The Code of Hammurabi is one of the earliest known written laws, and possibly pre-dates Moses’ descent from the Mount. In it, we get a picture of the Babylonians’ laws and punishments. In particular, there’s this one: If a builder builds a house for someone, and does not construct it properly, and the house which…
OSCON 2010 Wrap Up
Well, OSCON is over for another year. It’s been a great conference. Shame there were essentially no security talks (1/216 talks is not good enough). I will have to talk to them next year about including a Security track or let OWASP organize a Security Camp, like Scala and the cloud folks had this year….
OSCON 2010 – Day 2
Woke up at 5.55 am. Mr Body is seriously confused. I finished breakfast by 7 am. This is not right. Scalable Internet Architecture – Theo Schlossnagle I’m very sorry Theo, but I couldn’t take much more hand waving and so I left at half time. I think this is more about where I am in…
OSCON 2010 Day 1
Travelling to the USA was as exhausting as ever. I flew on the new A380 with Qantas. Nice plane. As per usual, there’s a mix of flight attendants – the openly hostile, the “can’t see you, didn’t see you”, and my favorite, the “never around”. We were down the back of the aircraft, which is…
FIFA Fraud – Football Federation Australia must be investigated
In today’s Age, there’s an article on how Australian taxpayer money is being used to bribe FIFA and other national soccer body officials to garner support for Australia’s World Cup Bid in 2022. Item 1. It is actually illegal to spend Australian government money on bribes, gifts, holidays, and so on. This is contrary to…
Risk Management 103 – Choosing Threat Agents
A key component in deciding a risk is WHO is going to be doing the attack. The above image is from the excellent OWASP Top 10 2010, and I will be referencing this diagram a great deal. We’re talking about the attackers (threat agents) on the left today. So you’re busy doing a secure code…
Looking for inspiration
Like many technical writers, I am constantly looking for ways to improve my writing skills. I don’t think there will ever be a time when I think “Okay, that’s good enough” and stop criticizing my own work. I am constantly in awe of other authors, particularly those that have published great works. I seek out…
Risk Management 102 – when is a high a high
There are a lot of consultants (and clients) who know little to nothing about proper risk management. This is not their fault – it was never taught in computer science or most similar courses. If you get good at it, you’re unlikely to be a developer or a security consultant. That’s a shame, because risk management…
Intelligent Session Manager Architecture
As security researchers, I think we’ve let down users in the quest to close down questionable and unlikely events. The problem is that even though these events are unlikely, attacks such as MITM succeed nearly 100% of the time when they are actually attempted. They make great demos to scare folks who don’t understand what they’re seeing. It’s a…
The Impossibles
I thought recently about the ways in which folks who are looking for research projects in web app sec might make a useful contribution to the field. Part of that is the list of impossible tasks – those tasks that are so hard that they are unlikely to be solved in my lifetime. If you…