One of these things is not like the other. One is a uniform women were required to wear by a company to be employed. The other is a college student who is a little trampy, as really we all are from time to time :-)
I really don't think Southwest has a well tanned and well toned leg to stand on here.
Now we get to AjaxWorld West 2007 and there are 5 presentations about security and all of them look great. Brian Chess from Fortify, Joe Stagner from Microsoft, Bryan and I from SPI/HP, Danny Allen from Watchfire/IBM, and Pothiraj Selvaraj from CGE. I am absolutely floored by the turnout. And it's not just more security speakers at Ajax conferences. There are other indications that people are accepting Ajax Security. We are seeing a number of books on Ajax Security come out. Ajax frameworks are starting to implement security features natively. In some cases framework developers are reaching out directly to the web security companies that seem to get it. For example SPI has been to Redmond multiple times this year working with the ASP.NET and Atlas teams. We see security vendors and consultants who were in denial about Ajax have toned down the rhetoric. Now vendors from the scanner and source code analysis spaces are joining SPI on stage this year at AjaxWorld. We've gone from a 20-something with long hair talking about Ajax security to CTOs, CEOs, and VPs spreading the message. And that is extremely satisfying.
I suppose if anything, AjaxWorld 2007 is a nice breath of fresh air. A cause SPI has been championing for nearly 2 years now is becoming more mainstream and finding acceptance in the Security and Development communities. I welcome my friendly competitors to the party, even if they were a little late and got lost along the way. :-) Because at the end of the day, more smart people working on tough problems helps everyone.
A new technique shows resizing of images while keeping the important features of the image undistorted, also allows you to protect or remove part of the image with anything removed being automagically and seamlessly filled in.
Spectator: Detection and containment of JavaScript worms
Topic: Technology
12:49 pm EDT, Aug 27, 2007
I got a chance to meet Ben Livshits after my web worm talk at BH where we had a discussion about these detection techniques (and why McCabe complexity diagrams are too coarse). I'm finally getting around to reading his paper.
Here is how HTTP authentication is supposed to work:
In HTTP authentication, the browser uses a dialog box to get the user's credentials. It looks something like this.
A (perceived) downside to HTTP authentication is that web designers cannot control this dialog. Some people find it ugly and it messes with website design and layout. As a result, many websites use what is called FORMs authentication, where the website collects a user's credentials in an HTML form, submits them to the server, and the server hands back a session cookie on success.
Unfortunately, Memestreams does an RFC-violating combination of the two. It responds to resources that require login with a 401, but without the WWW-Authenticate header that tells the browser how to send the credentials back. RFC 2616 (section 10.4.2) says a 401 response MUST include a WWW-Authenticate challenge; without one the browser has nothing to prompt for, so it simply renders the error body and the user never gets a chance to log in to the resource they asked for.
What should happen is this:

Client --------------> Server
GET /recommend/ HTTP/1.1

Server --------------> Client
HTTP/1.1 302 Found
Location: /login/?returnURL=/recommend/

Client --------------> Server
GET /login/?returnURL=/recommend/ HTTP/1.1

Server --------------> Client
HTTP/1.1 200 OK
[login form; the user fills in username and password]

Client --------------> Server
POST /login/?returnURL=/recommend/ HTTP/1.1
[POST body carrying the username and password]

Server --------------> Client
HTTP/1.1 302 Found
Location: /recommend/
Set-Cookie: [valid session cookie]

Client --------------> Server
GET /recommend/ HTTP/1.1
Cookie: [the session cookie just set]

Server --------------> Client
HTTP/1.1 200 OK
[the protected resource]
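To make the difference between the two styles concrete, here is an added Python model of both (example code written for this page, not anything MemeStreams runs). `http_auth_challenge` is the 401 a real HTTP-auth site should send, `rfc_violating_challenge` is the hybrid described above, `check_401` applies the RFC 2616 10.4.2 rule to any response, and `forms_auth_app` walks the redirect/login/cookie exchange from the diagram. The user store, the in-memory session table, and the `safe_return_url` guard (which keeps `returnURL` from being turned into an open redirect) are my assumptions for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed user store and session table for the example only
# (assumptions; not MemeStreams' real data).
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {}  # session id -> username


def check_401(status, headers):
    """Judge a response against RFC 2616 10.4.2: a 401 MUST carry a
    WWW-Authenticate challenge. Returns (compliant, reason)."""
    if status != 401:
        return True, "not a 401"
    if not any(name.lower() == "www-authenticate" for name in headers):
        return False, "401 without WWW-Authenticate: browser cannot prompt for credentials"
    return True, "401 carries a challenge"


def http_auth_challenge(realm="MemeStreams"):
    """The response a site that really uses HTTP (Basic) auth should send."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, b""


def rfc_violating_challenge():
    """The hybrid described above: a 401 with no challenge at all."""
    return 401, {"Content-Type": "text/html"}, b"<p>Please log in</p>"


def safe_return_url(value):
    """Accept only a same-site absolute path for returnURL; anything with a
    scheme or host (including protocol-relative '//host') becomes '/'.
    Assumption: the app never needs to return the user to another host."""
    if not value.startswith("/") or value.startswith("//"):
        return "/"
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return "/"
    return value


def _cookies(headers):
    raw = headers.get("Cookie", "")
    return dict(part.strip().split("=", 1) for part in raw.split(";") if "=" in part)


def forms_auth_app(method, target, headers=None, body=""):
    """Handle one request the way the corrected exchange above does.
    Returns (status, headers, body)."""
    headers = headers or {}
    url = urlsplit(target)
    query = parse_qs(url.query)
    user = SESSIONS.get(_cookies(headers).get("session"))

    if url.path == "/login/":
        return_url = safe_return_url(query.get("returnURL", ["/"])[0])
        if method == "GET":
            return 200, {"Content-Type": "text/html"}, b'<form method="post">...</form>'
        form = parse_qs(body)
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(username, "")
        # Constant-time compare; unknown users fall through to the same
        # failure path as wrong passwords.
        if expected and secrets.compare_digest(expected.encode(), password.encode()):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = username
            return 302, {"Location": return_url,
                         "Set-Cookie": "session=%s; Path=/; HttpOnly" % sid}, b""
        return 200, {"Content-Type": "text/html"}, b"<p>Bad username or password</p>"

    if user is None:
        # Not logged in: 302 to the form, remembering where to come back to.
        location = "/login/?" + urlencode({"returnURL": url.path}, safe="/")
        return 302, {"Location": location}, b""
    return 200, {"Content-Type": "text/html"}, ("Welcome, %s" % user).encode()


def walk_through():
    """Replay the exchange from the diagram. Returns the status codes seen
    and the Location the login POST redirected to."""
    statuses = []
    st, hd, _ = forms_auth_app("GET", "/recommend/")
    statuses.append(st)
    login_target = hd["Location"]
    st, hd, _ = forms_auth_app("GET", login_target)
    statuses.append(st)
    st, hd, _ = forms_auth_app("POST", login_target,
                               body="username=alice&password=correct+horse+battery+staple")
    statuses.append(st)
    after_login = hd["Location"]
    cookie = hd["Set-Cookie"].split(";")[0]
    st, _, _ = forms_auth_app("GET", after_login, headers={"Cookie": cookie})
    statuses.append(st)
    return statuses, after_login
```

Running `walk_through()` yields the 302, 200, 302, 200 sequence from the diagram, while `check_401` flags `rfc_violating_challenge()` and passes `http_auth_challenge()`; the point of `safe_return_url` is that a `returnURL` parameter, once you add one, is an input like any other.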
TreyChair.com - Multifunction task chairs for your desk, floor, home, or office.
Topic: Technology
12:59 pm EDT, Aug 20, 2007
Saw this today on Ars. Not sure how great it would be as an office chair (at least if you attempt to use it with a desk). But as a gamer/laptop chair, looks fairly cool.
Jill out of town for work... Check 1.75L Grey Goose... Check 12 Pack Dr. Pepper... Check Visual Studio 2005 Team Edition... Check ECMAScript Standard 3rd Edition... Check Rhino Book... Check Purple Book... Check Working from home tomorrow... Check Nidhi's super secret static analysis code... Check
Can I write a recursive descent JavaScript parser before tomorrow afternoon? Let's find out.
Ed Felten is a genius. In this paper he discusses using timing between HTTP requests to determine whether certain URLs have been cached on a user's machine. He extends this to detecting secondary cache hits to determine if two arbitrary machines are on the same network subnet.
He discusses doing this both with and without JavaScript.
Yes, essentially, Ed Felten published Grossman's and RSnake's Black Hat presentation 7 years before they did.
Long ago RSnake claimed I stole his research and suggested I edit my paper to reflect that someone else had done work in this area. It will be interesting to see whether RSnake is willing to do that when confronted with the same situation. What's the phrase? Put up or shut up?
Of course, I've never seen Grossman or RSnake reference Ed Felten's work in any of their presentations. Was it willingly omitted? If not, how could they not be aware of it if they did any type of due diligence for their research? It's not like Edward Felten is some obscure person in the security space. Some of his work was required reading in a class I took as a sophomore in college.