Search the Community

A former cop and owner of the website Polygraph.com has pleaded guilty to five charges of obstruction of justice and mail fraud for teaching people how to cheat lie detector tests. Douglas Williams, 69, of Norman, Oklahoma, faces up to 20 years in jail and up to a $250,000 fine for selling polygraph-evasion training to two clients who were actually part of an undercover sting operation. The first undercover operative posed as an agent with the Department of Homeland Security and told Williams that he wanted to conceal the fact that he been involved with smuggling drugs through the airport where he worked. A second undercover agent told Williams he was applying for a job with the Border Patrol and wanted to hide his criminal history. Williams told both clients – who paid him $1,000 if they traveled to his home and $5,000 if he traveled to meet them (plus travel expenses) – that they should deny they had received his training. According the indictment [PDF] brought against Williams, when the operative posing as a DHS agent admitted he was lying about his innocence, Williams exploded: "I told you I’m assisting you under the assumption that you are telling the truth. What the fuck do you think you’re doing dumbass? Do you think you have, do you think you have like a lawyer confidentiality with me?" But in truth, Williams was undeterred and continued to train the self-styled DHS agent. He grew paranoid and told his client to change his cell phone number and to respond to a new email he sent him from "the paranoid chicken." Then just hours later he changed his mind about changing the telephone number and focused instead on getting paid through an untraceable money order. Money talks Ten days later, Williams flew to meet the so-called DHS agent, who again admitted he had helped smuggle drugs on four occasions. Nonetheless, Williams continued to train him in how to lie – which is a big no-no when you work for the US Department of Justice. "Lying, deception and fraud cannot be allowed to influence the hiring of national security and law enforcement officials, particularly when it might affect the security of our borders," said Assistant Attorney General Caldwell of the Justice Department’s Criminal Division in a statement announcing Williams' guilty plea. "Today’s conviction sends a message that we pursue those who attempt to corrupt law enforcement wherever and however they may try to do so." Williams was more careful when talking about his services in a promotional video. "Even if you tell the complete truth, you will fail 50 per cent of the time," he said in the video, explaining that lie detectors assume that being nervous when you are asked a question indicates you are guilty of whatever was asked. "Why fail?" Williams asks. "Just because you're nervous doesn't mean you're lying. I can teach you how to pass, nervous or not, no matter what." But the Justice Department holds that he crossed the line when he readily trained people who he believed had criminal records and were hoping to conceal their crimes from government authorities. According to the indictment, which was handed down in November, Williams told one of the undercover agents, "I don’t give a damn if you’re the biggest heroin dealer in the fucking United States." Later he added: "I haven't lived this long and fucked the government this long, and done such a controversial thing that I do for this long, and got away with it without any trouble whatsoever, by being a dumb ass." The DoJ would beg to differ. Source

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Product: phpTrafficA Product page: phpTrafficA Homepage Affected versions: Up to and including 2.3 (latest as of writing). Description: The user agent string provided by the browser is not sanitized nor escaped when handled. This string is then outputting into HTML code on the "Latest visitors > Details" page, leading to HTML injection that can be abused to perform XSS. For example, the following user agent will cause a JavaScript dialogbox to pop up as soon as the page is visited: "><script>alert();</script> This page can be hidden from the public, in which case only admins can visit it. However, the script still executes when they do, which could enable a malicious user agent to steal the phpTrafficA cookie (no expiry) or other admin credentials. Proposed fix: Escape the HTML characters with htmlspecialchars before outputting the user agent string. In: Php/stats/statsRecent.inc.php Line 304: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n"; becomes: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n"; Line 369: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; becomes: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": ".htmlspecialchars($thisagent)."<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; Best regards, Daniel Geerts -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVJPGzAAoJEHn1bVIKHk5N5egP/0FRgNCiTwYyFwmqgcNLxOQ5 yuJtnGdGFvH0axXlvm+AgVYOtmM4erduSR3hCaSx4ER7f30SZkRCUuaW8aR1/Tow bdYzLXNHcY21gXkhHt+bWH7ZkEpUWxXR6ZzrwL5QO3Ez+QkDr1HUmg8QQPUia8Qk KGY+dbkRXqVR7MYRGjAbyceOEXpxpOtxaZ9UTSmQTGW31Upu+dmqkkOTbvV20tEj N07T4UwMffCGNWloeuXg8QvIlvwe22kV3+frA2qGxdWKHVl66iJAV0pQ+bxDgoxe Y3JsYKdeIhB6T0Yt7rpEbzlgaupQ9pg279bzGVVD4Z+AuNhvDY/4K6RZsFB11DGv eY4VR8KLyNuw5N/wLBGf9ZSL9dLBGatYxi0HoQtrmFqLppo1x6nhEV6A0gRulWRa 9L04PdWKmv+2/prwW9ygT7UFIdApT1q3Uljq9QQIWmdDxGx3YxFmvMVpC5NThtxO ElN8fhQpUKFss439qiLaGEMKO/D4bNC71Ydo6jvZOWQ+9eBxmMUT7XfK6fnB811c RTRON1SG73AWcbfpIJ/dM+g0jm6bcvVVQxNmaARdlf+E2ihXnMPU2k39ndfV/vqD 7iuZQraH1ZrQJAqjVmzHWvEfEPyeaiJPRguu1kmnG8QkSMDtBHIpGvvHCHSU4ioF +wxMYqlgbfJGakc4s5RO =wCVy -----END PGP SIGNATURE----- Source: http://packetstorm.wowhacker.com/1504-exploits/phptraffica23-xss.txt