PaulDotCom mailing list archives
party trick to shut up the non-believers
From: mike at snowcrash.ca (Mike Patterson)
Date: Tue, 04 May 2010 16:42:17 -0400
You're not worried that the first time something went wrong on their machine afterwards, you'd get the blame? I'm very careful about putting myself into positions where it's implied I might have *any* responsibility whatsoever for somebody's malware-laden $500 300 pound HP piece of junk. "Showed them MiTM" is a pretty strong implication to some folks - I'd guess the same sorts who have the temerity to suggest you need to prove your knowledge to them at a party. Mike On 2010/05/04 4:19 PM, Chris Blazek wrote:
To try and convince my wife to be very careful of public networks I did a little arp poison and cranked up webspy. I had her go into the other room and pull up whatever website she wanted and then come and look at what I had on my laptop. :) I have folks telling me I'm just paranoid and overreacting. When I show them a little mitm attack, they all see my point. Another fun thing to do is load beef into a crafted web page. Have someone visit it and use one of the tools in the framework. :) On Tue, May 4, 2010 at 12:37 PM, Robin Wood <robin at digininja.org> wrote:On 4 May 2010 18:36, Larry Pesce <larry at pauldotcom.com> wrote:He is, and I know of....I mean Bob knows of a setup similar to this. I'll see if I can get Bob to share his properly sanitized Asterisk config to do so.That would be good.- L On 5/4/10 10:45 AM, Chris Clymer wrote:Im assuming Mick is referring to Asterisk ------------------------- securityjustice.com <http://securityjustice.com> | <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> On May 3, 2010, at 11:37 PM, Michael McGrew <mmcgrew1 at mail.csuchico.edu <mailto:mmcgrew1 at mail.csuchico.edu>> wrote:Michael, I remember hearing about that software on a PDC episode. It has a name, do you know what that is? It was either the name of the software or they just gave the "attack" a catchy name. Thank you On Mon, May 3, 2010 at 7:00 PM, Michael Douglas < <mailto:mick at pauldotcom.com>mick at pauldotcom.com <mailto:mick at pauldotcom.com>> wrote: I got a little late to the party... this is *not* a hack, but itshutseveryone the hell up because it scares them. And I've never hadanyfollow up questions Here's what you do. It costs a few dollars (pounds in your case right?), but it's so worth it. ssh into a server that's runningsomeform of VoIP software. (skype can work for you i suppose, but Idon'tknow CLI for skype) Setup a call group that has the phone numberof agood amount of people at the party... the more numbers you have,thebetter. Have the VoIP software call the group all at once (the PCtophone rate is where you have to spend $) ... all phones ring at the same time. Even stranger, when they answer the call, they are all talking to each other. Warning: the effect is highly creepy. I thought folks would think it was funny (cause it is!) but it really freaked everyone out. That said, I tend to laugh off the "prove it" requests, unless it's some hot girl... in which case I wake up from my pleasant dream and remember there are no parties where hot ladies are asking anyone to show 1337 skills. ;-) - Mick On Mon, May 3, 2010 at 5:27 PM, Robin Wood < <mailto:robin at digininja.org>robin at digininja.org <mailto:robin at digininja.org>> wrote: > Thanks for all the suggestions, I think I like this one the best,I> might set something up on a site so I can access it from my phone. Tie > this with an SMS service I've got that lets me specify the sender > number I could have some fun. Email and SMS the person fromsomeone> else in the room. > > Robin > > On 3 May 2010 20:55, Andrew Ellis < <mailto:only.samurai at gmail.com>only.samurai at gmail.com <mailto:only.samurai at gmail.com>> wrote: >> A trick I've used for a while is keeping a protected emailspoofing>> form on my web server. That way when I'm asked to "demo" my skills, I >> can simply send the person an email from theirself or the like. >> >> This has the advantage of looking pretty cool to laymen and, as far as >> I know, isn't illegal. >> >> It's definitely not a "1337 hack" but it's a nice way to showthe>> types of things that can be done without getting in too much trouble. >> >> -Andrew >> >> On 5/3/10, Chris Clymer < <mailto:cclymer at gmail.com>cclymer at gmail.com <mailto:cclymer at gmail.com>> wrote: >>> Rather than a live demo, better tactic might be telling a story about >>> a vulnerability in joe sixpack terms. The pizza coupon thing >>> (dominos?) a few months back is a good example. >>> >>> I see a lot of downsides to letting folks at a party pressure you into >>> a live demo. You are basically allowing strangers to SE you. If you >>> show a successful demo, you just know the next question will come: so >>> can you hack into so-and-so's facebook account? ;) >>> >>> When you consider the potential for demo fail too, this is really a >>> lose/lose situation :( >>> >>> ------------------------- >>> <http://securityjustice.com>securityjustice.com <http://securityjustice.com> | <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >>> >>> >>> On May 3, 2010, at 11:54 AM, Robin Wood < <mailto:robin at digininja.org>robin at digininja.org <mailto:robin at digininja.org>> wrote: >>> >>>> Hi >>>> At a party the other day I was asked the normal question of what do I >>>> do for a living. I said security and kept it a bit vague butwas>>>> pressed so explained what pen-testing is and roughly what I do. I then >>>> got the challenge, prove it, prove you can hack a company. >>>> >>>> People would say to a dentist, prove you can do a filling but this >>>> person insisted they wanted a demo. I explained the legalities and >>>> finally fobbed them off and got away but it got me thinking,has>>>> anyone got any good party tricks that they can pull in this kind of >>>> situation that give an instant wow but are easy to do and legal? Not >>>> quite legal but I was thinking if I knew any big sites withXSS I>>>> could rewrite but none came to mind at that time. >>>> >>>> Robin >>>> ______________________________________________________________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- party trick to shut up the non-believers, (continued)
- party trick to shut up the non-believers Chris Clymer (May 03)
- party trick to shut up the non-believers Andrew Ellis (May 03)
- party trick to shut up the non-believers Robin Wood (May 03)
- party trick to shut up the non-believers Tim Krabec (May 03)
- party trick to shut up the non-believers Michael Douglas (May 03)
- party trick to shut up the non-believers Michael McGrew (May 03)
- party trick to shut up the non-believers Chris Clymer (May 04)
- party trick to shut up the non-believers Larry Pesce (May 04)
- party trick to shut up the non-believers Robin Wood (May 04)
- party trick to shut up the non-believers Chris Blazek (May 04)
- party trick to shut up the non-believers Mike Patterson (May 04)
- party trick to shut up the non-believers Craig Freyman (May 04)
- party trick to shut up the non-believers Rob Fuller (May 04)
- party trick to shut up the non-believers Bugbear (May 05)
- party trick to shut up the non-believers Robin Wood (May 05)
- party trick to shut up the non-believers Robert McGrew (May 05)
- party trick to shut up the non-believers d4ncingd4n at gmail.com (May 05)
- party trick to shut up the non-believers Andrew Ellis (May 03)
- party trick to shut up the non-believers Chris Clymer (May 03)
- party trick to shut up the non-believers John Strand (May 05)
- party trick to shut up the non-believers Robin Wood (May 04)
- party trick to shut up the non-believers John Strand (May 03)