nick84

Agents of the Revolution
  • Content count: 1,674
Everything posted by nick84

  1. Looks like your ISP is http://www.auna.net/ (based on the IP address used to make the above post). Put your IP address http://www.whatismyip.org/ into the RIPE whois lookup tool at http://www.ripe.net/whois and it will give you more info.
  2. Audio recordings of some of the panels are now available at: http://alt.rootsecure.net/content/media_ar...3c3/listing.htm
  3. Definitely odd - I did just notice the database going very slowly, and a high number of mysql processes running. Perhaps that had something to do with it.
  4. To automatically do the dates, replace $graph_start / $graph_end with either of the following:

```php
// Using strtotime()
$graph_start = date("Y-m-d H:i:s", strtotime('yesterday')); // Yesterday
$graph_end   = date("Y-m-d H:i:s", strtotime('today'));     // Today

// Or using mktime()
$graph_start = date("Y-m-d H:i:s", mktime(0, 0, 0, date("m"), date("d")-1, date("Y"))); // Yesterday
$graph_end   = date("Y-m-d H:i:s", mktime(0, 0, 0, date("m"), date("d"), date("Y")));   // Today
```

For more info see http://uk2.php.net/mktime and http://uk2.php.net/manual/en/function.strtotime.php If anyone has a VoIP wiki account please do post it up there.
  5. Just had a go at a php script to make an ascii graph of total calls within a specified start/end date/time. See http://www.digitaldawgpound.org/?p=180 for more details.
  6. It is up on the website at http://www.2600.com/radio/shadow/
  7. The password is not stored as plain text in the cookie, it is stored as an md5 hash. If you are looking for extra security, I would recommend using a token approach - user posts username/password, server checks they are valid, and if so issues the user a "token" (ie a 32 char unique string), this string is then associated with the user account at the server level, and the username/password or any hash of the password is never stored on the user's PC. The above code was a "simple example".
  8. I can not really give out the login code, it is class based anyway so probably more complicated than you need. I have coded up a simple example (see below) that should get you started. Only problem with it at the moment is that if the user has a "|" in their username / password it will break - but rather that than using two cookies. Ideally a regex should be used and the "|"'s escaped if entered as user data, but I have not managed to find a regex that will work so far. Another approach rather than using cookies directly is to use php's sessions (however I tend to stay away from them due to concurrency / locking issues).

```php
<?php
// Set blank username / password vars
$username = '';
$password = '';

// If logout clicked
if (isset($_GET['logout'])) {
    // Then remove cookie
    setcookie('auth', '', 0);
} else {
    // If form is posted
    if (isset($_POST['login_username'])) {
        $username = $_POST['login_username'];
        $password = md5($_POST['login_password']);
    } else if (isset($_COOKIE['auth'])) {
        // Otherwise if there is already a cookie set
        // Split cookie value into username / password
        $cookieparts = explode('|', $_COOKIE['auth']);
        $username = $cookieparts[0];
        $password = $cookieparts[1];
    }
}

// If there is a username (ie user has a cookie, or attempted to login via post)
if ($username) {
    // Check if username / password are valid / look them up in the database
    if (($username == 'myusername') && ($password == md5('mypassword'))) {
        // Set logged in flag
        $loggedin = true;
        $statusmessage = 'Login ok';
        // Set cookie to remember login for future (save both username / password in same cookie)
        setcookie('auth', "{$username}|{$password}");
    } else {
        // Set not logged in flag
        $loggedin = false;
        $statusmessage = 'Username / password incorrect';
    }
} else {
    // Set not logged in flag
    $loggedin = false;
    $statusmessage = 'Please login';
}

if ($loggedin == true) {
    $self = htmlentities($_SERVER['PHP_SELF']);
    echo <<<EOHTML
{$statusmessage}
<br />
Secret info here....<br />
<br />
[<a href="{$self}?logout=1">Logout</a>]
EOHTML;
} else {
    $usernameh = htmlentities(isset($_POST['login_username']) ? $_POST['login_username'] : '');
    $self = htmlentities($_SERVER['PHP_SELF']);
    echo <<<EOHTML
{$statusmessage}
<form method="POST" action="{$self}" name="frm_login">
<table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="100%" bordercolor="#C0C0C0">
<tr>
<td width="100">Username:</td>
<td><input type="text" name="login_username" id="login_username" value="{$usernameh}" size="30"></td>
</tr>
<tr>
<td width="100">Password:</td>
<td><input type="password" name="login_password" id="login_password" value="" size="30"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value=" Login " name="login"></td>
</tr>
</table>
</form>
EOHTML;
}
?>
```
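The token approach described in post 7, applied to the cookie login in post 8, as an added example that is not nick84's code: the cookie carries only a random token, the server keeps a hash of that token against the account, and no password or password hash ever reaches the client. It assumes PHP 7.1 or later; $store is a constructed in-memory stand-in for the users/tokens database tables.

```php
<?php
// Added example (not nick84's code): the token approach from the post above.
// Assumes PHP >= 7.1. $store stands in for the users/tokens database tables;
// a real deployment must persist it, or the cookie cannot be looked up next request.
$store = [
    // Constructed user record: only a password hash is stored server side.
    'users'  => ['myusername' => password_hash('mypassword', PASSWORD_DEFAULT)],
    'tokens' => [], // sha256(token) => username
];

// Verify credentials; on success issue a random token and return it (else null).
function login(array &$store, string $username, string $password): ?string {
    $pwhash = $store['users'][$username] ?? null;
    if ($pwhash === null || !password_verify($password, $pwhash)) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 64 hex chars, unguessable
    // Keep only a hash of the token, so a leaked table yields no usable cookies.
    $store['tokens'][hash('sha256', $token)] = $username;
    return $token;
}

// Map a presented cookie value back to a username, or null if unknown.
function user_from_token(array $store, string $token): ?string {
    return $store['tokens'][hash('sha256', $token)] ?? null;
}

// Logout invalidates the token server side, not just the cookie.
function revoke_token(array &$store, string $token): void {
    unset($store['tokens'][hash('sha256', $token)]);
}

$username = null;
if (isset($_GET['logout'], $_COOKIE['auth'])) {
    revoke_token($store, $_COOKIE['auth']);
    setcookie('auth', '', time() - 3600, '/', '', false, true);
} elseif (isset($_POST['login_username'], $_POST['login_password'])) {
    $token = login($store, $_POST['login_username'], $_POST['login_password']);
    if ($token !== null) {
        // HttpOnly keeps the token away from page scripts; pass true for
        // the secure flag when serving over HTTPS.
        setcookie('auth', $token, time() + 86400, '/', '', false, true);
        $username = $_POST['login_username'];
    }
} elseif (isset($_COOKIE['auth'])) {
    $username = user_from_token($store, $_COOKIE['auth']);
}
echo htmlentities($username !== null ? 'Login ok' : 'Please login');
```

Because the token is random and stored only as a hash, a "|" in the username no longer matters and a stolen database does not yield valid cookies; the login form itself is the same as in the post above.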
  9. Unfortunately not, I would like to someday, but it will not happen anytime soon. Saying that, it is pretty standard code at the moment - PEAR POP3 for reading emails from a catchall / *@willhackforfood.biz, and some custom login / reading code. If there are any specific parts / concepts you are interested in, I could probably post up bits and pieces - let me know.
  10. Due to requested features, development time available, and the available server platform, it was coded in a certain way, which meant it was more open to abuse. We knew this from the start, but at the time thought the risks were acceptable. If / when it is recoded, the balance between security / usability + features will be tilted more in favour of security. Before we were using SquirrelMail as the front end, however to increase security a SquirrelMail type interface will likely need to be written from scratch - which is no quick job. Along with the abuse problem, the code we have is customised to our server setup, therefore it will likely not work on just any other server. Binrev / DDP ran willhackforfood.biz, we have nothing to do with the HaXXX0r DVD series.
  11. Yes that is correct, and the folder is not "down" or in need of "fixing" - I suggest you read my previous post. linlin PM'd me with FTP details, and I am currently uploading the files, so hopefully when I am done he will post a url. Also someone was asking about mirrors of other conferences - there is a pretty comprehensive mirror of blackhat / defcon content at http://mirrors.easynews.com/blackhat&defcon/ Edit: I have now finished uploading all the videos - just waiting for linlin to post the link.
  12. I put up the citizen engineer, and implanted rfid videos at http://umap.binrev.com/archives/misc/hopenumbersix_videos/ If someone PMs me in a couple of days, I will swap those two for two others, depending on how the bandwidth usage is. Those are not all the talks, the full list is at http://www.hopenumbersix.net/speakers.html I only bought the DVDs for the ones I thought would be worth watching. I do have videos / audio from other conferences but have not got the bandwidth / space to host them.
  13. I have a couple of the videos in divx - if anyone has a server with a reasonable amount of bandwidth for mirroring (or would like to make a torrent), PM me the details and I will upload them. Otherwise if there are one / two that people are particularly interested in I could probably put them up on http://umap.binrev.com/ for a day or so depending on how much bandwidth it starts to use. Personally I found the rfid, privacy is dead, tracksploits, urban exploring, defensive technology, citizen engineer, and low level firmware analysis talks worth watching.
  14. Your first link is missing the .com on the end http://www.asteriskblog.com/
  15. An interesting read. Do you know if it lets you edit config files manually (extensions.conf etc) along with the web interface / if you do does it overwrite them? I downloaded it 3 months or so ago, but could not seem to get it working. The install went fine, but then after a reboot I was left at a terminal, and asterisk did not seem to be installed. So I just downloaded / compiled it manually (I was guessing either the installer crashed out due to my hardware - a reasonably spec'd P4 from memory - either that or I was meant to do something manually, but I could not find any documentation as to what that was).
  16. Just put up a new article, on how to RFID enable your front door using a Parallax RFID reader, a TTL serial to Ethernet module, and some custom C# .net code.
  17. It is not particularly designed to make it any more secure. Since the normal key (or lockpick set) will still work (also the backup in case the server crashes / there is a power cut). The 'electronic strike' replaces the part the lock goes into, rather than the lock itself. The way I see it, it is far easier to pick the lock / break a window than to build the equipment to capture / duplicate an RFID tag.
  18. Works just fine as long as you give it a *regulated* 5v power supply, although mine does seem to get very hot. I have left it on for a couple of hours without problems so I am guessing it is normal. It has got a reasonable read distance on it - a good 5-8cm or so, even through a 2cm block of wood. I have had some problems using it with the "Parallax Basic Stamp 1", but I think it has to do with the stamp module's software serial port, not the reader.
  19. I would definitely recommend the book RFID Toys by Amal Graafstra http://www.amazon.com/RFID-Toys-11-Cool-Pr...9727903?ie=UTF8 It has a number of do-it-yourself projects, and lists of suppliers. Also see http://www.digitaldawgpound.org/nick84/post=125 for some more info. I bought the Parallax reader and am currently experimenting with it http://www.parallax.com/detail.asp?product_id=28140 but depending on what you are trying to do, the Phidgets USB reader may be a better option http://www.phidgetsusa.com/cat/viewproduct.asp?SKU=93002
  20. I would also doubt it is bricked - the Cisco 7960s seem quite resilient in that area. Have you tried leaving it plugged in for 10 minutes or so, then pressing the settings button a couple of times - does it come up with any menus? From there you should be able to set the IP / TFTP server / check software etc. If you are unable to get any menus up I would guess the phone may have been in the middle of a firmware upgrade / attempted automatic downgrade (on failure) when previously unplugged. I tried to upgrade the SIP firmware on one of mine, and something went wrong in the middle of it, then the phone kept rebooting. I was unable to access any of the phone settings etc, however I eventually checked the tftp server logs, and found that it was attempting to downgrade back to the previous SIP software (which was not on the tftp server), using the previously set tftp server. I therefore put a copy of the old SIP image there, and it downgraded successfully, then started working again. I have also seen some odd issues with one phone not being able to get an IP address from my DHCP server (all the others work ok) - the only way I got round the problem was setting it on a fixed IP / subnet / gateway etc.
  21. I watched it a year or so ago when it was on the BBC, and found it interesting. Wikipedia has some more info on it at http://en.wikipedia.org/wiki/Spy_(television) Apparently there are some similar series called "Spymaster" and "Spymaster USA", has anyone seen these / were they any good?
  22. Just posted up a new article on the DDP Blog: http://www.digitaldawgpound.org/nick84/
  23. No idea, it is nothing to do with us.
  24. Clickatell http://clickatell.com/ and SMS Driver http://www.smsdriver.com/ have some info on sending ringtones on their websites.
  25. Adobe PDF restrictions are generally optionally implemented by the client PDF reader application. If you open it in GSview - it should just ignore any restrictions. http://www.cs.wisc.edu/~ghost/