From lyger at attrition.org  Tue Apr  6 01:59:11 2010
From: lyger at attrition.org (lyger)
Date: Tue, 6 Apr 2010 01:59:11 +0000 (UTC)
Subject: [attrition] rant: Ejection Seats, Cooking Dinner, and Vuln Disclosure
Message-ID: 

http://attrition.org/security/rants/disclosure01.html

Mon Apr 5 21:46:28 EST 2010
By: d2d

Doing info-sec for a small company has its highs and lows. Your organization is too small to afford market leaders, so you buy software from niche-market vendors. Software that you know is less tested, and so you feel more obligated to do due diligence in your own internal assessments. That is somewhat of a 'high' point if testing apps is something you enjoy. If that was all, a gig like mine would be pretty nice.

There is nothing more fun than finding a big-ass flaw in a piece of software (that you didn't write, that is). From that initial hunch, to that little thing you noticed that made you think you were onto something, to the cigarette breaks where you ponder new avenues to approach it from, right up to that pinnacle when you finally find that big vuln. The feeling is a bit universal too, whether testing a web app, some Java servlet, or a full-on daemon. To me, if I search a piece of software on OSVDB.org and I find nothing, then I'm nearly guaranteed that nobody has _really_ looked at this thing, or at least not published their findings.

So yeah, some of the work is great. The fun tends to stop right there though.

[...]


From d2d at attrition.org  Fri Apr 16 02:28:50 2010
From: d2d at attrition.org (Dee Dee Winters)
Date: Fri, 16 Apr 2010 02:28:50 +0000 (UTC)
Subject: [attrition] rant: Layman-"Hackers" Driving Up Searches for Beef Jerky
Message-ID: 

http://attrition.org/security/rants/bing01.html

Mon Apr 15 22:21:12 EST 2010
By: d2d

A foreword is in order here: To all those people, including acquaintances, who have thoroughly enjoyed the living hell out of Club Bing prizes, I apologize if this causes you stress and discomfort. Fear not though, as I doubt it'll bring about any substantial change, and I'm certain you'll continue receiving your "Bing" branded crud in the mail on a weekly basis. Unfortunately for me, I never got around to trying to build a "Bing" prize room, but I can assure you that I've lived vicariously through watching your bots run in the background every minute of every day. But I digress...

Microsoft's Bing search engine has been steadily gaining ground since its release last May, according to various media and blog reports. Some articles cite a gain in market share by some 70% of the inherited market share of Microsoft Live, Bing's predecessor. While it doesn't appear to be taking share away from Google, it does seem to be chipping away at all other ancillary search engines on its way up the rankings ladder. Microsoft has invested some 100 million dollars in marketing for Bing, and it seems to be more-or-less working.

There are, however, some other factors that might be boosting Bing's search popularity. One of them is a bribery scheme called "Bing Cashback". It's essentially "Google Product Search" (looks almost identical to it too), only you get a percentage of cash back by purchasing items through it. Nothing terribly revolutionary there, but it may be helping their rankings.

A much more fascinating topic from a security perspective is their Club Bing project.

[...]


From lyger at attrition.org  Sun Apr 18 04:26:06 2010
From: lyger at attrition.org (lyger)
Date: Sun, 18 Apr 2010 04:26:06 +0000 (UTC)
Subject: [attrition] Ultimate Hacker Sticker Collection on eBay
Message-ID: 

http://attrition.org/news/content/stickers/

Sat Apr 17 22:57:30 EDT 2010
staff[at]attrition.org

Some fifteen years in the making, quite by accident, Attrition staff have collected a wide range of stickers. Most are 'hacker' related, some on the telco side, others for $OS fanbois and a few that are just 'who knows'. As a con was attended, stickers were acquired and thrown in a folder over the years. The end result is what you see below, and is now up for auction.

[...]

To make this even more fun, the auction will change just a bit depending on what the bid reaches. Initial bids are for the stickers seen in the pictures below. For some, there are multiples, others are a single sticker.

If the auction reaches $75.00, I will throw in one OSF shirt (either OSVDB or DatalossDB, your choice).

If the auction reaches $100.00, I will throw in one attrition.org flask featuring Lazlo, overlord of HNN, along with one OSF shirt.

If the auction reaches $200.00 or higher, I will turn it into a box of shit that includes the stickers, two shirts, one flask and whatever else I can find lying around here. Rest assured, the 'additional stuff' likely won't have much value, if any. But it will be a fun time if you open it in mixed company.

(go to the link above for other details and pictures of the auction items)

[...]