This post will be quite “video-heavy”, so I won’t embed all the videos (because the post would load very hard), rather I will just link to them.
Nate Koechley: "Professional Frontend Engineering" – a good introduction in the topic. Covers progressive enhancements and similar topics. If you are already well-versed in the basics, there isn’t anything particularly new here.
Attacking Layer 8: Client-Side Penetration Testing SOURCE Boston Edition – good presentation about the client-side capabilities of Metasploit (“user assisted exploitation” :-)). As a related note: on the Techie working in a corporate world blog you can find a lot of Metasploit scripts, which is encouraging seeing how I ranted about the fact that all the tutorials are videos.
Ether: Malware Analysis via Hardware Virtualization Extentions – nothing incredibly new (in fact my diploma thesis was very similar to this, the difference being that I patched Qemu to do this – with hardware support this is much faster), but still interesting. There is of course the problem of how much you let the (suspected) malware interact with the “interwebs”? Make it too little, and samples won’t run. Make it too much, and you risk participating in a DDoS attack.
Via the Enterprise Application Whitelisting blog: the Cisco guide to check the validity of IOS images before updating the routers. Their recommendation? Check the MD5! Fail! MD5 is insecure and has been broken several times publicly. I understand that their legacy tools only support MD5, but at least publish the SHA1 (or preferably SHA-256 and SHA-512) sums and give people instructions on how to validate them manually. How often do you update the firmware that this is a burden?
From certifiedbug.com: a musical ad from FTC instructing people on how to verify their credit reports and avoid falling for fake sites.
Via glasblog: The 2009 Google Summer of Code ideas from The Honeynet Project have been announced. If you’re a student, check it out and make some good money (4500 USD AFAIK).
From taint.org: How to merge a ramdrive and physical drive under Linux, so that the data overflows to the physical drive when the ramdrive is full. Interesting.
How to blog anonymously (via the Tor blog): Anonymous Blogging with WordPress & Tor. This can be increasingly important as countries traditionally thought of as “democratic” begin to also severely restrict free speech (see the recent cases in the UK, Australia and New-Zeeland).
From the Security4All blog: EFF Re-Launches Legal Guide for Bloggers. See the complete list of questions. While mainly (only) applies if you are in the USA, it is a good idea for all of us to look trough it. For a more international version see How to avoid libel and defamation from the BBC. It is quite chilling to read trough these texts, as they are a reminder of the fact that law and justice are two separate things.
Via GlasBlog (sorry for all the non German-speakers):
- A central honeypot to collect RFI attempts – this could be improved with mod_proxy, since there is no telling that the automated scanning tool actually follows 3xx redirects (or that it follows them off-site)
- The Schnucki project – an other project aimed at watching web-crawlers which collect e-mail addresses
The Enso Launcher – a quick way to launch executables and perform other tasks on your computer. Also, it is free 🙂
From dammit.lt: Linux 2.6.29 has been released and it can cause a performance hit if you don’t watch the settings.
From absoblogginlutely’s Bookmarks on Delicious: 10 things you should know about connecting Macintosh OS X systems to Windows networks – they are mostly Samba related, so you can look at them also from a Linux perspective.
Why I Sued Google (and Won) – a tale about how somebody disputed the fact that their AdSense got closed in court and got a favorable verdict. Now I never used AdSense (or other ad services), but it is good to know that you might have recourse (of course, if you are outside of the USA, it is an entire other case).
Picture taken from Tony the Misfit’s photostream with permission.