[lcamtuf.coredump.cx]
"The tendency for entropy to increase in isolated systems is expressed in the second law of thermodynamics -- perhaps the most pessimistic and amoral formulation in all human thought."
Name .... Michal Zalewski
Age . 0919669796 seconds
Longevity . 2239056000 seconds
Height .... 184 centimeters
Weight ....... 80 kilograms
Nationality ............. Polish
Residence ........ secret lair


Silence on the Wire is an illustrated guide through some of the most beautiful and elusive aspects of information security. Click here for sample chapters, plenty of reviews, and other useful information. You can buy SotW through O'Reilly, Amazon, B&N, etc. If you prefer Polish, try Helion; French, Italian, German, Chinese, and Russian translations are also available.

security projects & thoughts

NEW Browser Security Handbook is meant to provide web application developers and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities (Slashdot).

Ratproxy is a passive web application security assessment tool. The utility looks at regular HTTP traffic, and automatically detects and annotates broad classes of web application security problems, such as dynamic cross-site trust model shortcomings, script inclusion issues, content serving woes, insufficient XSRF and XSS defenses, and much more. Detailed documentation is available here (Slashdot). Enjoy - and check out unlocker, too.

tmin is a simple but nice fuzzing test case minimizer. Unlike delta, a general-purpose relative, the tool is meant for dealing with complex or unknown datasets (with no need to tokenize and re-serialize the data), and for easy integration with external testing harnesses. It's very simple, but also probably useful.

DOM Checker is a tool for automated browser security restriction validation, and is notable for two reasons: first, it found a fair share of important security issues in Safari and Firefox; and second, it is a nifty framework for future research, as it offers some interesting IPC-based write validation and DOM hierarchy analysis capabilities. See official page.

Bunny is a fairly cool C code fuzzer that uses automatically injected instrumentation and closed-loop control to optimize flow path / parameter variation coverage, and bail out early on dead-end routes. What's neat is that it does it without a significant performance penalty, and that setup is trivial for even very large, monolithic projects. You can also visit its nice project page and read some documentation (awesome, eh?).

It's the triannual intercontinental browser bug-o-la-palooza! My newborn son is not giving me a chance to get any good night's sleep, and so I'm fooling with web browsers instead. See entrap open, cache attack, bait & switch, IFRAME snatch, clickme bug, URL spoof, focus bugs, location, blank, bookmark, srand(), unload, tailgate, trap bugs, and then some. InfoWorld article incorrectly stating I didn't notify Firefox developers is here (Slashdot 1, Slashdot 2, Slashdot 3, Slashdot 4).

Stompy is an advanced utility to test the quality of WWW session identifiers and other tokens that are meant to be unpredictable. It is fully automated, employs a remarkably advanced collection of tests, and probably scratches an important pen-testing itch.

0trace is a hackish utility to run traceroute within an established TCP connection, thereby bypassing some stateful packet filters. Also see Jagger's improved version, or a Python port by Jon Oberheide.

Fl0p is a passive L7 flow fingerprinter that does not examine packet payloads, only their relative sizes, the sequence of client-server traffic, and its timing. The tool can thus be used to peek into encrypted tunnels, automatically tell users from robots, and far more. Still somewhat of a PoC - the database of signatures is very small (but cool).

Cracking safes with thermal imaging, or a mildly amusing demonstration of why science fiction ain't fiction (as seen on Hack-a-Day and at Schneier's).

Cross-site cooking is a set of problems that allow injection of cookies into certain browsers. Not earth-shattering, but interesting nevertheless (featured on Slashdot).

P0f v2 is a 100% passive OS fingerprinter capable of identifying parties during casual communication, detecting NATs, connection sharing, etc. P0f is included with many distros, integrated into OpenBSD, amavisd, milter, and so on. Some of the articles on P0f: "Nmap's Silent Partner", "Dynamic Honeypots".

"Strike that out, Sam" is a brief research paper on Microsoft and their blunders with managing Office metadata in their own documents. The text comes with a handy pen-testing tool, the revisionist (featured on Slashdot, Silly Valley, Securityfocus, The Inquirer, and on RISKS).

Mangleme experiments - I did some early tests on the robustness of web browsers by feeding them auto-generated malformed HTML and images. This resulted in the discovery of a large number of flaws - see: script action handlers, OBJECT tag, corrupted JPEGs (The Inquirer), initial batch on BUGTRAQ (the utility itself, a quick demo, and a Slashdot feature); and Ned's variant of my scripts that helped him find the IFRAME overflow (also see: Bofra worm). The disclosure of these flaws prompted Larry Seltzer of eWeek to write a lengthy rant on how much I suck.

Fakebust is a fairly simple but handy utility that enables the user to run suspect malware or other suspicious applications under strict supervision. Any potentially dangerous operations are carefully annotated, subject to the operator's review and approval. This is a quick and easy option for poor man's forensics.

Memfetch is yet another small but useful security tool that allows instant and non-intrusive dumping of ALL process memory, including the information absent from core files. This is a neat way to see what, exactly, is running at a particular PID. Memfetch is shipped with a couple of distros.

I realized that IP fragmentation makes TCP/IP initial sequence numbers inherently vulnerable to data injection attacks, something that went unnoticed for quite a while. A more rigorous discussion of the problem is included in SotW.

Juggling with packets is a semi-humorous write-up on the feasibility of using core Internet technologies for a delay-line memory (co-authored with Wojtek Purczynski). This has some interesting anonymity applications; more so given the advances in parasitic computing. Again, SotW includes an in-depth analysis of such scenarios.

I did some research on 3-dimensional attractor reconstruction to attack PRNGs used for TCP/IP and other networking applications. This resulted in two notable papers with pretty graphics: the original TCP/IP ISN research and the 2002 followup publication. These papers were featured in various literature and on Slashdot (twice - here and here). Also see Dan Kaminsky and his PRNG graphics, and the DNS security paper by Joe Stewart.

Rise of the Robots was a FUD masterpiece I authored for Phrack magazine back in 2001. It talks about the prospects of widespread abuse of automated web crawlers and search engines, and tasking them with the execution of actual security attacks. The attack was reinvented several years later by these bold dudes.

Fenris is a runtime analyzer and debugger that can detect and understand high-level C language structures, memory layout and data flow, reconstruct symbols, etc - all in the absence of any debugging information (some demos here). As of 2006, the program is no longer maintained (if you're interested in taking over, drop me a mail).

2c2 is a programming experiment in developing a practical deniable encryption tool. For the ultra-paranoid. James Kehl has developed a more sophisticated successor to 2c2, codenamed 4c.

Snowdrop is a small tool that implements provable text document watermarking (for mails, memos, C programs, etc). It uses several redundant channels for steganography, so a run of indent, sed or fold is not enough to thwart recovery of watermarks.

Museum of Broken Packets - need I say more? Not really updated too often, but still worth visiting (featured on Slashdot).

Delivering Signals for Fun and Profit is my 2001 paper on a class of vulnerabilities related to asynchronous signal delivery (something that plagued most software back then, and isn't really sorted out today).

Absence of fd-based unlink() is an issue on most unix systems, and causes some interesting, if hypothetical, attack possibilities.

Probably my first English-language write-up longer than vulnerability reports on BUGTRAQ was "I don't think I really love you", an analysis of the areas of development for Internet worms. It is certainly somewhat childish by today's standards, but, unexpectedly, managed to get mentioned in mainstream media back then. In the same vein, see unicorns PoC.

Various minor or ancient security stuff (some of which might be unsafe or broken): code mangler, my ancient fuzzer, unix socket nc, uptime changer, netsed (realtime TCP sed), nosuid ping, world's best exploit, exhaustive testing, and some other random crud in this directory.

As a general rule, this site does not include product security information. For all my advisories, bugs, patches, and exploits, go to Securityfocus, PacketStorm, or use Google.

hobby & misc

I am a half-baked photographer. This is an expensive hobby, so feel urged to visit my photo gallery to improve my ROI (I promise, no Macromedia Flash). Also, here are some of our QE2 cruise photos. Bonus: fanmail.

My second, equally expensive and fruitless hobby is robotics and electronics. Click here to see a gallery of my prototypes - some are pretty, some are not. For the curious, I authored a quick guide to CNC robot building and a cheesy Geiger-Mueller mood lamp (NEW).

The Wreck of the Steamer "Stella" - bad poetry, executed! This is a pretty ridiculous concept on the verge of steganography, programming, and general nuttiness. The basic premise is to make it possible to hide algorithms in text, and to find algorithms where there were none, by making random text executable.

I set up eProvisia - a Palmyra Atoll company like no other. What was meant as a silly joke got picked up by ZDNet (they even got an expert to comment!), Slashdot, Ars Technica and some other media. Hooray?

Catty v3 is an experiment in artificial futility. It is a chatbot, plain and simple, but it's unique in that it does not even try to comprehend what you say, and instead, cross-correlates input with a database produced by crawling a good chunk of the Internet. You're talking to the Web, and boy, is it dumb! Sources here.

Blog generator is a variant of Catty, hand-fed on thousands of blogs. Give it a subject to start with. It will then recursively fuel itself and spawn an elaborate blog entry on any subject. Actually, quite frightening. Sources up for grabs.

I have this fascination with the Web, can you tell? See Who runs the alphabet to uncloak a sinister conspiracy; or Culture shock for some weird pictures.

Evil finder is a cool hack that employs numerology to conclusively prove the evilness of a given subject. The database of entries is kinda goofy, but you're free to alter it to your liking (sources here). The tool got Farked and is a part of FreeBSD. Click here and here for creepy fanmail.

Argante was a hobby operating system I developed with a number of friends. It had some cool features - and sucked in many ways, but that didn't stop folks from contributing third-party compilers, etc. The efforts were later restarted under the codename hardcore.

My three permanently unfinished projects: Leith, a language in which every text file is a valid program, and there's a "Hello world" poem; shell hell, an assembler-based login shell; DIX adventure game engine (done a couple of times, but lacking content).

I'm an aquarist. I might set up a detailed page on this boring subject one day; until then, enjoy the photos.

Bottomless pit of stupid ideas is a list of concepts so ridiculous or outlandish, I didn't even get to begin working on them. Looking for inspiration? Then stay away!

Lost souls is a list of searches that led to this page. Yeah, mostly child porn. See: fanmail #1, #2, #3, #4, #5, #6.

Assorted other software: text-mode JPEG viewer, GFX #1, GFX #2, bad coding, Powerpoint for Linux (another version here), and other items in this directory.

Random feats: authored a foreword for Jose's excellent book on Internet worms; got sort of mentioned in Matrix; sucked at coding. I served as a sysop with checkuser privs on pl.wiki. I have a son.

Various semi-interesting links: Lucy, secret life, 20 questions, sinfest, no telemarketing, antigoogle, mind reading, roulette, core network, pokey, IOCCC, can glass, science made stupid. Personal homepages: neutrinka, venglin, isec, shykta, wifey, taviso, scarybeasts, asirap.


- by lcamtuf@coredump.cx, best viewed with an http client -