To avoid saving the truecrypt password in history files and mounting the Truecrypt partitions on bash the following trick helps:

history -d $((HISTCMD-1)) && sudo truecrypt --mount <PATH_TO_TRUECRYPT_VOL> --non-interactive -p <PASSWORD>

This will avoid saving the password in the .bash_history file and also mount the truecrypt volume from the command line.  Of course, if you use this in a shell script then the shell script will have the password in it, so you must not do that.

Back in the day “recon” had a different meaning than it does today. Today, in the age of cyber-terrorism and cyber-stalking or Google stalking, reconnaissance comes from a variety of different sources including tools such as mash-up applications make things quite palpable for a social engineer. For the purpose of this discussion, let’s consider two entities “stalker” (the person seeking information about “someone”) and the “stalkee” (the “someone” whose information is being sought).
Back in the day (and man I’m only talking about 4-5 years ago!), the only source was public forums where users would post questions using constant email IDs. You would need to scourge through different Usenet groups and that was it…and possibly a Friendster account. Now, people have Facebook profiles which can be publicly viewed. This gives us the information about a person’s friends giving us information about the stalkee’s geographical location and may be even birthday. LinkedIn gives information about the stalkee’s job. You can even confirm the geographical location of the stalkee using LinkedIn. Now you have the name of the person and the geographical location. If you need more information about the person such as his/her age/birthdate, I’ve seen that ZabaSearch is a good resource. You can get a lot of information using ZabaSearch but if the stalkee needs he/she can remove this information using the block feature of Zaba located here. I do not know how they deal with this information but Zaba does have a “premium service” and I do not know if this premium service would give access to these “blocked records”. Now you have the information about the age of the stalkee. You could even search Twitter for the person’s twitter feed to see what the stalkee’s doing. I came across an interesting mashup application that crawls twitter to get information about where a person is and it’s aptly called Please Rob Me!. There are other great tools available such as Loopt and Tripit. Just as Twitter, Google Buzz can also give a lot of information. And the best part about google buzz is things are searchable …cool…the stalker’s job’s now easier.

On the recently concluded PlaidCTF (which was an awesome competition) by PPP there was a problem.  Here it goes:

Question: We managed to get the source code for an encryption service running at 54.234.224.216:4433.

I have listed the python source provided below:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'

def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))

class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break

            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

The key on this challenge is to see that the stream encryption is being done on the compressed input. In the source provided, if the user input is similar to the secret value in the PROBLEM_DATA variable then the zlib.compress() function would show a reduced length ciphertext. This is somewhat (and I use the term loosely) similar to the CRIME vulnerability. The AES Counter mode RFC has the implementation details of the cipher. So I wrote the following script.

import socket
import sys
from itertools import *
import struct
def display(msg,numbytes):
	#print >>sys.stderr, 'received "%s"' % msg
	#print >>sys.stderr, 'bytes "%d"' % numbytes
	print >>sys.stderr, 'bytes %d ' % numbytes + msg.encode('hex')
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = ('54.234.224.216', 4433)
print >>sys.stderr, 'connecting to %s port %s' % server_address
sock.connect(server_address)
#mesage len = 20 lowercase and underscore letters
try:
	amount_received = 0
	nonce = sock.recv(8)
	amount_received += len(nonce)
	# Send data
	#strng = 'crime_some'
	#minciphlen = 1000
	#strng = 'crimes_pays'
	#strng = 'so_'
	#strng = 'crime_some_times_pays'
	#strng = 'somet_'
	strng = 'cr'
	minchar = ''
	ciphlen = 1000
	sampleset = 'hijklmnopqrstuvwxyz_abdefgc'
	#while True:
	strng = strng + minchar	
	minciphlen = ciphlen
	minchar = ''
	for s in map("".join,permutations(sampleset,1)):
		#message = nonce +  (strng + s)*10  #'\x00'*11 + s
		message = strng + s
		datalen = struct.pack('I',len(message))  # datalen = '\xe4\x00\x00\x00'
		sock.sendall(datalen)
		#print >>sys.stderr, 'sending '+ message
		sock.sendall(message)
		#print >>sys.stderr, 'message sent'
		amount_received = 0
		# Look for the response
		data = sock.recv(4)
		amount_received += len(data)
		ciphlen = struct.unpack('I', data)[0]
		#print >>sys.stderr, message + ' ' 
		amount_received = 0
		if ciphlen <= minciphlen:
			minciphlen = ciphlen
			minchar = s
			print str(ciphlen) + ' It is ' + strng + minchar
		data = sock.recv(ciphlen)
		#display(data,ciphlen)		
finally:
    print >>sys.stderr, 'closing socket'
    sock.close()

When you connect to the service it provides you the nonce, so I prepended the nonce to the plaintext. The above script shows the plaintext and the length of the cipher text. To start off with this, you start with a string of length 1, and see which is the smallest length response, that gives your first character. Then in the

strng

variable above, you add that character and run again, and the lowest length ciphertext tells you the next character and so on. I noticed that sometimes the output had a few characters with the lowest length. So I tried each of them and ended up with the following flag:

crime_sometimes_pays 

In the capitalist world, it is said that the companies survive on the hyper-consumerism of the people. The highly competitive economical scenario results in an environment where (as they say) consumer is the winner, but not without a fight.
A few weeks back, my Compaq Presario Laptop 2575us went bad. Well, the laptop is 2 yrs old and it has already been serviced twice so I guess my patience thresholds have diminished over a period of time. But this time around a person with even immense patience could have lost his mind. So here’s what happened. My laptop’s S-video port had been dysfunctional since the time I can recall but I never had so much time to let my laptop go out of my hands. This time when I sent it for repairs my laptop almost disappeared from the face of the earth for almost 25 days. And when they returned it to me to a wrong address I had a premonition of difficult times. The “repaired” laptop even failed to start.
This really infuriated me coz my 25 day wait had gone down the drain. So I called up the customer care and they asked me to ship the laptop to service center yet again. But this time around they wanted me to wait for 3 days before I could FedEx it to them. It was completely unacceptable to me. So I spoke to the supervisor and became as adamant as a stone. I continued to ask him for next day shipping and he continued to repeat that he could not do that. A 2hr45min sparring continued on the phone and it resulted in him being the loser as he disconnected the phone. He kept saying that this discussion is going nowhere as we cannot reach an agreement and I kept insisting that the call had multiple destinations : 1. To the HP supervisors and 2. To the BBB .
This guy called himself Nick and he also refused to give me his employee number. I knew very well (because of past experience that Compaq uses words like “You have no proof for your requests” etc.) so this time I needed some real strong evidence of my conversation. So I requested the permission from this Nick guy to allow me to record the conversation. I think this made him a little wary of my intentions. But still he did not give me his details. I think he was really scared because he felt that my wrath could result in him facing the music from his bosses in Palo Alto, CA. There were a few interesting discussions, for example, he said “I am Nick and you can identify me with this name alone.” to which I retorted by saying “Well…I know that Nick is a common name in U.S and you guys might as well redirect my call to NY Knicks judging by the way things are going.”.
So the next day I called up the HP Customer Care Service Manager’s Line at 1-877-917-4380 , code 94 option 1. This time I spoke to a guy called Douglas Gilmore who was equally tough with me (if not more). He refused to acknowledge any of my concerns initially. But later as the conversation progressed, it went on from being just a plain discussion to a heated argument. However, I did not utter even a single foul word because I knew that he could use my language as a pretext to disconnect my call which I was not willing to risk at all. So throughout the discussion I kept my head cool and tried to explain the things to him. But after going through the history of the whole thing, he realized that I had suffered a lot because of this laptop and that the attitude of the Customer care was rather cold. So he finally agreed to give me a replacement after much requests. This was probably my best argument till date and I think that it was some good thinking on my part as well as some codial behavior on the part of the managers that I could get what I truly deserved: a replacement to my defective laptop.
-Rajat.
Japanese art forms

Copy paste the text shown below into a file called madwifing-r3876.patch.

--- madwifi/ath/if_ath.c  2008-11-07 01:05:07.000000000 -0500
+++ madwifi-patched/ath/if_ath.c   2008-11-06 17:56:59.000000000 -0500
@@ -3000,6 +3000,7 @@
 ath_tx_startraw(struct net_device *dev, struct ath_buf *bf, struct sk_buff *skb)
 {
        struct ath_softc *sc = dev->priv;
+       struct ieee80211com *ic = &sc->sc_ic;
        struct ath_hal *ah = sc->sc_ah;
        struct ieee80211_phy_params *ph = &(SKB_CB(skb)->phy);
        const HAL_RATE_TABLE *rt;
@@ -3012,7 +3013,8 @@
        struct ieee80211_frame *wh;

        wh = (struct ieee80211_frame *)skb->data;
-       try0 = ph->try[0];
+       //try0 = ph->try[0];
+        try0 = (ic->ic_opmode == IEEE80211_M_MONITOR) ? 1 : ph->try[0];
        rt = sc->sc_currates;
        txrate = dot11_to_ratecode(sc, rt, ph->rate[0]);
        power = ph->power > 60 ? 60 : ph->power;
@@ -3036,7 +3038,8 @@
        rt = sc->sc_currates;
        KASSERT(rt != NULL, ("no rate table, mode %u", sc->sc_curmode));

-       if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
+       //if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
+        if (IEEE80211_IS_MULTICAST(wh->i_addr1) || ((ic->ic_opmode == IEEE80211_M_MONITOR) && (skb->data[1]&3) != 0x01) ) {
          flags |= HAL_TXDESC_NOACK;    /* no ack on broad/multicast */
          sc->sc_stats.ast_tx_noack++;
          try0 = 1;

Check out the madwifi driver as follows:

sudo ifconfig ath0 down
sudo ifconfig wifi0 down
svn -r 3876 checkout http://svn.madwifi.org/madwifi/trunk/ madwifi-ng
cd madwifi-ng
patch -Np1 -i ../madwifing-r3876.patch
sudo ./scripts/madwifi-unload
make
sudo make install
sudo depmod -ae
sudo modprobe ath_pci

These instructions are similar to the ones written here (for a different revision):
http://www.aircrack-ng.org/doku.php?id=madwifi-ng

Sometimes simplest of the errors get you bad….and this was one such time.
I was trying to connect to my Oracle XE DB using SQL*Plus but kept getting this errror

connect hr/************
ERROR:
ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist

Turns out I did not start the DB instance.
Start -> All Programs -> Oracle Database 10g Express Edition -> Start Database

If you are a South Indian, have a long name, use lotus notes and want to send encrypted e-mail using Internet Certificates…you may just be out of luck! Why?
Lotus Notes 6 does not support importing of PKCS#12 (.pfx) certificates which have the CN (Customer name), OU (Organization unit), O (Organization), CA (Certificatio Authority) fields together more than 255 characters. Many of my south Indian friends in fact have names that are 40 characters themselves! Alongwith the O, OU and the CA taken together this could easily exceed more than 255 characters. On encountering such a situation, Lotus Notes also gives a friendly error message which my friends may not find quite amusing at that point “Name too long”. Once you encounter this error, you cannot proceed with the import. To work around this see if you can reduce the characters in OU and O fields because your e-mail ID has to match the one in Lotus.
I also found a useless response from IBM to get rid of this problem. Their response was pretty much “learn to deal with it! we won’t correct our stupid software”.
Justin’s written a pretty useful how to on importing S/MIME certificates into Lotus notes.