I’ve decided to set up a Facebook Public Figure page, so that I can accept more friend requests from those in my industry, but also to help filter out cat memes from the infosec content. Facebook requires a privacy policy. It’s going to be incredibly simple: At this time, I do not intend to collect,…
Keeping work papers
I’d like to hear about folks’ record-keeping practices: when you will take a note and when you won’t, whether you use written notes, tools, text files or Word docs, how long you take recording stuff, and whether it has ever saved your bacon. For background, I’ve been doing this for 20+ years and I’ve…
Porting Freemint to ARM – Retro Challenge RC2017/10
The Retro Challenge is an interesting idea – pick a project that is over 10 years old, and blog about working on it for a month. Most folks pick older computers that they acquire and fix up, or do something interesting, such as adding network functionality to Apple IIs, or running Twitter clients over serial. These…
Training the next generation or abolition of the Australian 457 visa
Without consultation or warning, the Australian Government has decided to abolish the speciality skilled migration 457 visa system. There is currently a great deal of confusion, but it seems that the current plan is that there are two lists of skills shortages eligible for varying lengths of temporary stay and migration outcome: The Short Term Combined Skills Shortage…
The intelligence kimono
Some of my IR and forensics friends who I highly respect are getting all bent out of shape about attribution, or the perceived lack of solid evidence for attribution regarding the DNC attacks. In particular, many of them are now publicly doubting on social media (and mainstream media) that Russia is behind the DNC hacks. When the Guccifer…
Standing for the OWASP Board in 2017 – 2018
I am standing again for the OWASP Board, again representing the Asia Pacific region, which is a huge growth area for OWASP globally. The growth opportunities in Australia, New Zealand, Singapore, Japan, Malaysia, the Philippines, and in particular Indonesia are immense. My goal for OWASP is to transition us from a small fast-growing non-profit to a healthy sustainable non-profit,…
On backdoors and malicious code
So since the ASVS 3.0 retired many of the malicious code requirements, and after actually doing a line-by-line search of ~20 kLOC of dense J2EE authentication code, I’ve been thinking about the various ways that backdoors might be created and not be findable by either automated or line-by-line searches. This obviously has…
Time to start rebuilding GaiaBB
In a life a long time ago, in early 2002, we had to move Australia’s largest Volkswagen car forum from EzyBoard, which was distributing malicious ads and hard-to-get-rid-of pop-ups to our users, to our own forum software. After a product selection, I chose XMB, which was (and is) better than…
Looking back at 2009 and Predictions for 2015
I looked back at the “predictions” for 2010, a post I wrote five years ago, and found that besides the dramatic increase in mobile assessments this last year or two, the things I was banging on about in 2009 are still issues today: Developer education is woeful. I recently did an education piece for a developer…
Independence versus conflict of interest in security reviews
I was giving a lecture to some soon-to-be-graduating folks today, and at the end of the class, a student came up and said that he wasn’t allowed to work with auditors because “it was a conflict of interest”. No, it’s not. And here’s why. Conflict of interest: It’s only a conflict of interest if a…