Archive for October, 2008

Microsoft Out-of-Band Bulletin

October 23rd, 2008

So, for anyone who didn't get the email, or hasn't heard yet... it looks like Microsoft is releasing an Out-of-Band Bulletin tomorrow. I'm excited to find out why there was cause for an emergency patch release.

Side Note: Possibly the shortest blog post ever.

Uncategorized

NoScript Force SSL

October 20th, 2008

I've always commented that I'm not a big fan of NoScript... I find browsing "modern" websites to be almost impossible with the plugin installed. For this reason, I don't know how popular it is with "the masses". That being said, I use it because a hindrance is better than a gaping security hole.

However, I've now found what I feel to be the best feature in NoScript: the ability to force HTTPS. Sites like LinkedIn have always had issues with providing adequate HTTPS support. There are other sites that are HTTPS only, yet don't redirect HTTP to HTTPS. I've always found these issues to be frustrating. NoScript has solved these problems.

I've inserted a number of common websites I visit into the force HTTPS dialog and now, even if they have flaky HTTPS support that pushes you to HTTP on every request, I'm always using HTTPS. If I type in an address manually to a site that's configured only for HTTPS, NoScript forces the connection over to HTTPS and I no longer curse and go to the address bar to add the 's'.

This is an amazing feature and has greatly increased the value of NoScript in my eyes. Given that this isn't the core focus of the plugin, it's probably the single greatest addition that could have occurred.

Update

Marcin just pointed out that LinkedIn public profiles don't exist over HTTPS (treguly (http) works, treguly (https) doesn't)

To resolve this, simply add www.linkedin.com/in/ to the "never force https connections" portion of NoScript.

IT, Security, Tools

Why I Changed Feed Aggregators

October 13th, 2008

For the longest time I've been using Bloglines to read RSS feeds. I've used standalone readers in the past (NewsFox and Viigo) but I've found that there's no way to sync them (I read feeds on 3-4 computers, as well as my phone) and that was a real problem for me. Bloglines is very clean and fast. It's easy to use and works well when I'm on my phone. However more and more I've been noticing it "down for maintenance", and I've noticed others use Google Reader so I decided to give it a go.

I exported my feeds from Bloglines and imported them into Google Reader. I noticed right away that the layout was familiar (since it was similar to GMail), however I would prefer if I could have subscriptions at the top of the left pane, with Home, Trends, etc below them. As I browsed, I noticed that there were a few other annoyances. One of the things I enjoy about Bloglines is that if I don't want to read a certain feed, I can simply click on it as I work my way through new feeds. With Google Reader, if you don't visit the article, it isn't actually marked as read. While technically more accurate, it's not what I'm accustomed to, and unfortunately there isn't a setting to change this. The other annoying issue was related to Google Reader on my Blackberry... instead of being able to browse based on subscription, the items from the feeds are grouped together and displayed chronologically. This is horrid design compared to Bloglines' mobile solution, however I'm finding I can live with the pain in order to have the standard Google Reader UI.

The thing that finally won me over to Google Reader is shortcut keys. I love keyboard shortcuts. The less often I have to use the mouse, the better and Google Reader is great for that. g + u and then you can type the name of the feed you want to read. Even better though is for when I'm browsing my feeds. I can use Shift+n (down) or Shift+p (up) to scroll through my subscription list, Shift+o will open that subscription and then n (down) or p (up) will let me scroll through items in that feed, using enter to open/close the items. It is extraordinarily handy and I highly recommend it to anyone that hasn't tried it yet.

IT, Tools

SecTor - Day 2

October 9th, 2008

I'll start off by saying the second day of SecTor was amazing compared to the first day. We started off with Stepto giving the opening keynote. While it wasn't anything groundbreaking, it was exactly as advertised and well presented. I fully enjoyed hearing him walk through how he got into security, his time with MSRC and how things he'd learned working in security applied to other aspects of his life... it was great.

Following the keynote, I was torn between Pwning the Proxy and Lock picking. In the end personal interest won out and I attended the lock picking session. There was quite a bit of interesting information shared and I managed to take a couple pages of notes. One of the coolest things was the how-to on making a combination lock shim using a piece of aluminum from a pop/beer can.

Following the lock picking session was lunch. The meal was much better than the day before. One thing that I didn't get was why so many tables were reserved and there was staff keeping people from sitting at them. The same thing existed on day 1 and the tables were never used, so why were they there on day 2?

Lunch was also great because Johnny Long was the lunch keynote. If you've never seen Johnny speak... make every attempt you can to see him somewhere. He spoke with regards to his No Tech Hacking book (proceeds of which go to Charity) and the presentation was quite amusing and a lot of fun to watch. He gave examples of information gathered by shoulder surfing, dumpster diving, etc. It essentially centered around the non-technical side of reconnaissance or pen-testing. The entire crowd spent the time laughing and fully enjoying themselves (or at least that's how it seemed).

After lunch I checked in on Hoff's virtualization talk. It actually had some interesting information and I was really glad that I'd attended it. I was unaware that there was a Cisco vSwitch for ESX but I really like the concept. It'll enable some very interesting things to happen.

I had planned on attending the talk on identifying crypto in code for the last session of the day, but an old coworker showed up and we spent the session catching up in the keynote room. Following that there was some brief conversation and the wrap-up (which included the awarding of prizes). I did note that a couple of the prizes weren't given away (Checkpoint wireless router/firewall for instance), so hopefully that wasn't just a scam to get business cards.

Then a small group of us (9 people I believe, both speakers and attendees) went out for all you can eat sushi, and a few drinks. I really enjoyed myself day 2 and really enjoyed the con as a whole, there were just some really bad experiences on the first day.

I'm definitely looking forward to SecTor 2009!

Conferences / Training Sessions, Reviews

SecTor - Day 1

October 8th, 2008

I debated what to write here, and if I would present the positive or negative points but I figured the only fair way was to describe both, so without further ado, I present SecTor Day 1 - The Good, The Bad and the Ugly.

I figured I'd describe my day from start to finish, instead of breaking it up by what I did or didn't enjoy. The day started off with breakfast at Cora's, a group of us met there only because this year's SecTor schedule made no mention of a breakfast similar to the one provided last year. Of course, when we showed up, it turned out there was a provided breakfast... at least we know for tomorrow.

The initial keynote was done by the RCMP and I don't even know what to say. Last year's RCMP presentation was depressing (many people that I spoke to today said it was the worst part of last year, and there was a debate over which RCMP keynote was actually worse). This year's was made worse by the fact that it was first thing in the morning. It was presented with little enthusiasm and I'll say it... it sucked.

When the RCMP speaks, you'd expect to learn something interesting, in fact a number of attendees mentioned that to me today. Yet nothing interesting was learned. I was eager for this talk (as I was eager for the keynote last year), I figured they had learned from last year and that this year the RCMP would do better. I took about a page of notes, but got nothing of interest. The names of a few councils (ITAC Cyber Security Forum and CBOC's Council on Security & Tech) and learned that there was a Cyber Security Conference in Gatineau on Nov. 5 & 6. That could have been a single slide, or better yet a hand-out. The rest was useless, this was evident by the people falling asleep and the notes left on Twitter.

I was also rather offended by a closing remark that David Black made regarding them looking for trained University graduates. I attempted to open my notebook and write down his email address to contact him but unfortunately the slide was removed from the screen. If anyone wants to pass this along to him, it would be appreciated. [Begin Side Rant] I'm getting really tired of this biased hiring practice in many places that requires a University degree, it's a useless, archaic requirement (much like the requirement for various certifications [which we see more and more people dropping from job postings]). Many of the really bright IT/IS people that I know have no formal education or a college education... it's a shame to see so many places discriminate... especially places like the government. I'd think that workplace equality would include method of education, and place the importance on actual skills and knowledge. [End Side Rant]

Needless to say... KeyNote #1 was a fail.

Up next was the first session. None of the sessions interested me, so I decided to check out the lock picking village. I was in the hall by the vendor displays, so I visited each display on my way over, and failed to make it to the lock picking village before the first session was over. I did have some great conversations with the vendors that were present though. A big thank you to all of them for the sponsorship that they provide.

While there was nothing that caught my interest, I know people that attended both 'Double Trouble: SQL Rootkits and Encryption' and 'Network Security Stripped: From layered technologies to the bare essentials'. I can say that I didn't hear negative reviews about either presentation. In fact most people liked what they saw, and those that didn't like it were fairly neutral in their comments.

Lunch and a Panel Discussion were up next. The lunch was Monday's left overs... my chicken fell off the plate and bounced; there was Twitter discussion around having a chicken bouncing competition. Yet that was almost the highlight of the lunch. The real saving grace on the panel was Hoff. I understand why everyone was up there; a number of them were sponsors and probably wanted to say their piece, but still... We basically had 8-minute, extremely dry lightning talks. A panel usually involves some sort of discussion or interaction; this was basically everyone bragging about themselves, and it drew quite a bit of Twitter traffic.

Following lunch, we had what I would call the worst organizational decision made by the organizers. They did fairly well this year... there is some good content (you just have to dig to find it -- My favourite part of today was hearing (a couple of times), 'the talk that you submitted would have been much better than this'), the swag was cool, a lot of people had positive comments about the notebooks and the bags and there's an increased social aspect. The mistake however, was a really bad one... it was the mistake of placing the bulk of the good speakers in competing time slots. This happened today by having HD Moore, Jay Beale and Raven in the same time slot. Those are three talks I would have gladly gone to see, and I had to pick one. From what I hear this happens tomorrow as well. I'm really looking forward to Hoff's talk, however I've been told that James Arlen is quite the impressive presenter as well.

In the end I decided to go with Jay Beale's discussion of the concepts behind his new tool, 'The Middler'. It was everything that a tool presentation should be. The tool wasn't shown or mentioned... the concepts and techniques were discussed. Not only did the presentation have some interesting information (I filled three pages in my notebook) but Jay did an amazing job with his presentation. This presentation alone made up for the lackluster performances up to that point (although I was quite disappointed about the stacking of the time slot).

To briefly go back to the time slot, I believe the concept that was tried was to put the big speakers up against each other and then everyone else was grouped together, this was to ensure a somewhat even distribution of attendees and to avoid empty rooms. My feeling on this... if a person's presentation runs the risk of an empty room, regardless of what they are up against... don't accept the presentation. I'll stop ranting on this now... it's done and unfortunately it can't be fixed.

For the next time slot, I decided on attending Googless. I was excited... it seemed really relevant to some of the work that I do. I don't even want to talk about this presentation... the slide show background was disturbing, and Christian had no life to him, as well he asked for donations on like the third slide (also the first time I've seen a license on a presentation) and informed us that we would have to wait until December to obtain the slide deck. I guess Christian thought that this was the most popular presentation at SecTor... judging by how many of us walked out during the presentation, I really doubt that. It wasn't good.

I spent the last portion of that presentation speaking with colleagues before the rooms emptied out and the last series of sessions were to begin. I had originally intended to see the RFID presentation, however I managed to catch up with Jay Beale to further discuss the Middler as I was rather intrigued. So we were able to sit and discuss it for a short period of time. A few more people joined us and we moved to the keynote room for discussion and to await alcohol. This once again was an amazing opportunity to network with people, and proved to be more useful than attending the talks (or so I read (and heard)). I once again have to say kudos to the organizers for this... Anything that lets you get together with other people to basically 'talk shop' is a great thing and many opportunities were presented.

During the Microsoft sponsored reception our table grew and we had a lot of fun. Then speakers departed and the bar closed, and unfortunately I wasn't able to make it to the party, however the day still had a number of high points. I realize this may seem like I griped a lot, but given that this was year two, I had higher expectations than last year and I'm not sure those expectations were fully met... but as I said, I did enjoy quite a bit of it. Tomorrow is another day, and there are a number of time slots where I'm interested in more than one presenter, so we'll see how it goes.

Conferences / Training Sessions, Reviews

SecTor - Training

October 8th, 2008

So I was lucky enough to be able to take part in SecTor training this week (as I previously mentioned). I spent all day Monday in HD Moore's Metasploit training.

Having been an avid Metasploit user for quite some time, I was hoping that the training would include some features that were unknown to me. I definitely wasn't disappointed.

The initial portion of the training was fairly straight forward and included writing a basic auxiliary module and a plugin. The basics of Metasploit use were also covered.

This occupied roughly half the day, at which point we had lunch... the food wasn't great but it also wasn't awful. Then we were right back into the training.

Over the course of the afternoon we covered meterpreter, NTLM (smb_relay, and some others), Wireless and IPv6. A number of new and interesting things were covered and I really enjoyed the afternoon.

Following the training, myself and a colleague who also attended the training met up with HD and a few other speakers and attendees to grab dinner. This was the sort of thing that I really enjoy about the cons, sitting around the table with a few beer talking shop. While I enjoy the talks, a lot of the time there's nothing overly new and it's when you're chilling and chatting that you really get a chance to discuss the interesting things.

At the end of the day, the training was definitely worth it. The only real shame (although a bonus for those of us attending) was that the training room was so empty... We had ~11 people. My worry is that SecTor won't be able to get decent trainers next year unless they can increase the attendance numbers.

Stay tuned for another post on SecTor - Day 1... (which will eventually be followed by SecTor - Day 2).

Conferences / Training Sessions, Reviews

SecTor Goodies

October 7th, 2008

So I spent today in training @ SecTor. I attended HD Moore's Metasploit training and rather enjoyed myself... I picked up a couple of things that I'd been previously unaware of. Since I was already onsite, I took advantage of the open registration booth and picked up my SecTor goodies.

Instead of the cooler bag (last year's very cool SecTor registration goodie), there's a rather nice tote with the SecTor logo on it. Inside the bag was the usual advertising literature, a nice Leed's notebook with a metal (I think) cover, with the SecTor logo, and a pen and BlackBerry screen cleaner.

The badges are quite nice... given that the program includes a picture of the DefCon badge, I imagine they were trying to go with something along those lines. Rather than the hard plastic, "corners will cut you when you attempt to touch it" badge of last year, the badge this year is rather cool. There's a usb cable enclosed on the back of the badge and when you connect it, you find that it's a 1GB storage device. Definitely a step up.

I took pictures to attach, but I'm getting an error, so I won't be uploading them tonight... I'll try again tomorrow.

Now given that it's 2AM and I'm meeting people for breakfast in 5.5 hours, I should probably grab some sleep... but on that note... The program this year doesn't mention a breakfast, so some of us are meeting at Cora's on Spadina (not far from the MTCC) at 7:30 if anyone happens to read this between now and then and wants to join us.

Conferences / Training Sessions, IT, Reviews, Security

Python 2.6 Released

October 2nd, 2008

I haven't been blogging much lately (hopefully that will change shortly). However, I wanted to make sure I mentioned this. Python 2.6 has been released. What's new in Python 2.6 can be found here.

IT, Python