Your security, networking, programming, and application news source.

Saturday, September 27, 2008



  Clickjacking is the buzzword of the week. Robert “RSnake” Hansen and Jeremiah Grossman had planned a presentation on clickjacking at the <world OWASP conference in New York>. After sharing the information with Adobe, they were <asked to delay> releasing the details because of its impact on one of Adobe's products.

  Clickjacking is underappreciated, but well known. Traditionally JavaScript has been implicated in this area, but this attack does not require JavaScript. This zero day is purported to be a fundamental flaw in how browsers handle web pages, one that affects all (or nearly all?) graphical browsers. From <Jeremiah Grossman on his blog>, "At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional 'exploits,' and that guarding against clickjacking was largely the browser vendors' responsibility."

It's been said by many people that turning off JavaScript will not prevent this attack. The Firefox plugin/add-on <NoScript> does much more than micro-manage JavaScript. <ZDNet's Blog> posted the following email from <Firefox Noscript>:

Hi Ryan,
  I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
  I had access to detailed information about how this attack works and I can tell you the following:
  1. It’s really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <IFRAME>” option.

Through <Jeremiah Grossman's blog> (referred to in the email above) and <Robert Hansen's blog at> some information about the zero day can be found, but it seems the rest of the details have been kept pretty tight.

<Breaking Point Systems> has been speculating on this vulnerability and posted <source to some forms of web jacking>. Later they realized that these weren't exactly the zero day and then posted this <proof of concept "IFrame Trick"> which seems to fit the details of the vulnerability.
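The site-side counterpart to NoScript's "Forbid <IFRAME>" option is for a page to tell the browser it must not be framed. The following is an added example, not code from this post or from the researchers; it relies on the `X-Frame-Options` and CSP `frame-ancestors` response headers, which browsers adopted after this post was written. The function names and sample responses are constructed for illustration, and a single policy per CSP header is assumed.

```javascript
// Added example (not from the original post): classify a response's anti-framing policy.
// Look up a header case-insensitively in a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// Source list of the first frame-ancestors directive, or null if there is none.
function frameAncestors(csp) {
  if (csp === null) return null;
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources; // duplicates are ignored
  }
  return null;
}

function classifyFraming(headers) {
  // Only the enforced header counts; the -Report-Only variant blocks nothing.
  const sources = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (sources !== null) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    const s = sources.map((x) => x.toLowerCase());
    if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return 'deny';
    if (s.length === 1 && s[0] === "'self'") return 'same-origin';
    return s.includes('*') ? 'unprotected' : 'allowlist';
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo !== null) {
    const values = new Set(xfo.split(',').map((v) => v.trim().toLowerCase()));
    if (values.size > 1) return 'misconfigured'; // conflicting values: fix the config
    if (values.has('deny')) return 'deny';
    if (values.has('sameorigin')) return 'same-origin';
    // Anything else (ALLOW-FROM, typos) is not honoured by current browsers.
  }
  return 'unprotected';
}

// Constructed sample responses, for illustration only.
const samples = [
  { 'X-Frame-Options': 'DENY' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors https://partner.example" },
  { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
];
for (const h of samples) console.log(JSON.stringify(h), '=>', classifyFraming(h));
```

A result of `unprotected` or `misconfigured` means the page can still be loaded inside another site's frame in at least some browsers.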

Tuesday, September 23, 2008

FLOSS Weekly

  <FLOSS Weekly> is an audio netcast (also known as a podcast) about 'Free Libre Open Source Software'. It is hosted by Leo Laporte and Randal Schwartz, supported by Cachefly, and hosted on <TWiT.TV> (This Week in Tech). This is all reminiscent of Steve Gibson and Leo Laporte's once very popular netcast, <Security Now>.
  For many of us, Security Now sparked our interest in podcasts, then renamed them netcasts. Steve Gibson coined the term netcast when podcast's copyright status came into question. Security Now caught our attention with its early networking, encryption, and security episodes. It was a pioneer, one of the first semi-professional tech shows with real topics. It brought tech media away from the trend of underground, bumbling garage shows battling it out against commercial fluff-tech, fusing respectable production quality with respectable topics.
  Security Now has slowed down in its innovation at over 160 episodes. Pushing products as a show's topic seemed cool when it was great new software like <Tor> and <True Crypt>, but recent plug episodes have left a bad taste in listeners' mouths.
  <FLOSS Weekly> continues what Security Now started, with a different focus: open source software. FLOSS Weekly started off slow, sometimes going 2 months without a new episode, but recently it has been going full steam, carving out a schedule befitting the show's title. Let the show's topics do the talking:

<FLOSS Weekly 41: DotNetNuke> - The open source content management and Web application system that runs under the .NET framework. (September 19th, 2008)

<FLOSS Weekly 40: Jeff Robbins on Drupal> - Jeff Robbins talks about Drupal, the popular open source PHP/LAMP web content management system. (September 12th, 2008)

<FLOSS Weekly 39: Simon Phipps> - Simon Phipps, chief open source officer of Sun Microsystems. (September 5th, 2008)

<FLOSS Weekly 38: Asterisk> - Asterisk, an open source PBX, telephony engine, and telephony applications toolkit. (August 30th, 2008)

See the full list of 40+ episodes and growing at <TWiT.TV / FLOSS>.

Other episodes talked about open source software you shouldn't miss. Just to name a few:

Smalltalk / Squeak

Sunday, September 14, 2008

SoCo Software Releases C++ Yahoo Source Code

  <SoCo Software> has released <XLibrary>, a C++ repository of source code modules. Included are Windows sockets, Yahoo chat, and Yahoo captcha modules. This library is released under a custom license similar to the <OS-CPL> which doesn't force adoption of open source licenses.

  SoCo Software has provided free tools, scripts, and applications with source code for a few years now. It is one of the few places where you can find a <free proxy tester> with source code. Most free proxy testers are released by proxy list sites, so that you help them find fast proxies while you get the bottom of the barrel.

  The software site is using this library release as the first in a line of additions of source code libraries and snippets, including embedded (ASM and Dynamic C) and web application (JavaScript and PHP) source code.

Monday, September 8, 2008

White Jaguar Has Hex Color Tag

<CAR model="Jaguar" color="#FFFFFF">