May 6, 2011

A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock – let it have been made in whatever country, or by whatever maker – is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquintance with real facts will, in the end, be better for all parties.

May 2, 2011

Evidence of recent attacks on major political and financial systems suggests that large-scale attacks on critical infrastructures are still a focus of attackers, despite recent reports that cyber attackers are focusing on smaller targets. In an article titled “Are We Ready for a Financial Cyber Attack” the Wall Street Journal hints at several of the most serious potential cyber attacks the world could experience. The article alludes to a potential attack on Western financial institutions that could affect trillions of dollars of transactions everyday, and could have a destabilizing effect on economic and political stability. Unfortunately, in the last few months, some attacks on major financial and political systems have come close to that possibility.

May 2, 2011

Words like “privacy” and “confidentiality” and “cyber-security” are thrown around frequently in discussions of technology, but many people consider these issues more idealistic than essential. It may be widely accepted that confidentiality is better than no confidentiality, but few people would go out of their way to protect their information at the cost of convenience or practicality. The question becomes whether or not most of these people who give away their private information haphazardly realize the danger and ignore it, or are ignorant of the severity of the ramifications altogether. Unfortunately, some of those people will probably learn of the severe ramifications first hand- and there’s a significant chance that will happen when their fiscal situation takes a hit because of a financial cyber attack.

Apr 26, 2011

Use this .gdbinit. Make sure you save it as your ~/.gdbinit file in $HOME. This adds functionality: you can see the stack, data, registers and code and how they change on each cmd entered into gdb. For best results use 80x24 sized windows (It acts like a motion picture in that size.)

Apr 26, 2011

You are probably going to want to do this to make your initial exploit examples easier to work with and understand.

Apr 13, 2011

Here’s a quick one liner to make linux shell code that runs “exec /bin/bash”. The last argument of c to msfencode generates the c.

Apr 12, 2011

“In everything one thing is impossible: rationality.” –Friedrich Nietzsche

Apr 11, 2011

The GNU Compiler Collection has a FORTIFY_SOURCE option that does automatic bounds checking of dangerous functions to prevent simple buffer overflows. The FORTIFY_SOURCE code will do static and dynamic checks on buffer sizes to prevent these buffer overflows.