A New York Times story last month described a new phenomenon in China in which groups of “netizens” hunt down wrongdoers through online crowd-sourcing and sleuthing. According to the story, a group of online vigilantes determined the identity of a woman who had posted a video of herself torturing and killing a kitten. Within a few days, the vigilantes were able to piece together clues and identify her by eliciting information from readers on Mop, a popular online forum. Ultimately, the woman and her cameraman were publicly shamed and expelled from their public sector jobs, cutting them out of the prospect of pensions and lifetime employment.
Mob justice is nothing new, but the Internet moves it along faster than before. Also, the Internet expands the playing field from the proverbial village of twenty or so torch-bearing peasants to potentially the entire online world. In other words, the Internet’s gifts to mob justice are speed and reach. The kitten killer was picked out of a population of 1.3 billion Chinese in six days. But the problem with speed, when applied to an angry mob, is that it tends to skip over due process. The kitten killer story led me to three conclusions about online mass collaboration known as crowd-sourcing:
Cisco has defined a development standard called the Cisco Secure Development Lifecycle (CSDL). This process is designed to ensure that Cisco produces secure and resilient products by identifying and implementing specific processes or tools to enable engineers to detect, fix, mitigate and prevent design and code weaknesses that could become exploitable.
CSDL is a multi-layered defensive approach. First, we seek to ensure product security is integrated into the design and design review process through the use of baseline requirements and threat modeling reviews. Second, we pursue a rigorous software development design process to detect, fix, and protect against potential software weaknesses. Finally, we utilize robust penetration testing to validate the effectiveness of the first two layers of our defense, and to identify and fix any resulting vulnerabilities.
DANGER, WILL ROBINSON, DANGER! MY SENSORS DETECT THAT YOU LIVE IN A HIGH RISK AREA FOR CYBERCRIME!
According to a recent press release from Symantec, some cities in the U.S. are more “vulnerable” than others, with Seattle at the top of the list. Their methodology “analyzed data for each city including the number of cyberattacks and potential infections (data provided by Symantec Security Response), level of Internet access, expenditures on computer hardware and software, wireless hotspots, broadband connectivity, Internet usage and online purchases.”
While an argument could be made about a potential conflict of interest for a press release of this nature, I’d like to focus on what greater access to Internet connectivity means in terms of best practices, regardless of whether you are in Seattle or Shishmaref. As noted in a recent Cyber Risk Report, the study’s real conclusion has little to do with your actual location.
Isolating the root cause of a heap-based buffer overflow can be tricky at best. Thankfully, Microsoft provides a great tool called the Application Verifier, which makes the process significantly gentler.
In this post, we will look at how to use the Application Verifier to pinpoint the source of a heap overflow in a binary. Because it is difficult to find a publicly available and easy-to-trigger heap overflow vulnerability in an application whose EULA does not prevent reverse engineering, I have created a small sample application that contains a heap overflow for this purpose.
“I’m sorry, Dave, I’m afraid I can’t do that.”
- HAL the computer from 2001: A Space Odyssey (1968)
Every day, essential business and physical functions are executed by software, without human oversight. Many of these functions—automobile braking systems, automatic systems on commercial aircraft and commuter trains, medical equipment—function at speeds and levels of precision that cannot be matched by human beings. Thankfully, the persistent fear that someone may eventually create software that is intelligent enough to defy us has not come to pass. If anything, the opposite remains the more immediate concern: as fallible humans, we continue to generate software riddled with problems, setting the stage for accidents waiting to happen. One such incident was recently made public.