...said Fyodor Vaskovich, creator of the popular Nmap network port scanning tool...

"But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."

There have been similar attempts to craft JavaScript-based network scanners, but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics deserves credit for a clever attack vector and a solid demonstration of the issue. Their method of fingerprinting servers by checking for default image paths and names is slick."

When the definitive source on port scanning gives you massive props in a public forum, you should do a little dance...

[dance] [dance] [dance]

My dance makes HR sad.

JavaScript opens doors to browser-based attacks

Or: How I learned how to port scan company intranets using JavaScript!

Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.

This scenario is no longer one of fiction.

You can visit the proof of concept page I created and test drive it now.

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Robert Morris is an associate professor of computer science at MIT, where he is a member of the PDOS group. He has published extensively on wireless networks, distributed operating systems, and peer-to-peer applications. In 1988 his discovery of buffer overflow first brought the Internet to the attention of the general public.

... by bringing the entire Internet to a crashing halt.

About Y Combinator

In return, sites like the notoriously sluggish MySpace.com load significantly faster, thanks to the way OpenDNS caches IP addresses. Users who type "wordpres.sorg" or "craigslist.or" into their browser's address field are automatically routed to the correct address, instead of getting a 404 error page.

This is such a very bad idea. Any time you have a computer try to figure out what you meant at the end of a connection, you are creating a serious security vulnerability.

Prime example: Apache's mod_speling (SIC). If I send a request for indexh.tml, mod_speling detects the mistake and will serve back index.html. The problem is any security products like an IDS/IPS won't have this intelligence to try and "fix" the request before they analyze it. The IDS/IPS simply sees and logs a request for indexh.tml Modspelling, like this feature in OpenDNS, allows an attacker to side step the attack signatures on a IDS/IPS to exploit a site because the web server will "fix" the attack once it reaches its target.

OpenDNS Autofix: Very Bad Idea (tm)

While MSOs risk losing some of their DVR customers if fast-forwarding were blocked, Shaw said the cable operators--who are beefing up their own local ad sales operations--"are in the same business we're in." "They've got to sell ads too," he said. "So if everybody's skipping everybody's ads, that's not a long-term business model for them either."

Don't buy the network exec's bullshit about DVRs destorying the broadcast business model. The business model isn't going anywhere, it just needs to change. 8 minutes of interlaced ads in a 22 minute show just doesn't work anymore.

A change in the broadcast business model also happened back in in the 50s and 60s. Before that, one company like Jello pudding would sponser an entire show for an entire season. They are called soap opera's for a reason! But that model stopped working when people had more choices. Companies had to places their TV ad dollars in more baskets to get the same amount of exposure. I wonder if network execs bitched as much then as they do now.

Business models shift, but they rarely disappear. Stop issuing press releases about how you fail to understand basic business theories.

ABC wants to break DVR's fast forward feature.

-How to ride a motorcycle
-How to take your hand off the throttle *before* shifting gears
-How to do a wheelie, for about half a second, when the bike's transmission jerks it upward
-How to properly bandage road rash
-How not to ride a motorcycle

This crazy dude is running a blog by posting articles, comments, even advertisments in his /robots.txt file! WTF?

Blogging in your Robots.txt

This is Ted Stevens explaining how the Internet works and why accordingly we don't need net neutrality laws. It is such a gem, I don't know what block text to quote. Instead, here are a few choice quotes:

I just the other day got, an internet was sent by my staff at 10 o'clock in the morning on Friday and I just got it yesterday. Why?

We use this internet to communicate and we aren't using it for commercial purposes. We aren't earning anything by going on that internet.

Maybe there is a place for a commercial net but it's not using what consumers use every day.

[the Internet]'s not using the messaging service that is essential to small businesses, to our operation of families.

Now we have a separate Department of Defense internet now, did you know that?

No, I'm not finished. I want people to understand my position, I'm not going to take a lot of time.

Seantor Ted Steven explains the Internet

aestetix
The Temporary Autonomous Zone
Synopsis

Ever suspect there's more to life than what meets the eye? Or glance at art and wonder what inspired it? The Temporary Autonomous Zone (TAZ) concept is based on an anarchistic principle of freedom between the cracks of society. As the forerunning ethic behind the rave scene, various conventions, and events like Burning Man, it is highly relevant to understanding where the "hacker ethic" holds root.

Aestetix apparently gave a presentation about Temporary Autonomous Zones.

As I just finished reading the assorted essays of Hakim Bey (and am developing the strange PT desire to blow up a TV tower...) it will be cool to discuss this with him at Phreaknic. Tom also some some insight, with some pretty cool stories about TAZsque commerce zones in the slums of Hong Kong.

Aestetix and TAZ

So why are people trying to use the internet as a baby-sitting service? There are a lot of places where it isn't safe to leave unsupervised kids. The TV isn't a babysitter, the pub isn't a creche, and the internet isn't a safe place where innocent and naive people can be allowed to operate unsupervised either. Why are we trying to pretend it can be?

You can't let children roam the streets on their own; so why are we trying to be scandalised by the discovery that the net can't be sanitised?

The lesson is one that doesn't need a sermon about this week's MySpace scandal to drive home. The world is a dangerous place, and if you want your children to be safe you have to keep an eye on them.

What we know from studying security systems for large corporations is that a perimeter protection doesn't work. As soon as you have a stone wall you find yourself believing that everybody inside that stone wall is on your side.

El Register hits the nail on the head with this article. The internet is just like the real world. They are parts that are slummy and full of misinformation and crazies. Once you stop believing that the Internet can be controlled and made "safe" you see that things like the .xxx domain, COPA, banning IRC chatrooms, traffic filtering, and the like are backwards and counterproductive.

MySpace case part of larger issue