I am a hacker and you are afraid and that makes you more dangerous than I ever could be.
Wikipedia gateway for Mobile
Topic: Miscellaneous
1:50 pm EDT, Jun 27, 2006
Doing some work with WML and WAP today and came across this gateway to Wikipedia for Mobile phones. Does a good job stripping and formatting the HTML to help low bandwidth devices like Sidekicks.
A little slow at first, but these kids made a live action walkthrough (with some liberties...) of Goldeneye 64, complete with sound effects, disappearing corpses, talking to Q, going to the sub screens, dying, and more.
I just received an email with an html attachment, on a yahoo account.
When I opened the mail, yahoo automatically displayed the html, and executed the code within. What the hell. =) It forwarded the message to my contacts list, (or some other set of addresses, dunno,) and redirected my browser to a website.
XSS-based worm spreading through Yahoo's web mail. Looking at an email message causes the XSS to run. The XSS uses AJAX to make an HTTP POST to the URL on Yahoo for sending mail. The worm does this to send email containing the worm to everyone in your address book, and it sends your address book to a 3rd party, probably to sell your email address to spammers.
This is a great example of XSS+AJAX=BAD! Even if Yahoo mail doesn't use AJAX, the XSS can use AJAX to make requests for you using your credentials.
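The rendering step is where this worm got its foothold: the webmail client displayed attacker-supplied HTML inside the mail origin, so whatever script survived the filter ran with the victim's session cookie and could POST to the same origin. The block below is an added example, not Yahoo Mail's code and not the worm's payload: an allowlist HTML sanitizer of the kind a webmail client has to run over every message body and HTML attachment before rendering it. The tag and attribute allowlists, the URL-scheme rule and the sample input are all assumptions constructed for the example.

```javascript
'use strict';

// Added example, not Yahoo Mail's code: an allowlist HTML sanitizer for
// message bodies and HTML attachments rendered inside the mail origin.
// Everything not explicitly allowed (tags, attributes, URL schemes) is
// dropped, so <script> blocks, on* event-handler attributes and javascript:
// URLs never reach the browser, and no injected script gets to issue
// same-origin XMLHttpRequests carrying the victim's session cookie.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li',
  'blockquote', 'div', 'span', 'table', 'tr', 'td', 'th',
]);
// Per-tag attribute allowlist (assumed); tags absent here keep no attributes.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'width', 'height']),
};
// Only absolute http(s)/mailto URLs survive; javascript:, data:, vbscript:
// and relative URLs all fail the allowlist, whatever their casing.
const SAFE_URL = /^(?:https?:|mailto:)/i;

// One token per comment, per whole <script>/<style> element, or per
// opening/closing tag; everything between tokens is treated as text.
const TOKEN = /<!--[\s\S]*?-->|<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/gi;
const ATTR = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text nodes: escape a bare '&' (existing entities are kept) and any '<' or
// '>' that did not form a tag, so nothing can re-open a tag after cleaning.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rebuild one tag from scratch, keeping only allowlisted attributes.
function sanitizeTag(raw, name, attrText) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return '';
  if (raw.startsWith('</')) return `</${tag}>`;
  const allowed = ALLOWED_ATTRS[tag];
  const kept = [];
  if (allowed) {
    ATTR.lastIndex = 0;
    let m;
    while ((m = ATTR.exec(attrText)) !== null) {
      const attr = m[1].toLowerCase();
      // onload=, style=, and any attribute-smuggling trick (a bogus empty
      // attribute glued to a real one, odd casing) fall through and are dropped.
      if (!allowed.has(attr)) continue;
      const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
      if ((attr === 'href' || attr === 'src') && !SAFE_URL.test(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
  }
  return kept.length ? `<${tag} ${kept.join(' ')}>` : `<${tag}>`;
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  TOKEN.lastIndex = 0;
  let m;
  while ((m = TOKEN.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TOKEN.lastIndex;
    // Comments and whole <script>/<style> elements are removed outright.
    if (m[0].startsWith('<!--') || m[1] !== undefined) continue;
    out += sanitizeTag(m[0], m[2], m[3] || '');
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample in the shape of a hostile HTML mail body: an image whose
// event handler would run in the mail origin, a script block, a comment and a
// javascript: link. Placeholder names only, not the real worm's payload.
const SAMPLE = '<p>Hi &amp; bye</p>' +
  '<img src="https://example.invalid/a.png" target=""onload="steal()">' +
  '<script>steal()</script><!-- x --><a href="javascript:steal()">link</a>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sanitizeHtml(SAMPLE));
}
```

The point of an allowlist is that the filter never has to recognise the attack: an attribute it does not know is gone, whether it is `onload`, a misspelt variant, or one glued onto a harmless attribute. A CSRF token on the send-mail endpoint would not have helped here, because script running in the mail origin can read the token and include it in its POST; the fix has to happen before the HTML is rendered, or the content has to be rendered from a separate origin that holds no mail credentials.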
Found this while doing some massive crawls. Has links to information about each of Qwest's phone switches, like features, activation date, replacement date, etc.
The biggest hacking incident in the web-hosting history!
Topic: Current Events
5:01 pm EDT, May 23, 2006
******************************************
UPDATE 11.30 PM GMT
We are receiving 17,000 more defaced websites in these minutes. We will account for them in this news item, but we are not sure we will ever be able to handle such a huge number of notifications; to mirror all of them we would need a distributed platform such as the one Google has on Akamai. The latest notified defacements seem to belong to the ISP secureserver.com.
We have not examined the source code to the ASP file in detail or done more than superficial research on this mass defacement, but this does not appear to be a vulnerability in IIS. This appears to be a problem with poor script coding and/or failing to properly validate user form input. I would guess that the hacker is able to inject their own code into the ASP or PHP script being used to send mail.
Holy Shit! I was just handed something fun to look at for work.
Basically, this guy found a 0day in the GoDaddy administration pages for every GoDaddy account. The count is 22,000+ and rising!
As a consequence of that experience, I intend to provide the following instructions to students (until something changes):
1. If you find strange behaviors that may indicate that a web site is vulnerable, don’t try to confirm if it’s actually vulnerable.
2. Try to avoid using that system as much as is reasonable.
3. Don’t tell anyone (including me), don’t try to impress anyone, don’t brag that you’re smart because you found an issue, and don’t make innuendos. However much I wish I could, I can’t keep your anonymity and protect you from police questioning (where you may incriminate yourself), a police investigation gone awry and miscarriages of justice. We all want to do the right thing, and help people we perceive as in danger. However, you shouldn’t help when it puts you at the same or greater risk. The risk of being accused of felonies and having to defend yourself in court (as if you had the money to hire a lawyer — you’re a student!) is just too high. Moreover, this is a web site, an application; real people are not in physical danger. Forget about it.
4. Delete any evidence that you knew about this problem. You are not responsible for that web site, it’s not your problem — you have no reason to keep any such evidence. Go on with your life.
5. If you decide to report it against my advice, don’t tell or ask me anything about it. I’ve exhausted my limited pool of bravery — as other people would put it, I’ve experienced a chilling effect. Despite the possible benefits to the university and society at large, I’m intimidated by the possible consequences to my career, bank account and sanity. I agree with HD Moore, as far as production web sites are concerned: “There is no way to report a vulnerability safely”.
Dc0de has joined what we have started referring to as "the club": people we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.
People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.
All around scary stuff. It's a sad day when opinions get silenced by lawsuits.
That slander charge is a bitch. I said a lot of very bad, public things about Blackboard, their executives, and the sexual habits of their mothers. Thankfully no one ever pulled that crap on me.
Actually, slander is a growing concern of mine. The way you all have seen me give a presentation at say, Phreaknic, is the same way I give a presentation at BlackHat: rather informal with a fair amount of profanity directed at those who deserve it.
It's only a matter of time before some no-talent ass clown somewhere takes offense.
The ice age is coming, the sun's zooming in
Meltdown expected, the wheat is growing thin
Engines stop running, but I have no fear
Cause London is burning and I, I live by the river