| |
Current Topic: Technology |
|
Topic: Technology |
10:09 am EDT, Aug 24, 2005 |
There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.
Very good site showing how SQL Injetcion works, and shows how people discover tuple and table names from a website. Much better than SPI's whitepaper by far. SQL Injection Attacks |
|
HDCP: what it is and how to use it - 4/18/2002 - EDN - CA209091 |
|
|
Topic: Technology |
2:22 pm EDT, Aug 23, 2005 |
Traditional copyright protections (such as infringement lawsuits) are suitable only in specific cases and are impractical on a mass scale. They would be entirely useless against the millions of people who might buy DVDs and copy them for their friends and relatives. Therefore, much of the consumer-electronics equipment available today incorporates copy-protection mechanisms. Different types of devices use different kinds of copy protection. Most techniques stem from cooperation between content providers and equipment manufacturers. For DVI, such a cooperative effort has produced a mechanism called HDCP (high-bandwidth digital-content protection), a two-part cryptographic method to control video delivery.
Bookmark for me. Nice overview of HDCP. Basically, a secure pipe to transmit content between a device and an output (ie computer to monitor, DVD to TV, etc). To protect against piracy. HDCP: what it is and how to use it - 4/18/2002 - EDN - CA209091 |
|
Unique vistor identification reloaded |
|
|
Topic: Technology |
1:05 pm EDT, Aug 23, 2005 |
If lots of people delete their cookies and NAT/other technologies pissed all other the single machine=single IP concept, then how do you reliably know the number of different people visiting a website? Excellent work! Their solution is to do away with a single method and use a hierarchy of steps to determine if we have a unique visitor. Before I detail the steps, it’s time to take the paradigm shift. Here it is: We have been assuming that we can use a single method to identify unique individuals. We have been looking for yes-no answers and absolute numbers. We have done all the analysis within the framework of a single software system. We can’t do this any more. No single test is perfectly reliable, so we have to apply multiple tests. Some of those tests yield yes-no answers, and some of them yield probabilities, so the count of unique visitors will be a probabilistic estimate. Some of the tests depend on knowledge of IP topology, so we can’t restrict our analysis to a confined block of data analyzed by an isolated system. In a nut-shell: To determine a web metric we should apply multiple tests, not just count one thing. The Magdalena and Thomas methodology Each of these steps is applied in order: 1. If the same cookie is present on multiple visits, it’s the same person. 2. We next sort our visits by cookie ID and look at the cookie life spans. Different cookies that overlap in time are different users. In other words, one person can’t have two cookies at the same time. 3. This leaves us with sets of cookie IDs that could belong to the same person because they occur at different times, so we now look at IP addresses. 4. We know some IP addresses cannot be shared by one person. These are the ones that would require a person to move faster than possible. If we have one IP address in New York, then one in Tokyo 60 minutes later, we know it can’t be the same person because you can’t get from New York to Tokyo in one hour. 5. This leaves us with those IP addresses that can’t be eliminated on the basis of geography. We now switch emphasis. Instead of looking for proof of difference, we now look for combinations which indicate it’s the same person. These are IP addresses we know to be owned by the same ISP or company. 6. We can refine this test by going back over the IP address/Cookie combination. We can look at all the IP addresses that a cookie had. Do we see one of those addresses used on a new cookie? Do both cookies have the same User Agent? If we get the same pool of IP addresses showing up on multiple cookies over time, with the same User Agent, this probably indicates the same person. 7. You can also throw Flash Shared Objects (FSO) into the mix. FSOs can’t replace cookies, but if someone does support FSO you can use FSOs to record cookie IDs. This way Flash can report to the system all the cookies a machine has held. In addition to identifying users, you can use this information to understand the cookie behavior of your flash users and extrapolate to the rest of your visitor population.
Unique vistor identification reloaded |
|
Topic: Technology |
12:05 pm EDT, Aug 23, 2005 |
I wrote a ASP .NET app using a Datagrid. IE refuses to execute any javascript-enabled links embedded in the table created by the datagrid . Firefox, on the other hand, renders and executes everything perfectly. Fucking IE. |
|
SHA-1 compromised further | The Register |
|
|
Topic: Technology |
1:29 pm EDT, Aug 19, 2005 |
Crypto researchers have discovered a new, much faster, attack against the widely-used SHA-1 hashing algorithm. Xiaoyun Wang, one of the team of Chinese cryptographers that demonstrated earlier attacks against SHA-0 and SHA-1, along with Andrew Yao and Frances Yao, have discovered a way to produce a collision in SHA-1 over just 2^63 hash operations compared to 2^69 hash operations previously. A brute force attack should take 2^80 operations.
SHA-1 compromised further | The Register |
|
Topic: Technology |
9:38 pm EDT, Aug 15, 2005 |
I've found this quite handy recently. Several chucks of O'Reilly books are available (legally!) for free on their website. This isn't some random excerpt or the introduction from a book, but full, meaningful chapters about all kinds of subjects. Best of all they organize the material by topics, with descriptive titles about what each parts covers. Hell yeah! O'Reilly Book Excerpts |
|
ONLamp.com: A Simpler Ajax Path |
|
|
Topic: Technology |
12:48 pm EDT, Aug 7, 2005 |
Nice article on O'Reilly about writing AJAX apps (which are interactive web programs like Google Maps). Walks you through an example. ONLamp.com: A Simpler Ajax Path |
|
C# From a Java Developer's Perspective |
|
|
Topic: Technology |
5:04 pm EDT, Aug 3, 2005 |
A COMPARISON OF MICROSOFT'S C# PROGRAMMING LANGUAGE TO SUN MICROSYSTEMS' JAVA PROGRAMMING LANGUAGE
I am having to write some Web apps for work, both for us to attack, and to assist internal development and testing. I did some ASP Back In The Day, and found it clusmy at best. I am pretty impressed with writting ASP .NET pages with C#. Impressed only because MS finally caught up to Java/JSP 8 years late after a little stop to try and kill it along the way. Sure there are some features of .NET that I am not even touching, but for 90% of what I am doing, its a clean rip of Java. And forget this is ".NET is available for multiple languages." That like saying you can compile Perl to Java byte code. Sure, but you will make your Perl so nasty in the process, why bother. If you code.NET, you pretty much have to code in Microsoft Java ... I mean C#. C# From a Java Developer's Perspective |
|
Topic: Technology |
12:52 am EDT, Aug 2, 2005 |
Nice little site that generates the urpmi commands needed to add and support source mirrors, update rpms, devel stuff. Very handy! Mandrake : Easy Urpmi |
|
Agent String Switchboard. |
|
|
Topic: Technology |
1:46 pm EDT, Aug 1, 2005 |
Some giant tab delimited lists of all types of browser and robot user agent strings. Useful if you happen to be writting evil crawler/attack tools. Agent String Switchboard. |
|