IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems O(Not to mention other
automotive products)

The system spec’s show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around


Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the

Which I didn’t read.

Then, this thread happened:

> – — “Suresh Ramasubramanian” wrote:
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
> *bing*

That last bing was from Paul Ferguson, our Fergie.
If I was drinking coffee, I’d have dropped it!

Other followups included Chris Morrow’s:
> I can’t help it:
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
Hmm — I was going to say 127.1 miles apart, but that’s not a v6
address… 1918 miles apart?


Month of Random Months

From full-disclosure’s Month of Random Hashes (MoRH):

Dear list,

You asked for it, and we delivered! Due to the increased demand
for more “Month of” projects, and the growing popularity of posting
hashes to this list, we proudly present… THE MONTH OF RANDOM

Every day for the next month we will be providing a list of not
one… not two… not three… not four… not five… not six…
not seven… not eight… not nine… not ten… not eleven… not
twelve… not thirteen… not fourteen… not fifteen… not
sixteen… not seventeen… not eighteen… not nineteen… not
twenty… not twenty-one… not twenty -two… not twenty-three…
not twenty-four… not twenty-five… not twenty-six… not twenty-
seven… not twenty-eight… not twenty-nine… not thirty… not
thirty-one… not thirty-two… not thirty-three… not thirty-
four… not thirty-five… not thirty-six… not thirty-seven…
not thirty-eight… not thirty-nine… not forty… not forty-
one… not forty-two… not forty-three… not forty-four… not
forty-five… not forty-six… not forty-seven… not forty-
eight… not forty-nine… not fifty… not fifty-one… not fifty-
two… not fifty-three… not fifty-four… not fifty-five… not
fifty-six… not fifty-seven… not fifty-eight… not fifty-
nine… not sixty… not sixty-one… not sixty-two… not sixty-
three… not sixty-four… not sixty-five… not sixty-six… not
sixty-seven… not sixty-eight… not sixty-nine… not seventy…
not seventy-one… not seventy-two… not seventy-three… not
seventy-four… not seventy-five… not seventy-six… not seventy-
seven… not seventy-eight… not seventy-nine… not eighty… not
eighty-one… not eighty-two… not eighty-three… not eighty-
four… not eighty-five… not eighty-six… not eighty-seven…
not eighty-eight… not eighty-nine… not ninety… not ninety-
one… not ninety-two… not ninety-three… not ninety-four… not
ninety-five… not ninety-six… not ninety-seven… not ninety-

not even ninety-nine…


To make the project even more successful, this number (100) only
represents the number of random strings that hashes are generated
for, and not the total number of hashes we provide daily! You will
receive an md5sum, sha1sum, and sha256sum of all 100 random strings
every day.

That is THREE HUNDRED hashes. In your mailbox. Free. Every day.

Stay tuned for more details!

And another post on a newly invented term by Michael Silk:


you shall use it when hacking your way into something.

“i just hackcessed the mainframe”

kittens can use it in the form of “i’m in ur server because i
hackcessed my wai in”

and so on.

i’d post a hash of myself posting this message, to prove i’m the one
that posted it, but you know, it’s hardly worth it.

This message brought to you by MoNST* in the spirit of MoAPI**

68 65 6c 6c 6f 20 74 6f 20 79 6f 75 2c
20 68 65 78 20 64 65 63 6f 64 65 72 2e

* month of new security terms
** month of annoying project ideas



Fergie sent this to funsec after reading it at Schneier’s:

Now, isn’t that true.


Worse luck

It’s been a while since I got out to the trade seminars. You know, marketing’s traveling bumpf show, where they trot out the VP of sales, plus a “security evangelist” or somebody with some such title (who has a technical background, but likes schmoozing more than doing actual research). I used to go to lots: it’s a good way to get up to speed when you first enter a field, but the law of diminishing returns tends to set in real fast in terms of actual information.

There were actually two that I signed up for this week. SANS had one, and I’ve never been to any SANS stuff, so I went to that. Intel also had a real dog and pony show, with extra associated vendors. When I get home from these things, Gloria always asks me whether I’m glad I went.

I’m glad I went to the SANS show. Didn’t get much out of the presentation itself. But the style of the presentation was intriguing: an awful lot of “cute stuff” demonstrated, without much actual information being relayed. The attitude of the presenters was also interesting: they were definitely in it for the cash.


Putting Cross Site Scripting to Good Use

My favorite April’s fool prank so far is a combination of two cross site scripting attacks on Cisco’s web site and Maria Sharapova’s site to announce that she has passed the Cisco certification test and will now become a security engineer.
It’s a neatly done attack (just a small noticeable error on the Cisco site) and it shows pictures of Sharapova which gives it extra credit score :-)

Well done Security Lab!

(queue in the backdoor jokes)


AV Marketing and Babes

we discussed nod32′s marketing with putting “nod32 protects your ass” on babes while playing sports (!!!), now we need to discuss something much more exciting, although less innovative.

bit defender! :)

words are a-wasting, go watch their babes (not just booth-babes) at this gaming show. make sure and not just stare at the babes, but listen to the bit defender song!

note: not work-safe, and may be offensive to some viewers.


and specifically:

now, go and watch the symantec version:

tell me who rocks more!


gadi evron,


CCC: Monochrom, hackers and art

one of the greatest surprises for me at 23c3 was my personal introduction to monochrom (wikipedia page), a group of hacker artists from austria. i know jacob appelbaum.. but i had no idea about the austrian group, or how great they are.

in very simple terms they are artists, very contemporary and very very scene-connected. life hacking, real hacking and any type of hacking, these guys are just l33t. we need to get them a stage one evening at defcon so they can play for us.
as a quick introduction to them, sing along with their rfid song (special for 23c3). i know i did… (although i couldn’t follow their german songs, danke sounded like a lot of fun – yes, i saw you singing fukami!)

for their lecture at 23c3, which is very cool and presents a lot of very interesting art projects heavily relating to hacking (not work safe! porn! could be considered very offensive! pg18, etc.) download the wmv:


some of the projects they discuss include porn, indeed, but others are more interesting. they created an entirely fictional artist (georg paul thomann) and had him represent austria in an international art show (and “save” taiwan when china wanted them out of the show). they showed (both by using 50 real euros and with a mathematical calculation) how many times it would take to blow the several trillian euros in circulation by going to a bank and exchanging to usd and euro again and again, etc.

cool people! rfid!!
gadi evron,


Botnets, Security Ops and Boxing

What do they have in common?


Second Life: Virtual Worlds Botnet Attacks

hey, do i smell history repeating itself? bots on irc used to be useful too, and then used for local flooding. only later did they become the botnets that they are today. :)

so, from automated playing when you are not around to keep stuff active (rings a bell?) to botnets that throw… privates at people. :)


worth a read. i always love when the real world and the virtual meet, whether by marriages or by physical world police taking complaints because “someone stole my weapon on world of worldcraft!!”

we do live in interesting times. :)

gadi evron,


419 French (Polite) Spam

I got this polite spam which is the French version of the infamous Nigerian 419 (if that’s what it is, it lacks a dead relative.):

Je me présente je suis Madame Delanoë, la collaboratrice directe d’Annie Dupas étoile d’or de la voyance 2006.

Je vous contacte car vous avez été tiré au sort et vous avez la chance de pouvoir bénéficier d’une voyance par e-mail totalement gratuite avec Annie Dupas.


It’s Y2K, no, it’s 32 bit unix time, no, it’s Slashdot!


“2^24 comments ought to be enough for anyone” — cmdrtaco

slashdot posting bug infuriates haggard admins
posted by cmdrtaco on thursday november 09, @10:45am
from the this-is-never-good dept.
last night we crossed over 16,777,216 comments in the database. the wise
amongst you might note that this number is 2^24, or in mysqlese an
unsigned mediumint. unfortunately, like 5 years ago we changed our primary
keys in the comment table to unsigned int (32 bits, or 4.1 billion) but
neglected to change the index that handles parents. we’re awesome! fixing
is a simple alter table statement… but on a table that is 16 million
rows long, our system will take 3+ hours to do it, during which time there
can be no posting. so today, we’re disabling threading and will enable it
again later tonight. sorry for the inconvenience. we shall flog ourselves

gadi evron,


M$ Firefox

While there are Windows 0-day exploit (XML core) again, I have found some funny web site. It’s about M$ Firefox‘s features, http://www.msfirefox.com/microsoft-firefox/index.html. Having fun :)

Trirat Kira P.


Anecdotal story about myself, worm writing and Emergent behavior in Worms

When I first started [I was about 13 & 1/2] working with computers I was really interested in figuring out how the ‘did what they did’. So much so that I was tinkering with assembler within 6 months of getting a computer, not that I accomplished much at that time. I didn’t have internet access so my only ‘escape’ from the real world was delving deeper into the machine. I quickly developed programming skills and was becoming trapped by the limits imposed in QuickBasic (hey we all learn somehwere :D ). I went back to looking at assembler since I knew I could encode byte code into the basic programs. After that I made some great mode 13 games and demos. (more…)


The real story behind BT buying Counterpane!

From “Schneier on Security“:

FLUNKY: Sir, that Schneier person called again. He left a detailed


Clippy’s take on Security :)

Clippy has decided to get into security, more details are available here: http://www.halon.org.uk/stuff/clip_php_cms.png :)


Mooooooooooore fun with Google Code Search [updated]

i still update the fun with google code search post daily with new regex searches, but i decided this one warrants its own post.

on the daily wtf they discuss some different types of searches.. among which the more polite and less funny ones are “idiot” and “wtf”.


a must search!

also, as somebody noted in the comments to this post, searching for tbd is interesting. searching for tbd security even more so:

38: *
* tbd: this file needs a security audit.

gadi evron,