Thanks to the amount of feedback on Ideastorm, Dell is seriously
considering pre-installing Linux on desktop systems. Having had the
chance to play with the Core 2 Duo systems Dell puts out, I can
definitely say they are pimpin'. I want one, but my main concern is
Linux hardware compatibility. I would like a stable desktop that runs
Linux as a primary workstation, and these Dells are my top choice.
Go to Dell.com/linuxsurvey and fill out the short survey to give them a
better idea of what you're looking for in a Linux desktop. If nothing
else, giving average customers the option of choosing between "Windows
Vista ($100)" and "Ubuntu Linux (free)" would greatly help spread
mainstream Linux adoption.
Posted by Marcin on Thursday, March 15, 2007 in Linux and Tech.
I laughed when I saw the Worst Captcha Ever and just had to show the one
I came across a couple of months ago that was featured on the DailyWTF
(now known as Worse Than Failure).
Too funny!
Posted by Marcin on Tuesday, March 13, 2007 in Other.
Last night I attended my first Phoenix-OWASP meeting, hosted at UAT.
There were around 30 people in attendance from all backgrounds,
including independent researchers, government agencies, the private
sector, and academia. Andre Gironda gave a cool presentation (available
in PDF), Reflections on Trusting the Same-Origin Policy.
Adam Muntner, also in attendance, is now a Trusted Catalyst/contributor
to The Security Catalyst and starts off with a bang with 5 Questions to
Ask Your Web Application Vendor.
I enjoyed last night's meeting and getting to know a couple of people,
and I look forward to meeting them again at ShmooCon and at the March 26
Arizona Security Practitioner's Forum.
Posted by Marcin on Friday, March 9, 2007 in Security.
The folks at the nCircle Blog have posted a VERT Challenge, and
hopefully more are to come. You can check out the details at their blog,
but I'll be posting my progress here and we'll see how far I can get
before I either a.) give up, b.) someone else gets it, or c.) hopefully
win!
Anyway, the requirements are as follows:
- Locate the WinNY application online (both versions 1 and 2).
- Determine how to perform proper WinNY detection (remotely, via the
listening TCP port).
What you need to provide in order to win:
- Any encryption, authentication or hashing used for communication.
- A breakdown of the information provided by WinNY when you connect to
it.
- The unencrypted strings that distinguish between WinNY 1 and WinNY 2.
- Bonus points for providing a script or source code to perform the
detection.
I have located both versions 1 and 2 of the p2p software... I'll begin
working on identifying them on the network soon. Stay tuned for further
progress, and good luck to anyone else participating.
Posted by Marcin on Wednesday, March 7, 2007 in Security.
From the Owasp-phoenix mailing list:
This month we have an exciting technical talk discussing the Same-Origin
Policy and attacks that attempt to break/circumvent these controls, by
security researcher Andre Gironda. The details of this month's meeting
are below:
Where:
UAT - University of Advancing Technology (entrance at the back of the
building)
2625 West Baseline Road
Tempe, Arizona 85283-1056
When:
6:30PM, Thursday, March 8th
Agenda:
6:30 to 6:45: News & Introductions
6:45 to 7:45 (1 hour): Reflections on Trusting the Same-Origin Policy
– and other web+network trust issues – Andre Gironda, Independent
Vulnerability Assessor / Researcher
In computing, the same-origin policy is an important security measure
for client-side scripting (mostly Javascript). It prevents a document or
script loaded from one "origin" from getting or setting properties of a
document from a different "origin". It was designed to protect browsers
from executing code from external websites, which could be malicious.
XSS and CSRF vulnerabilities exploit trust shared between a user and a
website by circumventing the same-domain policy. DNS pinning didn't pan
out exactly right, either. Can client-side scripting allow malicious
code to get into your browser history and cache? Can it enumerate what
plugins you have installed in your browser, or even programs you have
installed on your computer? Can it access and modify files on your local
hard drive or other connected filesystems? Can client-side scripts be
used to access and control everything you access online? Can they be
used to scan and attack your intranet / local network? Does an attacker
have to target you in order to pull off one of these attacks
successfully? If I turn off Javascript or use NoScript, am I safe? What
other trust relationships does the web application n-tier model break?
7:45 to 8:00: Wrap up
8:00: Happy Hour/Social:
Tilted Kilt
650 West Warner Road, Tempe AZ
Google Maps
For more information on the OWASP-Phoenix chapter, check out the
Phoenix - OWASP Wiki entry.
Posted by Marcin on Tuesday, March 6, 2007 in Security.
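The same-origin rule summarized in the talk abstract above, as an added example that is not part of the original post or of the OWASP-Phoenix announcement: a small JavaScript model of the check a browser performs before it lets a script from one document get or set properties of another. An origin is the scheme/host/port triple; path, query and fragment do not count, and an explicit default port (`:80` for http) is the same origin as no port at all. The example assumes the WHATWG `URL` class (available in browsers and Node.js); the `readCrossDocument` helper and the URL pairs are constructed for illustration and stand in for a real cross-frame DOM read.

```javascript
// Added example, not from the original post: a minimal model of the
// browser's same-origin check. An origin is the triple (scheme, host, port);
// a script may read or set properties of another document only when all
// three match. Path, query and fragment play no part in the decision.

// Map a URL to its origin triple. URL.port is "" when the port is the
// scheme's default, so we restore the default explicitly for comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
  const port = u.port !== "" ? u.port : (defaultPorts[u.protocol] || "");
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Hypothetical helper standing in for a DOM property read across frames:
// the read succeeds only when the requesting document and the target share
// an origin; otherwise the browser raises a security error.
function readCrossDocument(requesterUrl, targetUrl, property) {
  if (!sameOrigin(requesterUrl, targetUrl)) {
    const r = originOf(requesterUrl);
    const t = originOf(targetUrl);
    throw new Error(
      `Blocked: ${r.scheme}://${r.host}:${r.port} may not read ${property} ` +
      `of ${t.scheme}://${t.host}:${t.port}`
    );
  }
  return `${property}@${targetUrl}`;
}

// Constructed URL pairs showing which differences matter.
const SAMPLE_PAIRS = [
  ["http://example.com/page", "http://example.com:80/other", true],    // explicit default port
  ["http://example.com/a/b", "http://example.com/c/d?x=1#frag", true],  // path/query/fragment ignored
  ["http://example.com/page", "https://example.com/page", false],       // scheme differs
  ["http://example.com/page", "http://www.example.com/page", false],    // host differs (subdomain)
  ["http://example.com/page", "http://example.com:8080/page", false],   // port differs
];

// Evaluate every constructed pair; returns the verdicts so the result can
// be inspected or asserted on rather than only printed.
function evaluatePairs(pairs = SAMPLE_PAIRS) {
  return pairs.map(([a, b, expected]) => ({
    a, b, expected, actual: sameOrigin(a, b),
  }));
}

for (const v of evaluatePairs()) {
  console.log(`${v.actual ? "same " : "cross"}  ${v.a}  vs  ${v.b}`);
}
```

The subdomain case is the one that most often surprises people: `www.example.com` and `example.com` are different origins even though they belong to the same site, which is exactly why the abstract's "same-domain" shorthand is looser than what the browser actually enforces.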