akram, here is the translation of the website.. google is always ur best friends..
http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&u=http://www.8dou.net/html/article_show_30715.shtml&sl=zh-CN&tl=en&history_state0=

In the enterprise: domain controllers and PAM are capable of enforcing the usage of strong passwords enterprise-wide.

Application: it’s entirely up to the developer. When was the last time maybank2u ask it’s user to change password?

Users are hard to educate, but with the right enforcement, education and the correct usage and deployment of the right technology, a lot of problem can be solved.

I think weak passwords are usually concern with human error/problem. And for this layer, I believe it should be governed by security policies.

But then there’s no patch for human stupidity rite?

yomuds,

chill bro chill! hehe

We showed/demoed how people can abuse RFI/SQL and command injection problem to get people realize the problems, later on we show them the real problem which is the insecure CODE practices. And we ask them to spot and fix the CODE(in handsout). and later on we ask them to study the apache log to find any pattern of those attacks.

*sighh*.we didn’t bother to get people excited which demoing demm plain and old method of attacking RFI/SQL/etc..etc. Hence the training is cal as “analyzing the intrusion” instead of web hacking.*sighh*.

Dear ‘my_friend’,

Again, the whole class is to do analysis of RFI attack. seriously, what the fuss is about attacking?. and we’re just try to show the impact of the bugs.*sighh*.That’s the reason why we showing the demo. and demmit, the ctf thingy is just to get people not so sleepy (who want to learn analyzing stuff compare to breaking stuff? : ) ) ..*sighh*.

And then again, we never ever claim ourself as demm rockstar in infosec world and as always, we have our own weaknesses and learning curve.

And yes, i told everybody that RFI/SQL is freaking old and everybody know about it (RFI/SQL). But does anyone bother do any free training for analyzing and fixing the bugs to public at large?. ‘sembang kosong’ is always what we do better, dude.:)

Do u really were there from the beginning i started our presentation. if u weren’t there and still complaining abt old attack on RFI,u’r absolutely talking out of context. We keep telling ppl that this is the “BASIC and OLD attacks. Please google for more advance RFI/SQL injection stuffs”.*sigh*

Dear ayoi,

since when collecting/analyzing pcap is new stuff..heheh.just kidding dude. We just want people to be able to analyze their own code and their own web server log and spot any pattern of attacks and react to it.:).yeah, that’s all i guess. we didn’t intend to talk about breaking/hacking stuff at all.

Regards,
y0muds
n00b.
p.s:i apologize in advance if i accidentally offended someone with my comments on ayois’ blog.:). sorry.

p.s.s:sorry ayoi for long comments.hahaha

What we need is better education of developers, not to show off what attackers can do.