Curiouser and Curiouser
Acidus
Current Topic: Technology

RE: I like it old-school! - An Explanation
Topic: Technology 9:09 pm EST, Feb 15, 2007

Tsudohnimh wrote:
I clicked a link for hot judicial action and I got 0wn3d. I'd like to thank the academy, my parents for warping me, Tom and Nick for letting me do this, and my hero Acidus.

OK, let me explain what the story is with this. It's possible to embed a link in a MemeStreams page to /recommend. When people who are logged in click on it, it will automatically post a message to their MemeStream, and then redirect them back to the page they were looking at. Ironically, this tends to result in lots of clicking, as it seems like the browser has done something wrong. If Acidus had really wanted to be nasty he could have included a redundant link in the posts he was adding to your pages so that people who read your MemeStreams would also spread the post. It's like a meme worm.

This is actually a problem that Rattle and I anticipated when we first built this website. We used to have protection in place that prevented this. It worked by checking to make sure that when you submitted a post the referer header in your http request came from /recommend and not some other page. Unfortunately, we ran into trouble with this feature. Some Internet privacy software screens referer headers out of http requests, and so people who used such software were unable to post. After struggling through the process of explaining to a few users how to fix this problem we decided to disable the security feature for /recommend until we had time to revisit the problem. The security feature is still present in /delete and /edit, because we decided that a self propagating MemeStreams Meme was only a bit of an annoyance, but if someone wrote a javascript that wiped out your whole blog that would be a serious problem. This explains why a few of you have trouble editing or deleting posts sometimes.

We have a fix for this problem which is unlikely to cause problems for people running Internet privacy software. It's checked into subversion. However, we haven't shipped it yet because it is boiled in with a bunch of other changes to the UI that aren't quite ready for release yet. We decided it might be fun to go ahead and let Acidus propagate one of these Memes as he uncovered this issue a few weeks back and advised us on how to implement a better fix. I'd like to say that we're shipping this weekend, but I don't think it's going to happen. I'm skiing and Rattle is attending Outerz0ne. Acidus is actually giving a talk at Outerz0ne which includes a discussion of this issue, so it's not out of the question that you might see a few more people screwing around with it. Fortunately I don't think you can do anything terribly malicious with this. It's all in good fun.

Hopefully we'll have our update out soon.



Rattle killed it!
Topic: Technology 5:33 pm EST, Feb 15, 2007

Well, it's over. Memestreams now has a cron job running every 2 minutes which deletes the "I like it old-school!" posts that got posted to a user's blog without their permission when they clicked on a link. Welcome to the wonderful world of the XSRF attack.

Originally, the hyperlink that caused a user to make the post was in the SRC of an image. This means simply looking at an HTML page with the image would make a user create a new post. Every time they looked at the page. Once this image attack reached the front page, everyone would be owned, and every time they refreshed the page, they would get owned again. I almost took down my Memestreams dev box with the flood of hits against the database.

Anyway, thanks to Tom and Nick for letting me do this. I found the vuln a few weeks back, and when we roll out the site update in a few days, it will be fixed.
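The two defences described in the two posts above (the original Referer check on /recommend, which fails closed for users whose privacy software strips Referer, and a per-session token that a link or an <img src> on another page cannot supply), as an added Python sketch that is not MemeStreams code; the hostname, session id and server secret are constructed placeholders:

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE = "memestreams.example"             # assumed hostname (placeholder)
SERVER_SECRET = secrets.token_bytes(32)  # constructed per process for this example

def make_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under a server secret.
    A page on another origin (or an <img src> it embeds) cannot read or forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def referer_check(headers: dict) -> bool:
    """The original defence: Referer must come from our own /recommend page.
    Privacy software that strips Referer makes legitimate posts fail as well."""
    ref = headers.get("Referer")
    if not ref:
        return False
    url = urlparse(ref)
    return url.hostname == SITE and url.path == "/recommend"

def token_check(session_id: str, form: dict) -> bool:
    """Token defence: does not depend on Referer at all."""
    return hmac.compare_digest(form.get("csrf_token", ""), make_token(session_id))

def handle_recommend(session_id: str, headers: dict, form: dict, policy: str) -> str:
    """Simulated /recommend handler; the browser has already sent the session cookie."""
    ok = referer_check(headers) if policy == "referer" else token_check(session_id, form)
    return "posted" if ok else "rejected"

SESSION = "sess-abc123"  # constructed session id
# Constructed requests: the site's own form, the same user behind Referer-stripping
# privacy software, and the request a browser makes for an <img src> on another page.
REQUESTS = {
    "own_form":  ({"Referer": f"http://{SITE}/recommend"}, {"csrf_token": make_token(SESSION)}),
    "private":   ({}, {"csrf_token": make_token(SESSION)}),
    "img_embed": ({"Referer": "http://other.example/blog"}, {}),
}

def outcomes(policy: str) -> dict:
    """Result of every constructed request under one policy ('referer' or 'token')."""
    return {name: handle_recommend(SESSION, h, f, policy) for name, (h, f) in REQUESTS.items()}

if __name__ == "__main__":
    for policy in ("referer", "token"):
        print(policy, outcomes(policy))
```

Under the Referer policy the privacy-software user is rejected along with the forged request; under the token policy only the forged request is.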


Social networking goes mobile
Topic: Technology 7:03 am EST, Feb 15, 2007

The technology executives and analysts here in Barcelona this week are trying to figure out how to take all the content found on the Web and migrate it to your mobile device.

The mobile phone network operators like to charge for content. One executive, who didn't want to be quoted, told CNN this creates a "closed garden" of content that is controlled by your mobile operator and is dependent on what deals the operator has with a select group of content providers.

I'm pretty sure this will fail. That was the lesson of AOL. Remember all those ads that said "Go to AOL keyword [blah]?" AOL tried to be both an ISP and a rich content provider. Their product was access to a wide range of content, presumably styled and vetted by AOL for "safeness" and accuracy, all in a single easy to access place. This wasn't a bad deal in the mid 90s, when free websites with quality content supported by advertising didn't really exist in large numbers. And even the few sites that did exist were difficult to find because search engines sucked so much. I distinctly remember having to explain to people in 1996 that AOL was not the Internet.

So what happened? Things matured. Why spend $20 a month and go to AOL keyword "WebMD" when I can spend $10 a month and go to www.webmd.com? Why visit AOL's software library when I have download.com? Even if everyone at AOL was in the business of generating content for AOL, there were still several orders of magnitude more people generating content for the web. Suddenly there were hundreds of gates into the theme park that was the Internet, and nobody wanted to wait in line at the most expensive gate.

What about mobile phone providers? They are just gates onto a data network. They are trying to provide content their users want, and charge for it. However, they can never provide all the types of content their users want. This is a classic Long Tail issue. You are targeting mobile content at kids. But why? What about the millions of housewives? Coupons, sales, what about recipes? Take a picture of a barcode, and a website tells you meal ideas involving that item. There is definitely something there.

This "mobile ISPs providing content" plan will fail as soon as one mobile provider decides to focus on leveraging the content of the entire Internet. If company A provided the fastest possible access to existing content, putting money into caching proxies and into software gateways that automatically reformat HTML to fit a mobile screen, they would win. Mobile providers need to embrace their role as "provider of the tubes" and make their money on charging for packets, not trying to decide what I want those packets to contain.



Wired: 27B Stroke 6- Ajax Security at RSA
Topic: Technology 12:54 pm EST, Feb  8, 2007

The best conference presenters have a story to tell, and this morning, Billy Hoffman, the lead researcher at Web application security company SPI Dynamics, had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.

I like Wired. I like them a lot.



Super Bowl XLI website owned
Topic: Technology 2:45 pm EST, Feb  2, 2007

Websense® Security Labs™ has discovered that the official website of Dolphin Stadium has been compromised with malicious code. The Dolphin Stadium is currently experiencing a large number of visitors, as it is the home of Sunday's Super Bowl XLI. The site is linked from numerous official Super Bowl websites and various Super Bowl-related search terms return links to the site.

A link to a malicious javascript file has been inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit two vulnerabilities: MS06-014 and MS07-004. Both of these exploits attempt to download and execute a malicious file.

Thanks to Jeremiah Grossman for sending me a message today bringing this to my attention.

Declan McCullagh posted some good resources about this. All are plain text and will not harm you.

The original HTML page with the nasty JavaScript
Nasty JavaScript file it loads
VBScript file which gets bootstrapped from one of the HTML files



Wordpress Template.PHP HTML Injection Vulnerability
Topic: Technology 12:44 am EST, Feb  2, 2007

Wordpress is prone to an HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input.

Versions prior to 2.0.6 are vulnerable to this issue.

Beware, all you Memestreams Wordpressians: you have an XSS vuln.



F#@&ing view source!
Topic: Technology 1:25 pm EST, Feb  1, 2007

Why oh why does Firefox send an HTTP request when I click "View Source"? I already have the source! It's being rendered! It's in the cache! Why the hell are you fetching it again?

This is especially nasty when looking at the source for the response to an HTTP POST.

That's it. Firefox is going on my "punch in the face" list.


GNUCITIZEN - JavaScript Remoting Dangers
Topic: Technology 11:49 am EST, Jan 31, 2007

For those unfamiliar, GNUCITIZEN is quite possibly the best site on the internet for web security research that is not affiliated with a vendor. pdp has covered topics such as backdooring Quicktime files, building XSS attack libraries, improving existing port scanners and history stealers, and even a JavaScript web crawler (which is currently receiving a massive improvement...). Much of his work ends up appearing in live attacks a few months after the info is released.

Needless to say I was really happy when pdp asked me to write a blog entry for his site. I wrote up a meaty overview of the different methods JavaScript can use to send HTTP requests, as well as the pros and cons of each.



MT-85
Topic: Technology 11:23 am EST, Jan 31, 2007

The MT-85 is a LoCo manual swipe magstripe encoder-reader that allows financial cards, ID badges, or passbooks to be instantly encoded and issued to customers.

Its compact footprint and rugged design make it an ideal choice for magstripe card, badge, or passbook issuance at financial institutions, schools, businesses, and government environments. An RS-232 interface and simplified command set allow for quick integration with software applications. An LED provides clear status indications to the operator. Available in either Track-2 only, or Track 1, 2, 3 configurations, the MT-85 encodes and read-verifies magnetic data per the ISO 7810 low-coercivity magstripe standards.

These guys give C code driver examples. They ROCK.

This is a good reason to start working on StripeSnoop some more. I haven't touched the project since I graduated from GaTech in spring of 2005, but there is still a fair bit of interest in it. Elliot over at Hack a Day tells me it's one of the best magstripe suites out there and people love it.



Amazon - EC2
Topic: Technology 2:36 pm EST, Jan 29, 2007

The Amazon Elastic Compute Cloud (Amazon EC2) web service provides you with the ability to execute your applications in Amazon's computing environment.

To use Amazon EC2 you simply:

1. Create an Amazon Machine Image (AMI) containing all your software, including your operating system and associated configuration settings, applications, libraries, etc. Think of this as zipping up the contents of your hard drive. We provide all the necessary tools to create and package your AMI.
2. Upload this AMI to the Amazon S3 (Amazon Simple Storage Service) service. This gives us reliable, secure access to your AMI.
3. Register your AMI with Amazon EC2. This allows us to verify that your AMI has been uploaded correctly and to allocate a unique identifier for it.
4. Use this AMI ID and the Amazon EC2 web service APIs to run, monitor, and terminate as many instances of this AMI as required. Currently, we provide command line tools and Java libraries, and you may also directly access our SOAP or Query based APIs.

Think Sun's Grid computing, only cheaper, with virtualized machine images. I've got an immense project needing lots of CPU power and RAM but it should only last a few weeks if I do it right. This might be the ticket.


