SEARCH KEYWORD -- CYBER ATTACK



  The Death of .NET and the Power of Perception

One of my long-standing issues with Microsoft is its inability to control the perceptions surrounding its own products. One of the biggest examples was during the Windows Vista years when, even after the product had been fully patched and worked fine, Apple continued to do a better job to define the image of Windows (compilation of ads here) than Microsoft did, costing Microsoft billions in lost revenue for the millions it saved on a strong advertising campaign. The firm has a history of being p...

   .NET,future,death,bottleneck,development     2011-08-10 03:13:40

  Google engineer: What I learned in the war

Veteran's Day is an ideal time to hear from one of those rare folks who combine corporate and military careers. Dan Cross, a software engineer at Google (GOOG) and a 1st Lieutenant in the U.S. Marine Corps, took a leave to serve active duty in Afghanistan, came home a year ago, and brought back lessons that he couldn't have learned in business. While he had never seen himself as the military type until a personal tragedy made him reroute his career, he's a better man for it. Cross, 34, is now an...

   Military,Marine,Google,Engineer,Lessons,Teamwork     2011-11-12 10:36:03

  HTTP Streaming and Internet Explorer

In early 2006, Alex Russell posted about a neat hack that the Google Talk team in Gmail use to support Comet in Internet Explorer, a trick which works as far back as IE 5.01. What great news! A reliable way to stream Comet messages to Microsoft’s browsers. If only it were that easy. I have not been alone in the following findings: after connecting the htmlfile ActiveX object as a streaming Comet transport to my Comet server, everything works perfectly for a few messages, but then abruptly...

   IE,Streaming,JavaScript,htmlfile,ActiveX     2011-09-05 04:05:23

  That “JavaScript not available” case

During some interesting discussions on Twitter yesterday I found that there is now more than ever a confusion about JavaScript dependence in web applications and web sites. This is a never-ending story, but it seems to me to flare up every time our browsing technology leaps forward. I encountered this for the first time back in the days of DHTML. We pushed browsers to their limits with our lovely animated menus and 3D logos (something we of course learned not to do again, right?) and we were ...

   JavaScript,Security,Banned,Reason     2012-01-04 02:37:35

  SSH Security and You - /bin/false is *not* security

Backstory: While at RIT around 2004 or 2005, I discovered that a few important machines at the datacenter allowed all students, faculty, and staff to authenticate against them via ssh. Everyone's shells appear to be set to /bin/false (or some derivative) on said machines, so the only thing you'll see after you authenticate is the login banner and your connection will close. I thought to myself, "Fine, no shell for me. I wonder if port forwarding works?" ...

   Linux,Security,/bin/false,SSH     2012-02-06 07:46:29

  All I Know About Certificates -- Clients

Finally, in the last article we covered the responsibilities of CAs, showing that being a CA isn't simple and has high management costs, which explains why issuing certificates costs money! In this article we will cover the client in this chain. Verifying Certificates as a Client: For clients, verifying certificates isn't simple either. Articles introducing TLS handshakes often mention "the server sends back a certificate, and the client verifies it," but in reality, as ...

   CLIENTS,WEBSITES,SSL CERTIFICATE,CERTIFICATE AUTHORITY,CA     2024-07-26 22:24:30

  Python Deserialization Attack Introduction: How to Build a Python Pickle Bomb

This article introduces an old and classic insecure Python data serialization feature (the pickle library) and demonstrates how a red team attacker can exploit it to create a malicious binary or text data file that executes remote code or commands upon deserialization. The following attack flow diagram illustrates this process. We will follow 3 steps with the program code to show how deserialization attacks work: [ Step 1 ] Crafting Malicious Data: An attacker crafts a malicious payloa...

       2024-07-07 03:08:22

  Can Your Programming Language Do This?

One day, you're browsing through your code, and you notice two big blocks that look almost exactly the same. In fact, they're exactly the same, except that one block refers to "Spaghetti" and one block refers to "Chocolate Moose." // A trivial example: alert("I'd like some Spaghetti!"); alert("I'd like some Chocolate Moose!"); These examples happen to be in JavaScript, but even if you don't know JavaScript, you should be able to follow along. The repeated code looks wrong, ...

   Programming,Maintainability,Reusable     2011-05-31 07:42:41

  Speed Hashing

A given hash uniquely represents a file, or any arbitrary collection of data. At least in theory. This is a 128-bit MD5 hash you're looking at above, so it can represent at most 2^128 unique items, or 340 trillion trillion trillion. In reality the usable space is substantially less; you can start seeing significant collisions once you've filled half the space, but half of an impossibly large number is still impossibly large. Back in 2005, I wondered about the difference between a checksum and...

   Speed hashing,Security,MD5     2012-04-07 10:35:15

  Roundup on Parallel Connections

A lot of blogging and follow-up discussion ensued with the announcement that IE8 supports six connections per host. The blogs I saw: IE8: The Performance Implications; IE8 speeds things up; IE8: 6 Connections Per Host; IE 8 and Performance Testing; IE8's Connection Parallelism; IE 8 Connection Parallelism Issues. It's likely that Firefox 3 will support 6 connections per server in an upcoming beta release, which means more discussion is expected. I wanted to pull all the facts into one place an...

   Browser,Concurrent connection,Persistent     2011-09-05 01:51:44