Nth Dimension/blog:: Negatively discriminating against idiots since 1995!


2008-05-01 13:24:24

In your network, pwning your data

By Tim Brown

Securing networks, of both the social and electronic variety, interests me. The old saying that "No man is an island" was never more true than it is now. We're an interconnected species and those connections span the globe. Anyway, with that thought in mind I thought I'd share two interesting developments in the security domain that have occurred this week.

2008-04-04 00:02:20

Analysis of Debian's CVE-2007-4074 response

By Tim Brown

What follows is an analysis of Debian's response to my advisory regarding a remote code execution vulnerability in the Festival text to speech server.

2008-02-26 19:10:38

One for the pentesters...

By Tim Brown

Just a quickie really, and mostly inspired by my cursing of GTK. I was thinking today that what pentesters really want is a nice list of the interesting ports on the target network. OpenVAS can help here, but until now, the client has always defaulted to listing reported issues by IP. So on that note, I just hacked it to allow a default sort order to be specified. Now I can always see the interesting ports first :). Whilst I was at it, I made a few minor tweaks to the server component too. Less memory leaks and compiler warnings ahoy and it now supports logging to syslog as per its Tenable spawned brethren.

2008-02-24 04:40:11

$self->{'Fuzzled'} ++;

By Tim Brown

Well, the good news is that I have just tagged Fuzzled rc2.0 in CVS. Hopefully, it should be up on the Portcullis web site by the end of the week.

Changes:

2008-02-20 03:03:28

What's Tim been hacking now...

By Tim Brown

It's been a while since I last posted anything here, so I thought I'd do a quick brain dump of things I've been working on. If you're a regular visitor to these parts, hopefully you'll spot that the site has had a makeover, however since it's not just the look that matters, I've upgraded it to the latest version which you can find in the CVS tree linked to from the downloads page. Whilst it's by no means user friendly, hopefully it's getting there little by little. Anyway, onwards...

2008-01-08 14:59:33

OpenVAS-Client now in sid!

By Tim Brown

It had to happen eventually, after the hard work of Jan, Javier and myself, OpenVAS-Client is now in Debian unstable (aka sid) and can be downloaded from all good mirrors. Now starts the hard work of packaging the server components.

2007-12-28 15:21:08

Another year flies by...

By Tim Brown

I appear to have been relatively successful:

2007-12-18 17:39:11

Hardening konqil.icio.us

By Tim Brown

I was thinking today about the recent spate of vulnerabilities that have affected Firefox and IE where they execute external programs and it crossed my mind that konqil.icio.us and other scripts of its ilk might be vulnerable in a similar manner. Konqil.icio.us fetches the contents of the bookmarked page and uses this to execute dcop requests using system and Perl's backticks like so:

2007-12-01 10:07:16

As ever my timing is impeccable

By Tim Brown

LOL, just a day after I release gpgutils to the world, some Dutch folk release details of how they were able to subvert MD5 and produce two Windows executables with different functionality but the same hash. The amusing thing is that previously I'd been supplying signed MD5 hashes for my tools, but the release of gpgutils coincided with my decision to move to supplying MD5 and SHA1 hashes and indeed gpgutils includes such functionality - just in the nick of time it seems. All this does however leave me wondering what the likelihood is of collisions against both algorithms occurring simultaneously. One for the mathematicians and cryptographers methinks.

2007-11-20 09:43:45

Credit where credit is due

By Tim Brown

If only everyone was like the phpMyAdmin team. I contacted them last Thursday about an issue in the login page of their popular MySQL management interface, and lo, less than a week later, it's resolved. Now to be fair to the rest of the development community, the issue I reported was trivial to identify and fix, however their security process is first class. I reported a similar bug some time back in another web application and it took 22 days to resolve. My hat's off to you gentlemen, if only everyone was so easy to work with. PS advisory is in the downloads section.

© Nth Dimension Web Master, 2006