Open Security Laboratory (http://www.opensecuritylab.org): Computer Security and other Tech-related stuff

Architecting for the Cloud, demo and best practices
Fri, 02 Dec 2011 21:48:00 -0800
http://www.opensecuritylab.org/architecting-for-the-cloud-demo-and-best-prac

Author: Panggi Libersa Jasri Akadol (panggi, http://posterous.com/users/5ebzGYrzOlvb)
Cloud-powered Continuous Integration and Deployment architectures - Jinesh Varia
Thu, 01 Dec 2011 13:22:00 -0800
http://www.opensecuritylab.org/cloud-powered-continuous-integration-and-depl

Load Balancing a http and https enabled site with Apache and Ubuntu
Wed, 19 Oct 2011 03:29:00 -0700
http://www.opensecuritylab.org/load-balancing-a-http-and-https-enabled-site

If you are a web developer and want to add SSL for security reasons, I bet that you will not enable SSL on every page of your website. Why? Because it is SO SLOW!!

Using SSL means that the traffic between the client and the server is encrypted, so more data is transferred than without it. So many developers enable SSL only for the places that need protection, such as settings and messaging features, and switch back to HTTP for the pages that don't need to be protected.

Everything looks nice and clean until you need to load balance your site because of increasing traffic. Yes, load balancing means you need more than one server. And if you manage more than one server, you need to do something with the SSL certificate that you have for one domain only. That's not the only problem: as we know, some big players out there like Rackspace offer load balancing as a service, but it cannot manage multiple ports (80 + 443) at once. So, what do you have to do?

Let's make one! :)

In this tutorial, I assume that you are already familiar with Linux servers.

- Install Apache server

- Enable modules needed

- Comment out the content of /etc/apache2/sites-available/default

- Edit the /etc/apache2/httpd.conf

- Restart the Apache server and voila!
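A configuration of the kind the steps above lead to, added here as an example rather than the post's own file. It assumes Apache 2.2 on Ubuntu with `a2enmod proxy proxy_http proxy_balancer ssl headers` already run, two backends at 10.0.0.11 and 10.0.0.12, and a certificate for www.example.com under /etc/ssl; all of those names are placeholders.

```apache
# Added example, not the post's own config. Placeholders: backend addresses,
# hostname and certificate paths. Goes into /etc/apache2/httpd.conf (or a file
# under sites-available that is then enabled with a2ensite).

# Never act as an open forward proxy; only the explicit ProxyPass rules apply.
ProxyRequests Off
# Pass the original Host header on, so the Rails app builds correct URLs.
ProxyPreserveHost On

# One backend pool shared by the plain and the TLS virtual host, so a visitor
# can switch between http and https pages and still reach the same application.
<Proxy balancer://railspool>
    BalancerMember http://10.0.0.11:80 retry=30
    BalancerMember http://10.0.0.12:80 retry=30
    ProxySet lbmethod=byrequests
</Proxy>

# The status page can take members in and out of service: local access only.
<Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.com
    ProxyPass /balancer-manager !
    ProxyPass / balancer://railspool/
    ProxyPassReverse / balancer://railspool/
    # Rack and Rails derive request.ssl? from this header; without it the app
    # cannot tell which pages were reached over TLS. Because the backends trust
    # it, they must accept connections only from this balancer.
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # The certificate lives only here; the backends speak plain HTTP to the
    # balancer, so one certificate serves however many servers are in the pool.
    ProxyPass /balancer-manager !
    ProxyPass / balancer://railspool/
    ProxyPassReverse / balancer://railspool/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Run `apache2ctl configtest` before the restart in the last step.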

Continuous Integration : combining Jenkins, Rails and headless Selenium
Wed, 19 Oct 2011 03:17:00 -0700
http://www.opensecuritylab.org/continuous-integration-combining-jenkins-rail

My presentation at the Jakarta Ruby meetup, 17 October 2011.


Jenkins/Hudson random tips - add password to 'database.yml' using 'sed'
Thu, 30 Jun 2011 01:45:00 -0700
http://www.opensecuritylab.org/jenkinshudson-random-tips-add-password-to-dat

It's been a long time since my last blog post :)

OK, so I will start with a simple tip. I don't know about you guys, but in my team's Rails projects we keep database_example.yml instead of database.yml in our repository (SVN/git etc.) and write the password there. The problem comes the first time you create a job: the code is downloaded from the repository and you want to start building your project using "rake db:migrate" for the migration.

Do you see the problem? Yup, the default Rails configuration file for the database is database.yml, but the one downloaded from the repository is database_example.yml, with no password inserted. The result is "FAILURE" when building the job, because database.yml doesn't exist and the database password is not filled in yet.

The solution:

  1. Search the text in database_example.yml that contains "password:" and replace it with "password: yourpassword".
  2. Save it as database.yml

For those operations, we can use the 'sed' command. We can use sed to change all occurrences of one string to another within a file, just like the search-and-replace feature of your word processor. The sed command can also delete a range of lines from a file. Since sed is a stream editor, it takes the file given as input and sends the output to the screen, unless we redirect the output to a file. In other words, sed does not change the input file.

For this case, see the code below :

Put the code in your Jenkins build step before running the migration. Enjoy :)
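An alternative to the sed one-liner the post describes, added here as an example (not the post's own code): a Ruby script run from the same Jenkins build step that parses database_example.yml instead of doing a text replace, and takes the password from a DB_PASSWORD environment variable (an assumed name) so the secret is neither committed nor pasted into the job configuration. It assumes a plain YAML file with per-environment "password:" keys and no ERB.

```ruby
# Added example, not from the original post. Assumed layout: config/database_example.yml
# is plain YAML (no ERB) whose top-level keys are Rails environments.
require 'yaml'

# Returns the text of database.yml with +password+ filled in for every
# environment block of the example file.
def fill_database_yml(example_yaml, password)
  config = YAML.safe_load(example_yaml) # plain YAML only: no Ruby objects
  raise 'database_example.yml is not a mapping of environments' unless config.is_a?(Hash)
  config.each_value do |db|
    db['password'] = password if db.is_a?(Hash)
  end
  YAML.dump(config)
end

# Reads +src+, writes +dst+ owner-readable only, and returns the written text.
# Fails loudly when the password is missing instead of producing a file with
# an empty password that only breaks later at "rake db:migrate".
def write_database_yml(src, dst, password)
  raise 'DB_PASSWORD is not set' if password.nil? || password.empty?
  out = fill_database_yml(File.read(src), password)
  File.open(dst, 'w', 0600) { |f| f.write(out) } # the file now holds a secret
  out
end

# Jenkins exports JENKINS_HOME to build steps; when loaded elsewhere the
# functions above are just defined for reuse.
if __FILE__ == $PROGRAM_NAME && ENV.key?('JENKINS_HOME')
  write_database_yml('config/database_example.yml', 'config/database.yml', ENV['DB_PASSWORD'])
end
```

In the build step this becomes `ruby script/make_database_yml.rb` with DB_PASSWORD injected by the job environment, ahead of `rake db:migrate`.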

Agile the Pivotal Way
Sat, 19 Feb 2011 08:36:00 -0800
http://www.opensecuritylab.org/agile-the-pivotal-way

When I was in college, I learnt about Agile development only in theory and I didn't really get it. This was reinforced by the fact that I coded in PHP, I mean no frameworks; object-oriented and procedural were all mixed up, and I coded just for fun as long as it was working and secure (yeah, I love secure programming).

Since I migrated to being a Rails programmer, I saw many new things that I didn't get from my old way of working. And because there are only a few Rails coders here in Indonesia, I don't have a place to ask and share my problems. Thank GOD there's a cool thing created by man named "The Internet". I read a lot about Ruby, Rails, TDD/BDD, how to deploy, bla bla. And not just books (PDF); I also collect the video casts and slides.

Some names appeared: Yukihiro Matsumoto (Matz), 37signals, Heroku, Engine Yard, GitHub, Pivotal Labs, Hashrocket, Envylabs, DHH, Yehuda Katz, Dave Thomas, Michael Hartl, José Valim, Obie Fernandez, Greg Pollack, Sam Ruby, TextMate, RubyMine and many more.

And what I love about my condition right now is: "liberated". And now I have something like a new culture that I love to be part of.

Back to Agile: this methodology is used by most Rails developers. But it's not "one size fits all"; they are flexible according to the conditions. This video and slide deck present "Agile the Pivotal Way" by Ian McFarland, Principal and VP of Technology for Pivotal Labs.

The video is 49:45 long and you can download it here in mp4 format: Agile the Pivotal Way

The slide of this presentation can be downloaded here : http://bit.ly/fCIznj

And if you want to see it here, I embedded the slides from SlideShare. Enjoy :)

One in ten IT professionals have access to accounts from previous jobs
Thu, 17 Feb 2011 22:23:00 -0800
http://www.opensecuritylab.org/one-in-ten-it-professionals-have-access-to-ac

Information is one of the most valuable assets in a company these days: customer records, strategy, financials and many other things that only insiders have the right to know.

According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users’ electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence.

The results of the survey - conducted by Quest Software and Harris Interactive - underscore how these technologies, or lack thereof, are making it more difficult for employees to get their jobs done, and how they are causing greater concern about insider threats to IT security.

Key research findings, based on two surveys of more than 1,000 employees and 500 IT decision-makers in the U.S., include:

  • 51 percent of IT professionals report they are concerned about insider threats to network security in their company’s current infrastructure.
  • One in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they’ve left the organization.
  • 52 percent of employees admit that they’ve shared their work log-ins and passwords with other co-workers, and vice versa.
  • One in four IT professionals spend more than 30 minutes per day logging into different websites and databases they need for work.
  • 65 percent of workers contact the help desk or IT department at least once per month when they can’t access a system needed for work.
  • 94 percent of IT professionals say it is important to be able to manage access, user identities and passwords quickly and efficiently.
  • 90 percent of IT professionals agree that companies need to do more to manage and protect users’ electronic identities. 88 percent say identity and access management is an important mechanism to increase security in companies.
  • More than a third (34 percent) of IT professionals say their companies don’t realize the value of identity and access management technology as an integral part of their arsenal of security tools.

via net-security

XSS Prevention Rules
Mon, 07 Feb 2011 12:39:00 -0800
http://www.opensecuritylab.org/xss-prevention-rules

The following rules are intended to prevent all XSS in your application. While these rules do not allow absolute freedom in putting untrusted data into an HTML document, they should cover the vast majority of common use cases. You do not have to allow all the rules in your organization. Many organizations may find that allowing only Rule #1 and Rule #2 are sufficient for their needs. Please add a note to the discussion page if there is an additional context that is often required and can be secured with escaping.

Do NOT simply escape the list of example characters provided in the various rules. It is NOT sufficient to escape only that list. Blacklist approaches are quite fragile. The whitelist rules here have been carefully designed to provide protection even against future vulnerabilities introduced by browser changes.

RULE #0 - Never Insert Untrusted Data Except in Allowed Locations

The first rule is to deny all - don't put untrusted data into your HTML document unless it is within one of the slots defined in Rule #1 through Rule #5. The reason for Rule #0 is that there are so many strange contexts within HTML that the list of escaping rules gets very complicated. We can't think of any good reason to put untrusted data in these contexts.

Most importantly, never accept actual JavaScript code from an untrusted source and then run it. For example, a parameter named "callback" that contains a JavaScript code snippet. No amount of escaping can fix that.

RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content

Rule #1 is for when you want to put untrusted data directly into the HTML body somewhere. This includes inside normal tags like div, p, b, td, etc. Most web frameworks have a method for HTML escaping for the characters detailed below. However, this is absolutely not sufficient for other HTML contexts. You need to implement the other rules detailed here as well.

Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity.

See the ESAPI reference implementation of HTML entity escaping and unescaping.


RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes

Rule #2 is for putting untrusted data into typical attribute values like width, name, value, etc. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover. It is extremely important that event handler attributes should follow Rule #3 for HTML JavaScript Data Values.

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , - / ; < = > ^ and |.

See the ESAPI reference implementation of HTML entity escaping and unescaping.


RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values

Rule #3 concerns the JavaScript event handlers that are specified on various HTML elements. The only safe place to put untrusted data into these event handlers is as a quoted "data value." Including untrusted data inside any other code block is quite dangerous, as it is very easy to switch into an execution context, so use with caution.

Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!

For example:

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. Do not use any escaping shortcuts like \" because the quote character may be matched by the HTML attribute parser which runs first. If an event handler is quoted, breaking out requires the corresponding quote. The reason this rule is so broad is that developers frequently leave event handler attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters including [space] % * + , - / ; < = > ^ and |. Also, a </script> closing tag will close a script block even though it is inside a quoted string because the HTML parser runs before the JavaScript parser.

See the ESAPI reference implementation of JavaScript escaping and unescaping.

RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values

Rule #4 is for when you want to put untrusted data into a stylesheet or a style tag. CSS is surprisingly powerful, and can be used for numerous attacks. Therefore, it's important that you only use untrusted data in a property value and not into other places in style data. You should stay away from putting untrusted data into complex properties like url, behavior, and custom (-moz-binding). You should also not put untrusted data into IE’s expression property value which allows JavaScript.

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. Do not use any escaping shortcuts like \" because the quote character may be matched by the HTML attribute parser which runs first. Prevent switching out of the property value and into another property or attribute. Also prevent switching into an expression or other property value that allows scripting. If the attribute is quoted, breaking out requires the corresponding quote. All attributes should be quoted, but your encoding should be strong enough to prevent XSS when untrusted data is placed in unquoted contexts. Unquoted attributes can be broken out of with many characters including [space] % * + , - / ; < = > ^ and |. Also, the </style> tag will close the style block even though it is inside a quoted string because the HTML parser runs before the JavaScript parser. Please note that we recommend aggressive CSS encoding to prevent XSS attacks for both quoted and unquoted attributes.

See the ESAPI reference implementation of CSS escaping and unescaping.

RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values

Rule #5 is for when you want to put untrusted data into an HTTP GET parameter value.

Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format. Including untrusted data in data: URLs should not be allowed as there is no good way to disable attacks with escaping to prevent switching out of the URL. All attributes should be quoted. Unquoted attributes can be broken out of with many characters including [space] % * + , - / ; < = > ^ and |. Note that entity encoding is useless in this context.

See the ESAPI reference implementation of URL escaping and unescaping.

WARNING: Do not encode complete or relative URLs with URL encoding! If untrusted input is meant to be placed into href, src or other URL-based attributes, it should be validated to make sure it does not point to an unexpected protocol, especially JavaScript links. URLs should then be encoded based on the context of display like any other piece of data. For example, user-driven URLs in HREF links should be attribute encoded. For example:

https://gist.github.com/815206.js?file=xss-rule-5
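Rules #1 to #5 carried out in Ruby, added here as an example (not the ESAPI reference implementation or the gists the rules link to): one escaper per context, plus the scheme check that the warning under Rule #5 asks for. The URL-parameter escaper goes slightly beyond the rule by percent-encoding every non-alphanumeric UTF-8 byte; the allow-list of schemes is an assumption.

```ruby
# Added example, not from OWASP or the blog. Assumed: inputs are Ruby Strings
# that came from a user; the safe scheme list below is an assumption.
require 'uri'

# Rule #1: HTML element content. Hex entities for the five XML-significant
# characters plus the forward slash.
HTML_ENTITIES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#x27;', '/' => '&#x2F;'
}.freeze

def escape_html_content(s)
  s.gsub(%r{[&<>"'/]}) { |c| HTML_ENTITIES[c] }
end

# Shared by Rules #2, #3 and #4: every character that is not [A-Za-z0-9] and
# whose code point is below 256 is handed to the block for encoding.
def escape_non_alnum(s)
  s.each_char.map do |c|
    cp = c.ord
    (c =~ /\A[A-Za-z0-9]\z/ || cp >= 256) ? c : yield(cp)
  end.join
end

# Rule #2: common HTML attributes. &#xHH; form, so even an unquoted attribute
# cannot be terminated by a space, = or >.
def escape_html_attribute(s)
  escape_non_alnum(s) { |cp| format('&#x%02X;', cp) }
end

# Rule #3: JavaScript data values. \xHH form only; no \" shortcut, because the
# HTML attribute parser runs first and would match the quote.
def escape_js_data(s)
  escape_non_alnum(s) { |cp| format('\\x%02X', cp) }
end

# Rule #4: CSS property values. \HH form, terminated by a space so that a hex
# digit following the escaped character in the data is not absorbed into it.
def escape_css_value(s)
  escape_non_alnum(s) { |cp| format('\\%02X ', cp) }
end

# Rule #5: a value placed into a URL parameter. %HH form; every byte that is
# not [A-Za-z0-9] is encoded, so characters above 255 come out as their UTF-8
# bytes instead of being passed through. Entity encoding is useless here.
def escape_url_parameter(s)
  s.encode('UTF-8').bytes.map do |b|
    alnum = (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5A) || (b >= 0x61 && b <= 0x7A)
    alnum ? b.chr : format('%%%02X', b)
  end.join
end

# Rule #5 warning: a complete URL destined for href/src is validated, not
# URL-encoded. Returns the URL when its scheme is on the allow list (relative
# URLs pass), nil otherwise; the caller then attribute-encodes it (Rule #2).
SAFE_SCHEMES = %w[http https mailto].freeze

def safe_href(url)
  u = url.strip
  # Browsers drop control characters while parsing the scheme, which is how a
  # "java\tscript:" value slips past a naive prefix check; reject them outright.
  return nil if u =~ /[\x00-\x1F\x7F]/
  parsed = URI.parse(u)
  return nil if parsed.scheme && !SAFE_SCHEMES.include?(parsed.scheme.downcase)
  u
rescue URI::Error
  nil
end
```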

RULE #6 - Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way

https://gist.github.com/815212.js?file=xss-rule-6

RULE #7 - Prevent DOM-based XSS

For details on what DOM-based XSS is, and defenses against this type of XSS flaw, please see the OWASP article on DOM-based XSS.

Related Articles

XSS Attack Cheat Sheet

The following article describes how to exploit different kinds of XSS Vulnerabilities that this article was created to help you avoid:

Description of XSS Vulnerabilities

  • OWASP article on XSS Vulnerabilities

How to Review Code for Cross-site scripting Vulnerabilities

How to Test for Cross-site scripting Vulnerabilities

Other Articles in the OWASP Prevention Cheat Sheet Series

Authors and Primary Editors

Jeff Williams - jeff.williams[at]aspectsecurity.com

Jim Manico - jim[at]manico.net

via OWASP

USB Autorun Attacks Against GNU/Linux OS
Mon, 07 Feb 2011 11:18:00 -0800
http://www.opensecuritylab.org/usb-autorun-attacks-against-gnulinux-os

So, even if you use GNU/Linux, it doesn't mean that you don't have to care about malicious code. Enjoy the show :)

This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things.

Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not.

via net-security

Videos Related To Phreaking
Thu, 27 Jan 2011 04:31:00 -0800
http://www.opensecuritylab.org/videos-related-to-phreaking


Unsolved Mysteries: Kevin Poulsen

This infamous Unsolved Mysteries segment features Kevin Poulsen aka Dark Dante, hacking ARPANET and breaking into a CO to "work" on the ESS. Telephone company investigators Terry Atchley and Jon Von Brauch, who worked to arrest Poulsen, also appear in this episode. This is a must-see video! Click here to download.

CNN: Justin Petersen AKA Agent Steal

CNN & Time feature Justin Petersen in a segment titled "Digital Desperado." This 13-minute video, produced in 2000, covers Agent Steal's history, from breaking into C.O.'s with Kevin Poulsen and Ron Austin, to wiretapping, to what he's up to these days. This is the first and only video I've ever seen of Agent Steal anywhere. Click here to download.

Fox News: Amdocs, CALEA, & Comverse

Fox News does a three-part story on the possibility of Israelis spying on Americans through data mining of call records. Amdocs, a company which handles billing for major telcos, is detailed in the first story, with CALEA and Comverse featured in the second part of the story. If you don't know who Amdocs and Comverse are, you have to watch this episode. Click here to download.

Documentary: Unauthorized Access

Unauthorized Access is a four part documentary, with the first segment focusing on Phiber Optic in New York with an interview and footage of Phiber on Off the Hook right before he goes away to serve out his prison term. There's also a quick bit on Agent Steal in Los Angeles and what he was up to with Kevin Poulsen. Click here to download.

TLC Hackers: Computer Outlaws

Hackers: Computer Outlaws was an hour long documentary produced by TLC. It features Steve Wozniak, Captain Crunch, Denny Teresi, Kevin Mitnick and their individual stories, heavily focused on phreaking. Click here to download.

60 Minutes: Kevin Mitnick

60 Minutes interviews a younger-looking Kevin Mitnick in 2000. The second half of the video features newer footage of Kevin and focuses on him turning legitimate. There's even a quick clip of Mitnick's guest appearance on the TV show "Alias" towards the end. Click here to download.

CNBC: Kevin Mitnick Interview

A more recent video of CNBC interviewing Kevin Mitnick about his past. Kevin admits he cannot whistle into a telephone and launch a nuclear weapon and also explains how his own web site was recently hacked. This reporter had never heard of the term "phone phreaking" before and laughs about it. Click here to download.

DougTV: Episode 1

This classic episode of DougTV stars Lucky225 as he uses his mouth to redbox. Lucky also talks about how to get free 411, ANI II digits, and hybrid payphones. Lucky also calls all kinds of cool test numbers throughout the episode. A must see. Click here to download.

TelCove: Central Office Tour

This is a quick six-minute video of a virtual tour through a TelCove Central Office! It's almost as good as a live tour, and the host does a good job explaining what everything is and its function throughout the CO. Click here to download.

HackTV: Episode 2

This episode of HackTV features Zer0db and StankDawg exploring the phone connections in a utility room and then quickly moving to a remote fiber distribution terminal. Zer0db gives a great break down of exactly what you'll find in a fiber distribution terminal, including the alarm system. Click here to download.

BBS Documentary Interview: Minor Threat

This 40 minute interview by Jason Scott features Minor Threat detailing his development of ToneLoc, the famous wardialer. Also, Minor Threat talks about Southwestern Bell's DATU systems and how he used to use them back in the day. Click here to download.

Source : http://www.phreakvids.com/

Efficient Rails Test-Driven Development
Wed, 26 Jan 2011 04:25:00 -0800
http://www.opensecuritylab.org/efficient-rails-test-driven-development

Great series of screencasts about Rails. *Must Watch*

Learn how to apply the test-first approach to all of your Rails projects. In this six class series, experienced Rails engineer and consultant, Wolfram Arnold applies his real-world perspective to teaching you effective patterns for testing.

Presented by: Wolfram Arnold, in collaboration with Sarah Allen.

Videos, slides and source code:

Class 1 : http://marakana.com/forums/ruby/ruby_on_rails/191.html

  • The economics of testing
  • Testing in layers, design patterns
  • Toolbox: RSpec with Rails
  • RSpec & Models

Class 2 : http://marakana.com/forums/ruby/ruby_on_rails/195.html

  • A culture of testing: Why TDD? How to TDD?
  • Testing & Date Dependencies
  • Toolbox: Fixtures, Factories, Mocks & Stubs

Class 3 : http://marakana.com/forums/ruby/ruby_on_rails/201.html

  • Controller testing
  • View, Helper, Routes Testing
  • How much is enough? How much is too much?

Class 4 : http://marakana.com/forums/ruby/ruby_on_rails/204.html

  • Refactoring code & tests, custom matchers
  • API Testing
  • Remote data setup
  • Cucumber for API testing & documentation

Class 5 : http://marakana.com/forums/ruby/ruby_on_rails/214.html

  • how to do integration testing with Cucumber, a story-based framework that allows you to execute feature documentation written in plain text.

Class 6 : http://marakana.com/forums/ruby/ruby_on_rails/215.html

  • Integration frameworks (Cucumber, Webrat, Capybara, and Selenium)
  • Integration testing with Selenium (advantages and problems)
  • Page Objects
  • Locators (Selenium, CSS and XPath locators)
  • RSpec Custom Matchers
  • Testing for Access Control

Enjoy !!

False Positive in Nikto 2.1.3
Tue, 25 Jan 2011 13:48:00 -0800
http://www.opensecuritylab.org/false-positive-in-nikto-213

First of all, maybe some of you don't know what a "False Positive" is. A False Positive is when you think you have a specific vulnerability in your program but in fact you don't. Many security scanners scan an application (or service/daemon) and attempt to find a vulnerability in it. Sometimes the signatures (the 'check logic') make mistakes and report a vulnerability that may not exist.

And yes, I think it happens with Nikto 2.1.3, especially with the "-C all" option, or "force directory check" on CGI directories. OK, it's not making me stop using Nikto to check for bugs, but it makes me avoid the "-C all" option, because sometimes it reports many files that don't even exist (correct me if I'm wrong).

This is a sample of Nikto's output:

Using multiple Rails versions in one GNU/Linux machine
Tue, 25 Jan 2011 06:38:00 -0800
http://www.opensecuritylab.org/using-multiple-rails-versions-in-one-gnulinux

It happened to me when I first learned about Rails. I read a lot of Rails books, each with a different version of Rails. It is not efficient to install and uninstall Ruby and Rails several times because of the Rails version used in the book we are reading. Thank GOD we have RVM in this beautiful world.

If you want to know how to install it, this is not the right place for that; just Google it :)

See the commands below for the way we can use different Ruby versions, and likewise different Rails versions:

OpenJDK or Java Sun JDK on Ubuntu
Mon, 24 Jan 2011 02:12:00 -0800
http://www.opensecuritylab.org/openjdk-or-java-sun-jdk-on-ubuntu

At some point, OpenJDK is not stable *in my opinion*. For example, I run Eclipse with Aptana Studio to code in Ruby, and I also use RubyMine, which is also a Java-based IDE. Sometimes it just closes itself while I am operating the IDE.

One day I looked at the "rubymine.sh" script and I got this:

So I realized that the problem with my IDE's stability comes from the Java VM. So, I changed it:

Captain Crunch needs your help
Fri, 10 Dec 2010 09:28:00 -0800
http://www.opensecuritylab.org/captain-crunch-needs-your-help


Official Site : http://savingcaptaincrunch.com

When John Draper aka Captain Crunch is on form, great things happen. A legendary hacker, he created the infamous Blue Box. He went on to invent EasyWriter, the first ever word processor for the Apple II.

By any standard, he’s an icon of the digital age.

But today, he’s in great pain and risks losing the use of his hands and arms.

The problem started at the Def Con convention in late July of this year, when an overzealous fan gave him a hug and Crunch immediately felt a stabbing pain in his shoulders. The pain has worsened ever since. A few critical nerves have been trapped and despite a program of physical therapy and painkillers, Crunch’s fingers and forearms are now approaching total paralysis.

The situation is critical.

Crunch is in such pain that he can barely put his shoes on in the morning. One of the pioneers of the Word Processor can barely type any more, let alone code. And the doctors have told him that within 3-6 months he risks losing the use of his hands permanently because trapped nerves die after a while. But wait – there is some good news.

The Solution – Surgery

A straightforward surgical procedure can release the trapped nerves before they wither away, and return life to his hands.

The bad news is that Crunch cannot afford it. It costs $6,000 just for the Medical co-pay for the surgery, $2,000 for the post-surgery convalescence and even more for the drugs and physical therapy that will get him back at his Mac and coding again.

Please give generously. Please spread the word.


Captain Crunch needs you.

Donate Here!!

AnonOps' / Operation Payback's tools ( LOIC - Low Orbit Ion Cannon)
Thu, 09 Dec 2010 17:35:00 -0800
http://www.opensecuritylab.org/anonops-operation-paybacks-tools-loic-low-orb

This information is for knowledge purposes only!

From their Twitter account at http://twitter.com/Op_Payback/, I can summarize some of their resources:

Their official instruction is written at: http://pastehtml.com/view/1c8i33u.html

A malware warning will be shown if you open that address; click "I understand the risk. View the page" if you want to see it.

This is the content of the instruction:

The host for AnonOps.net shut us down and told us to "prove we used legal money". Bring the PAIN!

This page has been marked as "containing malware". We all know that is BULLSHIT. Mail the host and tell him to remove it! (PS. Ask nicely) maksims@sadovskis.com

IRC.ANONOPS-IRC.COM

Do not trust any other download links than those on this page! They might log your IP or infect you, etc.

www.AnonOps.info

LOIC SETUP GUIDE

HIVEMIND mode will connect your client to an IRC server so it can be controlled remotely. Think of it like a voluntary botnet. They might even make your client do naughty things, so beware.

Note: It does NOT allow remote administration of your machine, or anything like that, it is just control of LOIC itself.


Windows

XP users MUST get the Half-Open connections fix first.

  1. Download MS .NET Framework 3.5 or 4.0 and install it.
  2. Download Hivemind LOIC and unzip it to your desktop.
  3. Start LOIC with the LOIC.EXE
  4. Server: irc.AnonOps-IRC.com
  5. Channel: #loic
  6. Select "hivemind mode"
  7. Sit back and watch the show
  • If LOIC can't connect HiveMind, set it manual and enter the target URL and click LOCK ON, change settings to TCP and START FIRIN' LAZERS!


MAC/Linux

JavaLOIC for MAC (no hivemind feature): Download

  • Launch JavaLOIC
  • Enter Target URL or IP and click LOCK ON
  • FIRE LAZERS
  • join #setup on IRC for target info and settings (TCP and rest on default is usually best)

With HiveMind feature (Mono or Wine):


Install script for Debian/Ubuntu/Fedora:
View
Run the script from terminal.


Settings:

  • Server: irc.AnonOps-IRC.com
  • Channel: #loic
  • Select "hivemind mode"
  • Sit back and watch the show


Go through the above steps 2-3 times if you can't get it working.
If you still can't fix it;
Join #Setup for Win/Nix or #nubbintank for MACs, and ask.

Guide to get on IRC to the right side ------->

FAQ

  • Is LOIC infected with a virus? NO, your AV gives a false positive. Disable your AV. The source code is included in the download to prove this.
  • Will I get caught/arrested for using it? Chances are next to zero. Just blame you have a virus, or simply deny any knowledge of it.
  • Can I use a PROXY? NO, you will just attack the proxy. But a VPN is OK.
  • LOIC can't connect; Turn off MSE or your Firewall. Still no go; On IRC, type /map and choose a different server.
  • Requests stuck? Target is down, KEEP FIRING TO KEEP IT DOWN
  • Who/What is the target; Set LOIC on HIVEMIND mode or join #setup on IRC and ask.
  • What settings should I use? Join the HIVEMIND or leave it at default w/ TCP. Protip: Don't go over 100 threads.


  • What is (D)DOS?
  • What is a botnet?
  • How do I get a botnet? No.

IRC FAQ

Rules:

  • DO NOT PM OPs! We have enough shit happening already.
  • READ the TOPIC in the channels. Scroll up!!!
  • Stay on topic! E.g. don't ask for help in main chat, and don't talk about targets in #setup.

Type /msg nickserv help to register to talk.
See link above for any other questions.

To get on IRC:

GET THE ANONOPS MIRC CLIENT (windows) HERE (updated).
It will automatically connect you to IRC and join the channels. It also hides join/quits.

  • Unzip it to your desktop
  • Start with the mIRC shortcut
  • Choose a name and click OK
  • Click to connect!

Other Clients: Nix xChat / Mac colloquy

Channel List (click to join w/ client or type /join #channel ):

 

See www.anonops.info for status on website and IRC servers.

This is a screenshot of www.anonops.info, which shows the status of their website and IRC servers.

To make their operation (DDoS) easier, they need a tool that people can trust and that is easy to use, so they made a JavaScript version of LOIC, "JS LOIC", which can be found here: http://files.hl2forums.com/uploads/1e55b2e_JS_LOIC_v0_1.htm

Once you understand how a DDoS works, you will see why they need many people to run their tools.


As you can see, they are targeting api.paypal.com or https://www.paypal.com:443/.

This is the source code of JS LOIC v0.1:

js-loic.pdf Download this file
Let's see what happens next.

Wed, 08 Dec 2010 05:49:00 -0800 The Trend of Open API http://www.opensecuritylab.org/the-trend-of-open-api


Back in the '90s, websites had just one distribution channel (HTML); now, thanks to APIs, they can reach thousands of users, and since an API can be made available everywhere, anyone can become a ubiquitous platform. Moreover, back in the '90s there were just simple websites; now we have web, mobile and device applications running over the internet. Thus the information and data that can be used are far more powerful than ever before: "Not having an API today is like not having a website in the 90s" says Martin Tantow, co-founder of 3Scale.

1995: At the beginning there were just websites.

2005: First websites with an API as an add-on; it was an additional access path/interface to their existing data: e.g. Yelp.

2008: The API has overtaken website traffic; the API is more important than the website: e.g. Twitter.

2009: The API is the product, and websites/web apps have become web services: e.g. Twilio, SimpleGeo.

Future: Web services become open platforms, applications turn into platforms, and everything is programmable and expandable.

Yes, in order to survive now and in the future, the web must be unique and open. Hey CEOs, CTOs, developers, etc., are you ready for that challenge?

Read more at The Silicon Age by Augusto Marietti

Fri, 19 Nov 2010 21:29:00 -0800 Google Pays Cash to Hackers for Finding Web Security Flaws http://www.opensecuritylab.org/google-pays-cash-to-hackers-for-finding-web-s

Believe it or not, Google wants to give money to hackers. If you can help them find security vulnerabilities and help keep their Web apps safe, you could earn a cash reward!

Wanted by Google: Bounty-hunting hackers who can find security vulnerabilities in popular Web apps.

For security researchers who find flaws in Internet services like Gmail, Blogger and YouTube, Google will reward $500 or more per bug. Vulnerabilities that are "severe or unusually clever" pay up to $3,133.70. Optionally, benevolent hackers can also donate their rewards to charity, in which case Google will match the winnings at its discretion.

Bug-hunting researchers will also be credited on Google's security page.

To keep Web services running smoothly, Google is excluding bugs caused by denial of service attacks and search optimization tricks. Technologies recently acquired by Google are also off-limits.

This isn't the first time Google has opened up security research to the masses with cash rewards. In January, the company announced a bounty program for Chromium, the open-source project behind Google's Chrome Web browser, following the lead of Mozilla's Firefox bounty program.

The move to Web apps, however, is an important and logical step for Google. The company is putting a lot of faith in Web apps as the future of computing, as evidenced by the upcoming Chrome OS. If users are going to store more and more sensitive information in online services, those services need to be secure.

In the future, Google may expand the program to client applications such as Android, Picasa and Google Desktop. Let's hope that happens soon; analysis firm Coverity recently found 88 high-risk defects in the Android kernel.

via PCW

Fri, 19 Nov 2010 19:40:00 -0800 hakin9 magazine: spyware http://www.opensecuritylab.org/hakin9-magazine-spyware


Download Here

  • Deploying & Utilizing Intrusion Detection Using Snorby

    Snorby is an advanced Snort IDS front-end. Snorby rests on two fundamental pieces: simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring in enterprise environments or for private use.


  • Malware Incident Response - Outbreak Scenario

    This article applies to Microsoft OS on Intel Platform. With the ongoing threat of the Conficker Virus, which is still hanging like the sword of Damocles, it becomes very important to know and understand, what exactly needs to be done during a possible Virus Outbreak.


  • TDSS botnet - full disclosure

    What is a botnet? A botnet is not merely an army of infected computers. First of all, a botnet is an externally managed complex structure. While the malware side is studied pretty well in most known botnets, the management side is often underestimated. The latter usually involves hacking and vulnerability exploitation, because server side scripts of a centralized botnet are hidden from public.


  • When XOR is your friend...

    Using a random enough input stream may sound like outright blasphemy to many if not all reading this; however, in this article I will demonstrate when using it makes sense. One of my hobbies includes creating crypto challenges where I hide an English message string in a block of numbers and letters. The first challenger who can correctly find what the message exactly states and demonstrate the algorithm used (usually in a programmatic fashion) wins a cash prize. I've learned over this year that in the past I had been making it far too difficult…


  • Proactive Defenses and Free Tools

    In my last article, I described the greatest breach in cyber history and made some suggestions on how it could have been avoided: enabling strong wireless encryption, testing your wireless routers for vulnerabilities, visiting http://nvd.nist.gov, limiting the number of trusted devices allowed on your wired and wireless networks and hardening your systems.


  • Wuala – Secure Online Storage

  • Book review: A beginners Guide to Ethical Hacking

  • An analysis of the spyware threat and how to protect a PC

  • Electronic Cold War

via hakin9.org

Mon, 15 Nov 2010 01:29:00 -0800 Certified Ethical Hacker http://www.opensecuritylab.org/certified-ethical-hacker

What do you think when you see these pictures from EC-Council?

In my mind? "Marketing" .. :-)
