Your security, networking, programming, and application news source.

Saturday, December 13, 2008

Virtual Desktops in Windows with VirtuaWin
  The lack of virtual desktops in Window XP and Vista has slowed my work on Windows boxes for too long. I recently revisited a free Virtual window manager for Windows (Vista, XP, and older) named VirtuaWin.

  <VirtuaWin> is a small, light weight, and minimal virtual window manager. VirtuaWin is found free and open source at our favorite, <>. The application consists of a system tray icon in your task bar:

(the green box)
System Tray Screenshot: YahElite, VirtuaWin, PrivilegeSpawner, and more
  Out of the box you get 4 desktops, although the limit is 20. These are switchable in several customizable ways. The configurable hotkeys and mouse edge bumping seem to do well for me. Virtual desktops and multiple monitors make things even better!

  You can then refine this tool with the <great collection of add-on modules>. Modules provide a desktop pager, auto switching, visual and audio desktop change notifications, and more. The system tray icons can be easily customized by dropping in icon sets. VirtuaWin has quite a <collection of icon sets> you can browse.

Thursday, December 11, 2008

[Link] Slackware 12.2 Released

Slackware 12.2 Released (Dec 10, 2008)

A quick look at what Slackware 12.2 ships with:

  • Linux kernel

  • Xorg X server  1.4.2

  • Xfce  4.4.3

  • KDE  3.5.10 (4.1 is in /testing directory)

  • HAL

<Slackware 12.2 Release Announcement>

Friday, December 5, 2008

Py3k: Python 3.0 Officially Released


<Python 3.0 (a.k.a. Python 3000) was officially released> on Dec 2, 2008. You can find <a nice long rundown> describing the many changes. The lack of backwards capability caused by the changes has been noted in the news for quite awhile.

In case you your not aware, the home of Python is .ORG. If you accidentally go to .COM = Pr0n you will find High Def teen pr0n with explicit flash video playing on load as well as plenty of explicit pictures, nice! That would suck to load up at work while people are around!

Monday, December 1, 2008

[Link] 100 Best Open Source Security Tools

A great list of 100 open source security tools. They are categorized; each having a short description and link to it's home page. I can see most of my favorites in the list.

Masters in Criminal Justice (Nov 26, 2008)

<100 Best Open Source Security Tools>

Sunday, November 30, 2008

Saturday, November 29, 2008

Ubuntu Linux Kernel Vulnerabilities Advisory


Ubuntu has released a security advisory (below), detailing 9 potential kernel vulnerabilities. The advisory appears to encompass all Ubuntu's and suggests a kernel image upgrade. This will require a reboot and require a reinstall of all third party kernel modules that are installed.

<Ubuntu: USN-679-1: Linux kernel vulnerabilities> (Nov 27, 2008)

Wednesday, November 26, 2008

Assembly Programming in Python!


CorePy 1.0 Officially Released! (Nov 17, 2008)

  <CorePy> is a <Python> package that allows executing assembly instructions for x86, Cell BE, and PowerPC processors (32 and 64 bit) from within Python. It is an open source project available under a BSD license

  CorePy's usage is comparable to inline assembly in other languages, but provides much more control than most provide.

"high-performance applications that take advantage of advanced processor features, including multiple cores and vector instruction sets (SSE, VMX, SPU), usually inaccessible from high-level languages."

  CorePy works by using an ISA, a library of architecture instruction sets, to build a list of instructions in a InstructionStream. This is called a synthetic program and is converted to a stream of reusable processor instructions. These synthetic programs can be executed by the processor synchronously or asynchronously, passing parameters to and from other synthetic programs.

  A print function is built in that supports plugins for printing the instruction stream out to assembly. Nasm seems to be ready, but GAS-compatible output seems to be incomplete.

A simple example from the website:

# Load the x86_64 instructions and environment
>>> import corepy.arch.x86_64.isa as x86
>>> import corepy.arch.x86_64.platform as x86_env
Platform: linux.spre_linux_x86_64_64

# Create a simple synthetic program
>>> code = x86_env.InstructionStream()
>>> code.add(, 12))

# Execute the synthetic program
>>> proc = x86_env.Processor()
>>> result = proc.execute(code, mode='int')
>>> print result


<Download Page>

Tuesday, November 25, 2008

Fedora 10 is Here!

Fedora 10 is here!

<Get Fedora KDE> <Get Fedora GNOME>

<Fedora Torrents>

Major new features at a glance:
  • Wireless connection sharing enables ad hoc network sharing

  • Better setup and use of printers

  • Virtualization storage simplified

  • SecTool intrusion detection system

  • RPM 4.6 is a major update

  • Rewrite of the PulseAudio sound server

  • Improved webcam support

  • Better support for infrared remote controls

<Full release notes>

Thursday, November 20, 2008

Tired of Stupid Questions People Should Have Googled?

Let Me Google That For You [dot] Com


Tired of people asking stupid questions they could have easily Google'd themselves? This website generates a link for you like so:

This link you can share with your local lazy fool. The link will show an informative animation showing how to enter their particular query into Google, click search, declare "Was that so hard?", and then show the results. Try it above!

(Requires JavaScript access to and

[Link] The 7 Deadly Linux Commands

Tech Source From Bohol (Nov 20, 2008)

<Tech Source From Bohol - The 7 Deadly Linux Commands>

Wednesday, November 19, 2008

[Link] ASCII Mandelbrot Created With Single SQL Statement

This is a single T-SQL statement that is less than 50 lines, with source code. A screen shot of the resulting ASCII Mandelbrot is included.

The Daily WTF (Nov 19, 2008)

<Stupid Coding Tricks: The T-SQL Mandelbrot>

Thursday, November 13, 2008

[Link] USB 3.0 is Blazing Fast

The Future of Things has put together a great collection of information about USB 3.0, saying,

"Devices employing USB 3.0 specifications are planned to be available to consumers in 2009 or 2010 and would be backwards compatible with USB 2.0 and USB 1.1."

The most mouth-watering is the speed; 25GB should take 70 seconds!

(Nov 11, 2008)

<The Future of Things - 25GB in 70 seconds with USB 3.0>

Tuesday, November 11, 2008

[Link] Windows 7 is , You Guessed it, Vista Rebranded

Kernel process profiling shows it looks like a Vista; performance testing shows is walks like a Vista; claims of being a high performing Linux-laptop-killer falling flat on it's face, make it sound like a just another disappointing Vista.

InfoWorld 5 pages (Nov 10, 2008)

<InfoWorld - Test Center benchmarks: Windows 7 unmasked>

Thursday, November 6, 2008

Adobe Reader Exploite Using Java Script


  Core Security Technologies reported a critical vulnerability to Adobe about it's Adobe Reader. Adobe has already released an update to address the vulnerability in version 8.1.2. The vulnerability was found in Foxit Reader (CVE-2008-1104) and later successfully tried in Adobe Reader. Adobe Reader and Foxit Reader both have different security approaches that lead people to think Adobe Reader wouldn't be affected.

Foxit Reader 2.3 build 2825 security bulletin from Secunia Research details the following:

"The vulnerability is caused due to a boundary error when parsing
format strings containing a floating point specifier in the
"util.printf()" JavaScript function. This can be exploited to cause a
stack-based buffer overflow via a specially crafted PDF file."
(Secunia Research, May 20, 2008)

Help Net Security's coverage of the Adobe Reader vulnerability added that the util.printf() function "converts the argument it receives to a String, using only the first 16 digits of the argument and padding the rest with a fixed value of “0” (0x30). By passing an overly long and properly formatted command to the function, it is possible to overwrite the program’s memory and control its execution flow."(Help Net Security)

Help Net Security - Critical vulnerability in Adobe Reader (Nov 4, 2008)

Security Focus - Secunia Research: Foxit Reader "util.printf()" Buffer Overflow.
(May 20 2008)

Wednesday, November 5, 2008

[Link] Windows 3.x Still Dying

Microsoft ended support for Windows 3.x at the end of 2001, but 3.x continued on as an embedded operating system. Windows 3.x continued to power cash registers, ticket systems, and even in-flight entertainment systems.

"On 1 November Microsoft stopped issuing
licences [for Windows3.x]"

BBC News (Mark Ward) (Nov 5, 2008)

<BBC News - The end of an era - Windows 3.x>

Will iPwn for Food

Will iPwn for Food

  Forbes reports on <(blog)Piergiorgio Zambrini>, 38 year old Italian systems engineer who created the first popular iPhone carrier break application named <Ziphone>. Zambrini is reported to be "revealing a bug that can crash the iPhone and, he says, other devices including iPods and Apple computers."(Buley)

  Zambrini is holding the details for Apple. Forbes reported this bug to be in the audio portion of Apple's video format, that able to crash Apple iPod and latest generation iPhone. Forbes says this bug is in a shared library used in most Apple operating systems(i.e., Mac) and has confirmed this claim on iPhones.

  Zambrini goes on in the interview with Forbes about wanting a job in the Apple security department and wanting to talk to Steve Jobs. Yeah, it got weird, but apparently Zambrini made a nice chunk off Ziphone already. (Taylor Buley), Crashing The iPhone
[Feed]<> (Nov 3, 2008)

Sunday, November 2, 2008

[Release] OpenBSD 4.4 Released


Free, Functional & Secure

"Only two remote holes in the default install, in more than 10 years!"

OpenBSD 4.4 released Nov 1, 2008:


<OpenBSD 4.4 Release Details>

<OpenBSD Download Page>

Thursday, October 30, 2008

Almost Every Music Video Now Availible Free

  Video giant <YouTube> has been making lots of music videos available among their other user submitted videos. Using <Fire Fox> browser <add-ons> like <Fast Video Download> and automated web sites like <> (formerly, you can download a nice video/music collection from YouTube.

  The once popular music video cable TV station <MTV> has replied to YouTube by opening it's own video site which is likely to host most every music video produced, <MTV Music>. YouTube does host remixed and modified videos, user posted music videos, and home made videos that you wouldn't expect to find on MTV Music, but MTV is likely to have a consistent quality collection. MTV doesn't appear to openly allow downloading, but like with YouTube; if there is a will, there is a way.

Tuesday, October 28, 2008

New hosting

Update: Lock still in effect Oct 28, 2008
We have hosting at <> and have imported the blog to Wordpress. This transition might take some time. We are still looking for the right domain name.

Tuesday, October 14, 2008

Sunday, October 12, 2008

[Link] Russian researchers achieve 100-fold increase in WPA2 cracking speed

Security and the Net(Oct 12, 2008)
(Distributed cracking with GPUs.)

Microsoft's open source multi-touch SDK

  Microsoft released (Oct 6 2008) <Microsoft Office Labs: Touchless>. Touchless is a multitouch software that uses a regular webcam to track color based markers (like on a dry erase marker board). It's sort of a low-end version of <Microsoft's Touchwall technology> you may have seen <demo videos> of.

  The project has <4 demos and the SDK>. The project is open source (at quick glance it looks to be mostly C#) and isn't a revenue-bearing product. This is a significant change of pace for the maker of proprietary software solutions, although Microsoft has been expressing interest in open source recently. Some people argue that the term 'open source' implies more than just the availability of source code which isn't consistent with the restrictive nature of the <Microsoft Public License> it's released under.

Tuesday, October 7, 2008

Google Project: Obfuscated TCP

From the <Obfuscated TCP Project's Home>,

"Obfuscated TCP is a transport layer protocol that adds opportunistic encryption. It's designed to hamper and detect large-scale wiretapping and corruption of TCP traffic on the Internet."

View the <quick YouTube explanation>:

[Link] Microsoft programming contest hacked, defaced

Monday, October 6, 2008


Saturday, September 27, 2008



  Clickjacking is the buzz word for the week. Robert “RSnake” Hansen and Jeremiah Grossman had planned a presentation on clickjacking at the <world OWASP conference in New York>. After sharing the information with Adobe they were <asked to delay> releasing of details because of it's impact on one of their products.

  Clickjacking is underappreciated, but well known. Traditionally JavaScript had many implications in this area, but this does not require JavaScript. This zero day is purported as a fundamental flaw in how browsers handle web pages that affects all (or most all?) graphical browsers. From <Jeremiah Grossman on his blog>, "At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional 'exploits,' and that guarding against clickjacking was largely the browser vendors' responsibility."

It's been said by many people that turning off JavaScript will not prevent this attack. The Firefox plugin/add-on <NoScript> does much more than micro-managing JavaScript. <ZDNet's Blog> posted the following email from <Firefox Noscript>:

Hi Ryan,
  I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
  I had access to detailed information about how this attack works and I can tell you the following:
  1. It’s really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <IFRAME>” option.

Through <Jeremiah Grossman's blog> (referred to in the email above) and <Robert Hansen's blog at> some information about the zero day can be found, but it seems the rest of the details have been kept pretty tight.

<Breaking Point Systems> has been speculating on this vulnerability and posted <source to some forms of web jacking>. Later they realized that these weren't exactly the zero day and then posted this <proof of concept "IFrame Trick"> which seems to fit the details of the vulnerability.

Tuesday, September 23, 2008

FLOSS Weekly

FLOSS Weekly

  <FLOSS Weekly> is an audio netcast (also known as a podcast) about 'Free Libre Open Source Software'. Hosted by Leo Laporte and Randal Schwartz, supported by Cachefly, and hosted on <TWiT.TV> (This Week in Tech). This is all reminiscent of Steve Gibson and Leo Laporte's once very popular netcast, <Security Now>.
  For many of us Security Now paved our interest in podcasts, then renamed them to netcasts. Steve Gibson coined the term netcast when podcast's copyright status came in question. Security Now caught our attention with it's early networking, encryption, and security episodes. It pioneered as one of the first semi-professional tech shows with real topics. They brought tech media away from the trend of underground bumbled garage shows battling it out against commercial fluff-tech. Fusing a respectable quality show with respectable topics.
  Security Now has slowed down in it's innovation at over 160 episodes. Pushing of products as a shows topic seemed cool when it was great new software like <Tor> and <True Crypt>, but recent plug episodes have left a bad taste in listeners' mouths.
  <FLOSS Weekly> continues this start with a different focus, open source software. FLOSS Weekly started off slow, sometimes going 2 months without a new episode, but recently has began full steam carving a schedule that is fitting of the show's title. Let the show's topics do the talking:

<FLOSS Weekly 41: DotNetNuke> - The open source content management and Web application system that runs under the .NET framework. (September 19th, 2008)

<FLOSS Weekly 40: Jeff Robbins on Drupal> - Jeff Robbins talks about Drupal the popular open source PHP/LAMP web content management system. (September 12th, 2008)

<FLOSS Weekly 39: Simon Phipps> - Simon Phipps, chief open source officer of Sun Microsystems. (September 5th, 2008)

<FLOSS Weekly 38: Asterisk> - Asterisk, an open source PBXi, telephony engine, and telephony applications toolkit. (August 30th, 2008)

See the full list of 40+ episodes and growing at <TWiT.TV / FLOSS>.

Other episodes talked about open source software you shouldn't miss. Just to name a few:

Smalltalk / Squeak

Sunday, September 14, 2008

SoCo Software Releases C++ Yahoo Source Code

  <SoCo Software> has released <XLibrary>, a C++ repository of source code modules. Included are Windows sockets, Yahoo chat, and Yahoo captcha modules. This library is released under a custom license similar to the <OS-CPL> which doesn't force adoption of open source licenses.

  SoCo Software has provided free tools, scripts, and applications with source code, for a few years now. It is one of the few places where you can find a <free proxy tester> with source code. Most free proxy testers are released by proxy list sites, so you can help them find fast proxies, while getting the bottom of the barrel.

  The software site is using this library release as the beginning in a line of additions of source code libraries and snippets, including embedded (ASM and Dynamic C) and web application (JavaScript and PHP) source code.

Monday, September 8, 2008

White Jaguar Has Hex Color Tag

<CAR model="Jaguar" color="#FFFFFF">


Friday, August 22, 2008

Fedora Servers Compromised


  <Fedora announced> (Aug. 22, 2008) that some servers were illegally accessed 'last week'. One of the compromised servers was for signing Fedora packages. Despite being optimistic about the security of the passphrase used to secure the signing keys, Fedora has decided to convert to new signing keys.

  A RHL <security advisory> eludes to successfully compromised OpenSSH packages. "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)"

  RHL released an update to OpenSSH to address this as well as <script> to detect these black listed packages.

Wednesday, August 13, 2008

BitTorrent's .torrent File Buffer Overflow Vulnerability

A critical vulnerability was found in uTorrent and BitTorrent. The torrent clients' processing of .torrent files fail to do proper bounds checking for the 'Created By' field. This allows a maliciously crafted .torrent file to do a buffer overflow. From there, arbitrary code execution is a step away.

Confirmed vulnerable versions (previous version are assumed but not confirmed to be vulnerable):

  uTorrent version 1.7.7 (Build 8179)
  BitTorrent versions 6.xx.

TorrentFreak urges users of uTorrent to upgrade to <uTorrent 1.8> and claims there is no upgrade/patch for the mainline BitTorrent client yet, but an update will be available soon.

<TorrentFreak - Critical Vulnerability Discovered in uTorrent>(August 12, 2008)

<Secunia - Security advisory for uTorrent>(August 12, 2008)
<Secunia - Security advisory for BitTorrent>(August 12, 2008)

Monday, August 4, 2008

New PHP Features Coming v5.3

<Skip to the run down>

  PHP(Wiki) is becoming a popular web development language with the recent boom of LAMP(Wiki) servers.

  In general, PHP is a script language with very similar syntax to C/C++. It uses type safe(Wiki) variables that support arrays and tuples(Wiki)(associative arrays), much like Perl and Python.

  PHP is typically embedded into HTML pages (with the .php extension) on a web server. When a PHP page is requested, the PHP content is parsed server-side and only the resulting HTML is replied to the requesting browser.

  PHP 5.3 alpha <was released>(Aug 1, 2008). Version 5.2.6 was recently released in May and was the first release in a couple years. Version 5.2.6 was mostly security and bug fixes. Version 5.3 sports the most new features and improvements seen in a long time. The expected date for a stable PHP 5.3 is mid October 2008.

A quick rundown of some new features in PHP 5.3 Alpha:

 Namespaces(Wiki) - This should allow much shorter class names and grouping flexibility.

 Late Static Binding(Example) - For some more robust class inheritance.

 __callStatic( -  __call is a built in class member function that allows you to define behavior for calls to non-existent member functions. __callStatic extends this functionality to static member calls.

 Lambda Functions( - Quick, throw away, inline functions.

 Closures( - Associate a list of the parent scope's variables to be imported into a function. This also make Lambda functions much more useful.

 __DIR__ - This constant will replace the commonly used dirname(__FILE__) statement to retrieve the current script's directory.

 Phar - A PHAR file is a compressed archive and can contain a complete PHP application. Similar to a Java's JAR files, a Phar file could allow large multi-file PHP scripts to be distributed and used as one, compressed, file.

 PHP goes Windows 2000 and up only

<PHP.NET 5.3 Alpha1 Release announcement>(Aug 1, 2008)

Wednesday, July 23, 2008

Friday, July 18, 2008

New True Crypt Release Features Hidden, Encrypted, OS Partitions

   We know True Crypt as the free-open source application for Windows/Mac/Linux that creates on-the-fly-encrypted drive volumes. You create a file or volume with the combination of several heavy, industry standard, encryption algorithms. With the password, that file or volume can be mounted as a drive letter (in Windows).

   True Crypt has been around a while; it's based on E4M (Encryption for the Masses) and released it's first version at the beginning of 2004. It's popularity exploded when it was the featured topic of a <GRC's Security Now> audio podcast. This was near the popular beginning of the series, which then featured informative, weekly, encryption and network protocol discussions.

   Since it's start, True Crypt has acquired additional innovative features. It can encrypt entire partitions, like an entire hard drive, as well as devices such as USB flash drives. It later featured the ability to create <hidden volumes> through <steganography>(wiki) techniques (hiding the encrypted volume inside a larger one filled with cryptographically random free space).

   The new True Crypt version 6 can not only encrypt your hard drive/partition containing your operating system, prompting you for your password at boot up, but can also make that a hidden volume. This creates an innovative situation of <plausible deniability>.

<True Crypt Downloads>

Monday, July 14, 2008

Open Source Lojack System For Laptops (beta)

   <Adeona> is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. Adeona instead uses the open source <OpenDHT> distributed storage service to store location updates.
   Protect your laptop, for free, without giving away your privacy to a proprietary central server (and any organizations who could persuade them to share your location information).


"We are exploring the possibility of Adeona for mobile devices, like the iPhone or Windows Mobile."

Beta notes:
   The current version of Adeona is 0.2.1. This is a beta version. Being the first public distribution for deployment, Adeona has been made easy to uninstall. It also shows readily in your system process list. No mention of GPS support. Location information includes: internal IP address, external IP address, nearby routers, access point, photos (Macs only via <isightcapture>).

Wednesday, July 9, 2008

DNS Design Flaw Allows Spoofing


(July 8, 2008) United States Computer Emergency Readiness Team (US-CERT) Vulnerability notice <#800113> regarding a DNS Cache Poisoning Issue.

"It is a fundamental issue affecting the design. Because the system is behaving exactly like it is supposed to behave, the same bug will show up in vendor after vendor after vendor.", says Dan Kaminsky, director of penetration testing, at the <IOActive> security firm. Kaminsky found this flaw more than six months ago while doing non-security related research of the DNS system.

A number of software vendors released patches Tuesday, July 8th. A patch <was released>(July 8, 2008) by Microsoft, being it's scheduled update day, and a patch <was also released> (July 8, 2008) for the Berkeley Internet Name Domain (BIND) server. The <Security Focus article> (July 8, 2008) claims both Cisco and Juniper also acknowledged flawed systems (but haven't released patches).

Thursday, July 3, 2008

Firefox 3 World Record Is Official: 8 Million Downloads

Download Day

Thanks to the support of the always amazing Mozilla community, we now hold a Guinness World Record for the most software downloaded in 24 hours. From 18:16 UTC on June 17, 2008 to 18:16 UTC on June 18, 2008, 8,002,530 people downloaded Firefox 3 "

< World Record>

Wednesday, July 2, 2008

Solid State Drives Aren't Saving Battery Life

  One of the big hopes for solid state hard drives (SSDs) is that they will reduce power consumption, saving on your battery's life. Tests ran by Tom's Hardware of many SSDs from several vendors showed significantly more power consumption than a standard SATA drive. The tests ran are considered pretty reliable.
  This means solid state drivers aren't quite up to snuff for power consumption alone, although certain types of SSDs already provide significant performance advantages. This let-down paired with the current high price of solid state storage over traditional hard drives, will keep SSDs on the back burner for a bit while the technology is refined.

Tom's Hardware: (Contains many pages of extended details of the tests)
<The SSD Power Consumption Hoax : Flash SSDs Don’t Improve Your Notebook Battery Runtime – they Reduce It> June 27, 2008

CrunchGear: (A single page review containing a graph of the data)
<Shock, horror: Apparently SSDs don’t save you any power> July 1st, 2008

Which Linux Distros Are Dying

  An interesting post at has been circulating for a couple days. It has graphed Google search trends for Linux distribution names. Showing a downward trend in Google searches for Debain, Fedora, Red Hat, SUSE, Slackware, and 'Linux' it's self. It shows a interesting gain for 'OpenSUSE', despite the drop in SUSE, and the expected gain dwarfing all others for Ubuntu.

View the whole article and graphs:
< - Which Linux Distributions Are Dying?> June 30th, 2008

<Found noteworthy by Linux Today>

Thursday, June 12, 2008

Mozilla announces Firefox 3 release date

Of course this is just an expected release date, but the big day is...
Tuesday, June 17th, 2008

<Download Day 2008 Headquarters>
<Mozilla Development Center news post> (posted June 11th, 2008 at 4:47 pm)
<Firefox 3 mass-download world record attempt> (posted May 29, 2008)

Sunday, June 8, 2008

Programming Salaries Compared

I came across a great post from <The Unix Geek - Blogspot>. He had grabbed average pay for different programming languages, operating systems, and API's from <Indeed> and listed them in order. I've used his findings and the same method to expand on them.

Programming Languages

    $82,000 - Objective-C
    $80,000 - C++
    $80,000 - TCL
    $79,000 - C#
    $79,000 - Java
    $78,000 - Python
    $77,000 - Perl
    $74,000 - Ruby
    $72,000 - JavaScript
    $64,000 - Delphi
    $64,000 - PHP
    $64,000 - Visual Basic
    $60,000 - C
    $54,000 - Smalltalk
Operating Systems (generic average)
    $86,000 - GNU/Linux
    $55,000 - Microsoft Windows
    $51,000 - Mac OS X
    $86,000 - Win32
    $81,000 - Tcl/Tk
    $76,000 - Qt
    $75,000 - GTK+
    $71,000 - .NET ($75,000 for "Visual Studio")
    $43,000 - Cocoa ($60,000 for "Mac Programming")

Embedded (Various)
    $71,000 - AVR
    $70,000 - RFID
    $67,000 - PIC

Friday, May 30, 2008

TCP Reset Injection Detection Utility

  An interesting source, <NNSquad> (Network Neutrality Squad), has released an open source tool (licensed under <LGPL>) to detect TCP reset (RST) packets that may have been injected into a TCP connection by a party other than the endpoints.
  The <NNSquad Network Measurement Agent (NNMA)> tool's available downloads are beta and include a Windows 2000/XP/Vista installer binary and <VC++ 6.0> Windows source code.
  TCP reset injection has been discovered being controversially used by internet service providers, such as <Comcast>, to disrupt torrent and P2P file sharing.

Thursday, May 29, 2008

Firefox 3 Preparing for World Record Attempt

Download Day
  The official release of Firefox 3 maybe be the most anticipated software releases of the year. Firefox 3 shows many promising improvements, most notably major memory usage cutbacks and performance improvements. <Early memory comparisons> have shown impressive numbers. Many other changes and improvements are already locked in since the first <release candidate> was released. A quick run down of feature comparisons can be found <here>.

  <The Mozilla Blog> has announced an attempt to break a world record for most software downloads in 24 hours. The release date for Firefox 3 isn't set yet, but is expected some time in June. Mozilla has a <Download Day Headquarters> site where you can monitor for the release date, read more, and even pledge to download on the release date.

Sunday, May 11, 2008

BSD fixes 25 year old bug

The flaw for reading MS-DOS directories in all BSDs (including Mac OS X) tracked back to 1983 was recently fixed. SAMBA uses a special workaround in order to function properly on BSD systems. OpenBSD developers received an email from an OpenBSD user which led to unraveling the bug.

Source with quotes from <Marshall Kirk McKusick>, the original developer of the *dir() library:

<OS News - The 25 year Old BSD Bug> (May 10, 2008)

Monday, April 28, 2008

Automated SQL Injection Mass Attack Hits IIS Websites

“Exploits of a Mom” by <xkcd>

  An automated attack against Microsoft’s IIS servers has hit some 500,000 websites. Websites affected include the United Nations, UK Government sites and the U.S. Department of Homeland Security.

  These attacks targeted Microsoft IIS servers which allow generic SQL commands that don’t require specific table-level arguments. The attack targets IIS servers which run ASP allowing them to pollute database servers in a generic way that doesn't require prior knowledge of the database's table and field structure.

  The attacking script injects malicious JavaScript code into every text field of the database. The JavaScript then loads an external script that can compromise a user’s PC. So far there have been no details about who is behind the attacks.

<Wired Blog - Massive Attack: Half A Million Microsoft-Powered Sites Hit With SQL Injection> (4/28/2008)
<Hackademix - Mass Attack FAQ> (4/26/2008)

Saturday, April 26, 2008

When Logo Design Goes Wrong

  The Office of Government Commerce, an office of the treasury in the United Kingdom, is commonly known as OGC. An investment of £14,000 was put into a logo design, which resulted in a nice formal image of the OGC acronym.

According to insiders, within seconds of unveiling employees spotted the problem with this proud logo. This despite it already being etched in mouse pads and pens. If you turn it on it's side, you should notice the problem.

<A hallarious animated version (gif) was posted here>

<The UK Telegraph - OGC unveils new logo to red faces> (4/25/2008)

Saturday, April 19, 2008

Microsoft Works SE (Sponsored Edition) Marketing Trials

  Microsoft is silently trying it's hand at ad-funded software with Microsoft Works SE (Sponsored Edition). The trials are being kept secretive, but United States, France, Canada, Poland and the United Kingdom are said to be involved. It is available only through select computer makers and Microsoft won't say which computer makers those are. Some searching has showed <Sony offering it in the U.S.> and <Packard Bell offering it to the U.K.>, both bundled with notebooks.

Microsoft Vice President Chris Capossela, on this and the some subscription based announcements: "These are all experiments."

Read more at:
<CNET News - Microsoft quietly offering ad-funded Works> April 18, 2008

Friday, April 18, 2008

Microsoft Vista Users: Bend Over

  Didn't listen to all those Vista bashers? Chances are your already kicking yourself over issues your having with Vista. Since you're all waiting for some reassuring words from Microsoft, you've got it.
  Last Thursday, at an annual Seattle event Steve Ballmer, Microsoft CEO, called the Vista OS "a work in progress"! I hope they warned you about this when you dropped $200-300 or more on a copy.

You could petition:
<Info World's Save XP Petition>

You could jump on the Linux bandwagon:

Or you could keep your hopes up waiting for the next Windows:
<Windows 7 (Wikipedia)>

Anyone think a Mac is an option? (comments are wide open, as always)

Thursday, April 17, 2008

The WIFI Predator [DIYS]

  Do it yourself high-powered antenna with custom firmware to activly search out open wireless connections.

Assembly Instructions:

<The Wifi Predator> - 4 Step Assembly Instructions at (April 14 2008)

Hardware List:

  • Buffalo WHR-HP-G54

  • HyperLink 2.4GHz 14.5 Yagi Antenna

  • Reverse Polarity SMA Male to Male N-type adapter.

  • Sears’s Ultra-Cheap camera tripod

Sofware/Firmware List:

  • <DD-WRT firmware>modification of the original Linksys Firmware

  • <AutoAP add on> to DD-WRT that allows routers to continuously scan for and connect to open wireless networks.

Quantum Computing Creation

<Prem Kumar>, a professor of electrical engineering and computer science at Northwestern University, and his team have shown that they can create a quantum logic NOT gate within an optical fiber. Quantum logic with laser beams, that passed through the air have been built before. Because the gate is within fiber, it could be part of a circuit that relays information securely, over hundreds of kilometers of fiber. This gate is one of the building blocks needed to build a <quantum computer>.

<Technology Review - Toward Quantum Internet> Published by MIT (Tuesday, April 15, 2008).

Tuesday, April 15, 2008

Hotmail CAPTCHA Massacre

<Recent reports> of streamlined Windows Live CAPTCHA bot attacks are slamming Hotmail. <New reports> show this process in action with success rates purported one in 8 to 10 attempts being successful (10 - 15%). One bot can <reportedly> create at least 1,440 accounts a day. These accounts are then used for mass mail spamming.

SQL Exploit by Recent Example

  Oklahoma sets up a <sex offender violent offender site>. Right off the bat you can see the site is still managed by numskulls. On their front page 'Notice to public:' has a broken non-breaking-space HTML tag hanging out.
  Apparently until several people stressed the problem and severity, the site sent and accepted SQL queries with no sanitation through web requests. This allowed anyone with minimal SQL knowledge to retrieve social security numbers and other personal information of tens of thousands of people on this registry.

<The Daily WTF>
(contains some examples as well as details)

Find sites with similarly poor design with a crafted Google search:
<Google Search Example>

Tuesday, April 8, 2008

XSS Cross- Site Scripting Explained

I've read about cross-site scripting techniques for years, but when I ran across an IBM article about XSS posted on <tweako>, it stuck out as a great explanation.

<IBM Rational AppScan: Cross-site scripting explained>

Monday, March 24, 2008

Google Search Within A Site

  Google silently added a new feature that allows searching within a site to search results. This could have normally been done with some well crafted search queries, but this is much nicer. (the screen shot will make this clear)

  While this is a awesome feature, it has some sites mad because it will detour people from using their crappy on-site search features, which serve up their own ads and surely don't show competitor's ads.

<The New York Times>
<Google Blog>

Wednesday, March 19, 2008

RFID Credit Cards

  RFID is becoming more popular for many things. Credit cards using RFID technology sporting names like 'EZ Pass', 'quick pass', and 'speed pass' are growing. A recent Boing Boing <video netcast episode> is re-raising concerns about the security of such cards.
  An older <The New York Times report> featured tests on 20 cards from Visa, MasterCard and American Express, showed that the data was being broadcast in plain text. This data frequently includes the card holder's full name, sometimes even the card number and expiration date.

  A common misconception is that RFID is totally insecure by nature. This isn't true. RFID's are just a family of inexpensive devices that broadcast via radio frequencies. Other than their price, these devices are most notable for their tiny size and ability to be self-powered. These devices can capture power from the radio frequency of a requesting device, powering it's self, to make a radio frequency reply.
  This misconception comes from frequent news headlines where a poor attempt, or no attempt, was made to protect the data or signals a RFID made. These signals are easily captured, but encryption techniques can be used to protect this data. Designers frequently don't bother.
  In some cases, like this credit card situation, an ideally secure encryption scheme may require more elaborate equipment for legitimate readers, possibly an expensive central payment system. This could defeat the entire purpose of making transactions fast.

  Some effort should be made using one of many encryption techniques to protect this data. Although the card number maybe be useless without the security code, a plain text card holder's name is surely a bad idea.

  A Boing Boing TV <video netcast episode> claims a suitable RFID reader can be purchased for as low as $8 from eBay. Some lady with her hair dyed till its falling out, and a dude who has never washed his hair, demonstrate reading a card through your pocket with a similar device. Their demonstration revealed that the full goods may still be broadcast in plain text by these type of cards.

Lingering VCL Bof exploit

A buffer overflow exploit vulnerability was found in the popular <VideoLAN VLC Media Player> in the parsing of subtitle files. The last release, VLC 0.8.6e was supposed to fix this along with some other issues, but this issue is <reported> to still exist.

The simple fix is to not process untrusted subtitles using VLC. Alternatively you could use a <nightly build>, all though you may run into a bug or stability issues.

<Secunia advisory>

Thursday, March 13, 2008

Accessing 'Must Sign Up to View' sites

  More and more sites try to capture you as a repeat visitor from your casual viewing of their site by forcing you to create an account to view or download their content. We will list a few techniques and services which will help you circumvent this annoying process.
  There is a ton of additional services/techniques more than we will list. Feel free to post your favorite in the comments. No account or sign up is required to post comments. The best technique to use may vary by site and the content you are after, but in general the following suggest should be considered in order.

BugMeNot is a site that allows people to share login accounts for accessing sites.


<BugMeNot Firefox Add On>

Web caches are saved copies of web pages. They can let you view sites who are no longer accessible and sometimes can cache sites not normally accessible.

Google automatically shows a link to cached versions of search results as shown above.

<More about Google caches>

The Wayback Machine (referring to the time machine in 'The Rocky and Bullwinkle Show' cartoon) is another web caching service.

<Internet Archive: Wayback Machine>

  User Agent spoofing is another possible technique. When a web page is requested by your browser some information is sent along. Part of that information is your <user agent> witch identifies your browser and possibly your operating system and their versions. This is to help websites display properly across many software clients and platforms.
  Web search engines have 'spiders' crawling the web indexing web sites. To comply with standards and prevent getting low search engine scores web sites typically do what they can to allow web spiders a larger amount of access to content. Spiders typically are identified by their user agent string. So, by spoofing a web spider's user agent string, you may have some less restricted access to content of sites. The following tools will help you spoof your user agent.

<Firefox add on: User Agent Switcher>
(this may require a quick <Google search of 'user agent list'> to find a list of common user agents to load into the tool.)

<Be The Bot> A web based proxy meant to request pages using a Google or Yahoo spider's user agent string.

Wednesday, March 12, 2008

Firefox 3 Browse On A Diet

Firefox 3 puts a nice effort into further reducing memory consumption. Initial testing of Firefox 3 Beta 4 shows a dramatic change. In the mist of Internet Explorer 8's less than fantastic standards progress, along with rumors of the IE8 beta being horribly buggy, Firefox's competitive outlook seems good.

Memory change highlights:

  • Reduced memory fragmentation
  • Cycle collector
  • Tuned Caches
  • Image data storage adjustment
  • Leak cleanups

<Source: Firefox 3 Memory Useage>

Wednesday, March 5, 2008

Internet Explorer 8 beta availible for download

Microsoft has made the IE8 betas available for download.
<Internet Explorer 8 beta Download>

To help developers with compatibility testing, Microsoft has made <Virtual PC> images preloaded with XP-SP2 or Vista available with IE6, IE7, or IE8 beta. Microsoft claims they will expire on July 3, 2008.
<VPC Image Dowloads>

AOL OpenAIM 2.0, a step in the right direction?

  <AOL Developer Network> unveils OpenAIM 2.0. Totally unrestricted development for the failing instant message network. Previous attempts at opening the network to developers where hindered by quotas and developer licenses. In a total about face they seem to be intending to go the other direction, removing quotas and double faced developer logins. They also have released the OSCAR protocol documentation!
  This looks nice and fuzzy on the outside, but <Wired's coverage> mentions the following concerning information:

"AOL is going even further, offering such services the option to run AOL-served advertisements as part of a revenue sharing plan."

Despite this, it's obviously a step in the right direction. Hopefully other chat services will take notice and follow suit, otherwise reconsidering AIM, again, might be in a lot of chatters' future.

Hacking Through Firewire Connection

Apparently someone just noticed that unrestricted direct write access to RAM is a feature of Firewire (according to the article). This allows one to compromise password protection code, and probably most anything else one can imagine. This is described as being done with a physical connection to the target system through a firewire port, using another system. Windows and OS X are said to be vulnerable to this.

<Engadget: Windows passwords easily bypassed over Firewire>

Thursday, February 28, 2008

Monday, February 25, 2008

MetaRAM's MetaSDRAM™ Allows 8GB DDR2 DIMM!


MetaRAM has announced it's production of DDR2 DIMMs that can hold 4GB or 8GB that are still a drop-in replacement for normal DIMMs. They demonstrated working samples back in July 2007 and released it's first chipset into production in November 2007. These DIMMs don't just allow for quadrupled memory size in the same slot, but also sport some fancy features such as WakeOnUse™.

One of MetaRAM's channel partners will soon announce a server with 256GB of main memory for under $50,000, with 500GB boxes on tap for a higher price points.

It seems for now that compatibility is limited to Dual and Quad core platforms based on AMD Opteron™ and Intel® Xeon® (with the 5100 MCH) processors.



<MetaRAM DDR2 Product Page>

<Ars Technica Coverage>

<Fox Business News Coverage>

Wednesday, February 20, 2008

Microsoft Developer Tools Free To Students

Microsoft Corp. is giving students free access to download Visual Studio Professional Edition, Expression Studio, XNA Game Studio 2.0, SQL Server 2005 Developer Edition, and Windows Server Standard Edition. The program is called Dream Spark.

"We give up some revenue, but we gain the fact that we'll get the feedback of these students, get more courses to incorporate our tools into the programs and get more startups where kids are familiar with [ Microsoft development software]" said Bill Gates.

<Associated Press Article>

<Announcement (Channel 8-MSDN)>

<Sign up info and Download>

The Next Ubuntu Announced

Planning for the 9th Ubuntu release is announced:

"And so I'd like to introduce you to the Intrepid Ibex, the release which is planned for October 2008, and which is likely to have the version number 8.10."

(It seems an ibex is a wild mountain goat with large recurved horns.)

Friday, February 15, 2008

Wednesday, February 13, 2008

The US Air Force is looking for Hackers

  <Wired News is reporting> that the US Air Force's new <Cyber Command> is looking to recruit hacker-types.

  'We have to change the way we think about warriors of the future,' General William Lord says. 'So if they can't run three miles with a pack on their backs but they can shut down SCADA system, we need to have a culture where they fit in.'

Prono QVC Prank Call In

<YouTube - porno prank call>

Thanks to Zarabyte for finding this hilarious clip.

Tuesday, February 12, 2008

1337 Eye Chart

Found at 2flashgames

Haiku resurects BeOS as open source

   The Haiku Operating System project is a BeOS clone that started as “OpenBeOS” in 2001 as BeOS was discontinued. Haiku, like BeOS is focused on being a the ideal desktop operating system. This differs from Linux and other open source operating systems which are are intended for use in diverse environments including servers and embedded devices.
   Haiku is still in an unstable development stage. The team does not have a firm target for a R1 release yet. They don't seem to have any ISO's, but they do have raw HDD and VMWare images available for download. Again they are a very early development stage.

<Haiku Home Site>

<An Ars Technica review by Ryan Paul>

<Wikipedia article>(always good for a quick summary)

Monday, February 11, 2008

Linux vmsplice Local Root Exploit

A working local root exploit for Linux has been released on milw0rm recently. It's supposed to affect vmsplice in Linux Kernels 2.6.17 to

<Milw0rm working code>

Bug reports:

[video] Zarabyte's Rain effect in Photoshop

Saturday, February 9, 2008

Drunk Shammings

You can always catch a good laugh from a page with a list of pictures and videos of people who have passed out at a party and have been written on or otherwise messed with. CO-ED Magazine put together a top 25 list of these videos and pictures, dubbed drunk shammings.

Thursday, February 7, 2008

Goodbye Nero - Free burner apps

  Say goodbye to expensive Nero CD/DVD burning applications, expiring Nero licenses bundled with your burner, Nero offer spam, as well as unexplained startup entries and drivers.

  Most of these appear to be Windows only, although ImgBurn, the most full featured of them all seems to have a Linux version also. The article seems to think CDBurnerXP is the most popular.




DeepBurner (Free Edition)

Ultimate CD/DVD Burner

Burn At Once

Burn Aware (Free Edition)

The <original list> contains a screen shot and short description of each.

Tuesday, February 5, 2008

One Million PS3 Folding@Home

Sony Computer Entertainment announced that since Playstation®3 took part in Stanford University's Folding@home™ project on March 22, 2007, the team has reached over one million users. This equates to roughly 3,000 PS3 users registering per day.

<PRNewswire: One Million PLAYSTATION(R)3 Users Participate in Folding@home Research Project>

<Folding@Home - Standford University>

YahELite team
<YahELite Folding@Home>

Yahoo Music Subscription users to be pawned off on Rhapsody


Yahoo will end its online music subscription service and switch its customers to RealNetworks' Rhapsody music service as part of a new deal between the companies. Current users will be pawned off on Rhapsody. Rhapsody has substantially high rates leaving new customers without the cheaper Yahoo service.

The article assumes for some reason, that Yahoo will continue it's free, ad-supported media offerings.

<Feb 4, 2008 - Google Associated Press: Yahoo Music Users Going to RealNetworks>

Monday, February 4, 2008

there was this one time I was wanking to porn...


Sunday, February 3, 2008

[rumor] Vista SP1 to be released Monday

<This site> is claiming that they 'received word' (without mentioning from where) that Windows Vista Service Pack 1 will be released on Monday, February 4, 2008. This report is being echoed by many other Vista fan-boy sites as being accurate.

It's been let on by Microsoft for a couple years now, and later confirmed, that they planned to ship SP1 alongside Windows Server 2008, which is now due in February 2008.

<For quick info check out this knowledgeable SP1 FAQ>

Saturday, February 2, 2008

Smiley found on Mars

Smiley face crater found by
Mars Reconnaissance Orbiter
(on January 28, 2008).

<Planetary Society article>


Avast Antivirus Error

(look at the 'License is valid until' part)

While updating Avast! 4.7 Home Edition (the free one),
logged in as a restricted Windows user (not Administrator)...

Friday, February 1, 2008

[video] Zarabyte's Basic Layout in Dreamweaver

[captcha]Visual Basic Fags

Visual Basic kiddies are Fags!

[BBC News] Microsoft offer to buy Yahoo

BBC News Logo

Microsoft has offered to buy the search engine
company Yahoo for $44.6bn (£22.4bn) in cash and shares.
...62% above Yahoo's closing share price...
There has not yet been any comment from Yahoo.


Wednesday, January 30, 2008

It's always 4:20 at Synaptics

(click for full sized)

No matter what time it is, every time I open the control panel,
it's always 4:20 on Synaptics' touch pad settings.

Stoner's Steakhouse and Bar

Y!mLite dead?

Onoez! Y!mLite iz dead?

/ X X \
\ --u /

[video] Yahoo Booters...lolz

Yahoo Booters...lolz

(Youtube video)

Russian Hackers crack Yahoo captcha

A group of Russian hackers claim to have found a way to decipher Yahoo captchas with 35% accuracy.

<The blog announcement>

<The site with a rapid share RAR link that claims to be a proof-of-concept>

Hello World!

#include <stdio.h>
int main( int argc, const char* argv[] )
printf("Hello World!");
return 0;