Now.. because i have about a zillion accounts, i kinda group my passwords.. since i know services admins on most irc networks read your password, i use XXX for low level access (this might include try once trial software logins).

Slightly more reliable software logins (vmware page / ms partner page) i will use YYY.. i think most people do this..

Whats interesting is that biometric readers deny us this luxury.. So, while my complex thinks its cute.. they take my reading and store it on their win95 machine (clearly i exagerate) but if Internet Banking ever goes biometric (which it often threatens to do) i’ve just given away my login.. Can you tell someone “no.. i dont want to auth using biometrics, cause its the only finger i got!” i think maybe we should..

/mh

So.. with R140 worth of VIRO lock we made our way home.. i set a combination and started fiddling while driving.. Turns out the exact same principles used for lockpicking work ferpectly here too. Apply some downward pressure on the lock, turn the dials (ive always done it in order) and you would find that either the audible click on the correct digit is louder or the dial simply sticks on the correct digit (or a combination of both).

I have it down now so i can open the lock in about as long as it would take to pick it (sub 10 seconds consistantly with “blind testing”*)

Ahh well.. maybe we should just tie a piece of string.. might take longer to cut through!

* blind testing == me closing my eyes while deels sets a new combination :>

If you are running OSX, you probably want to make sure your samba isnt exposed while you grab the latest source and build..

/mh

pdp has already covered pipes in his OWASP talk where he used it to re-write a jikto equiv. in almost-0 lines of code, along with a tinyurl filesystem. pdp also mentions Dapper, which i have not checked out till now, but looks like fun waiting to happen too..
In all the services look leet, and look like a cool way to get “unification” going for browser attacks*. Check them out, the possibilities for evil’ness should start running through your head from click 1.

/mh

* evil thoughts aside, the services offer cool hack possibilities like Al-Jazeera News networks news-2sms-service courtesy of twitter and some quick pipes..

-snip-

Linden Lab filed two motions to dismiss the suit, arguing that Bragg came into possession of his land wrongfully, but the Pennsylvania judge denied those motions.

-snip-

A few things about this are super interesting..

• Linden Labs (creators of Second Life) literally sells online assets for real world money..
• Martin Bragg (from accounts read) found that by simply adjusting his HTTP GET parameters was able to bid on not yet opened auctions.(1)
• Bragg apparently invested thousands planning to buy low and sell high

We have just started to consider the attack possibilities and where this is going but again, i suspect fun times are ahead (2)..

/mh

(1) A public facing web-app that deals with real money, that is vulnerable to an 80’s style parameter passing attack? tsk.. tsk.. (someone needs to have their web-apps audited!)

(2) i have not yet checked out Hoglund’s new book [Exploiting Online Games: Cheating Massively distributed Systems] but suspect ill take a look soon..