A mashup is a self inflicted XSS attack

I love this quote.

Douglas Crockford - Ajax Security

"The archaic system of an X-ray machine and metal detector cannot pick up other potential threats posed by passengers," Baum says. "I can have a ceramic weapon or chemical weapons and walk through an archway metal detector and it won't be picked up. Yet we have huge faith in these metal detectors that can only pick up one substance."

Metal detectors are blacklists, but I'm nto sure if things like Layer Voice Analysis can be called whitelists. We need a whitelist device for airport security.

Behavioral screening -- the future of airport security? - CNN.com

Offspring has a new album and it is excellent. Easily their best since American in 1998. You can buy the album in MP3 format at Amazon.

Lord Tivo (peace be unto him), decided that I should watch Prototype This. And when I saw (much to my surprise) Joe Grand in opening sequence I knew the show would rock. I especially loved the "Feds (heart) L0pht) t-shirt!

When are we going to see Bunnie on a episode I wonder?

Kingpin on Prototype This

Nobody ever pulls the seams round here,
but I don't really mind and it's starting to get to me

When did I join an organization surrounded by yes-men and full of people who plan and plan and plan never executing while the house burns down around them? When did I become unable to affect change? Why have I sat and accepted that for so long?

My work vodka is sitting on the shelf next to the computer books.

Vodka in a stapler

I was digging through a boxes of books that I had not unpacked since the move to the new house and discovered a cache of old 2600 magazines. One of the first ones I saw was 2600 Vol 18 Issue 3 from Fall 2001.

Here unedited, was my thought process:

-wow, that guy looks familiar
-wait, isn't that Dimitri? that crypo guy?
-wait, didn't I write an article for this issue? [opens 2600]
-yep, "Deconstructing a Fortres" the first article [reads alittle]
-man I remember this. I hacked Tech's library systems so I could play Quake while skipping Calc in Skiles. That was awesome!
-wait, didn't I end up in the square root club that semester?
-[sigh]... damn georgia tech ... ... damn attention span
-wow this article reads like I talk: fast and frantic and overly verbose
-HA! awesome, implementing 16bit integers in TI-Basic
-Hmm, I wonder what happened to Amatus? [google]
-holy shit! haha, That right, now I remeber, that's how I met Lucky!
-damn, this article is pretty long
-sweet. the next article is about hacking Microsoft's passport.
-Man, in 2001 I was all hardware. Did I even know what an HTTP cookie was?
-wait, who wrote this. Holy shit, Chris Shiflett!
-k2labs? does that even still exist? [googles]
-wow, a those turkish translations?
-... ... ... oh crap. this is from 2001. That was over 7 years ago.
-... ... fuck, I'm getting old.

The sexy San Francisco Internet start-up has always been an attention-getter. It was formed by serial entrepreneur Scott Banister (also a prolific investor who has backed the likes of Facebook, Hi5 and Powerset and sits on the board of Slide) and wife Cyan. It features tasteful photos that are billed as promoting female beauty and artistic expression (think women, including Cyan, in various stages of undress).

Unlike many in the current Internet boom, this site has no advertising. For $10 a month, members can view and vote on the photos. Each vote delivers cash to models and photographers (60 cents for models, 20 cents for photographers). Casting votes also allows members to get updates from the artists. Members get five votes with their monthly subscription and frequently buy more to act as patrons of the arts, Cyan said. The Banisters like to say that it's a cross between Playboy and "American Idol." There are ground rules: No naked men, no sex acts, no extreme close-ups. Models must prove they are over 18.

PearlSome of Zivity's top models (such as Pearl, pictured at right) have become big hits on the high-tech party circuit, as the Crunchies, TechCrunch's annual awards, show. But now it's Zivity that is taking a hit, joining the ranks of start-ups downsizing to make the money they raised from now skittish venture capitalists last longer.

It was a difficult but necessary decision, say the Banisters, who are seasoned technology professionals. They have experienced the industry's ups and downs before.

Scott dropped out of the University of Illinois at Urbana-Champaign to start a Web advertising company that he later sold to Microsoft. He co-founded spam-blocking company IronPort, which Cisco Systems bought last year for $830 million. That's where he met Cyan, who managed IronPort's blacklist of spammers. Together they came up with the idea for Zivity, which they launched in February 2007. They raised $8 million in two funding rounds from investors such as BlueRun Ventures and Founders Fund.

But, with the slowdown in consumer spending and with venture capitalists zipping up their wallets, the Banisters took a realistic look at their start-up's finances. The Banisters wanted to make sure they had enough cash to remain in business as they prepare to open up to the public early next year and broaden into a place for artists of all kinds to strut their stuff. So they made the tough decision to cut eight out of 22 employees.

"We did an internal budgeting exercise to stretch our cash into 2011 and presented it to the board," Cyan said. "They were very pleased that we were proactive."

Well that sucks, but at least Cyan is thinking ahead, per Sequoia's RIP preso about cost cutting.

Zivity and other start-ups lay off workers to ride out economic storm

Ran across an old document today at work. When SPI was purchased by HP a little over a year ago my boss had me compose a memo about why we needed completely unfiltered internet access. HP IT doesn't like us very much...

Any content filter system, URL blacklist, application gatwways, internally facing Firewalls, or internally facing IDS/IPS systems that prevent access to any of the resources described below would have a severely adverse impact on SPI Dynamics’ ability to test our products and collect knowledge about current and emerging web security trends and techniques.
---

SPI spends time each day reading variety of websites across the globe which may or may not be hosted in domains other than .com, .net, or .org to keep up with the latest security research and techniques. Some of these resources include: major IT news sites, major security sites, industry blogs, and mailing lists archives (by visiting the archives we don’t have to use an email address to subscribe)

Malicious attackers are often farther ahead than traditional security researchers. As a result SPI researchers visit various resources attacker discuss their methods. These sites often advocate criminal activity and openly discuss live attacks or specific vulnerabilities in websites or products. Example websites include [REDACTED] and many, many others. From time to time we visit IRC webserver around the Internet. chatrooms to learn the latest security details.

Websites that discuss, advertise or traffic in illegal or illicit materials often contain very sophisticated and non-standard interfaces that use JavaScript, VBScript, Flash and other technologies in unique combinations to try and track what users are doing and protect access to their materials. SPI visits these sites for 2 reasons: They are excellent stress tests of our parsers for JavaScript, Flash, etc and they also provide insight into how people are trying to use web technologies maliciously. Example illegal or illicit materials include pornography, 0day vulnerability information, root kits, and phishing kits.

SPI routinely visits phishing websites (including legitimate websites that have been compromised) to assess what types of information an attacker is collecting and how the server was compromised.

When interacting with different customers or acquiring new security tools SPI will content various non-web destinations on the Internet. Examples include FTP servers, SSH servers, Subversion of CVS source code repository server, and various web servers (SSL encrypted or not) running on none standard ports numbers.

The (legitimate) web security research community is fairly small. SPI routinely uses instant messaging services to communicate with our peers in other companies and in academia. IM allows us to respond to breaking treats (such as the web worms like Samy and Yamanner) more rapidly than email. Many in our profession prefer to use encrypted channels for instant messaging so the conversations cannot be logged by inline devices.

SPI has various test websites set up external of the company (such as atlantahacker.com) which we use for demonstrative purposes when access to internal SPI test sites is not practical or impossible. SPI will scan these sites from inside SPI from time to time as well as we develop them. As a result SPI is sending attack traffic out into the Internet.

SPI performs large search engine queries and visits a sampling or sites to understand the scope of vulnerability and the number of affected platforms. These so-called Google Hacks can sometime set off intrusion detection systems that are monitoring SPI’s outbound traffic.

"From the world of art collecting and yelling..."
John McEnroe: "Why isn't there any good art in here?"

I. Love. 30rock.

Art collecting and yelling