chaostic

Everything posted by chaostic

  1. I'm trying to find one of those php ip logger things that when I link an image in one page, logs the ip, maybe time/date, and referring page (or page that holds the image). Mainly, cause I want to see who is checking my myspace page (Yea, I know.) I don't need it to change the image every time (Image rotator), or depending on the ip (Like vipersig) but being able to use my image rotator php in it would be nice. But what I would like aside from the ip logging, would be if I can log which myspace user is visiting my page. All I know is each page gets a token added to the end of the address when I'm logged in, so is that token id usable to me to identify someone to a myspace account? Er, and I want to run the code on my web host, not use one of those other services.
  2. I have never been able to crack WPA2. If you have a video of you doing it or someone else I would love to see it. The recent WPA crack is a TKIP problem. WPA2 with TKIP has the same exact flaw. So WPA2(TKIP) is cracked. Since half of all WPA2 devices only have TKIP option, it is a big problem. WPA2 + AES has not been cracked. JFGI.
  3. And since Lexmark is using GPLd software on the printer, and provided Ag here the sources as required, why would he be sued?
  4. Of course, the first install should be cross-compiled on a better desktop. Everything else wouldn't be a problem.
  5. You should offer Lexmark the right to distribute your work in exchange for pay/free new printers and crap/swag. Nice work.
  6. Un-flipping-believable!!! The uuber-stupidity of this is that there are TWO attack vectors. Since anybody can sniff the BSSID, that's a no-brainer. But wait, there's more...the other vector is: Are you familiar with OUIDs? The first three octets are assigned by manufacturer by IEEE. http://standards.ieee.org/cgi-bin/ouisearch So if you know (or guess) the maker of the device, you've got the first, second, and third octets as a gimmee. For example, if the rocket-scientists at Verizon are using Actiontec, then 00:34:95 is going to be the first half of tens of thousands of pass-phrases. From there the rest of the pass-phrase is a simple six character combination of 0-9 and A-F. 470,184,984,576 combinations, or around 70 minutes at 500,000 PPS. In reality you would create a ~600mb rainbow table with the values pre-populated, and it would take less than 20 minutes (since mac addresses are pairs of hex digits, it would be a smaller pool). The blinding irony of this is that the keyspace for the AES encryption of WPA2 is gi-normous. Unless you're NASA with a room full of FPGAs, you are not going to ever get within a galaxy of brute-forcing AES. And yet, some Telco leaves the key under the mat..... With both WPA being cracked, and one version of WPA2 cracked as well, wtf is secure anymore? WEP/WPA/WPA2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.
  7. I assume this is the reason why if you send a file while talking to someone on skype, it sends at a miserably slow speed, i.e. bytes per second, but if you put the call on hold it does a good job of using up all your upload bandwidth? No. That is bandwidth throttling, QOS, packet prioritization/queuing. With things like vonage and hardware voice adaptors acting as another router that can ensure that it tries to use the most bandwidth that your network has for voice when you are trying to use voice. Also, some dsl connections (Don't know about cable) get degrading upload speeds if you are also downloading a lot. Using both up and down is worse than using them individually.
  8. OSx86 works fine on some netbooks. The Dell Mini9/VostroA90 were perfect for it. http://gadgets.boingboing.net/2008/12/17/osx-netbook-compatib.html The problem with 10.6 is that it is too new for a working x86 hack to be out and about yet. And with the large variety of netbooks, it's a crapshoot.
  9. Wouldn't three passwords be better? 1- Low Level Throw Away Web passwords 2- High Level Web passwords (banking) 3- Local passwords (Computer logins) Any network password can be found out, leaving your local computers at risk. Three passwords would prevent that. A further step would include a high level password for local encrypted files/access.
  10. XMMS v1.14 noXMMS (XMMS without the gui) 1.12 VLC for some other stuff.
  11. Set up a computer with two modems/FXS/Phone adaptors, one plugged to each line, and install Asterisk.
  12. Agreed. Must be something to it, ever notice how junk mail or bills never seem to be post-marked anymore? An interesting experiment might be to take some BS mail you get, drop it off in a drop box across town, and see if it makes its way back to you. If it does, it would have some interesting implications. Bulk mail is pre-sorted by the mailer, and essentially pre-paid by contract with the USPS. No need to post-mark digitally scannable mail.
  13. Just giving you a warning. White hat or not, "hacking" is hacking, and can land you in jail if an over-zealous prosecutor or cop gets on your ass. And just like the chart that PS posted, some of that info is human readable. Just look at some of the mail stamped by that machine at your office, and you will see what the serial number of the machine is. Honestly, I thought that info to be pretty common knowledge in regards to barcodes and tracking of postage use.
  14. Trying to Hack Government property. Trying to defraud a Government organization. Messing with the Postal Police. All federal pmita prison offenses. Word to the weary, those machines tend to stamp the unique machine ID as well as the postage paid stamp. They do audit usage. You or the company that owns the machine would be caught eventually.
  15. Most newer WRTs have a VXWorks platform instead of just linux, so it is harder to replace. Also, skimping on hardware options like flash and ram made full dd-wrt options impossible, so you get the mini packs. Eh.
  16. So wrong, that "Wrong!" is not enough. http://www.dd-wrt.com/wiki/index.php/Supported_Devices http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html dd-wrt runs on more routing hardware than toasters run linux and pornsites have popups.
  17. That's interesting...I didn't know bank of America does that...I'm probably misunderstanding you but do you realize that that setup is by far even less secure? The fact that it displays anything of the 'real' password has just increased the chances of someone breaking it, literally, exponentially. Even if they were bogus numbers all they are doing is using a substitution which is in essence what the star is anyway. BTW...Both my bank and college are vulnerable to this trick. I have come across authentication programs that use 'tags.' Is that what you are talking about with the cookie? If you have more information on what they do please post. Also, it isn't hard to do what they are doing...all they are doing is turning on and off the password and text attribute of the Object for the Password Field; however, the variable containing the typed in password is plaintext. The 'stars' are just a 'graphic' to prevent people from literally looking over your shoulder and seeing the password. Like I said in my last post, just experiment and see...you can turn the attribute on and off at will while in the browser. Also I didn't mean that HTML is flawed and prevents you from coming up with a solution...HTML with Javascript/VBScript/or any other powerful web scripting language can make HTML jump through hoops...the 'flaw' if it is a flaw (at some point plaintext must be transmitted to the point where it will be encrypted that's why key loggers even though simple are so pernicious) is that an Input field box (I don't know the 'official' designation for this in HTML but I think we all know what I mean) can be toggled to either show or obfuscate the inputted text. My point about third party solution was that you would have to come up with your own inputting program/solution to bring the encryption of the input 'closer' to the keyboard but there will always be a hack here since at some point plaintext is inputted.
The point about changing the standard was so that an exclusive password/secure input box would be developed whereby the text is actually never placed onto the page but immediately encrypted and stored in a buffer in memory waiting to be transmitted to the external site, but since the current method of input is so widespread I thought that that would be very unlikely. I also wanted to explain that you are not cracking the password or anything too; the secure fetching and decrypting process had already occurred and deposited the decrypted info in the Object of the Password Field. The box is plaintext, not password object. The site uses javascript to live write the page, and fills in the plaintext box with the saved "olb_signin_prefill_multi" (or "olb_signin_prefill_multi_secure") information, the first 4 digits of the passcode + 6 asterisks. This prefill information is saved in a cookie, with a hash and date of last input. All you need to do to know the user's passcode (Really, just a user name, you still need to recognize a picture and put in a password on a second page) is copy all the boa cookies to another computer. But by using the hash in a cookie instead of relying on the browser to store the password, you do prevent displaying what it is to someone using that javascript trick. On a locked down computer, it would make it harder to find out.
  18. Not just 256. You would need a lot more than that. 192.168.x.x 172.(16-31).x.x 10.x.x.x And that's if they stick within the reserved private ip ranges. OpenWRT is a lot more flexible with hardware mods. OpenWRT on the fonera or Linksys was the first to have bit-banging i2c and SD card interfaces, and DD-WRT hasn't successfully ported most of those features, but tries to keep up. Better packaging system too.
  19. There was a vulnerability for DD-WRT that was published a while back. It's only a problem if you have decided to allow management of the router via the web. That's probably not a very good idea anyway. The info is here. http://www.dd-wrt.com/dd-wrtv3/community/developmentnews/34-dd-wrt-httpd-vulnerability-milw0rmcom-report.html Well, there's more to it than that. <img src="http://192.168.1.1/cgi-bin/;reboot"> Combined with an img bbcode tag on these forums (with a redirect if needed) and anyone who views your thread is kicked offline. Anyone who leaves their router/network on the default network range isn't security minded in the first place.
  20. Some places use an encrypted cookie or something like that, and make the password box display a mix of stars and the last four of the password. The stars are plaintext asterisks. Bank of America does this. So it is possible to avoid this problem in normal html.
  21. The thing about both DD-WRT and Linksys's firmware is that the source is out for both of them. You can check for backdoors, and as heavily worked on as both are, any would have been found and announced by now. DD-WRT uses iptables I believe for its firewall. IPtables is old and well established as one of the best firewalls out there.
  22. Use a different computer to download and burn the drivers, or copy them to a flash drive.
  23. javascript:(function(){ var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page."); }) (); ~ Edit: Fixed /n to \n
  24. Apple's Mail.app has a "Bounce" option, that would tell the sending server that the mail actually bounced instead. It can also redirect a message to another address but still have the original sender as the from address, instead of a regular forward.
  25. All of them? My old pc has PCM1, PCM2, Master, and some other channel. Master and PCM1 were useless.
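
Added example, not part of chaostic's posts or any forum's own code: a forum-side check for the image-tag request to a router's management address described in post 19, covering the private ranges listed in post 18. The function names, the `[img]` BBCode syntax and the sample post are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed BBCode image syntax: [img]URL[/img]
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def points_inside(url):
    """True when an image URL must be refused: non-http(s), unparsable,
    or a literal private / loopback / link-local address."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return True
    if parts.scheme not in ("http", "https") or not host:
        return True
    try:
        # Browsers also accept a bare decimal host such as 3232235777.
        addr = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # DNS name; resolving it is outside this sketch
    return addr.is_private or addr.is_loopback or addr.is_link_local

def scrub_post(body):
    """Return (clean_body, blocked_urls) for one forum post."""
    blocked = []

    def replace(match):
        url = match.group(1)
        if points_inside(url):
            blocked.append(url.strip())
            return "[image removed]"
        return match.group(0)

    return IMG_TAG.sub(replace, body), blocked

# Constructed sample post, not taken from the forum.
SAMPLE = (
    "nice rig [img]http://192.168.1.1/cgi-bin/;reboot[/img] "
    "[img]https://example.com/pic.png[/img] "
    "[IMG]http://172.20.0.1/x[/IMG] [img]http://172.32.0.1/x[/img] "
    "[img]http://10.0.0.138/y[/img]"
)

if __name__ == "__main__":
    clean, blocked = scrub_post(SAMPLE)
    print(clean)
    print(blocked)
```

An external image URL that redirects to the router, which the post mentions, passes this check, so it does not replace fixing the router itself.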