* Posts by Carter Cole

37 publicly visible posts • joined 14 Aug 2009

Fog of cyberwar: internet always favors the offense

Carter Cole
Grenade

There is defense

just because defense is hard doesn't mean there isnt any defense... if you have a public API someone is scraping it doesnt matter if its against TOS its up to you to be smarter than them... google created one time access tokens so you can pass a secret to lookup one call and one call only

yes its easier to break than build duh... you have to find 1 hole and we are trying to find and plug all the small leaks in the dam that may lead to the catastrophic failure and total breach

tell me im wrong... im @cartercole and id love to argue with you :)

Confusion over 'secret code' in US military Cyberforce crest

Carter Cole
Joke

can someone lend me a Beowulf cluster?

quick someone make up some text that makes them sound really dumb for using an insecure hashing algorithm then calculate the collision to match their mission statement hash... lolz

YouTube vuln pwns Justin Bieber fans

Carter Cole
FAIL

too busy blowing stuff up

im sad i missed this xss attack... google seems like they fixed it quick.

Drupal clarifies security rules after White-House gaper

Carter Cole
FAIL

i so called this would friggen happen

not that it wasnt totally predictable but i called this

Captain Cyborg sidekick implants virus-infected chip

Carter Cole
Terminator

all i see is a universal key for spies

like why not write virus code to open any rfid door or cell like that guy said... i mean ton of code and exploits but for reals military put some people on that (id bet you a penny there already are) and make a way cool electronic lockpick

Zombie tactics threaten to poison honeypots

Carter Cole
Alert

10k reasons why

you can make 10k virtual machines for free but even with old 386 you're going to pay more for power and each machine to the point where it becomes ineffective to try and scale

Carter Cole
Terminator

another feature to add to the code in my head

to have a giant botnet would be awesome but i must confess ive been writing code in my head for one (and how to make it beat all the other) thanks for the heads up on another feature i need to add in :)

iPhone App Store bars mention of Google Android

Carter Cole
FAIL

woohoo competition

man what a great company...

Potty mouth hackers pwn TechCrunch (again)

Carter Cole
FAIL

im guessing some sql injection

sounds to me like they found a few sql injection holes and they are modifying the template after they fix each hole... iono its just speculation

Full-body scanner blind to bomb parts

Carter Cole
Flame

thats thermite

it produces molten iron that could burn through an engine block

aluminium and iron oxide (rust)

http://en.wikipedia.org/wiki/Thermite

Feds investigate theft of $3m from NY school

Carter Cole
FAIL

it was a phish email...

they got an email from a rich foreign investor who wanted to give some funds to the kids but needed the collateral to make the transfer

Lawyers claim Palin hack suspect's PC had spyware

Carter Cole
FAIL

i thought he confessed when they picked him up...

new hacker defense... leave malware on your computer and claim that they stole your identity and made your evil blog posts as you and that you actually know nothing about computers... when the judge asks you about your ip then you can just claim "ip in the toilet"

Hacker scalps NASA-run websites

Carter Cole
FAIL

sql injection ftw

i just peeked at screen shots it looks like it was compromised with sql injection...

MS honeypot research sheds light on brute-force hacks

Carter Cole
Thumb Up

use pass phrase

instead of using passwords that are one word you should use pass phrases like "ilovetoeat" upper and lower i think help the most but just to get length they usually haven't computed hash for passwords that long and brute-force would take forever

Extra spam and malware security for bit.ly

Carter Cole
FAIL

dont they use a custom ua to request those urls?

ok so i made a page that returns the ua of the request in the title and shortened it with bit.ly

i got the title back as "bitlybot" (bitly bot is the ua that bit.ly uses) then i made it so it would "cloak" the page when bit.ly was requesting it http://bit.ly/cloakua now you get different page if bit.ly requests it rather than a regular user. this is even better if you know all bit.ly ip then you can do ip based cloaking which is even better

i know this is a simple attack but i think it demonstrates my point

Web service automates WordPress password cracking

Carter Cole
Boffin

man i love php

i think this will be a growing trend compromised web hosts will be used in bot-net style attacks using php as more and more c&c and "bulletproof hosting" options are taken down or disconnected on the internet

Facebook swipes user's vanity URL

Carter Cole
FAIL

thats a bunch of bs

i have vanity urls and hope this never happens to me... i bet the company complained and they killed the name...

Climate change hackers leave breadcrumb trail

Carter Cole
Grenade

my server doesnt save all the request headers

yea i dont think that header was saved and like the others said if all they used was a proxy shame on them they could sit outside a house and use that wifi

Major IE8 flaw makes 'safe' sites unsafe

Carter Cole
Terminator

so does someone have details of the bug?

id really like to know more

iPhone worm hacker gets death threats, job offers

Carter Cole
Go

but most of all samy is my hero...

the same was true of one of my favorite xss attacks the myspace hero worm

seen here with technical description http://namb.la/popular/

myspace got pissed and brought up charges so even tho hes not a for pay hacker malware guy he still may have some legal trouble in his future

Win 7 remote kernel crasher code released

Carter Cole
Grenade

ok how bout this one

so you use Anti-Pinning DNS attack to bypass firewall after you have identified a target with an office of windows 7 then use flash to send the broken packet to the broadcast then the loop-back and shut down the entire office...

social engineering is used to tweet to an employee during the day to allow for the DNS attack

would that work? would broadcast kill all the vulnerable computers? can flash send a "broken" packet?

Attackers conceal exploit sites with Twitter API

Carter Cole

remember when they figured out the domain algorithm for conficker

good idea because it would be really hard to predict what the next days twitter trend will be so you cant preregister or block those domains to keep them from contacting command and control like they did for some of the other C&C domain generators that are predictable so you can get in front of the hackers

Facebook scoffs at hacktivist stunt

Carter Cole

losers

ooooh they changed the names of some groups...

Malware cleans out jailbroken iPhones

Carter Cole
Black Helicopters

conspiracy by apple or at&t?

if its just jailbroken phones perhaps its apple doing it or at&t they dont want you to have that functionality and everyone is jailbreaking the way to stop it is to spread fear of a worm that will f your phone

Security firm chokes sprawling spam botnet

Carter Cole
Pirate

not good programming

like they said if its not implemented properly anything can fall. as far as the first comment on it being illegal to modify computers i think they modified the C&C servers not the bot PCs (like BBC did) so it would be hard pressed to find the owner of the computer

Bot herders hide master control channel in Google cloud

Carter Cole
Pirate

this will happen more and more

i think that this is only beginning when i have thought about writing a bot the services that many provide are ideal for use with a botnet. what if they start adding steganography to the images they upload to Facebook and the profile looks real and everything looks natural but its all a bots page to keep its settings saved and relay commands

Twitter fanatic glimpses dark side of OAuth

Carter Cole
FAIL

do you not get oauth?

i know its new to a lot of people but i was thinking this the other day what if they get your google oauth then they can do all kinda nasty but you just revoke the tokens and if you have already been hacked then you already prolly sent some spam for them so a couple more messages because you forgot to revoke tokens isnt that bad. could they make it more clear how to clear the tokens and such yes but its not that bad

Bloggers howl after conference snoops on 'secure' network

Carter Cole
FAIL

lolz

oh noes the hackers didnt knock on our door and tell us that the "secure" wap was really controlled by them bla bla bla well now ur on a wall the only networks you can trust are your own the isp can watch everything go by do deep packet inspection and all kinds of other bs and you would never know

Trojan plunders $480k from online bank account

Carter Cole
Gates Halo

everyone already saying it but i gotta chime in too

windows is not the issue its dumb ass users yes trojans are nasty and they can even do tricky stuff like rewriting the banking webpage so you don't even see your funds are gone but if you use even a little common sense you wont get infected. when i get a virus (usually because i was slumming it on the nastier parts of the internet looking for viruses) i wipe my computer. i don't log into online banking anywhere i make sure that i trust that the machine is not compromised and if i even start to suspect it i wont go to online banking. i mean its like saying use macs because they dont get viruses well now they are and while some other options may be less likely to get infected but if you are just safe in the first place you will never have an issue

'Hack Idol' to find top UK cyberwarriors

Carter Cole
Black Helicopters

i would so be part of the american version

so when yall dudes at the network are looking for american contestants for the tv show id love to be part of it

Twitter bans security maven for sharing naughty link

Carter Cole
Black Helicopters

how bout a warning for bad urls

how bout before it sends you to destination it warns you that this link is for security researchers and that it has malicious code behind it and if you click your ok

Game censorship crusader sues Facebook for $120m

Carter Cole
Grenade

god i love gamers...

lolz commentz...

Botnet buries commands in image files

Carter Cole
Black Helicopters

i agree not stego

i want to write a bot that uses true steggo like knows where to find the original image (from some google page or a image hosting site) and then keeps its data stored like in the sample pictures of the computer or something i think that would be a cool bot.

Automated attacks push malware on Facebook

Carter Cole
WTF?

if thats true recaptcha is broken

if they are making new profiles with any kind of speed or volume it isnt humans filling in captcha and recaptcha has been broken

Google shuts down bank snafu Gmail account

Carter Cole
FAIL

why the hell?

why the hell were they emailing a document like that to a gmail account anyways? shouldnt they use a secure ftp server or something to do that?

Australia mulls botnet takedown scheme

Carter Cole
Grenade

slippery slope

i think this can start to be a net neutrality issue at what point do we consider a machine infected and what if the person is sending mass mailing and one doesn't like the email they get. do you knock the entire server off because of one bad review if everyone else likes the emails? what about competitors abusing the system could i disconnect your business with enough reports that your ip is bad

Hacktivist vuln still plagues UN.org

Carter Cole
Pirate

SQL Injection is easy to fix

this is just dumb i cant believe they leave such stupid vulnerabilities open i hope this article pushes them to fix the issue for their sake and their users