Posts

ClamAV Signatures

Recently, while working with ClamAV, I encountered some cool features I wanted to share.

Signatures Too Long

In one instance, I found out that ClamAV cannot accept signatures greater than a certain length. While I'm not exactly sure what that length is, I'm sure you'll get a syntax error if the signature is too long.

In another instance, I found that ClamAV does alright with heuristics. It may be a custom hack, but the gist of the matter is: I can input the arguments to a (function(p,a,c,k,e,r)), and only the arguments to the function, and ClamAV will detect the use of the function and will include the function in the normalized result.

Example:
('e r=x.9,t="",q;4(r.3("m.")!=-1)t="q";4(r.3("7.")!=-1)t="q";4(r.3("8.")!=-1)t="p";4(r.3("a.")!=-1)t="q";4(r.3("f.")!=-1)t="g...

Sockets in C: Error 141?

So, I've been working with sockets in C recently and encountered an issue for which I didn't easily find a solution. Hopefully this blog can end up at the top of the results, because it's the post that helps others out.

Premise

So, the idea here is I have a service running that accepts connections for data to process. I have it configured to open a socket; then, for each user that connects, it will create a thread and pass the client to that thread as it opens the socket for another potential connection. The thread handles the processing of data that passes over that connection and then terminates. Now, what happens when a client prematurely disconnects from the thread before it's finished? It would appear your application just dies: no "segmentation fault", no output, it just dies. You may notice it has exit code 141.

Problem

Turns out what was really happening was that the service was sending itself signal 13, or SIGPIPE. If either the service or the client attempts to send d...

Do You Fix Computers?

I oftentimes get this question when I tell people that I work with computers. What's even more humorous is that the number one complaint I see from most people is that it's slow... I usually proceed with the next question: how much RAM do you have on it? Which is usually followed by "wat?" with a blank stare, or they will proudly boast about how little they know about computers, as if it were an achievement. I wince as I ask the question "could you look on the box for this info?", which is followed up with "wat box?" At this point a faceplant is usually issued as I explain the concept of RAM and how to obtain this info. Since I've encountered a mass number of these questions and followed this conversation to no end, I think I'm going to change it up to avoid these questions and get away with the excuse: "but... The Internet is much different from your computer...". My new answer will be: I make the Internet work ^.^

PCI Compliant Apache2 SSL Configuration

In recent trials, I have encountered a need to update the configuration for Apache to conform to PCI compliance. More information on Apache's configuration with SSL can be found here. The configuration you can use to have PCI-compliant SSL for Apache is:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:!ADH

Breakdown:
"HIGH:MEDIUM": This will enable Apache for the seven strongest algorithms used for encryption.
"+TLSv1": Enable TLS version 1 encryption.
"!SSLv2": Disable the weaker SSL version 2 encryption.
"+SSLv3": Enable the stronger SSL version 3 encryption.
"!ADH": Disable the ADH versions of encryption, which are weaker algorithms.

Malware Signature Generation - Mid Trial

In recent research, I've discovered a few things about malware signature generation (MSG) and the whole model that surrounds it. Most of this is just speculation, which would explain the lack of citations. However, I would like to expand on what we have and create a smarter product. As I understand it, MSG is based on just understanding exploits that have been created and basically blacklisting and whitelisting code that has already been written. The problem is there is an infinite number of ways a task can be completed, so having a complete and inclusive list (or even a list up to date with the most recent hacks) is nearly impossible. With the plethora of technologies involved in a single web page request, the probability of having a fully inclusive list of exploits is even more stark. Last week, I had a theory that if one were to compile source code to bytecode or binary, then you could inspect the result of that to determine if similar plaintext code would have the same binary ...

Malware Signature Generation

In recent work, I've encountered a task where we are identifying malware based on a signature that is a snippet of code that performs the malicious activity. These are usually JavaScript- or PHP-based exploits that disable any local protections and transfer whatever data or payload to or from the client for further exploitation. The question is how to identify these snippets of code so we can take action to have them removed. I think it would not be the most efficient way to copy/paste the code into a database and check to see if you ever find that snippet again, because changed variable names, lines of code shifted around, or even a different character set in the files would pretty much invalidate a signature taken from the last one found just like it. One higher-priority question to me is: Will compiling PHP and JavaScript to bytecode, and generating signatures for the binary results, be a more effective way of identifying malware than identifying copy/pasted snippets ...

Future Plans

2011-12-26

So, you're all probably wondering what the big plans for www are. Ever since I purchased markizano.net, I wanted to build a place where people could come and see my work. I wanted to (with permission) keep working copies of my clients' sites as an empty mirror or a sandbox for testing/viewing purposes. I would keep the applications in a virtual environment and reset the database on a timed interval. I wanted to publicly host code that I had written, as an example of what I can do as a developer, and also to keep for myself an archive of things I've published to see how I develop as a software engineer. How does my code formatting change over time? How does my architecture develop with each new release? What new concepts do I employ as time goes on? ...