party trick to shut up the non-believers

[tkrabec at gmail.com (Tim Krabec)]

I'd set up a Trojan thumb drive to report home to a c&c server. Thn  
you could message the machine to change the background & shutdown

On May 3, 2010, at 5:27 PM, Robin Wood <robin at digininja.org> wrote:

> Thanks for all the suggestions, I think I like this one the best, I
> might set something up on a site so I can access it from my phone. Tie
> this with an SMS service I've got that lets me specify the sender
> number I could have some fun. Email and SMS the person from someone
> else in the room.
>
> Robin
>
> On 3 May 2010 20:55, Andrew Ellis <only.samurai at gmail.com> wrote:
> > A trick I've used for a while is keeping a protected email spoofing
> > form on my web server. That way when I'm asked to "demo" my skills, I
> > can simply send the person an email from theirself or the like.
> >
> > This has the advantage of looking pretty cool to laymen and, as far  
> > as
> > I know, isn't illegal.
> >
> > It's definitely not a "1337 hack" but it's a nice way to show the
> > types of things that can be done without getting in too much trouble.
> >
> > -Andrew
> >
> > On 5/3/10, Chris Clymer <cclymer at gmail.com> wrote:
> > > Rather than a live demo, better tactic might be telling a story  
> > > about
> > > a vulnerability in joe sixpack terms.  The pizza coupon thing
> > > (dominos?) a few months back is a good example.
> > >
> > > I see a lot of downsides to letting folks at a party pressure you  
> > > into
> > > a live demo.  You are basically allowing strangers to SE you.  If  
> > > you
> > > show a successful demo, you just know the next question will come:  
> > > so
> > > can you hack into so-and-so's facebook account? ;)
> > >
> > > When you consider the potential for demo fail too, this is really a
> > > lose/lose situation :(
> > >
> > > -------------------------
> > > securityjustice.com | chrisclymer.com
> > >
> > >
> > > On May 3, 2010, at 11:54 AM, Robin Wood <robin at digininja.org> wrote:
> > >
> > > > Hi
> > > > At a party the other day I was asked the normal question of what  
> > > > do I
> > > > do for a living. I said security and kept it a bit vague but was
> > > > pressed so explained what pen-testing is and roughly what I do. I  
> > > > then
> > > > got the challenge, prove it, prove you can hack a company.
> > > >
> > > > People would say to a dentist, prove you can do a filling but this
> > > > person insisted they wanted a demo. I explained the legalities and
> > > > finally fobbed them off and got away but it got me thinking, has
> > > > anyone got any good party tricks that they can pull in this kind of
> > > > situation that give an instant wow but are easy to do and legal?  
> > > > Not
> > > > quite legal but I was thinking if I knew any big sites with XSS I
> > > > could rewrite but none came to mind at that time.
> > > >
> > > > Robin
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> > --
> > Andrew
> > http://blog.psych0tik.net
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com