apple soapbox; pwn2own


April 1st, 2008

If you keep informed of the movements that are going on in the computer security world, you would know that this week Vancouver was host to the CanSecWest Security Conference. Last year, CSW organizers had “Hack a Mac”, whereby owning their testlab Mac made it yours – plus a nice cash prize.

To take things further, this year the contest was extended to one representative of each of the major platforms: a MacBook Air, a Vista and an Ubuntu Linux. The MBA was first to fall, and while I tried to keep off comments about it… I can’t.



unlocking a passcoded iphone


February 26th, 2008

Since some people seem to be reaching an older post of mine trying to figure out how to unlock a passcoded iPhone, I thought of sharing a few thoughts on the matter.



OPML to MobileRSS Converter


October 5th, 2007

Grab my OPML to MobileRSS converter here.


OPML2MRSS


October 5th, 2007

UPDATE Nov. 28th 2007: MobileRSS version 2 has support for importing OPML files. Follow the on-screen instructions on how to do so.

MobileRSS is an RSS reader meant for the iPhone. You can access your feeds wherever you want and catch up on the latest news. The only shortcoming I’ve found, so far, was the need to type in feeds manually. No more. If you’ve already ‘broken’ your iPhone [and, if you’re considering running MobileRSS, I guess we know the answer] then here’s your fix:

  1. export the feeds from your news reader of choice as a flat OPML file
  2. download the jarfile for OPML2MRSS [1]
  3. run java -jar OPML2MRSS.jar <your-opml-file>
  4. copy the resulting file [com.google.code.mobile-rss.plist] into ~/Library/Preferences/ on your iPhone
  5. load up MobileRSS and watch all your feeds :)

Caveat: It seems MobileRSS doesn’t like too many feeds. You might want to put only the ones you really enjoy, otherwise load times will be quite large and you run the risk of crashing the program.

Let me know if you have problems, hopefully with the OPML that gave you those issues. As it is customary, all responsibility for running this code is with you. Armageddon - not my fault.

  1. This is a FatJar, containing source code, binaries and the nanoxml XML parsing library

damned be all


August 3rd, 2007

… that are having fun at DEFCON 15! I can’t wait to find the time and freedom to get there… maybe next year? BTW this baby sounds like the ideal machine to bring there [wipe clean before, wipe clean after, of course =) .]


coder styles


July 18th, 2007

So you read code every so often. You meet a coder. Fascinating people, we are. Most of us, at least. But we’re not the same, mind you. Here’s the breakdown:



listening to the underground


June 19th, 2007

I’ve met a real security researcher once. He writes academic papers, works for one of the big virtualisation companies and, I think, even teaches a course or two. He told me there is a clear distinction between the style in which academic papers are written - the ones by PhDs, at least - and how blackhat docs come about.



the threat of warez


June 19th, 2007

This is not about intellectual property, copyright or electronic markets. This is about malware infections. I know, how weird of me.

I overheard someone speaking recently about the threat of viruses and other nasty malware coming from P2P networks. How it must be obvious that pirates have ulterior motives for distributing software applications free of charge - nobody in their right mind would do that unless there was something to gain. In this person’s view, all software originating from P2P networks [all commercial software] is somehow infected with some form of malware or another.



fanboy night


June 11th, 2007

Today was WWDC. Today Apple released a beta of Safari [the Mac web browser] for Windows. Today was a good day for battles between Microsoft apologists and Mac fanboys.

But I’ve been in my battle someplace else. Today I’m here to express my sadness regarding David Maynor’s latest blog post. Of course, Mr. Maynor does not need to care about my opinions in the least bit - after all, his name is known in security circles well enough. I do respect his work - my ‘port’ of Ferret was a tribute to that - but I won’t hold back because of that.

First off, congratulations. There are bugs in beta-grade software. Important bugs, admittedly. So what would one do? Dump the product or report said bugs upstream in hope of a fix from the original developer[s]. Why do the latter? Well, as someone who would be concerned about the state of the Internet and the fact that security issues are an important reason for the pollution of the Web [1], it does sound like a reasonable thing to do. Sure, Mr. Maynor has had previous run-ins with Apple which he reports as being of a negative nature - and, as such, has decided to withhold disclosure of security vulnerabilities to the Fruit. Fine, it’s his “Intellectual Property” or simply his right to do so.

What’s going to happen? I’m not the Oracle. What could happen? Safari final comes to Windows. Bugs are still - maybe just some, maybe all - there. Mister Maynor can laugh in the face of Apple for failing to fix them and then sell them to the highest bidder [granted, it will probably be a security company and not blackhats.] Another hit against Apple and some brownie points for ErrataSec.

I am disappointed by what I can only perceive to be dubious intent. A vendetta of sorts which will damage the users more than the companies involved [Apple, ErrataSec or any other third-parties that get drawn into this.] In light of the alleged gag-order imposed with regards to the Apple WiFi affair, I think another alternative means of distribution of said bugs could be found. I understand that mister Maynor has to pay his bills - it would be wise of more companies to offer bounties for the finding and reporting of serious security risks [as some do] - but his attitude does not encourage any kind of positive action to come about. While I do not vilify mercenaries in the security world, I do take issue with those inconsistent in their approach.

UPDATE: It seems something ticked him off, the trackback link was removed sometime during the day today. Wonder what that means…

UPDATE 2: Trackback now shows on ErrataSec. I see others were removed so maybe DM thought I was spamming. A trackback link should be used as a comment, generally, to let people know you’re talking about something they said.

  1. MySpace would be in the top #10, no doubt

old school humour


May 15th, 2007

I can’t read this right now, I’m laughing too hard and it sounds like a mouse on ecstasy screaming after his deaf buddies.

COYOTE v. ACME

And for more old school geeky stuff: the Textfiles Humour section. For those - like me - that like a bit of history, check the entire Textfiles archive.

