37 posts • joined 14 Aug 2009
There is defense
just because defense is hard doesn't mean there isnt any defense... if you have a public API someone is scraping it doesnt matter if its against TOS its up to you to be smarter than them... google created one time access tokens so you can pass a secret to lookup one call and one call only
yes its easier to break than build duh... you have to find 1 hole and we are trying to find and plug all the small leaks in the dam that may lead to the catastrophic failure and total breach
tell me im wrong... im @cartercole and id love to argue with you :)
can someone lend me a Beowulf cluster?
quick someone make up some text that makes them sound really dumb for using an insecure hashing algorithm then calculate the collision to match their mission statement hash... lolz
too busy blowing stuff up
im sad i missed this xss attack... google seems like they fixed it quick.
i so called this would friggen happen
not that it wasnt totally predictable but i called this
all i see is a universal key for spies
like why not write virus code to open any rfid door or cell like that guy said... i mean ton of code and exploits but for reals military put some people on that (id bet you a penny there already are) and make a way cool electronic lockpick
10k reasons why
you can make 10k virtual machines for free but even with old 386 you're going to pay more for power and each machine to the point where it becomes ineffective to try and scale
another feature to add to the code in my head
to have a giant botnet would be awesome but i must confess ive been writing code in my head for one (and how to make it beat all the other) thanks for the heads up on another feature i need to add in :)
man what a great company...
im guessing some sql injection
sounds to me like they found a few sql injection holes and they are modifying the template after they fix each hole... iono its just speculation
it produces molten iron that could burn through an engine block
aluminium and iron oxide (rust)
it was a phish email...
they got an email from a rich foreign investor who wanted to give some funds to the kids but needed the collateral to make the transfer
i thought he confessed when they picked him up...
new hacker defense... leave malware on your computer and claim that they stole your identity and made your evil blog posts as you and that you actually know nothing about computers... when the judge asks you about your ip then you can just claim "ip in the toilet"
sql injection ftw
i just peeked at screen shots it looks like it was compromised with sql injection...
use pass phrase
instead of using passwords that are one word you should use pass phrases like "ilovetoeat" upper and lower i think help the most but just to get length they usually haven't computed hash for passwords that long and brute-force would take forever
dont they use a custom ua to request those urls?
ok so i made a page that returns the ua of the request in the title and shortened it with bit.ly
i got the title back as "bitlybot" (bitly bot is the ua that bit.ly uses) then i made it so it would "cloak" the page when bit.ly was requesting it http://bit.ly/cloakua now you get different page if bit.ly requests it rather than a regular user. this is even better if you know all bit.ly ip then you can do ip based cloaking which is even better
i know this is a simple attack but i think it demonstrates my point
man i love php
i think this will be a growing trend compromised web hosts will be used in bot-net style attacks using php as more and more c&c and "bulletproof hosting" options are taken down or disconnected on the internet
thats a bunch of bs
i have vanity urls and hope this never happens to me... i bet the company complained and they killed the name...
my server doesnt save all the request headers
yea i dont think that header was saved and like the others said if all they used was a proxy shame on them they could sit outside a house and use that wifi
so does someone have details of the bug?
id really like to know more
but most of all sammy is my hero...
the same was true of one of my favorite xss attacks the myspace hero worm
seen here with technical description http://namb.la/popular/
myspace got pissed and brought up charges so even tho hes not a for pay hacker malware guy he still may have some legal trouble in his future
ok how bout this one
so you use Anti-Pinning DNS attack to bypass firewall after you have identified a target with an office of windows 7 then use flash to send the broken packet to the broadcast then the loop-back and shut down the entire office...
social engineering is used to tweet to an employee during the day to allow for the DNS attack
would that work? would broadcast kill all the vulnerable computers? can flash send a "broken" packet?
remember when they figured out the domain algorithm for conficker
good idea because it would be really hard to predict what the next days twitter trend will be so you cant preregister or block those domains to keep them from contacting command and control like they did for some of the other C&C domain generators that are predictable so you can get in front of the hackers
ooooh they changed the names of some groups...
conspiracy by apple or at&t?
if its just jailbroken phones perhaps its apple doing it or at&t they dont want you to have that functionality and everyone is jailbreaking the way to stop it is to spread fear of a worm that will f your phone
not good programming
like they said if its not implemented properly anything can fall. as far as the first comment on it being illegal to modify computers i think they modified the C&C servers not the bot PCs (like BBC did) so it would be hard pressed to find the owner of the computer
this will happen more and more
i think that this is only beginning when i have thought about writing a bot the services that many provide are ideal for use with a botnet. what if they start adding steganography to the images they upload to Facebook and the profile looks real and everything looks natural but its all a bots page to keep its settings saved and relay commands
do you not get oauth?
i know its new to a lot of people but i was thinking this the other day what if they get your google oauth then they can do all kinda nasty but you just revoke the tokens and if you have already been hacked then you already prolly sent some spam for them so a couple more messages because you forgot to revoke tokens isnt that bad. could they make it more clear how to clear the tokens and such yes but its not that bad
oh noes the hackers didnt knock on our door and tell us that the "secure" wap was really controlled by them bla bla bla well now ur on a wall the only networks you can trust are your own the isp can watch everything go by do deep packet inspection and all kinds of other bs and you would never know
everyone already saying it but i gotta chime in too
windows is not the issue its dumb ass users yes trojans are nasty and they can even do tricky stuff like rewriting the banking webpage so you don't even see your funds are gone but if you use even a little common sense you wont get infected. when i get a virus (usually because i was slumming it on the nastier parts of the internet looking for viruses) i wipe my computer. i don't log into online banking anywhere i make sure that i trust that the machine is not compromised and if i even start to suspect it i wont go to online banking. i mean its like saying use macs because they dont get viruses well now they are and while some other options may be less likely to get infected but if you are just safe in the first place you will never have an issue
i would so be part of the american version
so when yall dudes at the network are looking for american contestants for the tv show id love to be part of it
how bout a warning for bad urls
how bout before it sends you to destination it warns you that this link is for security researchers and that it has malicious code behind it and if you click you're ok
god i love gamers...
i agree not stego
i want to write a bot that uses true stego like knows where to find the original image (from some google page or a image hosting site) and then keeps its data stored like in the sample pictures of the computer or something i think that would be a cool bot.
if thats true recaptcha is broken
if they are making new profiles with any kind of speed or volume it isnt humans filling in captcha and recaptcha has been broken
why the hell?
why the hell were they emailing a document like that to a gmail account anyways? shouldnt they use a secure ftp server or something to do that?
i think this can start to be a net neutrality issue at what point do we consider a machine infected and what if the person is sending mass mailing and one doesn't like the email they get. do you knock the entire server off because of one bad review if everyone else likes the emails? what about competitors abusing the system could i disconnect your business with enough reports that your ip is bad
SQL Injection is easy to fix
this is just dumb i cant believe they leave such stupid vulnerabilities open i hope this article pushes them to fix the issue for their sake and their users