Curiouser and Curiouser

Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

LaTienda.com - Glass Porron Wine Pitcher
Topic: Miscellaneous 1:49 pm EDT, Jun 10, 2008

The porron wine pitcher is a festive way to serve wine or sangria. Just pick up the porrón and tilt it so that a thin stream of wine pours directly into your mouth! It takes some skill, but it is fun at a party to see how well you and your friends master the technique. It is also a great way to share sangria with friends. Each porron holds 1 liter, well over a bottle of wine.

Ahhhh yeah!



Google's new Favicon
Topic: Miscellaneous 1:18 pm EDT, Jun 10, 2008

Google's new Favicon pisses me off. I'm not sure why. I know this is irrational, but that doesn't make me dislike that lowercase "g" any less.


Fake, but funny: Cell phones cook popcorn
Topic: Miscellaneous 1:55 pm EDT, Jun  8, 2008

Faked, but still funny.



.NET MD5 Crypto providers are *not* thread safe
Topic: Miscellaneous 3:44 am EDT, Jun  8, 2008

So .NET MD5 Crypto providers are *not* thread safe.

... [sigh] 20 minutes of my life that I will not get back.



from the email archive
Topic: Miscellaneous 4:07 pm EDT, Jun  5, 2008

I went diving into my email archive today looking for something and located this gem quite by happenstance.

From: "Billy Hoffman" [billy.hoffman@spidynamics.com]
To: ****
Cc: ****
Sent: 8/7/2006 1:29 PM
Subject: Re: ****

I want to take all these no talent, tech trendy ass clowns and drown them in the ocean.

The reason we have insecure programmers is these "evangelists" are spending too much time hyping things up to get people to buy into their shitty technology and are spending no time teaching those very people how to properly use it. They then turn around and say “no problem here, this is caused by novices” all while ignoring that their hip and witty blogosphere bullshit is what brought the “novices” into the field in the first place.

This is like leading a horse to water, forgetting about him, yelling at everyone how stupid the horse is for not drinking, and then publicly shooting the horse.

Now, unless you really want me to say all that to these fellows, I suggest someone else kindly point these guys to our whitepaper.

Billy


Left Hand, meet right hand
Topic: Miscellaneous 1:06 pm EDT, Jun  5, 2008

Left Hand: Hi, I'm the left hand. We've never met before, but I'm going to do things that make no sense whatsoever and that will undermine all the hard work of the right hand! Yeah team!

Right Hand: Wait, what did you just say? [shit lands on right hand]

Such is my life at times.


Scaring the crap out of unvisited tribes!
Topic: Science 11:12 am EDT, May 30, 2008

In this image made available Thursday May 29, 2008, from Survival International, 'uncontacted Indians' of the Envira, who have never before had any contact with the outside world, are seen during an overflight in May 2008, as they camp in the Terra Indigena Kampa e Isolados do Envira, Acre state, Brazil, close to the border with Peru. 'We did the overflight to show their houses, to show they are there, to show they exist,' said uncontacted tribes expert Jon

I think this started kind of like this:

Jones: Steve! Steve! Listen to me! I've got a killer idea! Let's go take a giant gleaming helicopter and fly it over a bunch of people who have never seen technology before!

Steve: Brilliant!

...

At least they didn't land and proclaim themselves gods. Because that went really well last time.



Operation Summercon 2k8 in Da House | summercon 2008
Topic: Miscellaneous 3:42 pm EDT, May 28, 2008

We're in the final week before Summercon 2008! Come out Friday night @ 7PM and meet at the Wyndham Hotel bar, a.k.a. "The Mojito Lounge". Don't be shy, just look for someone wearing a Summercon t-shirt and introduce yourself. They won't bite or fight... probably. We'll plan on hanging out at the hotel for a bit and then herd everyone to another fine drinking establishment. Friday night is an ice-breaker, so come out and get to know your friendly neighborhood hacker. Don't sleep in much past noon on Saturday, presentations start at 12:30PM.



Bypassing Web Authentication and Authorization with HTTP Verb Tampering
Topic: Technology 12:46 pm EDT, May 28, 2008

This is a cool paper and all of you should read it for many reasons.

First, because it’s a perfect example of hacking. Hacking is just critical thinking and understanding how a system works. In this paper, by understanding the nuances of web technologies, the researchers found a very trivial way to bypass the authentication systems of many popular web frameworks!

Second, it’s a classic example of how programmers with even a little security knowledge can make big mistakes.

Here is the paper in a nutshell:

Various web frameworks like Java EE, ASP.NET, etc., allow you to configure the website so that certain directories are only accessible to certain users with certain HTTP methods. So anyone can do a GET or POST to /public/, but only an admin can do a GET or POST to /admin/.

Enter the HTTP HEAD method. This is usually used for diagnostics and caching. If you send an HTTP HEAD instead of an HTTP GET to a URL, the website is supposed to do everything it would normally do when processing a GET, except that the HTTP response contains only headers and no body. To make sure the same response (sans body) is sent for a HEAD as for a GET, web servers simply handle the request as if it were a GET and suppress the body when sending the response.

Do you see the trick yet?

The HTTP HEAD method can be used to side-step authentication systems in many web applications. An attacker simply sends a HEAD to /admin/deleteUser?user=billy instead of a GET. The access rule on /admin/ only lists GET and POST, so the framework sees that HEAD is not a restricted method for /admin/, treats it as allowed for anyone, and does not stop the processing of the request. The web server then runs all the back-end code it normally runs for a GET, which deletes Billy as a user. The attacker does not see the body of the response, so it’s a blind attack. However, the attacker can see the HTTP status code returned with the response to the HEAD, and based on its value (200 vs. 500) can tell whether it worked.

This is exactly the reason why HTTP GET should be safe and idempotent. In other words, GETs and HEADs should not modify the state of the web server, so you can send multiple GETs to the exact same URL and it should not cause problems. POSTs, on the other hand, are not idempotent. This is why e-commerce sites say things like “don’t click checkout again!” and your browser will say things like “You have already submitted POST data, are you sure you want to refresh and send this again?” (AMP, we aren’t doing this in our web frontend right?)

We even have an idea about how widespread this problem could be. In 2005 Google launched Google Web Accelerator. This was a browser plug-in that pre-fetched links on the page you were looking at to better utilize your bandwidth. Unfortunately, thousands of sites started breaking because developers all over the world were using simple hyperlinks (which issue a GET) to modify the state of the web app. There was lots of kicking and screaming, and I acquired a healthy dislike for Ruby on Rails developers who kept insisting that the rest of the world was wrong and they were right, but I digress.

In short, by knowing HTTP and understanding that a developer implemented a default “Allow All” for any method not explicitly listed in the access rules, this very cool attack was discovered.
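As an added example (not code from the paper or from this post), here is a small Python model of the access check the paper describes. A Java EE style rule that lists GET and POST for /admin/* is shown beside the fixed form that lists no methods at all; a simulated server serves HEAD by running the GET handler and dropping the body; and an anonymous attacker's HEAD slips through the vulnerable rule and deletes the user while the same GET is refused. The web.xml shape, the paths, the role name and the user list are assumptions made for illustration, and the `probe()` helper is a live-host check that is deliberately not called here.

```python
"""
Added example, not code from the paper or the post: a toy model of how a
Java EE style <security-constraint> is evaluated. It shows why a rule that
lists only GET and POST lets HEAD through, and the fix. Paths, names and
the sample user list are invented for illustration.
Vulnerable web.xml shape the model reproduces (illustrative):
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
Fixed shape: drop the <http-method> lines so the rule covers every verb.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Optional, Set, Tuple

@dataclass
class SecurityConstraint:
    url_pattern: str                    # e.g. "/admin/*"
    roles: Set[str]                     # roles allowed through
    methods: Optional[Set[str]] = None  # None = every verb (the fixed form)

    def covers(self, method: str, path: str) -> bool:
        """True if this rule applies to the given verb and path."""
        return fnmatch(path, self.url_pattern) and (
            self.methods is None or method in self.methods)

class Server:
    """Minimal container: authorize like a servlet filter, then dispatch."""
    def __init__(self, constraints):
        self.constraints = constraints
        self.users = {"billy", "alice"}  # constructed sample state

    def authorize(self, method: str, path: str, roles: FrozenSet[str]) -> bool:
        # Denied only when a rule covers this verb+path and the caller holds
        # none of its roles. A verb no rule lists is therefore "Allow All".
        route = path.partition("?")[0]
        return not any(c.covers(method, route) and not (roles & c.roles)
                       for c in self.constraints)

    def dispatch(self, method: str, path: str) -> Tuple[int, str]:
        route, _, query = path.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if route == "/admin/deleteUser" and method == "GET":
            user = params.get("user")
            if user in self.users:
                self.users.remove(user)  # the state change a GET should never do
                return 200, f"deleted {user}"
            return 404, "no such user"
        if route == "/public/":
            return 200, "hello"
        return 404, "not found"

    def handle(self, method: str, path: str,
               roles: FrozenSet[str] = frozenset()) -> Tuple[int, str]:
        if not self.authorize(method, path, roles):
            return 403, ""
        # HEAD is served by running the GET code path and dropping the body.
        status, body = self.dispatch("GET" if method == "HEAD" else method, path)
        return status, ("" if method == "HEAD" else body)

VULNERABLE = [SecurityConstraint("/admin/*", {"admin"}, {"GET", "POST"})]
FIXED = [SecurityConstraint("/admin/*", {"admin"})]

def verb_tampering_demo(constraints) -> Tuple[int, int, int, bool]:
    """Anonymous attacker sends GET, HEAD, then HEAD again. Returns
    (get_status, head_status, second_head_status, billy_still_exists).
    The repeat HEAD is the status-code oracle: 404 after a 200 proves the
    blind deletion happened even though no body was ever seen."""
    srv = Server(constraints)
    target = "/admin/deleteUser?user=billy"
    get_status, _ = srv.handle("GET", target)
    head_status, _ = srv.handle("HEAD", target)
    again_status, _ = srv.handle("HEAD", target)
    return get_status, head_status, again_status, "billy" in srv.users

def probe(host: str, path: str, port: int = 80) -> dict:
    """Live check, not run here: compare GET and HEAD status for one path.
    401/403 on GET but 2xx on HEAD is the signature described above. Aim it
    at a read-only admin page, never at a state-changing one."""
    import http.client
    results = {}
    for verb in ("GET", "HEAD"):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(verb, path)
        results[verb] = conn.getresponse().status
        conn.close()
    return results

if __name__ == "__main__":
    print("vulnerable:", verb_tampering_demo(VULNERABLE))  # (403, 200, 404, False)
    print("fixed:     ", verb_tampering_demo(FIXED))       # (403, 403, 403, True)
```

The two defences the model encodes are the ones the post points at: never enumerate the verbs an access rule applies to (an empty method list means the constraint covers every verb, including HEAD and anything else a client invents), and keep state changes out of the GET/HEAD code path so that a bypassed check cannot do damage anyway.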



MySpace Suicide Indictment: or TOS violation = crime
Topic: Technology 11:09 am EDT, May 27, 2008

On Thursday, the U.S. Attorney for the Central District of California announced that Lori Drew, now 49 years old, was indicted on conspiracy and hacking charges. The indictment charges Drew, a resident of O'Fallon, Missouri, with three counts of unauthorized access by violation of MySpace's terms of service and one count of conspiracy.

... ?

Where hacking = Computer Fraud and Abuse Act.

So, the DA's logic is that by violating MySpace's TOS, Drew was no longer an authorized user of MySpace's systems, and thus by continuing to use MySpace she committed unauthorized access.

There is a good write up over at The Volokh Conspiracy by Orin Kerr and I highly suggest you read it.

A few choice quotes from Security Focus's coverage:

Yet, legal experts argue that charging a person for violating computer-crime statutes because they broke the terms-of-service agreement of an online site could lead to the ability to charge nearly anyone with computer crime. Using residential broadband for business purposes? A violation of the terms of service and, thus, potentially a crime. Checking sports sites while at work? A violation of corporate policy and, thus, potentially a crime.

and

"There is nothing in the indictment that differentiates between what is a serious violation of the terms of service and a trivial violation of the terms of service," Morris told SecurityFocus. "I would bet that the majority of U.S. Internet users have committed a federal crime, if the charges in this indictment are upheld."

and my personal favorite

"Violating a website's 'TOS' is carte blanche to an imaginative prosecutor," Greenfield said. "We are all felons if this flies."


