Current Topic: Technology
BFO: Attackers favor compromise over creation

Topic: Technology
1:01 pm EST, Jan 24, 2008
For the first time, legitimate Web sites compromised by attackers made up the majority of sites used to spread malicious programs, security firm Websense said in a report published on Tuesday. In the past, massive attacks aimed at Web sites typically involved defacements by online vandals. Yet, as online crime increasingly becomes motivated by profit, defacements have given way to finding ways to insert iframe redirection code or compromise a site to host malicious software. Earlier this month, for example, security firm Finjan warned that hackers had bypassed security on at least 10,000 legitimate domains to install the Random JS infection toolkit.
Which should be no surprise to anyone. We moved from kids using pings-of-death, DoS, system vandalism and general mischief to complex rootkits that own the box, evade defenses, and keep it a viable platform for attacks that generate revenue for criminals. Why would the evolution of the motivation for web attacks follow a different path?

Japan: 1 win and 1 loss

Topic: Technology
11:08 pm EST, Jan 23, 2008
Alright Japan, the cuteness of your Foxkeh has helped assuage the creepiness of your Maid Cafes. I guess we can call this one square.

RE: ASP.NET Internals Spelunking

Topic: Technology
10:10 pm EST, Jan 23, 2008
Worthersee wrote: I was only poking around with Reflector before, but thanks to Dominick Baier for reminding me that I can now hook a debugger to the code I previously couldn't.
Bryan did some work with Silverlight where he could decompile the assemblies and load them in Visual Studio 2005. There is an option where the source code lines of a breakpoint must match exactly (something along those lines). By disabling that option, Bryan and I got Silverlight assemblies running in debug mode in VS2005. Not quite the same as setting breakpoints in the CLR, but it shows that you can use Reflector + VS voodoo to debug any .NET assembly with various degrees of success.

Sudoku as a SAT problem

Topic: Technology
9:50 pm EST, Jan 22, 2008
Sudoku is a very simple and well-known puzzle that has achieved international popularity in the recent past. This paper addresses the problem of encoding Sudoku puzzles into conjunctive normal form (CNF), and subsequently solving them using polynomial-time propositional satisfiability (SAT) inference techniques.
Sudoku isn't the only thing that you can use a SAT solver on ;-) Luckily I wrote a SAT solver in college which uses a modified DPLL algorithm with back propagation and some heavy preprocessing for initial value selection.

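As an added illustration of the CNF encoding the paper talks about (example code written for this page, not taken from the paper or the post): one propositional variable per (row, column, value) triple, the "minimal" clause set (each cell holds at least one value; each value at most once per row, column and box), a checker that tests a candidate grid against the generated clauses, and a DIMACS serialiser so the output can be fed to any off-the-shelf solver. The puzzle and solution at the bottom are constructed sample input (the commonly reproduced Wikipedia grid).

```python
from itertools import combinations

N, BOX = 9, 3

def var(r, c, v):
    """Map (row, col, value), all 0-based, to a DIMACS variable 1..729."""
    return N * N * r + N * c + v + 1

def encode(puzzle):
    """CNF clauses (lists of signed ints) for a 9x9 grid; 0 marks a blank cell.
    Minimal encoding: each cell holds at least one value, and each value appears at
    most once per row, column and 3x3 box; givens become unit clauses."""
    clauses = []
    cells = [(r, c) for r in range(N) for c in range(N)]
    for r, c in cells:                        # at least one value per cell
        clauses.append([var(r, c, v) for v in range(N)])
    for v in range(N):                        # at most one of each value per group
        for i in range(N):
            row = [(i, c) for c in range(N)]
            col = [(r, i) for r in range(N)]
            box = [(BOX * (i // BOX) + dr, BOX * (i % BOX) + dc)
                   for dr in range(BOX) for dc in range(BOX)]
            for group in (row, col, box):
                for (r1, c1), (r2, c2) in combinations(group, 2):
                    clauses.append([-var(r1, c1, v), -var(r2, c2, v)])
    for r, c in cells:                        # givens pin a single value
        if puzzle[r][c]:
            clauses.append([var(r, c, puzzle[r][c] - 1)])
    return clauses

def is_model(clauses, grid):
    """True if a fully filled grid satisfies every clause (literal by literal)."""
    true_vars = {var(r, c, grid[r][c] - 1) for r in range(N) for c in range(N)}
    return all(any((lit > 0) == (abs(lit) in true_vars) for lit in clause)
               for clause in clauses)

def to_dimacs(clauses):
    """Serialise in DIMACS CNF, the input format most SAT solvers accept."""
    return (f"p cnf {N ** 3} {len(clauses)}\n"
            + "".join(" ".join(map(str, cl)) + " 0\n" for cl in clauses))

def parse(rows):
    """Nine 9-character strings ('.' for blank) -> grid of ints."""
    return [[0 if ch == "." else int(ch) for ch in row] for row in rows]

# Constructed sample input: the widely reproduced Wikipedia puzzle and its solution.
PUZZLE = parse(["53..7....", "6..195...", ".98....6.", "8...6...3", "4..8.3..1",
                "7...2...6", ".6....28.", "...419..5", "....8..79"])
SOLUTION = parse(["534678912", "672195348", "198342567", "859761423", "426853791",
                  "713924856", "961537284", "287419635", "345286179"])
```

An empty grid yields 81 + 3 * 2916 = 8829 clauses; each given adds one unit clause, and swapping two cells of a valid solution makes is_model fail on a column or given clause.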
HTML 5 differences from HTML 4

Topic: Technology
2:57 pm EST, Jan 22, 2008
Client-side storage (sessionStorage and globalStorage) as well as offline application support (including client-side databases, offline content serving/manifests, eventing, etc.) have all been codified into HTML5. Not a super big surprise because they've been in the WHATWG spec for a while, but certainly plan for them to take on a larger role in web apps than when they were simply implemented in Mozilla (DOMStorage) or as a browser plug-in (Google Gears). Attacks and defenses against these features are discussed in chapters 8 and 9 of our book. Remember folks, it's only an increased attack surface ;-)

Comparison of science and technology funding for DOD’s space and non-space programs

Topic: Technology
9:30 am EST, Jan 18, 2008
At your request, the Congressional Budget Office (CBO) has analyzed whether a difference exists between the Department of Defense’s (DoD’s) funding for science and technology (S&T) activities supporting unclassified space programs and its funding for S&T activities supporting other (nonspace) programs. The enclosed report indicates that funding for S&T activities supporting unclassified space programs has been less than S&T funding for other defense programs and that DoD’s plans for the future maintain that difference in funding. (Because of a lack of information, CBO’s analysis does not address the extent to which classified research might be supporting unclassified space programs.)
It is hard to extract meaning from this. The DoD is spending more money on other things than on funding non-classified space research. Ok, makes sense. However, we have no idea how much money they are spending on classified space research. Given China's publicly broadcast ability to blow shit out of space, you have to hope there is some classified research going on.

Ajaxian » Book recommendation: Ajax Security by Hoffman and Sullivan

Topic: Technology
2:23 pm EST, Jan 16, 2008
Our book, Ajax Security, made the front page of Ajaxian today. I'm so pleased it is finding traction on the mainstream Ajax news sites.
Reviewers overuse the phrase “required reading,” but no other description fits the new book “Ajax Security” (2007, Addison Wesley, 470p). This exhaustive tome from Billy Hoffman and Bryan Sullivan places the specific security concerns of the Ajax programming model in historical perspective. It demonstrates not only new security threats that are unique to Ajax, but established threats that have gained new traction in the Web 2.0 era. It then details both the specific technical solutions and - more importantly - the mindset that are necessary to combat such threats. Because so many developers have historically overlooked the importance of security, the authors approach their topic for what it is: a remedial subject. They take pains to explain the basic mechanisms by which hackers have exploited insecure web applications over the last decade: cross-site request forgeries, denial of service attacks, cross-site scripting and SQL injection. Then they explain how those mechanisms have changed thanks to the rise of xmlHttpRequest, public APIs, mash-ups and aggregators. If you’ve ever read a Douglas Crockford rant about the “brokenness” of the web security model and wondered why the guy was such an alarmist, Hoffman and Sullivan are only too happy to provide you with a much-needed wake-up call.
The rest of the review is here.

|
Like a kid in a candy store

Topic: Technology
9:25 am EST, Jan 15, 2008
And today, from the "Truly good intentions but WTF are you thinking" category: Representatives from MySpace and the attorneys general of 49 states are announcing a new partnership to fight sexual predators and clean up social networks. Among the dozens of measures MySpace has agreed to take, the social network will let parents submit the e-mail addresses of their children, so the company can prevent anyone from using that address to set up a profile.
MySpace doesn't have a stellar history when it comes to security (sorry Ramsey, I know you are trying, but you all aren't there yet). This database is a gold-mine for marketers and pedophiles alike, and I'm a little concerned about its existence.

Earphone Sounds Like Ocean

Topic: Technology
3:07 pm EST, Jan 12, 2008
The Noisy Instrument won't hook into your iPod, but it will, completely without a power source, reproduce the soothing sounds of the ocean at any time and any place (ala seashell).