DVL Strychnine + E605 now in size of 850 MB
Finally I have managed to reduce the DVL size from 1 GB to 850 MB. To reach CD format we still need 150 MB. Let's see what we do not need.
DVL Strychnine+E605: 350 MB less!
I managed to reduce the DVL Strychnine+E605 by 350 MB. Free Pascal stays but the Lazarus frontend has gone, as well as the Free Pascal sources. Result -165 MB. I identified an Oracle directory containing a client for Oracle. Result -100 MB. Some other parts and we have 350 in Live less. I remaster tomorrow to see which size we have now!
Harry Adams joins the DVL team / DVL mag
We have a new DVL team member. Harry Adams from U.S. will help as VAPI (Vulnerable Application Provider and Integrator) and will build up the vulnerable application section with focus on PHP and MySQL.
With the help from Vitor and Harry we increase speed for the next release DVL Strychnine + E605.
Meanwhile I will work this weekend on the DVL magazine prototype. It might happen that we drop the idea of a PDF magazine (hell of work) and move directly to an online magazine with integrated Flash videos (which we still can convert to a real magazine). These contents can be converted to a nice CD format - later.
A warm welcome to Harry!
Translators needed at SecurityDistro.com
Josh Sweeney is in need of people who can help to translate some articles at www.SecurityDistro.com. If you can help out to translate from English to any language get in contact with him via his website!
My blog about Secure Software Engineering
I have just started my second blog with focus on Secure Software Engineering. There I will post frequently information about models, processes, activities and methods on how to integrate the development in the software development lifecycle. Not much yet but visit me at www.Secure-Software-Engineering.com. By the way: this blog will be not very management friendly due to my experiences with all these management autists out there…
Damn Vulnerable Magazine - Articles wanted!
As mentioned before I will focus soon on the first prototype of the Damn Vulnerable Magazine. However we need some good articles to fill the real mag. For this I will prepare a CfP (Call for Papers) to make it clear which contents we are looking for. As well we might exclude the videos from the .pdf file and place them separately. A .pdf file with a size between 50 and 150 might be a little big. But let the community decide when the prototype is available. Btw: we are still looking for an editor. If you are good at such things contact me!
DVL Strychnine + E605
What do you get if you mix Strychnine and E605? Some evil poison! Same with the next release of DVL. I just added a few more tools (Boomerang decompiler still makes trouble) and remastered the current DVL. Astonishing 980 MB of size. This is really poison! I had to replace the JRE with a real JDK. DVL is now more related to IT security AND programming. I have added Free Pascal with Lazarus which has itself some evil size. Removing Lazarus might release 30 MB but what are 30 MB against 1 GB? So we need really to think about this. Shrinking to CD size means we need to drop some parts. Which? KDE? Pentesting folder? I will have some deeper look into DVL again if we can shrink the size to a CD.
We should not forget that DVL is meant to teach people at university security and programming. Adding videos will let the next release explode to something very evil. One resolution might be to go another way. (1) Shrink DVL to something in CD size and (2) to rethink the video concept. One idea is to place the training and videos into the Damn Vulnerable Magazine. Two advantages: (1) DVL size stays small as training system and (2) we can publish lessons more frequently.
I am currently building the first Damn Vulnerable Magazine as a prototype with videos included. Still have to test if the videos included in PDF are running under Linux.
If we have Web 2.0 (which is bullshit) why shall we not have IT Security 2.0 (which is cool)?
DVL E605 under work…
Damn Vulnerable Linux E605 is now under construction. I plan to release it around October since it shall include videos and they will take some more time. The DVL size exploded now to 1 GB - I am not lucky with such size. So we see how to reduce it. Maybe we need to kick KDE, who knows. Overall a few more nice tools are installed including WebGoat, Boost, and FreePascal. With this we should be final with all these tools. The /pentest/ folder has a size of 230 MB and without KDE we might hit 500 MB less in size. But I don’t want to drop the /pentest/ folder.
At least the last poll “Does size matters?” said: NO. Keep the size. So OK, we move to 1,5 to 2 GB DVD size.
Thanks to Vitor for providing the WebGoat plugin which I will release soon (oh, btw: it will NOT run under DVL Strychnine which has JRE and not JDK only! I provide a link to a JDK as well)
Videos for Tools
DVL is now (from the tool perspective) 99% final. A huge collection of tools. Do you know how to use these tools? At least I believe we need a hello world for some of the important tools. This can be done as text tutorial or as tiny videos. Producing such a tiny video is simple but if we include sound this starts to get time-consuming. Without sound we could integrate community much better since sound requires some good spoken English.
What do you think about this? Would this be useful or useless effort?
Editor at DVL - Magazine 2.0
One of the next steps to support and to extend the DVL project is to have a community magazine. The Damn Vulnerable Magazine is meant as a frequently published high quality magazine containing tutorials, articles, code snippets and - huhu - possible integrated videos. Newest Acrobat by Adobe supports such integrated videos and even if the file size might be large(r) this might be worth to experiment with. What I do not understand is why do they convert the videos to QuickTime and not to Flash format?
However I would like to give it a try - imagine a tutorial explaining how to use a tool and you can directly see how to do this with DVL. I will place a prototype soon.
The pin point is that we need at least one editor and two journalists to produce such a magazine. If you believe this could be your position in the DVL team contact me. I will add this job at Jobs@DVL as well. Experiences in such topic would be great, at least you should have some feeling for good writings and how to design a mag (tool experience!). Maybe I ask some people from other communities (e.g. Multimedia Design) as well to fill the position as an editor.
Exercises@DVL and Challenges@DVL
We have the first submitted solutions at Exercises@DVL. Check it out at the DVL portal. Meanwhile you can think about Challenges@DVL. Contact me if you have a nice challenging problem to get solved by the community.
About DVL and OWASP WebGoat
As commented in a recent blog comment I will have a look at the OWASP WebGoat project. It may be a good solution to solve some problems of integrated PHP vulnerability training. Additionally, OWASP seems to provide some (more?) tutorials which would be excellent to integrate into the DVL project. At least this would save much work. I do some experiments this evening and if successful I provide a DVL plugin this week. Meanwhile Vitor starts to seek for the first binary vulnerabilities. If this project would be a ship I would say that we increase speed now.
A new VAPI is arriving…
The DVL team gets a new member. He takes the position of the VAPI for binary vulnerabilities. More about him and his tasks for the DVL project in my next blog entry…
Have you ever thought of being a team member? More c2c jobs at Jobs@DVL soon!
Peace!
Still looking for assistance
DVL is a c2c project which means it is community to community. And this project needs help - your help! At the moment we are looking for people who can provide vulnerable applications for DVL either binary or PHP/SQL. So come on and spend a little time for this project. More information is located at Jobs@DVL.
Tutorials & Mirrors
After adding new features to the DVL portal it is now time to concentrate on filling it with more content. 3 more tutorials will be added (the formatting makes some trouble).
The mirrors will receive a download link to DVL Strychnine during the next few days. Sorry for the delay but too much work lately.
If you have time visit my new WarBlog at http://blog.secure-software-engineering.com - my personal fight for Secure Software Engineering and against management autism. Btw: the main website will contain (when I have enough time) a magazine on this topic…
Jobs@DVL & Exercises@DVL
Two more addons placed at the website.
Jobs@DVL helps us to let this project grow. We are still seeking for qualified persons willing to help us to let DVL grow.
Exercises@DVL will contain kind of weekly exercises to train programming, networking or whatever. With this we will soon open the Challenges@DVL containing a monthly “special task”.
Stay tuned!
First plugin arrived
Josh Sweeney has submitted the first plugin for DVL. The Iodine module adds Iodine version 0.4.0 to BackTrack 2, Iodine version 0.4.0 is default. This module adds Iodine to /pentest/tunneling/iodine-0.4.0. It does not change the menu link in KDE or Fluxbox. Nor does it remove the old version. BTW: he has a nice website, check it at http://www.SecurityDistro.com.
Jobs@DVL
Jobs@DVL is a new menu item listed in the top menu of the DVL website portal. Using this you will get soon a list of non-commercial jobs for the DVL project and other community driven projects. Sorry, no payment for them.
But the list can be extended by registered users posting other and commercial jobs.
I cannot do all projects on my own so I really need some professionals who would like to spend some time. It is not as much work as it all looks like….
Tracking projects…
I have just installed a project tracker at the main DVL portal to handle the upcoming activities. Not a perfect project planning tool (Gantt charts, milestones and much more are missing) so I would better call it a “project tracker”. The tracker is closed to public until I have full knowledge of the system. With the tracker it should be easier to coordinate the projects and to hold the project documentation.
Who thought project management is for commercials only is wrong!
Assembly Language - How to start?
I am often confronted with the question “how to start with assembly language programming”. One solution could be to install a DVL related assembly language programming course.
The “how” is the most problematic question. Should it be theoretical or practical style? Mentorship based or self-education? Exercises with solutions or not? Or more like a challenge from easy to hard?
I try to plan something, place your comments on it below…

