Paradox - a statement or proposition that seems self-contradictory or absurd but in reality expresses a possible truth.

:: BINARY PARADOX ::

Stepping stone to the /dev/null in the sky

Surf's Up - Exploring CSRF

At The Next HOPE convention in NYC this summer I presented a talk on Cross Site Request Forgery (CSRF) entitled “Surf’s Up – Exploring Cross Site Request Forgery through Social Network Exploitation”.

The idea of the talk was to present the background, theory, and use of CSRF by exploring a vulnerability found in Vampirefreaks that allowed a password-stealing social network worm to be developed. Additionally, some protective measures and attack variations were presented. Overall I feel the talk was a great success, and I had a blast presenting it.

Surf’s Up – Exploring Cross Site Request Forgery from Daniel McCarney on Vimeo.

The slides from this talk are available under a Creative Commons license in both PDF format and Open Office Impress format.

Dropping Drop.io

I was recently tasked with the mundane job of downloading ~40 images from a Drop.io hosted album. Drop.io is one of several providers of online file swapping, similar in purpose to the Dropbox service.

What irked me about Drop.io is that there was no immediately apparent way to download the full size versions of the pictures quickly. To download even a single picture took far more clicks than I was willing to endure. Downloading the ~40 images I needed was akin to a hardcore session of Diablo 2. My mouse may never recover. Web 2.0 AJAX-y interfaces have their place, but I want efficiency.

To that end I dug through all of their JavaScript and was able to uncover how I could automate getting access to the full URL for each image (not an easy task by any means through the normal UI). I spent an hour or two brushing off my JavaScript skills and learning how to write a Greasemonkey user script for Firefox. My script automatically links all of the thumbnail images in an album to their full downloads.

Thoughts on Diaspora

The other day a friend sent me the link to a story about an interesting upstart web project called Diaspora. The article piqued my interest and I decided that I wanted to do some more reading. As usual the reading led to more questions and thoughts. It soon after became apparent that a short reply wouldn’t do things justice.

An open letter to DuneMUD

For the past seven or so years I’ve been an active volunteer (note the word volunteer) with DuneMUD. I’ve increased my skill, my responsibility, and the scale of my contributions as I went. I’ve had the chance to learn from a lot of great people and meet a lot of new friends. You might not expect it, but you will find my name all over the codebase. I can’t claim to have been the most active coder in the past 5 years, but I’ve certainly been in the top 3.

The time has come for me to evaluate my purpose on Dune, and where I want to be. I’ve climbed as high on the promotion ladder as I’m interested in going, and quite frankly, I’ve lost my passion for the work. There are lots of factors that have led to this, but I’m going to do you all the service of highlighting the core ones.

High-speed note taking with Textile

It’s no secret that I’m a Computer Science student. From this you can infer a couple of things fairly reliably:

  1. I have terrible handwriting
  2. I take class notes frequently
  3. My computer spends enough time with me that it might as well be an appendage
  4. I’m lazy and want to script away anything mundane

This article is the result of my experiments with note-taking strategies. The final result is a Python script for processing notes taken in a simple wiki-like Textile markup and outputting nicely styled XHTML.

Darwinian Security - Evolving the PWN

Lately I’ve been thinking a little bit about experimenting with the amalgamation of Artificial Intelligence algorithms and different aspects of Information Security. I’m hardly an AI expert, but I’ve had some limited academic exposure to the foundation of a few branches of AI research. I think the important thing is that I’ve seen enough of the material to get my mental wheels spinning.

I’ve thought of two specific concepts I think deserve exploration when time permits. I’m posting my interim thoughts here about one of them mainly to garner some constructive feedback and hopefully some resources. I’m an info sec enthusiast, but certainly not an expert. It would be a great help if I could find some related journal publications. Due to the… more obscure… nature of the areas of study, I’m also interested in any “less formal” (see: ezines, blogs, mailing lists) research that may relate.
