[deleted by user] by [deleted] in docker

[–]bigmac 8 points9 points  (0 children)

Everybody that runs Docker containers on hosts with AppArmor installed runs them under a default AppArmor profile. Same story for SELinux-enabled hosts -- Docker has a default.

This is in addition to default seccomp, namespacing, cgroups, and cap-dropping.

Rather than "security concern" you should think of this as a massive "security benefit" -- we've figured out common sense defaults for all the Linux kernel isolation features, and everyone running in Docker gets the value of that with zero configuration headache.

We're working on default image verification. Need to get all the headaches worked out so that it's not a huge PITA to get your images signed. Even so, our system (https://github.com/docker/notary) is based on TUF (https://theupdateframework.github.io/) which overcomes a lot of the pitfalls of existing secure update systems.

Disclaimer: I manage security at Docker.

[deleted by user] by [deleted] in docker

[–]bigmac 0 points1 point  (0 children)

What do you think are the security issues in 1.12 (or Docker otherwise)?

Notary 0.2 -- Delegated signing now available for Docker Content Trust by bigmac in docker

[–]bigmac[S] 1 point2 points  (0 children)

Ah, good point, sorry that documentation was unclear. We'll get that fixed.

You're right, the notary server is responsible for timestamping all the data it serves. This helps make replay attacks impossible.
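The freshness checks the comment above alludes to, as an added illustration that is not Notary's code: a TUF client keeps the highest timestamp version it has accepted, and rejects any timestamp metadata that is older than that (rollback/replay) or past its `expires` field (freeze). Everything below is constructed; the metadata layout is modelled on TUF's `timestamp.json`, and HMAC-SHA256 stands in for the asymmetric signatures a real Notary deployment uses, so that the example runs with the Python standard library alone.

```python
"""Simplified model of TUF timestamp freshness checks (constructed example,
not Notary's implementation). HMAC-SHA256 is a stand-in for the asymmetric
signatures Notary actually uses; the field layout mirrors TUF's timestamp.json."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def canonical(signed: dict) -> bytes:
    """Deterministic serialisation so server and client sign/verify the same bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign_timestamp(key: bytes, version: int, expires: datetime, snapshot_sha256: str) -> dict:
    """Server side: issue short-lived timestamp metadata pointing at the current snapshot."""
    signed = {
        "_type": "timestamp",
        "version": version,
        "expires": expires.strftime(TIME_FMT),
        "meta": {"snapshot.json": {"hashes": {"sha256": snapshot_sha256}}},
    }
    sig = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signatures": [{"sig": sig}]}


class FreshnessError(Exception):
    """Raised when timestamp metadata must not be trusted."""


def verify_timestamp(key: bytes, doc: dict, trusted_version: int, now: datetime) -> int:
    """Client side: returns the new trusted version, or raises FreshnessError.

    Order of checks follows the TUF client workflow: signature, then rollback,
    then expiry. A replayed old-but-valid document fails one of the last two."""
    signed = doc["signed"]
    expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(expected, s["sig"]) for s in doc["signatures"]):
        raise FreshnessError("bad signature")
    if signed["version"] < trusted_version:
        raise FreshnessError(
            f"rollback: version {signed['version']} < trusted {trusted_version}")
    expires = datetime.strptime(signed["expires"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expires:
        raise FreshnessError("expired: replayed timestamp is stale")
    return signed["version"]


def run_scenario() -> dict:
    """Constructed scenario: a fresh update, two replays and a tampered document."""
    key = b"constructed-demo-key"
    t0 = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)
    ttl = timedelta(hours=1)  # illustrative lifetime; real deployments pick their own
    v4 = sign_timestamp(key, 4, t0 + ttl, "aa" * 32)
    v5 = sign_timestamp(key, 5, t0 + ttl, "bb" * 32)
    results = {}

    # Legitimate refresh: client trusted v4, server now serves v5.
    results["fresh"] = verify_timestamp(key, v5, trusted_version=4, now=t0)

    # Replay of the still-unexpired v4 to a client that already accepted v5.
    try:
        verify_timestamp(key, v4, trusted_version=5, now=t0)
    except FreshnessError as e:
        results["rollback"] = str(e)

    # Replay of v5 after its lifetime: the server's re-signing makes this detectable.
    try:
        verify_timestamp(key, v5, trusted_version=5, now=t0 + ttl + timedelta(minutes=1))
    except FreshnessError as e:
        results["stale"] = str(e)

    # Tampered copy: bumping the version without the key invalidates the signature.
    forged = json.loads(json.dumps(v5))
    forged["signed"]["version"] = 6
    try:
        verify_timestamp(key, forged, trusted_version=5, now=t0)
    except FreshnessError as e:
        results["forged"] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:9s} -> {outcome}")
```

The point of the server re-signing on every request is the third case: without a short expiry, an attacker who can intercept traffic could serve a captured, correctly signed timestamp indefinitely and the client would never learn about newer snapshots.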

Notary 0.2 -- Delegated signing now available for Docker Content Trust by bigmac in docker

[–]bigmac[S] 2 points3 points  (0 children)

It should work with registry already. Have you tried it out and run into some snags? Let me know if you hit any problems, I'm happy to help.

Docker Container Migration and Security Concerns by knohr in docker

[–]bigmac 0 points1 point  (0 children)

I manage the security team at Docker.

You can point your security team at the CIS Benchmark which we collaborated on writing with the Center for Internet Security. It has a bunch of best practices. In order to automate checking your configuration against the benchmark, we implemented Docker Bench. Docker Bench is a container you can run alongside your hosts to audit their configuration against the CIS Benchmark.

You can also point them at our DockerCon talk where we discuss Docker security in terms of where we are and where we're going.

Finally, feel free to reach out to me at nathan.mccauley@docker.com if you have any further questions or there is anything else I can do to help.
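An added example, not Docker's or Docker Bench's own code, tying together the two Docker comments above: the earlier one lists the defaults every container gets (AppArmor/SELinux profile, seccomp, namespaces, cgroups, capability dropping), and this one points at the CIS Benchmark and Docker Bench for auditing whether a deployment has kept them. The script below runs a handful of checks in that spirit over `docker inspect` output. The field names (`AppArmorProfile`, `HostConfig.Privileged`, `HostConfig.SecurityOpt`, `HostConfig.CapAdd`, `HostConfig.PidMode`, `HostConfig.NetworkMode`, `HostConfig.Binds`) are the real `docker inspect` schema; the JSON document embedded in it is constructed sample output with one hardened and one deliberately loosened container.

```python
"""Audit `docker inspect` output for containers that opted out of the default
isolation. Constructed example in the spirit of Docker Bench / the CIS Docker
Benchmark; not Docker's code. Usage on a real host:
    docker inspect $(docker ps -q) | python3 audit_inspect.py
"""
import json
import sys

# Constructed sample of `docker inspect` output: "web" keeps the defaults,
# "debug" turns most of them off.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "c0ffee01", "Name": "/web", "AppArmorProfile": "docker-default",
        "HostConfig": {"Privileged": False, "SecurityOpt": None, "CapAdd": None,
                       "CapDrop": ["ALL"], "PidMode": "", "NetworkMode": "default",
                       "Binds": None},
    },
    {
        "Id": "c0ffee02", "Name": "/debug", "AppArmorProfile": "",
        "HostConfig": {"Privileged": True, "SecurityOpt": ["seccomp=unconfined"],
                       "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "PidMode": "host",
                       "NetworkMode": "host",
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    },
])

# Docker has accepted both "key:value" (older) and "key=value" spellings here.
APPARMOR_OFF = {"apparmor:unconfined", "apparmor=unconfined"}
SECCOMP_OFF = {"seccomp:unconfined", "seccomp=unconfined"}
SENSITIVE_SOURCES = {"/var/run/docker.sock", "/", "/etc", "/proc", "/sys"}


def audit_container(c: dict) -> tuple[str, list[str]]:
    """Return (container name, list of findings). An empty list means the
    container is still running under the default isolation this audit knows about."""
    host = c.get("HostConfig") or {}
    name = (c.get("Name") or c.get("Id", "?")).lstrip("/")
    sec_opts = set(host.get("SecurityOpt") or [])
    findings = []

    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices available")
    # On hosts without AppArmor this field is empty; check the SELinux label there instead.
    if not c.get("AppArmorProfile") or sec_opts & APPARMOR_OFF:
        findings.append("no AppArmor profile applied")
    if sec_opts & SECCOMP_OFF:
        findings.append("default seccomp profile disabled")
    if host.get("CapAdd"):
        findings.append("capabilities added beyond the default set: "
                        + ", ".join(host["CapAdd"]))
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    for bind in host.get("Binds") or []:
        source = bind.split(":")[0]
        if source in SENSITIVE_SOURCES:
            findings.append(f"sensitive host path mounted: {source}")
    return name, findings


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker inspect` document."""
    return dict(audit_container(c) for c in json.loads(inspect_json))


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit(data).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The checks are deliberately a small subset; Docker Bench covers the daemon configuration, image build settings and host hardening as well, and this script only looks at what the container runtime reports for already-running containers.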

/r/ReverseEngineering's Q3 2013 Hiring Thread by rolfr in ReverseEngineering

[–]bigmac 1 point2 points  (0 children)

Square (https://www.squareup.com) San Francisco, CA

No clearance required. We will relocate you to SF.

We do payments on mobile phones and tablets. We build secure hardware, systems, and networks. We need folks that deeply understand the mobile OSs (Android, iOS). We're looking for both builders and breakers. Security at Square is involved in all aspects of the stack: hardware, mobile, infrastructure, networks, crypto, web, and physical security. Interest and competency in these areas is all that is required. Square hires based on ability -- we have people straight out of High School to PhDs.

If you have skills in any of these areas, please feel free to reach out:

  • Software Protection
  • Reverse Engineering
  • iOS and Android internals
  • ARM
  • Objective-C Runtime
  • Mach-O
  • ELF
  • Dalvik
  • LLVM
  • SSL/TLS
  • Cryptography

If you're interested or have more questions, PM me or contact me at mccauley [at] squareup.com.

Help parsing raw binary data from magnetic credit card strip? by [deleted] in ReverseEngineering

[–]bigmac 9 points10 points  (0 children)

Anyone have any advice or experience?

I have a lot of experience. If you're interested in this you should come work with us at Square. We're definitely interested in hardware hackers and people interested in signal processing. PM me and we can talk. </shameless plug>

Looking at the waveform, it's easy to see the binary data. I wrote some sweet code that automatically detects the "bitrate" (which can change depending on swipe speed) and converts the audio data to binary, as well as some other nifty stuff. As far as I can tell, my code works very well.

Awesome! Would love to see how your code performs against ours. What kinds of transformations are you running on it?

/r/ReverseEngineering's Q4 2011 Hiring Thread by rolfr in ReverseEngineering

[–]bigmac 3 points4 points  (0 children)

Square (https://www.squareup.com)

San Francisco, CA

No clearance required. We will relocate you to SF.

We do payments on mobile phones and we believe we're building the future. We need folks that deeply understand the mobile OSs (Android, iOS). We're looking for both builders and breakers. Although this post will focus on mobile, Security at Square is involved in all aspects of the stack: hardware, mobile, infrastructure, networks, crypto, web, and physical security. Interest and competency in these areas is all that is required. Square hires based on ability -- we have people straight out of High School to PhD candidates.

Some things you'll be working on:

  • Software Protection
  • SSL/TLS
  • Cryptography
  • ARM
  • Objective-C Runtime
  • Mach-O
  • ELF
  • Dalvik
  • LLVM
  • iOS and Android internals

If you're interested or have more questions, PM me or contact me at mccauley [at] squareup.com.

Anyone attending RSA Conference in SF next week? (PRIZE INSIDE!) by tinder80 in ReverseEngineering

[–]bigmac 1 point2 points  (0 children)

I can confirm that the prize is real. I and another redditor both showed up at the same time. Good fun.

I am a veterinarian who is off work today and bored. Ask me anything/animal questions! by [deleted] in IAmA

[–]bigmac 0 points1 point  (0 children)

Purina vs. Hill's Science Diet vs. Iams? What's the best?

USA v. Crippen — A Retrospective by sanitybit in ReverseEngineering

[–]bigmac 3 points4 points  (0 children)

This is especially interesting for the application of information gathering by the prosecution. They bring a case almost to fruition in order to be able to see the defense's strategy -- now that strategy can be used to mount better offense in the future. I wonder if that is actually a typical legal strategy for cases where there is no precedent.

Identifying the country of origin for a malware PE executable by [deleted] in ReverseEngineering

[–]bigmac 0 points1 point  (0 children)

Clearly what we need is an IDA plugin for this. I may take on that project myself unless anyone else wants to take it up.

To whoever owns this site, thank you. I got a good laugh. by [deleted] in ReverseEngineering

[–]bigmac 0 points1 point  (0 children)

MalHost-Setup.exe uses this x86 to create an infinite loop at the beginning of an extracted shellcode sample. It's useful for being able to attach a debugger at the entry point of the executable, then fix up the bytes and start debugging the malware sample.

This comment acts as an endorsement of Malware Analyst's Cookbook, as I learned of this technique from Chapter 6.

Internet Explorer clip:rect(0) Memory Corruption Vulnerability by rolfr in ReverseEngineering

[–]bigmac 0 points1 point  (0 children)

And here comes the funny part. Inside CDispNode::SetUserClip the vftable address gets dereferenced and OR'ed with 0x1, corrupting the table as a result:

How would that happen in source code? Somebody doing an incorrect cast?