I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Topic: Miscellaneous
9:25 am EST, Dec 14, 2007

Start: 2007-12-15 18:00
End: 2007-12-15 23:59
Timezone: Etc/GMT-5
Location: Vortex, Atlanta

That's right kids, it's that time again. SantaCon is coming!!! I've seen the pics from the last few years and have to say, y'all do it right!!!! Just to remind everyone, I have listed the rules for SantaCon again. There is no Santa in charge to call. If you can't show up for the start, get the phone number of someone who can help you catch up later.

1. AGAIN! Santa does not make children cry. Really - If you see kids, give them nice toys, candy, or something pleasant. Parents and Tourists are a different matter altogether -- adjust based on their attitude.
2. Santa dresses for all occasions. It's December. Smart Santas wear multiple costume layers. Dress to maximize merriment whether singing Christmas carols in the snow, or swinging from a stripper pole.
3. Santa doesn't whine! We will be outside a lot and commuting mainly on foot -- bring enough "snacks" to keep your pie-hole filled until we get indoors.
4. Bring gifts -- NAUGHTY gifts to give grown ups; NICE stuff to give kids. Throwing coal at people is discouraged no matter who they are. YES THAT INCLUDES POLITICIANS

To my west coast homies who think Atlanta is boring, I present to you SantaCon. Dan, trade in your 1337 limo races. Peter, set down those urban golf clubs. Embrace the joy of the Santa-themed pub crawl.

Atlanta SantaCon

List all properties in the entire JavaScript environment!

Topic: Technology
12:14 pm EST, Dec 13, 2007
Jello wrote:

    // Enumerate every enumerable property of obj as "obj_name.prop = value" lines
    function show_props(obj, obj_name) {
      var result = "";
      for (var i in obj)
        result += obj_name + "." + i + " = " + obj[i] + "\n";
      return result;
    }
Super convenient when peeps don't document their objects.
You can do this on the window object and you get all global objects. This means all global variables and all the user-defined functions! You can call valueOf() on the function object to extract the source code! valueOf() even automatically inserts the appropriate whitespace and indenting for you to easily read the code. You can recurse down objects and check their children, so this handles JavaScript "namespaces" as well. Hook this up to a setInterval() call and you can also perform runtime monitoring of the JavaScript environment! On-demand Ajax? No problem!

With Firebug, you have the JavaScript equivalent of "View Source." With this method, you have the JavaScript equivalent of "View Generated Source!" Super convenient when peeps don't document the Ajax applications you are hacking! Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah!

In the interest of disclosure, websec guru Amit Klein came pretty close to this in 2006. He discovered the joy of valueOf() but didn't take the next step of how to discover/enumerate all the user-defined functions in the JavaScript environment.
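The walk-and-recurse idea above, written out as an added example (not Jello's snippet and not the HOOK tool) from the auditing side: a cycle-safe property walker that inventories what an application leaves on the global object, plus a snapshot/diff helper that reports names added later, which is what a setInterval() monitor would flag. It runs in Node, so globalThis stands in for window, Function.prototype.toString() recovers source text the way the post uses valueOf(), and the `app` object is constructed sample state.

```javascript
// Added example, not Jello's snippet or the post's HOOK tool: a cycle-safe
// property walker plus a snapshot/diff helper, written from an auditor's side
// to inventory what an application exposes on the global object and to notice
// names added later (what a setInterval() monitor would report). Runs in Node:
// globalThis stands in for window, and Function.prototype.toString() recovers
// function source the way the post uses valueOf().

// Return "path = value" lines for every own enumerable property of obj,
// recursing into nested objects up to maxDepth. `seen` breaks cycles.
function listProps(obj, name, maxDepth = 2, seen = new Set(), depth = 0) {
  const lines = [];
  if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) return lines;
  if (seen.has(obj)) return lines;
  seen.add(obj);
  for (const key of Object.keys(obj)) {
    const path = `${name}.${key}`;
    let val;
    try { val = obj[key]; } catch (e) { lines.push(`${path} = <getter threw>`); continue; }
    if (typeof val === "function") {
      // Source text, including the author's whitespace, like valueOf() in the post.
      lines.push(`${path} = ${Function.prototype.toString.call(val)}`);
    } else if (val !== null && typeof val === "object") {
      lines.push(`${path} = [object]`);
      if (depth < maxDepth) lines.push(...listProps(val, path, maxDepth, seen, depth + 1));
    } else {
      lines.push(`${path} = ${String(val)}`);
    }
  }
  return lines;
}

// Baseline the names on a scope object and later report what was added.
function snapshot(scope) { return new Set(Object.getOwnPropertyNames(scope)); }
function addedSince(before, after) { return [...after].filter((k) => !before.has(k)); }

// Constructed sample standing in for a page's application state (not real site code).
const app = {
  version: "1.2",
  config: { debug: false, endpoint: "/api" },
  helpers: { sum: function sum(a, b) { return a + b; } },
};
app.self = app; // deliberate cycle to show the walker terminates

const baseline = snapshot(globalThis);
globalThis.injectedHelper = function () { return 42; }; // simulated late-arriving global
const added = addedSince(baseline, snapshot(globalThis));

console.log(listProps(app, "app").join("\n"));
console.log("added globals:", added); // ["injectedHelper"]
```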

Topic: Miscellaneous
11:04 am EST, Dec 13, 2007
When did "message" become a verb? I was in a meeting today with fancy uses of "message" such as "I'll message that information" or "Who will be messaging this?" Does anyone else find this silly? UPDATE: It really is a Verb!

Things that were not to be: suicidenotes.cx

Topic: Society
10:02 pm EST, Dec 10, 2007
Virgil made the list with Wikiscanning. Congratulations, Virgil! (Interestingly, one of the other ideas was also one Virgil came up with a few years ago, but didn't pursue perhaps due to discouragement from several friends.)
Actually, Virgil's idea was to create www.suicidenotes.cx so people wouldn't find your note before you killed yourself. Revenue models included creating, and I shit you not, a coffee table book of suicide notes. It was one of the most surreal conversations I have ever had in my life: Strick and I sitting in the student center at Georgia Tech trying to explain to Virgil that this was a bad idea. This was back in Summer 2003 or so. Got to give my partner-in-crime credit, he's a visionary!

Phone phreaks spoof LSD-induced multiple homicide

Topic: Technology
11:21 am EST, Dec 10, 2007
Three more individuals have admitted they participated in a series of phone phreak hoaxes that prompted raids by armed special weapons and tactic police teams on the homes of unsuspecting victims. Jason Trowbridge, of Louisiana and Texas, and Chad Ward of Texas pleaded guilty to multiple felonies, including conspiracy, access device fraud and unauthorized access of a protected computer. Each faces maximum penalties of five years in prison, fines of $250,000 and costs for restitution. Swatters, as the malicious pranksters are referred to, use a combination of social engineering, phone phreaking prowess and computer hacking to spoof the phone numbers of individuals they want to harass. They then make emergency calls to police departments and report crimes in progress, in many cases prompting a response from SWAT teams who conduct emergency raids on the homes of people whose numbers were spoofed.
Police, meet the ANI fail; ANI fail, this is the police. If you want to know more, look up my man Lucky.

In many cases, the victims were fellow participants in telephone party lines, which largely act as the phone equivalent of internet relay chat groups. Trowbridge, who went by the names "Jason from California" and "John from California," furthered the scheme by mining personal information about the victims from a host of sources, including consumer reporting agencies, pizza delivery records and newspaper subscription records, according to court documents signed by the defendant. The personal information Trowbridge provided allowed the gang to make fake emergency calls that had the ring of authenticity. In one case, they posed as an Alvarado, Texas man whose daughter was a party line participant. They told a police dispatcher that he had shot and killed members of his family and was armed with an AK47 machine gun. The caller, who claimed to be high on hallucinogenic drugs, then threatened to kill his remaining hostages unless he was given $50,000 and safe passage out of the country. Police responded by sending police to the residence of the real man. During the course of the conspiracy - which lasted from late 2002 to June of this year and involved as many as 20 individuals - the participants also initiated calls to employers, landlords, families and friends of party line members they held a grudge against. Some of the members who refused to stop using the line found their friends and families swatted.
This is ridiculous, especially when you see the quarter of a million dollars in "damages" that occurred.

Safari 3 Beta Update 3.0.4

Topic: Miscellaneous
10:29 am EST, Dec 10, 2007
What's included?

New features
* Allows windows to be resized from any side
* Includes an additional font smoothing option ("standard")
* Adds International text input methods
* Adds advanced text options (contextual forms, international scripts)
* Supports NTLM
* Includes auto-detection of PAC files

PAC Files are the devil's candy.

* Supports listing FTP directories

It's about time guys! This was a pathetic and glaring hole in the feature set.

* Links to proxy settings from Safari (Safari respects the proxy settings in the Windows Internet control panel)
* Adds cookie management
* Adds LiveConnect support

Thank You! Thank You! Thank You!

* Includes tooltips
* Adds spell checking and grammar checking
* Allows printing of page numbers, titles, margins
* Improves bookmark collection interface
* Maintains original order of imported bookmarks
* Adds an interface for editing AutoFill information
* History searches now search the full text of visited websites
* Adds a new preference to manually mark RSS articles as read
* Includes support for tilt wheels


Topic: Technology
11:19 am EST, Dec 7, 2007
You know it's a slow news day when a story about Commodore 64 enthusiasts appears on the front page of CNN.

C64 on CNN Homepage?

if(ISO.contains(PDF)) { dance();}

Topic: Miscellaneous
9:48 am EST, Dec 7, 2007
At the end of January 2007, Adobe submitted its Portable Document Format (PDF) to the ISO. Now, as the year winds to a close, Adobe has announced that PDF 1.7 has been approved by the ISO and will become the ISO 32000 standard (DIS). Although previous subsets of PDF (specifically PDF/Archive and PDF/Exchange) have been considered by the ISO, the approval of the entire document format as a new standard will impact its development in the future. From this point forward, the ISO, rather than Adobe, is in charge of the PDF specification and any changes that are incorporated into it. According to King, none of the current licensing terms for the PDF standard will change, as it's already licensed for free and readily available to anyone wishing to develop software capable of reading, writing, or processing PDF, but he posits that Adobe's Acrobat suite might see an increased level of competition from other companies as a result of the ISO certification.
I wasn't even aware that this was in the pipeline. Now if only they'll turn over SWFs!


Topic: Technology
9:38 am EST, Dec 7, 2007
I received an amazing amount of mail from my friends in Microsoft (none of whom work on IE) regarding my IE post. Surprisingly, much of it was positive, but some were a little astonished. Allow me to clarify a bit. I don't personally dislike anyone on the IE team. I do, however, abhor what the team creates: a non-standards compliant browser that hurts web developers and security professionals alike. I firmly believe that Microsoft's actions over the last 10 years illustrate their complete lack of commitment to web browsers or web development. And 1.5 years of non-evil behavior and a tabbed browser doesn't change that. So when I see posts saying "look at us, we have 300 million downloads and awesome security," I'm shocked. And when, faced with a year's torrent of requests for info about bugs, CSS hacks, standards compliance, and future browser plans, the community is still faced with stony silence or a pompous "don't worry, we are working on it" post, I felt the need to unload, though, granted, perhaps with more expletives than necessary. But I don't believe what they say any more. There has been too much "it's coming, and it will be so cool" followed by failing to deliver. You don't get to make those statements anymore, certainly not without some blowback.
