August 06, 2004

Nasty WiFi hacker trick

Oooh, this is bad. A fellow at this year's DefCon came up with a program that exploits the weak (or absent) security of an 802.11b WiFi network. His program, airpwn, inserts HTML into an HTTP transaction. What was his favorite thing to insert? How about replacing all the images on a web page with the goatse.cx picture? (If you don't know what it's a picture of, you really, really don't want to. Seriously.)

Posted to Comp.Security by extra88 at 03:27 PM

June 04, 2004

Favicon, security hole

I find this exploit amusing for some reason. You're probably familiar with "favicons," the images web servers can deliver to some browsers so you can have a tiny logo (or whatever) instead of a generic bookmark graphic on your address bar or in your bookmarks. Normally they're really small, like 15 pixels square. Well, the folks at GreyMagic discovered that the Opera web browser could handle much wider graphics and that the graphic would cover up the URL in the address bar. This means a malicious web site could cover their hostname with a graphic displaying the URL of another site, say, "http://www.ebay.com." Here's the sample graphic from GreyMagic's site:

[Image: sample URL obscuring favicon]

I wish they had a screenshot of what this looked like in Opera; the demonstration page is only a demonstration if you have the browser. Opera has already issued a patch.

Posted to Comp.Security by extra88 at 12:13 PM

June 05, 2003

Teen girls train FBI 2B teen girls

It's an obvious problem and they chose the obvious solution. Agents are posing as teen girls online to catch pedophiles. How do the agents learn to act like a teen girl? They get teen girls to train them!

The first time the girls gave a quiz, all the agents failed.

"They, like, don't know anything," said Mary, 14, giggling.

"They're, like, do you like Michael Jackson?" said Karen, 14, rolling her eyes at just how out of it adults can be.

Putting this in my "Comp. Security" category was a bit of a stretch but, hey, knowing who you're communicating with is a part of security.

Posted to Comp.Security by extra88 at 01:06 PM

April 18, 2003

90% Give Away Password

I almost put this in the "Work" category since password security is a part of my job. Instead, I made up a new category since the general subject is something in which I'm interested.

Office workers give away passwords for a cheap pen

"Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password."

The other 15 percent gave it up after just a couple of leading questions.

"Of the 152 office workers surveyed many explained the origin of their passwords. The most common password was 'password' (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent)."

The methods used weren't very scientific but I think the results are probably pretty representative.

Slashdot put this story in their "Funny" category, which tells you what computer geeks think.

Posted to Comp.Security by extra88 at 02:12 PM

April 16, 2003

Fugu 1.0 available

"Fugu is a native Mac OS X Cocoa GUI wrapper for OpenSSH's commandline sftp client. SFTP is a secure replacement for FTP: the session is encrypted via ssh, so nothing--most importantly passwords--is sent in the clear."

It's also free and open source.

Posted to Mac by extra88 at 10:31 AM