Current Topic: Technology

TinyDisk - An anonymous shared file system on top of TinyURL.

Topic: Technology
12:17 am EDT, Oct 25, 2005
TinyDisk is a program for saving and retrieving files from TinyURL and TinyURL-like services such as Nanourl. It overlays a write-once-read-many anonymous, persistent and globally shared filesystem. Once something is uploaded, only the database admin can delete it. Everyone can read it. No one can know who created it. Think of it as a magical CD-R that gets burned and placed on a network.

This is a file system I demoed at Phreaknic that runs on top of the link shortening service TinyURL. It's the perfect case study of how to write meaningful extensions on top of existing web applications, which was the topic of my presentation. I've already uploaded some fun stuff into TinyURL, like The Adventures of Sherlock Holmes, and even TinyDisk itself. That's right, the program to read and write to TinyURL is stored inside TinyURL! It was also very cool to see other people starting to use it. Go download it and have some fun!
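As an added illustration (not TinyDisk's own code), a write-once overlay of the kind described above, using an in-memory stand-in for a TinyURL-like service: each file becomes a chain of shortener entries whose "long URL" carries a chunk of the data and the key of the next chunk. The chunk size, the example.invalid URL form and the content-derived keys are assumptions.

```python
import base64
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

class MockShortener:
    """Stand-in for TinyURL: maps a short key to a stored 'long URL'.
    Keys are derived from content (an assumption; a real service picks them),
    so storing the same entry twice is a no-op: write-once, read-many."""
    def __init__(self):
        self._store = {}

    def create(self, long_url):
        key = hashlib.sha256(long_url.encode()).hexdigest()[:8]
        self._store.setdefault(key, long_url)   # never overwrites an existing entry
        return key

    def resolve(self, key):
        return self._store[key]

CHUNK = 1800  # base64 characters per entry (assumed cap on stored URL length)

def tinydisk_write(svc, name, data):
    """Store `data` as a chain of shortener entries and return the root key."""
    encoded = base64.urlsafe_b64encode(data).decode()
    chunks = [encoded[i:i + CHUNK] for i in range(0, len(encoded), CHUNK)]
    next_key = "END"
    # Write the last chunk first so every entry can name its successor.
    for chunk in reversed(chunks):
        params = urlencode({"next": next_key, "data": chunk})
        next_key = svc.create("http://example.invalid/td?" + params)
    root = urlencode({"name": name, "size": len(data), "first": next_key})
    return svc.create("http://example.invalid/td?" + root)

def tinydisk_read(svc, root_key):
    """Follow the chain from the root entry and return (name, data)."""
    q = parse_qs(urlparse(svc.resolve(root_key)).query)
    name, size, key = q["name"][0], int(q["size"][0]), q["first"][0]
    parts = []
    while key != "END":
        q = parse_qs(urlparse(svc.resolve(key)).query)
        parts.append(q["data"][0])
        key = q["next"][0]
    data = base64.urlsafe_b64decode("".join(parts))
    if len(data) != size:
        raise ValueError("chain incomplete or corrupted")
    return name, data
```

Anyone holding the root key can read the file, and re-uploading identical content produces the same key without touching the stored entries, which is the write-once property the post describes.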

Modern Marvels Invent Now® Challenge

Topic: Technology
11:21 pm EDT, Oct 18, 2005
What is the Modern Marvels Invent Now® Challenge? The Modern Marvels Invent Now® Challenge is a contest that invites the everyday inventor to share his/her vision and ingenious design with the world. Twenty-five semi-finalists will have the opportunity to be recognized, have their invention exhibited and receive valuable information to help them in the pursuit of their invention concept. The most remarkable invention submitted will be named the 2006 "Modern Marvel of the Year." The Challenge celebrates mankind's ingenuity and provides a forum for the independent inventor to be recognized.

Apparently Steve Wozniak is associated with this. I know lots of Memestreams with various inventions up their sleeves.

Wikipedia founder admits to serious quality problems | The Register

Topic: Technology
4:16 pm EDT, Oct 18, 2005

Tom will be talking about some enhancements he is working on for Wikipedia at Phreaknic. Looks like this issue is only growing.

BetaNews | Cross-Site Scripting Worm Hits MySpace

Topic: Technology
10:59 am EDT, Oct 14, 2005
One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community.

Basically the worm was XSS embedded in someone’s profile on MySpace. When someone would view the profile, they would execute the JavaScript in their own browser. The payload of the XSS was Ajax which would make GET and POST requests to MySpace, adding the XSS payload to that user’s profile. This spreads the worm! As with most worms using a new attack vector, this was harmless, adding the message “samy is my hero” to each infected profile along with the XSS payload.

Update: Here is the source code of the XSS payload. I haven't had time to format it properly. I'll do an analysis of it later and post it to Memestreams.
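An added example, not the worm's code or MySpace's filter: a server-side allow-list sanitizer for stored profile HTML, the control that keeps an embedded script (and any Ajax payload it would carry) out of a profile before other users render it. The tag and attribute allow-lists are assumptions; the point is that anything not explicitly permitted, including event-handler attributes, style, and non-http URL schemes, is dropped rather than pattern-matched.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}      # assumed profile allow-list
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}      # the tag and its text both disappear

def safe_url(value):
    # Collapse whitespace/control characters first so "java\nscript:" cannot slip through.
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith(("http://", "https://"))

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                # div, iframe, embed ... dropped, text kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                          # on* handlers and style never survive
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))         # re-escape text, including decoded &lt;

def sanitize_profile(html):
    """Return the allow-listed, re-serialized form of user-supplied profile HTML."""
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```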

Topic: Technology
4:48 pm EDT, Oct 7, 2005

I got an email approving my CFP to Shmoo! I got to meet all those folks out at Toorcon, and I am very excited about this chance. Hopefully all the victims of hacker flight afflicting Atlanta right now will all meet up there.

Presentation Title: Covert Crawling: a wolf among lambs
Track Preference: Break it!

---
Web application IDS evasion techniques and countermeasures is a mature area of study. LibWhisker-based apps and Snort have been in a tug-of-war for years. However, the initial reconnaissance of a website or web app has been largely neglected. It's either done by hand (which is tedious) or with a traditional crawler like wget (which is very noisy). An automated crawl appears as an enormous spike in hit count and byte transfer that is well outside the bell curve for normal users. This presentation will discuss theories and methods to hide an intelligent automated crawl of a target website or application inside the buzz of normal user activity. Some techniques include:
- Spreading crawl across multiple IPs and time.
- Following paths to links vs. deep links.
- Throttling crawl based on publicly available traffic stats and IP fragment ids.
- Dynamic creation of fake Google referrers to deep-linked pages based on content of that page.
- Intelligent selection of proxies based on target country and website type.
- Randomized link selection and overlap.
- Filtering of link targets based on popularity.
- Intentional traffic escalation (Slash-bombing).
This covert crawl will identify a subset of likely vulnerable pages that can later be attacked using IDS evasion techniques. You're attacking fewer pages, and there is no advanced warning that an attack is imminent. Code for a covert crawler implementing these techniques will be released.
---

Topic: Technology
1:30 pm EDT, Oct 7, 2005

A rant one of my co-workers had this morning.
(11:28:02) ---: no IDS company actually has that poor of a product
(11:28:15) ---: if you can get past that don't be impressed
(11:28:35) ---: it can only find stuff that is directed at itself
(11:28:47) ---: and that's only some of the time
(11:29:10) ---: hearing the word snort depresses me
(11:29:26) ---: it's like yelling Jesus is the lord to muslims
(11:29:37) ---: for folks that actually did IDS work
(11:29:53) ---: [earphones]
(11:29:55) ---: ahhhh

Nematodes: The Making of 'Beneficial' Network Worms

Topic: Technology
10:39 am EDT, Oct 6, 2005
Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo of the "Nematode" framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization's security strategy. "We're trying to change the way people think," Aitel said in an interview with Ziff Davis Internet News. "We don't want people to think this is impossible. It's entirely possible to create and use beneficial worms and it's something businesses will be deploying in the future." For years, security experts have debated the concept of using good worms to seek and destroy malicious worms. Some believe that it's time to use the worms' tactics against them and build good worms that fix problems, but the chaos and confusion associated with self-propelled replicating programs have left others unconvinced.

What's old is new again! Dr Fred Cohen invented computer viruses and envisioned "helpful viruses." He proposed a COM and EXE infector that compressed the actual executable. Xerox invented the "network worm" in Palo Alto in the late 70s. It would transfer from machine to machine on the network, performing maintenance. They never could write it properly and the worm kept crashing machines. A few years back, we had worms which would patch the vuln other worms exploited, because if both worms existed on a box it would crash.

Google and Sun: Web based Office Suite!

Topic: Technology
12:14 pm EDT, Oct 4, 2005
Google and Sun are holding a press conference today, but the buzz is it's about a web-based version of OpenOffice. Didn't you wonder why version 2.0 is so Java based? Whether the version will ultimately be Java-based or some kind of Javascript/Ajax app is unknown. If this announcement is true, it also lends credibility to the rumor that Google will be offering an "Internet disk" to save your info on Google servers (talk about RAID!). What is known is Microsoft must be freaking out. OpenOffice has already started to cause them headaches, but a free, web-based version backed by Google is their worst nightmare. Microsoft is only profitable in 2 areas: Windows and Office. Everything else (MSN, Xbox, their games, Encarta, Money, Hotmail) loses them money. Web applications bypass the need for an OS (the browser is the OS), and directly attack Microsoft. Whether the system is a success or vaporware really makes no difference. This is a very public shot across Microsoft's bow letting them know that Google can hit them where it hurts.

Update - It's official. A web-based version of OpenOffice will be offered. I wonder if Google will display ads on the side of documents.

Topic: Technology
3:35 pm EDT, Sep 30, 2005

I've been doing quite a bit of work on anonymously and permanently publishing information on top of existing webservices (often without the service's knowledge/consent). I thought I'd meme the granddaddy work on the subject, Ross Anderson's Eternity Service paper. A must read about using the fragmented nature of USENET to overlay a hypertext-based layer where things can never be unsaid.

The Eternity Service

Confessions of an Engineering Washout

Topic: Technology
9:01 am EDT, Sep 28, 2005
The course instructor was a legendarily incompetent teacher, even by the dubious standards of Smartypants U's engineering department. He was so incoherent and capricious that academic advisors were warned to steer students away from his courses. So why was he kept on staff? His research was outstanding. My tuition dollars at work. You will not produce thronging bevies of pocket-protector-wearing number-jockeys simply by handing out spiffy Space Shuttle patches at the local Science Fair. If you want more engineers in the United States, you must find a way for America's engineering programs to retain students like, well, me: people smart enough to do the math and motivated enough to at least take a bite at the engineering apple, but turned off by the overwhelming coursework, low grades, and abysmal teaching. Find a way to teach engineering to verbally oriented students who can't learn math by sense of smell. Demand from (and give to) students an actual mastery of the material, rather than relying on bogus on-the-curve pseudo-grades that hinge upon the amount of partial credit that bored T.A.s choose to dole out. Write textbooks that are more than just glorified problem set manuals. Give grades that will make engineering majors competitive in a grade-inflated environment. Don't let T.A.s teach unless they can actually teach.

While I'll save the long discussion about why having large barriers of entry into an engineering discipline is a *good* thing, this article did touch on a lot of what is wrong at Georgia Tech and other universities: complete disregard for their undergraduate students. I remember taking a 2nd year CS class where the average final grade was a 34. I had a 38, which earned me a B. When the average grade is *half* the value of the lowest passing grade, you are doing something very, very wrong.