Category Archives: computer security

Adnostic: Privacy Preserving Targeted Advertising

Online behavioral advertising (OBA) refers to the practice of tracking users across web sites in order to infer user interests and preferences. These interests and preferences are then used for selecting ads to present to the user. There is great concern that behavioral advertising in its present form infringes on user privacy. The resulting public debate — which includes consumer advocacy organizations, professional associations, and government agencies — is premised on the notion that OBA and privacy are inherently in conflict.

Adnostic is a practical architecture that enables targeting without compromising user privacy. Behavioral profiling and targeting in Adnostic take place in the user’s browser. The ad network remains agnostic to the user’s interests.

Our technical paper discusses the effectiveness of the system as well as potential social engineering and web-based attacks on the architecture. One complication is billing; ad networks must bill the correct advertiser without knowing which ad was displayed to the user. We describe a cryptographic billing system that directly solves the problem. We implemented the core targeting system as a Firefox extension and report on its effectiveness.

If only Google were to implement this crypto scheme.

Automatic Exploit Generation

The automatic exploit generation challenge is: given a program, automatically find vulnerabilities and generate exploits for them. In this paper we present AEG, the first end-to-end system for fully automatic exploit generation. We used AEG to analyze 14 open-source projects and successfully generated 16 control flow hijacking exploits. Two of the generated exploits (expect-5.43 and htget-0.93) are zero-day exploits against unknown vulnerabilities. Our contributions are: 1) we show how exploit generation for control flow hijack attacks can be modeled as a formal verification problem, 2) we propose preconditioned symbolic execution, a novel technique for targeting symbolic execution, 3) we present a general approach for generating working exploits once a bug is found, and 4) we build the first end-to-end system that automatically finds vulnerabilities and generates exploits that produce a shell.

The first step, automatically finding and exploiting the most basic vulnerabilities, is done, and incremental improvements will surely follow. While this won’t have a deep impact on the computer security industry, which is already full of people exploiting software for free, it will surely have a real impact on the programming world: as of now, any coder not acquainted with secure coding practices should be fired. For more information, visit the following link: Automatic Exploit Generation.

Cloud (computing) on Fire!

Cloud computing is badly broken, by default. And it won’t be solved anytime soon, no matter what server-side countermeasures or architectural patterns are deployed. Blame JavaScript, or rather, blame its abusers. The JavaScript sandbox and security model were not designed for the current cloud-computing architectures: sure, the Same Origin Policy prevents scripts running in pages from one site from accessing the documents, methods and properties of pages from other sites, but that policy does not apply to the scripts themselves: a script runs with the origin of the page that includes it, not the origin of the server it was loaded from. Furthermore, JavaScript is a dynamic language with a single global namespace per page, so scripts from different sources included in the same webpage have equal access to the page and to each other, and can change each other’s functions and variables.

Attack methods and vectors are plentiful: XSS, CZS, CSRF and DNS attacks, among others. The chain is too long and too weak, and the responsibilities are too distributed: cloud-computing architectures are not trading CAPEX for OPEX, they are trading CAPEX for OPEX and security. The modern cloud computing movement got started when Amazon validated the architecture internally and then offered it to the public via AWS, but extending it into the browser, with JavaScript from multiple sites running in the same webpage, goes too far.

Compromise google-analytics.com and not only is every page that embeds its script yours, but so is the privacy of the documents behind services like Google Docs and intranets all over the world.
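The mechanism behind the post's argument, as an added example that is not code from the original: two scripts from different origins loaded into one page share the same global object, so the second can wrap the first's functions and siphon off whatever passes through them, which is exactly the position a compromised third-party include such as an analytics script would be in. A plain object stands in for `window`, each "script" is a function run against it, and the names (`saveDocument`, `docs.example`, `app`) are inventions for the illustration. The second half shows what the page script can do about it (keep the function in a closure and publish it through a frozen, non-writable namespace) and the caveat that this narrows the attack without creating a boundary.

```javascript
// Added example, not code from the original post. Simulates two <script>
// tags from different origins sharing one page's global object.

function loadFirstParty(win) {
  // The page's own script defines a global that posts the user's document.
  win.saveDocument = function (text) {
    return { endpoint: "https://docs.example/save", body: text };
  };
}

function loadThirdParty(win) {
  // A script from another origin, say a compromised analytics include. The
  // same-origin policy limits what this script's own requests may read; the
  // script itself runs with the page's origin and sees every global the page
  // defined, so it can wrap the function and copy the data passing through.
  const original = win.saveDocument;
  win.leaked = [];
  win.saveDocument = function (text) {
    win.leaked.push(text);              // exfiltration point
    return original.call(this, text);   // then behave exactly as before
  };
}

function runVulnerablePage() {
  const win = {};
  loadFirstParty(win);
  loadThirdParty(win);
  const result = win.saveDocument("quarterly numbers");
  return { endpoint: result.endpoint, leaked: win.leaked.slice() };
}

function loadFirstPartyHardened(win) {
  // Keep the real function in a closure and publish it only through a frozen
  // object bound to a non-writable, non-configurable property, so a later
  // script can neither swap the function nor replace the namespace.
  const saveDocument = function (text) {
    return { endpoint: "https://docs.example/save", body: text };
  };
  Object.defineProperty(win, "app", {
    value: Object.freeze({ saveDocument }),
    writable: false,
    configurable: false,
  });
}

function attemptOverwrite(win) {
  "use strict"; // rejected writes throw here instead of failing silently
  // What the hostile script can still do: call the function, read the DOM,
  // or run *before* the page script and poison Object.freeze itself.
  try {
    win.app.saveDocument = function () { return { endpoint: "https://evil.example" }; };
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  try {
    win.app = { saveDocument() { return { endpoint: "https://evil.example" }; } };
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return win.app.saveDocument("x").endpoint === "https://evil.example" ? "overwritten" : "blocked";
}

function runHardenedPage() {
  const win = {};
  loadFirstPartyHardened(win);
  const attempt = attemptOverwrite(win);
  return { attempt, endpoint: win.app.saveDocument("quarterly numbers").endpoint };
}

console.log(runVulnerablePage()); // leaked: ["quarterly numbers"]
console.log(runHardenedPage());   // attempt: "blocked"
```

The hardened variant only closes the specific hole shown (late replacement of a published function). A script that loads first, or that reads the document directly, is not stopped, which is the post's point: there is no isolation boundary between scripts in a page, so the trust decision has to be made at the moment the third-party script is included.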

Julian Assange, The Hacker Formerly Known As Proff

marry (v.)
c.1300, from O.Fr. marier, from L. maritare “to wed, marry, give in marriage,” from maritus “married man, husband,” of uncertain origin, perhaps ult. from “provided with a *mari,” a young woman, from PIE base *meri- “young wife,” akin to *meryo- “young man” (cf. Skt. marya- “young man, suitor”). Said from 1530 of the priest, etc., who performs the rite.

In my early teens, I remember compiling and using the zapper marry.c, a little tool to clean your entries from the utmp/wtmp/lastlog/acct/pacct UNIX files. It was written by Julian Assange, who also wrote strobe.c, the first open source port scanner. I wonder to this day why he chose such a name for a zapper; doesn’t that deserve a Wikileak?