Friday, November 28 2008
Wednesday, November 26 2008
So I got an Apple MacBook, which is my first Apple computer (besides the
iPhone 3G, which I bought 2 months ago). I got it as my main computer
for work so I guess I will get used to it quite fast. I primarily got it
to get to know Mac OS X and to do some funky programming for the iPhone.
The hardware is awesome: fast processors (I got the 2.4 GHz version) and lots
of RAM (got 4 gigs). The glass touchpad is quite nice (also I often use
two fingers to move the mouse - which of course doesn't work). The aluminum
case looks great; still, I would have gotten the black version if
it existed.
So far the software is ok, I still have trouble finding/using stuff but
this should be normal after only 3 days with a new OS. The thing that
annoys me the most at the moment is the window handling. Apple+Tab just
switches between applications and not windows. Some windows don't even
appear in the list (e.g. the email that is currently being edited). I hope this
can be solved through configuration.
I really miss APT-GET based software installation, but I guess this is the
price of using a commercial OS. At least it is a un*x of some sort.
More Apple tales in the near future...
Tuesday, November 25 2008
the conference was in Frankfurt at a nice hotel. The food was good and the event seemed to be organized quite well.
But unfortunately the conference was not technical enough in my opinion. The organizers actually
said that this is going to be the German OWASP theme: not to be too technical and focus more on
management/organizational aspects. This is rather sad in my opinion - since I'm just starting
with the whole web security stuff now. (Of course I've played with web security many years ago
but this was really just for fun and not professional.)
Let's see if there is going to be an OWASP Germany conference in 2009 and how technical it will be.
Sunday, November 23 2008
the Fahrplan (schedule) finally got published tonight, although it is not complete yet, but this is normal. After having to cancel my talk last year (for time reasons) I'm going to do two talks this year. I'll do my Symbian talk from BlackHat Japan and my NFC talk from EuSecWest. Both talks will be updated of course.
So far I'm pretty happy with the time slots I got. Also being selected for
speaking in Saal1 (the really big room) is awesome.
Thursday, November 20 2008
...from the weekend. On Friday I got my new Nokia 6212 classic, Nokia's next NFC-enabled mobile phone. I haven't played much with it yet, but I will during my vacation before the 25th Chaos Communication Congress (25C3) where I will do a talk on attacking NFC mobile phones.
I also finally jailbroke my iPhone after using it for two months. I must say
I should have done it earlier but I wanted to check it out in the state most
consumers use it. I actually only started looking at the whole iPhone software
scene today after the jailbreak. The funniest part was to realize that I
kind of know the guy (Jay Freeman) behind Cydia (the apt-based software installer) from going to the same University (of California Santa Barbara). Playing with all the free stuff will
keep me busy for the next weeks I guess.
Of course I also updated my iPhone to OS version 2.2 to verify that
Apple fixed the bug that I reported. As far as I can
see they fixed it. Google Street View looks cool, but seems slow, also it
doesn't cover either Frankfurt or Darmstadt. Being able to switch off
keyboard auto correction is great. Podcast download on the device is the
best new feature of course.
Last but not least I'm looking for a place to buy an unlocked (no
sim/net-lock) Android-based G1 without a contract. I'm in Germany so
I need some online shop that will ship to Germany. I want a good price of
course. Any hints will be highly appreciated.
Sunday, November 16 2008
Today we published a small security
bug present in the iPhone OS until version 2.1. The bug is small but has
a big impact in the way that it can be used to call arbitrary phone numbers
from visiting a website.
More details including a video (but not full-disclosure) can be found here (German only):
We will do a full-disclosure as soon as the update is out and people have had time to install it. Details will be available here.
Tuesday, November 04 2008
I'm looking for a method to do phone number reverse lookups, more specifically
for mobile phone numbers. I know there are plenty of services for the US but
I actually need this for the rest of the world and especially for Europe.
Any hints or tips would be very welcome, thanks!
NIST just released their Guidelines on Cell Phone and PDA Security; here are some comments from my side.
Overall I think the document is quite good, covering the field well. My main point of
criticism is the way they present their references. The document cites many news sites
instead of the original publisher's site/document. Therefore some of the references are more
or less useless since they don't provide the path to more detailed information. I not only
write this because they quote theregister on my MMS vulnerability but
also because of quoting zdnet on various other vulnerabilities rather than the original
advisories. To make it clear, I don't think the articles by these news sites are bad or
wrong, I just think people reading NIST publications expect a little more detail.