RealTime IT News

Blog Archives

Mozilla TraceMonkey to speed up JavaScript

By Sean Kerner   |    August 22, 2008

From the "we're the fastest nanananah" files:

The race to produce the world's fastest internet browser is about to get a boost from the Mozilla TraceMonkey effort. Mozilla's Interim VP of Engineering Mike Shaver is expected to formally announce TraceMonkey later today(*update* Shaver just blogged on it). TraceMonkey adds native code compilation to Mozilla's
JavaScript engine which is called "SpiderMonkey".

Shaver told me in June that SpiderMonkey in Firefox 3 would be 'more awesome' than it had been before. With TraceMonkey, I think that Shaver's claim will truly be fullfiled.

TraceMonkey will build off the Tamarin Tracing project (which uses technology donated to Mozilla by Adobe last year).

The ultimate goal of the TraceMonkey project is to make JavaScript performance super fast on Mozilla such that it's as fast as native code. Apple has been trying to get to the same place in terms of JavaScript speed as well with its SquirrelFish effort.

TraceMonkey is still in the early development stage though it looks like Mozilla already has it baking for its latest nightly development builds.

The race for fast JavaScript is a great thing for the Web 2.0 world, I can hardly wait to see how much better things can be.

Red Hat Fedora servers compromised

By Sean Kerner   |    August 22, 2008

From the "this isn't good news" files:

Servers for both Red Hat Enterprise Linux and Fedora Linux were compromised in recent weeks by some kind of illegal access. Neither project however is currently admitting than any of their software or users were in any way directly affected by the illegal access.
Fedora Project Leader Paul Frields wrote in a mailing list entry that:

Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline.Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems.

On the Red Hat Enterprise side of things there is an OpenSSH update notification that contains (few) details about what happened.

Last week Red Hat detected an intrusion on certain of its computer systems
and took immediate action. While the investigation into the intrusion is
on-going, our initial focus was to review and test the distribution
channel we use with our customers, Red Hat Network (RHN) and its associated
security measures. Based on these efforts, we remain highly confident that
our systems and processes prevented the intrusion from compromising RHN or
the content distributed via RHN and accordingly believe that customers who
keep their systems updated using Red Hat Network are not at risk.

The fear in both cases is that an attacker could have somehow gained access and then created or compromised a security signing key used to distribute packages and updates.

As far as I can tell based on the analysis provided by Red Hat that's not the case and Red Hat and Fedora are being responsible and prudent by locking down system, analyzing everything and re-issuing keys.

Of course DNS is STILL vulnerable

By Sean Kerner   |    August 21, 2008

From the "I told you so" files:

A month ago Dan Kaminsky revealed to the world that there was a serious flaw in DNS - and nearly every DNS vendor had patches available right away. The patches never claimed to eliminate the flaw - but rather to mitigate and reduce the risk from the flaw.

So I was a little surprised today to get an email from MessageLabs claiming that DNS is still vulnerable. This is what they sent me:

MessageLabs has today revealed that an intricate flaw in the
underlying design of the Internet's DNS (domain name system) protocol is still
vulnerable several weeks after patches were made available. MessageLabs recorded 52 percent increase in suspicious DNS traffic between July and August indicating that the online
underworld is poised to launch targeted attacks in the coming weeks.

This is kinda funny. Of course there was an increase in DNS traffic - everyone on earth was looking to see if their DNS servers were vulnerable. No one has ever claimed that the patches provide 100 percent protection and no one has ever claimed that 100 percent of all DNS servers have been patched either.

The most basic of all hacking attacks is to look for servers that haven't been patched for flaws (whatever those flaws might be) and attack them. With the DNS flaw, there is even a Metasploit module so it's really a trivial matter to exploit.

*UPDATED* Websense is reporting that ISP China Netcom has actually been hit by the same caching exploit. In that case it looks like that attack is based on typo domains (i.e  Bottom line here is that all DNS admins should ensure their servers are patched and more importantly also make sure they have some kind of IDS/IDP monitoring/rules in place to watch for any suspicious activities.

Microsoft getting Seinfeld for ads

By Sean Kerner   |    August 21, 2008

From the "no Mac for you!" files:

Jerry Seinfeld is going to be the new pitch man for Microsoft - at least that's what the Wall Street Journal is now reporting.

Seinfeld who is reportedly getting $10 million for the spots will take on Apple's Mac vs. PC (with Daily Show comedian John Hodgeman) which are just hilarious spots.
The Apple spots are produced by TBWA/Chiat/Day (I actually worked for Chiat/Day in Toronto in the late 80's).

Seinfeld is the everyman - the guy that made a show about nothing popular. On a comedic level he can compete against anyone and I think we're all in for some good comedy - at Microsoft's expense (literally).

Here are some one liners I'm hoping we'll hear (but probably won't):

Blue Screen of Death? What Blue Screen of Death - no one died?

No MAC for you!

Linux? What's a Linux? Yaddaa yadda yadda you want a PC.

Microsoft is profiting from Linux

By Sean Kerner   |    August 20, 2008

From the "no it's not WinUx but.." files:

As Microsoft is set to pump up to $100 million more in Novell for Linux, it's important to note that Microsoft is not paying off Linux - it's actually making money from it.

Microsoft isn't just buying Linux subscriptions from Novell to give's buying them so they can sell them. So that means for the past 18 months, Microsoft has been selling Linux.

How much Microsoft is actually making is difficult to determine.

"We have purchased the Novell certificates, which enables customers to
gain direct support from Novell for Novell SUSE Linux Enterprise and we
take those certificates and sell them to customers," Susan Hauser,
general manager for strategic partnerships and licensing at Microsoft,
told"We keep the pricing confidential since customer size and opportunity
pricing varies. We do resell and redistribute the certificates as part
of our engagement."

But seeing as this is a blog let's do some simple math - as pure speculation - to figure out how much Microsoft may yield in direct Linux revenues. 

Let's start by assuming the total value of the Novell Linux subscription purchases is $340 million (and it may not necessarily be that in the end as it could be less - or more). Microsoft is reselling those subscriptions at a markup that should yield some kind of operating profit. To date in 2008, Microsoft has net profit margin of just over 29 percent.

So doing the simple calculation ($340 million by 29%= X), Microsoft over the lifetime of the Novell coupon deal could profit by $99 million (or more) dollars. At that figure Microsoft would likely be one of the top Linux resellers on Earth.

Yes there are a lot of assumptions in there and we don't know what the actual markup/margin is - but we do know that Microsoft is selling Linux and they are making money doing it.  It just goes to show you that people will buy Linux - even from Microsoft.

IE 8 to get 'porn mode' ?

By Sean Kerner   |    August 20, 2008

From the "what are people actually using their browsers for" files:

Microsoft's upcoming Internet Explorer 8 (IE 8) may get a private browsing (aka "porn mode) feature.  IE 8 Beta 2 is supposed to be out soon and a pair of newly filed Microsoft trademarks (pointed out by blogger Long Zheng) might be indications that the private browsing feature is coming.

What private browsing does is disable history and caching for a given session such that a user's browsing session is private. Apple Safari has this feature as an option today.

Reality is of course as anyone (not me) that has looked at inappropriate sites knows well is that since the very first Netscape browser you've been able to delete history after a session. Which is sort of a manual private mode. Firefox 3 has an option that lets you delete history and cookies immediately at the end of a session or on session start up (semi-automatic private mode?).

Users behind corporate firewalls however still wouldn't be safe though from snoopers as gateway appliances can still potentially track, identify and block users access to various sites.

Firefox 3 coming to Firefox 2 users next week

By Sean Kerner   |    August 20, 2008

From the "we know what's best for you" files:

Firefox 3 has been out since June 17th, but to date existing Firefox 2 users have not received an upgrade notice for the new version. Instead users have had to go out and download Firefox 3 on their own (which over 30 million people have already done).

The vast majority of Firefox users however (somewhere in the 120 million user range) still use Firefox 2 though. That's where the Major Update notification comes in which will pop up on Firefox 2 users screens next week.

Considering that Firefox 2 may well be at risk from a Jinx attack (check out my article from Black Hat on that), the need to move to Firefox 3 for security reasons alone is very obvious to me.

Firefox 2 is still set to be supported by Mozilla till the end of the year when Firefox 3.5 is expected to be released.

Boston Transit hacking trio free to talk

By Sean Kerner   |    August 19, 2008

It looks like the trio of MIT researchers that had been barred from talking about flaws in the Boston subway/ Massachusetts Bay Transportation Authority (MBTA) system fare system can now talk.

The Electronic Frontier Foundation (EFF) which had been vocal on behalf of the three students reported that:

The Court found that the MBTA was not likely to prevail on the merits
of its claim under the federal Computer Fraud and Abuse Act. MBTA had
argued that the CFAA, which prohibits the transmission of a program
that causes damage to a computer, also covers "verbal transmission,"
such as talking to people at conferences. Judge O'Toole, however,
looked closely at the statute, and held that the CFAA does not apply to
security researchers like the students talking to people.

This is an important development.

Security researchers need to be allowed to properly disclose and discuss vulnerabilities. That's how others (including the vulnerable) learn how to protect themselves. Security by obscurity is a myth.

Mozilla grabs new Exec Director from Shuttleworth

By Sean Kerner   |    August 19, 2008

From the "Shuttleworth does more than just Ubuntu" files:

The Mozilla Foundation has named Mark Surman as its new Executive Director effective September 22.  Surman is currently serving as an Open Philanthropy Fellow at the Shuttleworth Foundation.

Yup that's the same Shuttleworth that runs Canonical/Ubuntu and the same dude that paid $20 million to hitch a ride on a Soyuz up to the International Space Station.  The Shuttleworth Foundation is a social development initiative that has been active since 2001.

Surman will replace Frank Hecker at Mozilla who had been the Executive Director since 2006.

"I am totally psyched about this.
Mozilla is a new kind of foundation, one with with participation,
transparency and innovation at its very roots," Surman wrote in a blog posting. "It's not just about
giving out grants or making bold statements (although these are
useful things to do), but also about getting large numbers of people
involved in making things. In particular, things that make the
Internet more open. For someone obsessed with reinventing how
foundations work, there could be no more exciting job than this."

Debian @15 is it still relevant?

By Sean Kerner   |    August 18, 2008

From the "it's about releases isn't it?" files:

Debian GNU/Linux is now 15 years old -- which isn't too shabby for an operating system. Yet though Debian is still alive and kicking, I'm not so sure it holds the market position that it should at this point in its maturity.

Sure there are many Linux distributions based on Debian - Ubuntu, Xandros and others among them. There have also been efforts over the past 15 years to create an Enterprise Debian support system/vendor of some sort. Ian Murdoch (the 'IAN' part of Debian) had tried with his firm Progeny which ultimately failed. Then there was the Debian Common Core Alliance (DCCA) which also failed. Bruce Perens (a former Debian Project Leader himself) also tried with UserLinux which never ended up materializing either.

HP is a major backer of Debian and seems to be profiting from the experience as well. Outside of HP's success,  and Ubuntu's success being based off Debian - Debian has not hit the same level of commercial success as a Red Hat or Novell.

There are a lot of reasons why Debian has faltered a bit over the years - the most obvious issue is the lack of a consistent and reliable release schedule which is what helped to give birth to Ubuntu in the first place.

That said, Debian is a massive repository for many architectures and subsystems. As such it is an unmatched resource for downstream distributions like Ubuntu and Xandros to build from.

Debian is also the model for true community leadership and participation. The Debian Project Leader is an elected position and its Social Contract is the model for Open Source itself.

So is Debian relevant? OF COURSE IT IS.

But I'll still argue that it could have been more. At this point Ubuntu has eclipsed Debian proper in terms of popular mindshare. Ian Murdoch once told me that he thought that Ubuntu's popularity was more harmful than helpful to Debian itself. Yet Debian development and releases still persist and Debian itself still had users/supporters and contributers.

So Happy Birthday Debian. You've been a mainstay of Linux since the beginning and I sincerely hope that will remain that way for at least the next 15 years.

Canonical/Ubuntu formally joins Linux Foundation

By Sean Kerner   |    August 18, 2008

From the "what?!" files:

Big news friends, Canonical (the lead commercial backer of Ubuntu Linux) has formally joined the Linux Foundation.

Shocking isn't it?

Shocking in that Ubuntu is one of the most hyped (if not THE most) of all Linux distributions and Canonical was NOT previously a member of the Linux Foundation. Certainly you can be part of the Linux community without being a member of the Linux Foundation as Debian and Gentoo users know full well. Certainly the OSDL (the predecessor group) to the Linux Foundation was an expensive undertaking in terms of membership. But the Linux Foundation since its inception more than 18 months ago has tried to be as inclusive as possible.

There are those that have argued (not me necessarily) that Ubuntu/Canonical does not participate in standards and upstream development (particularly enough or at all given their user base. Being (finally) part of the Linux Foundation might help to change that perception and bring Ubuntu deeper into the mainstream of core Linux development.

Linux Foundation occupies a critical, non-commercial function in the
use and popularization of Linux around the world. We've always seen the
Linux Foundation's value and are pleased to now become an official
member and support its activities. We look forward to working with them
to continue the march of Linux in all areas of computing," said Matt
Zimmerman, Ubuntu program manager and CTO, Canonical in a statement.

The Russia Georgia cyberwar

By Sean Kerner   |    August 15, 2008

Disabling an enemy's ability to communicate is one of the most basic - and ancient - tactics of warfare. In the case of the current Russian incursion in to Georgia that also means the Internet. There is no clear indication at this point who is directly to blame for the DDoS attacks against Georgia but there is no doubt that it is happening.

A report on the Renesys security blog noted that there are some 309 networks that geo-locate to Georgia with 60 percent of them being unstable (and under some form of attack).

Jose Nazario of security firm Arbor networks reported some interested stats on the attacks this week. According to Arbor's data:

Average peak bits per second per attack

211.66 Mbps

Largest attack, peak bits per second

814.33 Mbps

Average attack duration

2 hours 15 minutes

Longest attack duration

6 hour

The reality though, is that the Internet itself is very resilient (it was built by the US military to withstand attack after all) and websites in Georgia are still accessible. Things like moving the hosting servers (to the US or elsewhere) as well as distributing loads can minimize the full impact of DDoS.

Whether or not it is actually the Russian government or not that is behind the attacks is still a matter of speculation. Security researchers Gadi Evron wrote:

While Georgia is obviously under a DDoS attacks and it is political in
nature, it doesn't so far seem different than any other online
after-math by fans. Political tensions are always followed by online
attacks by sympathizers.

Regardless of who is to blame and what the impact is, it's important to remember that this is all about people and innocent people are being killed in this conflict. Let's all hope that the Internet will also be used as a tool for getting information out that will end this conflict.

Boston subway hackers told to stay quiet

By Sean Kerner   |    August 15, 2008

They still can't talk about it. First the court ordered three M.I.T students not to present their findings on how to hack the Boston subway/ Massachusetts Bay Transportation Authority (MBTA) system fare system. So no presentation happened at Defcon on it as a result.

Instead the full presentation ended up being posted publicly on the internet for all to see. Yet still the court order restricting the students from actually talking about the flaws is in place. The AP reports that:

Judge George O'Toole Jr. also ordered the students Thursday to turn
over more information about their findings, including a report they
submitted to their professor - cryptography pioneer Ronald Rivest - and
computer code they planned to release as part of their presentation.

A hearing is scheduled for Tuesday to determine the next steps. The students claimed that they disclosed issues to the MBTA first but considering the backlash, I think it's safe to assume that the information (at least not all of it) didn't get to the right people.

Dell Latitude ON - big win for Linux

By Sean Kerner   |    August 14, 2008

From the "who needs a pre-load when you're embedded" files:

Dude - if you're getting a Dell then you're getting Linux.

No you don't have to order one of those fancy Ubuntu pre-load deals. This is an embedded Linux that will be available on a whole bunch of new Dell Latitude laptops in a feature called Latitude ON. This is a feature that uses an embedded Linux to allow for instant on access to email, calendar and Internet.

So even if you pay for Windows Vista on a Dell Latitude - when you want instant on - you'll boot Linux.

Everyone at one point or another has suffered the trials of a long boot up time (on Window or Linux) with an embedded OS (Linux cause it does embedded best) boot time becomes a non-issue. On consumer electronics devices (TV, camera's, DVDs) we don't wait for a boot so why should we on laptops?

Open source Artistic license now court validated

By Sean Kerner   |    August 14, 2008

From the "it ain't real till someone checks" files:

The US Court of Appeals for the Federal Circuit (CAFC) has validated the open source Artistic license in a key ruling handed down yesterday. DLA Piper attorney Mark Radcliffe called the case, "...the first real test of the remedies for breach of open source licenses in US courts."

The gist of the case is simple enough. Robert Jacobsen accused Matthew Katzner and Kamind Associates of copying certain materials from Jacobsen's website and incorporating them into one of Katzer/Kamind's software packages without following the terms of the Artistic License. According to the court documents Jacobsen brought an action for copyright infringement and moved for a preliminary injunction.

The CAFC's ruling from the way I read it is all about validating the Artistic licence itself as legal contract within the jurisdiction of the US legal system.

We consider here the ability of a copyright holder to dedicate certain work to free public use and yet enforce an "open source" copyright license to control the future distribution and modification of that work.

Precedence is a key characteristic of the US legal system and with this ruling there is now a precedent for courts to validate open source license as being legal. In my simple (non-lawyer) opinion, until a license (or patent) is court tested there is always a question about its validity. When it comes to open source that question has now been removed.

10GbE switch market worth $600 million

By Sean Kerner   |    August 13, 2008

From the "adios 1GbE" files:

10 Gigabit Ethernet (10 GbE) has been available for some time, but is is only now that it is really hitting full stride.  According to a new report from market research firm Dell'Oro Group, for the second quarter of 2008 10GbE switch revenues exceeded $600 million.

Over 250,000 10GbE switch ports were shipped in the quarter which is also an important milestone.

I've written before about the challenges of 10GbE deployment. Often it's a cost issue - though 10GbE prices are falling. Then there was once the question of demand. Reality is that with the increasing demands placed on networks - principally by video - 10GbE is something that many (if not most) enterprise networks actually need.

Considering that 40 GbE/100GbE is years away from being a switch interconnect speed, I'd suspect that 10GbE port shipments and revenues will continue to rise for the foreseeable future.

Google Keyczar open source crypto

By Sean Kerner   |    August 12, 2008


From the "we're not just a search company anymore" files:

Cryptography and open source are being joined together in a new effort called Keyczar. The project is being hosted on Google Code under the Apache 2.0 license and includes both Java and Python implementation (nope no PHP or C++).

According to Google's Steve Weiss:

Keyczar is a cryptographic toolkit that supports encryption and
authentication for both symmetric and public-key algorithms. It
addresses some of the aforementioned issues by choosing safe defaults,
tagging outputs with key version information, and providing a simple
application programming interface. Keyczar's key versioning system
makes it easy to rotate and revoke keys, without worrying about
backward compatibility or making any changes to source code.

One of the key (no pun intended) things that Keyczar will do (at least from what I can tell) is help protect users against the same sort of situation that occured when Debian messed up their OpenSSL keys earlier this year. Google notes on the project page that Keyczar is not intended to replace OpenSSL but rather is a complement to it.

While this is currently a Google project, I could see this getting adopting broadly and quickly over the course of 2008 as Linux distributions take a look at it.

Boston Transit hack averted?

By Sean Kerner   |    August 11, 2008

From the "don't talk don't tell" files:

A Federal Judge successfully prevented a pair of MIT students from presenting a paper at Defcon on Sunday that could have exposed flaws in the Massachusetts Bay Transportation Authority (MBTA) system.

According the the AP  MBTA argued that they weren't properly notified of the flaws that the students would be presenting.


Reality is that if the MIT student researchers could find the flaws - in the hopes of sharing them at a conference - then others could properly figure them out too (and not for research purposes either). Hacking RFID isn't a terribly complicated thing to do anymore if you've got the right equipment and it's likely in the MBTA best interests that this information becomes avaialble so they can take the appropriate step to protect they network.

The argument of not being properly disclosed is one that I heard alot of last week. Both Google and Mozilla argued that flaws that were presented at Black Hat were not fully disclosed before their respective presentations. To the credit of both organizations though neither attempted to stifle the presentation of the research.

*UPDATED* Though the presentation wasn't delivered at DEFCON, an online student pubication at MIT has made the full presentation available to anyone over the internet. It's an interesting presentation - check out the pdf at:

Hacking journalists at Black Hat

By Sean Kerner   |    August 08, 2008

LAS VEGAS -- Journalists hacking other journalists? Say it ain't so.

I'm never a fan of press rooms and tend to spend most of my time in sessions which is a good thing this year for me at Black Hat. There were a pair of French journalists who actually sniffed out journalist user/pswrd on the wired press room network. Apparently they were trying to get at CNET (among others).

As I wrote earlier in the week, the Black Hat network is hostile and there was a Wall of Sheep effort to embarrass (and help) users who send their login credentials in clear text, but that's over  Wi-Fi. The press room is wired and had no such Wall of Sheep warning. So the jokers who sniffed out other journalist passwords got ejected from the conference - and rightly so.

That said on the Wi-Fi network, Black Hat founder Jeff Moss noted in a Wednesday AM introduction that Wi-Fi admins for Black Hat protected against some 709 clients that tried to set up rogue access points (many with the SSID: BlackHat). What the Black Hat admins did was DDoS any SSID set to BlackHat (other than the official ArubaNetworks one) based on the access points MAC address.

So what's the difference between setting up a rogue access point and sniffing traffic in the press room? LOTS.

The press room (though I avoided it) is supposed to be a 'safe' zone
for journalists where they can plug in (power/Ethernet) to get work
done without interference. Violating that sanctity is a crime in my

That said, don't send user/pswrd in the clear cause you never know who is listening.

Black Hat: Beware of GIFAR

By Sean Kerner   |    August 07, 2008

From the "he's not just an evil Disney character anymore" files:

LAS VEGAS -- We've known that image files could potentially be malicious for some time, but there is now the potential for a super blended attack that could cause widespread damage.

In a session today at Black Hat Ernst and Young security researcher Nate McFeters (joined by Rob Carter and John Heaseman) detailed how a GIFAR attack could propagate. GIFAR is an combination word for GIF and JAR (Java archive). The idea is that the JAR applet is contained inside the GIF file. So a website could be hosting what looks like a harmless image file which in fact under the right circumstances could also be called as applet. The Java Virtual Machine (JVM) is capable of calling files with a number of different extensions, including GIF.

Thanks to a number of different violations of same domain origin policy, McFeter's argued that it could be possible to actually have the GIFAR hosted on a domain and then be able to wage attacks again all others on that domain.

McFeters repeatedly cited Google as an example of how something could be executed, though he was quick to note in numerous cases that Google has been responsive and has patched for the issues that he found.

But what about other sites?
Personally I think sites that aren't as security focussed as Google could likely be ripe target for GIFAR. This is one massive multi-headed attack that I for one think deserves to be taken seriously by all domain owners that host images (and that's nearly everyone..).

Black Hat: No REST for the wicked

By Sean Kerner   |    August 07, 2008

From the "more cool session titles" files:

LAS VEGAS -- Microsoft hacker (that's right Microsoft?!)  Bryan Sullivan has got some news for Web Services developers : REST can be a panacea for attackers.

Sullivan's official title is Security Program Manager on the
Security Development Lifecycle (SDL) team at Microsoft and he spent an hour at Black Hat explaining how REST Web Services could be hacked for Cross Site Request Forgery (CSRF) attacks.

Personally I never really thought of using REST for an attack but it really does make a whole lot of sense since it's a cross site approach and if it's not properly secured - you've got a problem.

There are a few solutions though Sullivan wasn't keen on the access control  W3C working draft that could provide a degree of security for REST.

Sullivan however admitted that his company Microsoft actually has a competing proposal for security that is going to be implemented in Internet Explorer 8 called XDR (cross domain requests).

All told though what I surmised is that REST could be a very risky proposition if not properly secured (but then again what isn't).

Black Hat doesn't scare Cisco

By Sean Kerner   |    August 07, 2008

VEGAS --  A couple of years ago Cisco fought Black Hat over a
presentation. This year there are at least three presentations that
deal with various Cisco vulnerabilities.

Does that worry Cisco?

at all according to Russell Smoak Director Technical Services for Cisco
Security Intelligence Engineering.  Smoak told me that all of the
presenters first disclosed their information to Cisco and Cisco has
been aware of and already patched any potential vulnerabilities months

Smoak did say that Cisco is always concerned about security
vulnerabilities but overall they've got a very good working
relationship with the security research community as well as other
vendors like Microsoft and even competitor Juniper Networks.

While some organizations might pay security researcher to disclose vulnerabilities, Cisco is not one of them

"No money changes hands with researchers," Smoak said. "But we find other
ways to work together."

Overall the real key for Cisco is about getting more best practices in
place at enterprises to protect and mitigate against vulnerabilities.

"I believe that  there are around 20  best practices that will really insulate you
against 95 percent of issues," Smoak said.

Black Hats hack Macs

By Sean Kerner   |    August 07, 2008

From the "security by obscurity doesn't work" files:

LAS VEGAS -- Though Apple isn't officially presenting at Black Hat, Apple is definitely in the crosshairs of security researchers.

In a session given by famous security researcher Petko D. Petkov, attendees were told about how a particular Apple QuickTime URI handling flaw was discovered. Petkov  also gave the audience a tip, that there are plenty more Zero Day bugs to be found for other researchers who concentrate on looking at applications that will accept addresses that then trigger a file protocol URI function.

Ever heard of Mac OS X rootkits?

Neither had I, but I sat in part of a session in wish Jesse D'Aguanno talked about his MAC OS X rootkit called iRK.  From the part of the talk that I saw it sure looked like the real deal to me, but of course to get a rootkit onto a  Mac (to do whatever damage you want) you have to have root.

So I skipped out on the rootkit session halfway to sit in on another session about reverse engineering on the Mac OS X. Tiller Beauchamp and David Weston gave a revised version of their talk from Black Hat DC about using Dtrace as a tool for security research. This time out their tool is called Re:Trace and it's in Ruby and targets the Mac.

"You can fuzz an application and easily find all the places that are
vulnerable to heap overflow," Beauchamp said. "Then we could figure what parts would be susceptible
to arbitrary code execution."

So no, there were no major exploits for Apple actually revealed at Black Hat, but it sure looks to me like researchers are looking.

Thousands gather to hear Kaminsky DNS

By Sean Kerner   |    August 06, 2008

LAS VEGAS -- Everyone wants to hear Dan Kaminsky talk about his DNS vulnerability that shocked the web 30 days ago.
I'm sitting in the Palace ballroom and I've never seen so many people
in one room to listen to one man talk about one vulnerability.

are literally thousands (maybe 4,000) people trying to cram into this
room - the conference organizers just announced that speakers from
other sessions should not skip out of their sessions to listen in on
this one.

*UPDATED* Kaminsky didn't disappoint detailing a myriad of way in which
the DNS exploit could have destroyed the Internet, including email.

"There is always
another way to get screwed by bad DNS," Kaminsky said.

Kaminsky also took time at the end of his 70 minute session to address his critics.

"DNS bugs create  a
skeleton key across all websites," Kaminsky said."A lot of people
think that breaking DNS is not a big deal and  I think I was called out. I don't think I was
hyping anything."

Black Hat: Will technology lead to ruin?

By Sean Kerner   |    August 06, 2008

From the "doom and gloom" files:

. Professor Ian O.Angell of the London School of Economics is a gloomy fellow. In a packed keynote session at Black Hat, Angell literally raged against the machine.

Angell argued that we use technology in order to swap out hopelessness for optimisim, but in his view that optimism is misplaced. In his view computer systems deal with objects that are  well structured but they cannot deal properly with singularities.

As part of his rant Angell claimed that end users rely on the system without exercising their own judgment.

"The madness of our
age is the delusion that our world can be controlled and manged using the pseudo
science of technology," Angell said.

Angell offered little in the way of recommendations other than to use common sense and to be wary of those that see technology as the answer for everything.

So is Angell isn't an optimist (glass half full) and he also claims he's not a pessimist (glass half empty).

"I'm a capitalist and they're
using too much glass
..and cynics will be laughing all the way to bank."

Mozilla Aurora browser is out there...

By Sean Kerner   |    August 06, 2008


From the "pie in the sky" files:

Mozilla has always prided itself on being open for participation, but a new Mozilla Labs effort is trying to extend the model further. Basically they're fishing for ideas.

Today we're calling on industry, higher education and people from
around the world to get involved and share their ideas and expertise as
we collectively explore and design future directions for the Web.

To kick things off, Mozilla has posted a series of concept videos, one of which is narrated and produced by none other than Jesse James Garret. Yes that guy. The guy that "invented" AJAX. So yeeeaah he's got some cred.

I'm not sure I like the Aurora concept browser myself, but you gotta admit it is ...out there.
Aurora (Part 1) from Adaptive Path on Vimeo.

Black Hat: 'This network is hostile'

By Sean Kerner   |    August 06, 2008


From the "I don't think we're in Kansas anymore Toto" files:

LAS VEGAS -- Aaaaaah Black Hat, where all that ails computer security is out in plain view, even some stuff that you normally can't see like Wi-Fi. I go to many conferences over the course of any year but only one, only Black Hat provides its attendess with a disclaimer about Wi-Fi.

This Network is hostile

That's what it says on the Black Hat sheets telling users how to connect to Wi-Fi here. Sure any Wi-Fi network could be hostile (and really all public ones should be considered as such) but they've spelled it out very plainly here.

To make matter even more (in)secure - this year the Wall of Sheep is part of Black Hat. The Wall of Sheep will detail users here at Black Hat that connect insecurely (over the hostile network). Specifically it will look at users who sent their passwords in the clear.

So users who connect to POP/IMAP with Outlook (without using HTTPS) kiss your sheepish skins goodbye. Do you connect to instant messaging with a public IM client (that doesn't have an HTTPS connection) - ttyl you're toast too.

It's actually a very good exercise since all this 'fun' is being monitored under the guidance of the Black Hat conference as a learning kind of tool. Other conferences (and public Wi-Fi) present the same risks too, even if they don't advertise it.

Whitehat talks at Black Hat about making $

By Sean Kerner   |    August 05, 2008

From the "show me the money" files:

I had the good fortune of meeting up today with Jeremiah Grossman, Founder and CTO of Whitehat Security. Grossman is talking at Black Hat in a session called "Get Rich or Die Trying" in which he is set to discuss how Black Hat's make money.

Grossman told me that he wants to move the discussion beyond just simple exploits, be they XSS, CSRF, SQL injection or otherwise - for him some real flaws and some real money for hackers are being made from flaws in website's business logic.These are flaws that aren't at the code level but exist in how a site itself operates - in a way that hackers can exploit.

As an example, Grossman described a business logic attack whereby an attacker tries to log into a users account on an auction site repeatedly with the wrong password. The business logic of the site dictates that after a certain number of failed logins the legitimate user is actually locked out.

In another example, using a technique known as "timing" a hacker can try to access a site with an email address in order to determine if the email address is valid. Where the timing comes in, is the typical business logic (regardless if the password is valid or not) is that it there is a valid email there is a slight difference in the amount of time it takes for the website to respond.

As opposed to code level flaws which can be scanned for with tools and often fall into particular categories of vulnerabilities - business logic flaws according to Grossman are "all over the place and vary from site to site."

So how does a site protect itself against a business logic level flaw? How does a site owner even know that they have a flaw?

Well here's where the motivated self-interest comes in for Grossman - while the hackers themselves can use the business logic flaws to make money - Grossman's company Whitehat can also make money by throwing humans (and some technical know how) at the problems to help site vendors as well.

Test page

By Sean Kerner   |    August 05, 2008

widget test

Apple still under the gun at Black Hat

By Sean Kerner   |    August 05, 2008

From the "you can run but you can't hide" files:

LAS VEGAS. There is a lot of chatter out  today about Apple canceling out on a pair of presentations at Black Hat. One of the sessions was supposed to be run by Apple staffers who were going to give an insiders look at how Apple does security response.

Though that particular session isn't on the Black Hat schedule (and hasn't been for a few weeks), Apple isn't necessarily off the hook at Black Hat.

Security researcher Petko Petkov who is a well known Apple vulnerability hunter still has a scheduled talk (and as of 11:30 AM PT on Tuesday August 5th) and his talk hasn't been canceled. According to the synopsis of his talk he will be discussing, "..numerous techniques for attacking Clients-side

Sounds painless enough. But there's a catch. 

If Apple responds before the event, I will drop the details of a QuickTime
0day for Windows Vista and XP.

Knowing Petkov (mostly by reputation) and Apple (by trying to get comments from them on security stuff), I'd bet (this is Vegas after all) that whether or not Petkov discloses the QuickTime bug or not will come down to the wire (which is Wednesday afternoon PT). Even if he doesn't actually disclose a proof of concept for his QuickTime Zero day, having a researcher of Petkov's caliber detail how he finds issues (he could easily just not name the company though hint at it..) is likely to be a real eye opener.

So though Apple may have decided not too allow its own people to talk, that doesn't mean that others won't.

Iron Chef Black Hat Returns

By Sean Kerner   |    August 05, 2008

From the "and the secret ingredient is..." files:

One of the most interesting sessions at Black Hat 2007 was the Iron Chef session  where researchers battled the clock and each other to find security exploits in applications. This year Iron Chef is back and supersized! I spoke with Fortify's Jacob West and Brian Chess about the return of Black Hat and both men were excited to be back.

This time around they've doubled the length of the event and are including both static analysis and fuzzing. As well, last time around the Iron Chef event was somewhat overshadowed by the iPhone session that occured at the same time. So this time out, the iPhone security researcher will be a participant in the Iron Chef competition.

Fortify has also solicited some interesting talent to help judge the event. Mozilla's Chief Security person, Window Snyder will be on hand to help decide whose 'security cuisine is supreme!.

Personally I'm amazed that vulnerabilities can be found so quickly in a live event. West assured me that participants will not know what application they will be given, so it really is a true test of skill.

As an adjunct, Fortify is also running an online hacking competition this year too, so for those of us not skilled enough to be on the official Iron Chef stage, we can try out our skills in an online 'kitchen stadium.'

Mozilla files landslide bug

By Sean Kerner   |    August 01, 2008

From the "aren't the 2010 Winter games there?" files:

There are a lot of interesting bugs on Mozilla's bugzilla site. One of the most interesting I've ever seen is bug 446804 titled - "Can't get out of Whistler"

It turns out Mozilla has a developer sumitt this week up in Whistler BC. The main road leading to Whistler was hit by a landslide the other day so developers are now stuck.

What do developers do when there is a problem?
They file a bug report of course.

As of this posting there some 97 comments attached to this bug ranging from the humorous to the practical.

"Soon, the food will run out and we will be forced to eat one another. Luckily,we have interns...," wrote Al Billings

"So, is this going to cause a delay on Firefox 3.0.2?" wrote Ryan S.S.

To add further insult to injury a truck hit the transformer at the hotel where Mozilla is at, shutting off main power.

"Anyone see this truck
around the hotel around near the time the transformer was hit?
, " wrote Mike Schroepfer

All I can say is at least they didn't run into bears...........

Apple finally patches Kaminsky DNS flaw

By Sean Kerner   |    August 01, 2008

From the "better late than never" files:

For some unknown reason, Apple did not have a patch available for the DNS flaw that Dan Kaminsky first announced more than two weeks ago, despite the fact that one was available for BIND (which is what Apple uses). Apple has finally gotten off its iPhone rich tail and now put out an official patch, saving users from a flaw that has been weaponized and exploited in the wild.

The BIND update is part of Apple security update 2008-005 which also includes fixes for PHP, OpenLDAP and OpenSSL.

Do you see a pattern here? Cause I sure do.

Apple uses a lot of open source software and that's great. Apple also doesn't seem to be offering its users the updated packages for some of those open source packages as quickly as they are actually available in the general community (not so great).

It sure would be easy pickings for hacker to just look at the open source apps running on a Mac, see what isn't update and then go after vulnerabilities that have already been publicly exposed.