sla.ckers.org is ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 

Current Page: 1 of 4
Results 1 - 30 of 107
5 years ago
istari
@thrill & thornmaker - Thanks for the info! I'll start sniffing around to see what I can find out... should be fun ;-) @rvdh - Yes, Paris' metro system is just huge! This was in place in all the urban subway stations (and some RER ones too). You could still use the old magnetic tickets (or buy them individually), but they wouldn't sell the weekly, monthly or annual ticket unless you had the
Forum: OMG Ponies
5 years ago
istari
OK, so I was visiting Paris a few days ago, and to my surprise I found out that since my last visit a few years before the traditional subway tickets (which had a magnetic stripe just like credit cards) had been replaced by a more modern card, called NaviGo, which has an RFID tag (built into a connector somewhat similar to those used in the old telephone cards). This got me thinking I have never
Forum: OMG Ponies
6 years ago
istari
Haha, we don't have that "Mary" problem here ;-) It's usually people with Caribbean accents tho, and it works best when you ask them for directions and they can't tell the difference between two cities 3000 km apart...
Forum: OMG Ponies
6 years ago
istari
@Malkav - I'm just starting my twenties, and I'm a Physics student in my third year of university... So I'm somewhat used to running experiments and simulations, only not in the field of information security or IT (more in the line of physical systems and such). My current location is usually a huge deterrent for job offers tho ;-) Anyway, I can't even imagine how much money was wasted with thi
Forum: OMG Ponies
6 years ago
istari
@CrYpTiC_MauleR - This concerns ATM's not in the US but in Argentina. Your comment is still a good point tho :-( Anyway, here goes a summary of the simulations I made. In a nutshell, they confirm my suspicions about the uselessness of this measure. Just as background, I'm assuming the attacker has no limit in the number of tries he/she can make to crack a code, and that trying may take a very
Forum: OMG Ponies
6 years ago
istari
Yes, they are... If you're asking because that would make my 10^3 estimation wrong, I meant that on average: in the worst case you can fail forever, and then truly be the most unlucky person ever! I'm currently in the process of running a few simulations to determine how hard it really is to crack this system. If anyone is interested I can post the results here when I'm done...
Forum: OMG Ponies
6 years ago
istari
Well, thanks everybody for throwing some light on this... I suspected this measure was no good, but I needed to check nonetheless ;-) @tx - The 3 letter code works like this: suppose your personal code is ABC (once you set it, this code will be yours until you change it yourself), and you want to make an extraction. After you input the amount of money you want, the screen shows something like:
Forum: OMG Ponies
6 years ago
istari
Where I live, banks have recently forced us users to adopt an extra 3 letters for the security codes we use in ATM's (we previously had a 4 digit code). Now, at first this seems a good idea, as you jump from 10.000 [=10^4] possible codes to 17.576.000 [=(10^4)*(26^3)] possible combinations. However, a closer inspection tells me this really isn't such a great idea, so I'm asking all of you for a se
Forum: OMG Ponies
6 years ago
istari
Of those three I can only code in Python, so I may be biased. I can tell you, however, that if you have previous experience in C++ then learning Python will be really easy, so you could just try it out and see if you like it or feel comfortable with it. I think the same goes for Java and Perl, so in the end you could learn at least those two and decide which one is better for your purposes later o
Forum: OMG Ponies
6 years ago
istari
And on top of those PoC's, you can't tile Chrome's windows using that neat "Tile horizontally" feature in Windows XP... That's a no-go for me (???)
Forum: News and Links
6 years ago
istari
Well, I think I won't be using Chrome at least for a while: those PoC are scary!
Forum: News and Links
6 years ago
istari
And now, even if he does edit his original post, thrill has provided us all with an unedited copy of this demand, so we all know how it was phrased before he took politeness classes...
Forum: SQL and Code Injection
6 years ago
istari
RSnake gave a demo about this? Are there any videos / writeups?
Forum: OMG Ponies
6 years ago
istari
Hehe, if you found one you could corrupt the data in the tables and say it's for the protection of everyone's passwords. Of course, you'd have to download everything before doing that, just to make sure the data was there in the first place ;-)
Forum: OMG Ponies
6 years ago
istari
Well, I was actually thinking of going the whole nine yards, and building a custom program to do the injection for me. I read the BitTorrent protocol specification, and sniffed my client's traffic using the Proxomitron, and it looks like it wouldn't be too much work, as it's only a matter of sending the correct headers in the requests. The only thing that bothers me is that most sites require you
Forum: SQL and Code Injection
6 years ago
istari
@id: I have only one decent CPU to put on the job (which is my personal box, so I may not even be able to put it to work 24/7), and maybe a really crappy one too. It'd be really cool to have my own SHA1 rainbow tables, though, so I'm all for it... However, I don't have any experience doing this, so I really wouldn't know where to start (as I'm not going to try and make a huge text file containing
Forum: OMG Ponies
6 years ago
istari
@PaPPy: Thanks! I thought so, but I asked anyway because I don't know of any BitTorrent clients that allow you to fully customize the tracker requests where the passkey is sent, so I wanted some confirmation before starting to look more into it... Now that it looks feasible (at first I couldn't believe sanitation was so poor :-P ) I may try to edit the requests using a proxy, or even better I m
Forum: SQL and Code Injection
6 years ago
istari
I don't know how long this has been around, but I recently noticed GMail warns users whenever there are two sessions of the same account running simultaneously, as you can see in the image below: The detection system is pretty accurate, as I tested this opening my GMail account with two different IP addresses, but also opening it both in Firefox and IE on the same computer and on another comp
Forum: OMG Ponies
6 years ago
istari
Well, the subject sums it up, actually: some BitTorrent trackers have a backend MySQL database where they store information on the torrent files they host; this is especially true for private trackers, which have to confirm the user requesting peer information is valid before they provide it... I've downloaded a few opensource PHP + MySQL trackers just to see what kind of sanitation they have,
Forum: SQL and Code Injection
6 years ago
istari
OK, so I got a few MD5 and SHA1 hashes I'd like to crack (who doesn't ;-D ), and although for MD5 hashes I found many decent rainbow tables (freerainbowtables.com is massive!), for SHA1 hashes I can't find anything quite as good... Any suggestions? Or should I get a hashing program and start making my own tables?
Forum: OMG Ponies
6 years ago
istari
Great article! Thanks for the link Gareth... I've actually been seeing a lot of work put into understanding the ways to use (and abuse) pseudo random number generator states. For those interested in a different approach to this subject, this page has a rather interesting description of a way to establish a covert channel of communication using random numbers...
Forum: News and Links
6 years ago
istari
In order to test if the queries are being run, you could use time delays and see if page load times change... Last time I checked, in MSSQL something like WAITFOR DELAY '00:00:05' will hold the page in the server side for 5 seconds, enough to notice it on a broadband connection. Of course, you can also check how many queries are being run, or see if other statements work using conditionals and
Forum: SQL and Code Injection
6 years ago
istari
Yet the CAPTCHA he is trying to break is so easy I doubt he is in the CAPTCHA breaking business...
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
istari
@Malkav I had seen these conversations you can make SmarterChild have (and even some more hilarious ones!), and I consider them unavoidable in any bot coded with the current AI knowledge. However, I was aiming at a lower level: these bots can analyze the semantics of a sentence, discover nouns, subjects, etc, and act upon that. Of course, they have nothing interesting to say about anything, so
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
istari
Not really: There's been a lot of improvement on these kinds of bots. Try to chat with SmarterChild or any other good IM bot to see what I mean...
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
istari
Well, if it has a lower limit of 10 characters, try registering accounts with passwords: aaaaaaaaaa bbbbbbbbbb ... AAAAAAAAAA ... 1111111111 ... And so on... You may even try weird characters to see what happens: passwords with something like ⌠, ² or √ may break custom algorithms if they're behind the base64 encoding and the coder didn't take them into account...
Forum: OMG Ponies
6 years ago
istari
This is the base64 encoding of binary data. In Python, you can use the base64.binascii.b2a_base64 function to do this kind of encoding. Obviously there is a similar decoding function... As Matt said, the clear text is probably encrypted or transformed in some other way to binary data, and then encoded to store in the server. From the looks of it, you may be dealing with a hash function, as "
Forum: OMG Ponies
6 years ago
istari
Well, the last image in my previous post was my first step, and it already deals with one of the CAPTCHA's more important features (i.e. the perspective). The next step would be to analyze the amount of black and white in non-data areas (which is quite constant for small rectangles), and then discard all the parts of the image which have that same amount. That leaves the areas with too much bl
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
istari
Yeah, consistent distortion is equal to no distortion at all... You should randomize the lines, probably make them non-vertical (Del.icio.us' CAPTCHA used dashed lines in angle or forming spirals, and it worked for a while... now that CAPTCHA is dead tho), use different fonts for the different numbers (two different fonts for the same two-digit number would be cool), and maybe randomize the positi
Forum: Robots/Spiders/CAPTCHAs, oh my
6 years ago
istari
The images themselves aren't difficult to OCR, the variation in the position of the CAPTCHA could go against a site's design, and clicks can be automated by the attacker... so yes, this is a rather weak CAPTCHA, although it may be strong if unpopular: you'd need to code a bit to get a solver working, so unless it's in a lot of sites or in one that is very popular, it's safe to say nobody will care
Forum: Robots/Spiders/CAPTCHAs, oh my