The Good, The Bad, and the Insecure

Two years ago I decided to get a personal site. I was after two things: flexibility and low cost. I didn’t want to get a VPS but I also didn’t want the hosting packages of one domain and 350MB of space. So I found IPage.com a shared hosting provider that was giving me unlimited hosted sites, unlimited databases, unlimited bandwidth and unlimited disk space for about 35 euros for a year… that in my book was a great deal! So I went ahead and bought it. In that year I was generally happy with them. My pages where occasionally a bit slow but still fast enough for my sites’ needs. The problem was that the 35 euro price was an introductory price and the next year IPage asked me for triple that amount… Since I didn’t feel like that was a good thing (now that you are a customer we’ll suck you dry) I decided to look elsewhere. A colleague at work recommended Bluehost.com. Bluehost offered me the same things as IPage plus SSH access for about 50 euros per year. I went for that and I was quite happy…. until this week… Continue reading →

Stored XSS on popular Web statistics framework Statcounter. Log yourselves out of Statcounter and if possible disable JavaScript for the domain (possible in Chrome, not sure about Firefox)…  Will give more details when Statcounter fixes it. The only reason I am saying it here is because my Statcounter logs just started popping alert boxes!

Joke I just made up:

What do you call a woman who first says to you “I love you” but ten minutes later she adds “I actually don’t, but don’t feel bad because I say that to all men”?

Continue reading →

Since the beginning of October I’ve been following the online AI course from Standford, taught by Sebastian Thrun and Peter Norvig. In the last two months, I’ve given up a great part of my free time to look at videos, do quizzes, read clarifications on the AI page on Reddit and complete assignments. I will not say it was not worth it. It definitely was. I’ve
learned so much and I already have ideas on how to use Artificial Intelligence (specifically Machine Learning) in my own field (Computer Security).

Last night, I noticed a link on the course website that lead me to a YouTube video
of the latest Google+ Hangout where two AI professors, along with Sal Khan, the founder
of Khan Academy and a handful of students from some universities in the US where talking about the future of education and how these new ways of teaching are “reinventing education”.

I was listening to their  discussion when the following comment by Prof. Thrun really jumped out of the page and hit me on the head…

Continue reading →

You have to love phpinfo() . This simple PHP function prints out a truck-load of information regarding all kinds of configuration details of your Apache + PHP installation. It is very helpful to a Web administrator who is trying to debug his installations and also very “helpful” to attackers who can get a quite good peak of what
goes on inside your installation, such as:

• PHP Version running on the machine (cough*exploits*cough)
• Operating System
• Paths to your Web applications
• All modules installed
• …

Continue reading →

While I was in Eindhoven for OWASP BeNeLux 2010 I was at some point searching online for WikiLeaks posts regarding greek politics. I was checking the results from the first page of Google when suddenly this caught my eye:

Continue reading →