Curiouser and Curiouser
Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Now, *that's* a margarita maker... on Flickr - Photo Sharing!
Topic: Miscellaneous 12:00 pm EDT, Jun 21, 2007

I need this.

Now, *that's* a margarita maker... on Flickr - Photo Sharing!


HP joins security convergence trend with SPI Dynamics buy
Topic: Business 11:15 am EDT, Jun 21, 2007

Hijexx wrote:
On the heels of IBM's acquisition of Watchfire, HP today announced it was buying SPI Dynamics, another application security bellwether, for an undisclosed amount.

The move signifies the growing convergence of the information security marketplace, especially in light of IBM’s pickup of Watchfire, which was SPI’s main competitor, analysts said today.

...

I liked the name SPI Dynamics a lot better. So, how's it feel to (soon) work for HP Billy? :)

Kent Brockman: And I for one welcome our new insect overlords!



HP joins security convergence trend with SPI Dynamics buy


'Crawling' rich web apps
Topic: Technology 11:00 am EDT, Jun 21, 2007

Critics like to point out it is difficult for web scanners to know when an entire RIA has been crawled. After all, certain actions might expose more functionality, which exposes more and more. Certain functionality (like a spell checker) might not get invoked unless there are misspelled words.

RIAs are full-blown applications. You don't "crawl" Microsoft Word, do you? You don't "crawl" Visual Studio? Web security researchers need to remember that other industries confront the same problems we do. Automated GUI testing suites have existed for years and some of the research is very interesting and highly applicable. I have no numbers, but I'd bet dollars to doughnuts that market is a little bigger than webappsec.

Talking about how difficult a problem is doesn't help anyone. Trying to solve it, even if you fail, helps everyone. I learned that in college at a lecture by Dr. Cook, one of the definitive sources on the Traveling Salesman Problem.


MD5's predict the Future!
Topic: Technology 10:37 am EDT, Jun 19, 2007

On June 4 I posted an MD5 checksum: 98a358d372c87da29509a44cc3ec387f

acidus@hatter:~$ cat purchase.txt
SPI will be purchased by HP in June or July
acidus@hatter:~$ md5
md5               md5sum            md5sum.textutils
acidus@hatter:~$ md5sum purchase.txt
98a358d372c87da29509a44cc3ec387f  purchase.txt
acidus@hatter:~$

Sure enough: HP buys SPI.
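The post is a hash commitment: publish the digest first, reveal the text later. The added example below (my code, not the post's shell session) models that trick and shows the two properties a practitioner checks for: a bare hash of a short, guessable sentence is not hiding, since a reader who can enumerate plausible predictions recovers the text by lookup, and a random nonce fixes that; binding additionally needs a collision-resistant hash, which MD5 has not been since practical collisions were published in 2004, so SHA-256 is used. The candidate predictions are constructed.

```python
"""Hash commitments: commit to a prediction now, reveal it later (added example)."""
import hashlib
import hmac
import secrets


def bare_commit(message: str) -> str:
    """What the post did: publish the plain MD5 of the prediction text."""
    return hashlib.md5(message.encode()).hexdigest()


def guess_bare_commit(commitment: str, candidates):
    """Why that is weak: low-entropy text behind a bare hash is a dictionary
    lookup, so a sceptical reader learns the 'secret' before the reveal."""
    for candidate in candidates:
        if bare_commit(candidate) == commitment:
            return candidate
    return None


def commit(message: str) -> tuple:
    """Hiding commitment: SHA-256 over a 256-bit random nonce plus the message.
    Publish the digest now; keep the nonce with the text until the reveal."""
    nonce = secrets.token_hex(32)
    digest = hashlib.sha256(bytes.fromhex(nonce) + message.encode()).hexdigest()
    return digest, nonce


def verify(commitment: str, nonce: str, message: str) -> bool:
    """Reveal step: anyone recomputes the digest and compares in constant time."""
    expected = hashlib.sha256(bytes.fromhex(nonce) + message.encode()).hexdigest()
    return hmac.compare_digest(expected, commitment)


# Constructed list of predictions a reader might have tried in June 2007.
CANDIDATES = [
    "SPI will be purchased by HP in June or July\n",
    "SPI will be purchased by IBM in June or July\n",
    "Watchfire will be purchased by IBM in June or July\n",
]

if __name__ == "__main__":
    secret = CANDIDATES[0]
    print("bare md5  :", bare_commit(secret))
    print("guessed   :", guess_bare_commit(bare_commit(secret), CANDIDATES).strip())
    digest, nonce = commit(secret)
    print("verify ok :", verify(digest, nonce, secret))
    print("tampered  :", verify(digest, nonce, secret.replace("July", "August")))
```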


The K sensitive password
Topic: Society 2:40 pm EDT, Jun 18, 2007

"Even the most brilliant technology can fall short in that it may be too expensive or too complex for the average senior to use."

And then there was the 'k sensitive' password.
My dad is 74 and had trouble with his email. He's a healthy man that still works even though he has not had to in years. He's very active.

He said it kept 'shooting up a box that said password' and so I told him to call Comcast if he couldn't remember his password.

So he did, and still it would not work. "I don't know what I'm doing wrong."

So I went down, and asked him what password they gave him, and he had written down... 'k sensitive'. He said he'd been trying it every which way he could.

Now this is a man who owned extensive real estate, and 2 businesses in his life. How did this happen?

So I called Comcast to get his REAL password. As soon as I pressed the number in the voice automated system for email problems, a pretty female voice said "Your password is case sensitive."

My dad had assumed - because of his lack of technology vocabulary - well, you all understand. However, to me, it really highlighted the problem that seniors have using and understanding technology, and it just isn't fair.

It isn't fair to leave our 'old but capable' so far behind. It is also probably a huge market if someone would care enough to tap it.

That's awesome! After all, the password dialog *told* him what this password was when he set the whole thing up.

The K sensitive password


Show me Pink! (that's right, I said it) - XSS 0day for Yahoo.
Topic: Technology 2:50 pm EDT, Jun 15, 2007

Awesome. Pink is the new black! An anonymous blog where someone drops major XSS 0day and isn't pimping a product or consulting? Sweet. No offense to my big pimpin web security buddies, but honestly, we (myself included) are all XSS sluts. We could be more like RFP, who doesn't trade on his handle. This guy/gal is giving it away truly for free, which I suppose makes them an XSS whore. Hmmm. Well, whatever floats your boat.

Given how painful a "cross-site scripting" attack can be, its acronym should have been "ASS" instead of "XSS". Yet the developers behind the web applications you use every day often do not know what they are or do not care.

Why don’t web sites care enough? Because on the surface these vulnerabilities do not jeopardize the security of the entire company and such hacks are not as glamorous as high-profile break-ins where millions of social security numbers are stolen. But in reality, an XSS defect can be just as devastating to a site’s user base and extremely traumatic to any single user whose identity and privacy are violated.

XSS 0day and brutal analysis? What more could I ask for? I agree with everything said here.

Show me Pink! (that's right, I said it) - XSS 0day for Yahoo.


Taming the Bull
Topic: Technology 1:55 pm EDT, Jun 12, 2007

I have consumed a massive amount of Red Bull in the last 2 weeks in a run up to finishing the manuscript for my Ajax Security book. We are talking on average 2-3 a day, with an occasional day of 4. Once there was a day of 5. Just once, and *never* again. At some point you can't really call them "days" anymore. A day is simply a convenient unit of 24 hours that may or may not start at 12:00am.

There is an elusive euphoria stage of Red Bull consumption where you are unbelievably productive and yet tasks that seemingly take hours take only about 27 minutes or so. That was the odd thing. It always seemed 27 minutes later. I like to call this stage "Fry-Time" in reference to that Futurama episode where Fry drinks 100 cups of coffee and time slows to a crawl. Fry-Time occurs only in a narrow band on the line between total exhaustion and caffeine-induced heart attack and is a difficult stage to reach. I've hit Fry-Time maybe 3-4 times ever. 2 of those times have happened in the last 2 weeks.

Then, there is the "attention deficient disordering" stage. This stage occurs beyond Fry-Time and before the caffeine-induced heart attack phase. In this phase, you want to be productive. You are aware of all the work you need to accomplish as well as its importance. You feel motivated and excited about all your projects. In fact, it feels like you are in the Fry-Time stage. But you aren't. You are ADDing. Because as soon as you try to do something, you can't. Halfway through, your brain jumps to thinking about another task and you stall. It's like an OS scheduler that has so many jobs to do that it spends all its time context switching instead of actually making any progress on any of them. This is an extremely frustrating phase because you know what's happening. And the very act of noticing that you are being scatterbrained brings to mind all the tasks you still need to do, which makes you think about how cool some of them are, and suddenly you aren't doing any more work on whatever it was you were working on. You've context switched to another job.

The only thing to do in the ADD stage is wait it out and try to be productive later. The only problem is when you are in the ADD phase you have had so much Red Bull you can't sleep! So you are wide awake, too hyped to do anything, knowing you have shit to do, and losing time that you could be sleeping.

This is exactly what happened to me around 4:00am this morning. On an upside, I got through about 60 pages of Guns, Germs, and Steel. Elonka's cousin sure can write!


iPhone + XSS = All your cell networks are belong to Acidus
Topic: Technology 1:13 pm EDT, Jun 12, 2007

In his speech, Jobs announced that the iPhone will be able to run Web 2.0 applications that look just like the iPhone's built-in apps but are created by third-party developers. As the iPhone will have a full-fledged version of Apple's Safari Web browser, developers can build their applications with Ajax and other Web technologies.

Ok, I'm not sure what this means exactly (and granted this is 2 steps removed from the source). It's a browser with a JavaScript interpreter. Of course it can run Ajax apps. I wonder if this refers to Adobe's Apollo apps, which can run outside of a browser.

"I'm underwhelmed," said Avi Greengart, an analyst with industry research firm Current Analysis. Many developers, he said, "were expecting to be able to write apps and run them in a browser anyway."

Yeah, nothing new here.

He pointed out that, although Jobs said that the Web 2.0 apps will run in a sandbox, they still will be able to reach beyond the sandbox to access key functions, such as phone calls.

... ... SWEET! Now Samy can let you know he is your new hero by calling you. On your Phone. Thousands of times a second. From JavaScript.

This makes John Terrill's curse "I'm going to XSS your FACE!" that much closer to reality.

iPhone + XSS = All your cell networks are belong to Acidus


Book Snip: IE's userData
Topic: Technology 7:27 pm EDT, Jun 11, 2007

From the Ajax Security book:

Data sharing with userData is extremely limited. You cannot share data between different domains or even subdomains of the root domain. You cannot share data with other web servers or services running on different ports of the same domain. You can only share data between web pages inside the same directory on the same For example, data stored by http://company.com/Storage/UserData.html can be accessed by http://company.com/Storage/Checkout.html or any other page inside the /Storage/ directory. Attempting to access data from other pages simply returns null. These are the default restrictions and they cannot be changed. This default-closed policy is almost the exact opposite of the default cookie policy. This constitutes the lone good security decision in Internet Explorer 5.0.
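To make the scoping rule in the excerpt concrete, here is an added example (my code, not the book's text and not IE's implementation): a toy store that grants access only when host, port and directory all match, and returns None for anything else, as the excerpt says IE does. Requiring the URL scheme to match as well is my assumption; the excerpt does not address it. The URLs are the ones from the excerpt plus constructed variants.

```python
"""IE userData access scope, modelled from the book excerpt (added example)."""
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _scope(url: str) -> tuple:
    """Reduce a page URL to the tuple that must match exactly for access.
    Scheme matching is an assumption of this example, not stated in the book."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()           # hosts are case-insensitive
    port = parts.port or DEFAULT_PORTS.get(scheme)  # ":80" and no port are the same
    path = parts.path or "/"
    # A directory index URL ("/Storage/") is already a directory; a page URL
    # ("/Storage/UserData.html") scopes to its containing directory. Normalise
    # dot segments so "/Other/../Storage/" cannot masquerade as another scope.
    directory = path if path.endswith("/") else posixpath.dirname(path)
    return scheme, host, port, posixpath.normpath(directory)


def can_access(stored_by: str, requester: str) -> bool:
    """Same host, same port, same directory: nothing else shares userData."""
    return _scope(stored_by) == _scope(requester)


class UserDataStore:
    """In-memory stand-in for the browser's store; reads from another scope
    return None, mirroring the 'simply returns null' behaviour described."""

    def __init__(self):
        self._data = {}

    def save(self, page_url: str, key: str, value: str) -> None:
        self._data.setdefault(_scope(page_url), {})[key] = value

    def load(self, page_url: str, key: str):
        return self._data.get(_scope(page_url), {}).get(key)


if __name__ == "__main__":
    store = UserDataStore()
    store.save("http://company.com/Storage/UserData.html", "cart", "3 items")
    for page in ("http://company.com/Storage/Checkout.html",       # same directory
                 "http://company.com/Storage/Sub/Page.html",       # subdirectory
                 "http://www.company.com/Storage/Checkout.html",   # subdomain
                 "http://company.com:8080/Storage/Checkout.html"): # other port
        print(page, "->", store.load(page, "cart"))
```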


Sadie - Alkaline Trio
Topic: Arts 4:56 pm EDT, Jun 11, 2007

You're on your own my little nightmare
You cannot stay here, it's far too bright for you
If they attack you just lay there,
Play dead dear, it's your only hope of pulling through

And seconds they seem
like a lifetime, a dream
Recurring a dream that can't come true
And they'll pin it all on you
After all you've been put through

"Sadie G, she's crazy, see?"
That's what the white coats say
And now Ms. Susan A,
you're losing every opportunity
To put us all away

Now run along my little nightmare
Your job is done here,
you've scared them all to death
If they revive then just sit there,
Just smile dear,
make them thankful for every breath

This sentence may seem
like a lifetime of screams
That's curdling the blood they found on you,
And your knives and clothing too,
Charlie's broken .22

"Sadie G, she's crazy, see?"
That's what the white coats say
And now Ms. Susan A,
you're losing every opportunity
Well they found you and they shipped you up the river the same way
That you bound and gagged,
you shot then stabbed.
You tried to set them free,
but they've thrown away the keys

--

My iPod's been playing nothing but Alkaline Trio all day.

