Friday, June 20, 2008

multipost

i can't justify making these all separate posts... sooooo....

#!) pdp has a post talking about some conversations he's had w/ joanna about virtualization security issues... the thing i dig about this is how he homes in on how 'normal' users aren't going to use virt tech in the way that peeps like joanna see it helping security, b/c it's just too complicated for them. anyway, i dig this b/c it kinda fits w/ my view on security today. it's just too complicated for normal users (and arguably many sec professionals ;), and someday there's gonna have to be a solution to alleviate this pressure... things will not go on like they have in the infosec industry forever imo... anywho, i don't have a solution or anything, i'm just bracing myself for unknown inevitable life-altering change...

#@) the whole hack the coffee maker deal... i'm not sure i totally agree w/ thor on the whole responsible disclosure rant he had. i mean, i agree in general, but it's a coffee maker maker, i can imagine they might be completely unresponsive to infosec issues... anywho, i love this b/c it hits on a point i'm considering doing some research on, which is basically that inet enabled devices which don't have financial incentive for being secure are probably going to have higher vuln rates than appliance networks which add value to their parent companies through being inet enabled. in this case, it's just a feature, not an active profit center, so it isn't a surprise that security hasn't been taken into acct...

##) so some math geeks figured out you can "listen in" to encrypted voip calls (via schneier) just by doing timing and size analysis on the encrypted packets. they claim 50-90% accuracy. if they aren't doing it already, i wonder if you could take candidate words and run them through a grammar checker to improve the ultimate tally.... they've gotta be doing that already tho... i live in awe of math and crypto people sometimes, but i sure don't feel any burning desire to try to become one...
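to make the "listen in via packet sizes" thing concrete, here's a toy python model (added to this post, not code from the paper or from anyone else) of why variable-bitrate voice leaks through encryption and what the boring fix looks like. the codec table, the three phrases and the jitter are all made up for the demo; the only real point is that encryption preserves frame length, so a matcher that only sees lengths can still pick the phrase, and padding every frame to a constant size takes that signal away:

```python
"""Toy model of the packet-length side channel in encrypted VBR voice
and of constant-size padding as a mitigation.

Everything below is constructed for illustration: the 'codec' byte
sizes, the phoneme sequences and the jitter model are invented, not
measured from any real codec or capture."""
import random
from typing import Dict, List

# Constructed VBR "codec": each phoneme class compresses to a characteristic
# frame size in bytes (real VBR codecs vary bitrate by sound too; numbers invented).
FRAME_BYTES = {"vowel": 48, "fricative": 20, "stop": 12, "nasal": 32, "pause": 8}

# Constructed phrase dictionary (hypothetical candidate phrases), all 9 frames
# long so that the frame COUNT alone cannot separate them.
PHRASES: Dict[str, List[str]] = {
    "call me back":  ["stop", "vowel", "nasal", "pause", "nasal", "vowel", "pause", "stop", "vowel"],
    "send the file": ["fricative", "vowel", "nasal", "stop", "pause", "fricative", "vowel", "nasal", "pause"],
    "see you soon":  ["fricative", "vowel", "pause", "vowel", "pause", "fricative", "vowel", "nasal", "pause"],
}


def template(phrase: str) -> List[int]:
    """Expected frame lengths for a phrase (what the matcher compares against)."""
    return [FRAME_BYTES[p] for p in PHRASES[phrase]]


def observed_lengths(phrase: str, rng: random.Random, jitter: int = 2) -> List[int]:
    """What a passive observer sees on the wire: encryption hides the payload
    but, without padding, each ciphertext frame keeps the codec's length
    (plus a little constructed jitter)."""
    return [FRAME_BYTES[p] + rng.randint(-jitter, jitter) for p in PHRASES[phrase]]


def pad_frames(lengths: List[int], size: int = 48) -> List[int]:
    """Mitigation: send every frame at a constant size, so the length channel
    carries nothing. Caveat: frame count and timing are not hidden by this,
    and a real deployment needs the codec/transport to emit fixed-size frames."""
    return [size for _ in lengths]


def l1_distance(a: List[int], b: List[int]) -> int:
    return sum(abs(x - y) for x, y in zip(a, b))


def guess_phrase(lengths: List[int], templates: Dict[str, List[int]]) -> str:
    """Pick the candidate whose expected length sequence is closest (L1)."""
    return min(templates, key=lambda p: l1_distance(lengths, templates[p]))


def accuracy(trials: int = 300, padded: bool = False, seed: int = 1) -> float:
    """Fraction of trials in which the length-only matcher names the right
    phrase. With padding applied to both the observation and the templates,
    every sequence looks identical and the matcher degrades to chance."""
    rng = random.Random(seed)
    templates = {p: template(p) for p in PHRASES}
    if padded:
        templates = {p: pad_frames(t) for p, t in templates.items()}
    phrases = list(PHRASES)
    hits = 0
    for i in range(trials):
        truth = phrases[i % len(phrases)]
        obs = observed_lengths(truth, rng)
        if padded:
            obs = pad_frames(obs)
        hits += guess_phrase(obs, templates) == truth
    return hits / trials


if __name__ == "__main__":
    print("unpadded VBR, length-only matcher accuracy:", accuracy())
    print("constant-size frames, length-only matcher accuracy:", accuracy(padded=True))
```

in the toy model the matcher is perfect on unpadded frames and falls to 1/3 (chance over three candidates) once every frame is the same size; the thing to remember on the defensive side is that padding closes the size channel only, so frame count and inter-packet timing still need their own treatment (constant-rate sending, fixed-length silence frames) before you can call the call private.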

#$) too many mother uckers w/ a cissp... anyway, that's kinda not really the point of this post. but as a sec generalist w/o a cissp, i'll raise my glass and say it is worth reading... also, i like this owasp certification industry hack as well...

#%) ok, i may not entirely understand this AV cloud bs, but to me it sounds like... bs.... are we saying that we're going to do our checksum checks by communicating w/ hosts over TCP/IP instead of a local file? tell me what this solves that needs solving. my AV files aren't filling up my HDD. the problem is that my AV software can get sploited before it knows what happens. i am getting more and more jaded in this area. the solution isn't some new AV magic. the solution is to stop trying to paint lipstick on the pig which is the windows security model and move to a design which is manageable a la *nix...

#^) i really need to read this face-off stuff regularly... i am too lazy to find the rss for it... i love both of these guys... despite the fact that one of them seems much more down to earth and cool based on my personal interactions as well as that of a ninja friend doing a talk @ blackhat this year ("please don't do this to me", lol)... anywho, they both know their stuff and stimulate the mind...

#&) came across this paper in the mail... very interesting attack vector which reminds me of reflected xss.... haven't digested it yet, but tacking it on to this post for giggles...

2 comments:

dre said...

too many mother-uckers w/ a cissp... anyway, that's kinda not really the point of this post. but as a sec generalist w/o a cissp, i'll raise my glass and say it is worth reading... also, i like this owasp certification industry hack as well

Thank you for including TS/SCI Security in your multipost! We appreciate this kind of feedback. Glad you liked it. Help us out with the OPCP!

rwnin said...

not at all m8, i've enjoyed reading your site for a while now...

bookmarking the opcp and i'll see if there's anywhere i can help out :D