- A brief account of the history of logic, from the The Oxford Companion to Philosophy (edited by Ted Honderich), OUP 1997, 497-500.
- A biography of Peter Abelard, published in the Dictionary of Literary Biography Vol. 115, edited by Jeremiah Hackett, Detroit: Gale Publishing, 3-15.
- Philosophy in the Latin Christian West, 750-1050, in A Companion to Philosophy in the Middle Ages, edited by Jorge Gracia and Tim Noone, Blackwell 2003, 32-35.
- Ockham wielding his razor!
- Review of The Beatles Anthology, Chronicle Books 2000 (367pp).
- A brief discussion note about Susan James, Passion and Action: The Emotions in Seventeenth-Century Philosophy.
- Review of St. Thomas Aquinas by Ralph McInerny, University of Notre Dame Press 1982 (172pp). From International Philosophical Quarterly23 (1983), 227-229.
- Review of William Heytesbury on Maxima and Minima by John Longeway, D.Reidel 1984 (x+201pp). From The Philosophical Review 96 (1987), 146-149.
- Review of That Most Subtle Question by D. P. Henry, Manchester University Press 1984 (xviii+337pp). From The Philosophical Review 96 (1987), 149-152.
- Review of Introduction to the Problem of Individuation in the Early Middle Ages by Jorge Gracia, Catholic University of America Press 1984 (303pp). From The Philosophical Review 97 (1988), 564-567.
- Review of Introduction to Medieval Logic by Alexander Broadie, OUP 1987 (vi+150pp). From The Philosophical Review 99 (1990), 299-302.
Tuesday, January 25, 2011
Web
A Web hack that can endanger online banking transactions is ranked the No. 1 new Web hacking technique for 2010 in a top 10 list selected by a panel of experts and open voting.
Called the Padding Oracle Crypto Attack, the hack takes advantage of how Microsoft's Web framework ASP.NET protects AES encryption cookies.
FROM THE SECURITY WORLD: Quirky moments at Black Hat DC 2011
If encryption data in the cookie has been changed, the way ASP.NET handles it results in the application leaking some information about how to decrypt the traffic. With enough repeated changes and leaked information, the hacker can deduce which possible bytes can be eliminated from the encryption key. That reduces the number of unknown bytes to a small enough number to be guessed.
1.Padding Oracle was voted No. 1 by a voting process that included Ed Skoudis, founder of InGuardians; Girogio Maone, the author of NoScript; Armorize CEO Caleb Sima; Veracode CTO Chris Wysopal; OWASP Chairman and CEO Jeff Williams; security consultant Charlie Miller of Independent Security Evaluators; IOActive director of penetration testing Dan Kaminsky; Steven Christey of Mitre; and White Hat Security vice president of operations Arian Evans.
The ranking was sponsored by Black Hat, OWASP and White Hat Security, and details of the hacks will be the subject of a presentation at the IT-Defense 2011 conference next month in Germany.
Here are the rest of the top 10 Web hacks voted in the competition:
2. Evercookie -- This enables a Java script to create cookies that hide in eight different places within a browser, making it difficult to scrub them. Evercookie enables the hacker to identify the machine even if traditional cookies have been removed. (Created by Samy Kamkar.)
3. Hacking Autocomplete -- If the feature in certain browsers that automatically completes forms on Web sites (autocomplete) is turned on, script on a malicious Web site can force the browser to fill in personal data by tapping various data stored on the victim's computer. (Created by Jeremiah Grossman.)
4. Attacking HTTPS with Cache Injection -- Injection of malicious Java script libraries into a browser cache enables attackers to compromise Web sites protected by SSL. This will work until the cache is cleared. Nearly half the top 1 million Web sites use external Java script libraries. (Crated by Elie Bursztein, Baptiste Gourdin and Dan Boneh.)
5. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution -- Gets around cross site request forgery defenses and tricks victims into revealing their e-mail IDs. Using these, the attackers can reset the victim's passwords and gain access to their accounts. (Created by Lavakumar Kuppan.)
6. Universal XSS in IE8 -- Internet Explorer 8 has cross-site scripting protections that this exploit can circumvent and allow Web pages to be rendered improperly in a potentially malicious manner.
7. HTTP POST DoS -- HTTP POST headers are sent to servers to let them know how much data is being sent, then the data is sent very slowly, eating up the servers' resources. When many of these are sent simultaneously, the servers are overwhelmed. (Created by Wong Onn Chee and Tom Brennan.)
8. JavaSnoop -- A Java agent attached to the target machine communicates with the JavaSnoop tool to test applications on the machine for security weaknesses. This could be a security tool or a hacking tool, depending on the user's mindset. (Created by Arshan Dabirsiagh.)
9. CSS History Hack in Firefox without JavaScript for Intranet Port Scanning -- Cascading style sheets, used to define the presentation of HTML, can be used to grab browser histories as victims visit Web sites. The history information can be used to set the victim up for phishing attacks. (Created by Robert "RSnake" Hansen.)
10. Java Applet DNS Rebinding -- A pair of Java applets direct a browser to a pair of attacker controlled Web sites, forcing the browser to bypass its DNS cache and so make it susceptible to an NDS rebinding attack. (Created by Stefano Di Paola.)
Called the Padding Oracle Crypto Attack, the hack takes advantage of how Microsoft's Web framework ASP.NET protects AES encryption cookies.
FROM THE SECURITY WORLD: Quirky moments at Black Hat DC 2011
If encryption data in the cookie has been changed, the way ASP.NET handles it results in the application leaking some information about how to decrypt the traffic. With enough repeated changes and leaked information, the hacker can deduce which possible bytes can be eliminated from the encryption key. That reduces the number of unknown bytes to a small enough number to be guessed.
1.Padding Oracle was voted No. 1 by a voting process that included Ed Skoudis, founder of InGuardians; Girogio Maone, the author of NoScript; Armorize CEO Caleb Sima; Veracode CTO Chris Wysopal; OWASP Chairman and CEO Jeff Williams; security consultant Charlie Miller of Independent Security Evaluators; IOActive director of penetration testing Dan Kaminsky; Steven Christey of Mitre; and White Hat Security vice president of operations Arian Evans.
The ranking was sponsored by Black Hat, OWASP and White Hat Security, and details of the hacks will be the subject of a presentation at the IT-Defense 2011 conference next month in Germany.
Here are the rest of the top 10 Web hacks voted in the competition:
2. Evercookie -- This enables a Java script to create cookies that hide in eight different places within a browser, making it difficult to scrub them. Evercookie enables the hacker to identify the machine even if traditional cookies have been removed. (Created by Samy Kamkar.)
3. Hacking Autocomplete -- If the feature in certain browsers that automatically completes forms on Web sites (autocomplete) is turned on, script on a malicious Web site can force the browser to fill in personal data by tapping various data stored on the victim's computer. (Created by Jeremiah Grossman.)
4. Attacking HTTPS with Cache Injection -- Injection of malicious Java script libraries into a browser cache enables attackers to compromise Web sites protected by SSL. This will work until the cache is cleared. Nearly half the top 1 million Web sites use external Java script libraries. (Crated by Elie Bursztein, Baptiste Gourdin and Dan Boneh.)
5. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution -- Gets around cross site request forgery defenses and tricks victims into revealing their e-mail IDs. Using these, the attackers can reset the victim's passwords and gain access to their accounts. (Created by Lavakumar Kuppan.)
6. Universal XSS in IE8 -- Internet Explorer 8 has cross-site scripting protections that this exploit can circumvent and allow Web pages to be rendered improperly in a potentially malicious manner.
7. HTTP POST DoS -- HTTP POST headers are sent to servers to let them know how much data is being sent, then the data is sent very slowly, eating up the servers' resources. When many of these are sent simultaneously, the servers are overwhelmed. (Created by Wong Onn Chee and Tom Brennan.)
8. JavaSnoop -- A Java agent attached to the target machine communicates with the JavaSnoop tool to test applications on the machine for security weaknesses. This could be a security tool or a hacking tool, depending on the user's mindset. (Created by Arshan Dabirsiagh.)
9. CSS History Hack in Firefox without JavaScript for Intranet Port Scanning -- Cascading style sheets, used to define the presentation of HTML, can be used to grab browser histories as victims visit Web sites. The history information can be used to set the victim up for phishing attacks. (Created by Robert "RSnake" Hansen.)
10. Java Applet DNS Rebinding -- A pair of Java applets direct a browser to a pair of attacker controlled Web sites, forcing the browser to bypass its DNS cache and so make it susceptible to an NDS rebinding attack. (Created by Stefano Di Paola.)
Subscribe to:
Post Comments (Atom)
1 comment:
Ευχαριστώ για το like στο blog μου!
Το δικό σου blog, είναι μοναδικό! Εχει καταπληκτικά άρθρα, που θα μου πάρει μήνες για να τα διαβάσω!
Μου έδωσες πολυ μεγάλη δουλεία για μελέτη!
Θα σε μελετήσω με πολυ προσοχή.
Ποιο άρθρο μου σου άρεσε κι απόδάσισες να κάνεις subscribe?
Post a Comment