Hey all,
I am looking for Memoryze dumps of various pieces of malware -- the more the merrier. Does anyone here have some ?
Cheers,
Halvar
Thursday, October 22, 2009
Monday, September 21, 2009
Saturday, September 05, 2009
Restaurant Review: "Le Surfing", Les Estagnots
Hey all,
I know it is a bit odd to post restaurant reviews on this RE-centric blog, but ... err ... I'll do it anyhow.
So I am currently on my vacation (yay) in southwestern france -- close to Seignosse/Hossegor. On my search for wifi, I ran into a place called "Le Surfing", which is a small ... well ... surf-bar (?) at the beach "Les Estagnots".
The place is definitely pretty damn relaxed -- it seems that a bunch of folks that want to be at the beach decided the easiest way to finance it is through this bar. When I first walked in, I was greeted with "hey, there's a customer, we need someone behind the bar".
So tonight I decided to eat here. After trying to order the Thai-style beef salad, the waitress convinced me that it's saturday, and on saturdays they have sushi, and I absolutely have to eat their sushi. So I ordered their sushi.
And I didn't regret it. It's rather unorthodox -- e.g. it features rice, raw fish, nori, wasabi, and soy sauce, but I wouldn't describe it as traditional sushi. Not that this is bad: I had a stellar roll that consisted of crab meat, a mild goat cream cheese, cucumer, and bell pepper. There was some tuna, fresh crevettes, an onion-heavy-salad, and various other things.
All in all, it was really good. Seriously.
I know it is a bit odd to post restaurant reviews on this RE-centric blog, but ... err ... I'll do it anyhow.
So I am currently on my vacation (yay) in southwestern france -- close to Seignosse/Hossegor. On my search for wifi, I ran into a place called "Le Surfing", which is a small ... well ... surf-bar (?) at the beach "Les Estagnots".
The place is definitely pretty damn relaxed -- it seems that a bunch of folks that want to be at the beach decided the easiest way to finance it is through this bar. When I first walked in, I was greeted with "hey, there's a customer, we need someone behind the bar".
So tonight I decided to eat here. After trying to order the Thai-style beef salad, the waitress convinced me that it's saturday, and on saturdays they have sushi, and I absolutely have to eat their sushi. So I ordered their sushi.
And I didn't regret it. It's rather unorthodox -- e.g. it features rice, raw fish, nori, wasabi, and soy sauce, but I wouldn't describe it as traditional sushi. Not that this is bad: I had a stellar roll that consisted of crab meat, a mild goat cream cheese, cucumer, and bell pepper. There was some tuna, fresh crevettes, an onion-heavy-salad, and various other things.
All in all, it was really good. Seriously.
Thursday, August 20, 2009
Open position :-)
Hey all,
we have an open full-time position in our office in Bochum, Germany -- in essence, a vuln-dev-using-BinDiff-and-BinNavi-position.
What are the tasks in this job ?
What we can offer:
we have an open full-time position in our office in Bochum, Germany -- in essence, a vuln-dev-using-BinDiff-and-BinNavi-position.
What are the tasks in this job ?
- Use BinNavi and BinDiff to find bugs in software & write exploits
- Test BinNavi/BinDiff features. Test them some more.
- Provide feedback to the developers about the tools
- Write up your results
- (Potentially) train clients in the use of the tools
What we can offer:
- A no-bullshit environment
- Small team, good mood in the office :-)
- Direct influence over the development of the tools
- Probably more than that, but it is late and I am tired
Friday, July 24, 2009
Klartext please !
Hey all,
I won't comment too much here right now (I am kinda busy with work), but imaginably in relation to my last blog post:
http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
Now my favourite quote from http://blogs.technet.com/msrc/ :
"While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications."
I would be tempted to say that "if you can't say anything useful, say nothing at all", but I am often guilty of writing useless things, so I won't.
The above formulation inspired me though:
There is a German expression called "Klartext reden" (literally translated 'to speak clear text'). If you know a german, grab him, and ask him to explain the meaning of the word to you. I wish there was more of this around.
So my 2 cents of speculation:
I won't comment too much here right now (I am kinda busy with work), but imaginably in relation to my last blog post:
http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
Now my favourite quote from http://blogs.technet.com/msrc/ :
"While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications."
I would be tempted to say that "if you can't say anything useful, say nothing at all", but I am often guilty of writing useless things, so I won't.
The above formulation inspired me though:
- "While I have no clue what this out-of-band patch is all about, it will address an issue that has to do with a programming mistake."
- "While going into the specifics would be dangerous to the safety of the world, the issue that will be addressed is an issue that can affect computers."
There is a German expression called "Klartext reden" (literally translated 'to speak clear text'). If you know a german, grab him, and ask him to explain the meaning of the word to you. I wish there was more of this around.
So my 2 cents of speculation:
- MS will patch a bunch of libraries (the ATL ?) in Visual Studio
- A "certain type" of application is affected and will need recompiling. The msvidctl thingie was an ActiveX component. Anybody wants to add 2 and 2 together ?
Thursday, July 09, 2009
Poking around MSVIDCTL.DLL
Hey all,
I have to admit that I did not follow the msvidctl.dll situation all that closely, except for my short tweet that this bug was apparently reported more than a year ago. Yesterday, my old friend Dennis Elser piqued my interest: He had isolated the bug down to a function called ATL::CComVariant::ReadFromStream. He had determined that the function in question made a rather strange mistake: Instead of passing a pointer to a data buffer to IStream::Read, it took the address of a (small) local variable, and passes this address as output buffer to IStream::Read, along with a length read from the stream previously.
Somebody clearly got confused.
So Dennis and me sat down tonight and did a bit of digging around and tried to clarify what was going on. So we dug in a bit deeper, and ended up with the following understanding of the situation:
Everybody loves bugs in libraries. Few things fill my heart with quite as much amusement as bugs in heavily-used, statically-linked libraries. OpenSSL (and libeay) was good for many laughs in the past, zlib was a favourite for a long time, too.
So what we have here is a bug in a component that is used fairly widely, and that has the property of being statically linked (yay templates !).
Now, a quick search of my harddisk turned out that a lot of third-party components (flash) contain the same function -- but in old and non-vulnerable versions (for an extra dash of irony, the function used to be safe before all this SafeArray-stuff was added). Only a small fraction of the files that use the ATL and contain this function appear to contain it in a vulnerable version.
We ended up building a really naive / stupid / false-negative-and-false-positive-prone regexp to scan for the vulnerable basic block. This is of course going to fail if anyone has tweaked their optimization settings etc., but it would still be interesting to find out how many files contain this "trivial" byte string.
So I searched my windows directory for the following regexp pattern:
pattern = "\x8B\x07\x6A\x00\xFF\x75\x2E\x8D\x4D\x2E\x51\x57\xFF\x50\x0C\x53"
r = re.compile( pattern, re.DOTALL )
There were a few files in which this pattern was found (XP):
Found pattern in file c:\Windows\system32\ieframe.dll
Found pattern in file c:\Windows\system32\mstscax.dll
Found pattern in file c:\Windows\system32\msvidctl.dll
Found pattern in file c:\Windows\system32\wmp.dll
Found pattern in file c:\Windows\system32\wmpdxm.dll
Dennis searched for the same pattern on his disk (Vista) and found:
c:\windows\system32\cic.dll
c:\windows\system32\comsnap.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\mstscax.dll
c:\windows\system32\MSVidCtl.dll
c:\windows\system32\puiobj.dll
c:\windows\system32\rdpencom.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wiaaut.dll
c:\windows\system32\wmp.dll
c:\windows\system32\wmpdxm.dll
Why the difference ? Well, amusingly, shdocvw.dll on my XP machine doesn't have this SafeArray-stuff in it yet -- it is probably compiled using an older, not vulnerable variant of the ATL -- wheras Dennis variant of the same DLL is much newer, compiled with the 'broken' variant of the ATL.
So, where does this leave us ?
Anyhow, I really need to get to sleep -- I have a train to catch in a bit more than 4 hours.
A lot of credit for this post has to go to Dennis Elser -- he did most of the hard work before we sat down.
I have to admit that I did not follow the msvidctl.dll situation all that closely, except for my short tweet that this bug was apparently reported more than a year ago. Yesterday, my old friend Dennis Elser piqued my interest: He had isolated the bug down to a function called ATL::CComVariant::ReadFromStream. He had determined that the function in question made a rather strange mistake: Instead of passing a pointer to a data buffer to IStream::Read, it took the address of a (small) local variable, and passes this address as output buffer to IStream::Read, along with a length read from the stream previously.
Somebody clearly got confused.
So Dennis and me sat down tonight and did a bit of digging around and tried to clarify what was going on. So we dug in a bit deeper, and ended up with the following understanding of the situation:
- If the stuff that is supposed to be deserialized does not contain the proper value in the first 2 bytes, 8 more bytes are read, and SafeArrayCreate is used to create a new array with a 4-byte size obtained from these bytes.
- A pointer to the allocated memory is obtained by ways of calling SafeArrayAccessData. This function places a pointer to the memory in question into a memory cell pointed to by it's second argument.
- Instead of passing the CONTENTS of the memory cell pointed to by the second argument to IStream::Read, the code in question passes the address of this variable in. This happens to be the re-used memory for the first argument of ReadFromStream, hence it is on the stack. Memory corruption hilarity ensues.
Everybody loves bugs in libraries. Few things fill my heart with quite as much amusement as bugs in heavily-used, statically-linked libraries. OpenSSL (and libeay) was good for many laughs in the past, zlib was a favourite for a long time, too.
So what we have here is a bug in a component that is used fairly widely, and that has the property of being statically linked (yay templates !).
Now, a quick search of my harddisk turned out that a lot of third-party components (flash) contain the same function -- but in old and non-vulnerable versions (for an extra dash of irony, the function used to be safe before all this SafeArray-stuff was added). Only a small fraction of the files that use the ATL and contain this function appear to contain it in a vulnerable version.
We ended up building a really naive / stupid / false-negative-and-false-positive-prone regexp to scan for the vulnerable basic block. This is of course going to fail if anyone has tweaked their optimization settings etc., but it would still be interesting to find out how many files contain this "trivial" byte string.
So I searched my windows directory for the following regexp pattern:
pattern = "\x8B\x07\x6A\x00\xFF\x75\x2E\x8D\x4D\x2E\x51\x57\xFF\x50\x0C\x53"
r = re.compile( pattern, re.DOTALL )
There were a few files in which this pattern was found (XP):
Found pattern in file c:\Windows\system32\ieframe.dll
Found pattern in file c:\Windows\system32\mstscax.dll
Found pattern in file c:\Windows\system32\msvidctl.dll
Found pattern in file c:\Windows\system32\wmp.dll
Found pattern in file c:\Windows\system32\wmpdxm.dll
Dennis searched for the same pattern on his disk (Vista) and found:
c:\windows\system32\cic.dll
c:\windows\system32\comsnap.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\mstscax.dll
c:\windows\system32\MSVidCtl.dll
c:\windows\system32\puiobj.dll
c:\windows\system32\rdpencom.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\wiaaut.dll
c:\windows\system32\wmp.dll
c:\windows\system32\wmpdxm.dll
Why the difference ? Well, amusingly, shdocvw.dll on my XP machine doesn't have this SafeArray-stuff in it yet -- it is probably compiled using an older, not vulnerable variant of the ATL -- wheras Dennis variant of the same DLL is much newer, compiled with the 'broken' variant of the ATL.
So, where does this leave us ?
- The bug is actually much "deeper" than most people realize.
- The killbit-fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.
- The bug might have weaseled it's way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions.
- If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products.
- Depending on the optimization settings applied to the executables, it might require a bit of an effort to find out whether a vulnerable or non-vulnerable version of the code is present.
- There might be a lot of recompiling next week.
- IF this has gotten into third-party-products, I would bet that only a tiny fraction of software vendors will push out proper/timely updates.
Anyhow, I really need to get to sleep -- I have a train to catch in a bit more than 4 hours.
A lot of credit for this post has to go to Dennis Elser -- he did most of the hard work before we sat down.
Monday, July 06, 2009
Las Vegas / Blackhat / DefCon
Hey all,
the annual Blackhat / DefCon thing is coming up again, and I just wanted to announce here that I will be in Las Vegas from the 24th of July to the 2nd of August. I will be busy teaching classes until the 28th of July, but thereafter I am mostly free (e.g. roaming the conference). If you wish to schedule a demo for any of our products (BinDiff, BinNavi, VxClass) or just generally have a chat about all things related to reverse engineering, vulnerability analysis, malware classification, deobfuscation, math or business, do not hesitate to contact me beforehand :-)
Cheers,
Halvar
the annual Blackhat / DefCon thing is coming up again, and I just wanted to announce here that I will be in Las Vegas from the 24th of July to the 2nd of August. I will be busy teaching classes until the 28th of July, but thereafter I am mostly free (e.g. roaming the conference). If you wish to schedule a demo for any of our products (BinDiff, BinNavi, VxClass) or just generally have a chat about all things related to reverse engineering, vulnerability analysis, malware classification, deobfuscation, math or business, do not hesitate to contact me beforehand :-)
Cheers,
Halvar
Wednesday, July 01, 2009
Strange Cellphone Behavior
Hey all,
I know this blog post is a bit weird, but I reckon I'd share this: For some reason that is quite unknown to me, my cellphones have a habit of developing strange behaviors. I used to use a Nokia N73, which developed the following habit:
When in foreign time zones (Japan, Norway, USA) the phone would send more-or-less random old text messages to more-or-less random people from my address book. There would be a merry mix & match between the two, leading to more than one amusing misunderstanding that needed clearing up.
Then, at some point last fall, I switched to the silly shiny Apple telephony device (perhaps people do better QA on their backdoors on that platform). For a few months, the problems went away.
This changed last week -- now, when I send text messages to certain numbers, the phone seems to send a more-or-less random old text messages that has already been sent to the same number along with the message. This is a bit nicer (as it will not mix & match), but still annoying.
So .. uhm ... I am trying to come up with plausible explanations for this behavior. Can anyone offer one ? My total-guess-in-the-dark ideas would be:
I know this blog post is a bit weird, but I reckon I'd share this: For some reason that is quite unknown to me, my cellphones have a habit of developing strange behaviors. I used to use a Nokia N73, which developed the following habit:
When in foreign time zones (Japan, Norway, USA) the phone would send more-or-less random old text messages to more-or-less random people from my address book. There would be a merry mix & match between the two, leading to more than one amusing misunderstanding that needed clearing up.
Then, at some point last fall, I switched to the silly shiny Apple telephony device (perhaps people do better QA on their backdoors on that platform). For a few months, the problems went away.
This changed last week -- now, when I send text messages to certain numbers, the phone seems to send a more-or-less random old text messages that has already been sent to the same number along with the message. This is a bit nicer (as it will not mix & match), but still annoying.
So .. uhm ... I am trying to come up with plausible explanations for this behavior. Can anyone offer one ? My total-guess-in-the-dark ideas would be:
- Current behavior is caused by international text message routing weirdness -- e.g. text messages I sent a few days ago in the US get duplicated for some reason and re-sent
- Both current and N73 behavior is triggered by shoddy QA on lawful intercept systems
- Both current and N73 behavior is triggered by shoddy QA on the side of the parties that backdoor my phones
- If you backdoor my phone, fix your software. Kthx.
- If you write LI software, fix your software. Kthx.
- If there are multiple people backdooring my phone, please test for interoperability between your tools.
Monday, March 09, 2009
Reverse Engineering / Bug hunting trainings in Amsterdam
Hey all,
I haven't given a reverse engineering trainings class in Amsterdam for a few years, but this year is different :-) -- I will be at BH Amsterdam, and there are still seats open in the trainings class for April 14th and 15th.
What will be done in the course ? Well, for one thing, we'll go bug-hunting in some interesting piece of code. Furthermore, we'll talk quite a bit about C++ and it's effects in the binary. We'll do a fair bit of differential debugging, some more bug-hunting, and a lot of IDA automation. Questions like
So, if you still have some trainings/travel budget left in spite of the crisis, you can find more
details here.
I haven't given a reverse engineering trainings class in Amsterdam for a few years, but this year is different :-) -- I will be at BH Amsterdam, and there are still seats open in the trainings class for April 14th and 15th.
What will be done in the course ? Well, for one thing, we'll go bug-hunting in some interesting piece of code. Furthermore, we'll talk quite a bit about C++ and it's effects in the binary. We'll do a fair bit of differential debugging, some more bug-hunting, and a lot of IDA automation. Questions like
- given a C++ executable, how do I recover an inheritance diagram of the classes ?
- given a big and ugly executable, how do I find the interesting places to focus on ?
- how do I make sure IDAPython and NaviPython make my life easier ?
So, if you still have some trainings/travel budget left in spite of the crisis, you can find more
details here.
Wednesday, March 04, 2009
Diffing x86 vs ARM code
I posted a while ago about the new DiffDeluxe comparison engine, and that we'd release it in Q1 2009. Well, we're almost there, the engine is now in beta. If you are a BinDiff user and wish to give the new engine a try, send mail to info@zynamics.com :-)
I mentioned in my last post on the topic that DiffDeluxe was designed to facilitate symbol porting, and to allow comparisons between executables that are "far away" from each other.
In the last post I wrote about Mozilla JS engine vs. Acrobat EScript.dll. Today I am going to try something slightly crazier: In order to evaluate how well these matching algorithms work, we will be diffing an executable that was compiled for ARM against a very similar executable compiled for x86.
My coworker Vincenzo is a big fan of all things OSX, and he brought up the idea of comparing x86 and ARM versions of the OSX dynamic loader -- namely the disassembly of dyld on the iphone against the disassembly of dyld on OSX.
Now, the first voices are going to yell: "You have names for all functions, BinDiffing is easy then!". Well, true, but we will run DiffDeluxe without taking the names into account, and then just using the names to validate the results.
The two executables have 704 (x86) and 618 (ARM) functions respectively. Without name
matching, we match 345 functions. Inspecting the symbols, we see that we have matched
160 of these functions in full accordance with the symbols. Let's have a look at some of the details:
It is almost surprising how far one can get without actually looking at the instruction semantics.
If we take the names into account, matching functions becomes easy, but matching basic blocks properly ends up the difficulty. With name matching enabled, DiffDeluxe matches 3809 basic blocks, out of 7904 respective 5196.
So to summarize: The structural comparison is sufficiently strong to yield some useful results even accross two different CPUs. While there is still (a good amount) of room for improvement, I am quite happy with these results so far :-)
So, if you want to beta, and you already use BinDiff, drop us a line !
I mentioned in my last post on the topic that DiffDeluxe was designed to facilitate symbol porting, and to allow comparisons between executables that are "far away" from each other.
In the last post I wrote about Mozilla JS engine vs. Acrobat EScript.dll. Today I am going to try something slightly crazier: In order to evaluate how well these matching algorithms work, we will be diffing an executable that was compiled for ARM against a very similar executable compiled for x86.
My coworker Vincenzo is a big fan of all things OSX, and he brought up the idea of comparing x86 and ARM versions of the OSX dynamic loader -- namely the disassembly of dyld on the iphone against the disassembly of dyld on OSX.
Now, the first voices are going to yell: "You have names for all functions, BinDiffing is easy then!". Well, true, but we will run DiffDeluxe without taking the names into account, and then just using the names to validate the results.
The two executables have 704 (x86) and 618 (ARM) functions respectively. Without name
matching, we match 345 functions. Inspecting the symbols, we see that we have matched
160 of these functions in full accordance with the symbols. Let's have a look at some of the details:
Cute, eh ? Let's look at some more...
It is almost surprising how far one can get without actually looking at the instruction semantics.If we take the names into account, matching functions becomes easy, but matching basic blocks properly ends up the difficulty. With name matching enabled, DiffDeluxe matches 3809 basic blocks, out of 7904 respective 5196.
So to summarize: The structural comparison is sufficiently strong to yield some useful results even accross two different CPUs. While there is still (a good amount) of room for improvement, I am quite happy with these results so far :-)
So, if you want to beta, and you already use BinDiff, drop us a line !
Thursday, February 05, 2009
Washington DC, Trainings, Demos :-)
Hey all,
I will be in Washington DC from the 16th to the 20th of February. Amongst other things, I will be teaching a course at Blackhat DC. The economic crisis is clearly hitting -- e.g. there are still seats available. We will also get around to using some of the nice features of BinNavi v2 in class, which I am looking forwards to.
Now, aside from the course: If you are in the DC area and interested in a product demo for BinDiff (and the upcoming DiffDeluxe), BinNavi v2 (including REIL), or the latest VxClass (now available as service and virtual appliance), do not hesitate to drop a line to info@zynamics.com :-)
I will be in Washington DC from the 16th to the 20th of February. Amongst other things, I will be teaching a course at Blackhat DC. The economic crisis is clearly hitting -- e.g. there are still seats available. We will also get around to using some of the nice features of BinNavi v2 in class, which I am looking forwards to.
Now, aside from the course: If you are in the DC area and interested in a product demo for BinDiff (and the upcoming DiffDeluxe), BinNavi v2 (including REIL), or the latest VxClass (now available as service and virtual appliance), do not hesitate to drop a line to info@zynamics.com :-)
Monday, January 05, 2009
Correction: Clam *does* have some unpacking support
Correction of my last post: It appears that Clam has *some* unpacking support. It is not as comprehensive as some of us would like, but progress is being made :-)
Sunday, January 04, 2009
ClamAV and unpackers
Hey all,
this might be a rather odd question, but given the (unfortunate) fact that ClamAV can't unpack
even the simplest packers, has nobody ever contemplated writing packer-specific unpackers
for ClamAV ?
Cheers,
Halvar
this might be a rather odd question, but given the (unfortunate) fact that ClamAV can't unpack
even the simplest packers, has nobody ever contemplated writing packer-specific unpackers
for ClamAV ?
Cheers,
Halvar
Friday, December 26, 2008
TAOSSA blog post I didn't see but will comment on :-)
http://taossa.com/index.php/2008/10/13/bugs-vs-flaws/#more-83
I didn't see this post beforehand, and I would like to comment on it (mainly because commenting on his blog post might be the easiest way of getting into a conversation with Mr. McDonald these days ;), but I don't have time right now. Will fix this later this week hopefully.
I didn't see this post beforehand, and I would like to comment on it (mainly because commenting on his blog post might be the easiest way of getting into a conversation with Mr. McDonald these days ;), but I don't have time right now. Will fix this later this week hopefully.
Sometimes, diffing can remove obfuscation (albeit rarely)
Hey all,
apologies for the sensationalist title, but I found another amusing example today where the same function was present in two different executables -- in two differently obfuscated forms. Amusingly, DiffDeluxe identified the "common components" between these two functions, effectively removing a lot of the obfuscation.
While this is clearly not a typical case, it nonetheless made me smile.
Merry Christmas everyone !
apologies for the sensationalist title, but I found another amusing example today where the same function was present in two different executables -- in two differently obfuscated forms. Amusingly, DiffDeluxe identified the "common components" between these two functions, effectively removing a lot of the obfuscation.
While this is clearly not a typical case, it nonetheless made me smile.
Merry Christmas everyone !
Saturday, November 15, 2008
A good protocol attack ...
... is like a good joke. This one, while requiring special circumstances to succeed with high probability, was responsible for a lot of laughter on my side.
Tuesday, November 11, 2008
BinDiff / BinNavi User Forum
Hey all,
we have re-activated the BinDiff / BinNavi User Forum under
https://zynamics.fogbugz.com/default.asp?BinNavi
https://zynamics.fogbugz.com/default.asp?BinDiff
There is not a whole lot there at the moment, but that should change soon :)
we have re-activated the BinDiff / BinNavi User Forum under
https://zynamics.fogbugz.com/default.asp?BinNavi
https://zynamics.fogbugz.com/default.asp?BinDiff
There is not a whole lot there at the moment, but that should change soon :)
Malicious Office/PDFs
Hey all,
for some research that I'm doing, I'm looking for a collection of malicious Office/PDF documents. If anyone has such documents (e.g. because he was targeted in an attack, or because he found one somewhere), I'd much appreciate submissions ! :)
for some research that I'm doing, I'm looking for a collection of malicious Office/PDF documents. If anyone has such documents (e.g. because he was targeted in an attack, or because he found one somewhere), I'd much appreciate submissions ! :)
Monday, November 10, 2008
BinNavi v2 and PHP !
Hey all,
we have written about the SQL storage format for BinNavi quite a few times on this blog, and how we'd like to encourage third parties to use it. I am quite happy to say that Stefan Esser of
SektionEins GmbH has built code to export PHP byte code into the database format. The (cute) results can be seen under
http://www.suspekt.org/2008/11/05/php-bytecode-in-binnavi-20/
we have written about the SQL storage format for BinNavi quite a few times on this blog, and how we'd like to encourage third parties to use it. I am quite happy to say that Stefan Esser of
SektionEins GmbH has built code to export PHP byte code into the database format. The (cute) results can be seen under
http://www.suspekt.org/2008/11/05/php-bytecode-in-binnavi-20/
Saturday, November 08, 2008
German ways of expressing optimism
One of my favourite things when travelling and interacting people from other cultures is observing differences in conversational conventions -- and (most importantly) different forms and perceptions of "conversational humor". Aside from comedic protocol screw-ups (e.g. literally translating an essentially untranslateable expression to another language, earning -- at best -- puzzled looks and -- at worst -- thoroughly offending the conversation partner), it often provides interesting insights into one's own culture and habits.
This weeks special: German forms of expressing optimism.
There are many expressions in German that are horribly difficult to translate.
One of my favourites that could cause confusion is the German custom of wishing people luck by wishing them "Hals- und Beinbruch!" (literally: 'broken neck and broken leg') or 'Kopf- und Bauchschuss' (literally: 'shot in the head and stomach') or (for sailors) 'Mast- und Schotbruch' (literally: 'broken mast and ripped sail') upon parting.
A common reply for this would be "wird schon schiefgehen" (literally: 'I have no doubt it's going to go badly'). Counterintuitively, the semantics of this is optimistic -- e.g. whoever says that things are going to turn out badly indicates by this that he is not worried, and that he actually expects that things will be fine.
In essence, one expresses optimism by claiming that an improbably horrible outcome is a near-certainty.
Even though I try hard to not have an all-too-obvious German accent any more, I do catch myself all the time in using the above pattern, even though it does not translate. I (deservedly) earned puzzled looks today by clumsily attempting to use the following German saying to indicate my optimism about the future:
"Lächle und sei froh, sagten sie mir, denn es könnte schlimmer kommen. Und ich lächelte und war froh, und es kam schlimmer."
This has a certain elegance in German, which is totally lost in my clumsy translation:
"Smile and be happy, they told me, because things could be a lot worse. So I smiled and was happy, and things got a lot worse."
Aside from the clumsiness of the expression when translated, the semantics (e.g. the intention to express optimism) was thoroughly lost -- the effect was a thoroughly puzzled and slightly worried look by my conversation partner. I think it is situations like these where Germans earn their bad reputation for being thoroughly unfunny.
Other things that are good for causing confusion between a native English speaker who interacts with someone from the German-speaking world are differences when it comes to acceptable replies to the question "How are you ?". The usual form of this in German is "Wie gehts ?", essentially "How is it going ?". In the English speaking world, acceptable replies seem to be restricted to "good", "good good", or "great".
Proper replies to the question "How is it going" over here would be:
"Muss." -- literal translation: 'it has to somehow'
"Naja, ganz ok." -- 'well... ok ...'
"Könnte schlechter/besser gehen" -- 'could be worse/better'
"Bergauf" or "Bergab" -- uphill / downhill
If the other party feels inclined to have a longer chat, they could reply with
"Yesterday, we stood on a cliff. Today we have advanced by a significant step."
or "Katastrophe". This is usually followed with a short anecdote or complaint about something work-related. From a social perspective, this does wonders as an ice-breaker.
Whenever I catch myself in such a situation, I realize that no matter how much one travels, and no matter how much time one spends in a different cultural climate, certain components of the social interaction are nigh-impossible to change.
Anyhow, time to go to sleep.
This weeks special: German forms of expressing optimism.
There are many expressions in German that are horribly difficult to translate.
One of my favourites that could cause confusion is the German custom of wishing people luck by wishing them "Hals- und Beinbruch!" (literally: 'broken neck and broken leg') or 'Kopf- und Bauchschuss' (literally: 'shot in the head and stomach') or (for sailors) 'Mast- und Schotbruch' (literally: 'broken mast and ripped sail') upon parting.
A common reply for this would be "wird schon schiefgehen" (literally: 'I have no doubt it's going to go badly'). Counterintuitively, the semantics of this is optimistic -- e.g. whoever says that things are going to turn out badly indicates by this that he is not worried, and that he actually expects that things will be fine.
In essence, one expresses optimism by claiming that an improbably horrible outcome is a near-certainty.
Even though I try hard to not have an all-too-obvious German accent any more, I do catch myself all the time in using the above pattern, even though it does not translate. I (deservedly) earned puzzled looks today by clumsily attempting to use the following German saying to indicate my optimism about the future:
"Lächle und sei froh, sagten sie mir, denn es könnte schlimmer kommen. Und ich lächelte und war froh, und es kam schlimmer."
This has a certain elegance in German, which is totally lost in my clumsy translation:
"Smile and be happy, they told me, because things could be a lot worse. So I smiled and was happy, and things got a lot worse."
Aside from the clumsiness of the expression when translated, the semantics (e.g. the intention to express optimism) was thoroughly lost -- the effect was a thoroughly puzzled and slightly worried look by my conversation partner. I think it is situations like these where Germans earn their bad reputation for being thoroughly unfunny.
Other things that are good for causing confusion between a native English speaker who interacts with someone from the German-speaking world are differences when it comes to acceptable replies to the question "How are you ?". The usual form of this in German is "Wie gehts ?", essentially "How is it going ?". In the English speaking world, acceptable replies seem to be restricted to "good", "good good", or "great".
Proper replies to the question "How is it going" over here would be:
"Muss." -- literal translation: 'it has to somehow'
"Naja, ganz ok." -- 'well... ok ...'
"Könnte schlechter/besser gehen" -- 'could be worse/better'
"Bergauf" or "Bergab" -- uphill / downhill
If the other party feels inclined to have a longer chat, they could reply with
"Yesterday, we stood on a cliff. Today we have advanced by a significant step."
or "Katastrophe". This is usually followed with a short anecdote or complaint about something work-related. From a social perspective, this does wonders as an ice-breaker.
Whenever I catch myself in such a situation, I realize that no matter how much one travels, and no matter how much time one spends in a different cultural climate, certain components of the social interaction are nigh-impossible to change.
Anyhow, time to go to sleep.
Subscribe to:
Posts (Atom)