Can’t make it to DC this year for Shmoocon due to time, money, or gigantic snowstorms? Fear not, there will be a live stream starting this friday! DC is getting slammed by a massive snowstorm, but Bruce Potter has vowed to not let that stop his con of awesomeness 
Look for any further updates on the Shmoocon news page. I can’t wait to see the unleashing of the Shmoo-cannons 
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
Jack Daniel (@jack_daniel) announced that there will be a Security B-Sides event coming to Austin on March 13 to coincide with everyone coming to town for SXSW Interactive an to help “Keep Security Weird.” I listened to the excellent B-Sides Las Vegas talks and I am extremely excited to be able to attend a B-Sides event in person since I’m already in the Austin area . I can’t think of a better way to make up for killing my phone service than by offering what promises to be an awesome lineup of talks 
.
If Jack or any other organizers read this let me know if there’s anything I can do to help out…
(also, I will probably start posting more regularly after getting settled in from moving and my duties at the new job)
I created a new page that contains links to all of the InfoSec self education resources that I currently use or have used in the past. The page started out as a blog post but morphed into a page because it was something I saw myself and potentially others referring back to and updating in the future. I have links to blogs, podcasts, webcasts, conference materials, live distributions, and I am currently in the process of adding some mailing lists. I am still updating many of the sections on the page, but I will take any and all suggestions of things to add.
-jason
I started listening to the Security B-Sides Las Vegas 09 audio release by the Security B-Sides guys (I believe Jack Daniel did most of the audio editing) after forgetting that the mp3 files had been out there for awhile. You can either subscribe to the B-Sides RSS feed or subscribe to the podcast in iTunes. So far I have finished listening to to a talk on WarVOX by H.D. Moore of the Metasploit project, a talk on using BeEF + Cain for snagging and cracking password hashes, and a good talk by Mike Kershaw, author of kismet, that covers developments in lorcon and kismet and integration into metasploit. These have all been really interesting and informative to listen to and are highly recommended.
The BruCon conference was held at the end of September and they released the presentation materials and video soon after. You can find the video on the BruCon website here and the materials here.I’ve started watching Chris Nickerson’s (of Tiger Team fame and currently one of the hosts on Exotic Liability in addition to his day job at Lares Consulting) talk and it’s been really good so far. The videos look to be a little bit fuzzy so I recommend following along in the PDF versions of the slides.
I hope to take some ideas from these talks and start making some posts on using the tools and methods talked about and applying them in virtual environments for those that are inclined to do alot of self-learning, so please stay tuned….
UPDATE: Edited to reflect my mistake of saying Jayson Street donating all of his proceeds from his book to Hackers for Charity. He is, however, donating a portion of his proceeds to Hackers for Charity so you should still buy it for that and because it’s a great book
I just wanted to make a few quick book recommendations about one book I recently finished reading and one I plan to start reading as soon as it arrives.
I read Daemon by Daniel Suarez
My other book recommendation is Dissecting the Hack: The f0rb1dd3n Network by Jayson Street and others. Jayson has said that he will be donating all of his proceeds a portion of his proceeds to Hackers for Charity and the link I provide is via Johnny Long’s affiliate link so you can end up helping Johnny double . My copy is currently on order and I am waiting for it to arrive so I can dive in.
The number of XSS, XSRF, command injection, and SQL injection vulnerabilities in popular web applications has seemed to be increasing alot over the last year and I am left wondering why these things keep popping up (and I also wonder why it’s take me a month to finish this rant ).
The Dutch branch of Tele2 has apparently been assigning the same default password to all users according to SC Magazine. From the article:
The Dutch branch of Tele2 claimed that when a new subscriber signs up, they can choose a login or are assigned one and they are then sent a letter by Tele2 with their login name, password and the date their new DSL connection will be activated.
As the password is changed monthly instead of being generated randomly, all subscribers that signed up in the same month will have the same password.
Writing on the securityandthe.net blog, author Martin claimed that the letter does not even mention the need to change this password anywhere, and with the correct login and password, you can, amongst others, view and change the customer’s contact details and view their billing history.
I wonder if they store the passwords in plaintext too? It’s extremely simple to write something to generate a random password and insert that in place of “password=’lame’” in the codebase so they really have no excuse for this. Even making the the change mandatory doesn’t fix the problem because I would still be able to get into your account if you haven’t logged in yet. This is almost as bad as AT&T leaving just about every iPhone user’s voicemail unprotected by a password and not telling them or giving them an easy option on the phone itself to setup a password.
I was reminded that on this day in 1991 Linus posted his Usenet message announcing his creation of a new hobby OS that he had been working on and looking for feedback. I know that I would not be where I am today if it were not for Linux and all the wonderful software distributions that use its kernel.
So a big “Thank You!” goes out to Linus and a “Happy 18th Birthday!” to Linux.
Patrick Michaud posted a journal entry on his use Perl; page that says
We will make an “official”, intermediate, useful and usable release of Perl 6 (an appropriate subset) by Spring 2010.
in reference to the Rakudo implementation of Perl6 on Parrot. This is definitely exciting news for all Perl programmers out there. While this is only intended to be an intermediate release and the feature set is still being ironed out, I’m definitely excited by this milestone release of Perl 6. I first heard Larry Wall talk about Perl6 during his keynote at the USENIX LISA conference in 2002. I was fascinated by many of the new features and couldn’t wait to get my hands on it. Over the years the lack of usable Perl6 implementations being included by different distros has cooled my excitement. I messed around with a few of the different implementations (such as Pugs) and parrot here and there, but never took it too seriously because things were changing in them so quickly.
I still use Perl for alot of the scripts I write, but I have also begun implementing some of my scripts in Python and more recently even a few in Ruby (due to its easy extension of base classes, not due to the speed ). This is definitely exciting news and I hope to hear plans for integration by the major Linux distros soon so I can start taking advantage of all the awesome new features.
Further Perl6 Reading:
The conference materials for BlackHat USA 09 are now online here. Only a few talks have their videos online (Dan Kaminsky’s and Mark Dowd’s) but pretty much all the papers and accompanying slides are available in PDF format. Can’t wait to get through some of these papers and increase my paranoia even more!