What Programming Language Should I Use to Build a Startup?

Often entrepreneurs ask me 'What technology should I build my startup on?' There is no right or wrong answer to this question. It's a decision every company makes for itself, depending on what it's trying to build and the skills of its cofounders. Nonetheless, there are a few rules that one should adhere to. We discuss them in this blog post.

Incident Response Policy

What happens in your company when a production incident occurs? Usually in a typical startup, you will see engineers running around frantically trying to resolve the problem. However, as soon as the incident is resolved, they forget about it and go back to their usual business. A good incident response policy can help bring order into chaos. We provide a sample template in this blog post.

Why Software Deadlines Never Make Sense

We discuss why software deadlines usually don't make sense.

Analyzing Front-End Performance With Just a Browser

We discuss a number of freely available online tools which can be used to analyze bottlenecks in your website.

Why Smaller Businesses Can't Ignore Security and How They Can Achieve It On a Budget

In this article, we show that security is both important and achievable for smaller companies without breaking a bank.

Sunday, December 19, 2010

Experimenting with Facebook API

I've got to be honest.
The Java API for Facebook was horribly documented and is out-of-sync with the current version of their library. The following code works for JAR version 1.7.*.
My goal was simple - login to facebook and download names of a person's friends.

public static void main(String[] args) {
IFacebookRestClient client = new FacebookXmlRestClient(API_KEY, SECRET_KEY);
try {
String token = client.auth_createToken();
String url = "" + API_KEY
+ "&v=1.0" + "&auth_token=" + token;
Runtime.getRuntime().exec("explorer \"" + url + "\"");

System.out.println("Use browser to login then press return");;

String session = client.auth_getSession(token);
System.out.println("Session key is " + session);

FriendsGetResponse friendsResp = (FriendsGetResponse)client.getResponsePOJO();

List friends = friendsResp.getUid();
System.out.println("ID List of Your Friends");

client.users_getInfo(friends, EnumSet.of(ProfileField.NAME));

UsersGetInfoResponse userResponse =
(UsersGetInfoResponse) client.getResponsePOJO();

List users = userResponse.getUser();
for (User user : users) {

} catch (FacebookException e) {
} catch (IOException e) {

Saturday, December 18, 2010

Wait for me - Moby

A really nice music video.

Wednesday, December 15, 2010


I discovered this nice tool for keeping track of latest security vulnerabilities. It's called Cassandra (
It allows you to specify the software that you use in your company and subscribe to security updates just about them.

Tuesday, December 14, 2010

Why Gawker was targeted

"We went after Gawker because of their outright arrogance," a source claiming to be from Gnosis told blog Mediaite "We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled
with numerous exploitable code and their database is publicly accessible."

Read more:

Tuesday, December 7, 2010

Parsing HTML in Java

I am working on a social engineering tool that requires me to download a webpage's content, parse HTML as DOM, and then replace certain parts of the page with custom code.

So I thought - no problem. HTML is a subset of XML, so I'll just use a standard SAX parser. The first stab at the code looked like this (where site is a string variable containing the HTML):

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document d = db.parse(new InputSource(new StringReader(site)));

Looks good? Wrong!!
Most HTML in websites is not well-formed XML, so the parser crashed after consuming 4 lines of HTML.

So I stumbled across a really neat Java library JTidy ( which first beautifies the HTML by making it a well-formed XML, even if the website's author has been sloppy, and then parses the XML into DOM representation.
The resulting code is just as short as the original, except it actually works:

import org.w3c.tidy.Tidy;
final Tidy tidy = new Tidy();
Document d = tidy.parseDOM(new ByteArrayInputStream(site.getBytes("UTF-8")), null);

8 fallacies of distributed computing

Nice post by Peter Deutsch on 8 fallacies of distributed computing:

1. The network is reliable
2. Latency is zero
3. Bandwidth is infinite
4. The network is secure
5. Topology doesn't change
6. There is one administrator
7. Transport cost is zero
8. The network is homogeneous

Monday, December 6, 2010

Nice Git cheatsheet

Sunday, December 5, 2010

New website

Having a cold can sometimes be a good excuse to lock yourself in a room, and not allow anyone in. Spent 4 productive hours revamping my webpage

Thursday, November 25, 2010

Summary of a "Remote binary planting talk" at DeepSec by Mitja Kosek by

Remote binary planting talk
This was given by Mitja Kolsek at DeepSec. Excellent overview of this vulnerability.

1998 - nsa windows nt security guidelines
2000 -georgi guninski : two office bugs
2001 - nimda uses dll spoofing for propagation
2006 - microsoft introduces safe search order
2008 - acros reports bp bugs to apple, google, microsoft, vmware

DLL search order
How about when LoadLibrary is called with a relative name?

1. Dir where app loaded
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current working directory (CWD)
6. System path; User path

Current working directory stands out. This is a dangerous location.
If permissions set correctly, first 4 locations malicious code can't be planted there.
But CWD can not only point to loc on local file system but also can point to remote share (e.g. on a server in China).

"Unsafe search order" before 2004, current working directory was in location #2.
Safe search order changed to put CWD in #5.

Causes for not finding DLLs in primary locations.
1. Programmer checks for local capabilities by trying to load a library
2. Some DLLs are present on OS1 but not OS2 (dwmapi.dll) - with visual studio
3. Custom/partial installs
4. Backward compatibility
5. Forward compatibility
6. Application written so that it finds its binaries in PATH.
7. OS porting (loading on Windows)
8. Wrong assumptions about installed components - media players assuming codecs are available on the system.
9. Incomplete uninstalls.
10. ....

3rd party components

3-step attack:

1. Plant a malicious DLL (eg remote windows share)
2. Somehow get vulnerable app on user's computer to set CWD to location of DLL
3. Wait

How to set working directory
1. Double clicking a file in explorer (in remote share) (automatically sets cwd of launched app to that location)
2. File open, File save dialogs
3. Some apps change CWD to last open/save
4. cmd.exe : cd command

8. Local priv escalation
9. Advanced binary planting attacks

Internal network attack... malicious.dll
Do your firewalls block SMB? Yes, but what about WEBDAV traffic?

\\hack.attacker.dom\Share --- sets up web server, enables WebDAV, sets up share on the server... Hi john checkout this document.

WebClient service.. on windows workstations. If SMB protocol doesnt reach that share, then WebClient is going to try WebDAV.

=> click twice on the webpage
Address Book

Double click VCF file \\\demo\web32res.dll
Process Monitor - SysInternals

Binary Planting - Goes "EXE"

Searching for non-absolute exe.
Looks in CWD as #2 in the search path.

Q: did you try doing anything similar in Linux with shared objects?

Inspected 200+ Windows applications
At least one exploitable binary planting issue in almost every one!

Tool for detecting binary planting.

ACROS binary planting detector (DLL planting: 400+, exe planting 120+)
~100 affected vendors at Secunia

Block outbound SMB, WebDAV traffic on corporate firewall.
- test your exposure to remote binary planting attacks

Sunday, November 14, 2010


After last week's sprint, I realized I have a nasty habit of overcommitting.
On Wednesday afternoon, I spoke at SC magazine congress, on the topic of social engineering. The audience was very welcoming and really enjoyed my talk. It was also interesting to learn about some of the standardization efforts that people work on, such as MAEC ( to enumerate different types of malware, infecting people's computers, and SCAP (, a broad family of security specifications, the best known of which is probably CVE.
Having given my talk, I chatted to a few folks, and had to dart off towards Penn Station to hop on a train to Washington D.C. It was a gorgeous, sunny day, with temperature in the 60s (a rarity in November), so I wish I didn't have to spring and could instead take a leisurely walk. I arrived to Hyatt D.C., which was a great hotel. And the next morning I was off to AppSec DC. Here the talks were a lot more technical than at SC world congress. Again, I wish I had more time to walk around Washington but I didn't. I picked up a few interesting ideas on instituting secure coding in organization during AppSecDC. Will be interesting to see if they will work in an agile development environment.

Wednesday, November 3, 2010

Yesterday I spoke on exploiting weak random numbers at the OWASP NY/NJ chapter meeting. It's a repeat of my talk "Much ado about randomness" that I gave earlier on in "The Next Hope". The meeting was great and contained some interesting presentations.
Escaping the Sandbox, Stephen Ridley
Groundspeed, Felipe Moreno
Much Ado about Randomness, Aleksandr Yampolskiy
Memory Corruption, Exploitation, and You, Dino Dai Zovi

I've uploaded the slides right here:

Monday, November 1, 2010

Malware goes to the movies

This month, I will be giving a talk "Malware goes to the movies" in AppSec DC 2010 (Washington D.C., US) and DeepSec 2010 (Vienna, Austria) conferences.
More details are available at this link.
This talk will examine new types of malware that spread through online videos, music files, and images.

Typically, there are two ways an attacker can trick you to install malware on your computer through videos:
1) URLANDEXIT command
Most Windows media files (WMV, ASF, WMA, etc.) allow embedding of script commands to "enhance viewer's experience." Bad guys abuse one such command called URLANDEXIT that launches a specific webpage from your Media player. They will make the player pop up a "Codec missing" or "License missing" message box on your computer, and trick you into installing a malware masquerading as a plugin.

2) DRM functionality abuse.
The same idea as above is used except a Windows mechanism to retrieve software licenses is used to distribute the payload.

I've implemented a Python tool that allows you to scan video files on your HD for the presence of these abusive commands in the video and music files. It implements a simple pattern recognition for byte sequences of URLANDEXIT command, extracts the URL out of the file, and then uses Web of Trust API to check how trustworthy the webpage is.

The tool is still in alpha stages. But the source code is available right here:
There are two ways of using it:

1) To scan the file on the HD
$ python -f VIRUS-VIDEO.AVI

Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in file: VIRUS-VIDEO.AVI
Positions of ['U', '\x00', 'R', '\x00', 'L', '\x00', 'A', '\x00', 'N', '\x00', 'D', '\x00', 'E', '\x00', 'X', '\x00', 'I', '\x00', 'T', '\x00'] and ['\x00', '\x00', '\x00', '6']
startPos = 1939
endPos = 2017
The extracted URL:
Checking reputation of url:
(Trustworthiness, Reliability)= [5, 42]
Reliability is > 20, so I'll proceed

2) To scan the URL containing a torrent file.
The tool will start downloading the video specified in the torrent, and analyze the incoming stream of data on the fly.

$ python -u

Video searcher v1.0 Copyright Aleksandr Yampolskiy
Looking for malware in url:
Downloading torrent information from
Downloading: 0.00% complete (down: 0.0 kb/s up: 0.1 kB/s peers: 0). Pieces [ ] None : -1

Thursday, September 9, 2010

Old presentations

I decided not to let my old presentations from various security conferences go to waste, and started uploading them to Slideshare. It's a great site. I recommend you to check it out if you want to keep track of your talks.

"Here You Have" virus

Today was a busy day. A zero day attack propagated across the Internet in the form of an email with the subject "Here you have". I ended up frantically reaching out to various heads of security in diff companies trying to get more insights. Now more details are emerging and looks like it was a VB variant (similar to Kournikova) virus which got re-crypted in a new way.

There are two mitigation steps:
1) Block all incoming emails with that subject line in your spam filters.
2) Block any outgoing web access to the following sites because the virus downloads additional malware from them.

The patches from A/V companies should be available soon.
More details on how the virus works are available at:

Tuesday, June 29, 2010

We're hiring multiple engineers at Gilt Groupe. If you are interested, drop me a note to "yampolskiy AT gmail DOT com"
  • App Engineers for Gilt and Gilt City. Lead Engineers too.
  • App Engineer for New Sales Types initiative
  • Technology generalist with 3+ years experience developing web applications and an understanding of the full web stack. Experience with java/jsp and a passion for iterative development and constant refinement of code by utilizing automated tests.
  • Finance Engineer
    Web/database app developer with 5+ years experience, preferrably with at least 2 of them finance-focused
  • Warehouse Engineer
    Web/database app developer with 4+ years experience, including significant systems integration.
  • Senior/Principal Mobile Engineer
    Help establish our mobile strategy for all Gilt properties. Participate in the design of our mobile products for all Gilt properties. Help improve our mobile infrastructure and platform for all Gilt properties. Implement our mobile products for all Gilt properties.
  • Dir/VP Eng Gilt City
  • Data Architect/Engineer
    Experienced, solution-focused Data Engineer/Architect who is passionate about data and understanding data relationships. Able to analyze and interpret requirements for logical and physical data models in order to design, develop, and review data storage strategies/techniques (e.g., ODS, DM, OLAP, HOLAP, ROLAP, MOLAP, ELT, ETL, MR)
  • QA Manager
  • DW QA Engineer
  • Finance QA Engineer
  • Internal Support Analyst
  • Senior Systems Engineer (Tech Ops)
  • Experienced systems engineer from web or similar environment. Team lead experience a plus
  • Platform Engineer
    Solid Java Experience, interested in more business and internal facing work

Tuesday, April 20, 2010

I get cited in NY times on secure ways to shop

A rather good article to read about how to securely shop online without becoming a scam victim
I get cited in it too

Monday, March 22, 2010

Experimenting with BackTrack installation

For those who don't know, Backtrack is an OS which embeds all the useful hacker utilities on it.
Now installing it on a USB is heaven for a hacker, or a penetration-tester like myself.

Saturday, February 20, 2010

Using THC Hydra to bruteforce passwords

I've started experimenting with THC Hydra to brute-force passwords on my home Ubuntu box.

1. First, install OpenSSL and GTK toolkit dependencies, which are required by Hydra.
sudo apt-get install libssl-dev libgtk2.0-dev

2. Next, get the Hydra source code.
wget -c

3. Unpack the archive.
tar -xzvf hydra-5.4-src.tar.gz
cd hydra-5.4-src/

4. Compile the Hydra
vi Makefile <- and remove the "-lpq" and "-DLIBPOSTGRES" statements

5. hydra -L users.txt -P password.txt -e ns -vV -t 1 http-post-form "/bb/login:email=^USER^&password=^PASS^:Not allowed"

768-bit RSA modulus has been factored

A rather exciting paper appeared on ePrint a few days ago:
A team of researchers succeeded in factoring a 768-bit RSA modulus.
In many practical applications nowadays, we use a larger 1024-bit RSA modulus for signatures and encryption. This result raises a question of "For how long are 1024-bit encryption/signatures secure?". The authors claim that they are for the next three-four years, and suggest switching onto larger modulus such as 2048.

Friday, February 19, 2010

The security blog is born.

Today, I decided to create a blog with my ruminations on the theory and practical applications of information security. I hope that my readers will find it useful!