Sometimes we review books on this list, but I spent last week, for seven
days in a row, taking the R2-RingZer0-Amy-Burnett Browser Hacking
<https://ringzer0.training/advanced-browser-exploitation.html> class. But
before I do, I want to point out that 36 Minutes into this video (
https://vimeo.com/442583799) I ask Marco Ivaldi about what it's like to
switch from management back into the technical field. "It's hard, but it's
very rewarding."
Here's my one top tip for making remote classes easier as a student: TURN
YOUR FREAKING CAMERA ON. This forces you to pay attention to the trainer.
Also: trainers do better when they can see if you are picking up the
material.
I like the remote format better in many ways than the in-person format. I
like seeing everyone else's questions in the Discord. I like being able to
take a big break during the day to get food and then come back to the
exercises later and get real-time answers to my questions by Amy typing
things up on her cellular phone at the local Troy bar. I like continuing to
have lungs complete with working alveoli.
Also, the Browser Hacking class is effective. Everyone in the class (I was
quite nervous since I didn't even know Javascript and last wrote an exploit
in 1992AD) can write Chrome and Webkit exploits now. This is a useful
feature. Obviously the first half of the class is "This is the giant
optimized data structure they invented to allow people to check Gmail super
fast" and the second half is "this is what those bug-classes look like in
source code, and how you build your exploit primitives and plug them
together".
I guess my summary is this: Great class. It is well worth the money just to
feel the dragon inside you wake up and swallow something whole again.
-dave
(List Note: I have turned off bounce processing, since it was misfiring and
kicking people off the list for no reason.)
[image: image.png]
Bistahieversor or MS08-067?
If you had to list out the problems with CVSS it would be like analyzing
the anatomical issues of a children's drawing. No part of it fits together
properly. Here's a problem: Scoring of threats is not one dimensional, and
numbers can't carry the whole story. We need a vulnerability scoring system
that's extensible, and programable.
But I have an alternative: Take each vulnerability attribute and assign it
to a dinosaur part! Is it a client-side? Then it's got legs! Does it need
user interaction? Then short stumpy legs. Is it a true remote against a
service? Then it's got wings. Is it a root bug? Then it has a big mouth?
User-level access? Duckbill.
That way, the attributes of the vulnerability reflect themselves as a
literal model - a denizen of your Cretatous nightmares. But it rings true -
getting attacked by five hundred pre-auth XSS bugs in your web front-end is
exactly like getting attacked by a horde of ducks. And of course,
vulnerabilities can combine - a LPE + a remote user-level XSS + sandbox
escape has legs and teeth.
Modeling is better than scoring in every way. Maybe your network is a
Animantarx <https://en.wikipedia.org/wiki/Animantarx>, a living citadel,
but more likely you're a Diplodocus, a big bag of walking meat getting
nibbled to death by ducks.
-dave
