spoonfork

Here's a quick summary of my trip to Bahrain for HITBSecConf2005:

• The Hotel. It's called Taj Palace, probably a two-star hotel somewhere near the outskirts of Manama City. The hotel rocked, and I mean it in its literal sense. It rocked, yo! For two days straight, Iron Maiden was the muzak du jour. Nevermind the fact that the hotel's tap water was salty, or that they do not provide any kinds of complimentary items such as coffee or tea, but hell, they got Iron Maiden for you.


• Manama City. The city-centre itself is nice, and shows signs of rapid development. The outskirts are littered with rows of uneven shoplots, and most shops are no more than 10x10 square feet in size. There aren't much greens (duh, it's the Middle East yo!). And the buildings? They're just different shades of sand-yellow. Haven't they heard of Nippon Paint or Dulux?


• The chix0rs. What?


• The pizza. The best part of this trip was probably eating pizza. Samih Bakery, near Taj Palace is a small pizza shop, and the pizza was fuck-kau-damn nice!


• The people. Bahrain is made of up of mostly Bahrainians (duh), Indians and Pakistanis. There's quite a number of Filipinos as well. And they drive fuck-kau-damn nice cars. Including Satria. I kid you not. Here's the thing though - being a first timer to Middle East, I find it difficult to differentiate one Arabian from another, especially when all of them are wearing galabiyyas and that thing around their heads.


• The con. What con?


• The money. 1 dinar == RM 0.10. What more can I say?


• The F1 circuit. Considering that we have Sepang International Circuit, and that I've been to F1 races at Sepang before, there's nothing much I can say about it. Gah, I was not impressed at all.


• The weather. Since the weather was in transition from spring to summer, it was cool and windy. On the days that we were there, it was around 26 degrees all day - that's like 6 to 8 degrees lower than the temperature in KL yo! According to our hosts it will get as high as 45 degrees in one and a half month's time.

All in all, the conference could have been better. We take the Bahrain conference as a learning experience. Fyodor has uploaded some pics, and blogged about the trip here. As usual, Alphademon provided a trip report as well.

UPDATE: More pics here and here.

Listening to: Iron Maiden - Face In The Sand

Decide to unmask Gnome 2.10 yesterday - after adding a few other packages manually into /etc/portage/package.unmask and /etc/portage/package.keywords, I started performing parallel emerges - manually that is. Compilation went fine, no problem at all, and Gnome 2.10 started up gracefully. Apart from a few new applications (soundjuicer, totem movie player) I don't really see any significant changes from 2.8. But I found that Gnome 2.10 started a few seconds (maybe 2 - 3) slower than 2.8. And gnome-terminal, the only program that I use frequently (besides xmms and firefox) performed terribly slow when transparency was enabled, compared to 2.8. Nautilus has improved a lot, and it's quite faster too.

Other than that there's nothing much that I can comment about Gnome 2.10 simply because i) I rarely use my PC and even if I do, I normally ssh in to it and ii) I use my notebook a lot and I run fluxbox on it.

Listening to: Daft Punk - Digital Love

Sensepost just released Wikto 1.6, an advanced Web Assessment Tool (or web hacking tool if you prefer it that way) that uses Nikto db, Google Hack DB and "fuzzy metric" to find vulnerabilities and penetrate into web applications. It also uses Net-Square's httprint for web server fingerprinting and httptrack for offline mirroring.

One of the best thing about Wikto is directory and file discovery technique. The technique is called "fuzzy metric" in which responses to a request is compared against a database of similar requests and a calculation is performed. The result of the calculation will determine wether a file or directory exists. For example, the following query is sent:

http://mel.icious.net/foobar.pl - this will return a 404 and the result will be given a value, say 0.75.
Subsequent queries are then sent, for example:

http://mel.icious.net/admin (score: 0.75)
http://mel.icious.net/test (score: 0.75)
http://mel.icious.net/backup (score: 1.27)

For the first two, we know that the directories do no exist because the values are similar with the inital query - however, querying for backup gives a different value, and this is something interesting.

The are also a lot of other features of Wikto - I have yet to tried it out since I don't have a Windows box handy and I don't have enough mono/C# skills to compile the source code yet.

Charl gave a very interesting presentation about web security assessment which includes an introduction to Wikto at Bellua BCS 2005, and I think that his presentation was the best in the technical track. And he's a nice fella too. He helped us with the CtF setup in Jakarta. You can find his presentation here (PDF, 36MB).

Via TheStar: HITB Security Conference goes to Bahrain.

Building on the successes of past security conferences, the organiser of the annual Hack In The Box Security Conference (HITBSecConf), has decided to stage another conference outside of Malaysia.

According to Hack In The Box Sdn Bhd, the conference will be held in Manama, Bahrain, from April 10-13 and will feature more than 18 of the worldÃ

Tomboy runs beautifully on fluxbox! Finally, I found myself a better replacement for devtodo and tdl. While Tomboy is a graphical program (i.e. with GUI and stuff), devtodo and tdl are both command-line apps. The reason why I decided to use Tomboy as a replacement is simple: I want something that is visible. That way I can always view my TODO lists - as opposed having it obscured somewhere in my home directory and soon forgotten.

Tomboy also provides friendly editing of notes, so you can highlight, bold, underline, and resize words according to your taste.

However, one thing that is lacking (even with devtodo and tdl) is the lack notification tool for Tomboy. Maybe there's one out there - I need to search for it. Also, on fluxbox, the key bindings do not work. I'm yet to figure that out...

The screenshot is here. Give it a go!