Archive for category Uncategorized
4 practical rules to not get your program hacked
Posted by scriptjunkie in Uncategorized on May 26, 2014
If you’re a developer, the task of building secure software can seem to be daunting. Vulnerabilities are a bane of large complex software projects, and companies like Microsoft spend millions to try to address them. This shouldn’t be a surprise, but since it’s popular to claim everything is hackable and nothing can be secure, it’s worth spelling out: Remote code execution vulnerabilities are not hard to prevent if developers follow a few simple, practical rules from the start, since they basically always fall into the below categories.
Red Teaming the CCDC
Posted by scriptjunkie in Uncategorized on May 10, 2014
At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional qualifiers to the national finals. I covered how we hacked and hid from the most paranoid student sysadmins in the nation, […]
March – Pass the Hash Awareness Month
Posted by scriptjunkie in Uncategorized on March 3, 2014
March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog: http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html
A Comparison of HTTPS Reforms
Posted by scriptjunkie in Defense, Uncategorized, webapps on December 11, 2013
An old adage in cryptology is that encrypting data is always easy, but key distribution is always hard. Just a few days ago, Google reported that yet another wrongfully-issued certificate had been found for Google’s domains. As a result of many incidents and problems with CA-issued certificates, many different proposals have been made to improve the system. Google’s Certificate Transparency page compares some of the proposals; but it did not include my favorite idea, I thought it did not do justice to some of the other competing proposals, and it glossed over some of CT’s big issues. I evaluated all the proposals according to these criteria and put together the below spreadsheet to compare their strengths and weaknesses.
Windows API Function Definitions
Posted by scriptjunkie in Uncategorized on January 16, 2012
All of them. Or at least a good chunk of ’em. Why? Because sometimes you just need to know what the parameters are for some obscure function. Download here: winapi.txt and enjoy.
Network Nightmare (Intel)
Posted by scriptjunkie in Uncategorized on December 17, 2011
You can see the slides I put together for my talk Network Nightmare – Intel PXE at http://www.scriptjunkie.us/wp-content/uploads/2011/10/Network-Nightmare-Intel.pdf. It is a modification of the Defcon talk, and adds some lessons learned/suggestions for developers. I also added a few slides evaluating the PXE attack according to the most common vulnerability severity criteria, as if it was […]
Important Stuff
Posted by scriptjunkie in Uncategorized on March 31, 2011
I am adding a page Important Stuff with some thoughts on non-information-security stuff. As fun and interesting as hacking is, there are more important sides of life. So I summarized just four of the reasons why I believe what I believe, and a bit of what that means. As you may know, I am a […]
Cryptology, Academics, and Chaos
Posted by scriptjunkie in Uncategorized on February 4, 2011
I saw an article the other day critical of the ACM (here also see this linked to in comments) and I have to say, I completely agree. As far as I can tell, the ACM, like the IEEE and other publishing houses, exists to leech off of the academic world, charging large amounts of money […]