Cloning western technology, and getting a better result!
Topic: Technology
10:12 am EDT, Aug 10, 2007
How to Clone Anything
The easiest way to clone a product is to use a "ghost shift": A factory contracted to make legitimate goods moves to 24-hour operation, churning out copies—some made with inferior materials, and others exactly the same, designed to be sold on the black market—from midnight to morning.
The only problem with ghost shifts is that they can't run full time. In the mid-'90s, developers began constructed from the same blueprints legitimate manufacturers used to launch their ventures. Sometimes the plans were sold by managers at the genuine facilities. Other times, local officials and organized crime conspired to create a second set of blueprints.
Cloners look for opportunity first, and manufacturers often give it to them, often in the form of a hot product that is released in a limited number of markets. Desire spreads worldwide, and the cloners are ready to fill any gaps that emerge in supply or distribution. (That's what's happening now with the iPhone, which for nearly a year will be sold in North America only.)
The cloners start by deciding what phones would be most profitable to clone. They then learn everything they can about the device. They attend trade shows, furiously snapping photos of not-yet-released products until someone notices and shoos them away. They will be first in line to buy the new product whenever it hits stores. And they will look for shortcuts, such as a patent filed in China that can act as the beginning of an actual production guide.
The cloners hire a team of between 20 and 40 engineers to begin decoding the circuit boards. At the same time, coders start to develop an operating system for the phone with a similar feature set. (The typical cloner either uses off-the-shelf code, writes something entirely new, or modifies a publicly available Linux-based system.) Both processes take about a month. By then, ancillary items—plastic casings, accessories, manuals and packaging—are ready as well.
Full production begins at another factory, one that is already building phones, within about eight weeks from the time the engineers are hired. After a run of about 30,000 units, the cloners move the operation to a new facility in order to avoid detection.
This is a fascinating read!
Securing Ajax Applications
Topic: Technology
9:21 am EDT, Aug 7, 2007
There is a reason this book's animal is a laughing hyena. Unfortunately, the joke's on you.
Topic: Technology
4:08 am EDT, Aug 2, 2007
This is the end
Beautiful friend
This is the end
My only friend, the end
Of our elaborate plans, the end
Of everything that stands, the end
No safety or surprise, the end
We gave it a great send off over the last few days. Many drinks. Many toasts. To those who aren't here, but who got us here. To those that did without to build something great. But all good things come to an end. And now it's gone. Remember Mantra #2 Make it work. Then make it great. Then take it live. Then change the world. Then make your money. Then make it free. Then start again.
DOMinatrix - The JavaScript SQL Injector
Topic: Technology
2:05 am EDT, Jul 26, 2007
DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation. XSS + Web worm + DOMinatrix = oh crap. In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript. These aren't browser exploits. These aren't buffer overflows. These aren't something that affects only a single browser and only on pages that don't explicitly set a character set. This is using JavaScript in perfectly valid ways to do extremely malicious things. There is no way to patch this. End users are pretty much screwed. Here is a screen shot of DOMinatrix in action.
Topic: Technology
2:31 pm EDT, Jul 23, 2007
Billy, I submitted your title to the Conference Advisory Board and we were hoping you could possibly re-phrase the “Premature AJAX-ulation” references. While some of us appreciate the play on words, we have a feeling it would not be well received by all and we do not wish to offend anyone.
The SPI laboratory : SPI Labs advises avoiding iPhone feature
Topic: Technology
11:39 am EDT, Jul 17, 2007
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various attacks, including:
* Redirecting phone calls placed by the user to different phone numbers of the attacker’s choosing
* Tracking phone calls placed by the user
* Manipulating the phone to place a call without the user accepting the confirmation dialog
* Placing the phone into an infinite loop of attempting calls, through which the only escape is to turn off the phone
* Preventing the phone from dialing
These types of attacks can be launched from a malicious website, from a legitimate website that has Cross-Site Scripting vulnerabilities, or as part of a payload of a web application worm.
For example, an attacker could determine that a specific website visitor “Bob” has called an embarrassing number such as an escort service. An attacker can also trick or force Bob into dialing any other telephone number without his consent, such as a 900-number owned by the attacker or an international number. Finally, an attacker can lock Bob’s phone, forcing Bob to either make the call or hard-reset his phone, resulting in possible data loss.
Told you it would mention an escort service.
Generic Http Handlers in ASP.NET
Topic: Technology
4:25 pm EDT, Jul 10, 2007
Today I finally got the memo about the joy that is Generic Handlers in ASP.NET. These things are a great way to emulate PHP-style webservices and Ajax callbacks.
Topic: Technology
4:32 pm EDT, Jul 5, 2007
Literals are a pain to tokenize, especially when the literal can start with a valid math operator. I'm looking at you JavaScript Regex Literal and signed integer literals! You broke my code.
var x = /123/;
var y =5 /2;
z(5,+54.1, -13);
This is where you can blur the line between what the tokenizer should do and what the parser does. Going the wrong way makes things bad. Like, crashing bad.
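One way to keep that decision inside the tokenizer, as an added example that is not the author's code: remember whether the previous token ends an operand, and only in that case read `/` as division and `+`/`-` as operators. The names `tokenize`, `scanRegex` and `EXPR_KEYWORDS` are assumptions made for this example, and signed numbers are emitted as single literals to match the post's framing.

```javascript
// Keywords after which an expression (and so a regex or a sign) may begin.
const EXPR_KEYWORDS = new Set(['return', 'typeof', 'case', 'in', 'of',
  'delete', 'void', 'throw', 'new', 'instanceof', 'do', 'else']);

// Scan a regex literal starting at src[start] === '/'. Handles escapes,
// '/' inside character classes, and trailing flags.
function scanRegex(src, start) {
  let inClass = false;
  for (let j = start + 1; j < src.length && src[j] !== '\n'; j++) {
    const c = src[j];
    if (c === '\\') j++;                       // skip the escaped character
    else if (c === '[') inClass = true;
    else if (c === ']') inClass = false;
    else if (c === '/' && !inClass) {
      j++;
      while (j < src.length && /[a-z]/i.test(src[j])) j++;   // flags
      return src.slice(start, j);
    }
  }
  // Fail with a clear error instead of running off the end of the input.
  throw new SyntaxError('unterminated regex literal at offset ' + start);
}

function tokenize(src) {
  const tokens = [];
  // True when the previous token ends an operand: then '/' is division and
  // '+'/'-' are binary operators, never the start of a literal.
  const afterOperand = () => {
    const t = tokens[tokens.length - 1];
    if (!t) return false;
    if (t.type === 'ident') return !EXPR_KEYWORDS.has(t.value);
    return t.type !== 'punct' || t.value === ')' || t.value === ']';
  };
  for (let i = 0; i < src.length;) {
    const rest = src.slice(i);
    let m, type;
    if ((m = /^\s+/.exec(rest))) { i += m[0].length; continue; }
    const num = afterOperand() ? /^(?:\d+\.?\d*|\.\d+)/
                               : /^[+-]?(?:\d+\.?\d*|\.\d+)/;
    if ((m = /^[A-Za-z_$][\w$]*/.exec(rest))) type = 'ident';
    else if ((m = num.exec(rest))) type = 'number';
    else if (rest[0] === '/' && !afterOperand()) {
      m = [scanRegex(src, i)]; type = 'regex';
    } else { m = [rest[0]]; type = 'punct'; }  // single-character punctuator
    tokens.push({ type, value: m[0] });
    i += m[0].length;                          // every branch consumes input
  }
  return tokens;
}
```

Run over the three lines from the post, `/123/` comes out as one regex token, the `/` in `5 /2` as a division punctuator, and `+54.1` and `-13` as signed numbers.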