Thinkst Blog

Today i did a brief interview with E-TV news on "Anonymity Systems". Interestingly enough, the journalist started the interview determined to go down the " Anonymity is Evil! " route. I must confess to being slightly surprised by the thought. I didn't expect such strong support for the "Anonymity allows Child Pornography" point of view. The snippet of the interview that was aired was probably only a few minutes long (I have not seen it yet), but i thought it was probably worth it to note a few simple thoughts on Anonymity systems. Very few people, (if any), would question the necessity of allowing anonymity for people who suffer from victimization. Dissidents of a tyrannical regime, or victims of crime need a platform that will permit them to speak out without fear of further victimization. The problem is that "anonymity needs company". This simply implies that it's really difficult to be anonymous alone. Signals Intelligence operators ha...

This weekend we held our 2nd ever ZaCon , The Conference in need of a tagline! ZaCon aims specifically at growing the South African InfoSec Research scene by giving locals a place to teach, learn and grow. The talk had people flying in from Durban, CapeTown and even Grahamstown, and almost doubled last year's attendance. If nothing else, The coffee service was an unmistakable win! My talk this year was called "Fig Leaf Security", and was aimed at saying some of the things that we generally dont like saying (about the industry in general, and about ourselves in particular). You can catch the talk [ here ] and can watch the rest of the ZaCon Album [ here ] I went into the talk expecting it to generate some hate, but most of the feedback so far has been really positive [1|2|3]. Feel free to drop me an email or msg @haroonmeer on twitter to let me know why im wrong.. /mh [1] @nitesh_dhanjani : Watch this talk by @haroonmeer if you are in the infosec industry and feel like g...

iTried is a quick little utility I wrote while testing something. It sits on your menubar, and shows you the photograph of the last person who disturbed your screensaver (ie. tried to login). You can read more about it (and download it (free)) [ here ]

It's pretty common for people to hate Apple and to pick on the apple-tax , but then you spot something like this and you just have to smile (that special blend of fanboy smile!). The standard icon for textpad is clearly a text pad with a pen. I was looking into icons, and ended up maximizing the text pad icon. (click for full size) The quote was heavily used during early Apple commercials, but like many things Apple, it's just the attention to detail thats awesome!

Nils Kreimeier wrote an article for Capital Magazine on cyber-war based on interviews he did at the CCDCOE conference earlier this year. The article is in German but does feature exciting Atari style graphics superimposed on scary looking hackers. [ Grab a copy here ]

The Internet lit up last week with news of Intel's purchase of McAfee . Every analyst (and his dog) has chimed in on what it means, from "Anti Virus on a chip", to just " a national security disaster ". I think it has a subtler implication that bodes well for developing nations. - In the ongoing competition between hardware and software, hardware just flinched. Watching Intel spend almost a years worth of profit on McAfee made me think of Professor Clayton Christensen (of " The Innovators Dilemma " fame) and his "Law of Conservation of Modularity / Law of conservation of Attractive Profits"). (If you have not yet read the book, you can catch a good overview of the content from his talk titled " Capturing the Upside ".) Professor Christensen regularly cites his conversations with Intel's Andy Grove, and it is clear that Intel took cues on strategic direction from him in the past. (First, some background) The Law of Conservation ...

Hello. How 'bout that ride in? I guess that's why they call it Sin City . [1] BlackHat this year passed in a blur. In retrospect staying in Vegas for only 3 nights was probably a bad idea. ( This is especially obvious when you consider that the round trip involves about 60 hours of travelling time ) I got in and mostly hid in my room working on the talk. I did the talk, and promptly hid in my room feeling sick till it was time to fly home. (this means that i failed completely to participate in teamZA's magnific ent #hackcup football victory ) In 2009, our " Clobbering the Cloud " talk squeezed in about 138 slides into 70 minutes. This year my talk was 50 minutes long ( i wasn't convinced that the topic could hold interest for longer periods ), and my keynote deck was made up of 38 slides. But, the presentation used both the 38 keynote slides, and a prezi presentation (with about 170 transitions). This means there was never a chance of finishing the presentatio...

July in information security means Vegas heat, dark t-shirts and " BlackHat ". Over the year there have been many new infosec conferences, but BlackHat remains the premier event for the infosec community. In a few minutes, i'll start the >24hour journey towards the insanity^2 (Vegas is crazy, and the injection of the Defcon crew just dials up the crazy-meter). My talk this year turns me into infosec historian: " Memory Corruption Attacks: The (almost) Complete History... Buffer Overflows, Stack Smashes and Memory Corruption Attacks have been the info sec headline stealers for the better part of 3 decades. Sadly, poor record keeping (and dismal regard for attribution of prior research) has resulted in huge gaps in our "hacker folklore". It has also resulted in several re-inventions of the wheel. This talk traces the history of memory corruption attacks and defenses, from the Morris Worm of 1988 to the awesome Pointer Inference work published by Blazakis ...

The CCDCOE (Cooperative Cyber Defence Centre of Excellence) held its Conference on Cyber Conflict in Tallinn, Estonia. It was an interesting opportunity to see some of the issues that lurk beneath the "CyberWar" banner. Charlie Miller (of pwn2own fame) and i were invited to talk about things from an attackers perspective. Both our talks avoid the question of "Is the threat real?" ( Which i think was answered awesomely by the talk given by Bryan Krekel and George Bakos of Northrop Grumman ), and instead focused on "stuff we know!" I had 30 minutes (which isn't really enough to go too deeply into a topic). My slides (with some notes) can be found here . /mh

The Mail & Guardian published their 2010 list of " 200 Young South Africans you must take to Lunch ". According to their page: " These are young people who will shape our country in the decades to come, in the sporting arena, in public life and in business. " I made the list under Technology , which was really quite flattering. (thanks M&G , @singe ) Deels forced me to attend the lunch (which i would normally have found an excuse to avoid), and i was genuinely glad that she did. Making the list was flattering, meeting some of the other candidates was absolutely humbling. Guys like Marlon Parker (who's software is really saving lives), or guys like Eusebius McKaiser (who are clearly future thought leaders in .za politics) make one realize both how much potential .za has and how much more i should be doing with my life.

A while back i thought it would be nice if we had an authoritative source of memory corruption attacks (and mitigations) in a single document. I resisted mainly because: It seemed like a lot of drudgery for something we have been able to do well without, It steers towards the word "taxonomy" [1] I was a little lazy. [1] Dave Aitel has posited that "people who thing (sic) of things as "Taxonomies" are always headed in the opposite direction from correct" Late last year i ran some scripts (and waded) through OSVDB's database, to see if we could pull through some numbers on memory corruption bugs (through the ages) and their disclosure rate compared to other bugs. (theres actually a wealth of fiddling in these numbers too, that ill get around to at some point). I figured it would be nice to see a timeline of memory corruption exploitation techniques along with the mitigation steps introduced plotted along-side the bug counts (but still lacked the real mo...

With the champions league reaching it's crescendo, and 2010 being a world cup year, it's hard to get away from sports mania. I can understand national pride and I can even understand the joy of a good match. ( I was sport crazy through high school/university and sometimes played up to 3 organized football marches per week (for different teams in different leagues) ). What I don't get is the insanely fanatical talk of " my team did X " or the even stranger " we won! ". Who's we paleface? I used to think that this was just a harmless figure of speech, but listening to conversations during the champions league really leave me dumbfounded. It's not the screaming at the television (which I can understand), but the vicarious sense of achievement people seem to eek out while watching " their " team playing. In a world where we outsource everything we can, it seems as if many people follow sporting teams in an attempt to outsource achievement ...

It doesn't matter how many conferences you present at, or how much you hate LasVegas, around this time of the year those are very happy, welcome words. I'll pop more details on the talk here in a few days (especially since I'm hoping to co-opt some of you). Interestingly enough, despite almost a decade of Blackhat/Defcon's, it's the first time I'll be free to take a training class. I'm pretty stoked! /mh

I wanted to play with Django, so built this "toy" project to kick the tires. If you are on twitter (and don't protect your tweets), check out http://fun.thinkst.com/land . It's a very simple application that will grab a list of the people you follow, then grab the list of everyone they follow, to give you the top n% of people they follow that you dont. My favorite feedback on it so far was: @narvanitis : wow i dont follow @mdowd Reason enough for me to call it a success :>

While talking to someone on IRC today, i mentioned that lot's of young companies (and some old ones) are Cargo Cult Startups.. I was asked to explain ( which is a sure fire sign that someone hasn't been reading their Feynman ), but figured i could probably elaborate. In his commencement speech at CalTech (and in his book " Surely You're Joking Mr Feynman ") RPF talks about Cargo Cult Science. He was referring to Pacific Islanders, who having seen the planes landing from the sky bringing provisions during the war, built hats with coconuts and erected runways, replicating marching drills (after the war) trying to get the provisions to land once more. The islanders were replicating the observed behavior without understanding the true nature of the tasks.. Now Feynman famously likened this to people performing the superficial motions of scientific experiment, without truly understanding the core of it, and if you look around today you will see lots of this disguised a...

I just finished the new book from 37Signals - " ReWork ", and it was a reasonably enjoyable read. (It was actually the first book i read through the iPhone Kindle App, which is incredibly cool) (Would love to see that discussion at Amazon, deciding if they should support the iPad to sell books, or try to starve the iPad to sell the Kindle?.. but i digress..) There are many, many 37Signal fanboys and signal vs noise has to be one of the more popular geek blogs out there.. but.. its really hard not to notice that what the 37Signal guys understand, more than almost anything is how to market to the current geek-hackernews-entrepreneur crowd. They hit all the right notes to appeal to their target demographic every time. There are obviously many times when you disagree with them, (like saying that long hours at work is " making up for intellectual laziness with brute force ", or their take on formal education, or the SalesForce.com bashing you often hear DHH talk about) ...

If you didnt figure that portswigger rocked for his elite " The Web Application Hacker's Handbook ", or for managing to put out a tool ive never heard anything bad about (in an industry full of people who dont hesitate to say bad things..) , you have to give him +1 for having the coolest ad that ever graced an infosec magazine .. BURP SUITE PRO v1.3 NOW* AVAILABLE New features Same logo More expensive http://portswigger.net *Product not available at time of print. Actual release date depends on the motivation and morale of Portswigger's helper monkey, but it will probably be before Christmas (2009)

On Friday my great-aunt passed away. She was an amazingly wonderful, warm lady who's work and efforts have touched the lives of many. When you remember her as the soft spoken, self effacing granny figure at family functions, you tend to forget just how remarkable a person she was. Rhodes University published the following tribute penned by Paul Maylam. It's the sort of tribute that makes you recognize the difference between regular people (like us) and legends like her.. The world is truly poorer for her passing.. [ Tribute by Paul Maylam ]

Welcome to thinkst thoughts, my new blog home. There is a good chance you got here from the SensePost blog, where I've been pondering, posting & prognosticating for the past few years. Add us to your RSS reader .. (aka. the elevator pitch! ) There is much broken in the info-sec industry, and there is much broken in general. There are answers waiting to be discovered, brand new questions waiting to be asked, and really important problems waiting to be worked on. Thinkst Thoughts will be the home of such thoughts, tirades, tips, tricks and tech. tid-bits.. and so it begins... /mh PS. if you subscribe to the RSS feed , ill even promise to stop the a nnoying a lliteration a lready..