What This Gadget Can Do Is Up to You

Topic: Technology
10:55 am EST, Jan 7, 2008
“HACKERS, welcome! Here are detailed circuit diagrams of our products — modify them as you wish.” That’s not an announcement you’ll find on the Web sites of most consumer electronics manufacturers, who tend to keep information on the innards of their machines as private as possible. But Neuros Technology International, creator of a new video recorder, has decided to go in a different direction. The company, based in Chicago, is providing full documentation of the hardware platform for its recorder, the Neuros OSD (for open source device), so that skilled users can customize or “hack” the device — and then pass along the improvements to others. The OSD is a versatile recorder. Using a memory card or a U.S.B. storage device, it saves copies of DVDs, VHS tapes and television programs from satellite receivers, cable boxes, TVs and any other device with standard video output. Because the OSD saves the recordings in the popular compressed video format MPEG-4 (pronounced EM-peg), the programs can be watched on a host of devices, including iPods and smartphones. The OSD is for sale at Fry’s, Micro Center, J&R Electronics and other locations for about $230.
I recorded a show from a DVD this way and, to my delight, I was soon watching it on my iPod. Thank you, hackers!

Windows XP File Association Fixes

Topic: Technology
2:02 pm EST, Jan 3, 2008
The files listed here are all ZIP files, which contain a REG (Registry) file. Each of the REG files contains the default settings for the file extension indicated.
So I went and downloaded Netscape Communicator 4.something to test some of the JavaScript I'm writing for MemeStreams. After shuddering at how arcane installers were back in the day, I find that the front page of MemeStreams crashes it. I figure some of the embedded Flash for Google/YouTube videos might be doing it, so I go into the browser's preferences and remove every file association, hoping it will not spawn the Flash player (which in retrospect wouldn't have worked anyway... stupid object tag GUIDs...). Unfortunately, this actually killed the file associations not for the browser, but for Windows!

Topic: Technology
12:28 pm EST, Jan 2, 2008
wget doesn't support PAC files. Damn it. ... [starts hacking WebInspect] I'm working on an app spanning hundreds of domains all over the place (don't ask) so I actually need to compute PAC lookups while crawling.

TaoSecurity says 'Ajax Security' Best Book of 2007

Topic: Technology
12:38 am EST, Jan 2, 2008
I've mentioned Richard Bejtlich in passing before. He is a TCP/IP ninja and if you are in the computer security biz you should know who he is. I'm pleased to announce that he just posted a 5/5 review on Amazon.com about our book Ajax Security. Here is a little snip:
The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that. They start by introducing a technology, which is critical for someone like me who doesn't deal with Web development issues. Next they describe how it is broken. They continue with defensive recommendations and summarize their findings in the conclusion. This is a perfect technical writing style that is too often lost on other authors.
Truly this is an awesome honor and I thank Richard for the praise. However, not only does Richard like the book, Richard goes on to declare that Ajax Security is the best book of 2007!
And, the winner of the Best Book Bejtlich Read in 2007 award is... 1. Ajax Security by Billy Hoffman and Bryan Sullivan (Addison-Wesley). Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year.

Unrestricted Warfare (book)

Topic: Technology
2:12 am EST, Dec 30, 2007
Unrestricted Warfare (超限战, literally "warfare beyond bounds") is a book on military strategy written in 1999 by two colonels in the People's Liberation Army, Qiao Liang (乔良) and Wang Xiangsui. Its primary concern is how a nation such as China can defeat a technologically superior opponent (such as the United States) through a variety of means. Rather than focusing on direct military confrontation, this book instead examines a variety of other means. Such means include using International Law (see Lawfare) and a variety of economic means to place one's opponent in a bad position and circumvent the need for direct military action.
PDF of book. Look at Network attacks. Frame this with how the DoD is reporting the PLA has been screwing with our networks over the last few years.

Ajax Security Book Out! Awesome buzz!

Topic: Technology
1:21 pm EST, Dec 20, 2007
Ajax Security is out and the feedback I'm getting is incredible. Andrew van der Stock, the Executive Director of OWASP, reviewed a draft of Ajax Security and here is what he had to say about it:
If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies. I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field. The structure flows pretty well, building upon what you’ve already learnt ... there is advanced stuff, but the authors have to bring the newbie audience along for the ride. Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.
Web security guru dre offers up this review of Ajax Security:
It’s quite possible that many Star Wars Ajax security fans will be calling Billy Hoffman the great “Obi-Wan”, and pdp “Lord Vader”, to represent the “light” and “dark” sides that is The Force behind the power wielded by Ajax. The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tricks, and the aberrant Javas...

List all properties of the entire JavaScript environment!

Topic: Technology
12:14 pm EST, Dec 13, 2007
Jello wrote:

    // Walks the own/inherited enumerable properties of obj and returns
    // one "name.prop = value" line per property.
    function show_props(obj, obj_name) {
        var result = "";
        for (var i in obj) {
            result += obj_name + "." + i + " = " + obj[i] + "\n";
        }
        return result;
    }

Super convenient when peeps don't document their objects.
You can do this on the window object and you get all global objects. This means all global variables and all the user-defined functions! You can call valueOf() on the function object to extract the source code! valueOf() even automatically inserts the appropriate whitespace and indenting for you to easily read the code. You can recurse down objects and check their children, so this handles JavaScript "namespaces" as well. Hook this up to a setInterval() call and you can also perform runtime monitoring of the JavaScript environment! On-demand Ajax? No problem! With Firebug, you have the JavaScript equivalent of "View Source." With this method, you have the JavaScript equivalent of "View Generated Source!" Super convenient when peeps don't document the Ajax applications you are hacking! Take a read of Chapter 7 of Ajax Security. Bryan and I wrote a JavaScript tool called HOOK which does this very thing! On-demand monitoring and hijacking of JavaScript functions! Even better, it's cross browser. Oh Yeah! In the interest of disclosure, websec guru Amit Klein came pretty close to this in 2006. He discovered the joy of valueOf() but didn't take the next step of how to discover/enumerate all the user-defined functions in the JavaScript environment.

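The recursive enumeration and setInterval()-style monitoring described above, as an added example that is neither the post's snippet nor HOOK: it inventories every non-native function reachable from a root object, with cycle detection and a depth limit, and diffs two inventories so that code appearing at runtime stands out. That is the same check a reviewer can run against their own application to see what it leaks into global scope and whether anything unexpected shows up later. The `app` object is a constructed stand-in for the browser's window so the block runs under Node; in a browser, pass `window` as the root.

```javascript
// Added example (not the post's code and not HOOK): inventory every non-native
// function reachable from a root object (in a browser, pass `window`), with
// cycle detection and a depth limit, then diff two inventories to spot functions
// that appeared later, i.e. the setInterval()-style monitoring the post describes.

function isNativeFunction(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Returns Map<path, source text> for user-defined functions under `root`.
function enumerateFunctions(root, rootName, maxDepth = 4) {
  const found = new Map();
  const seen = new WeakSet();              // objects already visited (breaks cycles)
  function walk(obj, path, depth) {
    if (obj === null || (typeof obj !== "object" && typeof obj !== "function")) return;
    if (seen.has(obj) || depth > maxDepth) return;
    seen.add(obj);
    for (const key of Object.getOwnPropertyNames(obj)) {
      let value;
      try { value = obj[key]; } catch (e) { continue; }  // accessors may throw
      const childPath = path + "." + key;
      // Record each function object once, under the first path that reaches it.
      if (typeof value === "function" && !isNativeFunction(value) && !seen.has(value)) {
        found.set(childPath, Function.prototype.toString.call(value));
      }
      walk(value, childPath, depth + 1);
    }
  }
  walk(root, rootName, 0);
  return found;
}

// Paths present in `later` but not in `earlier`: code that showed up at runtime.
function newFunctions(earlier, later) {
  return [...later.keys()].filter((p) => !earlier.has(p)).sort();
}

// Constructed stand-in for a page's window object (sample data, not from the post).
const app = {
  version: "1.0",
  util: { sum(a, b) { return a + b; } },
  login: function (user) { return "login:" + user; },
};
app.self = app;                             // cycle, as window.window would be

const baseline = enumerateFunctions(app, "app");
for (const [path, src] of baseline) console.log(path + " = " + src);
```

Against a live page, take `baseline` once and call `newFunctions(baseline, enumerateFunctions(window, "window"))` from a timer to list functions that were not there before.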
Phone phreaks spoof LSD-induced multiple homicide

Topic: Technology
11:21 am EST, Dec 10, 2007
Three more individuals have admitted they participated in a series of phone phreak hoaxes that prompted raids by armed special weapons and tactic police teams on the homes of unsuspecting victims. Jason Trowbridge, of Louisiana and Texas, and Chad Ward of Texas pleaded guilty to multiple felonies, including conspiracy, access device fraud and unauthorized access of a protected computer. Each faces maximum penalties of five years in prison, fines of $250,000 and costs for restitution. Swatters, as the malicious pranksters are referred to, use a combination of social engineering, phone phreaking prowess and computer hacking to spoof the phone numbers of individuals they want to harass. They then make emergency calls to police departments and report crimes in progress, in many cases prompting a response from SWAT teams who conduct emergency raids on the homes of people whose numbers were spoofed.
Police, meet the ANI fail; ANI fail, this is the police. If you want to know more, look up my man Lucky.
In many cases, the victims were fellow participants in telephone party lines, which largely act as the phone equivalent of internet relay chat groups. Trowbridge, who went by the names "Jason from California" and "John from California," furthered the scheme by mining personal information about the victims from a host of sources, including consumer reporting agencies, pizza delivery records and newspaper subscription records, according to court documents signed by the defendant. The personal information Trowbridge provided allowed the gang to make fake emergency calls that had the ring of authenticity. In one case, they posed as an Alvarado, Texas man whose daughter was a party line participant. They told a police dispatcher that he had shot and killed members of his family and was armed with an AK47 machine gun. The caller, who claimed to be high on hallucinogenic drugs, then threatened to kill his remaining hostages unless he was given $50,000 and safe passage out of the country. Police responded by sending police to the residence of the real man. During the course of the conspiracy - which lasted from late 2002 to June of this year and involved as many as 20 individuals - the participants also initiated calls to employers, landlords, families and friends of party line members they held a grudge against. Some of the members who refused to stop using the line found their friends and families swatted.
This is ridiculous, especially when you see the quarter of a million dollars in "damages" that occurred.

C64 on CNN Homepage?

Topic: Technology
11:19 am EST, Dec 7, 2007
You know it's a slow news day when a story about Commodore 64 enthusiasts appears on the front page of CNN.

Topic: Technology
9:38 am EST, Dec 7, 2007
I received an amazing amount of mail from my friends at Microsoft (none of whom work on IE) regarding my IE post. Surprisingly, much of it was positive, but some were a little astonished. Allow me to clarify a bit. I don't personally dislike anyone on the IE team. I do, however, abhor what the team creates: a non-standards compliant browser that hurts web developers and security professionals alike. I firmly believe that Microsoft's actions over the last 10 years illustrate their complete lack of commitment to web browsers or web development. And 1.5 years of non-evil behavior and a tabbed browser doesn't change that. So when I see posts saying "look at us, we have 300 million downloads and awesome security" I'm shocked. And when, faced with a year's torrent of requests for info about bugs, CSS hacks, standards compliance, and future browser plans, the community is still met with stony silence or a pompous "don't worry, we are working on it" post, I felt the need to unload, though, granted, perhaps with more expletives than necessary. But I don't believe what they say any more. There has been too much "it's coming, and it will be so cool" followed by failing to deliver. You don't get to make those statements anymore, certainly not without some blowback.
