| |
I am a hacker and you are afraid and that makes you more dangerous than I ever could be. |
|
Topic: Technology |
11:36 pm EDT, Sep 10, 2006 |
Nice site that helps you design logos and exports them in various formats (include Photoshop's PSD and The Gimp's XCF) Cool Text: Logo designer |
|
Topic: Technology |
6:00 pm EDT, Sep 3, 2006 |
Let's admit it—we're so accustomed to the idea of session state that we forget that session state is an artifice introduced with Active Server Pages (ASP) back in 1997
Let's admit it, Microsoft is so accustomed with dealing with morons and self promoting MVPs that they think everyone else will forget that Netscape introducted the idea of session state in 1994 with cookies. Dino Esposito is a no talent ass clown who should be ashamed of himself. Too much MS koolaid = shitty journalism. Let's Admit it... |
|
Topic: Technology |
10:13 am EDT, Aug 29, 2006 |
There are several security issues with having an Ajax enabled application. Some of them are traditional web security issues that are magnified because of Ajax, and some a new issues. Here are just a few. I refer you to my BlackHat presentation Ajax (in)Security for more info. Old Issues: Issues:Ajax applications have a larger attack surface. Results: Its easer to hack your webapp. Traditional applications have a relatively few number of forms or other parts that accept user input. We already do a poor job protecting these (just look at Full Disclosure any given week). Some web apps accept file format input, and we do a really bad job securing that input (see numerous PNG/JPG attackers, WMF, ZIP attacks, etc). Ajax increases yet a 3rd type of application inputs, Web services. Most Ajax requests are destin for a web service that woudln't exist if the app didn't use Ajax. As a whole, web services are rarely protected because most programmers don't think of these are inputs, they think of them as functions. This is really bad when retrofitting a traditional application to an Ajax application. Before, the web service or function was hidden inside your enterprise with no way for the client to directly call it. With an Ajax app, large parts of the applicaitons API are now publicly exposed and are rarely secured. Issue: Ajax applications are very complex. They are written in multiple languages, the code must work on multiple platforms/OSes, and they are multi-threaded. Results:Ajax applications are much harder to debug and test than traditional applications. JavaScript is highly dynamic, loosly typed, and can add new exection paths as well as edit current execution paths in a program. This means most JavaScript errors are runtime errors and its very hard to examine all possible paths the program will take. This, coupled with the the asynch nature of Ajax means most Ajax apps contain deadlocks and race conditions that can be exploited. New Issues: Issue:Your application straddles the network and exists on both the client and the server. Results:Attackers can see data types, return types, function names, and program flow of your application by analyzing the plaintext JavaScript. While you should push not business logic to the client, most people do and Ajax Frameworks like CPAINT/"Atlas" make it easier to make this mistake by abstracting a control. Programmers don't know (and don't want to know) how much of a control is on the client and how much is on the server. CPAINT makes it very easy to "export" or "share" a PHP function so your client code can call it directly. I've seen apps in the wild that have a webservice you can send PHP or Perl to that simply get past to an eval statement. Issue: Ajax is something that on the client, not the server. Websites cannot turn it on or off Result: Ajax has amplified the damage XSS attacks. Ajax allows XSS to make hidden, asynchronous HTTP requests that the browser will automatically add the necessary cookies and HTTP auth to. The XSS has full access to response as well. Even sites like Yahoo's webmail that don't "use" Ajax per say can still be contacted by an HTTP request that Ajax makes. Ajax has directly lead to the creation of self propagating XSS worms. Issue: The Server cannot tell the difference between a request made by the browser in response to a user event (clicking on a link) and a request made by the browser because JavaScript told it to. Result: As a user, you cannot prove beyond a reasonable doubt that you did or did not issue an HTTP request. The effects of this in a financial application are frightening. |
|
Its offical! I'm writing a book. |
|
|
Topic: Technology |
3:53 pm EDT, Aug 28, 2006 |
I signed a book contract today with Addison Wesley to write a book on Ajax Security with a co worker. The manuscript is due June 1st, so outside of Phreaknic (and Security Opus and AJAXWorld and Toorcon and Shmoocon...) you won't see much of me :-) |
|
Topic: Miscellaneous |
6:15 pm EDT, Aug 24, 2006 |
Jason : [ Simone is all over him ] She’s making me really uncomfortable. Simone : Ohhhh Tu es un beau garcon. Donnez-moi l’argent. [ Simone puts her hands in Jason’s pockets ] Jason : Hey! Simone : Donnez-moi l’argent… Jason : Come on! Simone : Donnez-moi! Jason : No! Simone : Tu es très beau… Je t’aime! (You’re good-looking boy, give me the money, give me, give me, you’re handsome, I love you.) Jason : Listen I want a new partner sir. She smells like whisky and feet! Don Barbrell : Is that your answer? Jason : Get off me Ma’am! [ "wrong answer" sound. Kevin hits his buzzer ]
Best. French Whore Skit. Ever. Old French Whore! |
|
China bans strippers at funerals | The Register |
|
|
Topic: Technology |
1:57 pm EDT, Aug 24, 2006 |
China has added strippers at funerals to its burgeoning list of proscribed activities, the BBC reports. Bare-assed ladies are apparently deployed at rural send-offs to boost mourner numbers, since "large crowds are seen as a mark of honour". To show they mean business, the authorities have arrested the leaders of five striptease troupes, including two involved in a farmer's funeral in Donghai county, Jiangsu province on 16 August, which was exposed by a Chinese TV station. Local officials subsequently ordered an end to the traditional practice - which they dubbed "obscene performances" - and declared that "funeral plans have to be submitted in advance", according to Xinhua news agency. And just to make sure the ban sticks, the powers that be have set up a hotline where concerned citizens can earn cash rewards for reporting "funeral misdeeds".
Lap dances would be *so* much better than singing Danny Boy China bans strippers at funerals | The Register |
|
Topic: Technology |
6:06 pm EDT, Aug 23, 2006 |
There are few things in life funnier than reading a Gartner report trying to define and quantify "Web 2.0" |
|
EchoStar Must Disable DVRs |
|
|
Topic: Technology |
9:39 am EDT, Aug 18, 2006 |
A U.S. federal judge ordered EchoStar Communications on Thursday to disable its digital video recorders (DVRs) that infringe on a patent held by TiVo. Judge David Folsom of the U.S. District Court for the Eastern District of Texas granted an injunction mandating that all but 192,708 DVRs violating a TiVo patent should be shut off within 30 days. In addition to the injunction, Folsom added $5.6 million in interest and $10.3 million in supplemental damages for infringement, bringing the total judgment close to $90 million.
... Holy Shit! I feel like I dodged a bullet. I came **extremely** close to working for Echostar right out of Tech. I was offered a position in their hardware dev team to write software for the set top boxes, possibly their DVRs. They really liked my (now incorrect) article about hacking XM radio because I already know about the security issues involved with one to many broadcast systems. SPI Dynamics got their offer letter to me a few days before Echostar did. I took a day or so, did more research on how cool web app security was, and decided I really didn't want to work for a big company. I suppose if I had gone to work for Echostar, I'd be lecturing on destroying the Intarweb using DSLAMs instead of JavaScript... EchoStar Must Disable DVRs |
|