From a posting on StackOverflow.
There are many areas of security expertise, so it depends heavily on what you want your career path to look like. At the bits-and-bytes end there is penetration testing and “security research” (which is often as much “cataloging of programming bugs” as actual research). At the more strategic end there is “risk management,” which often spends much of its time on non-technical considerations like appropriate budgets, education and response.
Blah, blah, blah, but how do you get started, right? Read more…
We recently had a discussion on cocoa-students (the excellent list for Big Nerd Ranch alumni; yet another reason to go to BNR classes) about protecting Cocoa programs from reverse engineering, mostly around some anti-copying code. I had some thoughts on the subject since I happen to have a background in anti-counterfeiting.
Cocoa is a reverse-engineer’s dream. Spend some time at culater before dreaming you can really protect a Cocoa program. Objective-C is meant to be highly readable both in source and at run time. Obfuscation is not in its nature. This only points out Objective-C’s particular difficulties in this area; it is not to suggest C or C++ will save you. They’re just not quite as trivial as Objective-C.
That said, the world of obfuscation falls into three big camps: you can try to deal with 70% of your problem, 75% of your problem or 90% of your problem.
Read more…
A fie on useless attempts to stop hacking… At least that’s my current assumption on why Microsoft did this. I’m a Cocoa guy, but I actually like .NET and hack a bit of it now and then. It’s a pretty good framework, though you can see some of the seams where Microsoft didn’t quite think it through when they were designing it and had to tack things on later (the whole System.Text.Encoding namespace is made up of methods that should exist on String; but then C# doesn’t have ObjC-style categories, so they were probably also being more careful about throwing 10k methods on a single class the way Cocoa does, but I’m running off on a tangent here).
The point today is the headache that is the HttpWebRequest.Date property. What HttpWebRequest.Date property you might ask? That’s right; there isn’t one. Read more…
The $10,000 Mac Hack
I recently read a comment about this hack wondering how long the author had sat on the exploit rather than reporting it to Apple. It’s a very important point.
My opinion of these “security researchers” is well known: there’s a difference between bird watching and research. Finding yet another buffer overflow isn’t “research.” Creating a new way to secure systems is research. Coming up with whole new classes of attack might be research (along the lines of bioweapon research). Those who hunt new instances of old bugs are collectors of exotic animals, weapon manufacturers, volunteer quality testers, or a half-dozen other categories that have little to do with science or research. Read more…
Researchers at the University of Illinois at Urbana-Champaign build a new browser from scratch to help keep hackers at bay.
I was incredibly skeptical from the headline. It read to me like “team builds near-useless browser that is probably a bit harder to hack than an unpatched Windows box.” But it’s actually an interesting architecture. I like their early consideration of the plugin issue. Rather than banning plugins, sandboxing them till they can’t do anything, or bemoaning that plugin writers will probably be stupid and break security but it won’t be the browser’s fault, these guys actually seem to have considered how to compartmentalize such that the plugin can be compromised without losing the farm. That’s a good security lesson for us all. It’s not about making sure nothing bad ever happens or banning everything that could ever let something bad happen. It’s about making sure that when bad things do happen (and they will), the damage is contained to the piece that was compromised. And to this feature, wow:
The UIUC team has also designed a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.
That’s a team that “gets it.” You will get hacked. Designing for what you do after you get hacked is a sign of great security thinking.