fb_xd_fragment Facebook Bugfix

My server suddenly logged a rash of weird requests with something like ?fb_xd_fragment= in the URL. This is not good, because if you try this manually it renders a blank page, and blank pages are BAAAAAAAD! So upon googling I found it’s a bug with the new Facebook API and (you guessed it) …

ACH Fraud becoming ever more clever

Last week I saw Hal Pomeranz of the SANS Institute give a talk on how ACH (Automated Clearing House) fraud has become increasingly sophisticated. It is a serious problem and it’s beginning to have a non-negligible economic impact on business here in the USA. In this blog post I will summarize the takeaway points and suggest some counter-strategies for people who are likely targets.


How to access ext2 FS from WinXP and Leopard

Here’s the scenario: I’m trying to get data together from several old hard drives that are lying around. Some of them are dual boot Linux ext2 and a variety of Win’s all the way back to 2000. Then I have a fairly large drive that is pure ext2. I don’t want to haul the …

Zend Tool bug and work around

I have fired off the new Zend Framework tool several times now to automatically create a scaffolding for a new project. It’s pretty handy, though for a lot less work they could have just included a premade scaffolding in the download. The Zend Tool is fairly new and evolving, and will only get …

OAuth: Totally!

What is OAuth, and why should you care? Here’s the deal: Just like Skynet of Terminator fame, web apps have lately been doing a lot more talking to each other on the “back-end” instead of all web communication being between a human and a web app. This is a GOOD thing as long as the humans control what talks to what and what data is shared. Instead of copying and pasting a whole bunch of data from Web App A into Web App B, you can now just give Web App B permission to go get it. And if you ever change anything on Web App A, you only need to change it there: Web App B will pick it up. This makes things convenient, but in the past it required giving Web App B your password to Web App A! As a developer, I understand why they really do need this info, but you don’t need to be a paranoid security analyst like me to imagine how easily an evil person could promise an app that does something cool, suck up your credentials, and use them for nefarious purposes. And nowhere is this more true than on Twitter.

Booby Trap your Email: catch common snoops

THIS ARTICLE IS NOT SERIOUS DORKAGE. ANYONE SHOULD BE ABLE TO DO IT. You’re probably here because you suspect someone (parent, spouse, sibling, roommate, etc.) is reading your email. That’s the problem. Before I describe the booby-trap I will insert this caveat: Problems like this are best avoided from the get-go. Did you ever consider logging out of your Facebook, Hotmail, etc., and/or not leaving your computer on all the time? Didn’t think so. Secondly, what kind of a significant other would spy on you? On the other hand, if you act suspicious you deserve it. If it’s parents or your sister who’s graciously letting you sleep on her couch, you could move out. That would require you paying your own rent, of course, and may not be an attractive option for you. Thirdly, why are you getting emails that you don’t want your near and dear ones to know about in the first place? OK, I withdraw that question. If you must get dicey emails, it’s not that hard to remove all footprints. That does require a bit of work and we’d all rather not do that. Nah… these bits of wise living advice are usually ignored. You want to:

  • continue living with the snoop so you can continue eating their food
  • continue getting the dirty emails
  • not clean up after yourself
  • not get caught.

And besides, you would really like to trap someone in the act of snooping in your email, wouldn’t you?

New offline phish technique targets noobs & luddites

Who is least likely to recognize a phish when he sees one? A noob or a luddite, right? As more and more people get online, more and more people are getting savvy about phish scams. The only people still likely to be highly vulnerable are those people who still don’t have the internet woven into their daily life. We all know someone like this, and if you are reading this blog you are probably NOT one. These folks hate going online and they check their email once a week or so, if at all. They delete all email unless someone phones them and tells them “Look for an email from me.” They are clueless about the internet and tend to believe things are what they seem to be. Ideal victims, but how would you push a phish in their face in the first place?

Back at the Zend Framework… finally!

Warning: HARD CORE DORKAGE!!!! I hope beyond all hope that I have obtained the book that will drag me over the learning curve for Zend Framework for real. The book I am referring to, Zend Framework In Action by Allen, Lo & Brown, was meant to come out in September, but it finally made it.

Ultra Custom Twitter REAL Mosaic Poster

In a recent blog post on the Twitter Mosaic Web App I showed an example from a Twitter app that randomly tiles your follower avatars into a grid and then tries to sell you the design on shirts, mugs, etc. This is not a true mosaic. In a true mosaic you place the tiles taking into consideration their color, in a way that forms a bigger meta picture. There is free software that will do this if you give it a folder full of tile graphics. So all I would need to do is download the follower avatars for any given user. I wrote a script to get the avatars of the followers of any Twitter user. Then I fed those files to a free desktop mosaic creator. The graphic at the head of this article is a reduced version of the result of this experiment. Click it to see a larger, but still quite scaled down, version where you can see the component avatars more clearly.