You can now preview your posts before submitting them. Please let me know if you run into any problems with this.

Preview added to MemeStreams!

... are fucking rockstars.

I've been exercising my new found privileges as an Addison Wesley author (getting free books) and have been burning through Subverting the Windows Kernel and... just... wow. I'd look at the FU rootkit before but the intricacy of it all was somehow lost on me at the time.

Now I'm starting to understand the little smile that comes on Jamie's lips when I start talking about stealthy JavaScript dynamically hooking user actions over drinks in a nightclub out in Vegas.

Damn.

I'm pleased to say we hired Sullo, the creator of Nikto. I assure you, it had nothing to do with his considerable web security knowledge, but solely so he wouldn't sue my ass for the Jikto logo.

Couple this with hiring RFP last year, and we are almost done absorbing all the early web security tool creators into the HP Security Labs collective. Hmmm, I wonder if the Sensepost guys can work remote from South Africa? ;-)

At your request, the Congressional Budget Office (CBO) has analyzed whether a difference exists between the Department of Defense’s (DoD’s) funding for science and technology (S&T) activities supporting unclassified space programs and its funding for S&T activities supporting other (nonspace) programs. The enclosed report indicates that funding for S&T activities supporting unclassified space programs has been less than S&T funding for other defense programs and that DoD’s plans for the future maintain that difference in funding. (Because of a lack of information, CBO’s analysis does not address the extent to which classified research might be supporting unclassified space programs.)

It is hard to extract meaning from this. The DoD is spending more money on other things than funding non-classified space research. Ok, makes sense. However we have no idea hwo much money they are spending on funding for classified space researcher. Given China's publicly broadcast ability to blow shit out of space, you have to hope there is some classified research going on.

Comparison of science and technology funding for DOD’s space and non-space programs

Our book, Ajax Security, made the front page of Ajaxian today. I'm so pleased it is finding traction on the mainstream Ajax new sites.

Reviewers overuse the phrase “required reading,” but no other description fits the new book “Ajax Security” (2007, Addison Wesley, 470p). This exhaustive tome from Billy Hoffman and Bryan Sullivan places the specific security concerns of the Ajax programming model in historical perspective. It demonstrates not only new security threats that are unique to Ajax, but established threats that have gained new traction in the Web 2.0 era. It then details both the specific technical solutions and - more importantly - the mindset that are necessary to combat such threats.

Because so many developers have historically overlooked the importance of security, the authors approach their topic for what it is: a remedial subject. They take pains to explain the basic mechanisms by which hackers have exploited insecure web applications over the last decade: cross-site request forgeries, denial of service attacks, cross-site scripting and SQL injection. Then they explain how those mechanisms have changed thanks to the rise of xmlHttpRequest, public APIs, mash-ups and aggregators. If you’ve ever read a Douglas Crockford rant about the “brokenness” of the web security model and wondered why the guy was such an alarmist, Hoffman and Sullivan are only too happy to provide you with a much-needed wake-up call.

The rest of the review if here.

Ajaxian » Book recommendation: Ajax Security by Hoffman and Sullivan

... and I'm too cosmopolitan to take Billy's phone calls (while on vacation)

and today, from the "Truly good intentions but WTF are you thinking" category

Representatives from MySpace and the attorneys general of 49 states are announcing a new partnership to fight sexual predators and clean up social networks.

Among the dozens of measures MySpace has agreed to take, the social network will let parents submit the e-mail addresses of their children, so the company can prevent anyone from using that address to set up a profile.

MySpace doesn't have a stellar history when it comes to security (sorry Ramsey, I know you are trying, but you all aren't there yet). This database is a gold-mine for marketers and pedophiles alike, and I'm a little concerned about its existence.

Like a kid in a candy store

Posts like this are exactly why Memestreams should exist. Thanks Stephanie!

Stephanie wrote:

Each wine put forth some stiff competition, and the judging was difficult. The bottom line: these wines are all horrible. We did the research so you can stay away from them.

[Wild Irish Rose] The thorn in your hangover is a wild rose from Ireland. Bottled by Canandaigua Wine in Chanadaigua, NY, the same company as Cisco. Like its brother Cisco, "Wild I" definitely has some secret additives that go straight to the cranium. Another web page claims that this foul beverage is a conspiracy by the republicans to kill the homeless.

[Thunderbird] If your taste buds are shot, and you need to get trashed with a quickness, then "T-bird" is the drink for you. Or, if you like to smell your hand after pumping gas, look no further than Thunderbird. As you drink on, the bird soars higher while you sink lower.

WARNING: This light yellow liquid turns your lips and mouth black! A mysterious chemical reaction similar to disappearing-reappearing ink makes you look like you've been chewing on hearty clumps of charcoal.

[Cisco] Known as "liquid crack," for its reputation for wreaking more mental havoc than the cheapest tequila. Something in this syrupy hooch seems to have a synapse-blasting effect not unlike low-grade cocaine. The label insists that the ingredients are merely "citrus wine & grape wine with artificial flavor & artificial color," but anyone who has tried it knows better. Tales of Cisco-induced semi-psychotic fits are common. Often, people on a Cisco binge end up curled into a fetal ball, shuddering and muttering paranoid rants. Nudity and violence may well be involved too.

In 1991, Cisco's tendency to cause a temporary form of inebriated insanity led the Federal Trade Commission to require its bottlers to print a warning on the label (above right). The FTC also forced them to drop their marketing slogan, "Takes You by Surprise," even though it was entirely accurate.

[Night Train Express] The night train runs only one route: sober to stupid with no roundtrip tickets available, and a strong liklihood of a train wreck along the way. This trainyard favorite is vinted and bottled by E&J Gallo Winery, in in Modesto, CA. Don't bother looking on their web page, because they dare not mention it there.

[Jeppson's Malört] ...the flavor is a mixture of tussin, nail polish remover, gasoline, bug spray, varnish remover, and metal with a hint of herbs. The taste powerfully lingers for at least ten minutes.

[Buckfast Tonic Wine] Buckfast was thick, with a strong taste of molasses. There was also a hint of some type of herb reminiscent of oregano, and a soapy aftertaste.

[White Ace] Our reporter brought a 3 liter jug of "White Ace" cider back to the states, which is 7% alcohol per volume and only about $3.50 US for the whole 3 liter jug. When the test subject drank the whole bottle of "White Ace," in Las Vegas, the effects were severe. He got kicked out of 4 Queens casino for washing his hands in a urinal, then fell asleep for 3 hours and woke up soaked in his own urine. He woke up and got into a 6 year old's pirate costume, ran around slapping gamblers in the gut, got kicked out of The Imperial Palace, and became so obnoxious that his friends put him on a plane and sent him home early.

BumWine.com - Reviews

The Noisy Instrument won't hook into your iPod, but it will, completely without a power source, reproduce the soothing sounds of the ocean at any time and any place (ala seashell).

Earphone Sounds Like Ocean

In the past month, at least three consumers have reported that photo frames -- small flat-panel displays for displaying digital images -- received over the holidays attempted to install malicious code on their computer systems, according to the Internet Storm Center, a network-threat monitoring group. Each case involved the same product and the same chain of stores, suggesting that the electronic systems were infected at the factory or somewhere during shipping, said Marcus Sachs, who volunteers as the director of the Internet Storm Center.

"I think that supply-side attacks are going to go from zero to some small percentage," he said. "It is obviously not going to be as dangerous as mass mailing e-mail infections, but you could have some really clever targeted attacks."

Interesting vector. But this isn't just a rootkit, this code trys to propagate!

The malicious code appears to act like a rootkit, hiding itself and disabling access to antivirus resources.

"It propagates to any connected device by copying a script, a com file and an autorun file," one consumer reported to the ISC. "It hides all systems files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti virus and anti spam web sites. It prevents the remote installation of any antivirus components."

Ok, thats pretty slick. Now, for the money shot.

"Kodak works very closely with our suppliers to see that they have the latest version of antivirus software on the manufacturing systems," Landry said. "We also ask that any PCs in the factory are not connected to the Internet."

... ... wow. Maybe 14 year old Poles should pwn factories instead of train systems. They could change the mass production of just about anything. Toys, computers, ... pharmaceuticals...

Malware hitches a ride on digital devices