Category Archives: Hackmeck


Hacker oeconomicus

Ein Markt wie jeder andere – Handel mit Zero-day-Exploits – Studie von Rand


Learning from History

Everyone knows the story of Clifford Stoll and and West-German KGB hackers (see the video below) in the late 80s.  Does this history teach us something today? What strikes me as I watch this documentary again is the effort ratio between attackers and defenders. To fight a small adversary group, Stoll invested considerable effort, and from some point involved further people and organizations in the hunt. In effect, once they had been detected, the attackers were on their way to being overpowered and apprehended.

Today, we take more organized approaches to security management and incident response. However, at the same time we try to become more efficient: we want to believe in automated mechanisms like data leakage prevention and policy enforcement. But these mechanisms work on abstractions – they are less complicated than actual attacks. We also want to believe in preventive security design, but soon find ourselves engaged in an eternal arms race as our designs never fully anticipate how attackers adapt. Can procedures and programs be smart enough to fend off intelligent attackers, or does it still take simply more brains on the defender’s than on the attacker’s part to win?


Neat XSS Trick

I just learned a neat XSS trick from a blog post by Andy Wingo. This is old news to the more proficient web application testers among my readers, but it was new to me and I like it. I wasn’t aware that one could redirect function calls in JavaScript so easily:

somefunction = otherfunction;

somewhere in a script makes somefunction a reference to otherfunction. This works with functions of the built-in API, too, so any function can become eval:

alert = eval;


window.alert = eval;

So if you can inject a small amount of script somewhere, and a function parameter elsewhere, you can turn the function that happens to be called into the eval you need. This PHP fragment illustrates the approach:

// XSS vulnerability limited to 35 characters
print substr($_GET["inject1"], 0, 35);

// URL parameter goes into a seemingly harmless function - which we
// can redefine to become eval
<?php $alertparam = htmlspecialchars(addslashes($_GET["inject2"]), ENT_COMPAT ); ?>

The first PHP block allows up to 35 characters to be injected into the page unfiltered through the inject1 URL parameter, just enough to add to the page this statement:




The second block embeds the value of the inject2 URL parameter in JavaScript as the parameter of alert() after some (imperfect) escaping. This one has unlimited length but goes into a seemingly harmless function – until somebody exchanges the function behind the identifier alert.

To see it work, put the PHP code on your web server and call it with a URL like this:

xss.php?inject1=<script>window.alert=eval;</script>&inject2=prompt('Did you expect this? (Yes/No)');

This works fine with Firefox 9 and, if XSS filter is disabled, IE 9. Safari 5.1.2 silently blocks the exploit, telling me about it only in debug mode. If you really need to, you’ll probably find an evasion technique against client-side XSS filters. IE seems to need window.alert, while Firefox is happy with just alert in inject1.


Das fast perfekte Verbrechen. Dem Finanzamt falsche Gehaltsabrechnungen untergejubelt, später mit falschen Steuererklärungen Erstattungen kassiert und Ermittlungsverfahren gegen sich kurzerhand beendet:

»… auch eröffnete hin und wieder eine Staatsanwaltschaft ein Ermittlungsverfahren. Geschah dies, tarnte der Angeklagte sich kurzerhand als Rechtsanwalt, wies sich bei der Staatsanwaltschaft mit ebenfalls gefälschten Papieren aus, bekam seine Akten zugeschickt und vernichtete die dann genüsslich.«

(Echo Online: Einkommensteuererklärungen für erfundene Menschen)

Am Ende haben sie ihn doch gekriegt. Aber den Trick mit den Akten muss ich mir merken.

P.S.: Zwei Jahre und neun Monate gab’s dafür.

28C3: CFP for 28th Chaos Communication Congress

Und noch ein CfP:

The Chaos Communication Congress the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it has since established itself as “The European Hacker Conference” attracting a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world.
The deadline for submission is October 11th, 2011 Midnight (23:59) UTC. Notification of acceptance will be sent by e-mail on November 20th, 2011 the latest. However, you may very well get your notification earlier than that if needed.
– October 11th, 2011 (Midnight UTC) Submission due
– November 20th, 2011 (Midnight UTC) Final notification of acceptance (or earlier)
– December 27th – 30th, 2011 Chaos Communication Congress


Einer plappert es dem anderen nach, bis alle ganz fest dran glauben: Fehler in der IT-Sicherheit fügen Unternehmen schwere Reputaitonsschäden zu, die sie an den Rand des Untergangs bringen. Das klingt zunächst plausibel – stimmt aber vielleicht überhaupt nicht. Oder ist schon mal eine Bank pleite gegangen, nachdem ihre Kundendaten an deutsche Steuerbehörden verkauft wurden?

Wir brauchen langsam mal ein neues Marketing und neue Beraterpasswörter.

47 ways of manipulating people

Successful games manipulate people, creating artificial tasks and challenges that people love to spend time on. This is hard but one can learn it. Hard it is because one need to carefully balance difficulty. A game must pose a challenge to be interesting but avoid being too hard and thus frustrating. Guess why so many games come with some concept of levels of difficulty?

The learnable part is game mechanics. Game mechanics is about the building blocks of a game, design patterns for artificial tasks and challenges that engage the player. The SCVNGR Game Dynamics Playdeck documents 47 such patterns. Their use is not limited to recreational games. Applications and Web sites may employ some of the elements, and con artists and social engineers are exploiting some very similar strategies to trick people into compliance.

Jonglieren für Nerds

Schon wieder ein Sommer vorbei: Zeit für die MRMCD 1001b am Wochenende. Zusammen mit Jan (Evil Jan, um genau zu sein) werde ich dort am Samstag um 15 Uhr einen Workshop Jonglieren für Nerds geben. Wenn ein Geek Point auf der EJC funktioniert, klappt das ja vielleicht auch andersrum. Wir werden die Siteswap-Notation für elementare Jongliermuster einführen. Damit kann man Software füttern, die das spezifizierte Muster vorjongliert – oder ohne lange Vorübungen auf dem Tisch jonglieren:

Die Préchac-Transformation macht aus diesen einfachen Siteswaps Passing-Muster für mehrere (Tisch-)Jongleure. Treffen Tischjonglage und ein Passingmustergenerator aufeinander, kommt so etwas heraus:

Mitjongleure findet Ihr hinterher hier.