Archive for the ‘Security Testing’ Category

Open Certification update

Tuesday, April 29th, 2008

Cem and I have announced that we are suspending activity on the Open Certification project to focus our efforts on the AST Black-Box Software Testing (BBST) courses and working to develop a skills-based certification based on that material.

The original Open Certification project was focused on providing an open alternative to question-based certification exams, offering the following advantages over current industry certifications:
1. The large pool of questions will be public, with references. They will form a study guide.
2. The pool is not derived from a single (antiquated) view of software testing. Different people with different viewpoints can add their own questions to the pool. If they have well-documented questions/answers, the questions will be accepted and can be included in a customizable exam.
3. The exam can be run any time, anywhere. Instead of relying on a certificate, an employer can ask a candidate to retake the test and then discuss the candidate’s answers with her. The discussion will be more informative than any number of multiple-choice answers.
4. The exam is free.

The open certification was intended to serve as a bridge between the current certifications and the skills-based exams that might someday be available. AST’s current implementation of the BBST courses provides a balance of quizzes and exams along with interactive peer and instructor review of discussions and work products. The current implementation of the course provides a skills-based evaluation.

We want to focus on the activities that best support our original goals, and we feel that the skills-based evaluations that take place in the BBST courses are the best current alternative to existing certifications. In support of that focus, we are doing the following:
• Transitioning the existing Open Certification question server technology to support the BBST courses
• Transitioning the existing Open Certification vision of creating a pool of open and available study material to the AST Basic Concepts SIG. The Basic Concepts SIG is an effort to create a reference for testing terminology structured in the format of the Oxford English Dictionary or Black’s Law Dictionary: for each term, ask what the many ways are in which the word is used, and what good examples of each usage are. We want to mirror the field in its diversity, rather than impose a false uniformity.
• Transitioning existing energy for question development to developing questions and course materials in support of the AST implementation of the BBST courses.

If you have any questions about the Open Certification project, please contact Cem or me at kaner@kaner.com and mike@michaeldkelly.com.

Windows command line tools

Friday, October 26th, 2007

From Lesson 2 - Basic commands in Linux and Windows I learned three cool new Windows tools I didn’t know about.

tracert host
Show the route that packets follow to reach the machine “host”. tracert is short for trace route: it shows the path a packet takes from the origin (your machine) to the destination machine, along with the time each hop takes (three round-trip times per hop). By default it lists at most 30 hops. It is sometimes interesting to look at the names of the machines the packets travel through.

route print
Display the routing table. The route command can also add or delete static routes (route add, route delete) or, with route print, simply show the current state of the routes.

netstat
Displays information on the status of the network and established connections with remote machines. netstat -an lists all connections and listening ports with numeric addresses, and on Windows netstat -o adds the process ID that owns each connection, which is what you want when a listening port is one you do not recognise.

When I tried “tracert www.michaeldkelly.com” I got over 30 hops. PerfTestPlus.com had 21 (it was twice as fast as mine - darn hosting company) and Satisfice.com had 14 hops (twice as fast as PerfTestPlus).

My next step is to figure out how to actually use this information. All with time. This at least gives me a place to start.
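One caveat before using the numbers above: a hop count is not a speed. The three columns tracert prints per hop are the round-trip times, and a trace that lists all 30 hops without ending at the target has hit tracert’s hop ceiling rather than measured a long path. One way to actually use the output is to parse it. The following is an added example in Python, not code from the original post or from Hacker High School; it does not run tracert itself but reads constructed sample output in the format Windows tracert prints (the hop ceiling in the first sample is lowered to 5 to keep it short) and reports whether the target was reached, which hops were silent, and where the largest latency jump is.

```python
# Parse the text that Windows tracert prints and report what the trace shows. Added
# example, not from the original post or Hacker High School; input is constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RTT = r"(?:<?\d+ ms|\*)"                      # '<1 ms', '12 ms' or '*' (no reply)
HEADER_RE = re.compile(r"Tracing route to (\S+)(?: \[([\d.]+)\])?")
MAXHOPS_RE = re.compile(r"over a maximum of (\d+) hops")
HOP_RE = re.compile(rf"^\s*(\d+)\s+({RTT})\s+({RTT})\s+({RTT})\s+(.+?)\s*$")
HOST_IP_RE = re.compile(r"\[([\d.]+)\]$|^([\d.]+)$")  # 'name [ip]' or a bare ip

@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]   # three probes; None where tracert printed '*'
    host: str                   # as printed, e.g. 'Request timed out.'
    ip: Optional[str]

    def timed_out(self) -> bool:
        return all(r is None for r in self.rtts)

    def best_rtt(self) -> Optional[int]:
        good = [r for r in self.rtts if r is not None]
        return min(good) if good else None

@dataclass
class Trace:
    target: str
    target_ip: Optional[str]
    max_hops: int
    hops: List[Hop] = field(default_factory=list)

    def reached(self) -> bool:
        """True when the last listed hop is the destination itself."""
        last = self.hops[-1] if self.hops else None
        return last is not None and ((last.ip is not None and last.ip == self.target_ip)
                                     or last.host.startswith(self.target))

    def hit_max_hops(self) -> bool:
        # tracert stops at its hop ceiling (30 by default) whether or not it got
        # there; a full list that does not end at the target is an unmeasured path
        return len(self.hops) >= self.max_hops and not self.reached()

    def timeouts(self) -> List[int]:
        return [h.number for h in self.hops if h.timed_out()]

    def worst_jump(self) -> Optional[Tuple[int, int]]:
        """(hop, ms) of the largest rise in best RTT between responding hops."""
        worst, prev = None, None
        for h in self.hops:
            if h.best_rtt() is None:
                continue                # silent hop: compare across it
            if prev is not None:
                delta = h.best_rtt() - prev.best_rtt()
                if worst is None or delta > worst[1]:
                    worst = (h.number, delta)
            prev = h
        return worst

def parse_tracert(text: str) -> Trace:
    trace = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            trace = Trace(target=m.group(1), target_ip=m.group(2), max_hops=30)
            continue
        if trace is None:
            continue
        m = MAXHOPS_RE.search(line)
        if m:
            trace.max_hops = int(m.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue                    # blank lines, 'Trace complete.'
        # '<1 ms' is counted as 1 ms; '*' means no reply within the timeout
        rtts = [None if t == "*" else int(t.lstrip("<").split()[0])
                for t in m.group(2, 3, 4)]
        ipm = HOST_IP_RE.search(m.group(5))
        ip = (ipm.group(1) or ipm.group(2)) if ipm else None
        trace.hops.append(Hop(int(m.group(1)), rtts, m.group(5), ip))
    if trace is None:
        raise ValueError("no 'Tracing route to' header found")
    return trace

# Constructed sample output; the hop ceiling is lowered to 5 to keep it short.
SAMPLE_NOT_REACHED = """Tracing route to www.example.com [203.0.113.80]
over a maximum of 5 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    13 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    48 ms    47 ms    49 ms  core1.isp.example.net [198.51.100.7]
  5    51 ms    50 ms    52 ms  198.51.100.9
Trace complete."""
SAMPLE_REACHED = """Tracing route to www.example.com [203.0.113.80]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    30 ms    31 ms    29 ms  www.example.com [203.0.113.80]
Trace complete."""
```

To use it on a real trace, save the output with tracert host > trace.txt and pass the file contents to parse_tracert(). A hop that shows * for all three probes is a router that does not return ICMP time-exceeded messages, which is common on the public Internet and not by itself a fault; worst_jump() tells you which link actually added the latency, which is the number worth comparing between hosting companies.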

Fun with Google

Friday, October 26th, 2007

I’m doing some self education with security testing again. It’s been a while. I’m back to Hacker High School working the lessons.

Today, it’s fun with Google. I can’t hack any real sites, so I thought I would try to find stuff on some of my sites. I found a lot of good detail by reading Google Hacking Mini-Guide by Johnny Long.

Even something as simple as the following can return a lot.

allintitle: “index of” xls

I couldn’t find a problem with any of my sites, but that’s probably because they are so poorly designed that Google can’t even index them properly.

This is a lot of fun and a bit addictive. I recommend turning SafeSearch on if you have an aversion to illicit material.
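The query above works because web servers that auto-generate directory listings title those pages “Index of /path”, so the title is the signature Google is being asked for. If you run a site yourself you can check for the same condition directly instead of waiting for Google to index it. The following is an added example in Python, not code from the post or from Johnny Long’s guide: it decides whether a fetched page is a server-generated directory listing, lists the linked files whose extensions should not be reachable from a web root, and builds the site:-scoped queries that would show whether Google has already indexed such a page. The HTML samples are constructed, and the extension list is an assumption to tune for your own site.

```python
# Detect server-generated directory listings and the files they expose, and build
# the matching site:-scoped Google queries. Added example, not from the post or
# from Johnny Long's guide; the HTML and the extension list are constructed.
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin

# File types that rarely belong under a web root (assumption: tune for your site).
SENSITIVE_EXTENSIONS = ("xls", "xlsx", "csv", "sql", "bak", "old", "log",
                        "ini", "cfg", "mdb")

class _PageParser(HTMLParser):
    """Collect the <title> text and every href on the page."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def is_directory_listing(title: str) -> bool:
    """Apache's autoindex titles pages 'Index of /path'; IIS directory
    browsing titles them '<host> - /path/'."""
    t = title.strip().lower()
    return t.startswith("index of ") or re.search(r" - /.*/$", t) is not None

def audit_page(html: str, page_url: str) -> dict:
    """Classify one fetched page and resolve any sensitive links on it."""
    p = _PageParser()
    p.feed(html)
    exposed = []
    for href in p.hrefs:
        if href.startswith("?") or href in ("/", "../"):
            continue                    # autoindex sort links and parent link
        ext = href.rsplit(".", 1)[-1].lower() if "." in href else ""
        if ext in SENSITIVE_EXTENSIONS:
            exposed.append(urljoin(page_url, href))
    return {"title": p.title.strip(),
            "is_listing": is_directory_listing(p.title),
            "exposed": exposed}

def build_dorks(domain: str) -> List[str]:
    """Queries limited to one host with site:, so only your own indexed pages
    come back; intitle: and filetype: are the operators the guide relies on."""
    dorks = [f'site:{domain} intitle:"index of"',
             f'site:{domain} intitle:"index of" "parent directory"']
    dorks += [f"site:{domain} filetype:{ext}" for ext in SENSITIVE_EXTENSIONS]
    return dorks

# Constructed samples: an Apache-style listing and an ordinary page.
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1><pre>
<a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="customers.xls">customers.xls</a>
<a href="site-2007.sql.bak">site-2007.sql.bak</a>
<a href="notes.txt">notes.txt</a>
</pre></body></html>"""
SAMPLE_NORMAL = """<html><head><title>Michael's blog</title></head>
<body><a href="/archive.xls">download</a> <a href="/about/">about</a></body></html>"""
```

Fetch a page with any HTTP client and pass the body and its URL to audit_page(). The fix when it reports a listing is to turn automatic indexes off (on Apache, Options -Indexes for that directory) and to keep spreadsheets and backups out of the document root; a site: dork only tells you what Google has already found, not what is reachable.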

“Regretfully, we don’t know how to protect data even though we spend millions on it every year…”

Friday, October 26th, 2007

Crap.

That’s what I have to say.

First paragraph:

We value the trust people place in |Company|. Regretfully, we have learned that a computer, which contained information about you including your name, address, Social Security Number from your |Company| inquiry or application on |Date|, is missing and may have been stolen. The computer had two layers of security, and we have no indication that the information has been accessed or misused.

First, how do you not know if it’s stolen? The letter goes on to say it was lost while shipping. Shipping! It’s digital information! Just FTP my account information! What the heck is my information doing on the back of a UPS truck?!?!

(To be fair, I don’t know if it was UPS.)

Second, you’re telling me it has two layers of security and that’s going to make me feel better? So I’m supposed to think hacking a Windows password and bypassing your homegrown application security is going to be a problem? Give me a break!

Banks suck.

Security Testing

Friday, October 26th, 2007

First, a must-read article: Anatomy Of A Break-In by Ira Winkler. What an incredible experience report.

Second, I’ve been reading Security in Computing, 3rd Edition by Pfleeger and Pfleeger. I’m reading this text for a class. In general, I hate textbooks. I think they tend to say in 700 pages what a good author can say in 200 pages. I’m pleased to say that (for the most part) I find this one well written, challenging, and informative.

It’s got some great overview material, some great taxonomies for security, and some great explanations of the mathematics behind encryption, along with practical examples. It’s a little dated (you can tell it’s a third edition), but it does cover most of the major recent events in security.

The chapter titled Program Security is available online. This chapter is fairly representative of the rest of the book, but it doesn’t have any of the cool math (that’s in the chapters on encryption). While reading this chapter, I started thinking about the errors it describes and how I would test for them.

That leads me to one of the next articles I want to write. I’ve written one article on security testing with open source tools and I would like to write another one. I was thinking about using the Program Security chapter as an outline.

I would like to make an official call for interest in co-authoring something like this. I would like to write using real examples (change the names to protect the guilty and all that) and hopefully show how to do the testing with open source tools. I don’t really care how many co-authors we have; I just want it to be good (I think my other article is OK, but real examples are always better).

If you would like to co-author something like this, or you just want to contribute a real experience, drop me a line.