Friday, June 29, 2007

The penetration tester

As I mentioned in the last post, I was slated to interview a potential penetration tester.
At the appointed time, the guy walks in, with a voluminous stack of printouts of emails from various sources crediting his work.
Boy... was I impressed. A guy with close to 8 years of experience, well versed in both black box and white box testing, with experience in security-focused code reviews, a member of a web app security group, exploits under his belt and what not...
Still, I need to talk to him, assess his competencies. So, I write a few lines of code that creates an SQL query string on the fly using a fixed-size stack buffer, and ask for a review.
And then the punishment began.
He identified the buffer overflow. I asked him to explain the working of a buffer overflow. I got an "are you stupid" stare, and my candidate went off on a tangent about a tool which can detect all "unsafe" function calls and report them. I prompted him to focus on the question; he went on again about a remarkable tool that he used (no, he wasn't the author of the tool, but a user) to discover web app security vulnerabilities. Well done, I said, and moved on...

"Explain to me an XSS." He jumped to it. He explained. And I listened. We went to a site which had a blatant "staring you in the face" XSS. He explained to me again that he uses yet another "tool" for detecting XSS, and won't be able to answer my question without access to his tool.

But then, I do look for a possible flash of brilliance from people I interview. You can't expect people to know everything, can you? So, I go back to the code, and ask him how to mitigate the buffer overflow.

The contrived code was something like this:

#include <stdio.h>

int runQuery(const char *sql);   /* declared elsewhere in the contrived program */

int userExists(const char *name)
{
    char buffer[1024];
    /* sprintf has no bound: a name longer than the space left after the
       fixed part of the query overruns the 1024-byte stack buffer */
    sprintf(buffer, "select * from users where name='%s'", name);
    return runQuery(buffer);
}

Solution... replace sprintf with

    memcpy(buffer, name, strlen(name) - 1);

At this stage, I had two options... thank him for his time and interest, or pull my hair out.
I still have hair on my head...

Resume padding can only get you an interview. Beyond that, you gotta know your stuff, dude...
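For the record, here is a bounded version of the interview snippet. This is an added example, not code from the original post; runQuery is stubbed (it just returns the query length) because the page never shows it, and the helper that builds an oversized name is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the page's runQuery(): returns the query length so the
   example runs offline. Assumed, not part of the original post. */
int runQuery(const char *sql)
{
    return (int)strlen(sql);
}

/* Hardened version of userExists(): snprintf never writes past the buffer,
   and its return value tells us whether the query would have been truncated.
   Note this only fixes the overflow; building SQL from user input still calls
   for a parameterised query rather than string concatenation. */
int userExistsSafe(const char *name)
{
    char buffer[1024];
    int needed = snprintf(buffer, sizeof buffer,
                          "select * from users where name='%s'", name);
    if (needed < 0 || (size_t)needed >= sizeof buffer) {
        /* Would not fit: refuse rather than run a mangled query. */
        return -1;
    }
    return runQuery(buffer);
}

/* Constructed oversized input (1500 'A's) to exercise the truncation path. */
int userExistsOverlongDemo(void)
{
    char big[1501];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return userExistsSafe(big);
}

int main(void)
{
    printf("short name -> %d\n", userExistsSafe("alice"));      /* 38 */
    printf("overlong name -> %d\n", userExistsOverlongDemo()); /* -1 */
    return 0;
}
```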

Tech Jargon

Two days ago, I was chatting with a lady (let's call her Mary) in the HR department. I was about to conclude the conversation:
Me: I have to go now, Mary, I am scheduled to interview a guy.
Mary: Why don't you take up some of my work and let me interview the guy?
Me: You can do an interview on "penetration testing"??

Mary goes red in the face, looks embarrassed, and returns to her desk without replying. I wonder why.
Later in the day I realized. To the uninitiated, "penetration testing" seems to have a generous helping of sexual connotation.

I emailed her a Wikipedia link which explains penetration testing :-)

Moral of the story: Do not use tech jargon in day-to-day life.

Sunday, June 17, 2007

To hell with privacy

I am in an important discussion at the office, and my cell rings.

Caller: Good evening Sir, this is **** from Citibank. You have a "First Citizen" card with Shoppers Stop, right?
Me: Yeah, I do.
Caller: Sir, we are offering a lifetime free credit card to "First Citizen" card holders.
Me: No, I am not interested, thank you. (Disconnects)

I have been getting 2 calls a day now, one on my fixed line and one on my cell, wanting me to sign up for a Citibank credit card. It's a different person each day, with the same story: Shopper's Stop, Citibank...
All this because I signed up with SHOPPER'S STOP's loyalty program, a store that doesn't care two hoots for your privacy, and goes on to share your personal information with every Tom, Dick and Harry.

The bottom line: Unless your life depends on it, be wary of divulging your personal details, because once you do, there is no respite.

Friday, June 15, 2007

So here it is

In my last post I talked about a networking site that looked to have a problem with their site. Since then, I have written to them detailing my understanding and interpretation of the issue, and they haven't got beyond thanking me and promising to have someone talk to me about it. Well, it's been a long while, and apparently, they aren't interested.
So, here are the details:

http://linkedin.com/redirect?url=http://anerobic.blogspot.com sends you to this page.
URL-encoding the request to obfuscate it used to work earlier, when I first reported the problem, but stopped working after that. So, apparently, they did something, I mean some fixing, to weed out potential phish-bait URLs which were URL-encoded. So, this doesn't work anymore:

http://linkedin.com/%72ed%69re%63%74?url=%68tt%70%3A%2F%2Fw%77w%2Ey%61ho%6F%2E%63om


but this still works (the redirect target is itself another encoded redirect, so the inner URL only appears after a second round of decoding):

http://linkedin.com/%72ed%69re%63%74?url=%72ed%69re%63%74?url=%68tt%70%3A%2F%2Fw%77w%2Ey%61ho%6F%2E%63om


Keep up the good work, LinkedIn.com :-)