Folks,

I'm speaking at Toorcon and have a free ticket if anyone wants it.

September 17th and 18th in sunny San Diego.

This movie came out on TNT in Sept. In it, a Tropical Storm hits New Orleans, destroying off shore oil rigs and damaging major pipelines.

Oil Storm

President Bartlet: This kid is in highschool and he doesn't know that I can't parden a turkey?

CJ Craig: I'm betting on it sir.

President Bartlet: Where was this kid when I tried to pass my education bill?

Cisco's theory, then, was that by decompiling the source code to find the vulnerability, Lynn (and presumably his employer, ISS) violated the terms of the EULA - a contract. This contract violation then meant that the license to acquire or use the software was violated, and Lynn was using a copyrighted work (the software) without the consent of the copyright holder - thus a copyright violation - which gets Cisco into federal court rather than state court. When Lynn and Black Hat sought to publish the bits of source code in the presentation, they were alleged to be distributing the code in violation of the EULA and copyright law, and also violating Cisco's right to protect its trade secrets. Finally, Lynn was alleged to have violated the terms of his ISS non-disclosure agreement by disclosing information at the conference that he learned "in secret" from ISS under the NDA - presumably information that ISS obtained by unlawful reverse engineering!

The Register has a good piece on the legality of disassembling code and the reach of End User License Agreements (EULA). The cite Mike's case heavily.

Very nice (even though they keep saying "decompiling the source code." If you have the source code, you wouldn't need to decompile it!).

Legal disassembly

There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.

Very good site showing how SQL Injetcion works, and shows how people discover tuple and table names from a website. Much better than SPI's whitepaper by far.

SQL Injection Attacks

Traditional copyright protections (such as infringement lawsuits) are suitable only in specific cases and are impractical on a mass scale. They would be entirely useless against the millions of people who might buy DVDs and copy them for their friends and relatives. Therefore, much of the consumer-electronics equipment available today incorporates copy-protection mechanisms. Different types of devices use different kinds of copy protection. Most techniques stem from cooperation between content providers and equipment manufacturers. For DVI, such a cooperative effort has produced a mechanism called HDCP (high-bandwidth digital-content protection), a two-part cryptographic method to control video delivery.

Bookmark for me. Nice overview of HDCP. Basically, a secure pipe to transmit content between a device and an output (ie computer to monitor, DVD to TV, etc). To protect against piracy.

HDCP: what it is and how to use it - 4/18/2002 - EDN - CA209091

If lots of people delete their cookies and NAT/other technologies pissed all other the single machine=single IP concept, then how do you reliably know the number of different people visiting a website?

Excellent work!

Their solution is to do away with a single method and use a hierarchy of steps to determine if we have a unique visitor.

Before I detail the steps, it’s time to take the paradigm shift. Here it is:

We have been assuming that we can use a single method to identify unique individuals. We have been looking for yes-no answers and absolute numbers. We have done all the analysis within the framework of a single software system. We can’t do this any more. No single test is perfectly reliable, so we have to apply multiple tests. Some of those tests yield yes-no answers, and some of them yield probabilities, so the count of unique visitors will be a probabilistic estimate. Some of the tests depend on knowledge of IP topology, so we can’t restrict our analysis to a confined block of data analyzed by an isolated system.

In a nut-shell: To determine a web metric we should apply multiple tests, not just count one thing.

The Magdalena and Thomas methodology

Each of these steps is applied in order:

1. If the same cookie is present on multiple visits, it’s the same person.
2. We next sort our visits by cookie ID and look at the cookie life spans. Different cookies that overlap in time are different users. In other words, one person can’t have two cookies at the same time.
3. This leaves us with sets of cookie IDs that could belong to the same person because they occur at different times, so we now look at IP addresses.
4. We know some IP addresses cannot be shared by one person. These are the ones that would require a person to move faster than possible. If we have one IP address in New York, then one in Tokyo 60 minutes later, we know it can’t be the same person because you can’t get from New York to Tokyo in one hour.
5. This leaves us with those IP addresses that can’t be eliminated on the basis of geography. We now switch emphasis. Instead of looking for proof of difference, we now look for combinations which indicate it’s the same person. These are IP addresses we know to be owned by the same ISP or company.
6. We can refine this test by going back over the IP address/Cookie combination. We can look at all the IP addresses that a cookie had. Do we see one of those addresses used on a new cookie? Do both cookies have the same User Agent? If we get the same pool of IP addresses showing up on multiple cookies over time, with the same User Agent, this probably indicates the same person.
7. You can also throw Flash Shared Objects (FSO) into the mix. FSOs can’t replace cookies, but if someone does support FSO you can use FSOs to record cookie IDs. This way Flash can report to the system all the cookies a machine has held. In addition to identifying users, you can use this information to understand the cookie behavior of your flash users and extrapolate to the rest of your visitor population.

Unique vistor identification reloaded

I wrote a ASP .NET app using a Datagrid. IE refuses to execute any javascript-enabled links embedded in the table created by the datagrid .

Firefox, on the other hand, renders and executes everything perfectly.

Fucking IE.

Crypto researchers have discovered a new, much faster, attack against the widely-used SHA-1 hashing algorithm. Xiaoyun Wang, one of the team of Chinese cryptographers that demonstrated earlier attacks against SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, have discovered a way to produce a collision in SHA-1 over just 2^63 hash operations compared to 2^69 hash operations previously. A brute force attack should take 2^80 operations.

SHA-1 compromised further | The Register

nvestigators told local paper Helsingin Sanomat that the suspects wrongly believed that the use of an insecure wireless network in commission of the crime would mask their tracks. This failed when police identified the MAC address of the machine used to pull off the theft from a router and linked it to a GE Money laptop. Police say that stolen funds have been recovered. Four men have been arrested over the alleged theft with charges expected to follow within the next two months

The lession of the day: Always Always Always change your MAC Address before doing something you shouldn't.

Finnish security exec arrested over bank hack | The Register