Paul's Journal
My Podcast Link
02/24/2006 00:20 #32494
IE 6 for windows Clipboard security 2Category: web
I decided to write to the Buffalo News about this as my newest version of the IE clipabord security exploit is so sinister that it can constantly monitor your clipboard data in IE for windows and send it to my database, no matter what app you are in as long as you leave IE open.
Although, there is a solution for this which I posted in the computer journal, almost no one has it installed as I have collected thousands of clipboard for my news epoem entitiled "Microsoft Security" which I am reading that I am reading at the e-poetry symposium next week.
Here was my letter, let's see where it goes.
Hey Steve,
I think you will find this extremely interesting. This week I accidentally discovered a major security flaw that affects IE for PC which allows me to read the visitors clipboard contents from a website with just a few lines of code. Just think what is in your clipboard, sensitive data such as passwords, account numbers, contact data, copied emails, copied instant messenging conversations, private documents, etc. Also, there is essentially no limit to the size of the clipboard, so the amount of data can be pages long including entire documents.
While people may have already known about this clipboard security exploit, as far as I know, no one has combined this flaw with current AJAX (Asynchronous Javascript and XML) technology. With this technology combo I can create a web site that continuously monitors the contents of a user's clipboard and forwards it to a database any time the content has changed without any indication to the user. It doesn't even matter what windows application they are using when copying new data, as long as the web page is open somewhere in the background. This is the global system clipboard, not something specific to the browser.
You can see it for yourself. Copy some innocuous data to your clipboard and then visit with IE for windows. You should see your clipbaord data echoed into the page. Then for the extraordinary part, leave the site open but switch apps. Anything you copy into your clipboard gets copied onto the page and sent to my database.
I think this particular security flaw is newsworthy because people can see the results right in their browsers. What is most incredible is that unlike flaws where you could say search for data on a users computer, using this method, it's almost like the users brings you their most sensitive data to you.
There is a solution to this that involves disabling paste scripting in your internet options but by default it is enableed which leaves 90% of people wide open.
You cannot believe the data I have collected with this, remember that each bit of data can be associated with an IP addr. If a particular organization was targeted your could definately compromise security in a serious way.
Feel free to email me if you have any questions.
Paul Visco
02/23/2006 00:34 #32492
The Gym and ProgrammingCategory: life
I have to say I do not know if it will be worth it over the longhaul as it takes up valuable evening programming time but I suppose a little moderation is in order in my life.
Sometimes I want to look like this. I got the chest hair part going, lol.
Today (e:enknot) and I were talking about how we are not just professional but also recreational programmers. Speaking of recreational programming, I was so thrilled with fixing the mobile post from email bug followed by solving the PPC 6700 jpeg corruption error all in my spare moments within the last 24 hours. I think tomorrow I plan on turning the corrupt jpeg fixer into a native mobile phone application. I have a feeling that it will be ueber addictive. If microsoft won't fix it, I will fix it for them - which is ridiculous.
I also started writing about my mobile phone soap opera on my new web site which is barely populated with data yet.
02/22/2006 19:40 #32491
PPC 6700 extraneous data in jpegsCategory: programming
The only problem is that the 1.3 Megapixel camera produces faulty jpegs that have 16 extraneous bytes in their EXIF data. The unfortunately cause the photos to not work with many web sites which use open source Jpeg libraries to resize images. I heard they even have problems being viewed in gmail.
In order for the phone to be truly useful I had to be be able to take images from the phone and use them on my journal. So it was time to get out the old fashioned hex editor and begin experimenting with which bytes were the extraneous ones. Turns out it was a regular sequence right at the end of the EXIF data. The etxra string looks like this:
"x00x10x4Ax46x49x46x00x01x01x00x00x01x00x01x00x00"
I found that this string identifies the images as from the PPC 6700
"x41x70x61x63x68x65x00x48"
Unfortunately, the string is sometimes repeated but only the first one was extraneous, so you can't just doa blind search and replace. instead you have to just repalce the first one. here is some PHP code that would allow you to use these images as normal ones using GD. You an find a copy of this
<?php
function checkFixPPC6700($orig){
//get the file contents
$data = file_get_contents($orig);
//if its a PPC 6700 image cut out the extraneous 16 bits
if(strstr($data, "x41x70x61x63x68x65x00x48")){
$bad_data = "x00x10x4Ax46x49x46x00x01x01x00x00x01x00x01x00x00";
return substr_replace($data, "", strpos($data, $bad_data), strlen($bad_data));
} else {
//if not from a PPC 6700 return data unaltered
return $data;
}
}
$data = checkFixPPC6700('IMAGE_006452.jpg');
//$im = imagecreatefromstring($data);
if (($im = imagecreatefromstring($data)) !== false) {
header('Content-Type: image/jpeg');
imagejpeg($im);
}
?>
02/21/2006 19:24 #32490
When flickr, boyscouts and vintage mixCategory: photos
They have lots of old pics
I can't believe how few people paid attention to my journal about the clipboard reading flaw in IE. I have read about 3000 clipboards to use in my newest epoem for the epoetry symposium at UB. It is entitled, "Microsoft Security" with a refrain of get firefox, get firefox.
I love vintage photos.. I really love the one you posted. I checked out the remainder on Flikr. Nice.
02/23/2006 22:03 #32493
I'm going to explain myselfCategory: war
My attack on (e:be)'s journal may have seemed like some random attack on some poor little solder boy who didn't know better and just wanted to defend his country. Well that is not the case. Maybe you don't rememeber be|brandon that used to be the dread locked, hippy granola, anti-war boy that worked at coop.
You may, however, remember him when he lived as a woman. You would know him because he wore the skankiest mini skirts and looked a lot like a prostitute. I disliked him back then because I felt as though he was making it harder on gay people by living like she did for what I perceived to be pure shock value. Then, after a while, I felt bad for her because I thought, oh man maybe he is really a woman trapped in a man's body and I tried to learn to not hate him. His newest metamorphosis just makes me sick.
I am outraged not by the choice of a human to defend their country but by the choice of that particular human to become a solider.
And just as (e:be) has the right to make the choice he did. I have the right to criticize him and call him out on his disturbing choice. In fact I think I have a particular responsibility to do so as I am the one providing him with the public vehicle to brag about his new killing power.
I don't want to feel repsonsibile for giving someone a voice who is choosing to kill people just to see what it feels like.
Here is his repsonse to my comment.
Damn, that's some harsh shit. I wouldn't call it ignorance, really. I know full well that I work for an organization that does "bad things." I went into it knowing that. How much did I know it though? I've been anti-war and government forever, but what did I really know of such things? I'm going through alearning experience here that may very well cost me my life. This I also am aware of. Really, as I believe
I've wrote, I'm fucking over myself -seeing how it feels to betray completely everything I thought I had that made me "me." It's not something that most sane people would do, but I'm into it for an aspect of the depths of human experience that would be otherwise impossible to, well, experience. This puppet theatre of world events is going to keep playing out no matter which side I'm on. The sacrifice I make now will allow me to be able to converse intelligently about things that
before I could only have opinions about.
This is reality. If it weren't me, it'd be someone else, and they could've just as easily been me. I have so little time on this planet, and I need to see from as many viewpoints, and learn as much as possible. So, here I am, spending some time finding out firsthand about part of society that people either love or hate. Myself, I don't love or hate. Life is too short.
And shit man, you may as well laugh, because that brain matter dance isn't likely to happen any time soon. I'm more of a minor wound type. However, should my head succumb to entropy before the rest of me, I would invite such revelry. Just try not to feel too sad, just appreciate the absurdity of corporeal existence.
Rock n' roll...
ok so apparently you do know be is brandon. weeeiiirrdd!
Paul (e:Be) is brandon! The one who used to dress pretty.
OMG... he needs to have big muscles -- to lift everything in his shorts! Are those workout balls he has?
Of course you are a recreational programmer, (e:Paul)! All us members of (e:strip) are thankful for it, too.
building muscle is a slow, slow process. keep it up and you'll reap the benefits. increase weight, increase intensity and keep workouts short to prevent muscle cannabalization. in good circumstances figure about building 1/4 lb of muscle a week naturally but double now because your still a begginner.
my robot finds them for me
Any of us could have told you that you are a recreational programmer, fortunately for us! (thank you! thank you!)
oh yeah paul- meant to tell you that i got a text this am saying that my mobl post (from weeks ago) had gone through. It didn't appear, but it seems like something was fixed. I'll try again when I find a worthwhile pic.