News


After spending a few days at Shmoocon, I have officially claimed the title Badge Hacker, or maybe ConSocial. The talks were very educational and ranged from “almost hacking your own company” to “0wn1ng a business man every which way”. It was great to see that what is being exposed is actually being used to make change. Deviant (http://deviating.net/lockpicking/topics.html) pointed out that companies such as Master Lock are making changes to their locks after it was exposed how easy it is to bump a lock.

I met up with Johnny Long and we chatted about his new book and how 100% of his proceeds will be going to Africa. We hooked him up with some i-hacked.com swag for his new foundation, Hackers for Charity. I also met up with Muts from offensive-security, who showed off some of his bad ass BackTrack skills. I must thank him for his time and the swag. If you want BackTrack training, offensive-security is the place to go.

Later that night I met up with the podcast crew of hak5. After many “non-alcoholic” (yeah right) drinks, I talked everyone into crashing “katsucon”. For those like myself who have no idea what the hell I am talking about, it’s a con for animation. To make a long evil story short – we got in, we partied like rock stars, and we were amazed at the huge arcade that they had. Props to the DJ of katsucon who mixed in samples of Anonymous. Check back soon for the video of the CON.

For those that have not heard, there is an eBay strike happening. This was the info being passed around the Yahoo groups; I did not write it, but it is very informative about the changes eBay is making and why everyone is upset. It’s important to know about the strike: if you are listing and ending your auctions in the next two weeks you will not get good bids due to this strike. I’ve heard this strike can go on till the end of Feb…

the change - as a “fee reduction”. However, if you read the fine print you’ll find that they are slyly raising Final Value Fees (the fee the seller pays when the item sells at auction) by as much as 66%. The percentage of increase differs by seller because all sellers sell items with different values and the Final Value Fee is based on the dollar amount of the item. So we save a nickel to list an item, but pay 33% more after the auction is over. This first part of the changes, while quite disgusting, IS bearable.

Second, they are removing the ability for sellers to leave feedback for buyers. Now, Ebay has always been successful on the basis of both buyer and seller being able to rate each other based on the success of a single transaction. They are removing this for sellers. This is very scary for the seller population because as sellers, we already are held hostage by what we call “Feedback Extortionist Buyers”. These are the buyers that buy something in an auction and then send an email that says:

“You send me the item free or I will leave you a negative and ruin your Ebay reputation!”

While people like this are quite rare, they do exist. I’ve got over 792 transactions and I’ve come across 4 difficult buyers who, no matter what, I couldn’t please. I managed to scrape by without a negative because they were booted from Ebay, but the point of the matter is that while most buyers are wonderful, these psycho types of buyers DO exist. Now with this new feedback system, ONE rogue buyer (and even my selling competition) could ruin my reputation very easily. Even if I provided a 100% perfect transaction and the item was received the very same day and all was perfect with the world, that one person could ruin me if they wanted to. All they would need to do is buy 5 or 10 items from me and leave five feedbacks separately - because each and every negative will count against the seller. This would mean the end of my store and my business on Ebay over one rogue buyer. Why? Read the next section.

Third, as if one and two weren’t bad enough, if a seller has below a 95% satisfaction rating on Ebay, Ebay will not display your auctions in the search engine. For example, if I sell 20 items one month and 1 of them has a neutral or negative left for it by a buyer (deserved or not), I can no longer list auctions on Ebay and have them be seen in the search engine. Yes, that’s right. I can list, Ebay will take my money, but all of my auctions will be on page 857 of the listing and never be seen by any buyers. So once I get one negative, it is virtually impossible to recover from that by selling additional items because none of my items will be seen to be purchased by another buyer later. It’s a no-win situation for a seller.

Fourth, as if all of this wasn’t the most horrific thing you’ve ever heard, they’re making changes to Pay Pal - which is the method most people use to accept payment over Ebay. From now on, if you have less than 100 feedback and you sell an item, Pay Pal will not give you your money for 21 (TWENTY ONE!) days. Yes, you read that right. Say Susie sells a 50 dollar item and the buyer pays through Pay Pal. Susie is then forced to ship the item FREE without any payment. After 21 days have passed, THEN Pay Pal will forward Susie her money. This, folks, is just horrible. Do you know anywhere else on the planet where you can demand that someone selling you an item give you the item FREE and ship it to you FREE while you hold on to your money for 21 entire days? I sure don’t. On top of this “under 100 feedback” thing, again if I have less than a 95% rating or get one negative or get one neutral - again - Pay Pal will hold my money for 21 days. Imagine how much interest Pay Pal and Ebay will accumulate on billions of dollars being held in 21 day increments - yet another disgusting way for them to squeeze MORE money out of the system.

Fifth, they instituted “Seller Rewards”. Essentially, if you meet certain criteria as a seller you can earn 15% credit on your account. The catch is that you have to sell 1,000 dollars or more on your account every month and have to have a 4.8 rating on all your “stars”. I feel that these guidelines are impossible to reach and that they were designed to be impossible to reach on purpose so that Ebay, yet again, would not have to actually pay out the discounts. To give you an example of how hard these are to reach, out of Ebay’s top 500 Powersellers (the crop on Ebay, who make like $100,000 a month on Ebay) only SEVEN qualify for the 15% discount. SEVEN.

And finally, when all these changes were announced, the Ebay sellers went ballistic. The response from Ebay management? We were told that our complaints and anger and frustration and tears were - and I quote - “NOISE!”. Yes, we are nothing but “noise” to the Ebay management, yet they are making million dollar salaries off of us.

I know I am so mad, myself. I have 100% positive feedback and I’ve completed almost 800 transactions. I’m not a bad seller and I bend over backwards to make a buyer happy. I have a very good record. But ALL THAT HARD WORK and ONE rogue person could ruin it for me. Or even someone who competes against me can very easily get a new nickname, buy stuff from me, leave negs - and take my listings right out of the search engine!! It’s not fair at all. Not to mention, if somehow I do screw up or get a rogue buyer, Pay Pal won’t even let me have my money for 21 days. When you do this type of work full time, that is a terrifying thought.

So I’m here to beg you guys, if possible, and even if you don’t understand all the ins and outs of Ebay and what a seller has to go through to sell on Ebay - PLEASE RESPECT THE STRIKE we are organizing. Please don’t buy or sell on Ebay from Feb 18th through Feb 25th. Please tell your friends and family members to do the same. We know that not everyone can respect it - some people make ends meet by selling on Ebay. But for those of you who can, us sellers would very much appreciate it if you could respect the strike on those days.

Also - if you are an Ebay seller - and you are angry like the rest of us, CNN and FORBES are quite interested in how we feel. Quite a few people, including myself, have flocked to CNN MONEY to get their attention. So far, the comments and anger and speaking out are actually working - the media is starting to pay attention and Ebay has stepped up their marketing tactics. We feel that they’re getting a little worried over all the outrage.


Despite all the talk of various retailers only getting a low supply of Super Smash Bros. Brawl, it seems that the Kyoto Company was still able to pour enough units onto shop shelves to ensure the hotly anticipated Wii fighter would blow away the competition this coming week and become the fastest-selling Wii game so far in Japan. Below are its sales, along with some other new releases, all courtesy of Japanese blogger sinobi (first day numbers are based on Famitsu leaked numbers):

  • Super Smash Bros. Brawl (Wii, Nintendo) - 500,000 (80% sell-through of initial stock)
  • Devil May Cry 4 (PS3, Capcom) - 140,000 (60% sell-through)
  • Haruhi (PS2) - 105,000 [Limited Edition - 80,000 (over 80% sell-through), Normal - 25,000]
  • Tales of Destiny Director’s Cut (PS2, Bandai Namco) - 70,000 (Limited Edition - 60,000, Normal - 10,000; 60% sell-through)
  • Disgaea 3 (PS3, Nippon Ichi) - 40,000 (Limited Edition - 20,000, Normal - 20,000)
  • Devil May Cry 4 (360, Capcom) - 30,000 (60% sell-through)
  • Assassin’s Creed (PS3, Ubisoft) - 20,000
  • Family Ski (Wii, Bandai Namco) - 10,000
  • Houkago no Shounen (NDS) - 4,500
  • Sega Rally REVO (PS3, SEGA) - 2,000
  • Sega Rally REVO (360, SEGA) - 1,600
  • Sega Rally REVO (PSP, SEGA) - 1,000 (Overall 10% of initial stock on all formats sold)
  • Mushishi: Amefuru Sato (NDS) - 1,000

But just how quickly can Nintendo get more stock onto the shelves? When it released NEW Super Mario Bros., the initial stock levels were meant to be lower than expected, around 700,000, but the game ended up selling 900,000 in its first week due to quick re-stocking. Could that be the case here, with the game ending up closer to the million mark by next Wednesday’s Media Create chart update?

I can’t wait for the US release :)

from New York Times Blog

Network-level filtering means your Internet service provider – Comcast, AT&T, EarthLink, or whoever you send that monthly check to – could soon start sniffing your digital packets, looking for material that infringes on someone’s copyright.

“What we are already doing to address piracy hasn’t been working. There’s no secret there,” said James Cicconi, senior vice president, external & legal affairs for AT&T.

Mr. Cicconi said that AT&T has been talking to technology companies, and members of the MPAA and RIAA, for the last six months about implementing digital fingerprinting techniques on the network level.

“We are very interested in a technology based solution and we think a network-based solution is the optimal way to approach this,” he said. “We recognize we are not there yet but there are a lot of promising technologies. But we are having an open discussion with a number of content companies, including NBC Universal, to try to explore various technologies that are out there.”

Internet civil rights organizations oppose network-level filtering, arguing that it amounts to Big Brother monitoring of free speech, and that such filtering could block the use of material that may fall under fair-use legal provisions — uses like parody, which enrich our culture.

If you have AT&T as your ISP (U-verse, everyone?) you need to call them and tell them you will cancel if they begin filtering web traffic — seriously.

from Download Squad

Remember October’s news of Comcast throttling BitTorrent traffic? The debacle not only created a firestorm of bad press for the nation’s largest cable provider but also re-ignited the nationwide debate about Net Neutrality. We had numerous signs that Comcast was inhibiting our use of this legal and legitimate file transfer protocol, but to have the AP catch them red-handed was icing on the cake.

To add to our pleasure, we learned today that the Federal Communications Commission (FCC) has finally taken notice of Comcast’s indiscretion as well. According to FCC Chairman Kevin Martin, a group of consumer advocates and legal scholars have asked the commission to look into Comcast discriminating against specific types of data (read: BitTorrent). The groups have also requested the FCC to fine Comcast $195,000 per affected subscriber. In case you were wondering, at last report, Comcast has 9.1 million subscribers.

We don’t really think Comcast will be forced to fork out the projected $1.77 trillion, but we do hope they get dragged through the mud on this one. They completely disregarded their entire customer base and should receive far more than just bad press as a result of this. If you are a company and you’re going to filter network traffic, be transparent and disclose it up front. If not, be ready to pay up to Mr. Martin.

from New Zealand PC World Magazine

The hacker who posted an exploit last week that threatened a large swath of Hewlett-Packard’s laptop lineup followed up with new attack code that can “brick” nearly every HP laptop.

In a post to the milw0rm.com Web site, a Polish security researcher who used the alias “porkythepig” spelled out a pair of vulnerabilities in an ActiveX control used by HP’s Software Update, the patch management program bundled with virtually every HP- and Compaq-branded laptop.

According to porkythepig’s post, the Software Update bugs let an attacker corrupt Windows’ kernel files, making the laptop unbootable, or, with a little more effort, allow hacks that would result in a PC hijack or malware infection. In either case, a drive-by attack could be conducted by feeding users an e-mail message with a link to a malicious Web site.

“Every HP notebook machine containing the HP Software Updates application is vulnerable,” claimed porkythepig. “It is possible that the vulnerable machine model list disclosed by the vendor as a confirmation to the previous issue concerning HP laptops, [the] HP Info Center case, will be similar in this case.”

Last week, porkythepig disclosed multiple flaws in other software included with HP’s portables. When the company patched the vulnerabilities a day later, it listed 83 affected laptops.

The scenario in which an attacker overwrites the kernel and thus “bricks” the HP or Compaq notebook was out of the ordinary, since most hacks aim to snatch control of the machine or infect it with identity-stealing malware. But the crippling attack, said porkythepig, is actually the simpler of the two. “This attack vector doesn’t require any additional victim social engineering, because the system files are always placed in the predictable locations,” he said.

A drive-by attack that hopes to execute rogue code, however, requires more work. To successfully exploit the ActiveX bug in Software Update and compromise the computer, the hacker needs to know the location of certain files.

The researcher said he had tested the exploit code on Windows 2000, XP, Server 2003 and Vista, and that the vulnerabilities pose a risk to any user with either Internet Explorer 6 (IE6) or IE7 on the PC. Nor will HP be able to use the down-and-dirty fix it deployed last week, said porkythepig. After he revealed several bugs in HP’s Info Center a week ago, HP issued an update that simply disabled the vulnerable software.

“Simple disabling of the vulnerable control by the vendor’s patch, like in the other HP software vulnerability case, HP Info, [could still] result in the machine[’s] software update system [being] compromised, and would leave the user vulnerable to future security issues,” porkythepig said in the milw0rm.com write-up.

HP did not reply to e-mailed requests for confirmation and comment.

from eff.org

San Francisco - In the wake of the detection and reporting of Comcast Corporation’s controversial interference with Internet traffic, the Electronic Frontier Foundation (EFF) has published a comprehensive account of Comcast’s packet-forging activities and has released software and documentation instructing Internet users on how to test for packet forgery or other forms of interference by their own ISPs.


from blog.wired.com

One of the nation’s largest telecommunications companies is using a controversial technique to cripple certain kinds of Internet traffic traveling across its networks, says a new report from the digital rights group the Electronic Frontier Foundation in San Francisco.

“Comcast is essentially deploying against their own customers techniques more typically used by malicious hackers (this is doubtless how Comcast would characterize other parties that forged traffic to make it appear that it came from Comcast or its subscribers,)” write the authors of the new report. “In other words, Comcast is essentially behaving like a telephone operator that interrupts a phone conversation, impersonating the voice of one party to tell the other that this call is over, I’m hanging up.”

The nine-page investigation was conducted by EFF staff technologists Peter Eckersley, Seth Schoen and senior intellectual property attorney Fred von Lohmann.

The investigators say that their tests confirmed an earlier one conducted by the Associated Press that showed that Comcast is interfering with BitTorrent traffic. BitTorrent is a protocol used to efficiently distribute the online transmission of large files, and some entertainment companies have partnered with its creators to distribute its content online.

Comcast has said that it doesn’t block BitTorrent, or any kind of content.


from techcrunch.com

A pact between the French Government, French ISPs and the local music and film industry will see French users who download material from P2P networks losing their internet access.

French internet users will face a three strikes and you’re out policy, according to the NY Times. Users will receive a warning for each illegal download before losing their service on the third infringement.

French president Nicolas Sarkozy endorsed the deal with rhetoric that is bound to win him an Honorary Life Membership of both the RIAA and MPAA: “We run the risk of witnessing a genuine destruction of culture…The Internet must not become a high-tech Far West, a lawless zone where outlaws can pillage works with abandon or, worse, trade in them in total impunity. And on whose backs? On artists’ backs.”

The Far West of where? Perhaps I’m mistaken in believing that the far East (i.e. China) is the global hotbed of Internet piracy… or did he mean the wild west? Lost in translation, perhaps.

An independent authority supervised by a judge will manage the scheme and decide if and when users should lose their internet access.

Not surprisingly, the recording and music industry loves the move, with the head of the IFPI (the international recording industry body) John Kennedy telling the Times that “this is the single most important initiative to help win the war on online piracy that we have seen so far… President Sarkozy has shown leadership and vision. He has recognized the importance that the creative industries play in contemporary western economies.”

from arstechnica.com

Over the weekend, a small storm erupted over new legal language that Verizon Wireless is passing quietly on to its subscribers. It appears as though the cellular provider is changing its terms of service to give the company the right to share sensitive calling data with third parties.

At issue is so-called Customer Proprietary Network Information (CPNI) data. While CPNI data does not include explicit information identifying your name and address or your phone number, it does include data on the calls you make and receive, and the services that you may make use of. This includes information about the features of your phone and its capabilities. The data could easily be mined to see what kinds of businesses you call and how often.

Verizon Wireless has been contacting its customers via snail mail to inform them of their intent to share CPNI data with its “affiliates, agents and parent companies (including Vodafone) and their subsidiaries.” The company says that customers who do not want their CPNI data shared need to call 1-800-333-9956 to “opt-out.” Upon dialing the opt-out number, Verizon customers will be prompted for their phone number, billing ZIP code, and last four digits of their Social Security Numbers (in the case of businesses, their Employer ID numbers). Failure to opt-out will be interpreted by Verizon Wireless as “consent” to the company’s data-sharing practices.

Although the Federal Communications Commission has said that it is very concerned about the protection of CPNI data, and is exploring the possibility of strengthening its rules on the issue, Verizon’s opt-out notice appears to fulfill the Commission’s CPNI disclosure requirements.

The Skydeck company blog was the first to suggest that what Verizon wants to do here is use CPNI data to offer targeted advertising. For its part, Verizon Wireless only says that it hopes to improve its “services,” but gives no concrete examples of what such improvements would look like. Without a doubt, the notice given by the company is extremely vague. Skydeck has a scanned PDF copy available for your perusal.

Verizon Wireless may just be a first mover among other telcos. The race is on in the telecom industry to tap the well of advertising for mobile services, and this opt-out approach is guaranteed to give Verizon a lot of CPNI data to share, an undeniable treasure trove of information for marketers. We don’t envision Verizon selling this data to third parties, using it instead to build its own analytic advertising system to capitalize on the targeting in-house. The company isn’t likely to broadcast such plans until they are very close to fruition, however.

We will update this story when we hear back from Verizon about this new policy. In the meantime, if you’re a VZW customer and don’t want your CPNI data shared, you know the number to call.
