Curiouser and Curiouser

Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Writely - Tour the Web Word Processor
Topic: Miscellaneous 2:20 pm EDT, Oct 17, 2005

Writely is a web word processor that provides simple and secure document collaboration and publishing on the web using only the browser.

Neat web application that includes some nice collaboration features.



BetaNews | Cross-Site Scripting Worm Hits MySpace
Topic: Technology 10:59 am EDT, Oct 14, 2005

One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

Basically the worm was XSS embedded in someone’s profile on MySpace. When someone would view the profile, they would execute the JavaScript in their own browser. The payload of the XSS was Ajax which would make GET and POST requests to MySpace, adding the XSS payload to that user’s profile. This spreads the worm!

As with most worms using a new attack vector, this was harmless, adding the message “samy is my hero” to each infected profile along with the XSS payload.

Update: Here is the source code of the XSS Payload. I haven't had time to format it properly. I'll do an analysis of it later and post it to Memestreams.



Acidus, like a woman, changes his mind
Topic: Current Events 1:41 pm EDT, Oct 13, 2005

Dolemite wrote:

Yes, yes, I just put that title up there to bring more attention to the meme. Yes, I'm a shameless whore when it comes to garnering more publicity for the convention.

Acidus wrote to me asking to change the content of his presentation to what you see here. Looks very interesting, so if you want to hear more, come to PhreakNIC!

Oh, and you might also notice that I "fixed" Dementia's code so that we can now reference specific pages.

My brother once described me as "like a ferret in a glitter shop." The thing with conferences is I tend to discover something cool, do the research, write an app, and then submit it to a con. 3 months later, when the con is just around the corner I'm normally excited and working on something new.

It's not that the other top topic wasn't cool. It is and I highly suggest people download my Toorcon talk, The Phuture of Phishing, as it touches on what my original Phreaknic talk was to be on. I just came across something so awesome that I'm sure will get slashdotted and wanted to present it at Phreaknic, who has treated me so nicely these past few years.



O'Reilly: Hacking Maps and addresses with US Census data
Topic: Miscellaneous 11:48 pm EDT, Oct 12, 2005

The Birth of geocoder.us

Strangely enough, the removal of useful features from online map services seemed to occur right before a surge of interest in free sources of geodata among the free and open source software community.

Collecting this data and keeping it up to date with "ground truth squads" who go around and verify that streets are where they are supposed to be and that houses haven't up and run off, is quite expensive.

An alternative to the full expense of this data lies in the U.S. Census Bureau. They have compiled TIGER (Topologically Integrated Geographic Encoding and Referencing system) data. TIGER data is used as part of the normal fulfillment of their duties to do an actual enumeration of the people every 10 years. This data is imperfect, but the regular tasks of census workers are similar to our own needs. They wish to identify the location of a residence based on a street address, just as we do when we geocode.

Again, it is important to stress that TIGER data is imperfect, however "imperfect but free" has its own charm. TIGER data is also used as the basis for the free TIGER Map Server offered by the Census Bureau at http://tiger.census.gov/cgi-bin/mapsurfer.

There is a lot of interesting information about geography and the challenges of capturing complex and inconsistent information to be found in the TIGER documentation. But for simple geocoding, all you really need to know is that the TIGER data endeavors to include information on every street segment in the U.S. For each block, the TIGER data includes the street name, the latitude and longitude at each end of the block, and the range of address numbers for the left and the right side of the street.



Atlantic Station - Grand Opening next week.
Topic: Local Information 10:17 pm EDT, Oct 12, 2005

Atlantic Station, the giant development on 17th St in Atlanta next to the I-75/I-85 connector has its grand opening next week!

I will be able to walk a block to a grocery store and a movie theatre.



First post at work...
Topic: Miscellaneous 11:55 pm EDT, Oct 11, 2005

We got a new bulletin board in the kitchen at work. When I went to get a coke around noon, someone had pinned a sign that said "First Post!!!111." About an hour later there was a sign hanging slightly below and to the right that said "+1 Funny."


Video: NOPD beating up 64-year old
Topic: Current Events 6:43 pm EDT, Oct 10, 2005

A videotape made by the Associated Press Television News crew shows two patrolmen repeatedly punching a man identified as 64-year-old Robert Davis. The tape shows a third officer grabbing and shoving an APTN producer.

The Video CNN has of this is amazing. I don't have speakers at work, for all I know this old guy is cussing up a storm, but he is hardly fighting the police when they start punching him in the back of the head.



Speaking at Shmoocon!
Topic: Technology 4:48 pm EDT, Oct  7, 2005

I got an email approving my CFP to Shmoo! I got to meet all those folks out at Toorcon, and I am very excited about this chance.

Hopefully all the victims of hacker flight afflicting Atlanta right now will all meet up there.

Presentation Title: Covert Crawling: a wolf among lambs
Track Preference: Break it!
---

Web application IDS evasion techniques and countermeasures is a mature area of study. LibWhisker-based apps and Snort have been in a tug-of-war for years. However, the initial reconnaissance of a website or web app has been largely neglected. It's either done by hand (which is tedious) or with a traditional crawler like wget (which is very noisy). An automated crawl appears as an enormous spike in hit count and byte transfer that is well outside the bell-curve for normal users.

This presentation will discuss theories and methods to hide an intelligent automated crawl of a target website or application inside the buzz of normal user activity. Some techniques include:

-Spreading crawl across multiple IPs and time.
-Following paths to links -vs- deep links.
-Throttling crawl based on publicly available traffic stats and IP fragment ids.
-Dynamic creation of fake Google referrers to deep linked pages based on content of that page
-Intelligent selection of proxies based on target country and website type.
-Randomized link selection and overlap
-Filtering of link targets based on popularity.
-Intentional Traffic escalation (Slash-bombing)

This covert crawl will identify a subset of likely vulnerable pages that can later be attacked using IDS evasion techniques. You're attacking fewer pages, and there is no advance warning that an attack is imminent.

Code for a covert crawler implementing these techniques will be released.
---
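
The abstract's observation that a naive crawl shows up as a spike in hit count and byte transfer can be checked from the defender's side. The following is an added example, not the crawler code mentioned in the abstract and not from the author: it totals hits and bytes per client from access-log lines and flags clients far outside the population with a median/MAD score. The log lines, addresses and the 3.5 threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed Common Log Format lines; not from any real server."""
    lines = []
    for i in range(12):                      # twelve ordinary visitors, 3-6 hits each
        for j in range(3 + i % 4):
            lines.append(f'198.51.100.{10 + i} - - [14/Oct/2005:10:{j:02d}:00 -0400] '
                         f'"GET /page{j}.html HTTP/1.0" 200 {4000 + 250 * j}')
    for j in range(400):                     # one client walking the whole site
        lines.append(f'203.0.113.7 - - [14/Oct/2005:10:{j % 60:02d}:00 -0400] '
                     f'"GET /page{j}.html HTTP/1.0" 200 5000')
    return lines

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) (\d+|-)$')

def per_client_totals(lines):
    """Return {ip: [hits, bytes]}; unparseable lines are skipped."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, _status, size = m.groups()
        totals[ip][0] += 1
        totals[ip][1] += 0 if size == '-' else int(size)
    return dict(totals)

def robust_z(value, population):
    """Modified z-score from median and MAD, so the outlier cannot
    inflate the spread it is measured against."""
    med = median(population)
    mad = median(abs(v - med) for v in population)
    if mad == 0:                             # no spread at all: nothing to compare
        return 0.0
    return 0.6745 * (value - med) / mad

def flag_outliers(lines, threshold=3.5):
    """Return {ip: (hits, bytes)} for clients far above the norm on either axis."""
    totals = per_client_totals(lines)
    hits = [t[0] for t in totals.values()]
    sizes = [t[1] for t in totals.values()]
    return {ip: (h, b) for ip, (h, b) in totals.items()
            if robust_z(h, hits) > threshold or robust_z(b, sizes) > threshold}

if __name__ == "__main__":
    for ip, (h, b) in flag_outliers(build_sample_log()).items():
        print(f"{ip}: {h} hits, {b} bytes")
```

This is only the per-client baseline; as the abstract argues, traffic spread over many addresses and hours will not trip it, so a clean result here is weak evidence on its own.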


AIM @ Work: Part 1
Topic: Technology 1:30 pm EDT, Oct  7, 2005

A rant one of my co-workers had this morning.

(11:28:02) ---: no IDS company actually has that poor of a product
(11:28:15) ---: if you can get past that don't be impressed
(11:28:35) ---: it can only find stuff that is directed at itself
(11:28:47) ---: and that's only some of the time
(11:29:10) ---: hearing the word snort depresses me
(11:29:26) ---: it's like yelling Jesus is the lord to muslims
(11:29:37) ---: for folks that actually did IDS work
(11:29:53) ---: [earphones]
(11:29:55) ---: ahhhh


Breaking America's grip on the net
Topic: Current Events 1:55 pm EDT, Oct  6, 2005

Hendon is also adamant: "The really important point is that the EU doesn't want to see this change as bringing new government control over the internet. Governments will only be involved where they need to be and only on issues setting the top-level framework."

Will a new UN sanction be knocking someone off the DNS tree? Or assigning the TLD to whoever the UN feels should control it? I have very very bad feelings about the UN controlling the root servers and acting on "top-level" issues regarding the Internet.


