
Blog


    April 07

    Moving...

    I'm moving my blog to http://radi.r-n-d.org/
    Although I'd still keep this as an archive, all new posts will be published there.
    March 13

    Bulgarian "hackers": myth or reality?

    Over the past few months I have heard plenty of fairy tales about how Bulgarian hackers are l33t. They break anything and everything. Well... that's the myth. Here is the reality.
     
    A few years back I registered with a web service, neterra.net, which was streaming Bulgarian television. The service required a name and an e-mail address. So far nothing wrong... except that a few months back I began receiving spam and newsletters that were intended for other people. Cool! I get behind enemy lines. :)
     
    To keep the story short: today I received a newsletter from Skype. I've had an account there before, so my initial thoughts were that the newsletter was associated with my account somehow. Negative -- somebody else registered their own Skype account using my e-mail address. Sweet! I have a new Skype account. :)
     
    Moral of the story: Don't be a dumbass registering yourself for different services using other people's e-mail addresses. This is extremely true especially if you're going to pay for some of the services! :)
    March 05

    MSN charity

    Recently Microsoft launched a charity campaign via its MSN Messenger. More details about it can be found at http://im.live.com/Messenger/IM/Home/.
     
    I encourage everyone who uses the service to participate.
    November 03

    Pwning Democracy

    The Matrix owns us... officially. :)
     
    October 23

    (Un)Trustworthy banking

    A recent story I ran into described a phishing attempt in which the victims were asked for their credit card details. Nothing unusual, until I started reading the comments, where the following case popped up:
    A customer opens a personal banking account and receives a debit card from the bank. His contract expires and he cancels the card. Unfortunately, a bank employee does not pass on the request and instead turns the card into a credit card... The rest is obvious.
     
    So aside from the legal action that should be taken, I wonder what the technological measures against such fraud would be.
    October 13

    Simulating SSL

    Although I respect the idea behind SSL, I was wondering what the consequences would be of implementing a custom encryption mechanism for passing data between a browser and a server. Ideally it would be public/private key encryption using a well-known algorithm. The public key could then be stored within the page and the data encrypted with JavaScript; the server would decrypt it using its private key. The limitation, however, is that the client has no way to verify the server's identity: it has to trust whatever public key the page delivered. Therefore phishing would always be a threat.
     
     
    So in a more direct way: was anybody able to break the client-side encryption mechanism that Yahoo used when transmitting passwords between client and server? :)
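The scheme described above, modelled with the openssl CLI as an added example (not code from the post; it assumes openssl is installed and all key names are made up): the browser encrypts under the public key the page delivered, the server decrypts with its private key, and the last two functions show the piece the scheme lacks, a trusted party vouching for the key.

```sh
#!/bin/sh
# Added example, not from the post: the "custom SSL" scheme above (public key in
# the page, encrypt in the browser, decrypt on the server) modelled with the
# openssl CLI, which is assumed to be installed. All key names are made up.
set -e
WORK=$(mktemp -d)

# Generate a keypair called $1; only $1.pub would ever be embedded in the page.
make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Browser side (what the page's JavaScript would do): encrypt $2 under whatever
# public key $1 the page delivered and print it base64-encoded for the form.
client_encrypt() {
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
      -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# Server side: decrypt base64 ciphertext $2 with private key $1. Exits non-zero
# with no output when the ciphertext was produced for somebody else's key.
server_decrypt() {
  printf '%s' "$2" | openssl base64 -d -A | openssl pkeyutl -decrypt \
      -inkey "$WORK/$1.key" -pkeyopt rsa_padding_mode:oaep
}

# The gap the post points at: nothing ties server.pub to the site, so the browser
# must accept whatever key the page carried. SSL closes it by having a party the
# browser already trusts vouch for the key; modelled here with a pinned "ca" key.
ca_vouch_for() {
  openssl dgst -sha256 -sign "$WORK/ca.key" -out "$WORK/$1.sig" "$WORK/$1.pub"
}
key_is_vouched_for() {   # true only if $1.pub carries a valid signature from ca
  openssl dgst -sha256 -verify "$WORK/ca.pub" -signature "$WORK/$1.sig" \
      "$WORK/$1.pub" >/dev/null 2>&1
}

make_keys server; make_keys ca; ca_vouch_for server
make_keys other          # a key nobody vouched for, constructed for the demo
```

Encryption alone gives confidentiality against a passive observer; only the vouching step lets the browser tell the genuine key from any other valid RSA key, which is what the certificate in real SSL is for.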
    October 06

    Injection: the Movie

    If you like "The Constant Gardener", go watch "Injection". The information in it is impressive!
     
    October 02

    Phishing we go...

    Recently I had an interesting case with an eBay phishing scam. The e-mail was definitely fake... you could smell it from miles away, but they did try to cover their URLs by mingling their content with some legitimate eBay content. Anyhow, the phishing site was hosted in Poland and the scammer had his e-mail at azerimail.net. Obviously I went to see the site, only to find out that the kid had put up nothing more than a simple HTML page (probably just ripped off from eBay) that used the mail script of some photographer from New Orleans. Which brings me to the next point: why would you leave a wide-open mail script on the web?
    August 31

    Back to the roots

    Due to eventful times in the recent months I haven't posted much around here. And since I'm buried in some engineering concepts, my mind keeps bringing up the 2 basic concepts of security as presented by Dark Avenger more than a decade ago:
    1. Never buy a computer
    2. If you buy a computer, never turn it on.
     
     
    These 2 very important rules illustrate very clearly the problem of security vs. performance. How far is too far when it comes to security? Or better yet: what is the opportunity cost of security?
    June 08

    Pushing the limits

    I've often been asked what happens if too many players get yellow or red cards. Well... here is the rule: 5 red cards = forfeit. Check this out :)
    April 11

    Interesting case of XSS

    A recent post on Bugtraq caught my attention: XSS in Google. Two things stand out:
    • The vulnerability is triggered by different search terms depending on which language is selected; so content is separated per language, and the more interesting part is that switching languages involves more than just swapping a dictionary on the frontend.
    • The vulnerability is triggered only if certain terms occur in the search string (e.g. 1, unix, etc.). This is because different terms trigger different functionality.

    Given that much information: all your search belongs to us? :)

    April 06

    Speechless

    Just makes you proud to have such kid on your team :)
    April 05

    Corporate Lessons

    Lesson 1:
    A man is getting into the shower just as his wife is finishing up her shower, when the doorbell rings.
    The wife quickly wraps herself in a towel and runs downstairs.
    When she opens the door, there stands Bob, the next door neighbour.
    Before she says a word, Bob says, "I'll give you $800 to drop that towel."
    After thinking for a moment, the woman drops her towel and stands naked in front of Bob.
    After a few seconds, Bob hands her $800 and leaves.
    The woman wraps back up in the towel and goes back upstairs.
    When she gets to the bathroom, her husband asks, "Who was that?"
    "It was Bob the next door neighbour," she replies.
    "Great!" the husband says, "did he say anything about the $800 he owes me?"
    Concept: If you share critical information pertaining to credit and risk with your shareholders in time, you may be in a position to prevent avoidable exposure.

    Lesson 2:
    A priest offered a lift to a nun.
    She got in and crossed her legs, forcing her gown to reveal a leg.
    The priest nearly had an accident. After controlling the car, he stealthily slid his hand up her leg.
    The nun said, "Father, remember Psalm 129?"
    The priest removed his hand.
    But, changing gears, he let his hand slide up her leg again.
    The nun once again said, "Father, remember Psalm 129?"
    The priest apologized: "Sorry sister, but the flesh is weak."
    Arriving at the convent, the nun went on her way.
    On his arrival at the church, the priest rushed to look up Psalm 129.
    It said, "Go forth and seek; further up, you will find glory."
    Concept: If you are not well informed in your job, you might miss a great opportunity.

    Lesson 3:
    A sales rep, an administration clerk, and the manager are walking to lunch when they find an antique oil lamp.
    They rub it and a Genie comes out.
    The Genie says, "I'll give each of you just one wish."
    "Me first! Me first!" says the admin clerk.
    "I want to be in the Bahamas, driving a speedboat, without a care in the world." Poof! She's gone.
    "Me next! Me next!" says the sales rep. "I want to be in Hawaii, relaxing on the beach with my personal masseuse, an endless supply of Pina Coladas and the love of my life." Poof! He's gone.
    "OK, you're up," the Genie says to the manager.
    The manager says, "I want those two back in the office after lunch."
    Concept: Always let your boss have the first say.

    Lesson 4:
    A crow was sitting on a tree, doing nothing all day.
    A rabbit asked him, "Can I also sit like you and do nothing all day long?"
    The crow answered: "Sure, why not."
    So, the rabbit sat on the ground below the crow, and rested.
    A fox jumped on the rabbit and ate it.
    Concept: To be sitting and doing nothing, you must be sitting very high up.

    Lesson 5:
    A turkey was chatting with a bull.
    "I would love to be able to get to the top of that tree," sighed the turkey, "but I haven't got the energy."
    "Well, why don't you nibble on my droppings?" replied the bull. "They're packed with nutrients."
    The turkey pecked at a lump of dung and found that it gave him enough strength to reach the lowest branch of the tree.
    The next day, after eating some more dung, he reached the second branch.
    Finally, after a fourth night, there he was, proudly perched at the top of the tree.
    Soon he was spotted by a farmer, who shot the turkey out of the tree.
    Concept: Bullshit might get you to the top, but it won't keep you there.
    March 01

    The new Bulgarian jersey

    I like how Puma placed the Bulgarian coat of arms as the embedded picture.
    February 23

    Dream on

    Levski defeated Artmedia. The boys made it to the 1/8 final for the UEFA Cup where they meet Udinese. The dream continues.
     
    Everyone interested can see the game here.
    February 20

    Some simple rules in Win32 programming

    Something I received earlier today from Pavel Kalinov at gbg.bg:
     
    Joe receives 3 apples.
    He eats 2.
    How many apples does Joe have?
    You think 1?
    I didn't tell you how many apples Joe had before he received the 3 apples.
    Conclusion: xor/clear your variables!
     
     
    Joe has 3 apples.
    He receives 3 more.
    He eats 2.
    How many apples does Joe have?
    4? Noooooooo! 6! He ate the 2 apples a day earlier.
    Conclusion: synchronize your threads!
     
     
    Joe has 5 apples.
    He eats 2.
    How many apples are there left?
    3? Noooooooooooo! He didn't eat from his apples.
    He still has 5!
    Conclusion: protect your address space!
     
     
    Joe receives 3 apples.
    He eats all of them.
    During the following day, somebody asks for his apples because they were given to him only for storage.
    Conclusion: read your requirements!
    February 16

    Tag Wars: The Showdown

    This morning I ran into a very interesting posting on a forum (thanks for the link, Dimitar). Two links that just made my day:

    Comrades, it's on! :)

    February 11

    Who said...

    Who said football (a.k.a. soccer) is a boring game?
     
    Schalke 04 - Bayer Leverkusen (11 Feb 2006)
     
    1:0 S. Larsen 9'
    2:0 M. Krstajic 17'
    3:0 Z. Bajramovic 34'
    3:1 A. Voronin 40'
    3:2 D. Berbatov 50'
    4:2 K. Kuranyi 55'
    5:2 S. Larsen 63'
    5:3 A. Voronin 64'
    5:4 J. Krzynowek 70'
    6:4 Lincoln 76'
    7:4 G. Asamoah 81'
     
     
    :)
     
    February 02

    SSL: the Bulgarian way

    Imagine you have a land (far, far away) where the major institutions decide that they need to maintain a certain level of care when handling customer/user data. Since SSL has the reputation of being strong enough and useful for the transactions at hand, the people in that land turn their attention to the technology behind SSL. However, acquiring such a certificate requires certain funding (depending on the purpose of that certificate). The end of the story is: somebody stands up, self-signs himself as a certification authority, and begins selling (and certifying) SSL certificates to various financial, government, and telecommunication agencies.
     
    The fundamental problem outlined here is that the SSL chain of trust has been broken. When a fresh, out-of-the-box PC hits such pages, there is no way the computer can differentiate the real certificate from a spoofed one, because neither chains up to a root it already trusts. Therefore an attacker *can* still steal the users' data by intercepting their traffic.
     
    For more info, please look at the following URLs:
    https://egateway.government.bg
    https://www.stampit.org
     
    P.S. - This is a classic example of when social politics *should* not interfere with technology!
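The trust decision the post is about, reproduced offline with the openssl CLI as an added example (not code from the post; it assumes openssl is installed, and "homegrown-ca", "public-root" and the hostnames are made-up names): a self-signed authority issues a certificate in one command, and a client whose store holds only the well-known roots rejects it exactly as it would reject a spoofed one.

```sh
#!/bin/sh
# Added example, not from the post: the trust decision a browser makes, done
# with the openssl CLI (assumed installed). "homegrown-ca" stands in for the
# self-appointed authority in the story; every name here is made up.
set -e
WORK=$(mktemp -d)

# A self-signed CA certificate takes one command: that is all the authority
# in the story needed in order to start issuing.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate stored under label $2, for hostname $3, issued by CA $1.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
      -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
      -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# The browser's check: does certificate $2 chain up to something in the trust
# store $1? A fresh, out-of-the-box PC ships with only the well-known roots,
# modelled here by a store that contains just "public-root".
chain_trusted() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca public-root
make_ca homegrown-ca
make_ca yet-another-ca
issue_cert public-root   shop      shop.example   # anchored in the fresh PC's store
issue_cert homegrown-ca  bank      bank.example   # the story's scenario
issue_cert yet-another-ca lookalike bank.example  # same name, some other self-signed CA

# To the fresh PC, "bank" and "lookalike" fail the very same check, so users of
# the real site get trained to click past the warning that should protect them.
```

Only after the homegrown CA is added to the store (the `chain_trusted homegrown-ca bank` case) does the bank's certificate verify, which is the step every out-of-the-box PC in the story has never taken.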
    January 30

    Hackers, code reviews, social engineering

    Three terms brought together by one man and one article: Kevin Mitnick on white box vs. black box testing. As much as I respect Kevin's social engineering skills, I have to disagree that code reviewing can be considered much of a hack. I agree that it helps in finding bugs; yet, imo, it kills the enjoyment in hacking and turns it into something else. Let's face it... would you be more pleased with yourself if someone gave you a map to follow, or if you found the treasure by yourself (without external help)? Also, if the map is available to the community, how would you rate your chances of getting to that treasure first?