Blogging from Bluehat V6 . . .

So I'm in the speakers lounge and so far today we've had MarkRuss talk at some length about what are and are not considered 'security boundaries' in Windows.  For example, user sessions are a security boundary.  Virtual Machines are a security boundary.  Various 'Defense in Depth' technologies like UAC, IEPM (protected mode), session 0 service isolation, KMCS and PatchGuard are not.  It was a great talk as usual.  Now I'm watching Roberto Preatoni (WabiSabiLabi - aka 'zero bay') explain to us why he thinks his "security marketplace" is such a great thing . . . next Kaminsky is going to do a talk on DNS which should be highly entertaining - Dan's a great speaker.

Here are some security related things going on today that I find interesting.

1. Google vulns including a nasty Gmail one: http://blogs.zdnet.com/security/?p=539
2. Apple vulns added to Metasploit (i.e. iPhone modules): http://www.darkreading.com/document.asp?doc_id=134869&f_src=darkreading_section_296 - note that it sounds like H.D. has some 0-days for the iPhone. :)
   Wow - Apple just released their most recent update for the iPhone fixing 10 CVEs: http://docs.info.apple.com/article.html?artnum=306586  What's interesting about the iPhone is that people don't seem to realize they are carrying OSX running as root in their pocket.
3. VMWare vulns announced: http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html (I counted 20 CVE's being announced / fixed in that update - holy crap!).