Robert Hansen

The Effect of Snake Oil Security

By Robert Hansen

I’ve talked about this a few times over the years during various
presentations but I wanted to document it here as well. It’s a concept
that I’ve been wrestling with for 7+ years and I don’t think I’ve made
any headway in convincing anyone, beyond a few head nods. Bad security
isn’t just bad because it allows you to be exploited. It’s also a
long-term cost center. But more interestingly, even the most worthless
security tools can be proven to “work” if you look at the numbers.
Here’s how.

Gaining Precision in Information Leakage Attacks

By Robert Hansen

It’s hard to narrow down your life’s work into one interesting event or tidbit. Even picking 10 would be tough. So instead of picking something I am well-known for, I wanted to look for something I had a lot of fun coming up with that you probably didn’t read. I’ve always been interested in information leakage as an exploit class. It’s something most people like to overlook, in favor of the higher-profile exploits. Sure, it’s a lot sexier to go after the direct administrative compromise, but I enjoy the nuances of piecing together big puzzles. Information leakage as a class provides me that kind of mental

Does Google Have a Double Standard on Full Disclosure?

By Robert Hansen

Early this morning Google’s Tavis Ormandy published a vulnerability in the hcp protocol handler. It allows the attacker to run arbitrary commands as the user. In practice it created a lot of alerts and warnings for me – but the XP install I was using is somewhat locked down. So I’m not sure how practical this attack would be over any other attack that causes an alert, as the article mentions. Later his report says it works around the alerts (I couldn’t reproduce that, but that was his intention). Either way, though, this is some pretty amazing research. However, there are some odd things about this that really struck me the wrong way.