20 August 2009

Next Target Acquired - Twitter

So, I'm going on holiday in a little while and will be afk for about 3 weeks, and I can't wait. In the interim though, I have decided to focus my sights on a new target, with a hope of finding something new and fun, namely Twitter. I'll update if I do manage to find anything interesting, and I hope that their response is as good as Facebook's, if of course I find anything.

Facebook and responsible disclosure

Okay, so a few nights ago, I decided to spend some time finding some vulnerabilities on Facebook, and lo and behold, I found one. Once I managed to find a contact for the security team at Facebook, I dropped them an e-mail on what I found, and I got a response the same evening. All I can say on the topic of a quick response from a company, in this case Facebook, is WOW! These guys really are serious about security. I was planning on publishing the details on what I found over at SecuriTeam, but I have decided against it, purely because of the response that I received from Facebook. Thank you Facebook, you have restored my faith in social networking. A huge thanks to Gerry.Eisenhaur and Technocrat for their help in testing, couldn't have done this without you guys.

12 August 2009

SQL Injection Cheat sheet

SQL Injection cheat sheet

[From SQL Injection Cheat sheet: Esp: for filter evasion - by RSnake]
Been meaning to blog this one for a while, hope it helps someone out.

Pirate Party UK - The party is registered!

The party is registered! Submitted by Andy_R on 11 August 2009

The long-awaited news has finally arrived, the Pirate Party UK is now officially registered as a political party! This means we can raise funds, have Pirate Party Candidates at the next general election, and do all the other things that political parties do. Getting to this stage has been a long process, we've had to elect officers, raise funds, fill out forms, meet with some (very helpful) people at the Electoral Commission, and learn far more about electoral law and the special party funding rules that apply to Gibraltar than any sane person would ever want to.

Andrew Robinson, Party Leader and Eric Priezkalns, Party Treasurer at the Electoral Commission offices in Westminster.

Now the party can really start. It's time for us to tell the world that we exist, to recruit members, raise funds and gear up to fight the General Election. The officers and web team have built the framework that the party needs to get going, now it's time for YOU to make things happen. Join the party, tell the media about the party, tell your friends about the party, take part in policy and news debates on the forum, join our Facebook group, donate or set up a regular payment to provide financial support, set up a branch in your constituency, school or workplace, join the specialist working groups for members with key skills like lawyers and journalists and volunteer to take part in canvassing and campaigning in your constituency at the general election... The success of Britain's newest party depends on you, the members!

[From Pirate Party UK - Blog - The party is registered!]

Half A Million Intercepts of Communications Data in 2008

Via eff.org

This week, the United Kingdom's Interception of Communications commissioner, Sir Paul Kennedy, announced his latest statistics for Britain's phone and email surveillance systems, to generally shocked responses by the British Public. In 2008, law enforcement, local authorities and the secret services in that country demanded "communication data" — the "who, how, when and where", but not the actual content of messages — 504,073 times. That's 1,381 times a day; or one inquiry every year for every 78 people in the UK.

Sir Kennedy's report is, in many ways, all the public oversight these half a million requests get. In the United Kingdom, there is no judicial review of these requests; law enforcement together with the Information Commission regulate their own regime, and are bound only to a government "code of conduct".

Communications data continues to be viewed by lawmakers as non-invasive and therefore not regarded as requiring strict regulation, despite the growing range of personal information that can now be revealed by a communications data intercept request. These orders can reveal lists of websites visited, email headers, name and address lookups, and, perhaps most controversially, the real-time location of a particular mobile telephone.

Such a breadth of information so readily available makes these intercepts increasingly tempting for law enforcement; modern technology makes them far easier to capture and process en masse; and with no probable cause or other conditions on obtaining such data, these numbers will keep rising. To guard against the misuse of these invasive powers, we need more than just aggregate statistics presented at the end of the year. Across the world, these frequent invasions of privacy need full judicial oversight, one case at a time.

This has got to stop soon!