I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Divide's Black Hat 2007 Day 1


Topic: Miscellaneous
12:29 pm EDT, Aug 13, 2007
My Seattle homie Divide has got some great photos from Black Hat.

Topic: Miscellaneous
9:08 pm EDT, Aug 12, 2007
I am so done with it all. People who publicly bash my projects as evil or malicious, while privately asking me for the source code (and I don't mean Jikto). People who write entire articles dismissing my contributions as irrelevant, but at the same time are so frightened by them that they purchase Google AdWords on my name to ride on my success. People who publicly question my integrity from the moral high ground, and then offer me a beer like nothing has happened. Instead of feeling hurt or angry, I just feel plain sad. Because once you've been sued for doing the right thing, once you've been tarred and feathered for being smart, you really don't care about impressing much of anyone. But for some reason folks sure feel the need to feel more impressive than you. I'm a curious hacker. That's what I do. The fact that someone wants to pay me to be curious is just a happy coincidence for me. Lawsuits and muckraking and "drama" and two-faced "friends" and the many other things I've seen so far, and all the things I'm sure to see in the future, really don't factor into it for me. They aren't going to change what I like to do, what I'm damn good at, and what I'll continue to do. They are, if anything, unfortunate, sad roadblocks. I stand by my achievements, whether they are appreciated or not. I stand by who I am. I stopped caring how people accept me long ago.

Timing attacks on web privacy


Topic: Technology
9:06 pm EDT, Aug 10, 2007
Ed Felten is a genius. In this paper he discusses using timing between HTTP requests to determine whether certain URLs have been cached on a user's machine. He extends this to detecting secondary cache hits to determine if two arbitrary machines are on the same network subnet. He discusses doing this both with and without JavaScript. Yes, essentially, Ed Felten published Grossman's and RSnake's Black Hat presentation 7 years before they did. Long ago RSnake claimed I stole his research and suggested I edit my paper to reflect that someone else had done work in this area. It will be interesting to see whether RSnake is willing to do that when confronted with the same situation. What's the phrase? Put up or shut up? Of course, I've never seen Grossman or RSnake reference Ed Felten's work in any of their presentations. Was it willingly omitted? If not, how could they not be aware of it if they did any type of due diligence for their research? It's not like Edward Felten is some obscure person in the security space. Some of his work was required reading in a class I took as a sophomore in college.

Update: Ahh, the Drama...

Using timing side channel with Flash sockets for port scanning


Topic: Miscellaneous
3:26 pm EDT, Aug 10, 2007
Saw this on full disclosure yesterday. Very cool and faster than using JavaScript.

Design flaw in AS3 socket handling allows port probing

# Summary
Due to a design flaw in ActionScript 3 socket handling, compiled Flash movies are able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player Security Sandbox Model and without the need to rebind DNS.

# Technical background
In AS3 Adobe introduced a new socket-related event called SecurityErrorEvent. This event is always thrown when a Flash Player tries to connect to a socket that it is not allowed to connect to by policy. The problem with the SecurityErrorEvent is that it's thrown immediately when a Flash Player tries to connect to a closed TCP port. If a service is listening on that port the Flash Player writes the string "" and waits for a response from the service. Nearly no TCP service will respond to this request. We can assume the following: when trying to connect to a socket that the SWF is not allowed to connect to, and it doesn't get a SecurityErrorEvent within 2 seconds, the port is most likely open. A new Flash Player instance is used for every probed port because the Flash Player sends only one policy-file request per player per host per port.

# Tested platforms
Works on:
* Windows XP SP2: Internet Explorer 6 / Flash Player 9.0.47.0
* Windows XP SP2: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Windows XP SP2: IE 7.0.5730.11 / Flash Player 9.0.47.0
* Ubuntu Edgy: Firefox 2.0.0.5 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 2.0.4 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Safari 3.0.2 / Flash Player 9.0.47.0
* Mac OSX 10.4.10: Firefox 2.0.0.6 / Flash Player 9.0.47.0
* Solaris 10 i86: Firefox 2.0.0.3 / Flash Player 9.0.47.0
Doesn't work as expected on:
* Mac OSX 10.4.10: Opera 9.22 / Flash Player 9.0.47.0

# Known limitations
* The Scanner does not work on services that close the TCP connection immediately after they receive bytes that they don't "understand". The port is reported as closed because the SecurityErrorEvent is thrown when the TCP connection is closed.
* The Scanner does not always work as expected when scanning hosts located on the internet (e.g. google.com). This may happen due to stateful inspection firewalls that close the connections or long TCP response times.

# Disclosure Timeline
* 2007/07/23: Problem discovery
* 2007/07/24: PoC available
* 2007/07/25: Vendor notification
* 2007/08/09: Public demonstration at CCCamp

# Possible Fixes
Flash-Player Side (Adobe)
* TOTALLY REMOVE the SecurityErrorEvent (it's useless, it's just harder to find errors with socket servers without the event)
* Remove the SecurityErrorEvent in the Release-Players and keep it in...
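The first "Known limitation" above doubles as a server-side mitigation: a service that tears down the connection as soon as it receives bytes it does not understand is reported as closed by this scanner, because the SecurityErrorEvent fires on close. As an added example (not from the advisory or this blog), here is a minimal Python listener for a hypothetical line protocol that behaves that way, plus a client used to check it; the greeting, the probe payload and the loopback port are all constructed for the demonstration.

```python
import socket
import threading
import time

# Hypothetical line protocol: a legitimate client must open with this greeting.
EXPECTED_GREETING = b"HELLO "
# Constructed stand-in for an unsolicited probe (not a real Flash request).
PROBE_PAYLOAD = b"<not-my-protocol/>\x00"


def _serve_one(conn: socket.socket) -> None:
    """Decide on the first bytes: anything but the greeting is closed at once."""
    try:
        conn.settimeout(0.5)  # a silent client must not hold the socket open either
        first = conn.recv(64)
        if first.startswith(EXPECTED_GREETING):
            conn.sendall(b"OK\n")  # real session handling would continue here
    except socket.timeout:
        pass  # idle probe: fall through and close
    finally:
        conn.close()  # the prober sees the same prompt close as on a closed port


def start_server() -> int:
    """Listen on 127.0.0.1 with an ephemeral port, serve in the background, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def probe(port: int, payload: bytes) -> tuple:
    """Send payload; return (reply, seconds elapsed). reply == b"" means closed on us."""
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        c.sendall(payload)
        reply = c.recv(64)
    return reply, time.monotonic() - start


if __name__ == "__main__":
    p = start_server()
    print(probe(p, PROBE_PAYLOAD), probe(p, b"HELLO bob\n"))
```

The probe gets an empty reply within milliseconds, well inside the scanner's 2-second window, while a client that speaks the protocol is answered normally.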


Cloning western technology, and getting a better result!


Topic: Technology
10:12 am EDT, Aug 10, 2007
How to Clone Anything

The easiest way to clone a product is to use a "ghost shift": A factory contracted to make legitimate goods moves to 24-hour operation, churning out copies—some made with inferior materials, and others exactly the same, designed to be sold on the black market—from midnight to morning. The only problem with ghost shifts is that they can't run full time. In the mid-'90s, developers began building from the same blueprints legitimate manufacturers used to launch their ventures. Sometimes the plans were sold by managers at the genuine facilities. Other times, local officials and organized crime conspired to create a second set of blueprints.

Cloners look for opportunity first, and manufacturers often give it to them, often in the form of a hot product that is released in a limited number of markets. Desire spreads worldwide, and the cloners are ready to fill any gaps that emerge in supply or distribution. (That's what's happening now with the iPhone, which for nearly a year will be sold in North America only.)

The cloners start by deciding what phones would be most profitable to clone. They then learn everything they can about the device. They attend trade shows, furiously snapping photos of not-yet-released products until someone notices and shoos them away. They will be first in line to buy the new product whenever it hits stores. And they will look for shortcuts, such as a patent filed in China that can act as the beginning of an actual production guide.

The cloners hire a team of between 20 and 40 engineers to begin decoding the circuit boards. At the same time, coders start to develop an operating system for the phone with a similar feature set. (The typical cloner either uses off-the-shelf code, writes something entirely new, or modifies a publicly available Linux-based system.) Both processes take about a month. By then, ancillary items—plastic casings, accessories, manuals and packaging—are ready as well.

Full production begins at another factory, one that is already building phones, within about eight weeks from the time the engineers are hired. After a run of about 30,000 units, the cloners move the operation to a new facility in order to avoid detection.

This is a fascinating read!

Stock payout day AKA Hookers and Blow


Topic: Current Events
11:42 am EDT, Aug 7, 2007
WHOOOO! Stock payout day! WHOOOO! ... OK, so it's not quite hookers and drugs and fast cars and "fuck you I'm fully vested" money, but it will make my down payment on a house much nicer!

Securing Ajax Applications


Topic: Technology
9:21 am EDT, Aug 7, 2007
There is a reason this book's animal is a laughing hyena. Unfortunately, the joke's on you.

Topic: Technology
4:08 am EDT, Aug 2, 2007
This is the end
Beautiful friend
This is the end
My only friend, the end
Of our elaborate plans, the end
Of everything that stands, the end
No safety or surprise, the end

We gave it a great send off over the last few days. Many drinks. Many toasts. To those who aren't here, but who got us here. To those that did without to build something great. But all good things come to an end. And now it's gone.

Remember Mantra #2:
Make it work.
Then make it great.
Then take it live.
Then change the world.
Then make your money.
Then make it free.
Then start again.


RE: Boing Boing: Wal Mart flip flops cause nasty chemical burn


Topic: Miscellaneous
3:19 pm EDT, Jul 26, 2007
k wrote:
Kerry bought some flip flops for $2.44 at Wal Mart. After wearing them for a while, she noticed a tingling sensation on her feet. She immediately stopped wearing the flip flops. Soon after, her skin turned red and blistery. When she took the matter up with Wal Mart, they told her to take it up with the Chinese manufacturer. Apparently, Wal Mart is still selling the flip flops.

ARRGFGHGHGHHGHGHGH! I'm glad the Kerry in this story is not this Kerry. This Kerry doesn't roll with Wal Mart.

That Kerry is also a chick. This Kerry doesn't roll with chicks... wait... ... crap... That's not what I meant. uhhhhh. This Kerry is all man! ... shit... That's not what I meant to say. Please Kerry, don't get mad... NOT IN THE FACE! NOT IN THE FACE! ... ... [smacks forehead] ... ok I *really* didn't mean that! You all know what I'm trying to say here! K = all about the females. I owe you some Scotch Kerry. :-)