dradis v1.2 - now with one-click installer

June 13th, 2008

In addition to the changes released on the 4th of April, yesterday we released a Windows one-click installer for dradis.

The summary of the features of the v1.2 release:

  • in the client:
    • export to XML module is now part of the standard module set.
    • a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
    • fixed the window.rb:159 bug.
  • in the server:
    • a slightly less annoying implementation of the web interface auto refresh functionality.
    • the services added through the web interface can have a name now :)
    • simple prevention against embedded XSS.

You can also download the platform-independent ruby source in the download section of the site.


miniconomics.com - your expenses under control

June 9th, 2008

miniconomics.com is an easy-to-use tool designed to manage your personal expenses that we have been developing over the last few months. The key benefits of the tool at this point in time:

  • It is alive, changing every day: release early, release often. miniconomics.com is under a never-ending churning process.
  • It is simple, a no-brainer: you have categories and you have expenses, you put expenses in your categories and miniconomics.com gives you all sorts of useful information, stats and nice shiny graphs.
  • It is accessible: forget about maintaining a spreadsheet with your data on your home computer or laptop. Use an online service, use it no matter where you are, no matter when, just log in and add your expenses.
  • It is as geeky as a tool can be. We are still developing it and we are keen on trying all sorts of approaches. We have some cool thoughts on plugins and addons that we will be developing in the future. Give us your feedback and let us know what you want out of the tool, chances are we will develop it!
  • miniconomics.com is free: free to use, free to register, free to enjoy, free to everything :)

I hope you decide to give it a try (you don’t have to register for a test drive) and let us know what you think. And of course if you like it, just spread the word.

restful_authentication howto, step-by-step (part 2)

June 6th, 2008

Picking it up where we left it in restful_authentication howto, step-by-step (part 1), the second article of this series is a hands-on example of how to use the restful_authentication plugin.

Things that will be covered include:

  • removing the need for a login.
  • the use of an activation email: the application will require its users to activate their accounts upon sign up.
  • howto get rid of the remember-me functionality (just in case you don’t need it).
  • howto strengthen the default security of the framework a bit.

Read the rest of this entry »

winning without fighting

June 1st, 2008

Directly inspired by Sun Tzu’s The Art of War, yesterday I found the following piece of wisdom:

After years of thinking about, writing about, and filtering messages, I’ve decided that the best strategy for me is to not filter spam, but instead to filter non-spam

The full article at Reverse Spam Filtering: “Winning Without Fighting” by Nancy McGough.

restful_authentication howto, step-by-step (part 1)

May 17th, 2008

There are more than a hundred thousand different ways of implementing authentication in ruby on rails. Authentication in the rails world is definitely not for the faint-hearted. After some random reading through the rails wiki it seemed quite clear that there is one winner: acts_as_authenticated. However, after including this plugin in one of my secret projects to take over the world, it seems that it is lacking some functionality. What I need out of the authentication framework is:

  • A no-nonsense authentication: just email and password. No bells, no whistles.
  • The system should send an activation email after the user signs up.

Let’s explore the alternatives :)
Read the rest of this entry »

the Buddhist monk puzzle

May 15th, 2008

A new puzzle, this time from Conceptual Blockbusting: A Guide to Better Ideas by James L. Adams:

One morning, exactly at sunrise, a Buddhist monk began to climb a tall mountain. A narrow path, no more than a foot or two wide, spiraled around the mountain to a glittering temple at the summit. The monk ascended at varying rates of speed, stopping many times along the way to rest and eat dried fruit he carried with him. He reached the temple shortly before sunset. After several days of fasting and meditation he began his journey back along the same path, starting at sunrise and again walking at variable speeds with many pauses along the way. His average speed descending was, of course, greater than his average climbing speed. Prove that there is a spot along the path that the monk will occupy on both trips at precisely the same time of day.

middleware and me (part 1)

May 6th, 2008

hack-fu by: rux0r

This post is the first in a series on the subject of enterprise messaging and in particular on IBM’s flavour of it. The objective of these posts will be to remove some of the confusion about its purpose, the technologies and the methods of securing it. Hopefully this will help both security testers and other interested parties to feel confident about this important area of IT security.
Read the rest of this entry »

ruby application configuration settings

April 17th, 2008

In this article I want to discuss a way of storing and retrieving the configuration settings of a ruby application. The first thing you need to decide is whether you want to store your settings in a database, an XML file, a YAML file,…

Since this is not an easy choice, we can mitigate the impact of making the decision upfront by doing some interface-based design.

Read the rest of this entry »

Black Hat Europe 2008

April 2nd, 2008


I have just arrived from Black Hat Europe 2008 in Amsterdam (this one, not this one). It has been a cool experience, not exactly what I expected but really interesting.

Briefings were held on the 27th and 28th of March, and the presentations are available for download. If you want to see what the chef recommends, just keep reading…

Read the rest of this entry »

howto create an intermediate Certificate Authority (CA) using openssl

March 20th, 2008

What is an Intermediate Certificate Authority (CA) and why do I need one? An Intermediate CA is an authority that you use to issue your own SSL certificates in a PKI environment. An Intermediate CA depends on a Root CA, which is the origin of the chain of trust. The idea is that if your Intermediate CA gets compromised, or you decide to revoke all the certificates issued by it, you can still use your Root CA without further inconvenience for your users (the users only need to have the certificate of the Root CA installed in their browsers).

As for the second question, the short answer is that chances are you really do not need one :) but for the sake of the experiment let’s get our hands dirty!
Read the rest of this entry »