chaotic tuxedo-es.org

A few reasons to avoid socializing at work

2007-11-15T01:56:00.000-08:00

... or why you should avoid messing with your co-workers and stick to your old school friends. While some people prefer to go all way liberal and social, chit chat loving hipsters et al, some find out that work is really meant to be for work and skip the social crap.

Here we go with a few reasons for avoiding (in general) socializing at work:

Your coworkers are far more likely to develop envy and other vicious feelings towards your persona.
Your coworkers are there for the paycheck, probably as much as you are, if not more.

They will most likely do whatever comes around for getting a better one.
That means selling your ass out. Really.

It's human nature when it comes to money to fuck up things. Especially confidence.

Everyone has a price.
Sadly, the world is full of cheap people.

They will usually engage in so-called 'social chat':

Buddy X: Hey dude, I'm just back from the gym!
Buddy Y: Yo, I bench press 140 pounds, lol!

Let's go on the analysis of the conversation above:

Buddy X is ingenuous e¡to enough to talk about gym. You know, it's about 2% of the world population that truly care about their fitness and shape. People out there think bioimpedance machines tell the truth (you seriously think you have 12% bodyfat if you can't even see the joint point between your chest and abs!?).
Buddy Y knows what anyone who was watched a cheap sitcom knows: there's a thing called bench press. Pushing it further, you get him to know about the Guido work out! (Evil grin).
Buddy X afterwards thinks Buddy Y is a moron. If you weight 200 pounds and you think lifting 140 is quite an accomplishment, you seriously need therapy. Now, if you weight 140 and lift 200, it's not yet an accomplishment but you are more likely to achieve one. Hah.
Buddy Y claims he goes to the gym 'on regular basis'. Buddy X suddenly has to live together with Buddy Y and finds out that Mr. 200 pounds is a bedroom worm. Wake yourself up, soldier! Hah.

Let's continue with more reasons and suggestions...

Never cook at work. Especially in IT jobs, that's like a serious curse on your persona. You are supposed to grow the mandatory belly. That gives you a coolness factor of seventy-five chin-up coupons. Or fast food discounts, whatever comes first.
Your co-workers will hate you if you are able to fit more than just work in your life.

Example 1: Look at Buddy X, he's leaving at 4pm! - a 9pm-regular whispers...

Your co-workers might be a bunch of liberal asses like most commie imitators around the globe. This is fairly usual at Europe nowadays. Now, they wear Levis too.

The solution is simple: quit and kick their butts afterwards. For real and great justice. Army way.

A simple trick to improve Firefox security

2007-10-09T08:19:00.000-07:00

Firefox can run with add-ons disabled and what not, but if you run Firefox under Gentoo Linux, using the hardened profile, you can use a simple trick to have two different instances of Firefox available, with different enforcement of memory permissions and the usual PaX features:

PaX features disabled via PT_PAX_FLAGS, will allow most plugins to run without issues (although, for example acroread will require specific permissions on its own binary to run):

paxctl -pemrxs /usr/lib/mozilla-firefox/firefox-bin

Recommended settings (that might slow down Firefox in some systems, with noticeable overhead when there's a heavy use of Javascript or AJAX functionality):

paxctl -PEmRXs /usr/lib/mozilla-firefox/firefox-bin

For Acrobat Reader (only Address Space Layout Randomization -ASLR- can be enabled without affecting the functionality, blame the poorly compiled binary):

paxctl -pemRXs /opt/Acrobat7/Reader/intellinux/bin/acroread

You should try to use a different PDF application anyway, if you really trust any of them :)

Description of the PT_PAX_FLAGS flags:


PaX control v0.4
Copyright 2004,2005,2006 PaX Team 

usage: paxctl  

options:
      -p: disable PAGEEXEC            -P: enable PAGEEXEC
      -e: disable EMUTRMAP            -E: enable EMUTRMAP
      -m: disable MPROTECT            -M: enable MPROTECT
      -r: disable RANDMMAP            -R: enable RANDMMAP
      -x: disable RANDEXEC            -X: enable RANDEXEC
      -s: disable SEGMEXEC            -S: enable SEGMEXEC

      -v: view flags                  -z: restore default flags
      -q: suppress error messages     -Q: report flags in short format
      -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
      -C: create PT_PAX_FLAGS (see manpage!)

Simply copy the firefox-bin binary to firefox-secure and apply the different flags as necessary.

Darth Vader: today we dine with Jesus!

2007-09-29T02:37:00.000-07:00

"Your lack of Vodka supplies is disturbing."

dynamips (Cisco 7200 Simulator) on Mac OS X

2007-09-29T02:33:00.000-07:00

It runs pretty decently so far, just need to get couple things installed manually or via ports if available:

 $ curl 'http://www.mr511.de/software/libelf-0.8.6.tar.gz' -o libelf.tgz
$ tar -zxf libelf.tgz
$ cd libelf-0.8.6
$ ./configure --prefix=/usr/local
$ make
$ sudo make install ...
$ cd ../dynamips-0.2.5 && make
$ ./dynamips ../../c7200-ik9su2-mz.124-13b.bin
Cisco 7200 Simulation Platform (version 0.2.5-x86)
...
Cisco IOS Software, 7200 Software (C7200-IK9SU2-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 25-Apr-07 03:18 by prod_rel_team
Image text-base: 0x60008F10, data-base: 0x6258C180
...
Router>

Find about dynamips and the development blog. You already know about Cisco, no link loving for them today. ;-)

Those games never end

2007-09-23T09:12:00.000-07:00

One of the most amazing things about gaming, is to find out that a game is still being played after years of its release date. Maybe this is the usual practice for someone used to the likes of old gaming platforms and the availability of emulation software, but we also have the usual late-to-mid 90s "PC game" which became a cult. Quake 3 is still active and many other fun LucasArts games are also actively played in public servers. This is the case of Jedi Academy and a bunch other titles from the same company. The interesting point is how things are shifting towards more massive multi-player games and the role-playing genre, instead of the good old FPS. LucasArts has a rather exciting title (Force Unleashed) in the works which may be only available for consoles, and many other game development companies are doing the same.

Something changed in the game industry that makes most companies release the best games primarily for gaming-oriented platforms. If the graphic drivers for Vista didn't suck...

Back!

2007-09-23T09:06:00.000-07:00

Hopefully the old content will come up soon, it just takes some time to re-format it for Blogger. Until that is completed, enjoy the usual humor from Wikipedia free-for-all policy and the amusing changes made to OpenBSD's head Theo.

Improving propagation with ionized meteor trails

2006-08-31T02:09:00.000-07:00

From the Wikipedia definition of "Meteor Burst Communications":

Meteor burst communications, or MBC for short, is a radio propagation mode that exploits the ionized trails of meteors during atmospheric entry to establish brief communications paths between radio stations up to 2200 kilometers (1400 miles) apart. It is also referred to as meteor scatter communications in some documents.
As the earth moves along its orbital path, tens of thousands of particles known as meteors enter the upper atmosphere. When these meteors enter the atmosphere and begin to burn up, they create a trail of ionized particles that can persist for up to several seconds. The ionization trails can be very dense, and used to reflect radio waves. The frequencies that can be reflected by any particular ion trail are determined by the intensity of the ionization created by the meteor, often a function of the initial size of the particle, and is generally between 20 MHz and 500 MHz.
The distance over which communications can be established is determined by the altitude at which the ionization is created, the location over the surface of the earth where the meteor is falling, the angle of entry into the atmosphere, and the relative locations of the stations attempting to establish communications. Because these ionization trails only exist for fractions of a second to as long as a few seconds in duration, they create only brief windows of opportunity for communications.

A nice read for anyone interested on radio communications. The known origins go back to 1929 when a Japanese individual, Hantaro Nagaoka, reported the interaction between meteors and radio waves propagation. Later in 1931, it was noticed that long distance propagation occurred at times of major meteor showers for a short time.

ServerBeach: a highly recommended dedicated hosting provider

2006-08-16T20:44:00.000-07:00

Sometimes things look like they're not going to work. This often happens when there's a rare condition in place which automatically turns to be a show stopper. When a company has a strict policy (not about the usual encumbrances like file sharing, copyrighted work, etc), it often discourages few potential customers from actually paying for truly nice services. Maybe the company offers competitive pricing and quality of service, but the barrier is just set too low and customers leave in the middle of the process. This isn't the case of ServerBeach, originally a Texas-based (thanks Richard for pointing this out) dedicated hosting provider with probably the most competitive pricing in the market, now owned by the Canadian company Peer1.

The balance between costs and quality doesn't get hurt with this company. Without unnecessary buzz wording, our very recent experience with them shows that the guys in the sales and customer service team can handle very concrete, exceptional requests, which may require handling of serious documentation and other formalities (ex. legal documentation, information that should be handled discretely as confidential, etc).

While the so-called (and nowadays widespread) "sales live-chat" may be the only way for others out there, with these people you can actually get your phone, dial their number and get in touch with the team. If at first time you think you aren't going to get what you want, you just have to ask them over the phone and discuss on the possibilities. Don't be afraid of explaining your needs, if they handled ours, they can do the same with yours for sure ;).

They are very prompt at giving you possible solutions with your problems, and it’s not the typical sales conversation about the pricing and "extremely good services" of the company. There’s no buzz. They tell you what you need and what they need and want from you.

The pricing is the lowest we’ve found so far and it allows you to customize the order and make it suitable for your needs. For a monthly fee (without setup costs!) of US $129.00 you get a pretty decent server, and they allow you (and also support) running game servers, good thing for gamers out there seeking decent ping times/latency. At such a low price, it’s not wise to avoid giving it a try.

And more when they offer a discount of US $100 (follow the link or use the coupon/referral code: XETJPJU45K) from their referral program. This helps both the new customer and the referral (by using the coupon you support us and our infrastructure), and it’s a great opportunity for testing their services. If you don’t like it, you can quit at any time.

They offer a wide variety of possibilities, in both GNU/Linux and Microsoft Windows. For GNU/Linux servers you can choose CentOS, Red Hat Enterprise Linux 4, Fedora Core 3 or Debian Sarge, and for Windows platforms you have the 2003 series (Web edition, etc) with SQL Server 2000. They offer also many so-called ‘control panel’ options. In the end it’s up to you, you have a wide range of possibilities to choose from.

Their administration interface integrates a versatile DNS management tool as well as access to invoices, order history, services ordering, upgrades, tutorials, forums and support tickets. It lets you manage your servers easily and keep track of the financial and technical stuff, all in one place.

We highly recommend it, and would like to thank the prompt response from the sales and customer service team.

Light over Ruby on Rails "critical security upgrade" 1.1.5

2006-08-10T02:14:00.000-07:00

Yesterday, the core development team of the Ruby on Rails framework, announced in their weblog a critical security upgrade (1.1.5) which should be applied immediately.

*1.1.5* (August 8th, 2006)

* Mention in docs that config.frameworks doesn't work when getting Rails via Gems. #4857 [Alisdair McDiarmid]

* Change the scaffolding layout to use yield rather than @content_for_layout. [Marcel Molina Jr.]

* Includes critical security patch

Without giving details on the issue ("The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assalients") some people started reviewing the diff between the 1.1.5 and 1.1.4 releases, right away from the Subversion repository. A few hot spots have been indentified so far, one of them being a clear example of a potentially exploitable condition:
@@ -268,7 +273,7 @@ $LOAD_PATH.select do |base| base = File.expand_path(base) extended_root = File.expand_path(RAILS_ROOT) - base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin} + base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin} end else $LOAD_PATH

Some already have explained the issue (thanks Brandon for the links), although the development of a proof of concept by some Russian folks brought new issues to the attention of some RoR users. Basically, the fix introduced new problems, apparently.

The original issue was about the possibility of forcing Ruby to load arbitrary code after uploading a file and injecting a path to the LOAD_PATH variable through the HTTP_LOAD_PATH header (which is managed client-side... thus the user has control over it). The flaw in the routing code would allow this file (ex. a controller) to be loaded and executed. This would happen when requesting an URL with the controller name and one of it's methods, leadind the routing engine to walk through LOAD_PATH for the file and then executing it: http://railshost.tld/evil_controller/the_method.

Side-note: If $SAFE mode is enabled, at it's lowest level it's supposed to prevent code from being executed from world-writable directories, thus it shouldn't work from directories like /tmp. This probably doesn't apply to certain win32 installations anyways.

The newly discovered issues are related to loading built-in (already available) code through the autorouting engine, this causes different kinds of situations, from crashes to infinite recursion bugs (leading to the infamous 'Stack level too deep' error).

Nope, guys, the routing problems aren't fully fixed, and one still can require about 500 .rb files from standard Rails vendor/* directories just typing some text as URL in browser.

Apparently, a bug report ticket was submitted time ago:

Where is test code for that "patch"?

And there was already a ticket "#5408 Unhandled urls can cause loading of arbitrary ruby files" on Rails TRAC from 06/16 about mentioned issues...

Although, a follow-up comments that 1.1.5 upgrade fixes the situation for everything except Webrick:

The rails team is trying to contain damage. The fix works on everything except for webrick.

While the current status might have a lower immediate risk, controllers are expected to work all-together with other code, thus managing to execute methods within this controllers could still lead to exploitable conditions (ex. methods involved on filesystem-related operations) and such cases might be waiting for someone to take advantage of them.

Some light over the whole story comes with a new follow-up, explaining that actually, directories containing 'lib' will be used for the loading procedure, leading to an exploitable condition (but just a bit more complicated than the original one). This applies if HTTP_LOAD_PATH is still exposed and has direct influence over LOAD_PATH.

actionpack-1.12.4\lib\action_controller\routing.rb: 276

base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}

base.match(/\A#{Regexp.escape(extended_root)}\/*(?:#{file_kinds(:lib) * '|'})/) || base =~ %r{rails-[\d.]+/builtin}

An user reported that it affected his Mongrel installation too (Maybe Webrick isn't the only one affected? and what about Lighttpd?).

Regular expressions ~~can be~~ are evil.

Another comment on the original announcement refers to the ticket number 3030 (nice one...), but right now the machine serving the RoR development Trac installation seems to be offline or failing to handle requests. Fortunately, Google cache entry exists.

[PATCH] method_missing exposes private and protected actions
I was recently trying to create a page that shows something other than the default "Unknown Action" message when a user calls an action that isn't defined in the controller. I used the method_missing method to do so which worked as advertised. However, I created an action declared as private in that same controller and the private action is available to anyone including via the web.

While some people might argue that this makes RoR not suitable for production, every so-called web application framework is affected by security flaws at some point (ex. now). Even those considered to be in a mature state of development. Some issues might be known, others might have gone wild.

Anyways, probably a 1.1.6 upgrade is coming soon. Hopefully next time everything will be documented properly, thus users won't have to figure out the problem by themselves, in order to decide if the fix is truly necessary.

The RoR team has already done a great job for bringing such a flexible and nice framework, not even mentioning the Ruby guys. Please, keep up the nice work ;-)

A brief look over the crazy domain names business

2006-07-30T02:04:00.000-07:00

Seems like this "virtual real-state" business is getting some publicity this month, after some news and interesting overviews appeared around on blogs and news sites. One of them is written by Dennis Forbes, with title "Interesting Facts About Domain Names". He checked thousands of domain names, with different number and word combinations, and surpisingly finding that most if not all, have been taken already. Do they have developed content? Seems like they don't. People starting a web-based business can have a tough time for finding a really good brand they can market and use for word-of-mouth advertisement, as they need to look for more complicated names, hyphen-based ones, using not so nice TLDs (ex. no .com, no .net, no .org).

Dennis did a certainly nice job for creating charts to show the statistics, one of them on the different possible length letter sequences:

Most companies go for a domain name broker or speculator to do the job for them, find a potentially brandable name and then starting the negotiations with the owner and finally doing the proper transaction via a escrow agent. The point is, How much do these brokers get out of each operation? The usual commission is around 10-5% of the final value.

How much does the owner get? Well, here we go with the interesting stuff.

Magazines and blogs that track and report domain name sales exist, one of the most known is DNJournal. Normally these sales are done via brokers or specific sites like Sedo which is recommended by most people working on the business. Let's see some of the sales:

Nasty.com for US $200,000 at Sedo

Tonight.de for US $14,464 at Sedo

Mapper.com for US $13,500 at Sedo

MadisonAvenue.com for US $23,500 on private sale

Everyone wants a six figure income, but you may think it's difficult as hell to get a brand-able domain name, and then sell it somewhere else. Well, you just need to be creative, expect to spend an initial budget of a couple of bucks and have patience. You're pretty much done. Just a couple of bucks? Nowadays, you can register a domain name for really low prices, for example at GoDaddy.com with offers of US $1 for each domain name, and discounts for bulk registering which is the most used facility by the annoying domain name business guys.

The next step would be opening an account on Sedo and starting promoting them, listing for sale, or just manage your way to find potential buyers and contact them. An usual recommendation is to stay out of the bad guys, or brokers and individuals which look to be alone but actually work for a company that "snipes" domain names.

There are tools out there that create permutations of words, take keywords and word lists and work upon such data for automatically checking WHOIS information and availability, then reporting each available domain name ready for speculation ;).

Although, as the Stylegala article says, it's the brand that matters, not just the keyword. Find something easy to pronounce, easy to write and remember, and most important: something that plays well with marketing. Could people spread the word on your site easily? "Hey mate, google for this stuff!". So, that's it.

Keyword-based domain names may help for SEO, but in the end people won't buy MyBrand cars. They'll buy just cars... dot com.

For a well brandable domain name, an individual could get more than US $1,000 always, but it all depends on the buyer and the patience of the seller. Like in real-state business, time matters. The benefit is evident, buy for one or few bucks, sell for thousands.

Interesting Facts About Domain Names by Dennis Forbes.

GoDaddy.com Domains Only $1.99

Domain Name Analysis - More Fascinating But Entirely Useless Charts by Dennis Forbes

93% Of Domain Reigistrations For Scam Sites? at Techdirt.com

Best Brands, Innovative Products at Slashdot

The other side of VirtualProtect() and friends: DEP evasion

2006-07-14T02:02:00.000-07:00

As some people may think that the regression tests which involve VirtualProtect() usage for evading DEP, are wrongly implemented and present a legitimate feature as a potential risk, the images below show "hot spots" in the disassemble of Microsoft Windows Media Player and Skype. The first, as most multimedia applications in either GNU/Linux or Microsoft Windows, needs to generate code on run-time and this requires access to executable memory. Skype was known to break with Data Execution Prevention (DEP) enabled, until it was fixed...

Image below shows Skype allocating memory with PAGE_EXECUTE_RADWRITE access:

PAGE_EXECUTE_READWRITE 0x40

Enables execute, read, and write access to the committed region of pages.

Allocating memory with such a nice permission is for sure an easy way to get around DEP-related compatibility issues. Basically, DEP will be useless. If the memory area allocated, receives some-how user input (or at least is partially controlled by another process), code could be written and then executed without any barrier, including DEP protection.

19.01.2006 version 2.0.0.73
bugfix: crashes when DEP is supported in hardware

Now let's look over Windows Media Player....

It doesn't matter if we allocate memory with RWX (Read-Write-Execute) access or we just allocate it with write access and then change it to be executable. In any case, if memory becomes executable after writing from user-input or similar unsafe sources, DEP will be unable to protect against it, as there's no enforcement in place for memory access permissions. You just have to rely on the vendor, and trust that they didn't go the easy way and didn't fix their code, but just applied a workaround.

For further information:

Browser fun everyday

2006-07-11T02:00:00.000-07:00

The people from the Metasploit project came up with a certainly nice idea: a blog-style publication for releasing web browser bugs and security flaws on a daily basis for one month. A rush of issues have been published, affecting a wide range of browsers, from Microsoft Internet Explorer to Safari. Just for the shake of ~~mayhem~~ and ~~destruction~~, some issues will get published over here as well, discovered using either their tools (DOM-Hanoi, etc) or the under-going project for developing an easy to use QA and vulnerability assessment framework, QANUM (first show-case is out...).Today's one is a simple and not-really-useful NULL pointer dereference in the Macromedia Flash ActiveX component function LoadMovie():

a = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); try { a.LoadMovie(-1, "bogus.swf") } catch(e) { }

The bug is triggered by passing a non-zero value to the first parameter (which represents the layer for the loaded movie). Nothing really interesting, right? It seems already fixed in Flash 9 (finally after remaining in 8 for quite a bit of time), and it seems there was previous knowledge of the bug, two years ago. Nice timing.

Zero-day buzz and unpatched, even ancient security flaws

2006-06-14T01:55:00.000-07:00

Michael Sutton on the 0day buzz. An interesting read about how old vulnerabilities can be a serious problem to lazy administrators, or for those who get distracted by the rush of so-called advisories and other linenoise. It's nothing new but it doesn't matter how many times you tell the monkey to stop throwing the banana peel to the floor. Monkeys only care on the banana itself.

The point is, that new vulnerabilities draw attention. The ones that scare me are the old ones, the ones that have been forgotten about. Targeted attacks require specific vulnerabilities but many, if not most attacks, choose not to discriminate. The attacker simply wants control of as many machines as possible to send spam, phish for credit card numbers, etc. In this case, any old vulnerability will do, so long as a multitude of machines remain unpatched.

HD already talked on similar stuff in the Metasploit Project blog, how old and relatively new web browser flaws are being used to spread malware (well, adware would be more appropriate).

This combination of automated fingerprinting followed by a targeted attack should serve as wake-up call to anyone who believes that a patched flaw is no longer a significant threat. The Java ByteVerifier bug used in this script was fixed in April of 2003, over three years ago, yet still works well enough to be a key component of this malware installer. The fact is that an advanced malware installer is capable of attacking almost any browser or operating system and still succeed against enough people to make money for the attacker.

The mandatory links to the news and references:

Why all the hype about 0day? Michael Sutton's Blog

Internet Drive-By Shootings from The Metasploit Project

Internet Drive-By Shootings in the Metasploit Project blog

Why all the hype about 0day? at Slashdot.org

WebAttacker Unseats WMF as Most Popular Exploit

Microsoft Windows Vista beta-2build 5384: ASLR testing

2006-06-13T02:07:00.000-07:00

Only heap is randomized and it's just around 7 bits (some times reported 5, 4, none and at most 8 bits), DLL base randomization only takes place in boot time and it seems to be just incremental in most cases (and affects only core system libraries like kernel32.dll), thus likely predictable:

kernel32.dll: GetTickCount() 774A910E [reboot] 774F910E [reboot] 77B6910E

No VirtualProtect() restrictions exist, thus all tests of that category fail. With DEP policy set to OptOut, the basic memory permissions enforcement tests have all positive results.

Looking forward to test the stack randomization and other improvements in post-beta-2. Right now, the results show the effects of a weak implementation, the heap randomization is too low for being considered truly effective and the fact that DLL base randomization is performed on boot time doesn't ~~help~~. Basically, this is the same as a Windows XP Service Pack 2 system with DEP policy set to OptOut and hardware support for the NX bit.

Vista Probe reports "No Randomization" for the DLL base test due to the way it's done. It expects the executable to perform runtime randomization of the base address, but this is obviously not the case. It will work fine for both stack and heap randomization, as well as EXE base randomization (if it can be enabled on third-party applications).

A new article by Michael Howard, but still no information available with an in-depth explanation of how ASLR is implemented in Vista:

Windows Vista Security – A Bigger Picture

Microsoft Windows Vista: Measuring the security enhancements.

2006-06-11T02:23:00.000-07:00

A few days ago, Michael Howard, a member of the Microsoft Security Engineering group, made available a short description of what's supposed to be Address Space Layout Randomization (ASLR) in Vista.

• Stacks and Heap are randomized (stack-randomization is on post-Beta 2)
• EXEs and DLLs shipping as part of the operating system are randomized
• All other EXEs and DLLs will need to explicitly opt-in via a new PE header flag; by default they will not be randomized. 'Note that DLLs marked for randomization, such as system DLLs, will be randomized in every process (regardless of whether other binaries in that process have opted-in or not.

http://blogs.msdn.com/michael_howard/archive/2006/06/06/619163.aspx

As an experiment, the enhancements were tested by using a modified version of the paxtest tool, originally developed by Peter Buser and used for testing the capabilities of PaX and other projects, as a regression test suite capable of guessing how many bits are currently being randomized in a concrete section of memory, for example one allocated in the heap; among other tests (ie. return-to-function, etc). While the tests are pretty simple, they provide unbiased proof of the strength or weakness of the implementation being examinated. The information disclosed by Michael, days before the above quoted article, commented on the "probability" of guessing the right address on exploitation time:

In the case of Windows Vista Beta 2, a DLL or EXE could be loaded into any of 256 locations, which means an attacker has a 1/256 chance of getting the address right. In short, this makes it harder for exploits to work correctly.

It's worth noting that no snake-oil is present. He points out that, actually, ASLR makes successful exploitation of memory corruption-related issues harder. And that's completely true. Although, we are missing something here. The point is how difficult exploitation will be. And definitely, the current approach implemented for Vista is, with no offense meant to anyone (and again, no ~~bias~~ here), useless.

For an application that suddenly dies as of an attack or repeated attempts of exploitation, ASLR is a good option. Although, if we look over applications that actually re-spawn child processes and the like, the lower the randomization is, the higher the probability of successful exploitation in less time. What applications behave in such a suicide way? Apache is a good example :)

A GUI, user-friendly regression test suite is in development, which will also properly test the "Security Enhancements in the CRT " introduced in Visual Studio 2005. It could be, to make an analogy, the IBM Stack Smashing Protector (aka ProPolice) for Windows-based systems.

Some references for further information:

Game bugs?: Jedi Academy, gravity out

2006-06-10T02:30:00.000-07:00

Playing multi-player online games is fun. No one else doubts that, well, no average human at least. But some people, as it happens mostly everywhere, also have fun making the experience of others the worst possible. From so-called "spawn killers" (yes, those who don't let you play even a second, throwing thermal detonators right next to you when you get "spawned" in the area) to spammers (those who should keep out of playing for a while, as announcing their new kill record gets boring for most of us) and the more-than-hated h4x0rs. Those are the real problem. Either an unfair administrator or a player with some skills and knowledge, can take advantage of specific problems inside the game engine to do all shorts of tricks.

Today's episode is about a little trick that will make most Jedi Academy players out there smile the first time they see it in action. Beware of bugs, gravity doesn't seem to affect them.

Short explanation: gravity value is used to calculate the height you can gain when jumping, the velocity needed to get back to the ground, etc. The problem is that, if gravity value changes when a player is jumping or "flying", the new constants are applied immediately. The result in this case, is first putting the player characters at the highest height and then literally crunching them into the ground.

Smells like... snake-oil?

2006-06-06T02:17:00.000-07:00