My Security Planet » Tags » Miscellaneous

Feeds

6078 items (0 unread) in 72 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

198 items tagged "Miscellaneous"

Curiouser and Curiouser

• 

  It's pronouced: shhhgeeee bin fuf right?

  Posted: January 7th, 2009, 4:41pm CST

  Tags:  Miscellaneous   [edit]

  Start at the bottom for maximum effect...

  Unbelievable!

  _____________________________________________
  From: Sima, Caleb
  Sent: Wednesday, January 07, 2009 4:33 PM
  To: Hoffman, Billy; QM Security-Labs
  Subject: RE: 1995 called

  A rush of nostalgia! A PHF in the wild.

  _____________________________________________
  From: Sullo, Christopher
  Sent: Wednesday, January 07, 2009 4:32 PM
  To: Hoffman, Billy; QM Security-Labs
  Subject: RE: 1995 called

  You see 'tproot'?

  _____________________________________________
  From: Hoffman, Billy
  Sent: Wednesday, January 07, 2009 4:30 PM
  To: Hoffman, Billy; Sullo, Christopher; QM Security-Labs
  Subject: 1995 called

  >

  [image of using PHF to dump the code of PHF]

  Now behold the power of PHFF

  _____________________________________________
  From: Hoffman, Billy
  Sent: Wednesday, January 07, 2009 4:28 PM
  To: Sullo, Christopher; QM Security-Labs
  Subject: RE: 1997 called...

  Pretty sure the extra "F" stands for fucked

  Billy Hoffman
  --
  Manager, HP Web Security Research Group
  HP Software – Application Security Center
  Direct: 770-343-7069

  _____________________________________________
  From: Sullo, Christopher
  Sent: Wednesday, January 07, 2009 4:25 PM
  To: Hoffman, Billy; QM Security-Labs
  Subject: RE: 1997 called...

  I didn't even notice 'phff' in the list...

  extra f doesn't seem to stop the exploit from working though... :-)

  http://XXXX/cgi-bin/phff

  _____________________________________________
  From: Hoffman, Billy
  Sent: Wednesday, January 07, 2009 4:18 PM
  To: Sullo, Christopher; QM Security-Labs
  Subject: RE: 1997 called...

  If only 1995 had called and given us the /cgi-bin/phf vuln. Guess we have to stick with finger.

  Billy Hoffman
  --
  Manager, HP Web Security Research Group
  HP Software – Application Security Center
  Direct: 770-343-7069

  _____________________________________________
  From: Sullo, Christopher
  Sent: Wednesday, January 07, 2009 4:16 PM
  To: QM Security-Labs
  Subject: 1997 called...

  Trying to benchmark against small-ish sites… since this one has little content I thought it'd be a good candidate, but it seems to have every ancient and horridly vulnerable script installed

  http://XXXXX/cgi-bin/nph-test-cgi?*

  The list of CGIs from that dir listing request. … those in red have known LFI/exec vulns based on the partial scan I just paused:

  addpass.pl adjuggler.cgi ajconfig allform animation archie begin.gif calendar cards.pl cardsa.pl ccmerchant.pl ccmerchant2.pl ccmerchant2.pl.old ccship.pl counter.pl cybercart.pl date discus donothing english.pl finger formmail.pl formmail.pl.1.92 formmail.pl.old.pre.verio.chris fortune ftpdiag.cgi getorder.pl guestbook.pl imagemap jj last.gif links.pl mail nph-animate nph-error.pl nph-test-cgi phff popconfig.pl popform.pl post-query postlogo.gif printenv query rand_image.pl rand_image2.pl rand_text.pl redirect smpro ssis subscribeme summary.pl test-cgi test-cgi.tcl test-cgii test-env uptime wais.pl wwwboard.pl

  What's funny (sort of) is that I was thinking there may be old/random tests that we could remove from Standard policy to get some performance gain, but this just made me question that line of thinking… clearly not an ecommerce or bank site, but that magazine is available in every grocery store and random place I walk into.

  _________________
  Research Engineer
  HP Web Security Research Group
  804-419-4184

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Family Jewels (Central Intelligence Agency)

  Posted: January 5th, 2009, 1:17am CST

  Tags:  Miscellaneous   [edit]

  On May 9, 1973, Schlesinger signed a directive commanding senior officers to compile a report of current or past CIA actions that may have fallen outside the agency's charter. The resulting report, which was in the form of a 693-page loose-leaf book of memos, was passed on to William Colby when he succeeded Schlesinger as Director of Central Intelligence in late 1973.

  hmmm, that sounds cool.

  The reports describe numerous activities conducted by the CIA during the 1950s to 1970s that violated its charter. According to a briefing provided by CIA Director William Colby to the Justice Department on December 31, 1974, these included 18 issues which were of legal concern:

  And then, like a surprise chocolate center, amongst admissions of assassination attempts, overthrowing governments, and giving unsuspecting people LSD, we have this gem:

  18: Testing of electronic equipment on U.S. telephone circuits.

  Nice to know that even the CIA goes boxing. ;-)

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Ha!

  Posted: January 2nd, 2009, 10:53pm CST

  Tags:  Miscellaneous   [edit]

  Digital never quite knew what to do with its software prodigy; it spun out AltaVista as a subsidiary, then pulled it back in. Acquired by Compaq when Compaq acquired Digital, AltaVista still languished in a company that didn't know what to do with a software asset.

  haha! I think the next fish down that chain is just as clueless ;-)

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Penny Arcade! - Once More Unto The Breach

  Posted: December 22nd, 2008, 11:10pm CST

  Tags:  Miscellaneous   [edit]

  World War Z (BTW) is a little slice of excellence that you are not reading it you are not living a full and healthy life.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Parsing Delimiters

  Posted: December 22nd, 2008, 10:52pm CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  ARRRRRRRRRRRR! [Rages at specific website] Its supposed to be commas damn it! Then for some reason people get IIS to spit out semicolons. But how in gods name did you get it to use a semicolon to delimit between #1 and #2 but a comma between #2 and #3.

  The web is a dirty dirty place (and I'm not talking about YouPorn). "Whats that sweetness? A vengeful rain will come and wash the streets clean?" I sure hope so.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  VACATION!

  Posted: December 19th, 2008, 3:11pm CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  Hurray! No more work until Jan 5th!

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  MFSA 2008-45: Uninitialized memory reading

  Posted: December 19th, 2008, 11:44am CST

  Tags:  Miscellaneous   [edit]

  I think this might be my first CVE.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Jeremy Piven: Mercury poisoning, possible from excessive sushi

  Posted: December 19th, 2008, 9:01am CST

  Tags:  Miscellaneous   [edit]

  Dr. Colker said that an initial battery of tests on Mr. Piven had shown normal results. But after Mr. Piven said he was a frequent sushi eater who consumed fish about twice a day, and that he used herbal remedies, Dr. Colker tested him for heavy metals.

  Dr. Colker said that these tests revealed “a very, very elevated level of mercury” in Mr. Piven’s blood, adding that it was five to six times the upper limit that is typically measured. Left untreated, Dr. Colker said, the condition could result in heart problems, cognitive problems, renal failure and, in very extreme cases, death. He said that he told Mr. Piven he could continue in the show, but only with extreme caution.

  ... ahhhh damn.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  The year of risks in review

  Posted: December 19th, 2008, 8:47am CST

  Tags:  Miscellaneous   [edit]

  So with the Great Depression II: Greater and Furiouser™ approaching, this was a year of massive risk-taking. At every turn, we used chaos as an opportunity to take the nest egg and gamble it--but only after leveraging that nest egg with complicated derivatives that would famously come back to bore the crap out of us.

  How crazy did we get? Our presidential election came down to a woman and a black guy, as if the presidency were no more important than those last two Supreme Court seats at the end of the bench. The Republicans picked their Vice President using the same criterion as guys in an Alaskan bar: by going for the only chick there. Sarah Palin got a $150,000 makeover when it was obvious to everyone outside the party that John McCain needed it more. As the year went on, people got even more entranced by risk, placing their roulette bets on green. Barack Obama picked Hillary Clinton as his Secretary of State. Heidi married Spencer. Coors got rid of Zima.

  When Obama faced the Rev. Jeremiah Wright scandal, instead of denying or attacking, he led a serious discussion about race--something that has never worked after the first semester of sophomore year. Mitt Romney made a similarly brave gambit when posing with some black children on Martin Luther King Jr. Day and opening the dialogue by saying, "Who let the dogs out? Who! Who!" The nation's fastest-rising politician, Joe the Plumber, got his start with the gutsy decision to ask for a tax break that he didn't remotely qualify for. Even crazier, opponents of gay marriage in California bought ads claiming kids would be taught gayness in schools, when everyone knows kids don't get taught anything in California schools.

  Governor Rod Blagojevich, already under suspicion for looking and dressing like a Serbian warlord, publicly dared people to wiretap him, insisting all they'd hear him discussing was what the Cubs should do in the off-season. Baseball things like taking government money in return for firing Chicago Tribune writers who hate him. When what the Cubs really need is a starting pitcher.

  Danger-seeking was so popular that somehow pirates came back. Someone gave Don Imus a radio job. When investment banks crumbled, we decided to hand over $700 billion to Henry Paulson, who used to run an investment bank. It was the kind of year when a famous football player could think, Sure, I've drunk a lot and have a loaded gun in my pants, but the music in this club makes me want to put my hands in my pockets and dance!

  Never before had non-French, non-soap-opera-character wife cheaters been so bold. After learning about the intricacies of prostitution rings by busting them, Eliot Spitzer sought out a girlfriend experience with a prostitute who is an aspiring singer with a MySpace account. He would have been more discreet making love to a screen live on CNN, as John King did. The mayor of Detroit communicated with his mistress by text-messaging, a form of communication so obviously insecure that the President is not allowed to do it and teenagers are.

  Other countries seemed just as insane. The President of Georgia dared the Russians to attack, which always results in invasion unless there is someone else at the exact same moment daring Russians to drink. And Canadians held countrywide protests demanding a new election--even though they'd just had one. When Canadians start acting crazy, America should fit itself for a giant straitjacket.

  Who wasn't taking risks? The banks. When the government gave them money to get them lending again, they pretended that they would hand it out as per the agreed-upon rules, and when no one was looking, they smartly held on to all of it, which we all know is the only real way to win Monopoly.

  The other person suddenly not taking risks is Obama. He hired old, experienced staffers--one of whom is so old, he was, impossibly, the Fed chairman before Alan Greenspan. It is possible that he's vetting people from Lincoln's Cabinet. Obama's economic scheme isn't to buy up vast amounts of mortgage-backed securities but to fix old roads and bridges. This is a guy who not only understood how to roll the dice in 2008 but might also have a good idea what we're going to be like for the next few years. We're probably all out of risks for a while.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [3] - Reply - Recommend
• 

  Creating pseudo 3D games with HTML 5 canvas and raycasting

  Posted: December 17th, 2008, 9:55am CST

  Tags:  Miscellaneous   [edit]

  With the increase in browser performance in recent times it has become easier to implement games in JavaScript beyond simple games like Tic-Tac-Toe. We no longer need to use Flash to do cool effects and, with the advent of the HTML5 Canvas element, creating snazzy looking web games and dynamic graphics is easier than ever before. One game, or game engine, I wanted to implement for some time was a psuedo-3D engine such as the one used in the old Wolfenstein 3D game by iD Software. I went through two different approaches, first attempting to create a "regular" 3D engine using Canvas and later going for a raycasting approach using straight DOM techniques.

  Very very sexy. Seems better than Canvascape. I think this is cooler than Wolf4K (Wolfenstein in 4K of JavaScript),

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Its not a 'Search.' Its just a search.

  Posted: December 15th, 2008, 10:12am CST

  Tags:  Miscellaneous   [edit]

  For some reason, the government did not appear to make the argument invited by the Supreme Court by its rulings in the FedEx and dog-sniff cases. The government could have argued that -- if the EnCase scan for a particular MD5 hash matches -- that the search is constitutionally permissible without a warrant because it revealed nothing except the existence of contraband. And, because there is no reasonable expectation of privacy in contraband, the government might argue, a search which only reveals the existence of contraband invades no legitimate privacy right.

  In the Crist case, however, the court never addressed that critical issue, because it never had to. The government merely argued that an automated search was no search at all.

  This unanswered question -- whether a scan of hash values looking for contraband is a permissible search -- is really the rub.

  If the government may conduct warrantless searches as long as they only reveal the presence of contraband, then they could lawfully put automated sniffers on any computer, searching for the presence of files for which the MD5 hash matched that of contraband. While the software categorizing the files might be considered to be conducting a search -- and I think it is -- the contents of this search are not revealed unless the program believes it is contraband.

  ... ... How did I not see this earlier? Pretty sure this is the same guy writing about how data stored "in the cloud" can be legally searched without a warrant because you have involved a 3rd party who can consent to the search.

  And don't think about kiddie porn. Think about the MPAA.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [3] - Reply - Recommend
• 

  The 2009 Bailout Car Ad

  Posted: December 15th, 2008, 10:04am CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  You won't buy our shitty cars.
  So we'll be taking your money anyway.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  President Bush at Summercon

  Posted: December 15th, 2008, 9:22am CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  Billy: [slurred] If I'm not making any sense ya'll just throw a shoe at me or something...

  [WHUMP!] (as shoe hits projector screen)

  Billy: ... Well ok then... [continues drunken hacker con preso]

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [7] - Reply - Recommend
• 

  Content Handling Mechanisms

  Posted: December 11th, 2008, 10:17am CST

  Tags:  Miscellaneous   [edit]

  Content handling mechanisms

  The task of detecting and handling various file types and encoding schemes is one of the most hairy and broken mechanisms in modern web browsers. This situation stems from the fact that for a longer while, virtually all browser vendors were trying to both ensure backward compatibility with HTTP/0.9 servers (the protocol included absolutely no metadata describing any of the content returned to clients), and compensate for incorrectly configured HTTP/1.x servers that would return HTML documents with nonsensical Content-Type values, or unspecified character sets. In fact, having as many content detection hacks as possible would be perceived as a competitive advantage: the user would not care whose fault it was, if example.com rendered correctly in Internet Explorer, but not open in Netscape browser - Internet Explorer would be the winner.

  As a result, each browser accumulated a unique and very poorly documented set of obscure content sniffing quirks that - because of no pressure on site owners to correct the underlying configuration errors - are now required to keep compatibility with existing content, or at least appear to be risky to remove or tamper with.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  "The Ratio" THE GTGs, Georgia Tech's gtg491y & gtg562h

  Posted: December 8th, 2008, 4:43pm CST

  Tags:  Miscellaneous   [edit]

  There's only one girl. Hope we get to meet the other one soon

  [sigh]. So so true.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Google Trends: inflation, deflation, and "OH SHIT!"

  Posted: December 3rd, 2008, 4:26pm CST

  Tags:  Miscellaneous   [edit]

  Decius wrote:
  The news references chart is particularly useful.

  You get a much funnier graph when you trend "deflation" and "no shit"! Direct correlation baby!

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [3] - Reply - Recommend
• 

  CloudSQL?

  Posted: December 3rd, 2008, 9:27am CST

  Tags:  Miscellaneous   [edit]

  On Tuesday, software-as-a-service company Zoho announced CloudSQL: a new, cloud-friendly middleware layer giving cloud applications access to its SaaS reporting and database software, Zoho Reports. Though still in its early stages of development, CloudSQL will bridge the gap between software-as-a-service, cloud computing, and on-premises software by allowing cloud developers to access data on Zoho's servers through web services, and on-premises developers to access it using SQL as if it were a conventional database.

  Latency?

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [4] - Reply - Recommend
• 

  Oddness

  Posted: December 2nd, 2008, 8:43pm CST

  Tags:  Miscellaneous   [edit]

  Do an HTTP GET on http://www.ad-tech.com:80/ny/ and you get a 200
  Do an HTTP HEAD and you get a socket close. Odd.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Are you fucking kidding me?

  Posted: December 2nd, 2008, 7:42pm CST

  Tags:  Miscellaneous   [edit]

  On Monday, in response to a question about vuln disclosure, I had someone in Switzerland tell me "Why are you wanting to help other companies find and fix bugs or vulnerabilities in their products. That's not our business"

  Today I had someone in the UK tell me that, despite making an international detour to visit 3 countries on his behalf, his group would not be paying for the travel. After I've already made the trip.

  Are. You. Fucking. Kidding. Me? Its only Tuesday and I've already got 2 reasons to pull one of these...

  [breath breath breath, go to your happy place]

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Douglas Crockford - Ajax Security

  Posted: December 2nd, 2008, 3:41pm CST

  Tags:  Miscellaneous   [edit]

  A mashup is a self inflicted XSS attack

  I love this quote.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Behavioral screening -- the future of airport security? - CNN.com

  Posted: December 2nd, 2008, 11:42am CST

  Tags:  Miscellaneous   [edit]

  "The archaic system of an X-ray machine and metal detector cannot pick up other potential threats posed by passengers," Baum says. "I can have a ceramic weapon or chemical weapons and walk through an archway metal detector and it won't be picked up. Yet we have huge faith in these metal detectors that can only pick up one substance."

  Metal detectors are blacklists, but I'm nto sure if things like Layer Voice Analysis can be called whitelists. We need a whitelist device for airport security.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Rise and Fall, Rage and Grace

  Posted: November 30th, 2008, 4:05pm CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  Offspring has a new album and it is excellent. Easily their best since American in 1998. You can buy the album in MP3 format at Amazon.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Kingpin on Prototype This

  Posted: November 30th, 2008, 11:35am CST

  Tags:  Miscellaneous   [edit]

  Lord Tivo (peace be unto him), decided that I should watch Prototype This. And when I saw (much to my surprise) Joe Grand in opening sequence I knew the show would rock. I especially loved the "Feds (heart) L0pht) t-shirt!

  When are we going to see Bunnie on a episode I wonder?

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Nobody ever pulls the seams round here.

  Posted: November 26th, 2008, 3:12pm CST

  Tags:  Miscellaneous   [edit]

  Nobody ever pulls the seams round here,
  but I don't really mind and it's starting to get to me

  When did I join an organization surrounded by yes-men and full of people who plan and plan and plan never executing while the house burns down around them? When did I become unable to affect change? Why have I sat and accepted that for so long?

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Vodka in a stapler

  Posted: November 26th, 2008, 9:19am CST

  Tags:  Miscellaneous   [edit]

  My work vodka is sitting on the shelf next to the computer books.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Chris Shiflett, 2600, and 7 DAMN years

  Posted: November 24th, 2008, 11:54pm CST

  Tags:  Miscellaneous   [edit]

  I was digging through a boxes of books that I had not unpacked since the move to the new house and discovered a cache of old 2600 magazines. One of the first ones I saw was 2600 Vol 18 Issue 3 from Fall 2001.

  Here unedited, was my thought process:

  -wow, that guy looks familiar
  -wait, isn't that Dimitri? that crypo guy?
  -wait, didn't I write an article for this issue? [opens 2600]
  -yep, "Deconstructing a Fortres" the first article [reads alittle]
  -man I remember this. I hacked Tech's library systems so I could play Quake while skipping Calc in Skiles. That was awesome!
  -wait, didn't I end up in the square root club that semester?
  -[sigh]... damn georgia tech ... ... damn attention span
  -wow this article reads like I talk: fast and frantic and overly verbose
  -HA! awesome, implementing 16bit integers in TI-Basic
  -Hmm, I wonder what happened to Amatus? [google]
  -holy shit! haha, That right, now I remeber, that's how I met Lucky!
  -damn, this article is pretty long
  -sweet. the next article is about hacking Microsoft's passport.
  -Man, in 2001 I was all hardware. Did I even know what an HTTP cookie was?
  -wait, who wrote this. Holy shit, Chris Shiflett!
  -k2labs? does that even still exist? [googles]
  -wow, a those turkish translations?
  -... ... ... oh crap. this is from 2001. That was over 7 years ago.
  -... ... fuck, I'm getting old.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Zivity and other start-ups lay off workers to ride out economic storm

  Posted: November 24th, 2008, 3:00pm CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  The sexy San Francisco Internet start-up has always been an attention-getter. It was formed by serial entrepreneur Scott Banister (also a prolific investor who has backed the likes of Facebook, Hi5 and Powerset and sits on the board of Slide) and wife Cyan. It features tasteful photos that are billed as promoting female beauty and artistic expression (think women, including Cyan, in various stages of undress).

  Unlike many in the current Internet boom, this site has no advertising. For $10 a month, members can view and vote on the photos. Each vote delivers cash to models and photographers (60 cents for models, 20 cents for photographers). Casting votes also allows members to get updates from the artists. Members get five votes with their monthly subscription and frequently buy more to act as patrons of the arts, Cyan said. The Banisters like to say that it's a cross between Playboy and "American Idol." There are ground rules: No naked men, no sex acts, no extreme close-ups. Models must prove they are over 18.

  PearlSome of Zivity's top models (such as Pearl, pictured at right) have become big hits on the high-tech party circuit, as the Crunchies, TechCrunch's annual awards, show. But now it's Zivity that is taking a hit, joining the ranks of start-ups downsizing to make the money they raised from now skittish venture capitalists last longer.

  It was a difficult but necessary decision, say the Banisters, who are seasoned technology professionals. They have experienced the industry's ups and downs before.

  Scott dropped out of the University of Illinois at Urbana-Champaign to start a Web advertising company that he later sold to Microsoft. He co-founded spam-blocking company IronPort, which Cisco Systems bought last year for $830 million. That's where he met Cyan, who managed IronPort's blacklist of spammers. Together they came up with the idea for Zivity, which they launched in February 2007. They raised $8 million in two funding rounds from investors such as BlueRun Ventures and Founders Fund.

  But, with the slowdown in consumer spending and with venture capitalists zipping up their wallets, the Banisters took a realistic look at their start-up's finances. The Banisters wanted to make sure they had enough cash to remain in business as they prepare to open up to the public early next year and broaden into a place for artists of all kinds to strut their stuff. So they made the tough decision to cut eight out of 22 employees.

  "We did an internal budgeting exercise to stretch our cash into 2011 and presented it to the board," Cyan said. "They were very pleased that we were proactive."

  Well that sucks, but at least Cyan is thinking ahead, per Sequoia's RIP preso about cost cutting.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Memo from Work

  Posted: November 24th, 2008, 11:11am CST

  Tags:  Miscellaneous   [edit]

  Ran across an old document today at work. When SPI was purchased by HP a little over a year ago my boss had me compose a memo about why we needed completely unfiltered internet access. HP IT doesn't like us very much...

  Any content filter system, URL blacklist, application gatwways, internally facing Firewalls, or internally facing IDS/IPS systems that prevent access to any of the resources described below would have a severely adverse impact on SPI Dynamics’ ability to test our products and collect knowledge about current and emerging web security trends and techniques.
  ---

  SPI spends time each day reading variety of websites across the globe which may or may not be hosted in domains other than .com, .net, or .org to keep up with the latest security research and techniques. Some of these resources include: major IT news sites, major security sites, industry blogs, and mailing lists archives (by visiting the archives we don’t have to use an email address to subscribe)

  Malicious attackers are often farther ahead than traditional security researchers. As a result SPI researchers visit various resources attacker discuss their methods. These sites often advocate criminal activity and openly discuss live attacks or specific vulnerabilities in websites or products. Example websites include [REDACTED] and many, many others. From time to time we visit IRC webserver around the Internet. chatrooms to learn the latest security details.

  Websites that discuss, advertise or traffic in illegal or illicit materials often contain very sophisticated and non-standard interfaces that use JavaScript, VBScript, Flash and other technologies in unique combinations to try and track what users are doing and protect access to their materials. SPI visits these sites for 2 reasons: They are excellent stress tests of our parsers for JavaScript, Flash, etc and they also provide insight into how people are trying to use web technologies maliciously. Example illegal or illicit materials include pornography, 0day vulnerability information, root kits, and phishing kits.

  SPI routinely visits phishing websites (including legitimate websites that have been compromised) to assess what types of information an attacker is collecting and how the server was compromised.

  When interacting with different customers or acquiring new security tools SPI will content various non-web destinations on the Internet. Examples include FTP servers, SSH servers, Subversion of CVS source code repository server, and various web servers (SSL encrypted or not) running on none standard ports numbers.

  The (legitimate) web security research community is fairly small. SPI routinely uses instant messaging services to communicate with our peers in other companies and in academia. IM allows us to respond to breaking treats (such as the web worms like Samy and Yamanner) more rapidly than email. Many in our profession prefer to use encrypted channels for instant messaging so the conversations cannot be logged by inline devices.

  SPI has various test websites set up external of the company (such as atlantahacker.com) which we use for demonstrative purposes when access to internal SPI test sites is not practical or impossible. SPI will scan these sites from inside SPI from time to time as well as we develop them. As a result SPI is sending attack traffic out into the Internet.

  SPI performs large search engine queries and visits a sampling or sites to understand the scope of vulnerability and the number of affected platforms. These so-called Google Hacks can sometime set off intrusion detection systems that are monitoring SPI’s outbound traffic.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Art collecting and yelling

  Posted: November 23rd, 2008, 7:56pm CST

  Tags:  Miscellaneous   [edit]

  "From the world of art collecting and yelling..."
  John McEnroe: "Why isn't there any good art in here?"

  I. Love. 30rock.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Some thoughts on security after ten years of qmail 1.0

  Posted: November 23rd, 2008, 9:43am CST

  Tags:  Miscellaneous   [edit]

  The qmail software package is a widely used Internet-mail
  transfer agent that has been covered by a security guarantee
  since 1997. In this paper, the qmail author reviews the history and security-relevant architecture of qmail; articulates
  partitioning standards that qmail fails to meet; analyzes the
  engineering that has allowed qmail to survive this failure;
  and draws various conclusions regarding the future of secure
  programming.

  Is security too sexy to leave?

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Virgil Griffith, Internet Man of Mystery

  Posted: November 21st, 2008, 11:32am CST

  Tags:  Miscellaneous   [edit]

  Girls hang on Virgil Griffith. This is no exaggeration. At parties, they cling to the arms of the 25-year-old hacker whose reason for being, he says, is to “make the Internet a better and more interesting place.” The founder of a data-mining tool called WikiScanner, Griffith is also a visiting researcher at the mysterious Santa Fe Institute, where “complex systems” are studied. He was once charged, wide-eyed rumor has it, with sedition. No wonder girls whisper secrets in his ear and laugh merrily at his arcane jokes. null

  Virgil is, without a doubt, a hacker rock star.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [5] - Reply - Recommend
• 

  An-arrgh-chy: The Law and Economics of Pirate Organization

  Posted: November 19th, 2008, 3:37pm CST

  Tags:  Miscellaneous   [edit]

  This article investigates the internal governance institutions of violent
  criminal enterprise by examining the law, economics, and organization
  of pirates. To effectively organize their banditry, pirates required
  mechanisms to prevent internal predation, minimize crew conflict,
  and maximize piratical profit. Pirates devised two institutions for this
  purpose. First, I analyze the system of piratical checks and balances
  crews used to constrain captain predation. Second, I examine how
  pirates used democratic constitutions to minimize conflict and create
  piratical law and order. Pirate governance created sufficient order and
  cooperation to make pirates one of the most sophisticated and successful
  criminal organizations in history.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Coding Horror: Please Give Us Your Email Password

  Posted: November 18th, 2008, 9:36am CST

  Tags:  Miscellaneous   [edit]

  Number one with a bullet: your email account is a de-facto master password for your online identity. Most -- if not all -- of your online accounts are secured through your email. Remember all those "forgot password" and "forgot account" links? Guess where they ultimately resolve to? If someone controls your email account, they have nearly unlimited access to every online identity you own across every website you visit.

  If the Sarah Palin email hack taught us anything...

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  WEB APPLICATION AUDITING BASED ON SUB-APPLICATION IDENTIFICATION

  Posted: November 17th, 2008, 1:30pm CST

  Tags:  Miscellaneous   [edit]

  Abstract:

  A web application is more efficiently analyzed by identifying the sub-applications used to generate the various web pages available at the web application and then limiting the vulnerability assessment to just a subset of the web pages generated by each sub-application. The sub-applications can be identified by detecting similarity between the web pages, based on the user interface presentation, the inputs required or allowed, or both. For the user interface presentation, the markup language used to generate the user interface is reduced to common markup language elements by removing content, attribute values and white space and then determining the edit distances between the various pages. Small edit distance values indicate similarity and thus, likely generated by a common sub-application.

  Inventors: Sima; Caleb; (Woodstock, GA) ; Hoffman; William M.; (Atlanta, GA)

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Confidential Document Fight Club

  Posted: November 17th, 2008, 9:08am CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  The first rule of Confidential Document Fight Club is you cannot acknowledge the existence of Confidential Document Fight Club.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Syscan - Next Generation .NET Vulnerabilities.pdf

  Posted: November 14th, 2008, 10:21am CST

  Tags:  Miscellaneous   [edit]

  Pretty cool analysis. The "ASP.NET's ValidateRequest stops XSS so its up to the dev to mess it up" is incorrect. Ignore esoteric attacks like double/triple encodings, etc. Lets do something basic.

  " onmouseover="alert('xss')

  ValidateRequest does not stop attribute injection attacks.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Leather + Kilz = mess

  Posted: November 9th, 2008, 3:35pm CST

  Tags:  Miscellaneous   [edit]

  [ Image Link ]

  Today I ended up getting Kilz primer on my leather office chair. And I didn't notice the white paint on black leather for a few hours. Needless to say I thought I had ruined it.

  Then, I came across some advice on the Internet. Unlike most advice or opinions on the Internet this was not anatomically impossible! Simply use olive oil and paper towels. Surely this couldn't work! But the next step was astringent and shoe polish so I took a swing.

  Sure enough with a little bit of elbow grease the olive oil took the Kilz primer right off the leather leaving everything else in tact. Freaking amazing! Thank you Internet. You bring me pr0n, SQL injections, and household cleaning advice! Oh yeah!

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  System.Drawing.Imaging.Bitmap bug?

  Posted: November 4th, 2008, 5:20pm CST

  Tags:  Miscellaneous   [edit]

  This is interesting. wget this file: http://assets1.twitter.com/images/blank.gif

  Image image = Bitmap.FromFile(@"C:blank.gif");
  

  Gives you an out of memory exception. Hexing the file shows a valid GIF header to me... this is weird.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  YouTube - Sarah Palin Prank Call ( with transcript )

  Posted: November 4th, 2008, 3:00pm CST

  Tags:  Miscellaneous   [edit]

  6 minutes. They talked to her for 6 whole minutes!

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Election Night Drinking game

  Posted: November 4th, 2008, 12:33pm CST

  Tags:  Miscellaneous   [edit]

  I propose a election night drinking game:

  When a state goes red, you have to drink Pabst Blue Ribbon and eat a corn dog.

  When a state goes blue, you have to drink white wine and eat an arugula salad.

  When you see Larry King, you pull out a crucifix and scream "The power of Christ compels you!"

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  Researcher: ARM a safer bet than x86 chips

  Posted: November 3rd, 2008, 9:03am CST

  Tags:  Miscellaneous   [edit]

  If Dai Zovi seriously contends that the x86 architecture is a significant, unaddressable security risk to the smartphone industry, he's needs to release more details to show it.

  Pretty good spanking by Ars. Hypothesizing that cell phones might be more insecure if they switch to a more well known chip design is most definitely not newsworthy. Perhaps there is something more here he cannot talk about but on the face of it this seems like of silly to announce.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Researcher: ARM a safer bet than x86 chips

  Posted: November 3rd, 2008, 9:03am CST

  Tags:  Miscellaneous   [edit]

  If Dai Zovi seriously contends that the x86 architecture is a significant, unaddressable security risk to the smartphone industry, he's needs to release more details to show it.

  Pretty good spanking by Ars. Hypothesizing that cell phones might be more insecure if they switch to a more well known chip design is most definitely not newsworthy. Perhaps there is something more here he cannot talk about but on the face of it this seems like of silly to announce.

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Chrome beta update fixes Porn problem

  Posted: November 3rd, 2008, 8:53am CST

  Tags:  Miscellaneous   [edit]

  In addition to fixing security bugs, the developers also worked on improving the performance and reliability of plugins, such as those used to view PDFs, Flash, and other rich media. With previous versions, some users experienced problems where the browser would stall or consume 100 percent of the CPU while playing streaming Flash video.

  Why am I unsurprised that the first bug fix release addresses issues with the Flash plugin and stream flash media. Especially when Chrome has a build in "porn mode" where no cookies or search history are saved...

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [2] - Reply - Recommend
• 

  Chrome beta update fixes Porn problem

  Posted: November 3rd, 2008, 8:53am CST

  Tags:  Miscellaneous   [edit]

  In addition to fixing security bugs, the developers also worked on improving the performance and reliability of plugins, such as those used to view PDFs, Flash, and other rich media. With previous versions, some users experienced problems where the browser would stall or consume 100 percent of the CPU while playing streaming Flash video.

  Why am I unsurprised that the first bug fix release addresses issues with the Flash plugin and stream flash media. Especially when Chrome has a build in "porn mode" where no cookies or search history are saved...

  
  
  --
  Link (Direct) - Link (Reputation Tracking) - Discuss [1] - Reply - Recommend
• 

  V I G E L A N D - The Vigeland Park

  Posted: November 1st, 2008, 1:40pm CDT

  Tags:  Miscellaneous   [edit]