<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- generator="wordpress/2.2" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Mighty Seek</title>
	<link>http://www.mightyseek.com</link>
	<description>A podcast about web application security, as well as general web application development issues. The primary focus is on security and tries to explain things so that anyone can understand them since security issues affect everyone across an organization. Hopefully this show will be a resource for everyone involved in a software development project.</description>
	<pubDate>Tue, 04 Mar 2008 07:04:07 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2</generator>
	<language>en</language>
		<!-- podcast_generator="podPress/8.8" -->
		<copyright>&#xA9;Dan Kuykendall </copyright>
		<managingEditor>dan@kuykendall.org (Dan Kuykendall)</managingEditor>
		<webMaster>dan@kuykendall.org (Dan Kuykendall)</webMaster>
		<category>Technology</category>
		<ttl>1440</ttl>
		<itunes:keywords>web application security development</itunes:keywords>
		<itunes:subtitle>A podcast about web application security, as well as general web application development issues. The primary focus is on security and tries to explain things so that anyone can understand them since security issues affect everyone across an organizatio...</itunes:subtitle>
		<itunes:summary>A podcast about web application security, as well as general web application development issues. The primary focus is on security and tries to explain things so that anyone can understand them since security issues affect everyone across an organization. Hopefully this show will be a resource for everyone involved in a software development project.</itunes:summary>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:category text="Technology"/>
<itunes:category text="Technology">
  <itunes:category text="Software How-To"/>
</itunes:category>
<itunes:category text="Education">
  <itunes:category text="Training"/>
</itunes:category>
		<itunes:owner>
			<itunes:name>Dan Kuykendall</itunes:name>
			<itunes:email>dan@kuykendall.org</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://www.mightyseek.com/images/itunescover.jpg" />
		<image>
			<url>http://www.mightyseek.com/images/itunescover.jpg</url>
			<title>Mighty Seek</title>
			<link>http://www.mightyseek.com</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>My sons animation</title>
		<link>http://www.mightyseek.com/misc/my-sons-animation</link>
		<comments>http://www.mightyseek.com/misc/my-sons-animation#comments</comments>
		<pubDate>Sat, 02 Feb 2008 04:17:05 +0000</pubDate>
		<dc:creator>seek3r</dc:creator>
		
		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/my-sons-animation</guid>
		<description><![CDATA[My 3rd grade son did this awesome animation using Stickman, so I have to show it off.
]]></description>
			<content:encoded><![CDATA[<p>My 3rd grade son did this awesome animation using <a href="http://www.cutoutpro.com/">Stickman</a>, so I have to show it off.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/misc/my-sons-animation/feed</wfw:commentRss>
	<!-- Media File exists for this post, but its not enabled for this feed -->
	</item>
		<item>
		<title>Coverage of web application scanners</title>
		<link>http://www.mightyseek.com/web-application-security/coverage-of-web-application-scanners</link>
		<comments>http://www.mightyseek.com/web-application-security/coverage-of-web-application-scanners#comments</comments>
		<pubDate>Tue, 16 Oct 2007 21:56:54 +0000</pubDate>
		<dc:creator>seek3r</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/coverage-of-web-application-scanners</guid>
		<description><![CDATA[My buddy rsnake over at Ha.ckers.org posted a report from Larry Suto about tests he performed on web application scanners and comparing how well they cover a web application&#8217;s code base.
The report is interesting on many fronts, one of which is the fact that the tool I help build at NT OBJECTives came out on [...]]]></description>
			<content:encoded><![CDATA[<p>My buddy rsnake over at <a href="http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/">Ha.ckers.org</a> <a href="http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/">posted</a> <a href="http://ha.ckers.org/files/CoverageOfWebAppScanners.pdf">a report</a> from Larry Suto about tests he performed on web application scanners and comparing how well they cover a web application&#8217;s code base.</p>
<p>The report is interesting on many fronts, one of which is the fact that the tool I help build at <a href="http://www.ntobjectives.com/">NT OBJECTives</a> came out on top, but also because it&#8217;s the first type of review that&#8217;s looking at a statistic that really compares scanners in a quantifiable way.</p>
<p>Some comments on the site from users of the other products or from the vendors themselves have made the claim that web scanners are not designed to be &#8220;point and shoot&#8221; as they say, and that a human should be training the scanner for each web app. I think they are doing users a disservice by working from that assumption.</p>
<p>A scanner should do as much as it can on its own, and let humans do their own pen testing, and/or help point pen testers to areas of interest. If you&#8217;re an organization with hundreds or thousands of web apps that need testing, do you really have the manpower to teach your &#8220;automated web scanner&#8221; how to test each of those apps?</p>
<p>Do you really have time to spend clicking on every link, and filling out every form on a website with some 3000+ pages, or do you want the scanner that does the best job of doing all of this for you?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/coverage-of-web-application-scanners/feed</wfw:commentRss>
		</item>
		<item>
		<title>podPress 8.3 Released - With Podango Support</title>
		<link>http://www.mightyseek.com/podpress/podpress-83-released-with-podango-support</link>
		<comments>http://www.mightyseek.com/podpress/podpress-83-released-with-podango-support#comments</comments>
		<pubDate>Fri, 28 Sep 2007 10:38:39 +0000</pubDate>
		<dc:creator>seek3r</dc:creator>
		
		<category><![CDATA[PodPress]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/podpress-83-released-with-podango-support</guid>
		<description><![CDATA[For all the details, check out the changelog but this is one release that cleans up a ton of mess and adds in support for full integration with the Podango API.
Theres still a few tiny features I want to add in, but its in good shape, and I need sleep so I can run off [...]]]></description>
			<content:encoded><![CDATA[<p>For all the details, check out the <a href="http://www.mightyseek.com/podpress/changelog/" target="_blank">changelog</a> but this is one release that cleans up a ton of mess and adds in support for full integration with the <a href="http://www.podango.com">Podango </a>API.</p>
<p>Theres still a few tiny features I want to add in, but its in good shape, and I need sleep so I can run off to the Podcast Expo in a few hours.</p>
<p>UPDATE - Bug in this version&#8230; of course, so hang on for next release due out in a few hours</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podpress/podpress-83-released-with-podango-support/feed</wfw:commentRss>
		</item>
		<item>
		<title>The Ha.ckers.org Hacking Challenges</title>
		<link>http://www.mightyseek.com/web-application-security/the-hackersorg-hacking-challenges</link>
		<comments>http://www.mightyseek.com/web-application-security/the-hackersorg-hacking-challenges#comments</comments>
		<pubDate>Thu, 23 Aug 2007 21:40:23 +0000</pubDate>
		<dc:creator>seek3r</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/the-hackersorg-hacking-challenges</guid>
		<description><![CDATA[As many of you have seen, I have a &#8220;Hackme&#8221; site setup to go along with my podcast, and specifically for the Hands On Series podcasts. Well the current king of Web App Security blogging has setup a couple hacker challenges on his site. The ones on my site are really focused toward teaching, the [...]]]></description>
			<content:encoded><![CDATA[<p>As many of you have seen, I have a &#8220;<a href="http://hackme.ntobjectives.com/">Hackme</a>&#8221; site setup to go along with my podcast, and specifically for the <a href="http://www.mightyseek.com/category/hands-on-series">Hands On Series</a> podcasts. Well the current king of Web App Security blogging has setup a couple <a href="http://ha.ckers.org/blog/20070726/hackersorg-blackhat-challenge/">hacker</a> <a href="http://ha.ckers.org/blog/20070820/and-were-off-challenge-2-underway/">challenges</a> on his site. The ones on my site are really focused toward teaching, the ones on <a href="http://ha.ckers.org">ha.ckers.org</a> are setup for the fun, challenge and bragging rights.</p>
<p>I have had the misfortune of being completely swamped in work during the start of these last two, but when the third is up, I&#8217;m clearing my calendar, turning off cell phones and ignoring any unnecessary chats so I can beat it as quickly as possible and get listed in the top ten. Knowing rSnake, I may decide to put together a small MightySeek team to work together to increase our chances, but I will see how it plays out.</p>
<p>Go have fun, and test your skills</p>
<ul>
<li><a href="http://ha.ckers.org/blog/20070726/hackersorg-blackhat-challenge/">Ha.ckers.org Challenge #1</a></li>
<li><a href="http://ha.ckers.org/blog/20070820/and-were-off-challenge-2-underway/">Ha.ckers.org Challenge #2</a></li>
</ul>
<p>Btw, #2 <a href="http://ha.ckers.org/blog/20070820/hackersorg-challenge-logic-flaw/">had a logic flaw</a> which really opens up the next one to additional scrutiny to see whats possible to find during the next one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/the-hackersorg-hacking-challenges/feed</wfw:commentRss>
		</item>
		<item>
		<title>Evaluating Web Application Security Scanners</title>
		<link>http://www.mightyseek.com/web-application-security/evaluating-web-application-security-scanners</link>
		<comments>http://www.mightyseek.com/web-application-security/evaluating-web-application-security-scanners#comments</comments>
		<pubDate>Thu, 23 Aug 2007 21:09:44 +0000</pubDate>
		<dc:creator>seek3r</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/evaluating-web-application-security-scanners</guid>
		<description><![CDATA[There&#8217;s been a lot of discussion lately about an issue that&#8217;s near and dear to my heart. The capabilities of web application security scanning are something I have been living and breathing for about 5 years with NT OBJECTives. At NTO I lead the development and research teams involved in building our own scanner called [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s been <a href="https://lists.owasp.org/pipermail/webappsec/2007-August/000411.html">a lot</a> of <a href="http://www.webappsec.org/lists/websecurity/archive/2007-08/msg00071.html">discussion</a> lately about an issue that&#8217;s near and dear to my heart. The capabilities of web application security scanning are something I have been living and breathing for about 5 years with <a href="http://www.ntobjectives.com/">NT OBJECTives</a>. At NTO I lead the development and research teams involved in building our own scanner called <a href="http://www.ntobjectives.com/products/ntospider.php">NTOSpider</a>, and have been trying to increase what is possible to test for in an automated tool.</p>
<p>This is a really difficult and challenging issue, with a bunch of issues that are fuzzy at best. I have high hopes for the <a href="http://www.webappsec.org/projects/wassec/">WASSEC Project</a> that&#8217;s being hosted by the <a href="http://www.webappsec.org/">Web Application Security Consortium</a>, because it&#8217;s going to bring a bunch of us from the app sec tool vendor space and the web app sec community together to discuss the issue and attempt to come up with a good reference document for the ways to evaluate scanners.</p>
<p>I&#8217;m curious how we will be able to come up with any consensus, but with any luck and some hard work and compromise I think this could be a turning point to helping public understanding of this issue.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/evaluating-web-application-security-scanners/feed</wfw:commentRss>
		</item>
		<item>
		<title>WordCamp Experience</title>
		<link>http://www.mightyseek.com/podcasting/wordcamp-experience</link>
		<comments>http://www.mightyseek.com/podcasting/wordcamp-experience#comments</comments>
		<pubDate>Mon, 23 Jul 2007 08:23:54 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasting/wordcamp-experience</guid>
		<description><![CDATA[I had a pretty interesting day yesterday.
After being up till close to 2am I woke up at 5:30am, showered and drove to the airport to do my 10am talk at WordCamp 2007.
My flight landed at 8:30am and I was picked up by my old buddy Joe Engo. After a couple wrong turns we finally got [...]]]></description>
			<content:encoded><![CDATA[<p>I had a pretty interesting day yesterday.<br />
After being up till close to 2am I woke up at 5:30am, showered and drove to the airport to do <a href="http://2007.wordcamp.org/schedule/podcasting/" target="_blank">my 10am talk</a> at <a href="http://2007.wordcamp.org/" target="_blank">WordCamp 2007</a>.<br />
My flight landed at 8:30am and I was picked up by my old buddy Joe Engo. After a couple wrong turns we finally got to the event location at 9:30 in time to get setup.</p>
<p><a href="http://www.mightyseek.com/wp-content/uploads/2007/07/mightyseek_at_wordcamp.jpg" title="mightyseek_at_wordcamp.jpg"><img src="http://www.mightyseek.com/wp-content/uploads/2007/07/mightyseek_at_wordcamp.thumbnail.jpg" alt="mightyseek_at_wordcamp.jpg" /> </a>I finally had a chance to meet <a href="http://photomatt.net/" target="_blank">Matt Mullenweg</a>, and was thoroughly impressed, this is one young man to watch. To think that at 23, hes at the head of a project thats impacted so many people, and has gained so much interest and respect, <strong>and </strong>has managed to build a business model around an open sourced app&#8230; no easy feat.</p>
<p>So then it sets in. I&#8217;m the opening presenter to this conference&#8230; I&#8217;ve really been too busy to have thought much about my talk at <a href="http://2007.wordcamp.org/" target="_blank">WordCamp</a> the preceding couple of weeks because work has been crazy busy. But standing there getting setup to open the conference I got a bit nervous. Its also been a couple years since doing one of these types of things, so I really started feeling completely unprepared.</p>
<p>Matt introduces me and I ask the audience a few questions about whos familiar with podcasting (everyone) and how many podcasters are out there (a few). Well, this kind of took some thunder out of my slides intended to be used to help explain podcasting basics. I had to think quick to adjust my talk and explain my views of how I feel podcasting to be a little more personal and blah blah. Was a bit of a slow start.</p>
<p>So I figured I could launch into the stuff about <a href="http://www.mightyseek.com/podpress" target="_blank">podPress</a> and show off the features and talk some praise of <a href="http://www.wordpress.org/" target="_blank">WordPress</a>, which I started&#8230; and then the Internet connection went dead. Just as I was starting to feel a little comfortable&#8230;<br />
With some quick action by the <a href="http://automattic.com/" target="_blank">Automattic</a> team I got back online and was quickly followed by the audience and was able to start cracking some lame jokes and getting into a groove about <a href="http://www.mightyseek.com/podpress" target="_blank">podPress</a>, podcasting and <a href="http://www.wordpress.org/" target="_blank">WordPress</a>.</p>
<p>Even with the slow start, I felt like I was finally able to connect and coherently discuss some of the things I am passionate about, and hopefully show how easy it is to get into podcasting, the cool features of <a href="http://www.mightyseek.com/podpress" target="_blank">podPress</a> and the amazing platform <a href="http://www.wordpress.org/" target="_blank">WordPress</a> provided that enabled me to create the feature set. The talk was video taped, so as soon as I get a copy of the video I will be adding the media to this post so it will end up in my feed as a video podcast.</p>
<p>As soon as my talk was over, I chatted with a few people in the lobby for about half an hour, and then headed to the airport to get back home. Next year, as a speaker or not, I&#8217;m going to make sure to plan better so I can stay for the entire weekend.</p>
<p><strong>Update</strong>: The video is now available.<br />
<!-- Embedded Flash player for the talk video. NOTE(review): allowScriptAccess="always" is set on both the param and the embed below, which lets the SWF served from www.viddler.com call JavaScript in whatever page renders this markup, including aggregators that republish the feed. Consumers of this content should sanitize or drop the object/embed; "sameDomain" or "never" is the tighter setting if the player works without script access (TODO confirm against the player). -->
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="437" height="370" id="viddler">
<param name="movie" value="http://www.viddler.com/player/fcbfce91/" />
<param name="allowScriptAccess" value="always" />
<param name="allowFullScreen" value="true" /><embed src="http://www.viddler.com/player/fcbfce91/" width="437" height="370" type="application/x-shockwave-flash" allowScriptAccess="always" allowFullScreen="true" name="viddler" ></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/wordcamp-experience/feed</wfw:commentRss>
		</item>
		<item>
		<title>Forums back online</title>
		<link>http://www.mightyseek.com/podcasting/forums-back-online</link>
		<comments>http://www.mightyseek.com/podcasting/forums-back-online#comments</comments>
		<pubDate>Sun, 22 Jul 2007 07:13:08 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasting/forums-back-online</guid>
		<description><![CDATA[Thanks to the generous sponsorship of Podango the MightySeek/podPress forums are back online!
]]></description>
			<content:encoded><![CDATA[<p>Thanks to the generous sponsorship of <a href="http://www.podango.com/learn-more/podpress.php">Podango </a>the MightySeek/podPress forums are back online!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/forums-back-online/feed</wfw:commentRss>
		</item>
		<item>
		<title>The Sierra Network (ImagiNation) - Lives again</title>
		<link>http://www.mightyseek.com/misc/imagination-lives-again</link>
		<comments>http://www.mightyseek.com/misc/imagination-lives-again#comments</comments>
		<pubDate>Tue, 03 Jul 2007 17:15:14 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/imagination-innthe-sierra-network-tsn-lives-again</guid>
		<description><![CDATA[Back in the early 90&#8217;s, yes back even before most had even heard of the Internet and the geeks spent most of their time on BBS&#8217;s there were a few online services trying to get going. AOL, Prodigy and CompuServe were fairly well known, but there was one other that stole my heart. It was [...]]]></description>
			<content:encoded><![CDATA[<p>Back in the early 90&#8217;s, yes back even before most had even heard of the Internet and the geeks spent most of their time on BBS&#8217;s there were a few online services trying to get going. AOL, Prodigy and CompuServe were fairly well known, but there was one other that stole my heart. It was the <a href="http://en.wikipedia.org/wiki/ImagiNation_Network" target="_blank">ImagiNation Network</a> and primarily MedievaLand and its first game <a href="http://en.wikipedia.org/wiki/The_Shadow_of_Yserbius" target="_blank">The Shadow of Yserbius</a>.</p>
<p>Way back before World of Warcraft, Never Winter Nights, Ultima Online there was <a href="http://en.wikipedia.org/wiki/The_Shadow_of_Yserbius" target="_blank">The Shadow of Yserbius</a> which really set the bar for online gaming.</p>
<p>The whole network was unbelievable in its scope. You could play the D&amp;D style Yserbius, card games at the club house, gamble at CasinoLand, have simulated dog fights in the Red Baron game, play the popular Boogers game, and even get help with your homework.<br />
To this day I have not seen anything to match the fun and variety that I had the privilege to experience back in the days when I was spending thousands of dollars and endless hours experiencing life &#8220;online&#8221;.</p>
<p>I have cherished my memories of those days and have copies of all the old software and hacks which I have kept faithfully for the last 15 years. I have joined a couple efforts to re-create the world, but all have failed&#8230; until now. A guy that goes by the name of byoung was able to <a href="http://innrevival.googlepages.com/" target="_blank">re-create the server</a> so that the old client software is able to work in <a href="http://dosbox.sourceforge.net/" target="_blank">DosBox</a> which redirects the modem calls over TCP/IP. <a href="http://innrevival.googlepages.com/" target="_blank">His website</a> has all the software and directions to get setup very easily. It took me all of 10 mins to get everything installed and working. <strong><em>**To make it even easier to get started use <a href="http://www.mightyseek.com/innrevival-installer/">the installer</a> I created**<br />
</em></strong><br />
I spent about 4 hours online yesterday playing <a href="http://en.wikipedia.org/wiki/The_Shadow_of_Yserbius" target="_blank">The Shadow of Yserbius</a> with a few other people and building up my character. Oh man have I forgotten a ton, but the memories flooding back are a total blast. Even if you never played back in the day, I encourage you to get setup with it and join the growing community of users. If you let me know you will be in, I will be glad to join you for any game you like. Im having fun re-discovering all the cool stuff in this world of ImagiNation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/misc/imagination-lives-again/feed</wfw:commentRss>
		</item>
		<item>
		<title>iPhone - I dont get the hype</title>
		<link>http://www.mightyseek.com/misc/iphone-i-dont-get-the-hype</link>
		<comments>http://www.mightyseek.com/misc/iphone-i-dont-get-the-hype#comments</comments>
		<pubDate>Sat, 30 Jun 2007 03:06:56 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/iphone-i-dont-get-the-hype</guid>
		<description><![CDATA[Its crazy&#8230; I really just dont get this crazyness over an insanely priced cell phone. Now keep in mind, I live with my video iPod, it goes everwhere with me and most of the TV and movies I see these days are on the thing. I also look forward to the day that I can [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s crazy&#8230; I really just don&#8217;t get this craziness over an insanely priced cell phone. Now keep in mind, I <strong>live </strong>with my video iPod, it goes everywhere with me and most of the TV and movies I see these days are on the thing. I also look forward to the day that I can have a single device so that I don&#8217;t have to carry the iPod and cell phone.</p>
<p>However, the iPhone just isn&#8217;t it for me. It&#8217;s cool, and it&#8217;s heading toward the dream of having a single device, but for $600 and having to switch to a crappy cell phone carrier, NO THANKS. Aside from the price and cell phone carrier monopoly, I really just can&#8217;t stand touch pad phone buttons. I need to be able to dial without looking, and can only do that with actual buttons. Touch screens wear out, and it becomes a pain to push the button you want. I&#8217;m sure you are all experienced in using the touch screens at the market when you pay by debit card, and the hassles when they start wearing out. Do we really want that on our cell phone, where we have a $600 price tag to replace the thing? Not me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/misc/iphone-i-dont-get-the-hype/feed</wfw:commentRss>
		</item>
		<item>
		<title>Planet Websecurity</title>
		<link>http://www.mightyseek.com/web-application-security/planet-websecurity</link>
		<comments>http://www.mightyseek.com/web-application-security/planet-websecurity#comments</comments>
		<pubDate>Fri, 29 Jun 2007 07:55:16 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/planet-websecurity</guid>
		<description><![CDATA[For those trying to follow the latest news of our web app sec community, someone has finally setup a feed planet called Planet Websecurity that I&#8217;m really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.
For those not familiar with [...]]]></description>
			<content:encoded><![CDATA[<p>For those trying to follow the latest news of our web app sec community, someone has finally setup a <a href="http://www.planetplanet.org/" target="_blank">feed planet</a> called <a href="http://planet-websecurity.org/feed/" target="_blank">Planet Websecurity</a> that I&#8217;m really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.</p>
<p>For those not familiar with Planet sites, they are basically RSS readers which download other RSS feeds and merge together into a single feed. This means you can subscribe to one and get all the postings from all the feeds in the Planet.</p>
<p>Visit <a href="http://planet-websecurity.org/feed/" target="_blank">Planet Websecurity</a> to see this in action</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/planet-websecurity/feed</wfw:commentRss>
		</item>
		<item>
		<title>Why is it so hard to code secure web apps?</title>
		<link>http://www.mightyseek.com/web-application-security/why-is-it-so-hard-to-code-secure-web-apps</link>
		<comments>http://www.mightyseek.com/web-application-security/why-is-it-so-hard-to-code-secure-web-apps#comments</comments>
		<pubDate>Fri, 29 Jun 2007 07:46:27 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/why-is-it-so-hard-to-code-secure-web-apps</guid>
		<description><![CDATA[    After my run in with vBulletin I began a search for a secure and stable open sourced forum solution. My first thought was to find out what was running on sla.kers.org so I put in a call to rsnake and was told to keep looking because his solution sucked as well [...]]]></description>
			<content:encoded><![CDATA[<p>    After my run in with <a href="http://www.mightyseek.com/podpress/run-in-with-vbulletin-leasing-software-is-intolerable" target="_blank">vBulletin</a> I began a search for a secure and stable open sourced forum solution. My first thought was to find out what was running on <a href="http://sla.ckers.org/forum/" target="_blank">sla.kers.org</a> so I put in a call to rsnake and was told to keep looking because his solution sucked as well and that he was still on the hunt for a replacement. I&#8217;ve been looking at a bunch of the apps out there and so far I havent been all that impressed with the security design of the forum apps I&#8217;ve looked at.</p>
<p>This makes me wonder if web app sec is ever going to succeed, or if the web is just doomed to have problems for all time. Forum software is a very good example of the problem with many web apps, and web app development in general. To start, it&#8217;s a very simple application, which if done right can be done securely. Of course the major challenge is that you&#8217;re taking user input and displaying it to other users. This immediately means you&#8217;re storing the data, most likely in a database, which means you must secure against SQL Injection attacks. OK, that&#8217;s not too hard, since parameterized queries keep user data out of the SQL text, so that can be done. Next you need to make sure you&#8217;re filtering the inputs on the way in to remove any HTML tagging and escaping on the way out to be safe. The XSS part is a bit harder because there are clever people out there using a <a href="http://ha.ckers.org/xss.html" target="_blank">ton of different ways</a> to bypass any filtering/escaping you do.  However, this can be accomplished with some focused attention, and you will then have a simple, secure and stable forum application.</p>
<p>So what&#8217;s wrong with this? Feature creep.<br />
Now that you have a basic forum in place, people will want to be able to format their text, which means you need to allow some HTML tags, or have some custom tags like BBCode which you then convert to real HTML tags. At this point things are starting to get a little tougher, but with diligence it&#8217;s still all workable. Next users want to upload attachments, have avatars, have all sorts of moderation features, and so on and so on. Then to make matters even worse, new developers join the project and they are not always as aware of or concerned about security issues, and soon the application is as buggy and vulnerable as the forum software you are trying to replace.</p>
<p>Is this solvable? Yes, but only with diligence, hard work and auditing. Did I mention hard work?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/why-is-it-so-hard-to-code-secure-web-apps/feed</wfw:commentRss>
		</item>
		<item>
		<title>Run in with vBulletin - leasing software is intolerable</title>
		<link>http://www.mightyseek.com/podpress/run-in-with-vbulletin-leasing-software-is-intolerable</link>
		<comments>http://www.mightyseek.com/podpress/run-in-with-vbulletin-leasing-software-is-intolerable#comments</comments>
		<pubDate>Fri, 29 Jun 2007 07:27:42 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[PodPress]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podpress/run-in-with-vbulletin-leasing-software-is-intolerable</guid>
		<description><![CDATA[I had been using vBulletin for a little over a year when I started podPress and wanted a place for users to create a community and to provide support. The forums have been very successful and tend to have on the order of 20-30 postings a day, with many more viewers.  Now vBulletin is commercial [...]]]></description>
			<content:encoded><![CDATA[<p>I had been using vBulletin for a little over a year when I started podPress and wanted a place for users to create a community and to provide support. The forums have been very successful and tend to have on the order of 20-30 postings a day, with many more viewers.  Now vBulletin is commercial software, so I had to pay $85 to use it, and figured that donations would cover the costs and I mistakenly had thought the way the licensing worked is that after one year I could keep running the forums, but could no longer get updates which seemed fair enough to me.<br />
Well, the license I did buy doesn't allow for that, and I had to find out the hard way. After my license had been expired a couple months I received an email saying I was in violation, which I ignored on the assumption that it was a mistake or SPAM. I mean, why would software I paid for become invalid to use? It does when you purchase leased software!  <a href="http://www.mightyseek.com/podpress/run-in-with-vbulletin-leasing-software-is-intolerable#more-71" class="more-link">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podpress/run-in-with-vbulletin-leasing-software-is-intolerable/feed</wfw:commentRss>
		</item>
		<item>
		<title>SQL Injection mention on hype-free</title>
		<link>http://www.mightyseek.com/web-application-security/sql-injection-mention-on-hype-free</link>
		<comments>http://www.mightyseek.com/web-application-security/sql-injection-mention-on-hype-free#comments</comments>
		<pubDate>Fri, 27 Apr 2007 07:35:42 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Hands On Series]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasts/sql-injection-mention-on-hype-free</guid>
		<description><![CDATA[Every once in awhile I try and find out if anyone is noticing my podcast. Well I stumbled on a mention of the SQL Injection hands on episode on hype-free.
]]></description>
			<content:encoded><![CDATA[<p>Every once in awhile I try and find out if anyone is noticing my podcast. Well I stumbled on a <a href="http://hype-free.blogspot.com/2007/04/sql-injections-what-they-are-and-how-to.html">mention of the SQL Injection hands on</a> episode on hype-free.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/sql-injection-mention-on-hype-free/feed</wfw:commentRss>
		</item>
		<item>
		<title>MightySeek Interviews rsnake</title>
		<link>http://www.mightyseek.com/web-application-security/mightyseek-interviews-rsnake</link>
		<comments>http://www.mightyseek.com/web-application-security/mightyseek-interviews-rsnake#comments</comments>
		<pubDate>Thu, 19 Apr 2007 07:45:27 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasts/mightyseek-interviews-rsnake</guid>
		<description><![CDATA[Today I had the pleasure of meeting up with a celeb of the web app sec world&#8230;. rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hook up my mic and load up the recording software [...]]]></description>
			<content:encoded><![CDATA[<p>Today I had the pleasure of meeting up with a celeb of the web app sec world&#8230;. rsnake of the <a href="http://ha.ckers.org/" target="_blank">ha.ckers.org</a> website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hook up my mic and load up the recording software and then completely forget to switch the mic input to my good mic, and end up doing the recording on the lame mic that's built into my laptop.</p>
<p>In any case, here ya go.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/mightyseek-interviews-rsnake/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/56/0/MightySeek-18-2007-04-18-rsnakeInterview.mp3" length="30225059" type="audio/mpeg"/>
<itunes:duration>41:57</itunes:duration>
		<itunes:subtitle>Today I had the pleasure of meeting up with a celeb of the web app sec world.... rsnake of the ha.ckers.org website. I hope you ...</itunes:subtitle>
		<itunes:summary>Today I had the pleasure of meeting up with a celeb of the web app sec world.... rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hook up my mic and load up the recording software and then completely forget to switch to the mic input to my good mic, and end up doing the recording on the lame mic thats built into my laptop.

In any case, here ya go.</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>PHP Security and the Month of PHP Bugs</title>
		<link>http://www.mightyseek.com/web-application-security/php-security-and-the-month-of-php-bugs</link>
		<comments>http://www.mightyseek.com/web-application-security/php-security-and-the-month-of-php-bugs#comments</comments>
		<pubDate>Sat, 10 Mar 2007 01:20:01 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasts/php-security-and-the-month-of-php-bugs</guid>
		<description><![CDATA[In this episode I discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this in honor of the Month Of PHP Bugs that is going on through March.
PHP has frequently been blamed for security problems in applications written in PHP which really is no [...]]]></description>
			<content:encoded><![CDATA[<p>In this episode I discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this in honor of the <a href="http://www.php-security.org/" target="_blank">Month Of PHP Bugs</a> that is going on through March.</p>
<p>PHP has frequently been blamed for security problems in applications written in PHP which really is no fault of the language and engine itself.  It would be like everyone blaming C and C++ as being insecure, and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase which need to be fixed, and that is what is being highlighted by the <a href="http://www.php-security.org/" target="_blank">Month Of PHP Bugs</a>.</p>
<p>So in this episode I discuss these issues, some of my past projects and some various other issues in PHP&#8230;  Its so good to be back at the mic, even tho I am still recovering from the flu and had my voice start failing me at the end.<br />
Enjoy!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/php-security-and-the-month-of-php-bugs/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/53/0/MightySeek-17-2007-03-09-MonthOfPHPBugs.mp3" length="47224361" type="audio/mpeg"/>
<itunes:duration>65:34</itunes:duration>
		<itunes:subtitle>In this episode I discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this ...</itunes:subtitle>
		<itunes:summary>In this episode I discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this in honor of the Month Of PHP Bugs that is going on through March.
PHP has frequently been blamed for security problems in applications written in PHP which really is no fault of the language and engine itself.  It would be like everyone blaming C and C++ as being insecure, and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase which need to be fixed and is what is being highlighted by the Month Of PHP Bugs.
So in this episode I discuss these issues, some of my past projects and some various other issues in PHP...  Its so good to be back at the mic, even tho I am still recovering from the flu and had my voice start failing me at the end.
Enjoy!
</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>podPress more than one year old</title>
		<link>http://www.mightyseek.com/podpress/podpress-more-than-one-year-old</link>
		<comments>http://www.mightyseek.com/podpress/podpress-more-than-one-year-old#comments</comments>
		<pubDate>Mon, 05 Mar 2007 10:21:44 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[PodPress]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podpress/podpress-more-than-one-year-old</guid>
		<description><![CDATA[Today I was pondering the success of the podPress project since it started which got me to trying to remember how long its been. So a quick look at the change log shows that I released the first version on Feb 2nd of 2006.
So, its only a year and one month old!
What started as a [...]]]></description>
			<content:encoded><![CDATA[<p>Today I was pondering the success of the podPress project since it started which got me to trying to remember how long its been. So a quick look at the change log shows that I released the first version on Feb 2nd of 2006.</p>
<p>So, its only a year and one month old!</p>
<p>What started as a quick hack to wordpress that I wanted to use to bring attention to my little podcast, has become far more widely appreciated and used than I could have ever guessed.<br />
I want to thank you all for your support and thanks that I get in forum posts, emails and paypal donations. They all matter very much to me, and encourage my development to continue.</p>
<p>A special thanks also to macx who, over the last couple of months, has really taken the initial quick little stats feature and turned it into something impressive. It's always great fun when I can chat about code with another developer and enjoy the collaborative artistic effort that software development can be.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podpress/podpress-more-than-one-year-old/feed</wfw:commentRss>
		</item>
		<item>
		<title>Stranger Things Podcast - Wow</title>
		<link>http://www.mightyseek.com/podcasting/stranger-things-podcast-wow</link>
		<comments>http://www.mightyseek.com/podcasting/stranger-things-podcast-wow#comments</comments>
		<pubDate>Sat, 03 Mar 2007 10:08:15 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/stranger-things-podcast-wow</guid>
		<description><![CDATA[As a long time podcasting fan and supporter of the community I have been a fan of many shows, and impressed by a bunch of them. Some of my favorites (and I know I&#8217;ll end up forgetting some) have been Slice of Sci/Fi, Escape Pod, Filmspotting, The Signal, The Bitterest Pill, Verge of the Fringe, [...]]]></description>
			<content:encoded><![CDATA[<p>As a long time podcasting fan and supporter of the community I have been a fan of many shows, and impressed by a bunch of them. Some of my favorites (and I know I&#8217;ll end up forgetting some) have been <a href="http://www.sliceofscifi.com/">Slice of Sci/Fi</a>, <a href="http://www.escapepod.org/">Escape Pod</a>, <a href="http://www.filmspotting.net/">Filmspotting</a>, <a href="http://signal.serenityfirefly.com/">The Signal</a>, <a href="http://www.thebitterestpill.com/">The Bitterest Pill</a>, <a href="http://vergeofthefringe.blogspot.com/">Verge of the Fringe</a>, <a href="http://www.zefrank.com/theshow/">zeFrank</a>, <a href="http://www.tikibartv.com/">TikiBarTV</a> and numerous <a href="http://www.podiobooks.com/">Podiobooks </a>(<a href="http://www.scottsigler.net/">Sigler</a>, <a href="http://www.podiobooks.com/podiobooks/book.php?ID=40">Selznick</a>, <a href="http://www.podiobooks.com/podiobooks/book.php?ID=103">JC Hutchins</a>, etc), along with many many more.</p>
<p>So when I say I was blown away by the efforts of <strong><a href="http://www.strangerthings.tv">Stranger Things</a> (<a href="http://www.strangerthings.tv">http://www.strangerthings.tv</a>)</strong>, it's not from a lack of experience with the brilliance and creativity in this community. It's because it's quite an impressive accomplishment. Audio is one thing, and it takes skill and hard work to do it well. Short video clips like those from <a href="http://www.zefrank.com/theshow/">zeFrank</a> and <a href="http://www.tikibartv.com/">TikiBarTV</a> are also quite a bit of work and take great talent. But to produce a 30 minute long episode with decent acting, a cool story (from self-pimping <a href="http://www.scottsigler.net/">Sigler</a>) and very nice special effects&#8230; and to make it a free podcast. Wow.</p>
<p>I have a hell of a time just trying to get my show out once a month, and even that is wayyy behind on getting some episodes out (one is coming soon btw).</p>
<p>Anyways, my props to the <a href="http://www.strangerthings.tv">Stranger Things</a> team, and I hope you are able to continue gaining an audience and some sponsorship/donations to help keep your show going.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/stranger-things-podcast-wow/feed</wfw:commentRss>
		</item>
		<item>
		<title>A Month of PHP Security Bugs</title>
		<link>http://www.mightyseek.com/web-application-security/a-month-of-php-security-bugs</link>
		<comments>http://www.mightyseek.com/web-application-security/a-month-of-php-security-bugs#comments</comments>
		<pubDate>Thu, 01 Mar 2007 20:21:30 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/a-month-of-php-security-bugs</guid>
		<description><![CDATA[The folks at the Hardened PHP Project (makers of Suhosin) have started their Month of PHP Bugs initiative.  				This initiative is an effort to improve the security of PHP by bringing awareness to various security problems in PHP itself. This does not directly impact any PHP applications, but instead the language itself. As far [...]]]></description>
			<content:encoded><![CDATA[<p>The folks at the <a href="http://www.hardened-php.net/" target="_blank">Hardened PHP Project</a> (makers of <a href="http://www.suhosin.org/" target="_blank">Suhosin</a>) have started their <a href="http://www.php-security.org/" target="_blank">Month of PHP Bugs</a> initiative.  				This initiative is an effort to improve the security of PHP by bringing awareness to various security problems in PHP itself. This does not directly impact any PHP applications, but instead the language itself. As far as I understand, the plan is to disclose issues that can be resolved by way of just using <a href="http://www.suhosin.org/" target="_blank">Suhosin</a> or the  <a href="http://www.hardened-php.net/" target="_blank">Hardened PHP Project</a>. Hopefully the PHP core team will finally wake up and start implementing some of the recommendations being suggested.</p>
<p>Note: this post is likely to become a podcast if I can finish recording the show.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/a-month-of-php-security-bugs/feed</wfw:commentRss>
		</item>
		<item>
		<title>Dan Kuykendall on CrazyEngineers</title>
		<link>http://www.mightyseek.com/podpress/dan-kuykendall-on-crazyengineers</link>
		<comments>http://www.mightyseek.com/podpress/dan-kuykendall-on-crazyengineers#comments</comments>
		<pubDate>Fri, 26 Jan 2007 17:51:11 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[PodPress]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/dan-kuykendall-on-crazyengineers</guid>
		<description><![CDATA[I did an interview thats been posted on CrazyEngineers.com.
Go check out the interview, along with the forum thread discussion.
]]></description>
			<content:encoded><![CDATA[<p>I did <a href="http://www.crazyengineers.com/index.php?categoryid=22&amp;p2_articleid=13">an interview</a> thats been posted on <a href="http://www.crazyengineers.com/">CrazyEngineers.com</a>.</p>
<p>Go check out <a href="http://www.crazyengineers.com/index.php?categoryid=22&amp;p2_articleid=13">the interview</a>, along with the <a href="http://www.crazyengineers.com/forum/showthread.php?t=592">forum thread discussion</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podpress/dan-kuykendall-on-crazyengineers/feed</wfw:commentRss>
		</item>
		<item>
		<title>Universal PDF XSS</title>
		<link>http://www.mightyseek.com/web-application-security/universal-pdf-xss</link>
		<comments>http://www.mightyseek.com/web-application-security/universal-pdf-xss#comments</comments>
		<pubDate>Sun, 07 Jan 2007 03:16:55 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/web-application-security/universal-pdf-xss</guid>
		<description><![CDATA[Cross Site scripting attacks are getting even more dangerous these days, and exploitable in many new creative ways. I will be discussing this issue in my next podcast, till then read up on it here or at ha.ckers.org
]]></description>
			<content:encoded><![CDATA[<p>Cross Site Scripting attacks are getting even more dangerous these days, and exploitable in many new creative ways. I will be discussing this issue in my next podcast; till then <a href="http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/">read up on it here</a> or at <a href="http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/">ha.ckers.org</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/universal-pdf-xss/feed</wfw:commentRss>
		</item>
		<item>
		<title>podPress - New powered by logo</title>
		<link>http://www.mightyseek.com/podpress/podpress-new-powered-by-logo</link>
		<comments>http://www.mightyseek.com/podpress/podpress-new-powered-by-logo#comments</comments>
		<pubDate>Mon, 11 Dec 2006 20:18:41 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[PodPress]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podpress/podpress-new-powered-by-logo</guid>
		<description><![CDATA[Today I got an email from the Daddo of the http://driftkikker.com/ website and he sent over a new Powered By logo to replace the lame one I threw together some time back.
My best effort                               [...]]]></description>
			<content:encoded><![CDATA[<p>Today I got an email from the Daddo of the <a href="http://driftkikker.com/">http://driftkikker.com/</a> website and he sent over a new Powered By logo to replace the lame one I threw together some time back.</p>
<p>My best effort                                          vs                                          Daddo<br />
<img src="http://www.mightyseek.com/images/powered_by_podpress_large2.jpg" title="My skillz" alt="My skillz" height="144" width="144" />        <img src="http://www.mightyseek.com/images/powered_by_podpress.jpg" alt="My skillz" /></p>
<p>Daddo wins!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podpress/podpress-new-powered-by-logo/feed</wfw:commentRss>
		</item>
		<item>
		<title>Still alive and kicking</title>
		<link>http://www.mightyseek.com/misc/still-alive-and-kicking</link>
		<comments>http://www.mightyseek.com/misc/still-alive-and-kicking#comments</comments>
		<pubDate>Fri, 08 Dec 2006 19:11:57 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/still-alive-and-kicking</guid>
		<description><![CDATA[I know its been fairly quiet from me. No new versions of podPress and no new podcasts. The absense has been due to an extremely busy schedule, and a slight bit of lazyness on my part. Ive been doing TONS of reseach, and not had the energy to push out my findings just yet.
Well thats [...]]]></description>
			<content:encoded><![CDATA[<p>I know it's been fairly quiet from me. No new versions of podPress and no new podcasts. The absence has been due to an extremely busy schedule, and a slight bit of laziness on my part. I've been doing TONS of research, and have not had the energy to push out my findings just yet.</p>
<p>Well, that's all changing now. Today I released a new version of podPress and am prepping to push out a podcast in the next day or two.<br />
Thanks to all of you still out there watching; I&#8217;ll make sure to avoid big gaps like this again.</p>
<p>Seek3r</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/misc/still-alive-and-kicking/feed</wfw:commentRss>
		</item>
		<item>
		<title>Dan on Slice of SciFi</title>
		<link>http://www.mightyseek.com/podcasting/dan-on-slice-of-scifi</link>
		<comments>http://www.mightyseek.com/podcasting/dan-on-slice-of-scifi#comments</comments>
		<pubDate>Thu, 05 Oct 2006 21:32:22 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/dan-on-slice-of-scifi</guid>
		<description><![CDATA[While at the PPME I met up with the legendary Evo Terra and got to sit in on a recording of the great Slice of SciFi podcast, which was quite alot of fun. It was recorded in Evo&#8217;s hotel room with a bunch of us hanging out in there. Amoung the live audience Mattew Wayne [...]]]></description>
			<content:encoded><![CDATA[<p>While at the PPME I met up with the legendary <a href="http://en.wikipedia.org/wiki/Evo_Terra">Evo Terra</a> and got to sit in on a recording of the great <a href="http://www.sliceofscifi.com/2006/10/04/slice-of-scifi-77/">Slice of SciFi podcast</a>, which was quite a lot of fun. It was recorded in Evo&#8217;s hotel room with a bunch of us hanging out in there. Among the live audience were Matthew Wayne Selznick (author of <a href="http://www.bravemenrun.com/">Brave Men Run</a>), podcasting &#8220;good guy&#8221; Paul Puri (founder of the <a href="http://www.podcastguild.org/">Podcasters Guild</a>), podcasting &#8220;mean guy&#8221; Steve Eley (<a href="http://www.escapepod.org/">Escape Pod</a>), and fellow security podcasters Michael Santarcangelo (<a href="http://www.securitycatalyst.com/">Security Catalyst</a>) and Martin McKeay (<a href="http://www.mckeay.net/">Network Security Podcast</a>).</p>
<p>I was pretty silent thru most of it, but toward the end Evo went around the room introducing each of us and asking a few questions. I hassled them a little (all in good fun) and got quite a laugh/boo out of it. It was a great time and it alone was worth getting to the PPME for me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/dan-on-slice-of-scifi/feed</wfw:commentRss>
		</item>
		<item>
		<title>Dan with Friends of the Fringe</title>
		<link>http://www.mightyseek.com/podcasting/dan-with-friends-of-the-fringe</link>
		<comments>http://www.mightyseek.com/podcasting/dan-with-friends-of-the-fringe#comments</comments>
		<pubDate>Mon, 02 Oct 2006 22:15:39 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/misc/dan-with-friends-of-the-fringe</guid>
		<description><![CDATA[I sat in with the LA Podcasters gang at the PPME and was in on a recording of Friends of the Fringe, which was pretty fun.

Im the guy on the right with the green shirt and this hat
]]></description>
			<content:encoded><![CDATA[<p>I sat in with the LA Podcasters gang at the <a href="http://www.portablemediaexpo.com/">PPME</a> and was in on <a href="http://vergeofthefringe.blogspot.com/2006/10/live-from-podcast-expo-2006-friends-of.html">a recording of </a><a href="http://vergeofthefringe.blogspot.com/2006/10/live-from-podcast-expo-2006-friends-of.html">Friends of the Fringe</a>, which was pretty fun.</p>
<p><img src="http://lapodcasters.com/images/VF06expo300.jpg" /></p>
<p>Im the guy on the right with the green shirt and this hat<a href="http://www.mightyseek.com/images/mightyseek_hat.jpg"><img width="91" height="85" align="middle" src="http://www.mightyseek.com/images/mightyseek_hat.gif" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/dan-with-friends-of-the-fringe/feed</wfw:commentRss>
		</item>
		<item>
		<title>MightySeek coming back online slowly</title>
		<link>http://www.mightyseek.com/misc/hello-world</link>
		<comments>http://www.mightyseek.com/misc/hello-world#comments</comments>
		<pubDate>Wed, 13 Sep 2006 14:09:16 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">351482043</guid>
		<description><![CDATA[We had a total system failure, and of course I didnt have a backup worth using to get things back online. I am working to get the site fully back up and will be doing so as quickly as possible,
Mighty Seek
]]></description>
			<content:encoded><![CDATA[<p>We had a total system failure, and of course I didn't have a backup worth using to get things back online. I am working to get the site fully back up and will be doing so as quickly as possible,</p>
<p>Mighty Seek</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/misc/hello-world/feed</wfw:commentRss>
		</item>
		<item>
		<title>Jeremiah Grossmans XSS BlackHat Presentation</title>
		<link>http://www.mightyseek.com/web-application-security/jeremiah-grossmans-xss-blackhat-presentation</link>
		<comments>http://www.mightyseek.com/web-application-security/jeremiah-grossmans-xss-blackhat-presentation#comments</comments>
		<pubDate>Fri, 08 Sep 2006 22:48:02 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/09/08/jeremiah-grossmans-xss-blackhat-presentation/</guid>
		<description><![CDATA[If you didnt get to BlackHat this year, then you may have heard about the really cool presentation about Cross Site Scripting. He uses XSS to hack intranets by writing a port scanner in javascript. If your into web app sec, you need to see this. It also really puts a point on the need [...]]]></description>
			<content:encoded><![CDATA[<p>If you didn't get to BlackHat this year, then you may have heard about the really cool presentation about Cross Site Scripting. Jeremiah Grossman uses XSS to hack intranets by writing a port scanner in JavaScript. If you're into web app sec, you need to see this. It also really puts a point on the need to start learning about this issue and the very large problems XSS can cause. So get over to my XSS Hands on Series and start following along!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/jeremiah-grossmans-xss-blackhat-presentation/feed</wfw:commentRss>
	<!-- Media File exists for this post, but its not enabled for this feed -->
	</item>
		<item>
		<title>Behind the Mic: Interviews Dan Kuykendall</title>
		<link>http://www.mightyseek.com/podcasting/behind-the-mic-interviews-dan-kuykendall</link>
		<comments>http://www.mightyseek.com/podcasting/behind-the-mic-interviews-dan-kuykendall#comments</comments>
		<pubDate>Thu, 07 Sep 2006 22:48:01 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[PodPress]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/09/13/behind-the-mic-interviews-dan-kuykendall/</guid>
		<description><![CDATA[I had the great pleasure of being interviewed about podPress by the one and only Michael Geoghegan. I got in a small plug for my podcast as well, so Im pretty happy.
The Podcast Academy: Dan Kuykendall
]]></description>
			<content:encoded><![CDATA[<p>I had the great pleasure of being interviewed about podPress by the one and only Michael Geoghegan. I got in a small plug for my podcast as well, so I'm pretty happy.</p>
<p><a href="http://pa.gigavox.com/shows/detail1556.html">The Podcast Academy: Dan Kuykendall</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/behind-the-mic-interviews-dan-kuykendall/feed</wfw:commentRss>
	<!-- Media File exists for this post, but its not enabled for this feed -->
	</item>
		<item>
		<title>Hands On Series - Cross Site Scripting (XSS) Part 1</title>
		<link>http://www.mightyseek.com/web-application-security/hands-on-series-cross-site-scripting-xss-part-1</link>
		<comments>http://www.mightyseek.com/web-application-security/hands-on-series-cross-site-scripting-xss-part-1#comments</comments>
		<pubDate>Mon, 28 Aug 2006 03:57:40 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Hands On Series]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasts/hands-on-series-cross-site-scripting-xss-part-1</guid>
		<description><![CDATA[The &#8220;Hands on Series&#8221; continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks. 
CSS = Cascading Style Sheets
XSS = Cross Site Scripting
Cross Site Scripting is a technique used to add script to a trusted site that will be executed on other users browsers.
A key element to XSS is that one user can [...]]]></description>
			<content:encoded><![CDATA[<p>The &#8220;Hands on Series&#8221; continues!<br />
<br />
In this episode we start dealing with Cross Site Scripting (XSS) attacks. </p>
<p>CSS = Cascading Style Sheets<br />
XSS = Cross Site Scripting</p>
<p>Cross Site Scripting is a technique used to add script to a trusted site that will be executed in other users' browsers.<br />
A key element of XSS is that one user can submit data to a website that will later be displayed for other users.<br />
It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than an attack on other users.</p>
<p>The <a href="http://hackme.ntobjectives.com/" target="_new"><b>hackme site</b></a> has been updated and improved (more about that in a moment)</p>
<p>and now includes a section for XSS which we will be using in this episode.<br />
<a id="more-59"></a><br /> <a href="http://www.mightyseek.com/web-application-security/hands-on-series-cross-site-scripting-xss-part-1#more-14" class="more-link">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/hands-on-series-cross-site-scripting-xss-part-1/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/14/0/MightySeek-16-2006-07-28-HandOnSeriesXSS.mp3" length="27508399" type="audio/mpeg"/>
<itunes:duration>38:10</itunes:duration>
		<itunes:subtitle>The &#8220;Hands on Series&#8221; continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks. 
CSS = Cascading Style Sheets
XSS = Cross Site Scripting
Cross ...</itunes:subtitle>
		<itunes:summary>The &#8220;Hands on Series&#8221; continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks. 
CSS = Cascading Style Sheets
XSS = Cross Site Scripting
Cross Site Scripting is a technique used to add script to a trusted site that will be executed in other users' browsers.
A key element of XSS is that one user can submit data to a website that will later be displayed for other users.
It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than an attack on other users.
The hackme site has been updated and improved (more about that in a moment)

and now includes a section for XSS which we will be using in this episode.
</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Hands,On,Series,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>podPress reviewed on Upon Further Review » Episode 3</title>
		<link>http://www.mightyseek.com/podcasting/podpress-reviewed-on-upon-further-review-%c2%bb-episode-3</link>
		<comments>http://www.mightyseek.com/podcasting/podpress-reviewed-on-upon-further-review-%c2%bb-episode-3#comments</comments>
		<pubDate>Sat, 29 Jul 2006 22:45:43 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[PodPress]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/07/29/podpress-reviewed-on-upon-further-review-%c2%bb-episode-3/</guid>
		<description><![CDATA[In the latest episode of Upon Further Review the podPress plugin (and me) was reviewed. I'm happy to say we got a 4.5 out of 5 rating and in general a lot of glowing praise.
The podcast itself is very well done for an episode #3, and there's lots of other good stuff in the episode so [...]]]></description>
			<content:encoded><![CDATA[<p>In the latest episode of <a href="http://www.furtherreview.net/?p=15">Upon Further Review</a> the podPress plugin (and me) was reviewed. I'm happy to say we got a 4.5 out of 5 rating and in general a lot of glowing praise.</p>
<p>The podcast itself is very well done for an episode #3, and there's lots of other good stuff in the episode so have fun listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/podpress-reviewed-on-upon-further-review-%c2%bb-episode-3/feed</wfw:commentRss>
		</item>
		<item>
		<title>MightySeek on (IN)SECURE Magazine</title>
		<link>http://www.mightyseek.com/web-application-security/mightyseek-on-insecure-magazine</link>
		<comments>http://www.mightyseek.com/web-application-security/mightyseek-on-insecure-magazine#comments</comments>
		<pubDate>Sat, 08 Jul 2006 22:43:20 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasting]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/07/08/mightyseek-on-insecure-magazine/</guid>
		<description><![CDATA[The MightySeek podcast got a cool mention in the latest issue of (IN)SECURE Magazine.
]]></description>
			<content:encoded><![CDATA[<p>The MightySeek podcast got a cool mention in the latest issue of <a href="http://www.insecuremag.com/">(IN)SECURE Magazine</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/mightyseek-on-insecure-magazine/feed</wfw:commentRss>
		</item>
		<item>
		<title>Mighty Seek Podcast #15 - News and Misc Topics</title>
		<link>http://www.mightyseek.com/web-application-security/mighty-seek-podcast-15-news-and-misc-topics</link>
		<comments>http://www.mightyseek.com/web-application-security/mighty-seek-podcast-15-news-and-misc-topics#comments</comments>
		<pubDate>Fri, 26 May 2006 22:41:15 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/05/26/mighty-seek-podcast-15-news-and-misc-topics/</guid>
		<description><![CDATA[A quick in between to the Hands On Series, I chat about some news and issues of the day.
Turkish Hacker defaces 38,000 websites hosted on GoDaddy
Flawed USC admissions site allowed access to applicant data
Breach case could curtail Web flaw finders
Man charged with accessing USC student data
Tsunami appeal site &#8216;hacker&#8217; found guilty
]]></description>
			<content:encoded><![CDATA[<p>A quick in between to the Hands On Series, I chat about some news and issues of the day.</p>
<p><a href="http://www.zone-h.org/en/news/read/id=206009/">Turkish Hacker defaces 38,000 websites hosted on GoDaddy</a></p>
<p><a href="http://www.securityfocus.com/news/11239">Flawed USC admissions site allowed access to applicant data</a></p>
<p><a href="http://www.securityfocus.com/news/11389/1">Breach case could curtail Web flaw finders</a></p>
<p><a href="http://www.securityfocus.com/brief/191">Man charged with accessing USC student data</a></p>
<p><a href="http://news.zdnet.co.uk/0,39020330,39226548,00.htm">Tsunami appeal site &#8216;hacker&#8217; found guilty</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/mighty-seek-podcast-15-news-and-misc-topics/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/9/0/MightySeek-15-2006-05-23-NewsAndMiscTopics.mp3" length="24381600" type="audio/mpeg"/>
<itunes:duration>33:50</itunes:duration>
		<itunes:subtitle>A quick in between to the Hands On Series, I chat about some news and issues of the day.

Turkish Hacker defaces 38,000 websites hosted on ...</itunes:subtitle>
		<itunes:summary>A quick in between to the Hands On Series, I chat about some news and issues of the day.

Turkish Hacker defaces 38,000 websites hosted on GoDaddy
Flawed USC admissions site allowed access to applicant data
Breach case could curtail Web flaw finders
Man charged with accessing USC student data
Tsunami appeal site &#8216;hacker&#8217; found guilty</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>The Security Roundtable » Featured in the iTunes Music Store</title>
		<link>http://www.mightyseek.com/podcasting/the-security-roundtable-%c2%bb-featured-in-the-itunes-music-store</link>
		<comments>http://www.mightyseek.com/podcasting/the-security-roundtable-%c2%bb-featured-in-the-itunes-music-store#comments</comments>
		<pubDate>Wed, 24 May 2006 23:40:05 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/09/13/the-security-roundtable-%c2%bb-featured-in-the-itunes-music-store/</guid>
		<description><![CDATA[The Security Roundtable » Blog Archive » SRT in the iTunes Music Store
The podcasting group Im a part of now has its own Artist Group in iTunes and is featured on the podcasting home page. Im pretty excited about this and look forward to any new listeners that join in due to the exposure.
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securityroundtable.com/?p=5">The Security Roundtable » Blog Archive » SRT in the iTunes Music Store</a></p>
<p>The podcasting group Im a part of now has its own Artist Group in iTunes and is featured on the podcasting home page. Im pretty excited about this and look forward to any new listeners that join in due to the exposure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/the-security-roundtable-%c2%bb-featured-in-the-itunes-music-store/feed</wfw:commentRss>
		</item>
		<item>
		<title>Network Security Blog: Network Security Podcast, Episode 28</title>
		<link>http://www.mightyseek.com/podcasts/network-security-blog-network-security-podcast-episode-28</link>
		<comments>http://www.mightyseek.com/podcasts/network-security-blog-network-security-podcast-episode-28#comments</comments>
		<pubDate>Wed, 24 May 2006 22:35:32 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/05/24/network-security-blog-network-security-podcast-episode-28/</guid>
		<description><![CDATA[Network Security Blog: Network Security Podcast, Episode 28
Tonight I appear as co-host/guest of the Network Security Podcast with Martin McKeay. This podcast is a fellow Security Round Table podcast, and I had alot of fun being able to discuss more general security issues.
]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.mckeay.net/secure/2006/05/network_security_podcast_episo_25.html">Network Security Blog: Network Security Podcast, Episode 28</a></p>
<p>Tonight I appear as co-host/guest of the <a href="http://www.mckeay.net">Network Security Podcast</a> with Martin McKeay. This podcast is a fellow <a href="http://www.securityroundtable.com/">Security Round Table</a> podcast, and I had alot of fun being able to discuss more general security issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasts/network-security-blog-network-security-podcast-episode-28/feed</wfw:commentRss>
		</item>
		<item>
		<title>Questions for podcast with Dan (PodPress developer)</title>
		<link>http://www.mightyseek.com/podcasts/questions-for-podcast-with-dan-podpress-developer</link>
		<comments>http://www.mightyseek.com/podcasts/questions-for-podcast-with-dan-podpress-developer#comments</comments>
		<pubDate>Thu, 18 May 2006 22:31:14 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasts]]></category>

		<category><![CDATA[PodPress]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/05/18/questions-for-podcast-with-dan-podpress-developer/</guid>
		<description><![CDATA[James Woodcock will be interviewing me in the coming days, and so posted this on the forums.
Click here to get to the forum topic
Dan (Mighty Seek) developer of the PodPress plugin for Wordpress, will be interviewed in one of my future blogcasts on my website.
If you have any questions you would like him to answer [...]]]></description>
			<content:encoded><![CDATA[<p>James Woodcock will be interviewing me in the coming days, and so posted this on the forums.</p>
<p><a href="http://www.mightyseek.com/forum/showthread.php?t=251">Click here to get to the forum topic</a></p>
<p>Dan (Mighty Seek) developer of the PodPress plugin for Wordpress, will be interviewed in one of my future blogcasts on my website.</p>
<p>If you have any questions you would like him to answer about either his PodPress plugin or security, please ring my automated (non-premium) voicemail on UK: 0207 193 3092 or Worldwide: +44 207 193 3092 or for free on skype id: glidem</p>
<p>The best questions will be included in the show&#8230;..<br />
__________________<br />
>> <a href="http://www.jameswoodcock.co.uk/?p=252">Hear more about PodPress, in my audio interview with Dan Kuykendall</a> <<</p>
<p><a href="http://www.jameswoodcock.co.uk">http://www.jameswoodcock.co.uk</a> - My personal online diary covering the internet that I find of interest including audio interviews, music, gaming, technology, gadgets, websites, free downloads and general articles.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasts/questions-for-podcast-with-dan-podpress-developer/feed</wfw:commentRss>
		</item>
		<item>
		<title>Hands On Series - SQL Injection Part 1</title>
		<link>http://www.mightyseek.com/web-application-security/hands-on-series-sql-injection</link>
		<comments>http://www.mightyseek.com/web-application-security/hands-on-series-sql-injection#comments</comments>
		<pubDate>Fri, 28 Apr 2006 21:56:15 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Hands On Series]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/podcasts/hands-on-series-sql-injection</guid>
		<description><![CDATA[The start of the “Hands on Series”, which means that there are actual
hands on exercises to go along with these shows.

I feel that it's time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself, as the saying goes.
I recommend that you listen to [...]]]></description>
			<content:encoded><![CDATA[<p>The start of the “Hands on Series”, which means that there are actual<br />
hands on exercises to go along with these shows.</p>
<p></p>
<p>I feel that it's time to go beyond the concepts, the chatter about what bad guys can do,<br />
and actually show you directly. Let you see for yourself, as the saying goes.</p>
<p>I recommend that you listen to these episodes while viewing the hacking test site and<br />
have the show notes visible and ready to cut and paste from.</p>
<ul>
<li><a href="http://hackme.ntobjectives.com/">http://hackme.ntobjectives.com/</a> - The new site setup for you to practice web app hacking.
<p>Includes <a href="http://hackme.ntobjectives.com/sql_inject/SQLInjectionAttacks.txt">detailed notes</a> and samples that can be used to practice with.</li>
<li><a href="http://www.mightyseek.com/web-hacking-toolkit/">Web App Hacking Toolkit</a> - Collection of tools and links helpful for web security.</li>
<li><a href="http://jonathancoulton.com/">Jonathan Coulton’s Things a Week</a> - Where the Code Monkey song came from.</li>
</ul>
<p> <a href="http://www.mightyseek.com/web-application-security/hands-on-series-sql-injection#more-5" class="more-link">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/hands-on-series-sql-injection/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/5/0/MightySeek-14-2006-04-28-HandOnSeriesSQLInjection.mp3" length="41814674" type="audio/mpeg"/>
<itunes:duration>58:03</itunes:duration>
		<itunes:subtitle>The start of the &#8220;Hands on Series&#8221;, which means that there are actual
hands on exercises to go along with these shows.

I feel that its time ...</itunes:subtitle>
		<itunes:summary>The start of the &#8220;Hands on Series&#8221;, which means that there are actual
hands on exercises to go along with these shows.

I feel that it's time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself, as the saying goes.
I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

http://hackme.ntobjectives.com/ - The new site setup for you to practice web app hacking.

Includes detailed notes and samples that can be used to practice with.
Web App Hacking Toolkit - Collection of tools and links helpful for web security.
Jonathan Coulton&#8217;s Things a Week - Where the Code Monkey song came from.

</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Hands,On,Series,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>InformationWeek &#124; Web App Hack Incidents Are Up</title>
		<link>http://www.mightyseek.com/web-application-security/informationweek-web-app-hack-incidents-are-up</link>
		<comments>http://www.mightyseek.com/web-application-security/informationweek-web-app-hack-incidents-are-up#comments</comments>
		<pubDate>Fri, 14 Apr 2006 18:09:58 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/04/14/informationweek-web-app-hack-incidents-are-up/</guid>
		<description><![CDATA[InformationWeek &#124; Web Application Security &#124; Web App Hack Incidents Are Up As Businesses Take Cover &#124; April 12, 2006
First a bug ‘duh!”
And then I get to move into the “finally someones talking about this in the mainstream press”.
Not that Information Week is read by grandma or the average joe on the street, but for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.informationweek.com/industries/showArticle.jhtml?articleID=185300842">InformationWeek | Web Application Security | Web App Hack Incidents Are Up As Businesses Take Cover | April 12, 2006</a></p>
<p>First a bug ‘duh!”<br />
And then I get to move into the “finally someone's talking about this in the mainstream press”.</p>
<p>Not that Information Week is read by grandma or the average joe on the street, but for the info tech community it's pretty well known.</p>
<p>The thing I like about the article is that they get it. The root of the problem is basically bad coding practices. This is of course the primary topic in my podcast, so start listening and following my advice to deal with these issues!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/informationweek-web-app-hack-incidents-are-up/feed</wfw:commentRss>
		</item>
		<item>
		<title>Privilege Escalation Attacks</title>
		<link>http://www.mightyseek.com/web-application-security/privilage-escalation-attacks</link>
		<comments>http://www.mightyseek.com/web-application-security/privilage-escalation-attacks#comments</comments>
		<pubDate>Fri, 14 Apr 2006 17:10:39 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/04/14/privilage-escalation-attacks/</guid>
		<description><![CDATA[In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password it is often possible to do administrative functions by simply attempting them.
The problem is [...]]]></description>
			<content:encoded><![CDATA[<p>In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password it is often possible to do administrative functions by simply attempting them.</p>
<p>The problem centers on validating access controls at every point of execution. Too often the access controls are applied only to the navigational structure, meaning that the menus do not have links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. That's bad design in the app, and it is VERY common.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/privilage-escalation-attacks/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/15/0/MightySeek-13-2006-04-14-PrivilegeEscalation.mp3" length="15073162" type="audio/mpeg"/>
<itunes:duration>20:55</itunes:duration>
		<itunes:subtitle>In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having ...</itunes:subtitle>
		<itunes:summary>In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password it is often possible to do administrative functions by simply attempting them.

The problem centers on validating access controls at every point of execution. Too often the access controls are applied only to the navigational structure, meaning that the menus do not have links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. That's bad design in the app, and it is VERY common. </itunes:summary>
		<itunes:keywords>Web,Application,Security,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>Catching up and a preview of future shows</title>
		<link>http://www.mightyseek.com/web-application-security/catching-up-and-a-preview-of-future-shows</link>
		<comments>http://www.mightyseek.com/web-application-security/catching-up-and-a-preview-of-future-shows#comments</comments>
		<pubDate>Thu, 13 Apr 2006 17:11:47 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/04/13/catching-up-and-a-preview-of-future-shows/</guid>
		<description><![CDATA[In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a forum for the podcast and general web application security discussion.
]]></description>
			<content:encoded><![CDATA[<p>In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a <a href="http://www.mightyseek.com/forum/">forum for the podcast</a> and general web application security discussion.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/catching-up-and-a-preview-of-future-shows/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/16/0/MightySeek-12-2006-04-13-CheckingInAndPreviewUpcomingShows.mp3" length="28581883" type="audio/mpeg"/>
<itunes:duration>39:40</itunes:duration>
		<itunes:subtitle>In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site ...</itunes:subtitle>
		<itunes:summary>In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a forum for the podcast and general web application security discussion.</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
		<item>
		<title>For-Pay Only Podcasting (Password Protected)</title>
		<link>http://www.mightyseek.com/podcasting/for-pay-only-podcasting-password-protected</link>
		<comments>http://www.mightyseek.com/podcasting/for-pay-only-podcasting-password-protected#comments</comments>
		<pubDate>Mon, 13 Mar 2006 17:56:57 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Podcasting]]></category>

		<category><![CDATA[PodPress]]></category>

		<category><![CDATA[Misc]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/03/13/for-pay-only-podcasting-password-protected/</guid>
		<description><![CDATA[Today I learned about iTunes support for password protected podcasts, and am thinking about the security issues, planning out how I can support this in PodPress as well as what this means for podcasting in general. 
Overall I think this is very cool for podcasting, because it can open the doors for various content providers [...]]]></description>
			<content:encoded><![CDATA[<p>Today I learned about iTunes support for password protected podcasts, and am thinking about the security issues, planning out how I can support this in PodPress as well as what this means for podcasting in general. </p>
<p>Overall I think this is very cool for podcasting, because it can open the doors for various content providers to jump in and start offering content. It may also allow existing podcasters to start offering special pay-only content. I know many want everything for free, but I'm not opposed to paying people for the time and talent they pour into creating great content.</p>
<p>That aside, I was most curious about the technical issues involved. So I dug in&#8230;<br />
<a id="more-34"></a><br />
Last week I heard that radio talk show host <a href="http://www.rushlimbaugh.com/home/daily/site_030806/content/rush_24_7.member.html">Rush Limbaugh announced</a> that his show would be available from within iTunes. For several months his show was available as a &#8220;podcast&#8221; which meant his subscribers could download MP3s a few hours after each show aired. At the time this happened, I dug into the custom downloader, sniffed out the traffic and figured out how it all worked. It wasn't complicated, but it wasn't a real podcast: there was no RSS feed with enclosures, and no way standard podcatchers could ever support it.</p>
<p>Now the landscape has changed, and this is a new solution that works with iTunes. I still didn't know how it was going to work, but my guess was that it had to do with HTTP BasicAuth. This morning the website had the link, and I had my Paros Proxy. I configured my computer to run through the local proxy, and I went about getting the show into my iTunes, recording all the network traffic along the way.</p>
<p>It turned out to be much easier than I expected. It did use HTTP BasicAuth, and it only does so for the rss feed.<br />
So what we have is a link to the RSS feed, but with the protocol defined as itpc, which I assume to mean ITunesPodCast and is something that iTunes is registered to handle.</p>
<p>So the link looks something like this:<br/><br />
<b>itpc://rss.premiereradio.net/podcast/rushlimb.xml</b></p>
<p>Note: Just because the protocol is itpc instead of http does not mean you couldn't go to this URL with your browser:</p>
<p><b>http://rss.premiereradio.net/podcast/rushlimb.xml</b></p>
<p>If you try, you will get a password prompt. This is using standard HTTP BasicAuth, and once you give your credentials you would get the RSS Feed.<br />
The feed itself is a standard iTunes compliant RSS2 document like we are all used to. As for the MP3 files themselves, there is only security by obscurity. I will not give an actual URL to one of the MP3 files, but it's something along the lines of</p>
<p><b>http://rss.premiereradio.net/download/rushlimb /username/48123789787qe98/rushlimb/2006/03/ Rush%20Limbaugh%20-%20Mar%2010%202006%20-%20Hour%201.mp3</b></p>
<p>If you had the actual URL, you could download the MP3 without any sort of authentication. Of course, security by obscurity is not an ideal solution, but in the case of this type of content it serves the need. It should also be easy to use the same HTTP BasicAuth to protect the MP3 files if so desired.</p>
<p>I have also found out that the popular podcatcher <a href="http://juicereceiver.sourceforge.net">Juice</a> supports HTTP BasicAuth as well, so using this solution really seems the way to go. </p>
<p>I believe I can add support into PodPress for all this at some point, and the bottom line is that this is an interesting and exciting development in the Podcasting world.</p>
<p>- Additional Resources - </p>
<p>* Just found out about <a href="http://www.potionfactory.com/blog/2006/02/20/password-protecting-a-podcast/">another blogger who did a write up here</a></p>
<p>* <a href="http://juicereceiver.sourceforge.net">http://juicereceiver.sourceforge.net</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/podcasting/for-pay-only-podcasting-password-protected/feed</wfw:commentRss>
		</item>
		<item>
		<title>Security Engagement Cast Part 2</title>
		<link>http://www.mightyseek.com/web-application-security/security-engagement-cast-part-2</link>
		<comments>http://www.mightyseek.com/web-application-security/security-engagement-cast-part-2#comments</comments>
		<pubDate>Sat, 11 Mar 2006 17:13:13 +0000</pubDate>
		<dc:creator>dan</dc:creator>
		
		<category><![CDATA[Web Application Security]]></category>

		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://www.mightyseek.com/2006/03/11/security-engagement-cast-part-2/</guid>
		<description><![CDATA[In part 2 we discuss the planning and deliverables involved when doing a security engagement. Most of the discussion demonstrates the importance of understanding the boundaries, requirements and deliverables from the start.
]]></description>
			<content:encoded><![CDATA[<p>In part 2 we discuss the planning and deliverables involved when doing a security engagement. Most of the discussion demonstrates the importance of understanding the boundaries, requirements and deliverables from the start.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.mightyseek.com/web-application-security/security-engagement-cast-part-2/feed</wfw:commentRss>
			<enclosure url="http://www.mightyseek.com/podpress_trac/feed/17/0/MightySeek-11-2006-03-08-SecurityEngagementCast.mp3" length="42814299" type="audio/mpeg"/>
<itunes:duration>59:26</itunes:duration>
		<itunes:subtitle>In part 2 we discuss the planning and deliverables involved when doing a security engagement. Most of the discussion demonstrates the importance of understanding the ...</itunes:subtitle>
		<itunes:summary>In part 2 we discuss the planning and deliverables involved when doing a security engagement. Most of the discussion demonstrates the importance of understanding the boundaries, requirements and deliverables from the start.</itunes:summary>
		<itunes:keywords>Web,Application,Security,,Podcasts</itunes:keywords>
		<itunes:author>Dan Kuykendall</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	</item>
	</channel>
</rss>
