Teh Interwebz

299 posts

Organized Hacking Contest: Pwn2Own

Hacking is usually an ‘underground’ sport, something nerdy Eastern Europeans do in their mother’s basements. The only time a hacker would come together to meet another hacker would be on an IRC channel. Not so anymore, with conventions like Defcon, Blackhat, and CanSecWest.

CanSecWest has an interesting contest. A hacking contest. The targets are the most common browsers: IE, Firefox, Chrome, and Safari. A new feature this year is the addition of smartphone hacking: Apple iOS, Windows Phone 7, Google Android, and BlackBerry OS. In total there is $125,000 in cash prizes. Another cool aspect of the competition: if you hack the computer running the target browser, you get to keep the laptop.

Like any good contest, there are the favorites. Charlie Miller, a software analyst from Baltimore has won the contest 3 times before. In 2009 Miller took down Safari running on an Apple in 10 seconds! He scored $10,000 and a laptop for his troubles. “Nils” (The contest allows anonymous entries) – a German computer science student, won last year, cracking Firefox, Safari, and Chrome in less than 10 minutes. In 2009, Nils broke the encryption for IE 8 the day before it was released, netting a new Sony laptop and $5k. George Hotz, the 21 year old who broke the Playstation 3’s copy protection (not to mention being the first person to ever jailbreak the iPhone) will be competing this year.

The biggest challenge this year is Google’s Chrome browser. Chrome runs in a ‘sandbox’ mode in Windows (basically insulating bugs in Chrome from affecting the underlying Windows system.) Google has put up $20,000 if someone can break Chrome’s sandbox mode in the first day.

Contests like this just aren’t cool in the computer security world. They provide vendors with information on how to improve the security of their products. When someone hacks a browser/device they also share technical information on how they did it with the contest organizers, TippingPoint. Details on the hacks aren’t released to the public until the vendor has time to fix the bug.

Pwn2Own runs during the CanSecWest conference, being held in Vancouver CA between March 9-11 2011.

Masterpiece Twitter: Ice-T and Coco

By Danzig and Dancing Queen

During its nearly five-year storied history, Twitter has remained steadfast in its commitment to bringing the best…or just bringing 140 character expressions from individuals around the world. The Twitterverse is filled with eclectic characters and contemporary celebrities who have filled the ether with their random thoughts on life, love and luxury.

In this weekly series, Danzing and Dancing Queen will risk brain cells and credibility scouring the Twitterscape to bring you the best of Twitter. We will then perform dramatic recitations of these tweets for your listening pleasure. Please, enjoy.

This week we feature Ice-T and his wife, Coco.

WARNING: Pictures and language are NSFW (Not safe for work, for the uninitiated)

Ice-T, as performed by Danzig: 

Coco, as performed by Dancing Queen: 

*Danzing and Dancing Queen are not professional actors, but do play actors on Crasstalk.

How Obsessed Are We With Facebook? This Much.

 

Yes, we all know that many, many people are on Facebook.  A lot.  But seeing the numbers, in visual as well as text form, shows that many of us spend way, way too much time on Facebook.

Is this where we want to be? But is Facebook a tool to enhance our social lives, or has it become a replacement for it, and does it matter? As for what it’s doing to users, it was reported on Wednesday that two researchers at Cornell found that using Facebook boosts self-esteem. On the other hand, an Oxford neuroscientist warned that Facebook and other social networking sites may be leading to less empathy, a shakier sense of identity, and an aversion to real-life interaction. While it remains to be see whether children are in imminent danger of growing up into sociopathic confused shut-ins, that a large percentage of people now spend more time interacting online (hi, guys!) than in face-to-face situations is vaguely troubling even to one who has been more or less glued to a computer since the age of eleven, when I discovered AOL message boards and was unaware that there would ever be anything better than a dial-up modem.

What does Mark Zuckerburg think about all of this? I don’t know, but I imagine it goes something like this.

 

Video: Alex Trimpe on Vimeo

Music: “Deadwriter” by RJD2

Image via smemon87’s flickr

Back up Facebook, simply, for free

Lots of you guys use Facebook. Facebook is notoriously hard to back up. Although I’m not aware of any large server outages, if you post a lot of pictures to Facebook its good to have the important ones saved in a secure place. There are a number of programs you can download that scan through the Facebook directories and download each and every file individually, they’re hard to use. There’s a simple solution.

Backupify will download and save your facebook profile and files on their server, for free. It requires you to sign up for an account with them, but its a very simple solution to a very tricky problem.

(Yeah, click the link above. It should be red.)

Follow the directions for the setup, and you’ll soon be on your way. If you have any problems, contact them!

The DrunkenNES breathalyzer

The 8 bit NES homebrew/modding scene is at it again. Not content at modding an NES to fit in to a Genesis, or modding an NES to fit in to PC, some guy got to hacking a breathalyzer in to an NES cartridge. You’ve been blowing on the cartridges forever (the only way to make them work, duh.) I already know that the only time you feel like playing Zelda is when you’re drunk (or depressed. You want to feel a sense of accomplishment, so you beat Zelda in 3 hours, for the 93rd time. But you’re depressed, so you’re probably drunk too.) So modding a breathalyzer in to an NES cart is actually a good idea. Function and form come together in perfect symmetry, yet again! This is actually sort of impressive because he coded a cartridge to display your score etc. Getting the “party frog” is the equivalent in getting the Soyuz rocketship in Tetris. Hah! Not really! Getting the “party frog” only tells your friends what they know and you’re hopelessly in denial about: You’re a drunk!

Snoop Dogg joins the war on cybercrime?

Snoop Dogg, prolific gangsta rapper, crack dealer, pimp, dog fighting breeder, felon, Norton Internet Security spokesman? Yes.

That was the OLD Snoop Dogg. 19 years later, he’s teamed up with Norton to bring you the “Hack is wack” contest, where if you spit the best rhyme on why hacking is “whack” you’ll win a free laptop (Loaded with Norton Internet Security 2011!!!!) a trip to LA to meet Snoop and his management, and tickets to a Snoop Dogg show! (2)

OMG HOW STOKED DOES HE LOOK IN THAT VIDEO?! Really, my life is complete. Snoop Dogg has legitimized heuristic discovery of suspect processes, polymorphic software, and x86 stack overflows. I can now walk through Watts and have street cred!

Creep with me as I crawl through the drive,
Maniac, lunatic, pay the bills to stay alive,

Hey. Its a job.

Clouds Are Not to Be Trusted

1 comment

Did you know that your precious pictures, videos and email live in a cloud and could disappear at any time?  This week Google accidentally lost data for 40,000 to 150,000 users (reports vary) and is trying to restore the data.  Flickr is well known for deleting photos and Facebook might remove your art photos because some old cat lady is a prude who is just thinking of the poor children.  Usually photos are on your computer since you had to retrieve them from your camera, but email often exists only on your provider’s servers.  Cnet has put together a video showing how to backup your data from Gmail and some other tips for backing up your other data.

Help us find today’s worst Politico article ever

1 comment

If we can agree on nothing else, let us at least agree to agree that POLITICO (All caps, please. K THX) is absolutely terrible. Politico is the Qadaffi of websites. No… Politico is the Charlie Sheen of websites. Unhinged, incomprehensible, obsessed with meaningless bullshit and you need a chlamydia test after fucking with it.

So why don’t we throw a little contest for the Crasstalk Army:

Let’s prowl Politico in search of the most execrable, mundane, pointless or otherwise awful article on the site today and post a link in the comments.

Tomorrow we’ll announce the winner. The prize is a very special Crasstalk post, written by me, extolling your virtues and affirming your place in history. Who wouldn’t want that?

So to inspire you, I found this pathetic aborted fetus of an article. Here’s the headline:

Smitten: GOP gushes with more Obama praise

First of all, stop gushing on Obama, GOP. Also, you can’t just put “Smitten:” at the front of a headline and expect it to make any sense. Usually you do something like that if you want to attribute the statement to someone. Like for example, “Scientists: Charlie Sheen Not Actually a Real Drug.” See, that would make sense.

To prove the writer’s point that the GOP is gushing on Obama, it goes on for about two solid paragraphs with a lukewarm Haley Barbour quote and then wraps up with this:

In his typical overly-Texan tone, Perry said the president is “a good talker” rather than communicator.

Perry though made clear that he thinks the Obama may like to hear himself talk, frequently mentioned how “long” the president took to answer some of the governor’s questions.

WHAT DOES THAT EVEN MEAN? GAHHHHHHHHHH POLITICO. WHY DO YOU TEASE US WITH SUCH BULLSHIT????

How to abuse Google’s search ranking, for fun and profit

J.C. Penney, one of the oldest and most trusted institutions of commerce, was recently caught bumping up their search rank in Google by using deceptive tactics.

Google has been around since 1998, and ever since they came online, people have been trying to exploit its algorithm to make it so their pages appear first on Google’s listing. Have you ever gone to a website and seen a bunch of terms at the bottom of the page, or sometimes hidden (only visible when you highlight them with the mouse)?

The site was trying to artificially bump its search ranking. Google has “robots” that search the web and extract pertinent words. Loading your site up with descriptive words is one of the oldest tricks to try to get in to Google’s index. Google keeps their search algorithm secret, but they do disclose some information about how their bots work.

J.C. Penney exploited Google’s search algorithm through site links. Lets say you’re selling tires. If a bunch of automotive-related websites link to yours, Google takes that in account and assume that your site’s content is highly relevant and deserves a high rank. The more sites that link to yours, the better.

Google is smart enough to rank sites in terms of overall importance, so a link from someone’s tiny blog might give you +2 points, but if a site like Walmart links to you (they’re big, and get a lot of traffic) – you’ll get +10 points. The more points, coming from relevant sources, means a higher rank. You’re probably thinking “who cares if you’re #1 vs #2 on Google’s search ranking?” but the exact position matters. A lot. Researchers have done studies that say most people are proportionately more likely to click on the #1 link. If you’re a business as big as J.C. Penney, millions of dollars are at stake.

J.C. Penney decided to hire a shady SEO (search engine optimization) company to register thousands of websites whose sole purpose was to link to J.C. Penney. The SEO company would fill these sites with commonly-used search terms, and links. For an example, here’s a link to a Huffington Post “article” that was published before the Super Bowl:

http://www.huffingtonpost.com/2011/02/05/what-time-superbowl-start_n_819173.html

See how most of the “content” is short, simple paragraphs which seem to be factoids (at best)? This site is designed to be indexed by Google so that someone searching for “What time does the Superbowl start?” will be directed to the HuffPo page. This is way more advanced than J.C. Penney’s stunt. (Their pages are so un-interesting they’re not even worth linking to, unless you like looking at lists of household goods.) This HuffPo page isn’t really an article, it’s not really a “listicle” … its a page designed to drive traffic to the site.

Simple tricks like this have been vetted by Google since its inception. Since Google relies on bringing pertinent search terms to people, they really frown on stuff like this. A couple of years ago BMW in Germany decided to post a bunch of invisible text on their website (terms like “cars, auto, which car is the best?” etc) and Google de-listed them. They removed BMW from any and all Google searches! (BMW changed their site and got re-listed.) Every couple of months someone will come up with a “super ninja SEO technique” to drive traffic to websites. Generally any “super ninja SEO technique” will work for a couple of weeks, until Google changes up its algorithm. (Look in the “computer” section of Craigslist, and you’ll find all sorts of ads from people with “super secret SEO techniques.” It’s mostly bullshit.)

In response to J.C. Penney’s deceptive tactics, Google changed its search algorithm. Sites that used techniques like J.C. Penney lost  a ton of traffic. In fact, Google came out and said that approximately 12% of their search rankings have changed in the past week. That’s a ton of upheaval!

Here’s another thing: Web users should be aware of how search rankings are calculated. The number one link in Google might not be the best result for you. If you run a website, its really deceptive to get traffic like this. As someone who buys a lot of stuff online, be wary of links!

Why the Feds Don’t Need a New Social Media Wiretap Law

21 comments

Are web 2.0 services like GMail, Facebook, and bit-torrent really making it harder for the FBI to wiretap people doing illegal things? Do they need congress to pass a set of laws to aid them in capturing someone who uses Facebook? As someone who works computer forensics with law enforcement agencies, I’d say no. Its not enough for them to get your data after a wiretap, they want it now!

Sure, if data lies on Facebook’s servers and not your local hard drive, the feds will have to get a separate warrant/subpoena for those locations. The government already can wiretap your e-mail using the Communications Assistance for Law Enforcement Act (CALEA).

CALEA requires telcos and ISPs to turn over real-time monitoring to the feds if they are presented with a wiretap order. If the FBI had it their way, when those providers get the wiretap order authorities would not only have access to your real-time data, but also everything stored remotely.

So you might not be updating your pics on Facebook, but since you logged in anyway, they’d have access. Its a scary thought that everything online would be this accessible. Compound that with the risk of warrantless wiretaps and it’s enough for normal people to be concerned about their privacy online.

The feds know how much they can push, though. They’ve decided that the best way for them to address real-time wiretaps is through a shady program known as “Going Dark.” It’s shady enough that the Electronic Frontier Foundation had to file a freedom of information act request to find out any info on it.

This program aims to offer “incentives” to software developers to join their program. What incentives they’re offering, they don’t say. This week a software security company was hacked and it was revealed that the government was paying them to write backdoors into software for them. Microsoft has long been accused of having a backdoor in all of their products for the NSA.

I’m guessing that the FBI is asking, politely, for similar things. I don’t know what incentives the feds could offer a company, but since the “Going Dark” program is multi-agency and spans defense, law enforcement, and the Department of Justice, they could offer all kinds of under-the-table deals that we’d never hear about.

One of the problems we’re going to face in the future is that the government has no real standards in terms of computing. One agency will run one piece of software, another will run a completely different piece, on a different platform. The government also gets bilked by IT companies. I’ve seen broke school districts paying $2,000 for a Dell workstation because that’s what their contract says they’ll do.

I’m sure the different federal agencies work in a similar fashion. I’ve given presentations at law enforcement seminars where the previous speakers were standing up and teaching computer crime units on how to use Google. (As in, “put what you want to search for in the text box, click “search!”) And while I’ve given presentations where people actually know what they’re doing, the majority however have no clue. The people who are dreaming up these projects are trying to win support from people who have absolutely no clue when it comes to technology.

Privacy might not be a major concern for you now, but if programs like “Going Dark” get slipped under the radar its going to be too late for any of us to have privacy online ever again.