* Posts by toby

8 publicly visible posts • joined 24 Oct 2007

Asus' angular laptop-of-the-future designs spied

toby

makes me think of...

...origami somehow

McAfee 'Hacker Safe' cert sheds more cred

toby

Web App Sec 101

1. Go to the OWASP site, have a bit of a read.

http://www.owasp.org/index.php/Main_Page

2. Check out the most recent (stable) version of the OWASP top 10 web app sec flaws:

http://www.owasp.org/index.php/OWASP_Top_Ten_Project

3. Oh look, XSS is number 1. Ahead of SQL injection.

Plasma TV components applied to password cracking

toby

As already stated...

...FPGAs for key cracking is old news. For example:

www.ccc.de/congress/2004/fahrplan/files/340-fpga-slides.pdf

Just cos someone ripped 'em from a plasma doesn't make this news. Then again, I do like to hear about FPGAs... gotta love 'em.

Ex-MS staffer to demo Vista smart card hack

toby

@Tim Bates

Yeah sorry - Apple, that's who I meant (confused? me? ahem).

My point is MS have put a decent amount of investment into security recently, but it's hard to change perceptions overnight. It must be galling for them to watch other vendors such as Apple (no offence, like) apply minimal attention to security, while MS are still perceived as being insecure.

A good point for FUD pushers: once you have a crappy reputation, it can be hard to shake.

toby

@ Morely Dotes

yes: it's all about the benjamins at the end of the day (i.e. profit is the main driver for vendors), no surprise there - bill likes green.

but trust me, in 5 years time Mac will have the poor security rep MS has now, because MS put more time and money into security than they do.

toby

@Stu

Yeah, that would be a bit cheeky.

But here's another scenario - a pen tester by the name of raven worked for years as an ISP engineer. She got sick of the general lack of security and the kicks to the head she got when the risks she was warning management about crystallised into issues and impacted the operation.

So, she went into pen testing, where she did an excellent job of revealing the poor levels of security observed by ISPs.

Not saying that's happened here - I happen to believe MS to be much more security conscious than many vendors. A LOT more. There are probably a lot more shades of grey here...

cDc automates Google Hacking

toby

using this may be illegal

I love cDc to bits and the world would be a much poorer place without them. It's also great to see them back in the news!

I believe this is a good tool in that it gives anyone who manages a website a chance to see if their ass is hanging out - that can't be a bad thing.

However, regardless of what you think of cDc, using this tool in the UK on a domain you are not responsible for may be illegal.

There's a very good, brief article here:

http://www.heise-online.co.uk/security/Google-scanning-is-it-legal--/features/110089

Bad security products thrive on confusion

toby

Security: A Lemons Market?

If buyers don't have enough information to determine the performance of products, then sub-standard products (lemons) will dominate the market and the producers of such rubbish will drive genuinely fastidious developers out of business.

This is where standards, CLEFs, and other rather dull (but eminently necessary) aspects should pick up...

But most of all, we all, as buyers, create the markets we deserve - if we all made more effort to avoid buying sh*te, i.e. actively avoiding products marketed using those Fear, Uncertainty, Doubt techniques, we might see less of a lemons market.