I am a hacker and you are afraid and that makes you more dangerous than I ever could be.
Veracode: But That’s Impossible!
Topic: Miscellaneous
12:13 pm EDT, May 20, 2009
Chris Eng has a hilarious post over on the Veracode blog. God knows I've heard a number of these over the years...
I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them about the best responses they’ve heard from customers that reflect a lack of understanding or respect for a pen test finding. These often start with the proclamation, “that’s impossible…” followed by one of the statements below.
Developer doesn’t understand how the web works
* “Users can’t change the value of a dropdown”
* “That option is greyed out”
* “We don’t even link to that page”
Developer doesn’t understand the difference between network and application security
* “That application is behind 3 firewalls!”
* “We’re using SSL”
* “That system isn’t even exposed to the outside”
Developer doesn’t understand a vulnerability class
* “That’s just an error message” (usually related to SQL Injection)
* “You can’t even fit a valid SQL statement in 10 characters”
Developer doubts attacker motivation
* “You are using specialized tools; our users don’t use those”
* “Why would anyone put a string that long into that field?”
* “It’s just an internal application” (in an enterprise with 80k employees and a flat network)
* “This application has a small user community; we know who is authenticated to it” (huh?)
* “You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!”
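Two of the responses above, “users can’t change the value of a dropdown” and “you can’t even fit a valid SQL statement in 10 characters”, shown against code. This is an added example, not from Chris Eng’s post or the Veracode blog; the request handler, its field names, the role names and the SQL statement are all constructed for it.

```javascript
// Added example, not from Chris Eng's post or the Veracode blog. The handler,
// its field names, the role names and the SQL statement are constructed here.

// 1. "Users can't change the value of a dropdown."
// The page offered <select name="role"> with viewer/editor options, but the
// server only ever receives a string in the request body; nothing stops a
// client from submitting role=admin with any HTTP tool (or by editing the DOM).
var ALLOWED_ROLES = ["viewer", "editor"];

function setRoleTrusting(body) {
  // Assumes the value came from the dropdown: whatever was submitted is granted.
  return { role: body.role, granted: true };
}

function setRoleValidated(body) {
  // A server-side allowlist is the only check the client cannot bypass.
  if (typeof body.role !== "string" || ALLOWED_ROLES.indexOf(body.role) === -1) {
    return { role: null, granted: false, error: "invalid role" };
  }
  return { role: body.role, granted: true };
}

// 2. "You can't even fit a valid SQL statement in 10 characters."
// The attacker does not need a complete statement, only enough text to change
// the meaning of the statement the application already has.
var TEN_CHAR_PAYLOAD = "' OR 1=1--";   // exactly ten characters

function buildLookupVulnerable(username) {
  // String concatenation: the input becomes part of the SQL grammar.
  return "SELECT * FROM users WHERE name = '" + username + "'";
}

function buildLookupParameterized(username) {
  // Placeholder plus a separate parameter list, the shape a driver's
  // query(sql, params) call takes; the value never enters the SQL text, so
  // neither its length nor its content can change what the statement does.
  return { sql: "SELECT * FROM users WHERE name = ?", params: [username] };
}
```

With the ten-character payload the concatenated lookup becomes `SELECT * FROM users WHERE name = '' OR 1=1--'`: the quote closes the string, `OR 1=1` makes the predicate true for every row, and `--` comments out the application’s own closing quote. The parameterized form sends the same ten characters to the database as data, where they match (or fail to match) a literal user name and nothing more.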
LAMPSecurity.org is pleased to announce the release of the second in our series of capture the flag exercises. Like the previous release (http://lampsecurity.org/capture-the-flag-4), this exercise is a full Linux virtual machine that is vulnerable to remote root compromise due to a number of vulnerabilities. This exercise is notable in that it includes the use of a 0-day exploit.
A 35,000-year-old ivory carving of a busty woman found in a German cave was unveiled Wednesday by archaeologists who believe it is the oldest known sculpture of the human form. The carving found in six fragments in Germany's Hohle Fels cave depicts a woman with a swollen belly, wide-set thighs and large, protruding breasts.
[snip] Cook suggested it could be symbol of fertility, perhaps even portrayed in the act of giving birth.
Mellars suggested a more basic motivation for the carving: "These people were obsessed with sex."
The oldest known sculpture of a human in the world.... has really really big boobies. Yeah, I guess we haven't progressed that far now have we?
// Ad-block check as quoted (indentation restored, one bug fixed; see below).
// AdBlockTest and deny are not defined in the snippet; the page that ran it is
// presumed to set them elsewhere (AdBlockTest: the result of some other test,
// deny: whether to redirect rather than just warn).
if (document.images) {
  var currImg;
  var ImgFound = 0;
  var LinkFound = 0;   // unused in the snippet; kept as quoted
  //alert("checking images..");
  // If no <img> whose src contains "banner" is in the document, assume the
  // ad was blocked.
  for (var d = 0; d < document.images.length; ++d) {
    currImg = document.images[d];
    if (currImg.src.indexOf("banner") > -1) {
      ImgFound = 1;
    }
  }
  if (!ImgFound || AdBlockTest) {
    if (deny) {
      // As quoted this read "location = '/sorry.html'; window.location(location);".
      // The second statement throws, since window.location is not callable;
      // the single assignment below is what navigates.
      window.location.href = "/sorry.html";
    } else {
      document.getElementById('warning').style.visibility = 'visible';
    }
  }
}
Interestingly simple. All the Adblock detection I've seen in the past checked CSS properties of elements surrounding an ad to see if the ad was rendered or not. This implementation requires a separate <img src> tag but I imagine this could be refactored into a (new Image()).src call and have a pure JavaScript solution.
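The `(new Image()).src` refactor imagined above, written out as an added example; this is not code from the original post or from the site whose script is quoted. Rather than scanning the `<img>` tags already in the document, the page requests an ad-like image itself and watches whether that request completes. The image path, the result shape, the timeout and the injectable image factory are assumptions made for this example.

```javascript
// Added example, not from the original post or the quoted site: the pure
// JavaScript "(new Image()).src" version of the check. The image path, the
// result shape, the timeout and the injectable image factory are assumptions.

// The same decision the quoted loop makes, over an array of src strings so it
// can be exercised without a DOM: is there any image whose path contains "banner"?
function bannerImagePresent(srcs) {
  for (var i = 0; i < srcs.length; i++) {
    if (srcs[i].indexOf("banner") > -1) {
      return true;
    }
  }
  return false;
}

// Request-based probe. createImage is injectable (defaults to new Image()) so
// the logic runs outside a browser; in a page, call probeAdImage(url, cb).
// The result is { blocked: bool, reason: "loaded" | "error" | "timeout" }.
function probeAdImage(src, onResult, createImage, timeoutMs) {
  createImage = createImage || function () { return new Image(); };
  timeoutMs = timeoutMs || 3000;

  var img = createImage();
  var settled = false;
  var timer;

  function settle(blocked, reason) {
    if (settled) { return; }   // only the first of load/error/timeout counts
    settled = true;
    clearTimeout(timer);
    onResult({ blocked: blocked, reason: reason });
  }

  // A blocker that cancels the request never fires onload; some fire onerror.
  // Without the timer a silently cancelled request would never settle.
  timer = setTimeout(function () { settle(true, "timeout"); }, timeoutMs);
  img.onload = function () { settle(false, "loaded"); };
  img.onerror = function () { settle(true, "error"); };

  // Assign src last: a cached image can fire onload as soon as src is set.
  img.src = src;
  return img;
}

// In a page: probe one ad-like path and act on the result the way the quoted
// script did. "/images/banner.gif" is an assumed path; the filter list has to
// consider it an ad for the probe to mean anything.
function checkForAdBlocker(deny) {
  probeAdImage("/images/banner.gif", function (result) {
    if (!result.blocked) { return; }
    if (deny) {
      window.location.href = "/sorry.html";
    } else {
      document.getElementById("warning").style.visibility = "visible";
    }
  });
}
```

Two caveats a practitioner would want. First, `onerror` and the timeout also fire for ordinary failures (the image server is down, the path is wrong), so a "blocked" result is a guess, not proof. Second, the quoted DOM scan and this probe detect different things: a blocker that only cancels the request, or hides the element with CSS, leaves the `<img>` in `document.images` with its `src` intact, so the quoted loop still sets `ImgFound`; the request-based probe catches that case, while a CSS-only hide still needs the computed-style check the post mentions.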
Court Upholds Hacking Conviction of Man for Uploading Porn Pics from Work Computer | Threat Level | Wired.com
Topic: Miscellaneous
4:11 pm EDT, May 13, 2009
Decius:
An Ohio appellate court has upheld the felony hacking conviction of a man who was found guilty of unauthorized access for misusing his computer at work.
This case supports the very very bad idea that it is a crime to do something with a computer that you weren't authorized to do with it. This idea would have people go to prison with felony convictions for reading MemeStreams from work. Stupid, stupid, stupid.
This is not getting the attention it deserves. This entire legal interpretation is frightening beyond words.
With the Ohio case and the Lori Drew nonsense, legal precedent is being created that says violating a site's Terms of Service is committing a felony.
This is unbelievably scary.
Violating laws is what should be punished. But we have a legal interpretation of a law, the Computer Fraud and Abuse Act, that says "Doing something a person says you cannot do violates the CFAA." This interpretation has in essence extended law passing power to anyone in the world.
Think about it. Some random dude somewhere in MySpace put in their TOS "You cannot lie in your profile." Lori Drew did lie. Thus Lori Drew violated MySpace's TOS which violates the CFAA and bam! Conviction.
Is Lori Drew a horrible human being? Without a doubt. Do I hope all her and her family's assets get seized in a wrongful death civil suit? Completely. Should she get hit with a felony conviction for violating the CFAA because some dude put a "don't lie" clause in MySpace's TOS? Not at all.
I'm violating a Terms of Service right now. Am I a felon?
Kevin Smith Raves About 'Star Trek' Actor Chris Pine - Movie News Story | MTV Movie News
Topic: Miscellaneous
8:29 pm EDT, May 12, 2009
Smith is so enamored of Pine, he's willing to do almost anything to take in another of the actor's performances. "I'd watch that dude do anything," Smith said with a laugh. "I'd watch that dude have sex with my wife at this point. He's such a good actor."
Wow! Star Trek was good and all.... but not "Ok, its cool, go have sex with Jill now" good.