Finals ENDED!

Finals are finally over, such a big relief for me.
Everyone here is waiting for Christmas. My uni's decorations are definitely fantastic. See this.


One day when I woke up and needed to settle my car insurance stuff, I realized that it was snowing outside. Managed to capture the remaining snow on my car's mirror before it melted. First time to touch and see REAL snow, really excited after all.


So I started to try on my winter wear and the sad thing was I found that they are oversized. Before I came here I was so fat and now I have slimmed down, so all the winter apparel I brought from Malaysia is too big for me. Anyway I don't plan to buy new ones because all of these cost me thousands.. Still looks OK right? aha.


Then one day when I was cooking, my finger got burnt again! YES, AGAIN! This time more serious, burnt by hot oil. Aww, so painful during the first few days...


Randomly went to IHOP to have breakfast together with Sze Yi. The most expensive breakfast set I have had in my entire life, $27 for the set = RM85, just for breakfast. I just convinced myself not to care about it. My heart hurt when the bill came. Anyway, just for a first try. The orange juice was so fresh anyway.


We left this amount of money inside the car in an envelope, how careless was that. And we normally do not lock the car here since no one will steal your car, unlike Malaysia. Luckily really no one took the money. There was $3000 in total! = RM9k+ ?? It really shocked me when Sze Yi told me he had left the money in the car. ==


Went to Oklahoma City Community College to attend a talk and unfortunately the car broke down on the highway. Then we waited beside the highway for like 1 hour until a police officer passed by and helped us out. I really respect the police here for their responsibility and attitude. We were late for the talk, but the professor didn't blame us anyway. Fuh, the outerwear of that day. My sweater is so long that it kept making me think I was not wearing pants that day. :( Love my new dark blue flats.


Random photos of FOOD.
Single cheese bacon with fries at Steak 'n Shake.

Sweet and Sour chicken rice box at Tao Cafe.

Self-cooked Spaghetti.

Got a new wooden bed frame for myself! I was as happy as a kid when the bed frame arrived, just after my last final paper.


What to do after finals? DRINK of course. Went to the cottages and joined a bunch of really awesome friends to chill out.

ME with a tired face after finals.


The shots!

And I got high, didn't get drunk though. I can still remember what happened. But I vomited 3 times, really lousy and embarrassing. Thanks to those who took care of me last night. THANKS!

My red face; the headache had started by then.


Lastly, as usual.. My babe photo is a MUST!
Babe was enjoying her massage.


Her super round face really kills me.


Till then. Will update after Christmas. I am going up to Wichita to meet Zhi Yang & Niza, then heading down to Dallas, Texas to spend my Christmas. It is really sad when I think back to last year, when I was admitted to hospital and spent my Christmas there. Time passes really fast; 1 year is gone and I have already been here for 4 months. Life is short; whatever you want to do, go and do it.

Short takes

During my blog absence, I've been studying, designing, and implementing a style of programming I call temporal programming. It is useful for, among other things, implementing smart contracts. Meanwhile, I encourage readers interested in programming to check out Node.js. Temporal programming starts with event-oriented programming and takes it further. Temporal programming will give us control over when our instructions get executed: the plodding do this, then that, then the other, as if machine activities are only supposed to happen in one big long sequence and merely output some big long tape, will be relegated to secondary status. More to come.

--------

Is Netflix management really stupid? To summarize Megan McCardle, no: under copyright law, DVDs are covered by the first sale rule -- once you buy a DVD, you can't make a copy, but you can sell, rent or give away the DVD itself. Streaming, on the other hand, essentially involves making a copy, and you can't do it legally without the copyright owner's permission. So to stream the most demanded content, you usually need the permission of owners, and thus have to pay what they demand.

It thus makes complete sense that Netflix has to charge high prices for streaming -- because for the kind of content they want to stream (i.e. the copyrights that are so valuable that their owners bother to prevent the content from being distributed on YouTube), content owners are demanding revenues similar to what they are accustomed to via cable.

I'd add that the first sale rule also explains why Netflix, contrary to its name, originally succeeded in out-competing a gaggle of Internet video streaming companies by the stone-age method of shipping DVDs by mail. The main thing Netflix may have done wrong was, after succeeding in pivoting from Internet streaming to mailing DVDs, going back to their original goal in a way that set false expectations about prices (i.e. that streaming prices would be closer to DVD rental prices than to cable TV). Probably what happened is that Netflix CEO Reed Hastings thought he could use his mail-order rental business as leverage to negotiate lower prices with copyright owners, but this strategy did not succeed.

It also makes sense that Netflix (and their streaming competitors) lack licensed content due to copyright owners' long-standing aversion to Internet streaming. All this was happening to Netflix's video-streaming competitors long before Netflix's much more recent emphasis on that business. Netflix apparently hasn't, after all, solved the institutional problem that their DVD-shipping model worked around.

---------

Bit gold and I make brief appearances in Wired's Bitcoin article.

---------

Water remains fun. Digital fountains show how precisely drops can be located and timed:





This one is a bit different, drops fall with uniform regularity but are used to display light:

SET (Social-Engineer Toolkit) and Metasploit

The post records only the menu choices typed into SET, one per prompt:

    type: 2
    type: 3
    type: 2

and hit enter. In the SET menus of that era, 2 / 3 / 2 is Website Attack Vectors, Credential Harvester Attack Method, Site Cloner; the numbering changes between SET versions, so read each menu rather than typing the numbers blind. There you go: to make the phishing page reachable from outside you need to forward your IP (port-forward to the machine running SET), and your fake page is ready.

That's it, you've got the password: the harvester logs whatever credentials are posted to the cloned form.




METASPLOIT EMAIL HARVESTING

In this tutorial I will show you how to use Metasploit to get a list of email addresses for a domain.

Open a terminal and type:

    msfconsole

Next step: search for the module by typing

    search gather

You will find many modules. The one we are going to use is

    auxiliary/gather/search_email_collector

Note that this is an auxiliary module, not an exploit: it queries public search engines for addresses at the target domain, so nothing is sent to the target itself.

Next step: select the module by typing

    use auxiliary/gather/search_email_collector

Next step: configure the module to suit us, e.g. set the domain by typing the following (you can view the available options, including OUTFILE for saving the results, by typing show options):

    set DOMAIN site.com

Next step: after setting the domain, run the collector by typing

    run

Next step: the collector will now collect the emails from Google, Bing and Yahoo.

Next step: BOOM, you've got the list.

Hope you like this tutorial. Please comment and reply. You can copy-paste it; if possible, give credit.
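What the collector does once the search-engine result pages are in hand, as an added example that is not code from the original post or from Metasploit: pull addresses out of result HTML, undo the common entity obfuscations of "@", keep only the target domain and its subdomains, and de-duplicate. The domain matches the tutorial's placeholder; the result pages are constructed sample input, so this runs offline.

```javascript
// Added example, not code from the original post or from Metasploit. It shows the
// extraction step of search_email_collector: addresses are regex-matched out of
// search-result HTML, filtered to the target domain, and de-duplicated.
// The pages below are constructed sample input; no network access is made.

const TARGET_DOMAIN = 'site.com'; // assumed, matching the tutorial's placeholder

// Constructed search-result snippets carrying the noise real pages have:
// HTML entities for '@', mailto: links, look-alike domains, duplicates.
const SAMPLE_PAGES = [
  '<p>Contact: <a href="mailto:Alice.Smith@site.com">Alice</a> or bob&#64;site.com</p>',
  '<div>press@mail.site.com, jobs&#x40;site.com; unrelated: admin@site.commerce.org</div>',
  '<span>BOB@SITE.COM</span> <span>eve@othersite.com</span> <span>x@notsite.com</span>',
];

// Undo the '@' encodings that search snippets commonly contain.
function decodeAt(html) {
  return html.replace(/&#64;|&#x40;|&commat;/gi, '@');
}

// Extract addresses belonging to `domain` or any of its subdomains, lower-cased
// and de-duplicated, in sorted order.
function collectEmails(domain, pages) {
  const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  // local-part '@' optional-subdomains domain, not followed by more domain text
  // (rejects site.commerce.org and site.com.au, accepts a sentence-ending dot)
  const re = new RegExp(
    '[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\\.)*' + escaped + '(?![A-Z0-9-]|\\.[A-Z0-9])',
    'gi'
  );
  const found = new Set();
  for (const page of pages) {
    for (const match of decodeAt(page).match(re) || []) found.add(match.toLowerCase());
  }
  return [...found].sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(collectEmails(TARGET_DOMAIN, SAMPLE_PAGES).join('\n'));
}
```

Run it with node and it prints the four addresses that survive the filter; the look-alike domains and the duplicate in a different case are dropped. The real module adds the fetching of the search pages in front of this step.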

Node.JS Security - the good, bad and ugly

At the moment the dev world is raving about Node and server-side JavaScript (and databases like MongoDB and the like). There hasn't been a better time for front-end and JS developers. At first look it appears great, promising and exciting.

On the down side, as with most emerging technologies, there isn't enough security analysis, consideration and advisory to reference for understanding the gotchas of server-side JS. Nothing wrong with that: it's features, coolness and innovation that bring business, not security (history and economics are testimony).

In this post I will share my security viewpoint as I see it. This could be an ever-growing list; there is no early end to the kinds of things you can achieve with server-side JavaScript.

Let's start with the good things. Node inherently introduces a great security benefit over traditional server-side programming paradigms, and that is "secure by default" (reminds me of my NetBSD days). As highlighted in white below, you create your web server yourself: a bare-bones one, not a full-blown server with bells and whistles like Apache.

[screenshot: a bare-bones Node web server]

And then you pick and choose what you want, like defining what your doc root will have, unlike anything and everything in a traditional web doc root. As highlighted in yellow below, that is all your web server will respond to for requests. The rest needs to be caught by a 404.

[screenshot: explicit routes, everything else answered with a 404]
Summarizing: your web server is neither configured for nor capable of more than what you want it to be, unlike Apache, Tomcat or IIS. I recall countless Tomcat compromises due to the default admin and manager apps that come installed and running with default passwords, and IIS being exploited through the WebDAV buffer overflow when the web app never needed WebDAV in the first place. Web servers typically gave a false sense of security, with developers assuming them to be secure. And we all know: more features, bigger attack surface; bigger attack surface, more chances of things going wrong. And something that can go wrong will go wrong!

On the flip side, the bad parts. Node carries over the known dangerous JavaScript APIs such as eval, which can be trivially exploited for server-side injection (what were earlier only client-side exploits like XSS).

Let's look at a PoC where the app evaluates the input and returns the output, like below.

[screenshot: a handler that passes request input to eval]

Abusing eval on the client side would result in XSS, but on the server side it induces a server-side injection akin to SQL injection, as seen below where we inject an HTTP response.

[screenshot: injected input]

The screenshot below highlights execution of the server-side injection.

[screenshot: the injected response returned by the server]

To the best of my knowledge, this issue was first brought to notice in the context of Node by Bryan Sullivan at Black Hat. Not a brand new exploit; we know eval is evil. What is worth noting is that most developers wouldn't imagine this happening at first. From that perspective this server-side exploit vector is novel.
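The eval problem above, as an added example that is not code from the original post: a calculator endpoint built on eval() beside one built on a small grammar that admits only arithmetic. The injected payload writes a marker onto globalThis instead of the HTTP response the post's screenshot shows, so the effect is visible without a running server; the function names are this example's own.

```javascript
// Added example, not code from the original post. A calculator endpoint built on
// eval() beside one built on a grammar that admits only arithmetic. Function names
// are this example's own.

// Vulnerable: the request parameter is executed as server-side JavaScript with the
// full authority of the application (filesystem, network, process control).
function vulnerableCalc(expr) {
  return eval(expr);
}

// Hardened: a recursive-descent parser for decimal numbers, + - * / and parentheses.
// The input is never handed to the JavaScript engine, so "1;process.exit()" or
// "globalThis.x = 1" is rejected instead of interpreted.
function safeCalc(expr) {
  const s = String(expr).replace(/\s+/g, '');
  let pos = 0;
  const peek = () => s[pos];
  const fail = () => { throw new SyntaxError('invalid expression at offset ' + pos); };

  function number() {
    const m = /^\d+(?:\.\d+)?/.exec(s.slice(pos));
    if (!m) fail();
    pos += m[0].length;
    return parseFloat(m[0]);
  }
  function factor() {            // factor := '(' expression ')' | '-' factor | number
    if (peek() === '(') {
      pos++;
      const v = expression();
      if (peek() !== ')') fail();
      pos++;
      return v;
    }
    if (peek() === '-') { pos++; return -factor(); }
    return number();
  }
  function term() {              // term := factor (('*' | '/') factor)*
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = s[pos++];
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expression() {        // expression := term (('+' | '-') term)*
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = s[pos++];
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }

  const result = expression();
  if (pos !== s.length) fail();  // trailing input such as ";process.exit()"
  return result;
}
```

With vulnerableCalc, the string "globalThis.pwned = 1; 6*7" returns 42 and leaves the marker behind, which is exactly the foothold the injected HTTP response in the screenshots uses. safeCalc throws on the same input. Where the input is data rather than an expression, JSON.parse is the right tool; the vm module's contexts are not a security boundary and are no substitute for refusing to evaluate input at all.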

What do I see as ugly? The ugly parts are the ones that introduce new attack vectors; ideally there should have been default protection built in. The event-driven, single-threaded programming model is not what web developers are used to. Node is single-threaded, and a simple error can create a denial-of-service condition, as highlighted in the screenshot below: an exception that escapes a request handler is uncaught, the process exits, and every connection it was serving goes with it.

[screenshot: a form whose input triggers an error in the handler]

As highlighted, hitting submit crashes the Node server.

[screenshot: the Node process terminated by the uncaught exception]

A similar DoS condition results from messing with global variables, intentionally or unintentionally. The above scenarios are quite likely, considering JS developers are used to errors: I see thousands of live sites day in and day out with a number of errors showing up in the Firebug console that run absolutely fine, which will not be the case once you go server side.

Another ugly part is that web developers are not used to service permissioning. Having outsourced it to Apache/IIS, where the worker earlier ran as nobody, they would now end up running their Node services as root, typically because the service needs to bind port 80 or 443 and nobody drops the privilege afterwards.
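The three points above in one place: the explicit route allowlist with a 404 for everything else from the "secure by default" section, containment of handler errors so one bad request cannot take the single-threaded process down, and dropping root after the privileged bind. This is an added example, not the post's own code or the code in its screenshots; the port, the nobody/nogroup account names and the route table are assumptions for illustration.

```javascript
// Added example (not the original post's code). A minimal Node HTTP service that
// answers only an explicit allowlist of routes, contains handler errors so one bad
// request cannot take the single-threaded process down, and drops root after the
// privileged bind. Port, account names and routes are assumptions for illustration.

const ROUTES = {
  'GET /': () => ({ status: 200, body: 'hello\n' }),
  'GET /health': () => ({ status: 200, body: 'ok\n' }),
  'POST /echo': (body) => {
    const data = JSON.parse(body); // throws SyntaxError on malformed input
    if (typeof data.msg !== 'string') throw new TypeError('msg must be a string');
    return { status: 200, body: data.msg + '\n' };
  },
};

// Exact-match lookup: the query string is dropped, nothing is normalised, and
// any path not in the table is refused, so "/../etc/passwd" is simply absent.
function route(method, url) {
  return ROUTES[method + ' ' + url.split('?')[0]] || null;
}

// Before: an exception thrown here escapes the 'request' listener. Node has no
// other thread to fall back on, so the process exits and every in-flight
// connection is dropped; that is the crash the post's screenshot shows.
function dispatchUnsafe(method, url, body = '') {
  const handler = route(method, url);
  if (!handler) return { status: 404, body: 'not found\n' };
  return handler(body);
}

// After: the failure is confined to the request that caused it.
function dispatch(method, url, body = '') {
  const handler = route(method, url);
  if (!handler) return { status: 404, body: 'not found\n' };
  try {
    return handler(body);
  } catch (err) {
    if (err instanceof SyntaxError || err instanceof TypeError) {
      return { status: 400, body: 'bad request\n' };
    }
    return { status: 500, body: 'internal error\n' }; // never echo err.message to the client
  }
}

function requestListener(req, res) {
  const chunks = [];
  req.on('data', (chunk) => chunks.push(chunk));
  req.on('error', () => res.destroy());
  req.on('end', () => {
    const out = dispatch(req.method, req.url, Buffer.concat(chunks).toString('utf8'));
    res.writeHead(out.status, { 'Content-Type': 'text/plain' });
    res.end(out.body);
  });
}

// Give up root once the socket is bound. Order matters: supplementary groups and
// the gid go first, because an unprivileged uid can no longer change them.
function dropPrivileges(user, group) {
  if (typeof process.setuid !== 'function') return false; // not a POSIX platform
  if (process.getuid() !== 0) return false;              // nothing to drop
  process.setgroups([]);
  process.setgid(group);
  process.setuid(user);
  return process.getuid() !== 0;
}

// Start only when asked, e.g.  sudo LISTEN_PORT=80 node server.js
if (process.env.LISTEN_PORT) {
  const http = require('http');
  http.createServer(requestListener).listen(Number(process.env.LISTEN_PORT), () => {
    const dropped = dropPrivileges('nobody', 'nogroup'); // assumed account names
    console.log('listening on', process.env.LISTEN_PORT, 'privileges dropped:', dropped);
  });
}
```

dispatchUnsafe and dispatch differ only in the try/catch, which is the whole difference between a 400 for one client and a dead process for all of them. The privilege drop covers only what this process does; file ownership, the working directory and anything the code opened before the drop still need to be checked separately.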

A 1000-foot, apples-to-apples comparison between, say, PHP and Node tells me it took a step back in security. At the least you would expect a sanitization/validation library for a new platform, if not a fancy auto-sanitization module like PHP's Filter (yes, Filter isn't complete auto-sanitization in PHP, but you get what I mean).

An honest look, and I feel Node isn't meant to be used as is; with a strong framework is how it should be used. There are many in the fray right now, and Express is probably the most widely used. I haven't tried it yet, but from what I see, security in Node is a work in progress.

Being a Yahoo, how can I end without mentioning Yahoo Cocktails? I haven't played around with it yet, but this is something I have super high hopes for. The engineers I met there are fabulous. Come Q1 2012 it will be there for all of us to play around with. Yahoo is a great company, the best I have worked for; no doubt I would love to see it score high.

Learning more and more about Node, I keep reminding myself: "Node is powerful, and with power comes responsibility".

Back to December


Thanksgiving break has passed, as well as Black Friday.
Hard to believe that I stayed at home playing Tetris from day to night and didn't go out for shopping. Pretty much regret it, as I forgot I still need a pair of sunglasses! Everyone said I should get Ray-Ban, as Ray-Ban FTW! I know it! But I tried a few on and they don't seem to suit me, and that's why I tend to choose Burberry now. I will get it after my finals, definitely.

So, I got my favorite cotton V-neck tee and long sleeve tee from Tommy Hilfiger! I love them so much; they are quite pricey but I don't care, I think they are worth it for the materials.


Random snapshot of my favorite perfume, Anna Sui Flight of Fancy. This is a gift from my best friends, and I don't really use perfume, I just smell it. Kinda weird right, but I will spray some on when I go out for shopping.


And as my previous post said, I bought a Honda Accord. I still like the Acura more, as its 3.6 engine is so powerful when speeding on highways. I guess the Accord is only a 2.4? hmm. Anyway, a quote from Honda: The Power of Dreams.


Food! Randomly went to different places to have nice food! slurrrppp



The people here are so kind and generous? I am not sure, but I just got this wooden, like-NEW study desk for FREE! Yeah, it is free, I didn't pay a cent for it. Freaking happy, and I returned my previous desk, which I had bought for $32. Love this desk so much as it has 2 other spaces for me to put stuff. Thank GOD.


Snapshot of babe & me!


Made a donation at Walmart and wtf, I am so short. == short.........


Lastly, got a Louis Vuitton! This is the most expensive bag I have gotten so far, bloody hell. Anyway, this is a present for my mum, so never mind, as long as my mum likes it.


Will only update after 15 December, the day my finals end.
Need to work my ass off to study now.
I am so lazy.
=___=