Damon Moguls
I uploaded the Damon Moguls video mentioned by rnast to YouTube.
Well it’s that time of year again. It was only a year ago earlier this month that I summited that large volcano a mere 60 miles away from Seattle known as Mt. Rainier. It was a great experience, but I didn’t really have any plans to do it over again…until rnast and I agreed to climb the mountain, he for the first time and myself for the second so I could hopefully have a clear view from the summit.
Ryan flew into Seattle on Saturday and after the 30-minute turbo-tour of Seattle’s hotspots, we grabbed some grub, caught up and called it early. We went shopping for gear and supplies on Sunday, then drove down to Ashford, WA to begin our trek.
The 3-day summit climb begins with a day of climbing school where you load up a limited amount of gear into your pack and hike up to approximately 7,000ft and learn basic climbing skills, crampon usage, pressure breathing, team-arrest and self-arrest techniques in the event of a fall. The day is pretty relaxed and not too strenuous. You get to meet your guides as well as some of the people that you’ll be roping up with on the upper mountain. That day starts around 9am and ends in the late afternoon, which means you get to relax and grab a beer before you gear up for the big climb.
The next day starts around 9am again, but this time you have a backpack full of 40lbs of gear and food on your back. You hike from Paradise (5,000ft) up to Camp Muir (10,000ft) in about five hours. The hike consists of about 2 hours hiking on pavement and dirt paths that are generally consumed by tourists on the weekends. Following that is a good 3 hours on the Muir Snowfield where you think that little shack at the top of the hill is never going to get any closer. But after many steps and thoughts of “why am I hauling this huge pack up this mountain on my back”, you reach it…and you’re very happy to relieve the weight off your back.
After a brief rest, you start unpacking your bag and bringing most stuff inside the bunkhouse. Then organizing your pack for the upper mountain, dinner, and a talk by the guides to prepare for what’s next. This is the point where your mind starts racing and your heart starts beating a little faster. You’re at Camp Muir - the climb up was pretty taxing…and you know that in a mere 5 hours, you’ll be waking up and heading for the top. So you roll out your sleeping bag. Crawl in. And try to sleep. But it’s five-o-clock in the evening. And when you’ve just eaten, at least for me, my metabolism jumps through the roof. So you turn. And you toss. And you try to think of different ways to fall asleep. You close your eyes. You open them. You stare at the wall. But nothing works. Until finally…finally you doze off. Only to be woken up what seems to be five minutes after you fell asleep by the guides turning on the lights and saying it’s time to get ready!
At this point, it’s about 11:30pm. You wake up, make yourself some oatmeal and slap on your base layer, climbing pants, fleece, avalanche beacon, and helmet. You stumble out into the darkness along with about 15 other people and get your pack ready. Soon enough, you find yourself roped up to 3 other people and heading out across a glacier toward what’s known as Cathedral Gap.
That’s the view you have in the daytime, but at night it’s just you, your head lamp, and a rope strung out in front of you. Except for this climb where we had a nearly-full moon and barely even needed our headlamps. The next 6 hours are more or less a blur of repetitive, focused steps up the mountain. The guides say it takes approximately 80,000 steps to make it up Rainier…and when you’re sidestepping up a plateau of snow not much wider than your own boots at 1am…you quickly believe that it’s true.
I like to say about my summit climb this time that it was more difficult than I remember, but somehow easier. Part of that is the route difference. As opposed to climbing Disappointment Cleaver, we had to skirt around the bottom of that and then climb up via the Emmons Glacier. This is due to the crevasses that have opened up (as is typical late in the season) at the top of the cleaver. Although the Emmons portion was difficult in its own right, I have no disappointment about not having to climb for an hour over rock with crampons on. Descending via Emmons was also much easier than climbing back down the cleaver. I think what also helped is that I was much better prepared this time in terms of knowing what to expect.
Nevertheless, after hours of climbing I reached the summit successfully for the second time.
I was pretty excited - it was an amazingly beautiful day to summit. The guides said it had to be one of the top 4 days of the season. What do you think?
Perhaps I’ll post more eventually, but for now - here’s me at the top of Mt. Rainier on a beautiful day. Feel free to check out the rest of the Flickr photos of my Rainier Summit.
OK, so perhaps the title is a little misleading, but here’s an interesting exercise in taking a look at issues that have been patched within the .NET framework. There’s a great tool out there by Lutz Roeder called .NET Reflector. Reflector allows you to generate source code (C#, C++, ILAsm, heck even PowerShell) from .NET assemblies. This will be our primary tool for this task.
There was an advisory last month regarding some critical vulnerabilities in the .NET Framework (MS07-040). There was one issue in particular that was quite interesting:
An information disclosure vulnerability exists in .NET Framework that could allow an attacker who successfully exploited this vulnerability to bypass the security features of an ASP.NET Web site to download the contents of any Web page.
That sounds pretty interesting, but I had yet to see many details beyond that and I was somewhat curious as to where in the code this seemingly simple issue lay. So let’s dig in.
I made a copy of my Framework in C:\WINDOWS\Microsoft.NET\Framework and then installed the relevant patch. Assuming that the issue was in System.Web.dll, I opened each version of that dll in Reflector and exported the source code. Although Reflector does include an assembly diff utility, I wasn’t able to open the two dll’s at the same time as they have the same assembly version. So I had to manually diff the source files until I came on something…”interesting”.
internal static void CheckSuspiciousPhysicalPath(string physicalPath)
{
    // Reject any non-empty path that is not already in the form GetFullPath produces.
    if (((physicalPath != null) && (physicalPath.Length > 0)) && (Path.GetFullPath(physicalPath) != physicalPath))
    {
        // 0x194 == 404 (Not Found)
        throw new HttpException(0x194, "");
    }
}
This CheckSuspiciousPhysicalPath method didn’t exist in the previous revision of System.Web.dll and seems to be an attempt to address the issue mentioned in MS07-040. Note that it compares the original physicalPath with the result of Path.GetFullPath(physicalPath) and throws an HttpException with status 0x194 (404) if the two differ. GetFullPath itself will throw an exception if the path contains any invalid characters.
So now we have at least one potential place where an additional check for nulls is being performed. What’s left is to see if there are other locations and at the same time drop a breakpoint on this piece of code and see if we can trigger it.
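To see what the comparison above accepts and rejects, here is a small console program added as an illustration (it is not code from System.Web.dll or from the original post). The helper name IsCanonicalPhysicalPath, the sample paths, and the choice to catch GetFullPath's exceptions rather than let them propagate are all assumptions made for the demo; Windows path semantics are assumed.

```csharp
using System;
using System.IO;

static class CanonicalPathDemo
{
    // Hypothetical helper: same comparison as CheckSuspiciousPhysicalPath, but it
    // returns a result and a reason instead of throwing HttpException(0x194).
    static bool IsCanonicalPhysicalPath(string physicalPath, out string reason)
    {
        reason = "unchanged by GetFullPath";
        if (string.IsNullOrEmpty(physicalPath))
            return true; // the patched method also skips null or empty input

        string full;
        try
        {
            full = Path.GetFullPath(physicalPath);
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException)
        {
            // In the patched method this exception would simply propagate.
            reason = "GetFullPath threw " + ex.GetType().Name;
            return false;
        }

        if (!string.Equals(full, physicalPath, StringComparison.Ordinal))
        {
            reason = "normalizes to " + full;
            return false;
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample paths, not taken from the advisory.
        string[] samples =
        {
            @"C:\inetpub\wwwroot\app\default.aspx",          // already canonical
            @"C:\inetpub\wwwroot\app\..\web.config",         // relative segment
            "C:/inetpub/wwwroot/app/default.aspx",           // alternate separators
            "C:\\inetpub\\wwwroot\\app\\default.aspx\0.txt", // invalid character
        };

        foreach (string p in samples)
        {
            string reason;
            bool ok = IsCanonicalPhysicalPath(p, out reason);
            Console.WriteLine("{0,-6} {1} ({2})", ok ? "accept" : "reject", p.Replace("\0", "\\0"), reason);
        }
    }
}
```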
It was earlier this year that I became a PCI Qualified Security Assessor. For those not familiar with the Payment Card Industry, this basically means that I am now certified to validate an organization’s compliance with the PCI DSS standards, a set of standards enforced by the PCI Security Standards Council to attempt to prevent credit card data theft such as the incident at TJX earlier this year, which has ultimately cost them $118 million. My experience in a broad set of security technologies as well as several years spent auditing various financial institutions left me well-positioned to achieve this certification. Nevertheless, I am always on the lookout for useful references I can continue to rely on.
I came across a good page on Oracle’s site today about Oracle Database Security and the Payment Card Industry Data Security Standard (PCI-DSS). It’s basically a big chart that describes how various facets of Oracle Database Technology can be utilized to meet the different PCI requirements. Quite useful when analyzing an environment with an Oracle backend. I’ll have to look around and see if other vendors have similar references. Then…I’ll have to automate it. *grin*
On a related note, I’m also maintaining a custom Google search for PCI information that I am expanding on a regular basis. Feel free to give it a shot:
I stumbled across an odd little easter egg in the most recent beta build (5060) of Parallels. If you want to check the version number and go to About Parallels Desktop, a quote from Through the Looking Glass starts playing via the voice synthesizer. Kind of freaked me out when I had my headphones cranked up, but no music turned on yet. I posted it to the Parallels forum to see if anybody else noticed it.
As August continues to move on, I must shift gears. It’s been a busy one so far. I spent 10 days in Vegas, which felt like a month. I didn’t even remember what it was like to live in my own house when I returned home. BlackHat and DefCon were great, though. Met up with lots of great people both old and new and have subsequently burned all the pictures I took while down there.
On my return to Seattle, I recovered for a few days only to welcome my parents into town. I had a great time with them doing all sorts of touristy stuff. We had dinner the first night at Ivar’s Salmon House. Apparently, my father’s charm was in full swing that night as the hostess seated us at a table with a perfect view of Lake Union and downtown Seattle. We all enjoyed an excellent salmon dinner, which my mother claimed was the best she had ever had. A couple nights later, we decided to take a walk down to Gasworks after dinner and stumbled upon some lavish event that was in progress. It was totally unexpected, but pretty crazy to see 10 tour ducks roll into Gasworks and unload 300 people. We also checked out the Japanese Gardens, the sculpture park, the Space Needle (of course), Pike Place Market (of course), The Underground Tour, and a driving tour of Fremont, Wallingford, Greenlake, Cap Hill, Ballard, and downtown. Finally, on their last night we wandered around trying to decide what to have for dinner. We finally agreed that I would make a nice pork chop dinner on my back porch. My mother’s camera has the pictures, but it turned out to be a great dinner with great food, great wine, and great company. A fitting end to a great few days.
The other highlight of the weekend was the Arthur Murray Summer Showcase. This event was the first time my parents had ever seen me perform in ballroom dancing, with the exception of the couple videos I’ve sent them. Despite the looooong day (9am-10pm), I think they enjoyed themselves, but I know they particularly did when they were able to see the spectacular Joe and Leisa Howard perform mere feet away from where they were sitting. The Howards were also adjudicators during the day and gave me some very flattering comments on my dancing.
Now it’s back to work and a shift in gears as I prepare to attempt to summit Mt. Rainier again in…not very long from now.
I’m more than halfway done with Vegas so far. BlackHat was fun. DefCon starts up today and I’ll be chilling at the CTF table. My 10-day Vegas tour is almost done… I knew it would be a long haul, and that is certainly proving to be the case thus far! Only three more days.