0x538
Feed last updated 2024-03-08T18:33:39.326-06:00

Dear cleartext-email password people,
Published 2009-01-13T16:21:00.004-06:00 (updated 2009-01-13T16:50:49.902-06:00)

An open letter to websites that require your registration, then email you your details, including the password, in cleartext.

Dear cleartext-email password people,

You've got to be fucking kidding me.

Firstly, let's pretend you have some kind of technology that allows you to safely store passwords in cleartext. Let's further pretend that there's a way to safely transmit and store those passwords through email. Pretending that, why are you sending people the password they just set 30 seconds ago? Do you think they've forgotten already? Do you think they blindly mash the keyboard, in order to keep their password SO SECRET that not even THEY know it? Did you not bother to code an "I forgot my password" function?

Secondly, let's merely pretend you have the magic Safe Storage of Cleartext Passwords technology. Why are you sending cleartext passwords through email? Suppose a Bad Guy gets into the user's email account, whether it's the user's fault [poor password, unattended session, insecure environment] or not [server hack, vulnerable authentication method, session hijacking]. Thanks to the miracle of YOUR technology, all the Bad Guy needs to do is search for "Password:" and now he has your user's account details, along with the details for any other crappy sites just like yours. If the user doesn't choose a different password for every account (and who does? I don't even do that, and here I am writing obscene security rants), the Bad Guy now has a nice user/pass pair to try for more significant services than your crappy site [banks, paypal, etc.].
Thanks for doing your part to deploy Vulnerability In Depth!

Thirdly, let's abandon all pretense and face it: there's no reason for you to store cleartext passwords in your crappy database. I'll let you in on a secret: thanks to time travel, I've come up with a more secure way to do things! I've traveled back in time to the 1970s and brought back a magical pile of voodoo called <a href="http://en.wikipedia.org/wiki/Cryptographic_hash_function#Applications">password hashing</a>. If you want to go nuts, you might even consider salt! [Haha, I do not refer to food in the previous sentence. An explanation of "salt" is <a href="http://en.wikipedia.org/wiki/Salt_%28cryptography%29">here</a>, and an explanation of "nuts" is that you're retarded.]

Fourthly, go to hell. If you actually wrote that code, fuck you. Put some forethought into it. If you merely use that code, fuck you. Don't make your users pay for someone else's stupid mistake.

Love,
Me

Posted by hogg

__stack_chk_fail_local
Published 2008-11-27T22:05:00.003-06:00 (updated 2008-11-27T22:10:34.841-06:00)

So there I was, trying to build <a href="http://www.immunitysec.com/resources-freesoftware.shtml">SPIKE</a> in an Ubuntu 8.10 VM. GCC gave about 9,000 warnings, then said something like this:

/usr/bin/ld: (blahblahblah)<something>: hidden symbol `__stack_chk_fail_local' in /usr/lib/libc_nonshared.a(stack_chk_fail_local.oS) is referenced by DSO

Since it took me longer than 10 minutes to find the solution, I'm posting it here. The solution is to manually edit the Makefile and add "-fno-stack-protector" to the CFLAGS. Then make clean; make. The end.
Happy Thanksgiving.</something>

Posted by hogg

FUCKING ECONOMY
Published 2008-10-10T22:32:00.002-05:00 (updated 2008-10-12T00:44:37.311-05:00)

<a href="http://www.scmagazineus.com/Prices-for-stolen-information-plummet/article/119263/">http://www.scmagazineus.com/Prices-for-stolen-information-plummet/article/119263/</a>

Posted by hogg

libpcap 0.9.8
Published 2008-08-30T00:52:00.002-05:00 (updated 2008-08-30T01:00:15.306-05:00)

Because tcpdump.org is shit, and I had to scour pages to the ends of the internet to find this, I'm putting it here in this easy-to-find location. Enjoy the fruits of my labor.

<a href="http://sites.google.com/site/0x0538/Home/libpcap-0.9.8.tar.gz?attredirects=0">Download libpcap-0.9.8.tar.gz</a>

Posted by hogg

Broadband Speed and Whiny McCryface
Published 2008-08-13T22:12:00.003-05:00 (updated 2008-08-13T22:19:56.213-05:00)

Every now and then one of <a href="http://www.technewsworld.com/rsstory/64157.html?welcome=1218682790">these stories</a> comes along saying "WAAAAAAAAAAAAH, the United States has broadband that's way slower than everyone else in the world!"

Let's ponder this for a moment. Can you think of a reason why Japan, South Korea, and France have more bandwidth on average?

Maybe it's because, compared to the United States, they're THE SIZE OF A FUCKING POSTAGE STAMP?

I mean, I have a network in my living room that has over fifteen fucking times the bandwidth Japan does. It's called a gigabit LAN, and at this rate it'll take Japan a few millennia to catch up to its "speed."
The United States will never catch up, largely because the United States is a big bunch of retarded stupidheads (at least that's the implication in most of these articles). What do we even know about the internet, anyway? Like... nothing. We basically copied it from Japan.

Posted by hogg

Slippery slope
Published 2008-07-17T15:26:00.002-05:00 (updated 2008-07-17T15:28:47.446-05:00)

Today, <a href="http://gizmodo.com/5024550/zing-laser-brings-laser-cutting-goodness-to-the-average-guy">this</a>.

Tomorrow, kids are downloading and printing handbags, TVs, and cars.

(And yes, I most certainly <span style="font-style: italic;">would</span> steal handbags, TVs, and cars, if they cost 100 times what they should and if I could download them for free with a trivially small chance of getting caught.)

Posted by hogg

Failing Windows Updates
Published 2008-07-12T23:16:00.004-05:00 (updated 2008-07-14T11:54:51.214-05:00)

After installing Service Pack 3 on a Windows XP Pro machine, I needed to download some security updates. After downloading the updates, Windows Update informs me that it cannot install them. I've had this problem before and just reformatted every time it happened, but this time it was personal.
It ends up being a simple fix:

Go to Start/Run/cmd.exe

Run the following commands:

<pre>rem Stop the Automatic Updates service
net stop wuauserv
rem Re-register the Windows Update DLL
regsvr32 C:\WINDOWS\system32\wups2.dll
rem Start the service again
net start wuauserv</pre>

Finally, run Windows Update again.

Posted by kn1ghtmare

Have faith in humanity?
Published 2008-06-11T03:14:00.003-05:00 (updated 2008-06-11T03:18:29.227-05:00)

Then read <a href="http://attrition.org/security/rant/dl-compensation.html">this rant at Attrition</a>. They should know what they're talking about; after all, they keep better tabs on <a href="http://attrition.org/dataloss/">data loss</a> than anyone else I've heard of.

I kinda wish one of those incidents would happen to the credit bureaus ("Experian accidentally posts complete credit history of everyone in the world to the Pirate Bay"), and then maybe we could get this silly outdated shit behind us.

Posted by hogg

A Lighter Ubuntu
Published 2008-06-09T13:59:00.003-05:00 (updated 2008-06-09T14:06:02.770-05:00)

To display all of the installed packages in Ubuntu (installed via apt) by size, use the following command:

<pre>dpkg-query -W --showformat='${Installed-Size} ${Package}\n' | sort -nr | less

<span style="font-family: times new roman;font-family:verdana;font-size:85%;" >To uninstall packages completely as if you were making a live-cd, use:</span>

apt-get remove --purge package name

<span style="font-family: times new roman;font-family:verdana;font-size:85%;" >There is a new package 
called remastersys in the repositories</span><span style="font-family: times new roman;font-size:85%;" > that makes creating a live-cd simple.
The howto can be found at:</span>
http://www.howtoforge.com/ubuntu-linux-mint-livecd-with-remastersys
</pre>

Posted by kn1ghtmare

Verified By Idiots
Published 2008-05-25T22:04:00.008-05:00 (updated 2008-05-25T22:38:57.683-05:00)

Yesterday I was helping a friend order something online. It was the first time she'd used her Visa card to purchase something on the internet, so she had to go through the steps to create a Verified By Visa password. Verified By Visa is a service that Visa performs that basically creates an out-of-band authentication whenever you make a purchase with participating retailers. So basically, it adds another bit of authentication to your purchase - not only do you need the credit card details and CVV, but also this password you set up with Visa.

So far, so good. I really can't complain about that. Problem was, when my friend tried to enter her usual password, which is a decent password (non-dictionary, both letters and numbers), a Javascript alert box popped up saying her password did not meet the Password Policy, please try again. It didn't say why.

So she and I started trying all kinds of things to make her password better, introducing more characters, mixed case, more numerals, special characters, all over the place but to no avail. Same message every time. At this point, I was already annoyed that they do this checking client-side (hence the Javascript alert box) and I considered bypassing the script and forcing it through anyway.
But, just to be a good sport, I decided to look at their code to find out what the damn Password Policy requires.

Let me back up: I had to look at the code because I looked at the "Verified By Visa" FAQ pages about password requirements and they said that the password policies are set by the card issuer. Well then.

So I viewed the source of the frame containing the Verified By Visa password entry form. I didn't see the code for the alert box there, so I looked for includes that might contain it. "pwdbase.js" looked promising, and sure enough, there it was. The javascript file is currently <a href="https://secure2.arcot.com/acspage/en_US_WellsFargo_DC_pilot/pwdbase.js">here</a>. (Yes, the card was issued by Wells Fargo.)

So I looked through the code, found the alerts about the password policy, and finally found the offending code:

<pre>else if( (/\W/).test(document.passwdForm.pin1.value) || (document.passwdForm.pin1.value.length < 6) || (document.passwdForm.pin1.value.length > 8) )
{
    alert("Your password does not conform to the Password Policy. Please try again.");
    document.passwdForm.pin1.focus();
    return false;
}</pre>

I almost couldn't believe it, but I know people are idiots. The reason it wouldn't accept the password is that PASSWORDS CANNOT BE LONGER THAN EIGHT CHARACTERS, and hers is longer.

Un-fucking-believable. Let alone the fact that they do their checking client-side, which at best is unnecessary (if they're not brain-dead and do checking server-side too), and at worst allows any password to be sent, even a blank one. Let alone their popup boxes that tell you nothing (browsing the code, you can see one that helpfully says "isbad " and then the password you entered). This extra bit of security, that involves your name, address, SSN, and PIN (they have to verify that you're you when you set your password, after all), cannot be longer than eight characters.
And I'm pretty sure, looking at the rest of the code, that it can only contain letters and numbers.

I wish this weren't so commonplace, but the fact is, I have to have a dumbed-down password that I can use for online shit like this. I had to make it exactly eight characters, and remove the special characters from it. But to see this from a BANK? In a measure that's supposed to IMPROVE security?

So I went to the website for the Wells Fargo Verified By Visa thing and I used their little contact form to send them an email. The gist of it was "Are you INSANE? I'm glad I'm not a Wells Fargo customer, and with this I'll probably never be one, since I don't know if I can trust my data with a company that does this." They emailed me back:

<blockquote>I understand your concern about the Verified by Visa program. This program is run by Visa directly.

For information about Verified by Visa, please contact them directly at 1-800-318-9617 for enrollments with check cards or 1-877-262-8636 for credit card enrollments. Bankers are available to assist you 24 hours a day, 7 days a week.

Chris Cataldo
Wells Fargo Online Customer Services</blockquote>

No, idiot. Fuck. I know it's not Chris's fault he doesn't understand the problem. But at least he could have asked his manager about it or something.

And what about <a href="http://arcot.com/">these Arcot jackasses</a>? Apparently they run all the "Verified By" programs. Maybe they could enforce a little password common fucking sense of their own? But then, their banner graphic says it all: "Strong authentication so simple, even a child can use it." Well, sorry, but I don't think credit card authentication should be so simple a child can use it. Grownups should be able to do more to protect themselves than children can. Of course, experience would suggest they can't, since everyone's inclined to type "password" into every box asking them to set a password.
Maybe Wells Fargo is onto something after all, and the world isn't ready for passwords longer than eight characters. (Although if their shitty Javascript is any example, maybe someone has already snatched their client database, and if they want passwords, they only need to generate tables for six- to eight-character alphanumeric strings. Have fun!)

So here we have a team effort to produce crappy security: Arcot, not putting an ounce of effort into guaranteeing protection in the systems they set up; Wells Fargo, having client-side Javascript checking to enforce their retarded password policy; and people in general, doing the best they can to make sure it's easy to steal their data. As someone who's supposed to go forth and protect the people in general, I know I need to get used to the idea that they're trying to be bigger idiots than idiot-proof systems can handle. Fine. But it's just really disappointing to see such negligence and stupidity on the part of a bank and a credit card protection system, who should fucking know better.

Posted by hogg

mod_security on Debian Etch
Published 2008-05-21T19:11:00.008-05:00 (updated 2008-08-22T02:29:34.121-05:00)

For licensing reasons, mod_security is no longer in the Debian repositories.
To add it there, add the following to /etc/apt/sources.list:

<pre>deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/etch ./</pre>

Then add the gpg keys with the following commands:

<pre>gpg --keyserver pgpkeys.mit.edu --recv-keys C514AF8E4BA401C3
gpg --export -a C514AF8E4BA401C3 | sudo apt-key add -
sudo apt-get update</pre>

You can now install mod_security to Apache2 through apt:

<span style="color: rgb(102, 102, 102);font-family:courier new;font-size:85%;" > <span style="font-family:arial;">apt-get install 
libapache2-mod-security2</span></span>

Posted by kn1ghtmare

Anti-Forensics
Published 2008-04-30T18:10:00.003-05:00 (updated 2008-04-30T18:17:31.251-05:00)

Here is Brad's and my Anti-Forensics presentation given at the <a href="http://its.ne.gov/cybersecurity/conference/index.html">Nebraska Cyber Security Conference</a> on April 22, 2008.

<a href="http://ajnewmaster.googlepages.com/antiforensics.pdf">Anti-Forensics</a>

Posted by kn1ghtmare

anyway, this cake is great
Published 2008-04-15T02:21:00.001-05:00 (updated 2008-06-11T03:19:57.595-05:00)

it's so delicious and moist

Posted by hogg

Bookmarklets
Published 2008-04-10T02:10:00.007-05:00 (updated 2008-04-10T02:25:45.009-05:00)

Here is something you can drag up to your bookmark toolbar in Opera, Firefox, and IE to clean up annoying web pages.

Simply drag the link to the bookmark toolbar.
To clear CSS: <a href="javascript:(function(){var i,x;for(i=0;x=document.styleSheets[i];++i)x.disabled=true;})();">ClearCSS</a>

Posted by kn1ghtmare

FIRSTPOST
Published 2008-03-25T01:49:00.001-05:00 (updated 2008-03-25T01:49:39.236-05:00)

Posted by hogg