I was just told to "not worry about" all the SSL and SSH cert violation warnings I'll see while using the network at a client's site. Its because they "have uber security."

...

You mean not worry you are man in the middling all of my traffic?

[grrrrrrrrrr]

Its like hiring Beethoven to teach a 3 year old to play piano, and when Beethoven gets there he finds no piano. But he's told they might soon have a trumpet. Maybe. In like 3 weeks. Can he teach the trumpet instead?

[sigh]

Today is not a good day.

This document is intended to describe structure ofa HTTP Archive file (*.har) that should be used when exporting data from Firebug Net panel. The current version of the format isn't finalized and is open for further proposals.

This is sexy. I hope this gets adopted. Importing HTTP capture data from all the different tools is a pain in the ass. The best I've found is Web Scarab, which can export/store captured HTTP traffic requests and responses as simple flat files with the raw HTTP. Many of the capturing proxies and web security tools have flaky export as best, or export into a encrypted, undocumented format (*cough*SPIProxy*cough*). The ones that do export to a plain text typically fail on binary responses or gzipped responses as soon as they hit an unprintable ASCII character. Of the few remaining many will export a normalized version of the response, where GZIP is undone and responses are dechunked and HTTP header order has been normalized.

Need to look at this more. Already see some potential issues and have some questions about this JSON format.

-Is order preserved? headers? postdata? query strings?
-What about nameless/valueless params? (http://site.com/foo/php?sorted&grouped)
-Multiple forms in post data?

HAR - Http ARchive File Format

I'd like to change the design of the Internet by introducing regulation--Internet passports, Internet police and international agreement--about following Internet standards. And if some countries don't agree with or don't pay attention to the agreement, just cut them off.

Papers please comrade?

Eugene Kaspersky == Crazy Fuck

But the point is, Crackhead, that you have done me wrong. Now, I get that you love crack. That is totally understandable. I've heard it is really fun, at first, and quite addictive. What I don't understand is,

YOU ARE A CRACKHEAD. WHY DON'T YOU OWN A CRACKPIPE?

I am an engineer. Do you ever see me shaking down bums in the Loin for a calculator and sliderule? No, you don't. Because engineering is the main thing I do, I went and bought myself a calculator.

This is hysterical.

Get the right gear at least!

The EFF is representing Tom against TI their DMCA takedown filed against Memestreams.

The crux of this letter from the EFF to TI was the same point many of us were discussing on Memestreams the very day the DMCA notice was served: The TI signing key that was cracked does not protect access to copyrighted material. This is not the same thing as using DeCSS to decrypt the contents of DVDs on a unauthorized and unlicensed devices. That would be circumventing an encryption method (CSS) used to protect copyright material (the film on the DVD). That *would* be a violation of the DMCA. Just go ask 2600 about that...

But that's not whats happening in this case.

The TI signing key allows software written by anyone to run on TI hardware that someone owns. The TI hardware checks the signature (created by signing key) of any software it tries to run. Now that the signing key has been published anyone can run new, non-TI software on TI hardware they have ownership of.This is not a copyright issue in anyway, shape, or form. The DCMA does not apply. This (among other things) is what the EFF is asserting.

Frankly, that's fairly obvious, cut and dry. Having been on the receiving end of a DMCA threat and the countless other cases where baseless DMCA claims are used to shut smart people up, I'm optimistic that the EFF will prevail.

But that's not what's interesting.

What *is* interesting are the legal issues around private keys. Is a private key a trade secret? A 3rd party, through no illegal act, who independently discovers the a trade secret can utilize or publish that secret. Only we aren't talking about the Coca-Cola formula here. Public and private keys are mathematically linked. You can derive a private key, given a public one. It just can be very very (infinite grains of sands on a beach) hard. Or not. As in the TI case. You can't patent a private key, that kind of makes it public. ;-) So what do we do? Does there need to be some new kind of IP protections beyond traditional ones like patents, trademarks, and trade secrets? Are massive efforts to compute a mathematical value legal? Is it based on what that value protects or unlocks? Is it based on the intent of the people who derive the value? Homebrew software developers vs. Blueray crackers?

While I hope this matter is resolved quickly for Tom's sake, I would like to see some of these other legal issues addressed.

EFF representing Memestreams again DMCA attack from TI

I love seeing HTML comments like <!-- inserted per Pat Aug 13 2008. Don't touch -->

Here is some fun, a Ning ad spammer. Someone popped this website threw this up, most likley due to the web server's IP and upstream connection.

Hint: You can find a ton of compromised web servers by doing goggle searches for odd Cookie names. Found this looking for info on Ning's "xn_visitor" cookie. They turn up in the NEtscape cookie files that Curl creates and Google somehow indexes them.

http://www.nightstarproductions.com/lolmoney/

Fun: Ning Spam Kit

CARLSBAD, Calif., Oct. 7, 2009 — Breach Security, Inc., the leader in web application integrity, security and PCI compliance, today announced it has secured $5 million expansion financing from existing investor Sid R. Bass Associates. Funds will be invested in Breach’s product development and to further market expansion efforts.

WAFs don't die. They just fade away into more rounds of funding.

Breach keeps kicking

Thank god for this Article. I recently got a laptop with Vista. After turning of UAC and a few other tweaks it was usable. However Windows Explorer under Vista is so very very painful, and the "Folder Types" feature absolutely sucked. Now I am free of it, and will not have to harm this bunny rabbit.

Disable Automatic Folder Type Discovery for Templates in Vista