Archive for category Uncategorized

Red Teaming the CCDC

At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional qualifiers to the national finals. I covered how we hacked and hid from the most paranoid student sysadmins in the nation, […]

No Comments

March – Pass the Hash Awareness Month

March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog:

No Comments

A Comparison of HTTPS Reforms

An old adage in cryptology is that encrypting data is always easy, but key distribution is always hard. Just a few days ago, Google reported that yet another wrongfully-issued certificate had been found for Google’s domains. As a result of many incidents and problems with CA-issued certificates, many different proposals have been made to improve the system. Google’s Certificate Transparency page compares some of the proposals; but it did not include my favorite idea, I thought it did not do justice to some of the other competing proposals, and it glossed over some of CT’s big issues. I evaluated all the proposals according to these criteria and put together the below spreadsheet to compare their strengths and weaknesses.

, , , , , , , , , , , , ,


Windows API Function Definitions

All of them. Or at least a good chunk of ’em. Why? Because sometimes you just need to know what the parameters are for some obscure function. Download here: winapi.txt and enjoy.

No Comments

Network Nightmare (Intel)

You can see the slides I put together for my talk Network Nightmare – Intel PXE at It is a modification of the Defcon talk, and adds some lessons learned/suggestions for developers. I also added a few slides evaluating the PXE attack according to the most common vulnerability severity criteria, as if it was […]


Important Stuff

I am adding a page Important Stuff with some thoughts on non-information-security stuff. As fun and interesting as hacking is, there are more important sides of life. So I summarized just four of the reasons why I believe what I believe, and a bit of what that means. As you may know, I am a […]

No Comments

Cryptology, Academics, and Chaos

I saw an article the other day critical of the ACM (here also see this linked to in comments) and I have to say, I completely agree. As far as I can tell, the ACM, like the IEEE and other publishing houses, exists to leech off of the academic world, charging large amounts of money […]

, , , , ,


Black Hat & Shmoocon

Just got accepted to both Black Hat DC 2011 and Shmoocon 2011! Unfortunately, I will not be able to attend Shmoocon. I wish I could come; I have never spoken there before, and it’s a great conference. Instead you will have to see me at Black Hat. Link:

No Comments

Sessionthief linux

In response to a number of questions about how to get sessionthief running on linux, here are the steps to get it working on Ubuntu: First, I apologize, because if anyone tried, the compilation failed due to a case-mismatch on a filename. I had not noticed because I had stored the files on a FAT-formatted […]