Archive for category Uncategorized
Replacing Passwords With EasyAuth
Posted by scriptjunkie in Uncategorized on October 23, 2014
There’s been a lot of focus on replacing passwords for authentication lately. Google and Twitter have each put forward proposals to address issues in authentication, Google’s based on browser modifications and Twitter’s based on mobile phone usage. Many people advocate multi-factor authentication while others advocate email-based authentication or even more unusual ideas. While many offer […]
4 practical rules to not get your program hacked
Posted by scriptjunkie in Uncategorized on May 26, 2014
If you’re a developer, the task of building secure software can seem to be daunting. Vulnerabilities are a bane of large complex software projects, and companies like Microsoft spend millions to try to address them. This shouldn’t be a surprise, but since it’s popular to claim everything is hackable and nothing can be secure, it’s worth spelling out: Remote code execution vulnerabilities are not hard to prevent if developers follow a few simple, practical rules from the start, since they basically always fall into the below categories.
Red Teaming the CCDC
Posted by scriptjunkie in Uncategorized on May 10, 2014
At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional qualifiers to the national finals. I covered how we hacked and hid from the most paranoid student sysadmins in the nation, […]
March – Pass the Hash Awareness Month
Posted by scriptjunkie in Uncategorized on March 3, 2014
March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog: http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html
A Comparison of HTTPS Reforms
Posted by scriptjunkie in Defense, Uncategorized, webapps on December 11, 2013
An old adage in cryptology is that encrypting data is always easy, but key distribution is always hard. Just a few days ago, Google reported that yet another wrongfully-issued certificate had been found for Google’s domains. As a result of many incidents and problems with CA-issued certificates, many different proposals have been made to improve the system. Google’s Certificate Transparency page compares some of the proposals; but it did not include my favorite idea, I thought it did not do justice to some of the other competing proposals, and it glossed over some of CT’s big issues. I evaluated all the proposals according to these criteria and put together the below spreadsheet to compare their strengths and weaknesses.
Windows API Function Definitions
Posted by scriptjunkie in Uncategorized on January 16, 2012
All of them. Or at least a good chunk of ’em. Why? Because sometimes you just need to know what the parameters are for some obscure function. Download here: winapi.txt and enjoy.
Network Nightmare (Intel)
Posted by scriptjunkie in Uncategorized on December 17, 2011
You can see the slides I put together for my talk Network Nightmare – Intel PXE at http://www.scriptjunkie.us/wp-content/uploads/2011/10/Network-Nightmare-Intel.pdf. It is a modification of the Defcon talk, and adds some lessons learned/suggestions for developers. I also added a few slides evaluating the PXE attack according to the most common vulnerability severity criteria, as if it was […]
Important Stuff
Posted by scriptjunkie in Uncategorized on March 31, 2011
I am adding a page Important Stuff with some thoughts on non-information-security stuff. As fun and interesting as hacking is, there are more important sides of life. So I summarized just four of the reasons why I believe what I believe, and a bit of what that means. As you may know, I am a […]