Is Sigler just Dan Klass’s alter ego?

August 26th, 2007

Here's Dan

[image: dan_klass.jpg]

and here's Scott Sigler

[image: scott_siglar.jpg]

And merge the two…

[image: dan_sigler.jpg]

You Decide.

The Ha.ckers.org Hacking Challenges

August 23rd, 2007

As many of you have seen, I have a “Hackme” site set up to go along with my podcast, and specifically for the Hands On Series podcasts. Well, the current king of Web App Security blogging has set up a couple of hacker challenges on his site. The ones on my site are really focused toward teaching; the ones on ha.ckers.org are set up for the fun, challenge and bragging rights.

I have had the misfortune of being completely swamped in work during the start of these last two, but when the third is up, I'm cleaning my calendar, turning off cell phones and ignoring any unnecessary chats so I can beat it as quickly as possible and get listed in the top ten. Knowing rSnake, I may decide to put together a small MightySeek team to work together to increase our chances, but I will see how it plays out.

Go have fun, and test your skills.

Btw, #2 had a logic flaw which really opens up the next one to additional scrutiny to see what's possible to find during the next one.

Evaluating Web Application Security Scanners

August 23rd, 2007

There's been a lot of discussion lately about an issue that's near and dear to my heart. The capabilities of web application security scanning are something I have been living and breathing for about 5 years with NT OBJECTives. At NTO I lead the development and research teams involved in building our own scanner called NTOSpider, and have been trying to increase what is possible to test for in an automated tool.

This is a really difficult and challenging issue, with a bunch of issues that are fuzzy at best. I have high hopes for the WASSEC Project that's being hosted by the Web Application Security Consortium, because it's going to bring a bunch of us from the app sec tool vendor space and the web app sec community together to discuss the issue and attempt to come up with a good reference document for the ways to evaluate scanners.

I’m curious how we will be able to come up with any consensus, but with any luck and some hard work and compromise I think this could be a turning point to helping public understanding of this issue.

WordCamp Experience

July 23rd, 2007

I had a pretty interesting day yesterday.
After being up until close to 2am I woke up at 5:30am, showered and drove to the airport to do my 10am talk at WordCamp 2007.
My flight landed at 8:30am and I was picked up by my old buddy Joe Engo. After a couple of wrong turns we finally got to the event location at 9:30, in time to get set up.

[image: mightyseek_at_wordcamp.jpg]

I finally had a chance to meet Matt Mullenweg, and was thoroughly impressed; this is one young man to watch. To think that at 23, he's at the head of a project that's impacted so many people, has gained so much interest and respect, and has managed to build a business model around an open-sourced app… no easy feat.

So then it sets in. I'm the opening presenter to this conference… I've really been too busy to have thought much about my talk at WordCamp the preceding couple of weeks because work has been crazy busy. But standing there getting set up to open the conference I got a bit nervous. It's also been a couple of years since doing one of these types of things, so I really started feeling completely unprepared.

Matt introduces me and I ask the audience a few questions about who's familiar with podcasting (everyone) and how many podcasters are out there (a few). Well, this kind of took some thunder out of my slides, which were intended to help explain podcasting basics. I had to think quickly to adjust my talk and explain my views of how I feel podcasting to be a little more personal and blah blah. Was a bit of a slow start.

So I figured I could launch into the stuff about podPress and show off the features and talk some praise of WordPress, which I started… and then the Internet connection went dead. Just as I was starting to feel a little comfortable…
With some quick action by the Automattic team I got back online and was quickly followed by the audience and was able to start cracking some lame jokes and getting into a groove about podPress, podcasting and WordPress.

Even with the slow start, I felt like I was finally able to connect and coherently discuss some of the things I am passionate about, and hopefully show how easy it is to get into podcasting, the cool features of podPress and the amazing platform WordPress provided that enabled me to create the feature set. The talk was videotaped, so as soon as I get a copy of the video I will be adding the media to this post so it will end up in my feed as a video podcast.

As soon as my talk was over, I chatted with a few people in the lobby for about half an hour, and then headed to the airport to get back home. Next year, as a speaker or not, I'm going to make sure to plan better so I can stay for the entire weekend.

Update: The video is now available.

The Sierra Network (ImagiNation) – Lives again

July 3rd, 2007

Back in the early 90s, yes, back even before most had even heard of the Internet and the geeks spent most of their time on BBSes, there were a few online services trying to get going. AOL, Prodigy and CompuServe were fairly well known, but there was one other that stole my heart. It was the ImagiNation Network and primarily MedievaLand and its first game, The Shadow of Yserbius.

Way back before World of Warcraft, Neverwinter Nights and Ultima Online, there was The Shadow of Yserbius, which really set the bar for online gaming.

The whole network was unbelievable in its scope. You could play the D&D style Yserbius, card games at the club house, gamble at CasinoLand, have simulated dog fights in the Red Baron game, play the popular Boogers game, and even get help with your homework.
To this day I have not seen anything to match the fun and variety that I had the privilege to experience back in the days when I was spending thousands of dollars and endless hours experiencing life “online”.

I have cherished my memories of those days and have copies of all the old software and hacks which I have kept faithfully for the last 15 years. I have joined a couple of efforts to re-create the world, but all have failed… until now. A guy that goes by the name of byoung was able to re-create the server so that the old client software is able to work in DOSBox, which redirects the modem calls over TCP/IP. His website has all the software and directions to get set up very easily. It took me all of 10 minutes to get everything installed and working. **To make it even easier to get started, use the installer I created**

I spent about 4 hours online yesterday playing The Shadow of Yserbius with a few other people and building up my character. Oh man, have I forgotten a ton, but the memories flooding back are a total blast. Even if you never played back in the day, I encourage you to get set up with it and join the growing community of users. If you let me know you will be in, I will be glad to join you for any game you like. I'm having fun re-discovering all the cool stuff in this world of ImagiNation.

iPhone – I don't get the hype

June 30th, 2007

It's crazy… I really just don't get this craziness over an insanely priced cell phone. Now keep in mind, I live with my video iPod; it goes everywhere with me and most of the TV and movies I see these days are on the thing. I also look forward to the day that I can have a single device so that I don't have to carry the iPod and cell phone.

However, the iPhone just isn't it for me. It's cool, and it's heading toward the dream of having a single device, but for $600 and having to switch to a crappy cell phone carrier, NO THANKS. Aside from the price and cell phone carrier monopoly, I really just can't stand touch pad phone buttons. I need to be able to dial without looking, and can only do that with actual buttons. Touch screens wear out, and it becomes a pain to push the button you want. I'm sure you are all experienced in using the touch screens at the market when you pay by debit card, and the hassles when they start wearing out. Do we really want that on our cell phone, where we have a $600 price tag to replace the thing? Not me.

Planet Websecurity

June 29th, 2007

For those trying to follow the latest news of our web app sec community, someone has finally set up a feed planet called Planet Websecurity that I'm really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.

For those not familiar with Planet sites, they are basically RSS readers which download other RSS feeds and merge them into a single feed. This means you can subscribe to one and get all the postings from all the feeds in the Planet.

Visit Planet Websecurity to see this in action.

Why is it so hard to code secure web apps?

June 29th, 2007

After my run-in with vBulletin I began a search for a secure and stable open-source forum solution. My first thought was to find out what was running on sla.kers.org, so I put in a call to rsnake and was told to keep looking because his solution sucked as well and that he was still on the hunt for a replacement. I've been looking at a bunch of the apps out there and so far I haven't been all that impressed with the security design of the forum apps I've looked at.

This makes me wonder if web app sec is ever going to succeed, or if the web is just doomed to have problems for all time. Forum software is a very good example of the problem with many web apps, and web app development in general. To start with, it's a very simple application, which if done right can be done securely. Of course the major challenge is that you're taking user input and displaying it to other users. This immediately means you're most likely storing the data in a database, which means you must secure against SQL Injection attacks. OK, that's not too hard, so that can be done. Next you need to make sure you're filtering the inputs on the way in to remove any HTML tagging, and escaping on the way out to be safe. The XSS part is a bit harder because there are clever people out there using a ton of different ways to bypass any filtering/escaping you do. However, this can be accomplished with some focused attention, and you will then have a simple, secure and stable forum application.

So what's wrong with this? Feature creep.
Now that you have a basic forum in place, people will want to be able to format their text, which means you need to allow some HTML tags, or have some custom tags like BBCode which you then convert to real HTML tags. At this point things are starting to get a little tougher, but with diligence it's still all workable. Next users want to upload attachments, have avatars, have all sorts of moderation features, and so on and so on. Then to make matters even worse, new developers join the project and they are not always as aware of or concerned about security issues, and soon the application is as buggy and vulnerable as the forum software you are trying to replace.

Is this solvable? Yes, but only with diligence, hard work and auditing. Did I mention hard work?
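As an added illustration (my own sketch, not code from the original post or from any forum project it mentions), here is the minimal version of the two defences described above: a parameterized query for storing posts, and escape-everything-on-the-way-out followed by conversion of only a whitelisted set of BBCode tags, kept balanced so the emitted HTML stays well formed. The in-memory table layout and the two-tag whitelist are assumptions for the example.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed in-memory posts table for the example (layout is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return db

def store_post(db, author, body):
    # Parameterized query: the driver keeps data separate from the SQL text,
    # so a body like "'); DROP TABLE posts; --" is stored as a literal string.
    cur = db.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    db.commit()
    return cur.lastrowid

def fetch_post(db, post_id):
    return db.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()[0]

# Whitelisted BBCode tags and the HTML they become; anything else stays literal text.
BBCODE = {"b": "strong", "i": "em"}
_TAG_RE = re.compile(r"\[(/?)([a-z]+)\]")

def render_post(body):
    # Escape on the way out first, so raw HTML in the stored post can never execute...
    safe = html.escape(body, quote=True)
    out, stack, pos = [], [], 0
    # ...then turn only whitelisted BBCode into real tags, keeping the HTML balanced.
    for m in _TAG_RE.finditer(safe):
        out.append(safe[pos:m.start()])
        pos = m.end()
        closing, tag = m.group(1), BBCODE.get(m.group(2))
        if tag is None:
            out.append(m.group(0))            # unknown tag is left as text
        elif not closing:
            stack.append(tag)
            out.append(f"<{tag}>")
        elif tag in stack:                    # close back to the matching open tag
            while stack:
                t = stack.pop()
                out.append(f"</{t}>")
                if t == tag:
                    break
        # a closing tag with no matching open tag is dropped
    out.append(safe[pos:])
    out.extend(f"</{t}>" for t in reversed(stack))  # close anything left open
    return "".join(out)
```

Adding `[url]` or image tags later is exactly the feature-creep step the post warns about: each new tag needs its attribute values validated before it is emitted, not just its name whitelisted.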

Run-in with vBulletin – leasing software is intolerable

June 29th, 2007

I had been using vBulletin for a little over a year when I started podPress and wanted a place for users to create a community and to provide support. The forums have been very successful and tend to have on the order of 20-30 postings a day, with many more viewers. Now vBulletin is commercial software, so I had to pay $85 to use it, and figured that donations would cover the costs. I had mistakenly thought the way the licensing worked is that after one year I could keep running the forums, but could no longer get updates, which seemed fair enough to me.
Well, the license I did buy doesn't allow for that, and I had to find out the hard way. After my license had been expired a couple of months I received an email saying I was in violation, which I ignored on the assumption that it was a mistake or SPAM. I mean, why would software I paid for become invalid to use? It does when you purchase leased software!

SQL Injection mention on hype-free

April 27th, 2007

Every once in a while I try and find out if anyone is noticing my podcast. Well, I stumbled on a mention of the SQL Injection hands on episode on hype-free.
