The problem with TiVo is that you never see commercials. So I almost missed that the The Venture Bros. returned for a 3rd season.

If you aren't watching this show you are a fool.

From last night's episode:

Dean: She's the Wereodile!
Dr Venture: I almost f@$&ed a wereodile?
Dean: Don't worry dad [grab chair]... [smacks Dr Quymn] The power of Christ compels you!

and of course:

Henchman 24: Come on! They have one female servicing a large group of males. That implies a species that lays eggs.
Henchman 21: Oh my God, you're crazy! They're so obviously mammals!
Henchman 24: Please! She'd be in estrus 24/7 if she didn't lay eggs.
Henchman 21: Smurfs don't lay eggs! I won't tell you this again! Papa Smurf has a fucking beard! They're mammals!

Venture Bros. Season 3

Start at bottom for maximum effect...

update: patched

_____________________________________________
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:27 PM
To: Wood, Matt (); Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

This is too great. I'm posting this to Memestreams.

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

_____________________________________________
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:27 PM
To: Wood, Matt (); Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Stivo! you crazy! Change-set 27173. 6/21 @ 6:37pm in SimpleUrlCrawler.cs 

I guess the build-box is building with the debug symbols in it?

So the crawl limit is 2.1 billion right now  2^31-1

_____________________________________________
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:19 PM
To: Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Whoops! Here:

private void buildCrawlLimit()
{
crawlLimit = 1500;
#if DEBUG
crawlLimit = int.MaxValue;
#endif
}

Pretty sure the Labs build box is pumping out debug builds...

_____________________________________________
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:19 PM
To: Wood, Matt (); Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

... ... STFU! Are you telling me the limit most people are bitching about doesn’t even exist? Haha, Should we even patch that?

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

_____________________________________________
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:15 PM
To: Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Haha… scrawlr may not have a limit…

I just set a break point in the function that checks it and it never gets called… apparently it got lost somehow…

_____________________________________________
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:10 PM
To: Wood, Matt (); Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Then explain this:
[Screen shot removed]

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

-----Original Message-----
From: Wood, Matt ()
Sent: Thursday, June 26, 2008 5:07 PM
To: Hoffman, Billy; Millar, Steve A
Subject: RE: uhhhh does Scrawlr really have a limit?

Nah, just a lot of parameters. We will only crawl 1500 pages, but we will audit more.

-----Original Message-----
From: Hoffman, Billy
Sent: Thursday, June 26, 2008 5:09 PM
To: Wood, Matt (); Millar, Steve A
Subject: uhhhh does Scrawlr really have a limit?

Guys,

I noticed a Chinese site offer Scrawlr for download. Its classic ASP so I decide to scan it with Scrawlr.

Site is: [Site Removed]

The only thing is, Scrawlr is saying it has visited 3879 pages so far and is still going. Perhaps a bug in our limiting?

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software – Application Security Center
Direct: 770-343-7069

Matasano gives some love, which is nice.

Some of my favorite reads (there are others) have recently written about about Scrawlr and some of what I have read has been critical. Critical enough? Depending on your level of pedantry with respect to webapp security and/or free software, probably not.

Stop that. Right now. Overlook the limitations of the tool that was released, realize that this is a closely targeted thing designed to help alleviate a specific problem. Go back and think a little harder about what is going on and why this is actually A Good Thing(tm).

[snip]

The scanner is built to look for things being indexed by search engines. If those sites are fixed, 99.999% of the problem should go away.

Trying to compare Scrawlr to a full blown SQL Injection scanning tool is like comparing a letter opener to a Swiss Army Knife. Sure, you can do other things with a letter opener (and some of you probably want to slit my throat for that simile. That’s fine, use the knife) —- but its stated purpose is to open letters.

The feedback we've been getting from developers has been "Thanks for the tool, I didn't understand [other tool]/couldn't make it work." Not surprising. These are people 5 years behind the security curve, with only a passing understanding of SQL injection and still believing XSS is all alert boxes and cookie theft. You average classic ASP dev can no more use Burp than my mom can use a methane digester. In both cases the fundamental concept of what the tool does is lost on the end user.

The feedback I've gotten from security folks is "why isn't this WI Lite. I'm sick of paying you guys $30k a year." Well, not exactly, but the subtext is there. :-)

Believe me, I really wish I could talk about the challenges of writing modern web crawlers. The fact I got to do it once was a bit of a fluk and was extremely limited in scope. So if I cannot even talk about it publicly, do you really think I would be allowed to manage a team to write a free one?

Matasano Chargen » And Now For A Few Words About HP’s “Scrawlr”

In response to all the Mass SQL Injection attacks this year, Microsoft approached HP and the Web Security Research Group (formerly SPI Labs) for assistance. While there was nothing they could patch, Microsoft wanted to provide tools to help developers find and fix these issues. After a month of development HP created Scrawlr.

Scrawlr (short for SQL Injector and Crawler) is a free tool that will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr was designed specifically to help protect against these mass injection attack which are using Google queries to find older web applications and automatically injection them. As such, Scrawlr crawls a websites using the same techniques as a search engine: it doesn’t keep state, or submit forms, or execute JavaScript or Flash. This Scrawl is finding and auditing the pages that would have been indexed by the search engines.

To reduce false positives Scrawlr provides proof of the vulnerability results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Microsoft Advisory
HP Web Security Research Group Blog
Scrawlr Download
Scrawlr FAQ

So, last week I was at HP Software Universe. With the Practical Software Quality and Testing conference, the SANs web security summit, HPSU marked my 3rd trip to vegas in 6 weeks and my 5th business trip in 7 weeks. Needless to say after yet another week in Vegas I was absolutely exhausted.

Only then I got word that I needed to take a day trip straight from Vegas to Seattle on Friday to meet with an extra special customer. They were doing an internal security conference and wanted me to speak. So, I mustered up, flew out of Vegas at 8am, spent the day with the customer, got some dinner with them, went to my hotel, crashed, and flew out first thing the next morning. All having been in Seattle for less than 24 hours.

And then the calls and texts began. "Why didn't you call me?" "Billy, where's the love?" "WTF man?"

First of all, damn you guys have crazy spies. I specially didn't tell anyone about my trip so avoid this very thing. Second, to my Seattle Homies, I'm truly sorry I didn't hang out with you all or let you know I was coming. Travel's been kicking my ass and as much as I wanted to go to Queen Sheba and hang at Public N3rd Area, I would have been poor company. I should be back soon and can make it all up to you all, [ducks pillow], serious I promise [throws pillow].

So you all can stop harassing me now :-)

So to celebrate the release of Firefox 3 I bring you your (old news) moment of Zen.

2006? How did I not know about this before? Come on IE8, your Acid2 compliance is getting better but your super model compliance is completely unacceptable. A sweaty Ballmer is as unsexy as a totally broken implementation of the box model...

Of course, a search for "sexy firefox" returned this not safe for work link of topless Firefox anime (never thought I'd string those words together), as the first link no less.

As such, I've decided to deduct another point from the entire country of Japan, making the new score 1 win and 2 losses.

Sexy Firefox

The 17-year-old was the star of Nickelodeon's "Zoey 101," a sitcom about prep school friends, and is the younger sister of pop star Britney Spears. The Spears family announced in December that Jamie Lynn was pregnant. The father is Casey Aldridge, a pipe-layer from Liberty, Mississippi. The couple is not married but announced an engagement several months ago.

A pipe layer? HA! Someone at CNN has a good sense of humor. :-)

Jamie Lynn Spears gives birth to girl - CNN.com

A severed foot -- the sixth in 11 months -- washed up on the shore of a Canadian island on Wednesday, police said.

"You could see the foot that's inside the running shoe," she said. "The leg bones were coming out of the running shoe about 3 to 4 inches. There were no tissues or anything attached."

But she said the foot appeared to have been deliberately severed, as the bones "had been cut clean across."

The foot was the sixth discovered on shorelines in the area since August, according to local police and media reports. Another foot -- a left foot still in a shoe -- was found Monday on the shore of Westham Island, south of Vancouver. Police said it was taken to a coroner for DNA testing.

What on earth is happening in Canada?

Sixth severed foot surfaces off Canadian coast - CNN.com

China denied accusations by two U.S. lawmakers that it hacked into congressional computers, saying Thursday that as a developing country it wasn't capable of sophisticated cybercrime.

[Southpark] So Small [/Southpark]

China denies hacking into US computers - Yahoo! News

CypherGhost wrote:

RE: 9RFmdzLCr9k7b8lfx2psnb9L_500.jpg (JPEG Image, 353x500 pixels)