published: September 2nd, 2008
It is time to rethink the way the desktop works. Some of my ideas may seem radical but sometimes evolution is the only solution to all of our problems. Read on…
I have had this idea for quite some time now. [...]
published: September 2nd, 2008
It is true what many of you have heard. Google is releasing their own browser. Google Chrome, as they call it, is based on the WebKit rendering engine and introduces some novel approaches to interacting with web technologies. I must say, it is very exciting to see all of this happening.
What makes Google Chrome different is its architecture. The browser is no longer a single-threaded process. Each tab is actually a separate process with its own memory space. [...]
published: August 31st, 2008
I am heavily frustrated with the way the Web works today. Everything seems to be broken beyond reason. I really want to fix the damn thing but I realize that it is not up to me to do that. It is up to all of us to make sure that code is written in the most secure possible way. Can we do that? Perhaps not! What can we do then?
Before I get to the point, I need to tell you how I fixed my insecure WordPress blog. [...]
published: August 30th, 2008
So we all know about cross-domain vulnerabilities that allow attackers to run code within the security context of the target domain. Typically, they are either an XSS bug in the server-side application, or a bug in the client (a web browser plugin or the web browser itself). Most of the time, these vulnerabilities require some type of interaction from the victim user, i.e., being tricked into clicking on a link or visiting a malicious page.
Now, most techies are familiar with bookmarklets. [...]
published: August 27th, 2008
I would like to share a few thoughts on the notion of being in direct control of your environment. This article is a continuation of my previous one and it aims to justify why nowadays individuals and organizations prefer to give away control in order to gain more agility. Needless to say, less control is often equal to less security.
Some of you who have been following the blog may be familiar with some of my other articles on the same topic. [...]
published: August 24th, 2008
This is a quick post just to let you know that we are currently introducing a lot of changes around this website and our infrastructure in general. If you are a regular visitor, you should have spotted a few problems in the last couple of days. We are working on them and we are also adding some awesome security features to WordPress, which will be released as a plugin soon. The stuff is really good and I am sure that many will love it and perhaps use it in their setups! [...]
published: August 13th, 2008
Defcon 16 was awesome! I’d like to congratulate Dark Tangent and all the Defcon goons for such an awesome event.
This year somehow I managed to meet more people, attend more parties and see more presentations than during previous years. I had the pleasure to meet other fellow researchers for the first time such as Nathan McFeters, Billy (BK) Rios, RSnake, id and many others! All of them are security warriors whose research I was familiar with, but had never met in person. [...]
published: August 12th, 2008
Alright. If you have been following the Full-disclosure mailing list, you have probably stumbled across several emails which claim that one of my Gmail accounts has been compromised. That is right. It did happen but I am not that surprised since I’ve been expecting it after being unsuccessfully attacked so many times during the last 3 years. It is interesting to me that shady characters from across the Net see me as quite an important person although I would say otherwise. [...]
published: August 4th, 2008
For my Black Hat talk I had to come up with some made-up terms in order to find sensible enough categories in which my material actually fits. So, I will put them all up here for feedback from the audience.
Cross-context Request Forgery
CCRF (Cross-context Request Forgery) is the generalized form of CSRF (Cross-site Request Forgery). Although the general notion is that CSRF only applies to site-to-site types of attacks, the reality is very different. [...]
published: August 3rd, 2008
This is a continuation of my previous post. The reason why GIFARs work (although in my case it was a JPGAR, from JPG + JAR) was explained to me by FX (Recurity Labs) after my talk during the last Black Hat in Amsterdam.
Basically, when you combine GIF/JPG and JAR/ZIP you have a hybrid file which has two heads. The head of the GIF/JPG file is at the top. The head of the JAR/ZIP file is at the bottom. [...]