My colleague Alexios gave a talk about evading XSS filters at the recent OWASP conference; what strikes me is the multitude of ways you can do it. I am sure you will find something you didn't know when watching it:
NIST recently published the Special Publication 800-121 "Guide to Bluetooth Security". I skim-read it, and while it certainly is a good overview, it seriously lacks in some areas. Unfortunately, I concentrated on other areas than Bluetooth the last year, and after doing the 23C3 speech and publishing BTCrack I have not really dug further. Maybe it's time to dig into it again a bit more.
Need an argument to sell a secure development lifecycle to upper management? Present them this (probably) hand-drawn scientific chart:
I expect this chart to be somehow close to reality when referring to large and mature software projects, although it's soooo interestingly non-scientific ;)