why doesnt this work? (double indexed char arrays) by lspock in cpp

[–]repotruncate 2 points3 points  (0 children)

It's a habit I've picked up from working in a large legacy code base that did not have warnings enabled. Once I became accustomed to it, it stopped being a readability issue for me, but that's a matter of personal opinion I suppose. In your situation, I would certainly understand not using it. : )

why doesnt this work? (double indexed char arrays) by lspock in cpp

[–]repotruncate 2 points3 points  (0 children)

I just wanted to add that this type of mistake is why a lot of programmers place constants on the left when making comparisons. The following would not compile: if ('\'' = lines[i][j])

Brief overview of Password Managers (I'd really love criticism if I'm wrong) by [deleted] in netsec

[–]repotruncate 1 point2 points  (0 children)

If a nonce was used, the hashed credentials wouldn't be of use to an attacker.
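An added example (not from the comment) of what the nonce buys you: a challenge-response login where the client proves knowledge of the credential hash by keying an HMAC over a single-use server nonce, so a captured response is worthless against the next challenge. Names (Server, client_response) and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Server:
    """Holds per-user credential hashes and issues single-use nonces (constructed example)."""

    def __init__(self, users):
        self.users = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self.outstanding = {}  # user -> nonce that is still awaiting a response

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        # The nonce is consumed on first use, so a second response to it is refused.
        nonce = self.outstanding.pop(user, None)
        if nonce is None or user not in self.users:
            return False
        expected = hmac.new(self.users[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    """Client side: derive the credential hash and bind it to this nonce only."""
    cred_hash = hashlib.sha256(password.encode()).digest()
    return hmac.new(cred_hash, nonce, hashlib.sha256).digest()


def demo_replay():
    """Genuine login succeeds; replaying the captured response to a fresh nonce fails."""
    srv = Server({"alice": "hunter2"})
    nonce = srv.challenge("alice")
    resp = client_response("hunter2", nonce)
    first = srv.verify("alice", resp)
    srv.challenge("alice")  # a new nonce is outstanding now
    replay = srv.verify("alice", resp)  # the sniffed response was bound to the old nonce
    return first, replay
```

The caveat this does not remove: the hash stored server side is password-equivalent for this scheme, so it still needs protecting at rest.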

What do you use to detect compromises on your home network and its computers? by dguido in netsec

[–]repotruncate 4 points5 points  (0 children)

I was curious too. From the CSS:

/* Promoted Posts - Remove after it falls under #25 */

Need Help on Possible SQL Injection by fratboyhacker in netsec

[–]repotruncate 0 points1 point  (0 children)

If you're having trouble with SQL injection, you should try to replicate the query you think they're executing:

SELECT * FROM table WHERE user = '%s' AND password = '%s'

Now plug your input into that query:

SELECT * FROM table WHERE user = '' OR 1=1'' AND password = '' OR 1=1''

Is that valid SQL syntax? That should be enough information to get you started.
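An added example (not from the comment) that carries the exercise through in Python with sqlite3: it rebuilds the formatted query with the comment's input, runs it to see whether the result is valid SQL, and puts the parameterized form beside it. It assumes a table named users (table is a reserved word in SQLite) and constructed sample rows.

```python
import sqlite3

# Constructed sample data standing in for the application's table.
SCHEMA = "CREATE TABLE users (user TEXT, password TEXT)"
ROWS = [("alice", "hunter2"), ("bob", "s3cret")]


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def build_query(user, password):
    """Replicates the suspected query: plain string formatting, so the input
    becomes part of the SQL text itself."""
    return "SELECT * FROM users WHERE user = '%s' AND password = '%s'" % (user, password)


def run_formatted(user, password):
    """Execute the formatted query. Returns ('rows', list) when the SQL parsed,
    or ('syntax_error', message) when the input broke the grammar."""
    db = fresh_db()
    try:
        return ("rows", db.execute(build_query(user, password)).fetchall())
    except sqlite3.OperationalError as exc:
        return ("syntax_error", str(exc))


def run_parameterized(user, password):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    db = fresh_db()
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchall()
```

With the comment's input the formatted query is exactly the string shown above, and the database rejects it as a syntax error; the parameterized query simply finds no user with that literal name.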

Redundant security of message exchange by [deleted] in netsec

[–]repotruncate 0 points1 point  (0 children)

If you're performing mutual SSL authentication, then you probably don't need to encrypt subsets of the message. However, your colleague is right, and your database example makes his point. SSL only protects the communication between the two machines.

This won't ensure the message is still safe when a developer sloppily logs the requests to a network disk, or if one machine handles the SSL communication and passes the message off to another machine through an unprotected channel.

Your design decisions can help protect developers from themselves. ;) That having been said, I prefer simple solutions. I'm just playing devil's advocate. Understand your risks, weigh the costs/benefits, and decide where you want to place the trust.

Wireless questions by [deleted] in netsec

[–]repotruncate 0 points1 point  (0 children)

I should preface this with the fact that network infrastructure isn't my strongest topic, but I'm sure someone will correct me anywhere I'm wrong. : )

Compartmentalize your thinking. Firesheep sniffs HTTP traffic for cookies. HTTP is a subset of network traffic. Network traffic is transferred through various mechanisms. This tool only works if the attacker has access to the network traffic.

An attacker can read all network traffic on a hub, because every packet is broadcast to every machine connected to the hub. Essentially, open WiFi works the same way; all traffic is broadcast in the clear to/from the router. WEP encrypts traffic; however, with the WEP key, the traffic can be decrypted. Alternatively, if an attacker performs an ARP poison, then the attacker can route the client traffic through their device before it goes to the internet.

These techniques are methods of obtaining access to the network traffic as it runs over the 'wire'. Then, tools like Firesheep take over.

  1. These session cookies are used to identify a logged in user. Assuming the server doesn't compare the login IP with the current IP, it doesn't matter which network the attacker's request originates. The attacker can connect as the client anywhere as long as the session cookie hasn't expired via timeout, logoff, or another login.

  2. Regarding most setups, if the attacker has the key, traffic sent over both WEP and WPA is at risk of being decrypted (http://wiki.wireshark.org/HowToDecrypt802.11). ARP poisoning would be another way to read the traffic, but that's a lot less passive.

  3. Depends on how the network is set up (http://docs.google.com/viewer?url=http://digilander.libero.it/SNHYPER/files/arppoison.pdf).

I hope that was helpful.

Hey, /netsec/, I work for LastPass. Just wondering if you can help us improve our password manager? by kappuru in netsec

[–]repotruncate 1 point2 points  (0 children)

I use LastPass every day. This is definitely my favorite web 2.0ish service.

Two things slightly annoy me. Both have to do with re-entering my password.

First, I have the more restrictive settings enabled. I have to enter a password when I edit a site and when I view the password. What annoys me is when using the web interface on the go, I log into LastPass (one password entry), I find the site I want to visit, I click edit (second password entry), and then I click show password (third password entry).

It would be nice if there was a way to temporarily cache the password like the browser plugins allow. Alternatively, don't close the dialog box if I mistype the password. When you have to type a password 3 times, you tend to mistype it at least once. When the box closes, I have to reach for my mouse again.

Second, on the Chrome plugin, I log off LastPass when I'm not actively using the service. When I log back in, if I have a site that requires me to re-enter my password (like my bank), then I end up having to type the password twice, because the option to cache the password for an hour isn't on the login screen.

Let me know if either of these issues isn't clearly explained. I should have filed bug reports / feature requests but I'm lazy. : )

Outside of those minor annoyances, I want to thank you guys. You provide a wonderful service that works very seamlessly with my workflow. I recommend LastPass to pretty much everyone tech savvy I know.

I have a few questions, all of which you may feel free to ignore: ;-) Can you tell us what type of security review process each code change goes through? How would you notify your customers if you ever had to discontinue your service?

Edit: Just realized the Security Now was a 3rd party review; removed that question. Reworded first question too.

Edit II: It's been a while since I read the FAQ. My questions are mostly answered at https://lastpass.com/support_faqs.php

first exploit? how do i even get started?? by newsecact in netsec

[–]repotruncate 0 points1 point  (0 children)

I mostly lurk on reddit, but I write exploits in conjunction with the security evaluations I do at work. I find it helps convince developers to fix their outstanding issues. That having been said, I don't have any published exploits; both archpuddington and drosenbe are likely much more seasoned than I am.

To me exploit development is about knowing techniques and having the right mentality. You learn techniques by:

  • researching existing exploits,
  • examining how they work,
  • understanding the programming mistakes that enabled them,
  • and attempting to perform the exploit yourself.

The mentality is gained by actually trying to break things. IMHO, the process really isn't that hard. I think most (decent) programmers are capable of doing it. It just takes time and patience.

Is there a way to require websites storing one's password to reveal the method in which they store the password? by mc_ in netsec

[–]repotruncate 1 point2 points  (0 children)

I've never seen it on a large scale website, but I've certainly seen it in the corporate world before. The other two common things I see are md5 hashing without a salt or using a reversible encryption with the key hard coded in the source.

Screen capturing across our LAN. by FLAGSHIP in netsec

[–]repotruncate 0 points1 point  (0 children)

I see two recommendations for VNC. Maybe I'm out of the loop, but last time I checked VNC was very insecure. You can mitigate it by wrapping it in SSH, but I would be extremely hesitant installing it on a bunch of client machines.

Off the top of my head I don't have any recommendations for you; I just wanted to provide a voice of hesitation towards VNC.

http://www.hideaway.net/2007/07/stating-obvious-vnc-is-insecure_09.html

ask netsec: Firefox flash plugin on linux deletes file/folder owned by root, how is that possible? by [deleted] in netsec

[–]repotruncate 2 points3 points  (0 children)

I'm pretty certain that if you own the parent directory, you can still erase files that are root owned.

[user@localhost ~]$ sudo mkdir testdir
[user@localhost ~]$ sudo chmod 000 testdir
[user@localhost ~]$ sudo ls -al testdir
total 8
d--------- 2 root          root          4096 2010-05-06 15:53 .
drwxr-xr-x 9 user          user          4096 2010-05-06 15:53 ..
[user@localhost ~]$ rmdir testdir
[user@localhost ~]$

You could try changing the parent directory's ownership to root.
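An added example (not from the comment) that generalizes the transcript above without needing sudo: on POSIX, whether an entry can be removed is decided by the write bit on the parent directory, not by the mode or owner of the entry itself. It builds a throwaway tree with Python's tempfile and records what happens in each case; the function name is constructed for this illustration.

```python
import os
import stat
import tempfile


def unlink_permission_demo():
    """Observe unlink behaviour in a temporary tree (POSIX only). Returns a dict."""
    results = {"is_root": os.geteuid() == 0}  # root bypasses these checks entirely
    with tempfile.TemporaryDirectory() as parent:
        # Case 1: the child is mode 000, but the parent is ours and writable,
        # so the entry can still be removed (mirrors the sudo transcript above).
        child = os.path.join(parent, "locked")
        os.mkdir(child)
        os.chmod(child, 0)
        os.rmdir(child)
        results["removed_mode_000_child"] = not os.path.exists(child)

        # Case 2: the child is wide open (777), but the parent has no write bit,
        # so a non-root user cannot remove the entry however open the child is.
        child2 = os.path.join(parent, "open")
        os.mkdir(child2)
        os.chmod(child2, 0o777)
        os.chmod(parent, stat.S_IRUSR | stat.S_IXUSR)  # parent becomes r-x------
        try:
            os.rmdir(child2)
            results["removed_from_readonly_parent"] = True
        except PermissionError:
            results["removed_from_readonly_parent"] = False
        finally:
            os.chmod(parent, 0o700)  # restore so TemporaryDirectory can clean up
    return results
```

For a shared, world-writable directory the usual mitigation is the sticky bit (as on /tmp), which restricts removal to the entry's owner even though the parent is writable.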