Showing posts from May, 2010

Memory Corruption and Hacker Folklore

A while back i thought it would be nice if we had an authoritative source of memory corruption attacks (and mitigations) in a single document. I resisted mainly because: It seemed like a lot of drudgery for something we have been able to do well without, It steers towards the word "taxonomy" [1] I was a little lazy. [1] Dave Aitel has posited that "people who thing (sic) of things as "Taxonomies" are always headed in the opposite direction from correct" Late last year i ran some scripts (and waded) through OSVDB's database, to see if we could pull through some numbers on memory corruption bugs (through the ages) and their disclosure rate compared to other bugs. (theres actually a wealth of fiddling in these numbers too, that ill get around to at some point). I figured it would be nice to see a timeline of memory corruption exploitation techniques along with the mitigation steps introduced plotted along-side the bug counts (but sti

Vicarious Success

With the champions league reaching it's crescendo, and 2010 being a world cup year, it's hard to get away from sports mania. I can understand national pride and I can even understand the joy of a good match. ( I was sport crazy through high school/university and sometimes played up to 3 organized football marches per week (for different teams in different leagues) ). What I don't get is the insanely fanatical talk of " my team did X " or the even stranger " we won! ". Who's we paleface? I used to think that this was just a harmless figure of speech, but listening to conversations during the champions league really leave me dumbfounded. It's not the screaming at the television (which I can understand), but the vicarious sense of achievement people seem to eek out while watching " their " team playing. In a world where we outsource everything we can, it seems as if many people follow sporting teams in an attempt to outsource ac

"Your submission for Black Hat USA 2010 was accepted"

It doesn't matter how many conferences you present at, or how much you hate LasVegas, around this time of the year those are very happy, welcome words. I'll pop more details on the talk here in a few days (especially since I'm hoping to co-opt some of you). Interestingly enough, despite almost a decade of Blackhat/Defcon's, it's the first time I'll be free to take a training class. I'm pretty stoked! /mh

(YaTT) Yet another Twitter Tool ?

I wanted to play with Django, so built this "toy" project to kick the tires. If you are on twitter (and don't protect your tweets), check out . It's a very simple application that will grab a list of the people you follow, then grab the list of everyone they follow, to give you the top n% of people they follow that you dont. My favorite feedback on it so far was: @narvanitis : wow i dont follow @mdowd Reason enough for me to call it a success :>