A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

"The whole point was to show how scary cross-site scripting has become."

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."

There are already 50k hits for a Google search on "Jitko". A few comments from around the web: Jeremiah Grossman, of Whitehat Security, and "Pascal". Anurag Agarwal offered a Reflection on Billy Hoffman, along with a photo:

This week on Reflection we have a very young guy from the webappsec field.

Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time.

I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if billy is a part of a conversation, you won’t get bored even if you just stand there and listen.

JavaScript bug hunting tool demonstrated

Shocking News:

There exist routing algorithms such that even if all of 2^128 IPv6 ‘nodes’ are completely de-aggregated (i.e., all IPv6 addresses are used as flat IDs), the ‘DFZ’ (default-free zone) routing tables still contain less than 128^2 ~ 16,000 entries (~1000 entries for IPv4)

Scalability of Routing: Compactness and Dynamics

The Thorup-Zwick (TZ) compact routing scheme is the first generic stretch-3 routing scheme delivering a nearly optimal per-node memory upper bound. Using both direct analysis and simulation, we derive the stretch distribution of this routing scheme on Internet-like inter-domain topologies. By investigating the TZ scheme on random graphs with power-law node degree distributions, Pk
k−γ, we find that the average TZ stretch is quite low and virtually independent of γ. In particular, for the Internet inter-domain graph with γ
2.1, the average TZ stretch is around 1.1, with up to 70% of all pairwise paths being stretch-1 (shortest possible). As the network grows, the average stretch slowly decreases.

We find routing table sizes to be very small (around 50 records for 104-node networks), well below their theoretical upper bounds. Furthermore, we find that both the average shortest path length (i.e. distance) d and width of the distance distribution σ observed in the real Internet inter-AS graph have values that are very close to the minimums of the average stretch in the d- and σ-directions. This leads us to the discovery of a unique critical point of the average TZ stretch as a function of d and σ. The Internet’s distance distribution is located in a close neighborhood of this point.

This is remarkable given the fact that the Internet inter-domain topology has evolved without any direct attention paid to properties of the stretch distribution. It suggests the average stretch function may be an indirect indicator of the optimization criteria influencing the Internet’s inter-domain topology evolution.

Compact Routing on Internet-Like Graphs

Huge gulf in operational good practices between “older” and “newer” Internet

* Threatens the very existence of the Internet as we know it

BGP Deaggregation Report | NANOG, Feb 2007

Are you ready to pay $100 a month for residential access to the Internet?

Summary of the IAB Routing and Addressing workshop - Dave Meyer

The Internet’s routing system is facing a set of serious scaling problems ... none of the existing IETF efforts provides effective solutions

The scalability of the routing system is a problem and must be addressed in the near term; IPv6, in its current form, does not fix these problems

These problems are urgent

IP routing scaling issues - Vince Fuller

There are reasons to believe that current trends in the growth of routing and addressing state on the global Internet may not be scalable in the long term

• An Internet-wide replacement of IPv4 with IPv6 represents a once-in-a-generation opportunity to either continue current trends or to deploy something truly innovative and sustainable

• As currently specified, routing and addressing with IPv6 doesn’t really differ from IPv4 – it shares many of the same properties and scaling characteristics

... These kinda look exponential or quadratic; this is bad ... and it’s not just about adding more cheap memory to systems

... Without architectural or policy constraints, costs are potentially unbounded; even with constraints, service providers are doomed to continual upgrades, passed along to consumers

Looming Issues in Internet Architecture

Now, this is interesting.

Next week Cisco plans to announce one of its most unusual deals: it is buying the technology assets of Tribe.net, a mostly forgotten social networking site.

It is a curious pairing.

... Tribe.net ... has been trampled by newer social sites ...

But along with the recent purchase of a social network design firm, Five Across, the deal will give Cisco the technology to help large corporate clients create services resembling MySpace or YouTube to bring their customers together online. And that ambition highlights a significant shift in the way companies and entrepreneurs are thinking about social networks.

This is precisely the news I needed.

There's a great big beautiful tomorrow, shining at the end of every day /
There's a great big beautiful tomorrow, shining at the end of every day /
And tomorrow is just a dream away

Social Networking’s Next Phase

Why is this in the news? The company is more than a year old.

UPDATE:

After months of fine-tuning, Ning is finally ready to make its big push with a free toolkit designed to make it easy to launch a social network with a few mouse clicks. Ning's package includes all the social networking staples -- videos, photos, music, forums, personal profiles and blogs.

The site does have some desirable features:

Members can set different privacy settings for every photo, video, or blog post they contribute.

From Ning:

Ning is the only online service where you can create, customize, and share your own Social Network for free in seconds.

You can make it public or private and for anything - and anyone - you'd like.

Wire story:

Although both MySpace and Facebook have become smash hits by offering the same features, Andreessen is convinced people dislike the big social networks' one-size-fits-all approach. With Ning's products, even technology neophytes can customize social networks around narrowly shared interests, such as a sports team, church group, hobby or TV show.

"This is the next logical step (for social networks)," said Andreessen.

Andreessen has discovered MemeStreams Circles.

Apparently Andreessen is unfamiliar with Metcalfe's Law.

From the FAQ:

For other Ning sites you might have created, like bookmarks or a discussion board, you'll need to create a new social network from scratch. We don't have an easy way to migrate them over. Sorry about that!

Thank you for being an early adopter. Now start over. Do not pass go, do not collect $200.

Ning - Create your own Social Networks!

Moggridge's new book, Designing Interactions, was recently discussed here.

Dr. Moira Gunn speaks with IDEO co-founder Bill Moggridge. They look at how some of our favorite technology came into being, from the very first laptop right up to the iPod.

Some of you bought the book; any thoughts?

Bill Moggridge, author of 'Designing Interactions'

Pipes is an interactive feed aggregator and manipulator. Using Pipes, you can create feeds that are more powerful, useful and relevant.

Is this useful?

Pipes: Rewire the web

Groovy is ...

An agile dynamic language for the Java Platform with many features that are inspired by languages like Python, Ruby and Smalltalk, making them available to Java developers using a Java-like syntax.

Developing web applications , writing shell scripts easily, writing concise, meaningful, test cases using Groovy's JUnit integration, or prototyping and producing real industrial strength applications have never been so concise and groovy.

Groovy works cleanly with all existing Java objects and libraries and compiles straight to Java bytecode in either application development or scripting mode.

Groovy