesn't support PAC files. Damn it. ... [starts hacking WebInspect] I'm working on an app spanning hundreds of domains all over the place (don't ask) so I actually need to compute PAC lookups while crawling.

TaoSecurity says 'Ajax Security' Best Book of 2007

Topic: Technology
12:38 am EST, Jan 2, 2008
I've mentioned Richard Bejtlich in passing before. He is a TCP/IP ninja and if you are in the computer security biz you should know who he is. I'm pleased to announce that he just posted a 5/5 review on Amazon.com about our book Ajax Security. Here is a little snip:
The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that. They start by introducing a technology, which is critical for someone like me who doesn't deal with Web development issues. Next they describe how it is broken. They continue with defensive recommendations and summarize their findings in the conclusion. This is a perfect technical writing style that is too often lost on other authors.
Truly this is an awesome honor and I thank Richard for the praise. However, not only does Richard like the book, Richard goes on to declare that Ajax Security is the best book of 2007!
And the winner of the Best Book Bejtlich Read in 2007 award is... 1. Ajax Security by Billy Hoffman and Bryan Sullivan (Addison-Wesley). Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year.

Unrestricted Warfare (book)

Topic: Technology
2:12 am EST, Dec 30, 2007
Unrestricted Warfare (超限战, literally "warfare beyond bounds") is a book on military strategy written in 1999 by two colonels in the People's Liberation Army, Qiao Liang (乔良) and Wang Xiangsui. Its primary concern is how a nation such as China can defeat a technologically superior opponent (such as the United States) through a variety of means. Rather than focusing on direct military confrontation, this book instead examines a variety of other means. Such means include using International Law (see Lawfare) and a variety of economic means to place one's opponent in a bad position and circumvent the need for direct military action.
PDF of book. Look at Network attacks. Frame this with how the DoD is reporting the PLA has been screwing with our networks over the last few years.

Topic: Miscellaneous
10:05 pm EST, Dec 28, 2007
Casper and Butterscotch, you are so fat and fuzzy! [kiss kiss kiss]... ... DAMN! You're a Kitty!

Ajax Security Book Out! Awesome buzz!

Topic: Technology
1:21 pm EST, Dec 20, 2007
Ajax Security is out and the feedback I'm getting is incredible. Andrew van der Stock, the Executive Director of OWASP, reviewed a draft of Ajax Security and here is what he had to say about it:
If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies. I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field. The structure flows pretty well, building upon what you’ve already learnt ... there is advanced stuff, but the authors have to bring the newbie audience along for the ride. Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.
Web security guru dre offers up this review of Ajax Security:
It’s quite possible that many Star Wars Ajax security fans will be calling Billy Hoffman, the great “Obi-Wan”, and pdp “Lord Vader” to represent the “light” and “dark” sides that is The Force behind the power wielded by Ajax. The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tricks, and the aberrant Java...

Topic: Current Events
5:53 pm EST, Dec 19, 2007
All the SPI folks are in our new office and all of SPI senior management that used to have offices now has cubes like the rest of us.
I was up above it
I was up above it
Now I'm down in it
I was up above it
I was up above it
Now I'm down in it
-Nine Inch Nails, Down in It

Toothbrush... or Sex Device?

Topic: Current Events
4:29 pm EST, Dec 17, 2007
Lawyers representing Procter & Gamble send a 66-page cease-and-desist letter to British sex-toy company Love Honey, demanding that it stop using images of its Oral B electric toothbrushes to promote a product called the Brush Bunny - a rabbit-shaped piece of plastic that slips over the top of an Oral B to turn it into a vibrator.

Topic: Miscellaneous
9:25 am EST, Dec 14, 2007
Start: 2007-12-15 18:00
End: 2007-12-15 23:59
Timezone: Etc/GMT-5
Location: Vortex, Atlanta
That's right kids, it's that time again. SantaCon is coming!!! I've seen the pics from the last few years and have to say, y'all do it right!!!! Just to remind everyone, I have listed the rules for SantaCon again. There is no Santa in charge to call. If you can't show up for the start, get the phone number of someone who can help you catch up later.
1. AGAIN! Santa does not make children cry. Really - If you see kids, give them nice toys, candy, or something pleasant. Parents and Tourists are a different matter altogether -- adjust based on their attitude.
2. Santa dresses for all occasions. It's December. Smart Santas wear multiple costume layers. Dress to maximize merriment whether singing Christmas carols in the snow, or swinging from a stripper pole.
3. Santa doesn't whine! We will be outside a lot and commuting mainly on foot -- bring enough "snacks" to keep your pie-hole filled until we get indoors.
4. Bring gifts -- NAUGHTY gifts to give grown ups; NICE stuff to give kids. Throwing coal at people is discouraged no matter who they are. YES THAT INCLUDES POLITICIANS
To my west coast homies who think Atlanta is boring, I present to you SantaCon. Dan, trade in your 1337 limo races. Peter, set down those urban golf clubs. Embrace the joy of the Santa-themed pub crawl.
Atlanta SantaCon

List all properties of the entire JavaScript environment!

Topic: Technology
12:14 pm EST, Dec 13, 2007
Jello wrote:

    function show_props(obj, obj_name) {
        var result = "";
        for (var i in obj)
            result += obj_name + "." + i + " = " + obj[i] + "\n";
        return result;
    }
Super convenient when peeps don't document their objects.
You can do this on the window object and you get all global objects. This means all global variables and all the user-defined functions! You can valueOf() on the function object to extract the source code! valueOf() even automatically inserts the appropriate whitespace and indenting for you to easily read the code. You can recurse down objects and check their children so this handles JavaScript "namespaces" as well. Hook this up to a setInterval() call and you can also perform runtime monitoring of the JavaScript environment! On-demand Ajax? No problem! With Firebug, you have the JavaScript equivalent of "View Source." With this method, you have the JavaScript equivalent of "View Generated Source!" Super convenient when peeps don't document the Ajax applications you are hacking! Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah! In the interest of disclosure, websec guru Amit Klein came pretty close to this in 2006. He discovered the joy of valueOf() but didn't take the next step of how to discover/enumerate all the user-defined functions in the JavaScript environment.
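The recursive walk, function-source extraction and setInterval-style monitoring described above, as an added example written for this page (it is neither Jello's snippet nor the HOOK tool from Ajax Security): walk() enumerates an object graph the way the post describes doing for window, recursing into nested objects ("namespaces") with cycle and depth protection, and captures each function's source text; snapshot() and diffSnapshots() compare two walks, which is the runtime-monitoring idea, and from the defender's side the same diff shows when a page's own functions have been replaced or unexpected globals have appeared. Node has no window, so makeSampleApp() builds a constructed stand-in, and the valueOf() trick is expressed as a direct toString() call for the reason given in the comment.

```javascript
// Added example (not Jello's snippet, and not the HOOK tool from Ajax
// Security): walk an object graph the way the post describes doing for
// `window`, listing every property, recursing into nested objects
// ("namespaces"), and capturing each function's source text.

// Constructed stand-in for a page's global namespace (Node has no window).
function makeSampleApp() {
  const app = {
    version: "1.0",
    util: {
      escapeHtml: function (s) { return s.replace(/</g, "&lt;"); },
    },
    api: {
      endpoint: "/ajax/search",
      search: function (q) { return this.endpoint + "?q=" + encodeURIComponent(q); },
    },
  };
  app.self = app; // a cycle, like window.window or window.self
  return app;
}

// Recursively enumerate properties. `seen` stops cycles (window refers to
// itself), maxDepth bounds the walk, and each property read is wrapped
// because some browser objects throw on access (e.g. cross-origin frames).
// Object.keys lists own enumerable properties; Jello's for..in also walks
// inherited ones.
function walk(obj, objName, seen = new Set(), depth = 0, maxDepth = 8) {
  const entries = [];
  if (seen.has(obj) || depth > maxDepth) return entries;
  seen.add(obj);
  for (const key of Object.keys(obj)) {
    const path = objName + "." + key;
    let value;
    try {
      value = obj[key];
    } catch (err) {
      entries.push({ path, kind: "error", text: String(err) });
      continue;
    }
    if (typeof value === "function") {
      // The post uses valueOf(): it returns the function itself, and
      // concatenating that to a string calls toString(), which is what
      // yields the source. Calling toString() directly does the same.
      entries.push({ path, kind: "function", text: value.toString() });
    } else if (value !== null && typeof value === "object") {
      entries.push({ path, kind: "object", text: "[object]" });
      entries.push(...walk(value, path, seen, depth + 1, maxDepth));
    } else {
      entries.push({ path, kind: typeof value, text: String(value) });
    }
  }
  return entries;
}

// Render like show_props: "name.prop = value", one entry per line.
function renderLines(entries) {
  return entries.map((e) => e.path + " = " + e.text);
}

// Snapshot as path -> text so two walks taken at different times (for
// instance from setInterval) can be compared.
function snapshot(obj, objName) {
  return new Map(walk(obj, objName).map((e) => [e.path, e.text]));
}

function diffSnapshots(before, after) {
  const changes = [];
  for (const [path, text] of after) {
    if (!before.has(path)) changes.push({ path, change: "added" });
    else if (before.get(path) !== text) changes.push({ path, change: "modified" });
  }
  for (const path of before.keys()) {
    if (!after.has(path)) changes.push({ path, change: "removed" });
  }
  return changes;
}

// Demo: snapshot, simulate a redefined function and a new property
// (constructed tampering), and report the difference.
function demoTamperDetection() {
  const app = makeSampleApp();
  const before = snapshot(app, "app");
  app.util.escapeHtml = function (s) { return s; };
  app.api.debug = true;
  return diffSnapshots(before, snapshot(app, "app"));
}

console.log(renderLines(walk(makeSampleApp(), "app")).join("\n"));
console.log(JSON.stringify(demoTamperDetection()));
```

In a browser the same walk(window, "window") run periodically gives an inventory of what the page actually exposes globally, which is useful both for the review the post has in mind and for noticing when a third-party script has quietly redefined one of your functions.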