August 21st, 2008 Anthony Towry
The team working on the Android mobile platform project have recently published an introduction to Full Disclosure and other security outlets. The team made a great move here toward encouraging hackers to responsibly disclose security issues.
The post mentions one item that many researchers value a great deal...transparency throughout the remediation process. The guys and gals at Android seem to "get it", I'm hoping it works out for them.
Posted in Programming, Security | No Comments »
July 13th, 2008 Anthony Towry
Last year sometime after Defcon and the early stages of forming the DC405, a friend of mine (m00dimus) got me into participating with the Open Source Vulnerability Database Project. Since then we've had some big fun organizing mangle parties to promote project participation (even if we beat more beer than bugs sometimes) and we've made a significant contribution to the effort.
Over the past 9 months or so, I've gotten a lot out of digging into some of the vulnerabilities I've researched. I've passed a major milestone in my mangling, now sitting at 100.25 points! I do want to say thanks to the group at OSVDB for the new 2.0 interface, which cut the time for each submission in half.
Let's keep it rolling! Join OSVDB and get mangling!
Posted in Community, Projects, Security | No Comments »
April 21st, 2008 Anthony Towry
This weekend I finished the Syngress Publishing book Open Source Fuzzing Tools. The book didn't take long. Part of the reason is that there really isn't a ton of technical information in the book to hold up the reader in lab exercise. It's not completely devoid of detailed fuzzer usage, but it's not wall to wall "let's go break some software" either. Read the rest of this entry »
Posted in Uncategorized | No Comments »
March 3rd, 2008 Anthony Towry
The Google Summer of Code is back for another round. If you're a college coder looking for a great way to work for a non-profit open source organization this summer, check out the GSoC. For the rest of us, we can sit around and wait for the new developments to be added in to our favorite projects.
OSVDB has posted some of their ideas for the GSoC. Check out some of the interesting stuff there.
I like the OSVDB Port Listing Project suggestion. Initially I didn't think much of this, but the possibilities for integrating this with firewalls and IDS systems could be really cool.
The other suggested project I found interesting is the idea of creating a Vulnerability and Patch Management Portal with OSVDB. Vulnerability management practices are going to become increasingly important in the coming years and tools like this should be well received.
My only issue is that, if I were handling vuln management for an organization I wouldn't be particularly keen on storing any information on my organization's current patch level, schedule, etc. out on the internet.
The Summer of Code projects are interesting, inspiring and great way to get some more attention for community oriented projects. I'm looking forward to seeing what gets done this summer.
Posted in Community, Programming, Security | 1 Comment »
December 13th, 2007 Anthony Towry
Jake Kouns of OSVDB recently sent around this e-mail:
Just a quick email to let everyone know that we have started the 2.0
upgrade. The new site, with all new (and very cool) data management
interface will be online Friday night. In the meantime, kick back and relax!
So if you haven't signed up to do some vulnerability research yet this is a great opportunity to get in on a new era with a killer project.
Posted in Community, Security | No Comments »
November 2nd, 2007 Anthony Towry
...or at least trying to. I applied to get an account with the Open Source Vulnerability Database project a while back. Today I found out that my application was accepted and had been sitting in my spam folder for over two weeks. Nice.
If you're signed up to contribute to the project you're supposed to try to keep up with mangling a vulnerability on at least a daily basis. So, needless to say, I feel like I'm about two weeks behind. Sure, the guys at OSVDB probably aren't going to bust my balls about it, but still Read the rest of this entry »
Posted in Projects, Security | 2 Comments »
October 31st, 2007 Anthony Towry
Today on bugtraq Michal Zalewski , a noted security researcher who pounds out some pretty cool tools, posted a new fuzzer for the C language. Bunny the Fuzzer is available through Google Code.
So, if you know me personally, you know that lately I've been pretty drawn to fuzzing and Read the rest of this entry »
Posted in Security, Testing | No Comments »
