Comments on TaoSecurity Blog: Scanning with Flash
Blog author: Richard Bejtlich

Vincent, 2007-08-16 08:42 (-04:00):

He can.
Comment's feed: http://taosecurity.blogspot.com/feeds/comments/default

dre, 2007-08-15 16:23 (-04:00):

@ Richard: Heh. Yeah, I apologize for coming off as intentionally mean.

Isn't blogging just as much about blog comments as it is about the blog entries? So by that theory, I do blog a lot.

Unfortunately, Google Reader doesn't include comments in their scraping routines.

Richard Bejtlich, 2007-08-15 15:54 (-04:00):

Hi Dre,

OK, that's cool. I agree with what you said just now. I'm serious about you blogging more though. :)

dre, 2007-08-15 15:11 (-04:00):

@ Richard: Yes, you're right. I was being a jerk about it.

It's not you that I'm trying to attack; it's mostly the vendors, which you are not. Any "defense-in-depth mantra" network security professional trying to defend customer assets does need to learn that what the vendors sell are not security products, but instead ways of stealing money. You're being lied to and you don't know it.

The snake oil that comes out of selling security as a product is a huge problem that we are facing. We all have to change our minds and attitudes. I'm not trying to say that I'm better than you because "I've figured some of this out". In fact, I see it as quite the opposite. I still see network security professionals, network security vendors, pen-testers, and AV vendors as thinking that they are the 31337. The attitude that I still get from these folks is that they are above developers, that they know security best, that they know more about security than anyone else.

Maybe "disappointed" was the wrong word. Maybe "jaded" is a better one?

Richard Bejtlich, 2007-08-15 14:29 (-04:00):

Dre,

I hope you don't think I'm contributing to that myth. I just posted two stories from Black Hat on the same subject.

As far as being "late to the game," sorry I'm not 31337 enough for you. Maybe if you blogged a little more often I would learn something?

I try to share a few thoughts here, while doing full-time work that is not "security research." It must be fun to be paid to break things and live on the public edge, but the majority of us are too busy protecting customer assets with whatever our "old guard" minds can manage.

If you're "disappointed" then you're free to read someone else's blog.

dre, 2007-08-15 14:07 (-04:00):

Richard,

Whoever has been contributing to the myth that firewalls and IPS devices (or NAC, UTM, scan and patch, etc.) protect against adversaries.

I know it sounds like I may be trying to harsh on you or Kaminsky, and while there is some truth to that, I really do like you guys and what you have to say. It's just that, well, you're both a little late to the game and I'm disappointed.

What I'm really talking about are the new trends in information security (http://securitybuddha.com/2007/08/04/trends-in-information-security/) and how these apply to the "old guard".

Also see anything and everything ever written by Marcus Ranum.

Richard Bejtlich, 2007-08-15 13:57 (-04:00):

Dre,

"Network security is dead. Don't bother learning application security - just drop out of the industry please."

Who are you addressing?

dre, 2007-08-15 13:43 (-04:00):

Network security is dead. Don't bother learning application security - just drop out of the industry please.

Case example: Dan Kaminsky talking about CSRF (it's CSRF, not XSRF, please; how else am I going to pronounce it `sea-surf'?).

He just doesn't get it. CSRF doesn't need a password. That's why we call it session riding. That's why Microsoft coined it as the one-click attack (with the zero-click attack variant). He doesn't even understand DNS rebinding.

Also, there are plenty of ways of protecting against DNS rebinding, XSS, CSRF, and Ajax attacks that cross the same-origin policy.

Not surprisingly, TAOSSA (http://taossa.com/index.php/2007/02/17/same-origin-proposal/) also presented a unique solution to the problem, but there is no working code for this (or content-restrictions) as of yet.

While LocalRodeo, NoScript, and forcing SSL are great ideas in theory, in practice there are still plenty of ways to get around these Firefox add-ons because Firefox does not pass the web application hacker sniff test. It probably never will. IE7, Opera, and Safari are no better (they're, in fact, usually quite worse).

My suggestion is to use a browser that does not support Javascript, Java, or Flash, and that has been through complex code review, Fagan inspection, and is well tested. Links or ELinks (ELinks has some Javascript support) are good candidates, as is the command-line utility curl. I trust Lynx or wget less than the above-mentioned tools, although Lynx's lack of Javascript does make it a safer browser than any of the very popular ones out there. Also, Links and ELinks can utilize images properly.

In this article from gnucitizen (http://www.gnucitizen.org/blog/xss-worms-and-mitigation-controls), Tim Brown mentions in the comments that signed code (Javascript and Java) appears to be a sufficient long-term solution.

Steven Andrés, 2007-08-14 18:09 (-04:00):

Also worth checking out is the draft paper from some smart guys at Stanford (http://crypto.stanford.edu/dns). To prevent abuse, they require that you apply for an account before using it. I applied and was granted one within 12 hours of my original request. May be interesting to check out, Richard.

Imad, 2007-08-14 16:05 (-04:00):

Hi Richard,

I used the link to see my open ports and I see that a lot of my ports are open.
I use a Netgear wifi router. Is that normal?

Imad.

Vincent, 2007-08-14 15:06 (-04:00):

I prefer to play with DNS spoofing...
(^-^)

Anonymous, 2007-08-14 10:55 (-04:00):

Pretty cool. I see what you mean when you said the Web browser is the new operating system...
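The two attacks argued over in dre's 2007-08-15 13:43 comment, session riding (CSRF needs no password because the browser attaches the session cookie for the attacker) and DNS rebinding (the attacker's hostname is re-pointed at a target server so the browser's same-origin check is satisfied), both have cheap server-side checks that do not depend on any browser add-on. The block below is an added example, not code from the thread, the blog or any tool mentioned in it; the hostnames, session store, token and sample requests are constructed for illustration, and the `authorize` function and its `reason` strings are my own naming. It is written as plain functions over request-shaped objects so it runs without a server.

```javascript
// Added example (not from the thread): server-side checks against DNS
// rebinding and session riding. All names and sample data are constructed.

// Hostnames this application answers for. A DNS-rebinding page reaches the
// server through the attacker's own name, so the browser puts that name in
// the Host header and the request is refused before any handler runs.
const ALLOWED_HOSTS = new Set(["app.example", "app.example:8443"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Compare two strings without an early exit so the token check does not
// leak how many leading characters matched.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

function hostIsAllowed(req) {
  return ALLOWED_HOSTS.has((req.headers.host || "").toLowerCase());
}

// The browser attaches the session cookie to any request an attacker's page
// triggers (session riding), so a valid cookie proves nothing about intent.
// For state-changing requests, also require that the page which sent the
// request is one of ours.
function originIsTrusted(req) {
  const src = req.headers.origin || req.headers.referer;
  if (!src) return false; // writes without Origin/Referer are refused
  let url;
  try { url = new URL(src); } catch (e) { return false; }
  return ALLOWED_HOSTS.has(url.host.toLowerCase());
}

// Synchronizer token: our page embeds a per-session secret that the
// attacker's page cannot read (same-origin policy); the write must echo it.
function csrfTokenValid(req, sessions) {
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid ? sessions.get(sid) : undefined;
  if (!session) return false;
  return constantTimeEqual(session.csrfToken, req.body && req.body.csrf_token);
}

function authorize(req, sessions) {
  if (!hostIsAllowed(req)) return { ok: false, reason: "bad-host" };
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  if (!originIsTrusted(req)) return { ok: false, reason: "bad-origin" };
  if (!csrfTokenValid(req, sessions)) return { ok: false, reason: "bad-token" };
  return { ok: true };
}

// Constructed session store and sample requests.
const SESSIONS = new Map([["s1", { user: "imad", csrfToken: "t0k3n-9f2a" }]]);

const SAMPLE = {
  // Form posted from our own page: cookie, Origin and token all line up.
  legit: { method: "POST",
           headers: { host: "app.example", origin: "https://app.example",
                      cookie: "sid=s1" },
           body: { csrf_token: "t0k3n-9f2a", action: "transfer" } },
  // Session riding: attacker's page auto-submits a form. The browser still
  // sends sid=s1 (no password involved), but Origin is the attacker's.
  riding: { method: "POST",
            headers: { host: "app.example", origin: "http://attacker.example",
                       cookie: "sid=s1" },
            body: { action: "transfer" } },
  // DNS rebinding: attacker.example now resolves to our address, so the
  // attacker's script reads us while the browser believes it is same-origin.
  // The Host header still carries the attacker's name.
  rebinding: { method: "GET", headers: { host: "attacker.example" }, body: null },
  // Right origin and cookie, but a guessed token.
  wrongToken: { method: "POST",
                headers: { host: "app.example",
                           referer: "https://app.example/form", cookie: "sid=s1" },
                body: { csrf_token: "guess" } },
};

// Runs every sample through authorize() and returns the verdicts by name.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLE).map(([name, req]) => [name, authorize(req, SESSIONS)]));
}
```

The Host check is the one that matters for the rebinding attack the post is about: it works even when the rebound request arrives without any cookie, because the attacker's goal there is reading an internal server, not riding a session. The Origin/Referer check and the token are redundant with each other on purpose; older browsers of the era did not send Origin at all, and Referer is often stripped, so a deployment that cannot tolerate refusing Referer-less writes should lean on the token and keep the Host allowlist.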