Silly-Yammerings
Something about sudo, Kingcope and re-inventing the wheel
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was trivial since they are all imaged. Anyhoo – long story short, we have a user which is allowed to make use of sudo for a few commands, such as reboot and service. I immediately thought it would be nice to turn this into a local root somehow. Service seemed promising…
Privilege Escalation in SQL Server (Depending on some dodgy requirements)
I was playing with a few SQL server idiosyncrasies more than a year ago before becoming so completely distracted with the whole SAP protocol-decoding business. Having some time on my hands for once, I thought I would blog it. Early last year, I found it possible to create jobs owned by other users on MS SQL Server (2000, 2005 and 2008) by an unprivileged user – providing the user had…
Is the writing on the wall for general purpose computing ?
The Apple iPad announcement set the interwebs alight, and there is no shortage of people blogging or tweeting about how it will or wont change their lives. I’m going to ignore those topics almost completely to make one of those predictions that serve mainly to let people laugh at me later for being so totally wrong.. Heres my vision.. Its not just the Hipsters and college kids who get iPads,…
Happy New Year! (No predictions.. promise..)
It’s the last few hours of 2009 here in South Africa so i wanted to take the opportunity really quickly to wish the 2 readers of this blog all the best for new year.. Most security “pundits” are currently doing their 2010 predictions. (although in truth few of them so far have been particularly surprising or out-there.. “Adobe will be brutalized” ? really? hows that different to 08 or 09)(One…
John Viega’s “the myths of security”.. Really??
i go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics). I generally stay away from writing reviews, but was genuinely suprised at the number of 5 star reviews Viega’s new book had received and felt i had to chime in. I picked up “the myths of security” (what the computer…
Zappos number 1 priority
[Zappos.com] is one of those companies people love to write about. They make headlines for their use of new media and their CEO (Tony Hsieh) is as .com legendary as one gets.. (he sold LinkExchange in 1998 for $265 million and under him zappos went from $1.6 million in sales (2000) to $840 million in sales (2007)). He recently gave a talk at the [Web 2.0 conference]. He talks about…
Attack Vector based Risk Management?
Interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is… there is no spoon. I’m sounding facetious, but the post is actually not bad. Read more… But actually, there was another part of the post that caught my…
You know you are getting old..
When you blog a link to poetry: [The man watching] is a poem by Rainer Maria Rilke, that i picked up from a talk by Tim Oreilly during his [recent talk] where he chided the audience for focusing on trivial banalities while leaving bigger problems un challenged. A subsequent speaker picked up the theme, and likened it to abandoning NASA to work on DisneyLand. I think the sentiment is grand,…
On working when everyone else is asleep…
This quote reminded of something H always says: “When opportunity comes… its too late to prepare” – John Wooden – Hall of Fame Basketball coach
Is URL / Variable Name the new Port Number ??
There has been a fair bit of blog buzz about the new SQL Injection worm that ran around infecting sites. I have not looked too deeply into it, but have not yet seen accounts of how the targeting was done. Since the sites do not appear to have been running a common framework i would guess that it was search-engine generated targets based on resource name (like inurl: search.asp).. For…
Page 1 of 3
Next