EricR23's comments

EricR23 | 13 years ago | on: Have you ever chatted with a hacker within a virus?

The Steve Gibson story was really interesting. He's a really cool guy, too. My botnet adventures happened around the same time as his, and I too was DDoS'd. We even exchanged a few e-mails about botnets and the script kiddie culture. Those were fun times.

EricR23 | 13 years ago | on: Have you ever chatted with a hacker within a virus?

When I was a teenager I found it fun to intentionally infect myself with malware and try to study it. I now realize this wasn't the most responsible thing to do, as I wasn't in a sandboxed environment, but it was a great learning experience and taught me a lot about networking and security.

One of the biggest malwares I ever managed to infect myself with was a bot, which caused my computer to become a zombie on a ~10K botnet. I spent hours running a packet sniffer and seeing how the client interacted with the IRC network it called home to. Upon connecting to the privately run IRC network, the bot would authenticate with a user and pass. I assume it created one upon connecting the first time to the network. My best guess as to why this is is so that the bot master could track the total number of zombies and compare it to how many were actively connected to the botnet. Kind of a clever way to get metrics, now that I think about it.

When I temporarily stopped the bot from connecting to IRC, I decided it might be fun to log in as the bot and join the channel I saw it connecting to. Upon joining the channel, I saw thousands of other users on the channel. I spent a couple of days sitting there, masquerading myself as a bot, and watching the botmaster interact with the bots. The botmaster would issue commands that I can't really recall anymore, but I do remember seeing a lot of commands that I assumed told the bots to download extra malware from a remote host. I remember seeing URLs for zip and exe files.

Eventually I got a little bored of this, so I decided to message the botmaster. It was easy to spot him; out of the three ops on the channel, he was the only full op. I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network.

The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests. I had pissed off the botmaster by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a small number of the bots to do this. It wouldn't take many... I imagine back then, given my bandwidth, 10-15 would have done it.

Fun times. I remember posting about my botnet adventures to Security Focus way back when. Some people got really interested and followed my posts, while other professionals asked me to stop because I wasn't running a sandbox.

IMO, those were different times. I'm not sure I'd recommend something like this these days. After hearing about certain botnets being tied to various mafias and gangs around the world (which is probably more common than you think. See http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...), I'm not sure I'd really want to risk interfering with their activities.

EricR23 | 14 years ago | on: Barack Obama Directs All Federal Agencies to Have an API

This reminds me of the push here in NYC for all of the city agencies to open their data via an API. It's gotten better over time, but when the initiative first took flight, it was terrible. Some of the APIs flat out did not work, and the ones that did often returned all sorts of malformed, non-normalized data. It was a nightmare to work with. I'm curious if the government can do better.

EricR23 | 14 years ago | on: Ask HN: Review my startup - GiftBait.com

Personally, I wouldn't want to use this. The whole idea of my friends submitting gift ideas to me feels like I'm asking for a little much. It feels unfair. I'd rather my friends get me whatever they feel is right without my say; this way it's a real gift.