Interesting Bits – May 7th, 2008

Howdy folks. Here are some worthy reading items for today.

This was actually posted last month by Don Weber, but I just came across it and thought it worth pointing out. He has written and provided to us all an incident response information collection script that uses only built-in Windows operating systems resources. Nifty!

Danny McPherson provides a classic article published in 1928 by J.B.S. Haldane titled “On Being the Right Size.” He observes that it is still applicable today in a wide variety of topics. Worth a gander.

Rafal Los provides some compelling evidence that while static code analysis can provide value, it does not guarantee that the compiled code will be secure.

Anton Chuvakin writes about “reverse compliance” or purposefully not logging information so that you won’t know what is going on. Drazen Drazic posted about not logging to avoid PCI fines last month. Obviously, neither is promoting this type of behavior, but there it is. “Don’t ask, Don’t Tell” in Information Security 🙂

Dre put up a post that talks about a cross-browser, multi-OS browser vulnerability that may not be closed for quite some time.

The folks over at the Wouter Veugelen Blog have been putting up a few posts about interesting tools, and one of them is called AOSS. It is a bootable CD that will detect and remove deeply embedded malware on Windows systems. I haven’t played with it yet, but it looks neat. They also point out UBCD4Win, the Ultimate Boot CD for Windows, which is useful for repairing broken Windows systems.

Finally, Darknet points out that rtpbreak 1.3a has been released. It is an RTP analysis and hacking tool. Again, I haven’t played with it yet, but I will be soon.

Have a great rest of your day!
3 Responses to Interesting Bits – May 7th, 2008

  1. Jeff Newfeld says:

    “Reverse compliance” is a familiar refrain — CIOs tell me that not only do they not want to implement new compliance measuring functions, they often don’t even want to know that a way to measure that particular issue exists! As long as they have plausible deniability they can skate through an audit. These aren’t people who want to avoid the work, and they’re not people who don’t care about security. But they’re concerned that a compliance measure without appropriate mitigation will be an audit red flag, and they want to protect their organizations. And themselves.

    When we made compliance a regulatory issue, with civil and criminal penalties, then we created this behavior. It’s the compliance version of “don’t ask, don’t tell”.

  2. dre says:

    I also updated the post on the web application global cross-domain vulnerability with a bit of information on a new, similar vulnerability that only affects Firefox (and includes a PoC by Michal Zalewski!). Be sure to check it out.

  3. Kevin Riggins says:

    I was just talking with somebody else this afternoon about the same things you mention. Boggles the mind.

    Thanks for the info. I’ll check it out.
