I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Fuck you Dean Hachamovitch

Topic: Miscellaneous
12:30 am EST, Dec 6, 2007
So, yes, the version after IE7 is IE8. We looked at a lot of options for the product name. Among the names we considered and ruled out:

Of course, some people care about other aspects of IE8 much more than they care about the name. As I’ve walked different people through the plan, I’ve gotten “Does it have feature X?” “When is the beta?” “When does it release?” and even the more thoughtful “What are you trying to accomplish with this release?”

You will hear a lot more from us soon on this blog and in other places. In the meantime, please don’t mistake silence for inaction.

Dean Hachamovitch, General Manager

Dear Dean Hachamovitch, General Manager, Internet Explorer Team.

Fuck you.

Fuck you for thinking a browser with some tabs and RSS support somehow warrants praise.
Fuck you for Notepad as "View Source".
Fuck you for the CSS hacks I shouldn't have to do.
Fuck you for your phony adoption rate and security comparison reports.
Fuck you for the hell that is IE/JavaScript debugging.
Fuck you for winning the web browser wars and then stagnating innovation.
Fuck you for 6 years of inaction and silence.
Fuck you for telling the world how the web is going to be.
Fuck you for your utter contempt of web developers and web standards.

Fuck you Dean Hachamovitch and fuck the team you lead. You are hurting us far more than you are helping us. This shit has got to end.

Sincerely,
Billy Hoffman

Update

Massive breach in Canadian Passport website

Topic: Miscellaneous
11:50 pm EST, Dec 5, 2007
A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports. The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
[lolcat]I has a session hijacking vuln. I is in your Oracle, pwning all your numberz[/lolcat]
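The flaw in the article is a missing authorization check: the application id in the URL was the only thing deciding whose record came back. The following is an added illustration, not code from Passport Canada or from this post, with a constructed in-memory record store and placeholder values. It shows a lookup that trusts the URL beside one that decides access against the session, answers a foreign record exactly like a missing one, and keeps an audit trail whose denied-lookup bursts are the detection signal for someone walking through ids.

```javascript
// Constructed sample data standing in for application records.
// Every value here is a placeholder, not a real identifier.
const applications = new Map([
  ['A1001', { owner: 'alice', sin: 'SIN-EXAMPLE-1', dob: '1970-01-01' }],
  ['A1002', { owner: 'bob',   sin: 'SIN-EXAMPLE-2', dob: '1980-02-02' }],
]);

// Denied lookups are recorded here; a burst of them from one session is
// what sequential id guessing looks like in the logs.
const auditLog = [];

// Vulnerable handler: the id taken from the URL is the only input, so any
// authenticated user who changes one character in it reads someone else's data.
function getApplicationInsecure(session, id) {
  return applications.get(id) || null;
}

// Hardened handler: authorization is decided against the session, not the URL.
// A record that exists but belongs to someone else is answered exactly like a
// record that does not exist, so the response leaks nothing about valid ids.
function getApplicationSecure(session, id) {
  const record = applications.get(id);
  if (!record || record.owner !== session.user) {
    auditLog.push({ user: session.user, id, outcome: 'denied' });
    return null;
  }
  return record;
}

// Detection over the audit log: sessions whose denied lookups reach the
// threshold are candidates for rate limiting and investigation.
function suspiciousSessions(log, threshold = 3) {
  const counts = new Map();
  for (const entry of log) {
    if (entry.outcome !== 'denied') continue;
    counts.set(entry.user, (counts.get(entry.user) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([user]) => user);
}
```

The ownership check belongs in the data-access layer rather than in each route handler, so a new endpoint cannot forget it; the uniform "not found" answer matters because a distinguishable "forbidden" response would still confirm which ids exist.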

SWFIntruder

Topic: Technology
12:40 pm EST, Dec 4, 2007
Sweet, sweet Flash vuln analysis.

Oops! PayPal Security Key fails

Topic: Technology
11:04 am EST, Dec 4, 2007
When eBay rolled out the PayPal Security Key earlier this year, its executives hailed it as an important measure that would make users more secure. And it was. By generating a random, six-digit number every 30 seconds that users needed to authenticate themselves online, the small electronic token provided an additional layer of protection against phishers and other online criminals.
Yay, two factor auth!

But according to Chris Romero, an IT administrator who has used the Security Key for several months now, a bug could allow phishers and others with bad intent to work around the measure. When accessing his PayPal account from merchant sites and other third-party destinations, he says, his account is validated when he types in any six-digit number, as long as he provides a valid user id and password and answers an accompanying security question.

Oops! Not good. And now for the money shot!

Update

The aforementioned spokeswoman said on Thursday that over the past 24 hours PayPal security people are now able to reproduce the bug and are working on a fix. As we noted above, she said the flaw shouldn't be regarded as a significant security risk because users are still required to enter a password and enter a security question.

Are you kidding me? Your two factor auth isn't two factor anymore! The whole point is stealing someone's password doesn't grant access to the account because the attacker must also physically possess something. Only PayPal messed up and you don't need to possess anything. That is a radical backstep in security and some silly marketing chick is telling people it's not an issue? Are you kidding me? Is that PayPal's official position? WOW! Just... WOW.

Reading habits dropping

Topic: Society
12:34 am EST, Dec 4, 2007
American reading habits have turned south. Only 30 percent of 13-year-olds read almost every day, according to a recent NEA study. The number of 17-year-olds who never read for pleasure increased from 9 percent in 1984 to 19 percent in 2004. Almost half of Americans between ages 18 and 24 never read books for pleasure, which may explain why one out of three does not make it to high school graduation. As teachers cite the lack of parents’ involvement as a primary cause of faltering of education, parents blame that lack of discipline as the major cause. Both camps, however, can agree on one thing: lack of funding is the second biggest problem. Indeed, even if nobility is still associated with the profession, the economy is far from showing its appreciation. Many young people who would have gone into teaching have told me they were deterred by financial insecurity. “I would consider teaching seriously but if I ever want to own a house in the Bay Area, I might as well forget that profession,” a graduate from Berkeley recently told me. In Silicon Valley, in order to keep talented teachers, there are now housing units being built for many who couldn’t afford a home, as the average salary for a beginning high school teacher is $44,000 in a county where the median income is around $85,000. Something about our fast-paced, super consumerist society seems to have robbed the teaching vocation of the respect it deserves, disposing that once concrete and tender human relationship to a matter of mere transaction. “You’re a paying customer!” said the yoga student. If in my mother’s world of North Vietnam, the word “teacher” is still interchangeable with the word “father,” in the world I live in now, I fear teaching as a profession is in danger of being reduced to “humble scutwork.”

I interview a lot of people and I always ask interview candidates what was the last book they've read. I've never recommended to hire anyone who didn't have a good answer to that question. That's not because that question is a deal breaker, it's just that people who don't have a good answer to that question pretty much also fail our technical questions.

Web Beam! Oh yeah

Topic: Technology
3:57 pm EST, Dec 2, 2007
Wow, the world is an amazing place. I was amused when industry veterans purchased Google AdWords on my name, but you know you have really made it when someone posts a spoofed mail to Full Disclosure pretending to be you! A couple things:

- SPI Dynamics (sadly) ceased to exist on August 1st.
- I don't use the Billy @ SPI email address any more, and it will start bouncing soon.
- I'm actually not lead researcher anymore. I got promoted and I run the web security research group :-)
- This video looks like something my partner in crime Virgil would send me.

Bravo though, while this is a fairly intricate post it sadly is not true. If I did something like that, it would be under a Roman sounding name in a 2600 article :-). Besides, there are too many manual web application pen-testing frameworks as-is. I have little to add to the work that far smarter people have done.

Topic: Miscellaneous
2:07 pm EST, Nov 30, 2007
You gauge a task's importance based on whether your boss calls you from another hemisphere about it or not. So far I have several important tasks!

Topic: Current Events
11:08 am EST, Nov 30, 2007
Cleaning out my desk at work today (not fired, moving offices), I ran across some Summercon T-Shirts Redpantz gave me. All my xterms -DISPLAY in Texas

Topic: Miscellaneous
4:33 pm EST, Nov 29, 2007
Today in a meeting...

JavaSteve: Every variable is global in JavaScript.
Billy: That's not true, you can locally scope variables to functions using var.
JavaSteve: No you can't. That's not what I've seen.
Billy: JavaSteve, trust me, you can.
JavaSteve: Sorry Billy, I'm positive you are wrong.
Billy: ... ok, I didn't want to play this card, but everyone who has written a book on JavaScript, please raise their hand. [Raises hand] Ok then.
JavaSteve: Oh now it's on!
Billy: Go check Chapter 2 in the Rhino book and get back with me JavaSteve.
[5 minutes later]
JavaSteve: HA! You were wrong! ... ... It was Chapter 3, not Chapter 2!

People called Steve JavaSteve to differentiate him from Steve Millar and because JavaSteve works on our JavaScript parsers and interpreters. I asked JavaSteve once why no one called him JavaScriptSteve. He looked at me like I was an idiot.
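The scoping rules the two were arguing about, as an added example that is not part of the original post. Each function returns what is observable from inside or outside a scope: `var` is scoped to the enclosing function (not to blocks), `let` is scoped to blocks, a name declared with `var` inside a function is invisible after it returns, and an assignment to an undeclared name either pollutes the global object (sloppy mode) or throws (strict mode or ES modules). That last case is the one that bites in code bases like the page's JavaScript parsers and interpreters, because a forgotten `var` silently shares state across every caller. The function names here are illustrative, not from any library.

```javascript
// var is scoped to the enclosing function: the inner declaration shadows the
// outer one instead of overwriting it.
function varIsFunctionScoped() {
  var x = 'outer';
  function inner() { var x = 'inner'; return x; }
  return [inner(), x]; // ['inner', 'outer']
}

// A var declared inside a function is gone once the function returns.
function localNotVisibleOutside() {
  function f() { var secret = 'only in f'; return secret; }
  f();
  return typeof secret; // 'undefined': the name does not exist out here
}

// var ignores blocks: the declaration is hoisted to the function scope.
function varIgnoresBlocks() {
  if (true) { var fromBlock = 'visible'; }
  return fromBlock; // 'visible'
}

// let honours blocks.
function letHonorsBlocks() {
  if (true) { let fromBlock = 'hidden'; }
  return typeof fromBlock; // 'undefined'
}

// The classic consequence: every closure created in a var loop shares one i.
function varInLoop() {
  const fns = [];
  for (var i = 0; i < 3; i++) fns.push(() => i);
  return fns.map(f => f()); // [3, 3, 3]
}

// With let, each iteration gets its own binding.
function letInLoop() {
  const fns = [];
  for (let i = 0; i < 3; i++) fns.push(() => i);
  return fns.map(f => f()); // [0, 1, 2]
}

// Assigning to a name that was never declared: in sloppy mode this creates a
// property on the global object (the "every variable is global" trap); under
// strict mode or in an ES module it throws a ReferenceError instead.
function assignWithoutVar() {
  try {
    leakedName = 'oops';                     // no var/let/const
    const kind = typeof globalThis.leakedName;
    delete globalThis.leakedName;            // clean up the pollution
    return kind;                             // 'string' in sloppy mode
  } catch (e) {
    return e.name;                           // 'ReferenceError' in strict mode
  }
}
```

Running under `'use strict'` turns the implicit-global case from a silent bug into an immediate error, which is the cheapest defence against the mistake JavaSteve had apparently been seeing.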

PlayStation 3 to Crack Passwords

Topic: Technology
4:22 pm EST, Nov 29, 2007
Using a PS3, a senior security consultant has come up with a way to drastically increase the processing capability of cracking passwords. Nick Breese, a senior security consultant at Auckland-based Security-assessment.com, has come up with a way to drastically increase the processing capability of cracking passwords, using a PS3. By implementing common ciphers and hash functions using vector computing, Breese has pushed the current upper limit of 10--15 million cycles per second -- in Intel-based architecture -- up to 1.4 billion cycles per second. Breese, who has been working on the project, called "Crackstation", for the past six months, used the Sony PlayStation 3 gaming console for his breakthrough research. Breese says the initial reason for embarking on the research project was to get the company to buy him a PS3.

This is exactly why Bryan and I hacked the iPhone, only Caleb got to keep the phone :-(