Busses in Ulm using Windows (2)
After my first post on this topic, someone send me an Email with some more funny images concerning Windows systems in Ulm. Have fun!
Want to send an error report to Microsoft?
The good old BSOD.
And even the university in Ulm is using Windows...
Thanks go to David of [datenschrott.de] for this pictures!
Google Chrome exploits out
Whow, that was damn fast! Only a few hours after the release of Google Chrome, the browser developed by Google, the first exploits were out, demonstrating how to hijack the users system with a little user interaction. Two bugs have been reported until now: The first one allows to infect the system, the second one makes the browser crash. So, that is interesting, let's look a bit deeper.
First of, the Denial-of-Service bug. The interesting thing about this bug is, that it makes the whole browser instance crash, something that shouldn't happen at all as far as the developers of Google have promised. In their comic about the browser they showed, that every browsers tab in running in a sandbox. One tab crashing shouldn't affect other tabs, but the bug discovered by Rishi Narang (psy.echo) does exactly this: Shutting down the whole browser and it' really simple. That's the code to do so:
PoC: http://evilfingers.com/advisory/google_chrome_poc.php --- <a href="EVIL:%">CRASH ME</a>
The second bug is even more fun. It is actually not a problem of Google Chrome itself, it's a problem of the technology, that Chrome uses. The browser uses the WebKit, that is also included in Apple's Safari and in an older version this software had a bug, that allowed a Carpet Bomb attack, meaning, that the attacker was able to download files to the users system without any user interaction. Now there are some things to think of. First off, in the original exploit it was a combination of Safari and Internet Explorer on Windows, that made the attack possible because the downloading itself isn't that risky, the problem got critical when the user surfed with Safari, a DLL got downloaded to the desktop and then the user used Internet Explorer again, which searched the desktop for files to include, such as the DLL. And then the exploit was successfull. In Google Chrome it's slightly different. Same thing: The user surfs to a website, a file gets downloaded by the browser and then(!) the user clicks on a specific button in Chrome being placed on the downside of the browser window as far as I read. With a little bit of Social Engineering it shouldn't be hard to make someone surf a website and click the specific button, so I would consider this a critical threat. Even worse: It wouldn't have been there if Google would have used up-to-date software... Ouch!
PoC: http://raffon.net/research/google/chrome/carpet.html
Blood and Honour owned
It finally happened: One of the biggest fascist networks worldwide has been hacked by left orientated activists. The network known as Blood&Honour is one of the last really big remaining possibilities for fascists to talk freely about their ideology, share information and plan stuff. I guess it was only a matter of time until the hackers would find a way into the servers and last week it happened. Officially this is only a music network, but yeah... guess what the music is for: Transport their ideology and get new people for the movement! The nice thing about the hack: They archived the WHOLE forum and loaded it up to servers of Rapidshare and Megaupload. So you can download the files, extract them and set up a Webserver on your own machine, browsing through the forum without restrictions. If you want to check it out, here are the links:
http://www.megaupload.com/?d=08K7HVI0 http://www.megaupload.com/?d=XMYS4W63 http://www.megaupload.com/?d=SKDPG4B0 http://www.megaupload.com/?d=EJ0DB1X5
The Rapidshare links are down. Seems the administrators of the site have done something against this. It is too late anyway. Enough people have downloaded it, yet.
The forum of Blood&Honour shall be back soon, but the comments they made on the stolen data is just too lame to not be mentioned:
In regards to any data that has been stolen off this website. Once any data, from whatever source, is downloaded onto a personal computer such as a hackers, that data can be changed and forged to anything that hacker wants. IP addresses can be changed; Private Messages can be altered or even created. The data is simply a text file that anyone can open and change on their computer.
To be precise, the forum was saved in a database and as far as I know, this is not a simple textfile, furthermore it is a special binary format used by MySQL. But hey, be fair, let the fascists believe all is fine and there is no risk for them. Ah and besides: If they think the data can't be used against them, it is possible to check whether something has been changed or not, so the argumentation sucks, but well... When the administrators argue this way, no wonder they got hacked.
From RE:SOLUTION to E:VOLUTION
On the 9th of July in 2007 the skandinavian AntiVirus company F-Secure published a video called "F-Secure RE:SOLUTION" on their Youtube's channel [fslabs]. Now, on the 28th of August in 2008 they brought out a new version, called "F-Secure E:VOLUTION". I somehow enjoyed watching that new video and listening to Mikko stating, that everyone is getting worth... Now have fun yourself:
(F-Secure RE:SOLUTION)
(F-Secure E:VOLUTION)
Busses in Ulm using Windows
Before I go home for today, something funny for you. I took some images of the system used in busses in Ulm (the city I live in).
First off, the normal way it looks when you press STOP to make the bus driver let you out:
Now the way it looks, when something goes wrong:
Can't you see, what I mean? Look at the zoomed-in version below:
And finally when everything goes down, we have this:
Hope you liked it...
Apple's NDA: STFU!
Some people might still know it, for all the others: I am currently going deeper into OS X development, especially for the iPhone. The market is very interesting and growing rapidly, every manager wants an iPhone and more and more companies use the iPhone for all their employees. Now I downloaded the SDK from Apple and the first videos to start with, everything fine so far and well done, BUT I had to sign a NDA (Non-Disclosure Agreement) as every other developer and that NDA is really strange. I really ask myself why Apple tries to control it that hard, it's a gunshot in their own knees. Anyway, read it yourself. That's, what I got when I registered to the development mailinglist on list.apple.com:
Until an announcement is made otherwise, developers should be aware that the iPhone SDK is still under non-disclosure (section 5.3 of the iPhone Development Agreement). It can't be discussed here, or anywhere publicly. This includes other mailing lists, forums, and also blogs. Violating the NDA will result in WWDR being notified of the breach. Further action is at their (and legal's) discretion. The iPhone SDK situation is somewhat different than a Mac OS X release, in that a Mac OS X release includes a copy of the developer tools with the distribution. The iPhone OS 2.0 release on devices and as an upgrade does _not_ include the development tools. As a result, the SDK is not automatically considered public because the release has occurred. Section 5.3 of the iPhone Development Agreement remains in force at this time, and will so remain until iPhone Developer Program members are specifically and personally notified by an authorized representative of Apple.