Posts

via Julien: % S=(sleep code) ; echo ${S[$(($RANDOM % ${#S[*]} + 1))]} sleep Guess it’s time to goto :BED :-(

Dana got Alex thinking about RSS Spoofing, which in turn got me thinking about RSS Hijacking. Imagine you find some reliable, popular site that is cross-site scriptable. Send out a few million phishing emails that add an RSS feed to the page via scripting and “target” adds said RSS feed to their reader. Continue with the thought Alex had about tracking valid info for a while, and then pouncing. Now of course there are some diminishing returns here - most RSS readers are fairly tech savvy and not likely to fall pray to a phishing scam, but RSS is gaining popularity…

I attended my first Chicago Nerd Dinner tonight and had a great time. I was afraid I would miss most of the night as I had an appointment in Naperville until 6pm, but despite the rush hour and snow coming down, time from Naperville to Downtown was only 30 minutes! I thought a “1” was missing in front of that time, but the highway’s were clear…everybody must have left work early to beat the snow. ...

Like so many others, I stumbled across Filangy over on Jeremy’s blog. Being hip and trendy, I signed up for a beta and no less than a few days later received an invite. The theory behind Filangy is awesome and would greatly benefit how I use the web, however I cannot in good conscience use the service. Why? Simple - security. I have discovered two fairly major security flaws with their implementation, which I have informed Filangy about, that put Filangy users at risk with respect to the (limited) personal information stored in Filangy. However, it is fairly obvious that this tool was not built with security in mind and that worries me. In my experience, if their developers were not aware of these issues prior to this point, the fixes will likely be tacked on solutions and will fail to fully correct the problem. The fact that the JavaScript rollovers seem to be snagged from Dreamweaver do not make me very optimistic… ...

Should I be worried that whenever I am about to receive an incoming call or message on my cell phone and have headphones on, I can detect it due to some fairly loud clicks and buzzes in the earpiece. Perhaps I should take a look at how much radiation my phone is emitting. I do appreciate knowing that a call is about to come in, though, so I can dig my phone out of my pocket.

I stumbled across a post a couple days ago that challenged to solve the Hanoi problem using batch. Being a batch aficionado and scripting everything from IPSec policies and network configuration to remote VNC installs, I thought I would give it a shot. The algorithm to solve the Hanoi problem is actually quite simple and with the exception of N-1 not being set properly the second time around, it was pretty easy to convert the pseudo-code to batch. To make it a little bit more challenging, I configured the script to be fairly dynamic in that it determines how many Hanoi disks there are and initializes it’s variables based on that. I am very much against writing scripts that you need to modify when an external factor has changed. My solution is available here: hanoi.bat ...

How Microsoft builds an attack and penetration testing team. Some good points in that paper, including: Less cost over the long term.The hardest part of starting an Attack and Penetration Testing program is finding the first person.It is important to find people who not only have the technical skills to find vulnerabilities and the personality that drives them to try to break systems, but also good interpersonal and team skills.Three people are the recommended minimum Attack and Penetration Testing team, one with each of these specialties (Host, Network, Application).There is a spirit of competition on the team that drives each team member to be the first to find the vulnerability in a new target being tested. Different people on the team take the lead on different projects on a rotating basis, to balance growth opportunities across the team.One prime motivation of all of the testers on the team is the pursuit of knowledge and understanding.As team members become more senior, a greater portion of their time is devoted to research and managing or mentoring other team members.Wow...this is so right-on.

I just wrote up a Chicago version of this, then happened to hit the side-button of my mouse that also acts as “Back” and consequently lost the fairly large post I had made…argh!

After my recent Domain Controller failure, I brought up a virtual machine as a second DC and then demoted my original DC. Ever since, I had been receiving SceCli (Event ID 1202) errors every five minutes. Microsoft support was actually very helpful this time. The error message made reference to http://support.microsoft.com and indicated I should query for “troubleshooting 1202 events”. I did so and was directed to this knowledgebase article, which instructed me to enable some detailed logging. After doing that and examining the log, I found the source of the problem: “Error 1355: The specified domain either does not exist or could not be contacted. Cannot bind to the GC.” ...

I came home from my trip to find my Domain Controller down and out for the count. It was almost as if the power supply was completely dead, because I couldn’t even get LED’s. So after a couple days of grieving, I ripped all the hard drives out and started putting them in my other box to find out which one held all my data that I never backup. Turns out that’s the one that doesn’t spin up at all - an old IBM Deskstar 34GXP (Model DPTA-373420). ...