Topic: Technology
1:55 pm EDT, Jun 12, 2007
I have consumed a massive amount of Red Bull in the last 2 weeks in a run-up to finishing the manuscript for my Ajax Security book. We are talking on average 2-3 a day, with an occasional day of 4. Once there was a day of 5. Just once, and *never* again. At some point you can't really call them "days" anymore. A day is simply a convenient unit of 24 hours that may or may not start at 12:00am. There is an elusive euphoria stage of Red Bull consumption where you are unbelievably productive and yet tasks that seemingly take hours take only about 27 minutes or so. That was the odd thing. It always seemed 27 minutes later. I like to call this stage "Fry-Time" in reference to that Futurama episode where Fry drinks 100 cups of coffee and time slows to a crawl. Fry-Time occurs only in a narrow band on the line between total exhaustion and caffeine-induced heart attack and is a difficult stage to reach. I've hit Fry-Time maybe 3-4 times ever. 2 of those times have happened in the last 2 weeks. Then, there is the "attention deficient disordering" stage. This stage occurs beyond Fry-Time and before the caffeine-induced heart attack phase. In this phase, you want to be productive. You are aware of all the work you need to accomplish as well as its importance. You feel motivated and excited about all your projects. In fact, it feels like you are in the Fry-Time stage. But you aren't. You are ADDing. Because as soon as you try to do something, you can't. Halfway through, your brain jumps to thinking about another task and you stall. It's like an OS scheduler that has so many jobs to do it spends all its time context switching instead of actually making any progress on any of them. This is an extremely frustrating phase because you know what's happening.
And the very act of noticing that you are being scatterbrained brings to mind all the tasks you still need to do, which makes you think about how cool some of them are, and suddenly you aren't doing any more work on whatever it was you were working on. You've context switched to another job. The only thing to do in the ADD stage is wait it out and try to be productive later. The only problem is that when you are in the ADD phase you have had so much Red Bull you can't sleep! So you are wide awake, too hyped to do anything, knowing you have shit to do, and losing time that you could be sleeping. This is exactly what happened to me around 4:00am this morning. On the upside, I got through about 60 pages of Guns, Germs, and Steel. Elonka's cousin sure can write!

iPhone + XSS = All your cell networks are belong to Acidus

Topic: Technology
1:13 pm EDT, Jun 12, 2007
In his speech, Jobs announced that the iPhone will be able to run Web 2.0 applications that look just like the iPhone's built-in apps but are created by third-party developers. As the iPhone will have a full-fledged version of Apple's Safari Web browser, developers can build their applications with Ajax and other Web technologies.
Ok, I'm not sure what this means exactly (and granted this is 2 steps removed from the source). It's a browser with a JavaScript interpreter. Of course it can run Ajax apps. I wonder if this refers to Adobe's Apollo apps, which can run outside of a browser. "I'm underwhelmed," said Avi Greengart, an analyst with industry research firm Current Analysis. Many developers, he said, "were expecting to be able to write apps and run them in a browser anyway."
Yeah, nothing new here. He pointed out that, although Jobs said that the Web 2.0 apps will run in a sandbox, they still will be able to reach beyond the sandbox to access key functions, such as phone calls
... ... SWEET! Now Samy can let you know he is your new hero by calling you. On your phone. Thousands of times a second. From JavaScript. This makes John Terrill's curse "I'm going to XSS your FACE!" that much closer to reality.

Topic: Technology
7:27 pm EDT, Jun 11, 2007
From the Ajax Security book:
Data sharing with userData is extremely limited. You cannot share data between different domains or even sub domains of the root domain. You cannot share data with other web servers or services running on different ports of the same domain. You can only share data between web pages inside the same directory on the same For example, data stored by http://company.com/Storage/UserData.html can be accessed by http://company.com/Storage/Checkout.html or any other page inside the /Storage/ directory. Attempting to access data from other pages simply returns null. These are the default restrictions and they cannot be changed. This default closed policy is almost the exact opposite of the default cookie policy. This constitutes the lone good security decision in Internet Explorer 5.0.
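As an added illustration (not from the book or this page), the following models the userData access rule just described beside a default cookie rule for contrast; the cookie side assumes RFC 6265 default behaviour (host-only, default-path), which the excerpt does not spell out, and the scheme is assumed to be part of the userData scope.

```javascript
// Added illustration (not from the book or the page): a model of the userData
// access policy described above beside the RFC 6265 default cookie policy,
// to show why the excerpt calls them near opposites. Uses Node's built-in URL.

// userData: a store is reachable only from pages with the same scheme (assumed),
// host, port AND directory. Other subdomains, ports and directories are excluded.
function userDataScope(pageUrl) {
  const u = new URL(pageUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  return `${u.protocol}//${u.host}${dir}`; // u.host keeps a non-default port
}

function canAccessUserData(storeUrl, pageUrl) {
  return userDataScope(storeUrl) === userDataScope(pageUrl);
}

// Cookie set without Domain/Path attributes (RFC 6265 defaults, assumed here
// as "the default cookie policy"): host-only, default-path = the setting page's
// directory, and it rides along on every request to that host whose path
// starts with that directory, on any port and any scheme.
function cookieDefaultPath(setterUrl) {
  const p = new URL(setterUrl).pathname;
  const idx = p.lastIndexOf("/");
  return idx <= 0 ? "/" : p.slice(0, idx); // RFC 6265 section 5.1.4
}

function cookieSentTo(setterUrl, requestUrl) {
  const s = new URL(setterUrl), r = new URL(requestUrl);
  if (s.hostname !== r.hostname) return false; // host-only cookie
  const cp = cookieDefaultPath(setterUrl), rp = r.pathname;
  // path-match: identical, or cp is a prefix that ends in "/" or is followed by "/"
  return rp === cp || (rp.startsWith(cp) && (cp.endsWith("/") || rp[cp.length] === "/"));
}

// Constructed sample URLs matching the example in the excerpt
const store = "http://company.com/Storage/UserData.html";
console.log(canAccessUserData(store, "http://company.com/Storage/Checkout.html"));      // true
console.log(canAccessUserData(store, "http://company.com/Storage/Sub/Deep.html"));      // false
console.log(canAccessUserData(store, "http://company.com:8080/Storage/Checkout.html")); // false
console.log(cookieSentTo(store, "http://company.com/Storage/Sub/Deep.html"));           // true
console.log(cookieSentTo(store, "https://company.com:8443/Storage/Checkout.html"));     // true
```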

Book Snip: The Absurdity of Cookie Storage

Topic: Technology
2:05 am EDT, Jun 6, 2007
The following is an excerpt from the upcoming Ajax Security book. It discusses a downside of using HTTP cookies as a persistent client-side storage system: they get appended to every appropriate HTTP request. To illustrate this more clearly, think of cookie storage like having to remember an errand to do after work by shouting it at the end of every sentence you say. It would sound something like this:

Bryan: Hello Billy, what's shaking?
Billy: Hey Bryan. Just finishing this chapter on offline Ajax. Pick up Red Bull On The Way Home!
Bryan: ... ... Uhhhhh, Ok. Why are you shouting that at me instead of writing it down?
Billy: Because I chose a poor client-side storage methodology. Pick up Red Bull On The Way Home!
Bryan: ... ... Ok, this is just weird. I'm leaving.
Billy: You should be glad I can only store 4K of data this way. Pick Up Red Bull On The Way Home!
That's right, no silly appendices full of ASCII tables and RFCs. We replaced that crap with comedy. Extremely poor comedy :-) All writing and no play makes billy a dulllllllllllllllllllll boyyyyyyyyyyyyyyyyyyyyyyy. [sleeps]

'The Most Beautiful Destruction...'

Topic: Technology
12:29 pm EDT, Jun 4, 2007
Disclaimer: This is most likely just Pat messing around. I'm not claiming this story is true one way or the other. I'm just relaying a funny story I heard last night in a bar. Anyway... Optyx is in Atlanta for the week and we got some drinks with John Terrill last night. A good time was had by all talking about crypto, web apps, the homies on #vax, brushes with the law, security charlatans, and new opportunities. The night was finished with a stumbling tour of Pat's and my old stomping grounds: Georgia Tech. If you don't know Optyx, he's forgotten more hacker stories than I'll ever have. The following is, as best as the beers will let me remember, the story of the Cray-2. I've tried to tell the story as close to the way Pat did. Any errors are the fault of Guinness.

So I was living in San Francisco working at a web hosting startup. A friend of mine at Lawrence Livermore National Laboratory gives me a heads up, saying they were decommissioning their Cray-2 supercomputer. I decided to buy it, but the regulations said the lab had to hold a public auction to sell it. However, it didn't say how far in advance the time or place of the auction had to be published. Through some help from my friends at the lab an auction got set up where I was the only bidder. The auctioneer wasn't in on the scheme and he opened the bidding at $2000. I looked around, saw I was the only guy, and said "$1000." They sold me the Cray-2 for a grand and I took it back to my house on Treasure Island in the back of a U-Haul. A Cray-2 weighs more than a ton so this was not an easy task. The big problem I had was how to power the thing. I hacked together a power converter and ran it off the 3-phase power outlet for the clothes dryer. But I had this girl roommate who used to complain about not being able to dry her clothes when she wanted because the computer was on. So the uptime of the supercomputer was dependent on the laundry habits of a roommate! After the first month, I got the power bill.
It was $2200. I decided it was time to sell the Cray. Through a mutual friend, I found some .com yuppie who wanted to buy the Cray and use it as a couch. I sold it for around $3500 to recoup the cost of the machine and the power bill. I visited his house, which was on the side of a hill in SF. You'd park in a 1-car garage underneath the house and use stairs to go up into it. It was like a big loft space on the 1st floor and that is where he decided to put the Cray-2. I asked him if his floor was reinforced because the Cray-2 weighed a ton. The yuppie said the house had steel floor beams and not to worry. I broke the Cray down for shipping (which consists of breaking it into 300-pound pieces you move around with a pallet dolly) and delivered it to his house. The stairs were really steep, but with the help of a bunch of friends we got each piece into the house. I set it up for him in the living room but didn't plug it in. About 3 days later I get a call from the mutual friend. The Cray-2 broke through the floor, causing serious damage to the house. It fell down into the garage and crushed the yuppie's month-old BMW 7 series. I immediately left work and went to the yuppie's house. It was the most beautiful destruction I have ever seen. A destroyed supercomputer on top of the crushed remains of a beautiful car. Most of the Cray looks like it had landed on the hood of the car just in front of where the windshield would be. The impact almost sheared the front of the car from the passenger compartment. It appears that the Cray then fell backward on top of the rest of the car, crushing it. Both axles were broken and there was glass everywhere. And that was the story about how I owned a Cray-2 supercomputer for a month and a half.

Topic: Technology
2:32 pm EDT, May 30, 2007
Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database.
DOMinatrix: Spanking the DOM the way the DOM likes it!
I'd like to thank Dan Kaminsky for the suggestion. He came up with the name and challenged me to come up with the spanking victim. You'll see it at Blackhat.

Topic: Technology
11:35 am EDT, May 29, 2007
Hello all, Just a reminder that we've got a call today at 2 Eastern, 11 Pacific. I'm attaching below a list of Web research methods compiled by the security pros in our group. The agenda for today is to get a feel for how the law might interpret these actions, and how likely criminal prosecution would be.
Today is going to be a good day :-)

Topic: Technology
1:49 pm EDT, May 27, 2007
A remote user can send specially crafted data to trigger a buffer overflow in the UPnP Internet Gateway Device Standardized Device Control Protocol code and execute arbitrary code on the target system. The code will run with the privileges of the target service.
"privileges of target service" == root
Apple credits Michael Lynn of Juniper Networks with reporting this vulnerability.
Mike's fuzzing DNS again, which is oh so Dan Kaminsky-esque. update: My name is Billy, and I am retarded. This is UPnP. Too much Book, not enough sleep.
Remote root in Mac OS-X

Topic: Technology
4:04 am EDT, May 22, 2007
Canonicalization, much like life, is a bitch. Yet another way higher character encodings get downgraded into lower character encodings, bypassing IDS/IPS signatures. Of course, this is just another example of the fundamental problem: IDS aren't looking at the same bytes the destination service is looking at. Arian Evans does a good job scoping this:

Somewhere along the path from HTTP protocol --> to app untrusted entry point --> to parser, there are several possible layers of decoding. These could include:
- Web Server itself
- Web Server plugin
- Canonicalization in framework (e.g. some .NET modules)
- Canonicalization steps in web app code
- Decoding and interpretation by shell scripts and the like
- Decoding certain encoding types for normalization (see this a lot in PHP, or cookies base64 file-system encoded, etc.)
- etc.

This means that: It is possible for an app to have one or more layers of canonicalization/conversion, allowing for even crazy things like double and triple-encoding, which IDS/IPS do not handle at all over HTTP
My homies in X-Force are going to have a shitty day tomorrow... ... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer.
Web hackers 9999, IDS 0
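An added example, not code from the post or from Arian Evans, showing one signature applied to the raw request bytes (the only view an IDS gets) versus to the form that survives two decoding layers, and the fix of matching on a bounded fixed-point decode; the sample path, the two-layer count and the traversal signature are constructed assumptions.

```javascript
// Added illustration (not code from the post or Arian Evans): a constructed
// request path passing through the layered decoding described above, and one
// signature checked on the raw bytes versus on the canonical form.

// Signature an IDS/IPS might carry for a "../" directory traversal
const TRAVERSAL = /\.\.\//;

// One decoding layer: percent-decode if well-formed, otherwise leave as-is
function percentDecodeOnce(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// Simulated path: e.g. the web server decodes once, then app code decodes
// again. Returns what each layer sees, in order, starting with the raw bytes
// (the only view the IDS gets).
function layersSeen(raw, layerCount) {
  const seen = [raw];
  for (let i = 0; i < layerCount; i++) seen.push(percentDecodeOnce(seen[seen.length - 1]));
  return seen;
}

// Mitigation: decode to a fixed point (bounded) before matching, so the
// signature is applied to the same bytes the final parser will act on.
function canonicalize(s, maxRounds = 5) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = percentDecodeOnce(cur);
    if (next === cur) return cur;
    cur = next;
  }
  return cur; // still changing after maxRounds: worth flagging on its own
}

function matchesRaw(raw) { return TRAVERSAL.test(raw); }
function matchesCanonical(raw) { return TRAVERSAL.test(canonicalize(raw)); }

// Constructed sample: "../" double-encoded ("." -> %2e -> %252e, "/" -> %2f -> %252f)
const sample = "/files/%252e%252e%252fconfig.txt";
console.log(layersSeen(sample, 2));    // raw, after server decode, after app decode
console.log(matchesRaw(sample));       // false: the raw bytes never contain "../"
console.log(matchesCanonical(sample)); // true
```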