Curiouser and Curiouser

Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

HTTP: The Application Transport Layer?
Topic: Miscellaneous 2:00 pm EDT, May 22, 2008

In the early days of the web HTTP sat at the application layer (layer 7) and rode atop TCP, its transport layer.

An interesting thing happened on the way to the 21st century; HTTP became an application transport layer. Many web applications today use HTTP to transport other application protocols such as JSON and SOAP and RSS.

This is not the same as tunneling a different application through port 80 simply because almost all HTTP traffic flows through that port and it is therefore likely to be open on the corporate firewall. They're essentially just pretending to be HTTP by using the same port to fool firewalls into allowing their traffic to pass unhindered.

No, this is different.

This is the use of HTTP to wrap other application protocols and transport them. The web server interprets the HTTP and handles sessions and cookies and parameters, but another application is required to interpret the messages contained within because they represent the protocol of yet another application.

The problem is, of course, that there are no standards beyond HTTP. My JSON-based Web 2.0 application looks nothing like your SOAP-based Web 2.0 application. And yet a single solution must be able to adapt to those differences and provide the same level of scalability and reliability for me as it does you. It has to be extensible. It has to provide some mechanism for adding custom behavior and addressing the specific needs of application protocols that are unknown at the time the solution is created.

Applications aren't about HTTP anymore, they're about undefined and unknowable protocols.

There's a lot of traffic out there that's just HTTP, as it was conceived of and implemented years ago. But there's a growing amount of traffic out there that's more than HTTP, that's relegated this ubiquitous protocol to an application transport layer protocol and uses it as such to deliver custom applications that use protocols without RFCs, without standards bodies, without the W3C.

This is why Layer 4 IDS/IPS will not win. There's an RFC that defined IPv4, IPv6, TCP, SSL, etc. You can easily test structure and determine malformed IP packets. You can use stateful packet inspection to check FTP. There is no RFC that defines JSON. There is no RFC that defines what the data inside the JSON literals is going to look like. There is no RFC about the character encodings that I'm applying. I've seen web applications using pipe (|) separated quoted strings that are Base64-ed to transfer data back and forth. How do you deep inspect something when you don't know the format?

(actually, this reminds me of an awesome presentation I saw in Toorcon back in 2004, Protocol Analysis using Bioinformatics Algorithms)

HTTP has become the long haul, reliable application transportation protocol of web applications, and we have no idea what the traffic traveling over it is supposed to look like. So how is an appliance in your DMZ supposed to validate it?



Doodle 4 Google
Topic: Miscellaneous 1:44 pm EDT, May 22, 2008

Some of these finalists are really good.



San Francisco: Underground Theatre in Union Square - TripAdvisor
Topic: Miscellaneous 2:43 pm EDT, May 21, 2008

Stage Werx Theatre is a new cutting edge underground theatre in the Union Square Theatre District.

The owners, twin sisters, have been part of San Francisco's alternative arts community for years and have brought a bit of the mission district and burning man freak to the touristy center of San Francisco.
As you approach the copper gate to the theatre you are aware that something different is going on here. Descending down the stairs transports you to an underground steampunk them

... oh hell yeah. I have an afternoon in SF before the red eye back to the ATL. Hmmmm



Mary J. Blige - Family Affair
Topic: Miscellaneous 1:08 pm EDT, May 21, 2008

I need to start using the words percolating, hateration, and, most importantly, dancery.



Speaking at BlackHat 2008:
Topic: Current Events 9:13 am EDT, May 16, 2008

Circumventing Automated JavaScript Analysis Tools
Billy Hoffman

[snip]

Next we explore multiple new techniques to circumvent the current generation of automated analysis tools by detecting their presence from inside malicious JavaScript. (JSPill? hmmmm) These methods include HTTP/browser fingerprinting, DOM testing and encrypting, Domain and Network testing, Execution environment testing, and cross plugin communication testing. We will demonstrate malicious JavaScript detecting analysis tools using these methods and refusing to give up its secrets until it's running in the web browser of choice. We’ll demonstrate encrypting JavaScript to only run in particular browsers or environments. We’ll also demonstrate a couple other tricks, such as encoding malicious JavaScript as nothing but white space, and function clobbering for fun and profit.

Time to kick CaffineMonkey in the ass. Sorry Ben, I owe you a beer.

And, as is often the case, this technology has no legitimate use.



Rods From God
Topic: Technology 8:07 am EDT, May 15, 2008

They are a kinetic energy device like the railgun, but instead of using electricity to achieve destructive velocities, they use gravity. The still-hypothetical system would be comprised of two satellites in orbit around the Earth. One would house the communications and targeting hardware, while the other would house the rods themselves, each up to a foot in diameter and twenty feet long. To fire, they would simply be released and allowed to fall back to Earth (with a bit of remote guidance). By the time they reached the surface, they'd be traveling at a speed of 36,000 feet per second and carry the destructive force of a nuclear warhead, only with none of the radioactive fallout.

!!! ... !!! Dropping telephone poles on people. From Space! Damn.



Sec w/o ID
Topic: Miscellaneous 7:54 am EDT, May 15, 2008

Security without Identification
Card Computers to make Big Brother Obsolete

David Chaum rules. This paper is 22 years old.



RE: Charter fucks with DNS
Topic: Miscellaneous 12:56 pm EDT, May 14, 2008

Rattle wrote:
Remember Billy, when driving through the Internet Ghetto, put the windows up, radio off, and seats down.

When I drive through the Internet Ghetto my ports are open, my radio is pumping, and my all inputs be '/**/OR/**/5=5/*|id;cat</etc/p%61sswd%00<img src=x onerror=eval(location.hash.substring(1))>



You appear to be running a disk intensive task...
Topic: Miscellaneous 10:26 am EDT, May 12, 2008

Me: Why is Visual Studio taking 45 seconds to load?
Computer: You appear to be running a disk intensive task... so I think I will run an anti-virus scan, and the file indexer for Desktop search!

I swear my laptop "knows" when I'm trying to do something important and runs scheduled tasks at exactly those moments.


Charter fucks with DNS
Topic: Miscellaneous 9:29 pm EDT, May 11, 2008

I was working on a project and noticed some odd DNS behavior. Behold:

C:\Documents and Settings\hoffmabi>nslookup google.com
Server:  24-197-160-17.static.gwnt.ga.charter.com
Address:  24.197.160.17

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    google.com
Addresses:  64.233.187.99, 64.233.167.99, 72.14.207.99


C:\Documents and Settings\hoffmabi>nslookup www.memestreams.net
Server:  24-197-160-17.static.gwnt.ga.charter.com
Address:  24.197.160.17

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    memestreams.net
Address:  72.9.237.202
Aliases:  www.memestreams.net


C:\Documents and Settings\hoffmabi>nslookup shouldnotresolvefoooooo.com
Server:  24-197-160-17.static.gwnt.ga.charter.com
Address:  24.197.160.17

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    shouldnotresolvefoooooo.com
Addresses:  64.158.56.56, 63.251.179.56


C:\Documents and Settings\hoffmabi>nslookup fuckyoucharterthisshouldntresolve.com
Server:  24-197-160-17.static.gwnt.ga.charter.com
Address:  24.197.160.17

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    fuckyoucharterthisshouldntresolve.com
Addresses:  64.158.56.56, 63.251.179.56

Fuck! Charter is trying to be helpful and resolving all hostnames, even those that don't really exist. Instead of doing what they are supposed to do and returning an error that thissitedoesnotexistatall.com doesn't resolve, they are lying to me and my project and telling me it does. Hello again SiteFinder, didn't we stop all this bullshit 5 years ago?

So, I try this with craziness in a web browser and I get this helpful page:

The search results on the prior page were provided because the domain name you entered into the address bar is either improperly formatted, currently unavailable, nonexistent, or part of a keyword search. This service is designed to enhance your web surfing experience

Only it's not, it's messing up my program because things that should not exist are being reported as existing!... ... [Grrrrrrrrrrrr]

Note: In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: ".charter.net".

Great, just freaking great. There is no way to turn it off. They are always going to resolve the non-existent hostname, and then do an HTTP 302 redirect to their bullshit captive portal, only to then see a cookie that tells them to give me an error page, which is an HTML page made to look like Internet Explorer's default DNS error page.

Way to consider programs that do DNS resolution that don't use HTTP.

I hate Charter so much right now.

Update: They are doing very odd things. At first it seemed they are only doing this with domains directly off a TLD. So the non-existent dfklsdfaklsdafkldafkl.com resolves but the non-existent foobar.verisign.com does not. However the non-existent Fdsafdsfdsafdsa.google.com resolves.

God damn idiots.

In an odd bit of humor, their mocked up IE DNS error page is all messed up. First, it doesn't display images in anything other than IE because they are using the res:// protocol. I hope Microsoft fucking sues them for using the IE DNS error page word for word.

GRrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
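
An added example, not part of the original post: one way a program that depends on DNS errors can cope with a resolver that rewrites them, by resolving random sibling names under the same parent and treating an identical answer as "does not exist". The function names and `sample_resolver` are hypothetical; the sample data is constructed from the nslookup output above so the block runs offline.

```python
import secrets
import socket

def system_resolve(name):
    """IPv4 addresses from the OS resolver; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def probe_parent(resolve, parent, probes=3):
    """Resolve random labels under `parent` that cannot plausibly exist.
    Returns the addresses handed back for them (empty set = honest error)."""
    sink = set()
    for _ in range(probes):
        sink |= resolve(f"{secrets.token_hex(12)}.{parent}")
    return sink

def resolve_checked(resolve, name, probes=3):
    """Resolve `name`, but report it as nonexistent when its answer is only what
    random siblings under the same parent also get. A genuine wildcard zone
    looks the same to this test, so callers must treat the two cases alike."""
    answer = resolve(name)
    parent = name.split(".", 1)[1] if "." in name else name
    sink = probe_parent(resolve, parent, probes)
    return set() if answer and answer <= sink else answer

# Constructed stand-in for the resolver behaviour shown in the post.
REAL = {"google.com": {"64.233.187.99", "64.233.167.99", "72.14.207.99"},
        "www.memestreams.net": {"72.9.237.202"}}
REWRITE = {"64.158.56.56", "63.251.179.56"}

def sample_resolver(name):
    name = name.lower()
    if name in REAL:
        return set(REAL[name])
    if name.endswith(".verisign.com"):  # the post's Update: not rewritten here
        return set()
    return set(REWRITE)

if __name__ == "__main__":
    for host in ("google.com", "shouldnotresolvefoooooo.com", "foobar.verisign.com"):
        print(host, sorted(resolve_checked(sample_resolver, host)))
```

Pass `system_resolve` instead of `sample_resolver` to run the same check against the live resolver. Probing per parent matters because, as the Update notes, the rewriting is not applied uniformly across zones.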


