Wednesday, 31 July 2013

Day 1 - made it to Vegas, start of ASP.NET MVC research

So after an 18h flight (with stopover in Toronto) I made it to Las Vegas. It was a really productive flight and I was finally able to spend some time focus on really learning how the ASP.NET MVC actually works.

I read a large section of Professional ASP.NET MVC 4 book (by Wrox) which is a great way to quickly learn what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of all ASP.NET MVC books I have) on 'mentioning' security. Unfortunately, on the ModelBinding vulnerabilities (aka over-posting), there is very little to alert the reader for the dangers of MVC's ModelBinding.


This is also the first 24h that I have been off-the-main-grid (see Trying to keep secure while at BlackHat and DefCon 2013) and there are still a couple things to sort out:

  • I got an US SIM card, but it looks like my IPhone is not unlocked after all, so either I unjailbreak it or get an cheap android phone for the week
  • At the airport I bough an Windows Surface RT, since they are now £250 and I needed something to do after my battery died during the flight over (I also want to run the O2 Platform on it, and create an TeamMentor app for it)
  • Before I left I also:
    • added the diniscruz_defcon@outlook.com email account to this blog as an author (so I can write posts like this :)  )
    • created a twitter account https://twitter.com/DCruz_DefCon which I wanted to link into my main account (I run out of time, where the idea was to have a bot somewhere retweeting that into my main twitter)
  • Going without email is interesting and very liberating (the people that matter know my new email address so I'm not missing nothing that urgent).
  • It is also quite interesting to think about how create an environment that is secure(r) and one that is easier to detect if there has been any type of compromise
  • On the topic of security John Wilander  just tweeted a link to this 272 page pdf on Mac OS X Security Configuration which looks quite good (and he is now using temp pwds which is a great thing)
Today I all about coding and researching (not really planning to go to BlackHat today). I'm going to stay around the Mirage and code/blog away on what I will present on Sunday with Abe (btw the DefCon schedule is out and we are presenting Resting on Your Laurels will get you Pwned: Effectively Code Reviewing REST Applications to avoid getting powned on Sunday at 11:00 am (track 4)