Fri, 09 Mar 2007
SNR on Bugtraq is way too high.
Here's an email that ended up on Bugtraq recently:
Date: 8 Mar 2007 08:20:40 -0000
From: r00t2000@hush.com
To: bugtraq@securityfocus.com
Subject: Word Press Sensitive Directory exposure (SQL)
#Found By: r00t[ati]
#Web App: Word Press
#Version(s): unknown
#Level: low
#File Name: admin-functions.php
//SQL EXAMPLE ERROR:
Fatal error: Call to undefined function __() in /usr/local/www/****/data/wp-admin/admin-functions.php on line 1593
Thanks,
r00t
Here's another email that ended up on Bugtraq a while ago:
Date: 23 Dec 2005 09:16:00 -0000
From: hackeriri@yahoo.com
To: bugtraq@securityfocus.com
Subject: Found new bug
In GOD We Trust
Kachal667 Under9round Team (KuT)
Hi,
Here's my(LrK) new advisory about PHP Website.
PHP System - Input Data(simple XSS) vulnerabilities
Date: 02/11/2005
Summary
-------
PHP is a language for programming and it is a very good language for portal programming.
We see some portals with PHP like:
PHPBB, PHPNuke and ....
Details
-------
If the programmer is not professional, he will probably make a mistake,
if he doesn't stop some tags like:
<script>alert(document.cookie)</script>
<iframe src=http://eg.com/deface.htm>
To fix it you should write simple code for stopping iframe or script or ...
http://www.PHP.com
Lone Rider Knight
Why does Full-Disclosure (the mailing list) suck? Because it's unmoderated and any random person who wants to flex his e-wang (or woman doing whatever the equivalent is) can post the most worthless things. Bugtraq, last I checked, is moderated. So please tell me why the hell completely worthless posts are making it through.
Stop the posts about [insert random poorly written piece of web software here] or the "hey, we just updated a package in our linux distribution because it was vulnerable to something" posts. If I want to know when you update your package I'll go read your mailing lists (like I do with FreeBSD). And let's be entirely honest here. Anyone who is going to install one of those piece of crap web things is not going to read Bugtraq so stop letting stupid posts through.
The obvious argument against me is: "well, who the hell are you to decide what is important software and what isn't?" You're right, I'm nobody to say such things but the research and security communities need a viable outlet to have open, honest, and productive discussions regarding these things. Bugtraq is, on a VERY rare occasion, the place for it; but fighting through the worthless drivel on the list is very tedious and annoying.
posted at: 15:20 | tags: rant | path: /entries/rant | permanent link to this entry
Thu, 01 Mar 2007
Stupid Hippies and Circuit Bending
I really don't know what's funnier. The female playing the guitar behind her head, the three drugged out stoners on the couch, the guy dancing on the pad in his socks in the background or some of the awesome phrases such as "rewiring the veins of the organism." Let's be perfectly honest here: I am all for experimentation and hacking on electronics of any form but making it out to be some artistic zen-like art form is pure stupidity. You're not doing anything but producing some interesting sounds out of a circuit which was not intended to produce sounds in that way. God damn hippies.
posted at: 19:33 | tags: circuit bending, hippies | path: /entries/rant | permanent link to this entry
Wed, 31 Jan 2007
I'll take "Stupid Software Tricks" for $400.
And the answer is: This piece of software will not let you create virtual machines over a remote desktop connection. Any attempt to finish the creation of a virtual machine from scratch results in a "The handle is invalid" error with absolutely nothing else for debugging. Attempts to use google to find out exactly what is going on lead you to forums on the vendor's website which indicate you must be at the console in order to create a VM, or must be using Terminal Services - which apparently has an (undocumented?) feature to make the Terminal Server believe you are actually at the console. After finding out that the Remote Desktop Client provided by Microsoft has no such ability you give up and get off the couch only to walk 10 feet over to the rack and login and make the virtual machine. After the VM has been created you go back to your laptop and make a new remote desktop connection into the server only to find out that you can now boot your brand new VM.
What is: VMWare Server?
Honestly, VMWare Server can kiss my ass.
posted at: 20:57 | tags: vmware, stupidity | path: /entries/rant | permanent link to this entry
Wed, 29 Nov 2006
ICMP and TCP 445? WTF!
Start -> Settings -> Control Panel -> Windows Firewall -> Advanced Tab -> Settings (Button under ICMP).
Can someone please explain to me what ICMP Echo Request/Reply messages has to do with TCP 445? My complete lack of knowledge regarding the SMB protocol probably has a lot to do with not knowing the details of this relationship, but I can also point my finger at my complete lack of caring about anything MS does anymore. It doesn't make any sense in my head, but I'm sure they have a reason somewhere.
It is briefly documented towards the bottom of this TechNet article. Some other quick Google searches and hunting through Wikipedia didn't help much, so I guess I'll just throw my hands in the air and say "WTF!"
posted at: 12:01 | tags: windows, protocols, stupidity | path: /entries/rant | permanent link to this entry
Wed, 22 Nov 2006
Why Don't They Just uuencode the File in the Filename?
Can someone please explain these updated packages and how the version numbering works? Multiple ubuntu kiddies have tried on multiple occasions and it just never makes any sense to me.
Ubuntu 5.10:
  firefox 1.5.dfsg+1.5.0.8-0ubuntu0.5.10
  firefox-dev 1.5.dfsg+1.5.0.8-0ubuntu0.5.10
Ubuntu 6.06 LTS:
  firefox 1.5.dfsg+1.5.0.8-0ubuntu0.6.06
  firefox-dev 1.5.dfsg+1.5.0.8-0ubuntu0.6.06
  libnspr-dev 1.5.dfsg+1.5.0.8-0ubuntu0.6.06
  libnspr4 1.5.dfsg+1.5.0.8-0ubuntu0.6.06
  libnss-dev 1.5.dfsg+1.5.0.8-0ubuntu0.6.06
  libnss3 1.5.dfsg+1.5.0.8-0ubuntu0.6.06
Those were taken from here. But honestly, what the hell do they mean? I'd like to know what version of a piece of software I'm running, and it shouldn't take a complicated explanation of some almost random string of characters to make me understand it.
Though nothing beats the way they name their CUPS packages...
The problem can be corrected by upgrading the affected package to version 1.1.20final+cvs20040330-4ubuntu16.5. In general, a standard system upgrade is sufficient to effect the necessary changes.
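For what it is worth, the strings above do follow a fixed grammar: `[epoch:]upstream[-revision]`, with the revision being everything after the last hyphen, and dpkg orders two versions by walking them in alternating non-digit and numeric runs. The parser and comparison below are an added example (my own code, not Ubuntu's or dpkg's) that splits the firefox and CUPS versions quoted in this post into their parts and reproduces the `dpkg --compare-versions` ordering for them; the comments on the fields are my reading of the Debian/Ubuntu conventions.

```python
import re
from typing import NamedTuple

class DebVersion(NamedTuple):
    epoch: int
    upstream: str   # "1.5.dfsg+1.5.0.8": repacked ("dfsg") 1.5 tarball carrying upstream 1.5.0.8
    revision: str   # "0ubuntu0.5.10": no Debian revision, Ubuntu security update for 5.10

def parse_version(v: str) -> DebVersion:
    """Split [epoch:]upstream[-revision]; the revision is everything after the LAST hyphen."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return DebVersion(epoch, upstream, revision)

def _order(c: str) -> int:
    # dpkg's character weight: '~' sorts before even the end of the string,
    # letters sort before punctuation such as '+' and '.'
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs (by _order) and numeric runs (by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) else 0
            ob = _order(b[j]) if j < len(b) else 0
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        na = re.match(r"\d*", a[i:]).group()
        nb = re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        va, vb = int(na or 0), int(nb or 0)
        if va != vb:
            return -1 if va < vb else 1
    return 0

def compare_versions(x: str, y: str) -> int:
    """Return -1, 0 or 1 as x is older than, equal to or newer than y."""
    px, py = parse_version(x), parse_version(y)
    if px.epoch != py.epoch:
        return -1 if px.epoch < py.epoch else 1
    return _cmp_fragment(px.upstream, py.upstream) or _cmp_fragment(px.revision, py.revision)
```

Running `compare_versions("1.1.20final+cvs20040330-4ubuntu16.5", "1.1.20-1")` shows why the CUPS string sorts after a plain 1.1.20: the trailing letters outrank the end of the string, whereas a `~` suffix would sort before it.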
posted at: 07:34 | tags: ubuntu, linux, stupidity | path: /entries/rant | permanent link to this entry
Tue, 07 Nov 2006
CNN Sucks - Part #(I lost count).
Is anyone else surprised by this "breaking news?"
What really gets me is that it's actually considered breaking news. Stop reporting on stupid things and report on important things. Take a page from NPR's book and get it right.
posted at: 16:34 | tags: news, stupidity | path: /entries/rant | permanent link to this entry
Wed, 04 Oct 2006
Reason #858509133596079er why Windows sucks.
I have no idea if this is true for all versions of Windows but I believe it to be true for every version of Windows I deal with. Let me also state that I'm only basing this on the limited Windows knowledge that I have.
A few days ago at work I had the need to watch for ICMP echo/response messages on a span port. Not a problem, just fire up tcpdump on the box connected to the span port (it happened to be a Linux box, but I washed my hands afterwards so I'm clean again) and filter for only ICMP messages. Everything was working great until I was receiving constant and fairly regular ICMP echo/response messages between a pair of Windows machines that I wasn't expecting at all. Curiosity got the better of me and I pursued this a bit further.
They are ICMP messages so it's not like they have TCP or UDP sockets listening for them. That means anything that would show me which process is holding which port open would not work. This brings me to my first gripe: why does Windows not include something like sockstat(1) by default? Instead I have to go to sysinternals.com and download it separately.
My second gripe is that with DTrace this is a no-brainer to track down. If Vista doesn't have a facility to profile a system at run-time I'm going to refuse to use it more than I already am.
The quickest solution I could come up with was to download process explorer from sysinternals and use that to find all the processes that are using icmp.dll and start killing them off one by one to see when the messages stop going on the wire. This would have been great but some of them were running under SYSTEM context, which meant I would have had to elevate my privileges (not hard, it is Windows after all) to kill those processes or find the correct ones in the service listing (probably would have been a lot of guess and check work, or using google) and stop them. Of course, this whole approach assumes that what ever was sending out the ICMP messages was actually using icmp.dll and not their own wacky (raw?) socket library.
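Before chasing processes, it helps to confirm on the wire which host pairs are actually exchanging echo requests on a timer. The script below is an added example (mine, not the author's) that reads `tcpdump -n icmp` text output and reports each source/destination pair whose echo requests arrive at a steady interval; the capture lines are constructed for the example, not a real trace.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample of `tcpdump -n icmp` output: one host pair pinging every ~5 s,
# plus a single stray request that should not be reported as periodic.
SAMPLE = """\
12:01:00.000120 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 40
12:01:00.000430 IP 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 40
12:01:05.000110 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 2, length 40
12:01:05.000450 IP 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1, seq 2, length 40
12:01:10.000140 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 3, length 40
12:01:10.000460 IP 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1, seq 3, length 40
12:01:12.500000 IP 10.0.0.7 > 10.0.0.9: ICMP echo request, id 7, seq 1, length 40
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+) > (\S+): ICMP echo (request|reply)")

def parse_icmp(text):
    """Yield (seconds_since_midnight, src, dst, kind) for each echo request/reply line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other ICMP types, or a line tcpdump formatted differently
        h, mi, s, frac, src, dst, kind = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
        yield ts, src, dst, kind

def periodic_pairs(text, min_requests=3, jitter=0.5):
    """Return {(src, dst): (count, median_interval)} for request streams whose gaps
    all stay within +/- jitter seconds of their median, i.e. something on a timer."""
    times = defaultdict(list)
    for ts, src, dst, kind in parse_icmp(text):
        if kind == "request":
            times[(src, dst)].append(ts)
    result = {}
    for pair, ts in times.items():
        if len(ts) < min_requests:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        if all(abs(g - med) <= jitter for g in gaps):
            result[pair] = (len(ts), round(med, 3))
    return result

if __name__ == "__main__":
    for (src, dst), (n, period) in periodic_pairs(SAMPLE).items():
        print(f"{src} -> {dst}: {n} echo requests, one every ~{period}s")
```

Once a pair and its period are known, the interval is what to match against the polling timers of the candidate services found with Process Explorer.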
Honestly, running Windows systems in a server environment is a great thing provided you don't ever have to debug a problem on your own. You are given piss poor debugging tools in the base OS, and have to often rely on third party tools or other people and google to resolve the problem. Personally, I'll stick with FreeBSD and Solaris any day of the week, and twice on Sundays. Hell, I'd rather deal with Linux (not ever gentoo; that's another rant that I can elaborate on later: why the hell does every gentoo box I've ever touched not have nslookup, dig, host, nc, telnet, tcpdump, or any other USEFUL FOR DEBUGGING THINGS WHEN THEY BREAK program installed?).
Now that that is out of my system I'm going to spend some time this weekend attempting to port Jordan's keynav to Win32. I'll work on an OS X port if I ever get a Macbook Pro.
posted at: 09:44 | tags: windows, stupidity | path: /entries/rant | permanent link to this entry
Wed, 20 Sep 2006
Further proof that the world is going to hell, fast.
Venezuelan President says Bush smells like sulfur because he is the devil and it makes front page of CNN.com. If you don't like somebody call them names! That's an elementary school technique and it doesn't surprise me that politicians are doing it, nor that the media is reporting on it.
If NPR makes a big deal out of this then I have officially lost all faith in humanity. NPR is about the only thing that doesn't suck for news now-a-days.
posted at: 14:57 | tags: news, stupidity | path: /entries/rant | permanent link to this entry
Tue, 08 Aug 2006
Stupid quirk of firefox #248972469er
Having unplugged for a week and gone to Vegas to geek out without touching a computer myself, I come back and decide I want to take 10 minutes out of my busy (catch-up) work day to read some news sites I missed. I have a bunch of bookmarks grouped together just for this purpose. I normally go through them one at a time but today I decided to risk clicking the "Open in tabs" option from my bookmarks. Firefox decided to (sort-of, I'll explain later) wipe out all my current tabs in favor of the ones I had in my bookmarks. Gee, thanks for completely obliterating all the tabs I had open for reasons, firefox. I suppose this is an option that can be turned off somewhere, but it's pretty god damn stupid I think. This type of behavior should be turned off by default. When I want to open my bookmarks in tabs, open them in new tabs; don't wipe out my old ones.
I had roughly 8 tabs open in my browser, and 3 in my bookmarks that I wanted to open at the end of the list. Firefox ended up opening the first bookmark in the first tab, the second bookmark in the second tab, the third bookmark in the third tab, and then completely closing all the other tabs. I can get my first three tabs back by hitting back on each tab, but the rest are gone. What a piece of crap idea by firefox people.
posted at: 12:47 | tags: firefox, stupidity | path: /entries/rant | permanent link to this entry
Mon, 03 Apr 2006
Another rant, on more crappy software.
I have a friend who takes really good photographs. Most of the backgrounds I use on my laptop come from him. I'd highly suggest checking out his work, it's good stuff.
Apparently he recently upgraded his gallery install. Now, I'm still running the original gallery on syn and while I admit it's not nearly as snazzy looking as his gallery I can't bring myself to migrate away from the old gallery. In fact, I'm probably going to go to something less sucky than my current version when I put my new hardware in place for the replacement of syn. Why do I dislike Gallery (I'll refer to the old gallery as Gallery 1 and the new one as Gallery 2 from now on) so much?
First, Gallery 1 just looks old and out-dated - which it is. I'm sure I could go find some fancy skin/template somewhere on the web and hack it into place, but that is far more effort points than I care to spend on such a thing. The point is to get pictures out as quickly as possible. Looking nice is a bonus, not an essential.
Second, Gallery 2 is a bloated pile of crap. Yes, it has some nice features but do I really want to maintain a database (and all the crap that comes with that, like keeping it up to date, dealing with upgrades between versions, etc) just for pictures? When trying to present pictures I think moving to a database is probably a stupid idea. There are appropriate uses for a database, and binary storage of my images is not something I consider to be an appropriate use of a database.
Third, Gallery 2 does things I don't like. I hope you can turn these things off, but if you can't it's another reason why I think it's a bloated pile of junk. Features are a nice thing to have, but too many of them causes confusion when trying to determine which to have turned on or off, and too many turned on by default causes headaches when trying to use the application. I'm a big fan of KISS in applications. As an example, I recently wanted a new background for my laptop so I found this image from Nuzz's Gallery. While I used to be able to right click the picture on that page to get the smaller version I apparently can't do that anymore. Now each half of the picture is a link to the previous, or next, image in the series. While this makes for easier navigation there is no way for me to download and save the smaller image, which is the only one I want, for my background. The only download link is a 1600x1064 photo, which simply looks obnoxious to me. Now my only options are to download each half of the smaller photo and composite them together or download the big one and resize it myself. Gee, thanks Gallery! You really made my life easier by removing one useful feature in order to make navigation easier - despite no visual indication that I can click on either half of the image to navigate around until I actually mouse over it, and even then half of the indication is my cursor changing thanks to my browser while the other half is a small white arrow you put at the top corner of the corresponding half of the image I just moused into.
And yes, I just used "mouse" as a verb.
posted at: 11:01 | tags: stupidity | path: /entries/rant | permanent link to this entry