Risky Business #107 -- Mark Dowd talks native client security
Thanks to our sponsor Sophos, this week's edition of the Risky Business podcast is ready to download!
This week's feature interview is pretty kickass; a chat with security megalegend Mark Dowd. We talk to Mark about his entry in Google's Native Client security competition. It's very interesting stuff that could really have implications for your job in a few years.
Well I'd be really interested to know how long people would like RB to be...
I aim for 40-50 minutes these days... I actually cut around 20 minutes from this week's show to make it fit.
Would people like a shorter podcast?
Noooo, I like longer podcasts. I listen to them while walking/catching public transport so I'd much rather listen to some secnews than the screeching of trains...
I don't think the length matters so much as, is it filled with content?
I'd much rather 30 mins of good content show, than 60 mins with a lot of sweepers or ads.
like life; it's about balance :)
40-50 minutes is ideal for me. I remember listening to a few "series of tubes" on IT Radio that were only 20 minutes and only seemed to scratch the surface of the topic and leave me disappointed.
Altonius
I've come across a few PDF Forms recently.
One was an employment contract for a big IT Outsourcer, and another was their Salary Sacrifice provider. Both forms had programmatic checks to make sure you weren't entering text into the date field or similar. Don't know why they went to all that effort as you couldn't submit it electronically, you had to print it off to manually sign them anyway..... so you could have just hand written the information.
Anyone else seen a real reason to use pdf forms in the wild?
Altonius
I could envision using PDF forms where I work, we're an education provider, and all of the application forms to study with us are submitted in PDF. If we had an electronic form that allowed people to fill out the form and be corrected with some user validation in the form, that would help our admissions team out.
but beyond the basics of user can't enter letters in a datefield, user can't enter numbers in a textfield, I see it mostly being superfluous.
Keep it at 50-60min which I think is ideal.

To provide some context: I listen to around 70 podcasts, and several of them started to slowly extend their playtime. Makes an important difference for me.

About a year ago, during my PDF research, I noticed 2 AV products standing out because of their PDF parsing capabilities: Sophos and McAfee. But more parsing capabilities means more program code for the parser, and thus more (exploitable) bugs. And exploiting AV software leads almost always to full system compromise.
Back then, these AV products didn't deal with name obfuscation:
http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ i.e., you could avoid detection by obfuscating names, say /JavaScript -> /J#61vaScript
And I want to correct one thing mentioned in the Sophos interview: although executables can be embedded in PDF files, Adobe Reader and Foxit Reader will not allow you to extract them, e.g. save them or open them.
Many executable file formats are blocked, even scripting languages like VBScript. However, I found a couple that aren't. Like Python scripts. It's extremely rare to find Python installed on the average Windows box, but most *nix boxes have it installed! ;-)
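Detection for the name-obfuscation trick Didier describes, as an added example that is not code from his blog post or from any AV product: a PDF name object may hex-escape any character as #xx, so a scanner that compares raw bytes against "/JavaScript" misses "/J#61vaScript". The example decodes the escapes before matching against a watch list, on constructed PDF fragments.

```python
import re

# Constructed sample PDF dictionary fragments (not taken from the page):
# one uses the plain name, one hex-escapes 'a' as #61 inside the name.
SAMPLES = {
    "plain": b"<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>",
    "obfuscated": b"<< /Type /Action /S /J#61vaScript /JS (app.alert(1)) >>",
}

# A name starts with '/' and runs until whitespace or a PDF delimiter.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]*)")
# PDF 1.2+ allows #xx (two hex digits) for any byte inside a name.
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth flagging for closer inspection (illustrative watch list).
SUSPICIOUS = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile"}


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript and /#4A#61vaScript both read JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def find_names(data: bytes) -> list:
    """Return every name object in the fragment, with escapes decoded."""
    return [normalize_name(m.group(1)) for m in NAME_RE.finditer(data)]


def suspicious_names(data: bytes) -> dict:
    """Count watch-listed names after normalisation; this is the robust check."""
    counts = {}
    for name in find_names(data):
        if name in SUSPICIOUS:
            counts[name] = counts.get(name, 0) + 1
    return counts


def naive_hits(data: bytes) -> bool:
    """The byte-pattern check that name obfuscation evades."""
    return b"/JavaScript" in data


if __name__ == "__main__":
    for label, frag in SAMPLES.items():
        print(label, "naive:", naive_hits(frag), "normalised:", suspicious_names(frag))
```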

yeah I think the current format of the show is good. If it ain't broke don't fix it.
@Didier Stevens: Really 70 podcasts, yikes. If they are monthly and average 30 min each that is 35 hours a month, that is insane. Forgetting about weekly podcasts, I think you need to prioritise and remove ones you care less about. Obviously posting here means you care about RB...
I also listen to a fair few, say 20 with a couple of video podcasts; I constantly prioritise and remove ones that I have lost interest in. Mine average an hour and most are monthly (or greater, I am looking at you secthis), with only two being weekly. This tends to do me but it has started encroaching on my lunch hour and weekends... ah well, that's the price we pay to keep updated.
--
"Put me here and I am all yours, not for the money and not for the applause", Melanie Safka

@changlinn my podcast list is prioritized, a couple of hours per day is no problem, I can multitask.

Hi folks,
To me, as long as it comes from Patrick it can even be as long as 12 hours, maybe for your 150th episode? ;o)
One suggestion: why not index each episode in the wiki with a segment timeline?
It may not please your ad providers but it can help locate the segment of interest quickly.
Cheers. TT
That is a lot of podcasts, care to mention some of your favorite ones? This is the only audio podcast I listen to but I watch 4 weekly video podcasts which are about 50 minutes long.

About an hour per podcast is good for me. If they get too long then I have problems leaving them in the middle and having to find where I was when I come back. My mp3 player does not do fast forward or reverse that well. You could make as many as you like. I really appreciate the quality and technical depth in a Risky Biz podcast.

I had 2 thoughts about the interview with Mark.
1. Could I write a buggy program, and then exploit the bug to get instructions around the validation process?
2. Self modifying code.
I have not browsed all 33 pages of the reported issues list.
http://code.google.com/p/nativeclient/issues/list

@Didier Stevens: if you can multi-task the podcasts with work then why should you care if it creeps to be longer? If you are working ~40 hours a week that would easily handle 70 two-hour podcasts that are updated monthly. Of course RB is weekly... so I guess you have to keep monitoring it; if it stops being relevant/interesting then, like TV shows etc., the time is part of the weight you can give it.
@grimreeper: PM on its way if you were talking to me about my number of podcasts.
@ACoward: I think you posted in the wrong thread...
--
"Put me here and I am all yours, not for the money and not for the applause", Melanie Safka
Yes I was talking to you changlinn. Thanks for the PM

@changlinn My mistake. I thought that the purpose of this thread was to discuss episode #107 -- Mark Dowd talks native client security.
I'll go try to find that thread now.

@ACoward: sorry, it was, you were just bringing us all back on topic... we had drifted so far from it I had forgotten what it originally was, so thank you for getting off the other topic.
To actually answer your post:
> 1. Could I write a buggy program, and then exploit the bug to get instructions around the validation process?
Problem I think is that the code is sandboxed, even further than the existing (albeit minimal) browser sandbox, but I would say it will happen this way. Vulnerabilities in the sandbox, methods to break out of the sandbox etc.
> 2. Self modifying code.
I don't get what you mean, like a worm or trojan that modifies itself to evade detection. Yep, that probably could be written, but it would still execute inside the sandbox, so maximum damage would probably be to crash the sandbox.
--
"Put me here and I am all yours, not for the money and not for the applause", Melanie Safka

I agree that defeating the code validator still leaves the problem of escaping the sandbox. I currently do not know how the sandbox is implemented. I need to look at the project more closely.
I should have been less sarcastic in my last post. I am sorry.

Hi Patrick.
I've yet to listen to the last episode, but I see it's around 50 minutes long. I must say I rather prefer the 30 min podcasts.
Cheers,
Didier