I ran across this after I finished reading back-to-back reviews by Phn1x and Ilfak Guilfanov of the sounds-like-it’s-excellent “The IDA Pro Book” by Chris Eagle, from No Starch Press.  Excellent reviews, and the book looks really good.  Please don’t confuse its coolness with the lameness I’m about to copy-paste about. I’ll probably wind up buying a copy of Eagle’s book.

The Syngress IDA book, though?  Not so much.

I didn’t know Syngress had an IDA Pro book when I went to Amazon to look at No Starch’s.  There’s a reason for that:  It’s awful.  I can say this, with certainty, without ever having picked it up.  I don’t normally feel this strongly without at least reading the book, but the universally bad reviews of “Reverse Engineering Code with IDA Pro” are quite damning…

…and hilarious :) .  Which is why I’m pasting select comments from the various reviews here, as they tickle my funny-bone:

ZT says:

Do we really need half a page to print a table that does nothing but list every possible form a MOV instruction can take?

…and:

For heaven’s sake, the book was published FOUR MONTHS AGO, and already the repository for the book’s source and binaries has disappeared?!  Come on, this is unacceptable. Every time the book dedicates an entire chapter to disassembling a binary, you have to pretty much skip the entire chapter, because the binary isn’t available for you to disassemble. You can’t follow along.

magicmac2000 chimes in with:

And finally, there is information in the index of a chapter, but the pages are not there! It is not a problem of my book, it is a problem of the edition itself!

Hah, what?  There are entire chunks of the book missing:

(Chapter 4) claims to have these items:
Understanding Execution Flow, Tracing Functions, Recovering Hard Coded Password, Finding Vulnerable Functions, Backtracing Execution, Crafting a Buffer Overflow.
The problem is that the editors (Syngress) forgot to include the latest three. Yes, exactly as you hear it: the editors forgot to place those pages in the book.

Even one of the authors, Justin Ferguson, gave it a negative review:

This is my second attempt at reviewing the book I helped write; Amazon continues to censor me, probably because my encouragement is not to buy this book (after dealing with Syngress, I wouldn’t advise buying anything that comes from them). I don’t know how to say this other than I apologize to everyone who purchased this book; it really was supposed to be much more. However, the corporate world being what it is, it was rushed from deadline to deadline without any regard for quality, the editors actually introduced errors, many of the diagrams are unreadable, and there’s parts of the book just flat out missing. DO NOT BUY.

Ouch!  You can check out the reviews for yourself here.  I think I’ll be getting Chris Eagle’s book instead.


Switching the site over to the new theme didn’t go as quickly as I had hoped, but it seems to be working now.  I’ve changed how things are organized too, so it should be easier to find things.  Most of my readers seem to be those interested in the technical guts of security, so I’ve done my best to set the ratio of content to fluff as high as possible.


…I’d spend a fair amount of time cleaning this inbox:

Thankfully, it’s just a glitch.  Probably something to do with GMail being a little messed up today.

2**32 minus 2, strangely enough :) .

Edit: It decrements by 2 each time I click to another folder and then back to Inbox.

Aug 07, 2008

Thanks to HD Moore for this via Twitter.  Splunk ad versus LinkedIn profile found via Google:

Splunk FAIL

I can’t stop giggling.


Everybody else is posting their picks for the talks they want to attend at Blackhat USA 2008.  I’m not going, but Chris Gates, of the excellent carnal0wnage blog, and I have decided to post our picks as part of an armchair “Blackhat Fantasy League”.  This’ll serve as a nice reference for myself when audio/video of the conference is released too.

(Edit: Chris just posted his picks.  There’s a nice web security flavor to his choices)

It really is a shame that I won’t be able to go, since our good friend Yousif Yalda promised to “beat me down” there.  Assuming I could make it to each talk, between all the beatings, here’s where I’d like to be:

Day 1 – 10:00 – 11:00

Fyodor Vaskovich – Track: The Network

This is going to be outstanding.  I always enjoy hearing Fyodor talk about nmap internals and tricks used to get more speed out of it.

Day 1 – 11:15 – 12:30

Dan Kaminsky – DNS Goodness

Pretty obvious choice here.  I feel sorry for the other speakers on during this time slot.

Day 1 – 13:45 – 16:30

Lots of folks – Iron Chef Fuzzing Challenge

Jacob West, Charlie Miller, Geoff Morrison, Jacob Honoroff, Sean Fay, Brian Chess finding vulnerabilities, Iron Chef style.  The Cisco shellcode/backdoor talk almost beats this out, but I had a lot of fun listening to the last Iron Chef challenge.

Day 1 – 16:45 – 18:00

Val Smith, Colin Ames – MetaPost-Exploitation

I’m on a Metasploit kick right now :)

Day 1 – 18:00 –

The Pwnie Awards

Day 2 – 10:00 – 11:00

Felix Lindner – Developments in Cisco IOS Forensics

I haven’t gotten my hands dirty with the guts of IOS, so I think I would enjoy this.

Day 2 – 11:15 – 12:30

Eric Filiol – Passive and Active Leakage of Secret Data from Non-Networked Computer

The description on the Blackhat site is kind of vague, but it sounds fascinating.

Day 2 – 13:45 – 16:30 (?)

Lukas Grunwald – Hacking and Injecting Federal Trojans

Law enforcement injecting trojans into software downloads… neat… (this one is scheduled back to back with itself, so I don’t know if it’s a continuation or what.)

Day 2 – 16:45 – 18:00

Patrick McGregor – Braving the Cold: New Methods for Preventing Cold Boot Attacks on Encryption Keys

Having written msramdmp, I definitely have an interest in talks on cold-boot memory attacks :)


I don’t normally pay much attention to banner ads, especially for diploma mills, but this one caught my eye:

I thought to myself, “That looks familiar.  It’s almost as if I have been there before…”

I have:

Swalm Hall, on the Mississippi State University campus.  This is about half a mile away from where I work part time as a graduate researcher at the MSU Center for Computer Security Research while I finish up my Ph.D.  As an undergraduate, I had a technical writing class in Swalm, and attended entrepreneurship lectures in the auditorium.  While it’s a relatively new building, built while I was an undergrad, it was designed as a replica of another, older building on campus, Lee Hall:

These two buildings face each other, on opposite sides of the drill field.  I had actually convinced myself that the University of Phoenix was using an image of Lee Hall, and was halfway through writing this blog post, when I went looking for an image of Swalm Hall to give the post some character.  In the process, I stumbled across the picture of Swalm above, which appears to be the exact image they used (or very close).

We can’t quite offer a 13-month degree here, but at least we don’t have to claim buildings from other campuses :) .  If you’re ever in the area and want the grand tour, let me know.


It’s a weekend, so I’m all for a fun post.

The sexyhacking.com videos are not safe for work; however, they’re probably even less arousing than you’d think.  They are hosted on YouTube, after all.  You might want to have a look, though, since they’re funny (intentionally and unintentionally), and who knows how long they’ll actually be around.

In the second video, described as Episode 1 in a series called “Naughty Script K1dd13”, basic compilation and usage of nmap is covered by a somewhat disinterested teacher.  It must be hot in the classroom, since she’s unbuttoned her shirt about halfway down.  Strangely enough, while nmap is displaying its scan, they censor the IP addresses involved with COPS-style pixelization:

http://mcgrewsecurity.com/img/sexyhacking1_th.png

If you’re paying more attention to the terminal than the girl, you’ll notice that they’re not very thorough.  At 3:49, we catch the video editor asleep at the wheel as the traceroute pops up:

http://mcgrewsecurity.com/img/sexyhacking4.png

…and at 3:50, the censor wakes up :)

http://mcgrewsecurity.com/img/sexyhacking5.png

I’m not even sure why they’re attempting to hide the IP address.  It’s stated in the narration that sexyhacking.com will be used as the target, and the IP address revealed above is simply what you’d get doing a DNS lookup of sexyhacking.com…

(so long as Dan Kaminsky isn’t angry at you)

So, to sum it up:  If you’re redacting information out of a video you’re publishing, you not only have to worry about people being able to reverse engineer your pixelation (just black it out!), you’ll also have to make sure you blot it out of every frame :) .


I just received these two pictures via email from my major professor, and thought I’d share.  They’re from a series of mock trials that were held for this past fall semester’s computer forensics class.  The students had the opportunity to take the stand and present expert witness testimony regarding the evidence that they had examined as part of a class project.  We had a real courtroom, a real judge, real attorneys, and another university’s students sitting as a jury.  I sat as the accused for a few cases, and also helped guide the defense attorneys through some of the more technical aspects of the forensics.

Thankfully, with the inexperience of the expert witnesses, and coaching my attorney a bit (he had an engineering background, which helped), I was found to be not guilty :) .


I just wanted to check in to say that regular readers of this blog should expect my posting schedule to slow down over the next week or so.  I’ve been trying to post more regularly, and I was doing well at it for a while, however things are a bit busy this week.  A colleague and I are putting together the Capture The Flag event for this semester’s Security class at Mississippi State, and I’m also putting together a lecture/demonstration to go along with it.

The “links” posts will keep coming, as I’m pretty happy with the quality of the content so far, and it’s very easy for me to do as a part of my daily reading and investigating.  I could keep those up just from content generated and linked to by the people I follow on Twitter alone.  When I get some spare moments, I’m going to work on some planned features for msramdmp as well.

Also, I will soon be an Internet super-star, once episode 104 of PaulDotCom Security Weekly is released.  Paul and Larry invited me onto the show, and I had a blast recording with them Friday night.  I rambled on about msramdmp for a while, recent memory attacks in general, and had the pleasure of staying around for the rest of the show, commenting on recent security news.  I hope people enjoy listening to it half as much as I enjoyed being Paul and Larry’s guest.


This really isn’t a security vulnerability, but it is a bit strange. As I leave Terminal running, with one tab in a screen session on a remote host, and other tabs coming and going, weird things happen with my ability to right-click on URLs. Occasionally it will only let me right-click on things that aren’t URLs, but most of the time it simply displays an arbitrary, but increasing over time, number of “Open URL” options. Mine goes to 11:

Open URL X 11

Trying it right now, I get 10. The number fluctuates, but increases over time. Restarting Terminal resets it back to only having one.

This is a little off-topic for this blog, but I couldn’t find anyone else on Google that has the same problem, so I figured I’d throw this post up so that when someone else with the same problem searches for it they’ll find this. Then they’ll email me or comment and we’ll be best trivial-bug-friends. Maybe we’ll start a support group or something.

© 2012 McGrew Security. Suffusion theme by Sayontan Sinha.