party trick to shut up the non-believers

[mmcgrew1 at mail.csuchico.edu (Michael McGrew)]

Michael,

I remember hearing about that software on a PDC episode. It has a name, do
you know what that is? It was either the name of the software or they just
gave the "attack" a catchy name.

Thank you

On Mon, May 3, 2010 at 7:00 PM, Michael Douglas <mick at pauldotcom.com> wrote:

> I got a little late to the party... this is *not* a hack, but it shuts
> everyone the hell up because it scares them.  And I've never had any
> follow up questions
>
> Here's what you do.  It costs a few dollars (pounds in your case
> right?), but it's so worth it.  ssh into a server that's running some
> form of VoIP software.  (skype can work for you i suppose, but I don't
> know CLI for skype)  Setup a call group that has the phone number of a
> good amount of people at the party... the more numbers you have, the
> better.  Have the VoIP software call the group all at once (the PC to
> phone rate is where you have to spend $) ... all phones ring at the
> same time.   Even stranger, when they answer the call, they are all
> talking to each other.  Warning: the effect is highly creepy.  I
> thought folks would think it was funny (cause it is!) but it really
> freaked everyone out.
>
> That said, I tend to laugh off the "prove it" requests, unless it's
> some hot girl... in which case I wake up from my pleasant dream and
> remember there are no parties where hot ladies are asking anyone to
> show 1337 skills.   ;-)
>
> - Mick
>
>
> On Mon, May 3, 2010 at 5:27 PM, Robin Wood <robin at digininja.org> wrote:
> > Thanks for all the suggestions, I think I like this one the best, I
> > might set something up on a site so I can access it from my phone. Tie
> > this with an SMS service I've got that lets me specify the sender
> > number I could have some fun. Email and SMS the person from someone
> > else in the room.
> >
> > Robin
> >
> > On 3 May 2010 20:55, Andrew Ellis <only.samurai at gmail.com> wrote:
> > > A trick I've used for a while is keeping a protected email spoofing
> > > form on my web server. That way when I'm asked to "demo" my skills, I
> > > can simply send the person an email from theirself or the like.
> > >
> > > This has the advantage of looking pretty cool to laymen and, as far as
> > > I know, isn't illegal.
> > >
> > > It's definitely not a "1337 hack" but it's a nice way to show the
> > > types of things that can be done without getting in too much trouble.
> > >
> > > -Andrew
> > >
> > > On 5/3/10, Chris Clymer <cclymer at gmail.com> wrote:
> > > > Rather than a live demo, better tactic might be telling a story about
> > > > a vulnerability in joe sixpack terms.  The pizza coupon thing
> > > > (dominos?) a few months back is a good example.
> > > >
> > > > I see a lot of downsides to letting folks at a party pressure you into
> > > > a live demo.  You are basically allowing strangers to SE you.  If you
> > > > show a successful demo, you just know the next question will come: so
> > > > can you hack into so-and-so's facebook account? ;)
> > > >
> > > > When you consider the potential for demo fail too, this is really a
> > > > lose/lose situation :(
> > > >
> > > > -------------------------
> > > > securityjustice.com | chrisclymer.com
> > > >
> > > >
> > > > On May 3, 2010, at 11:54 AM, Robin Wood <robin at digininja.org> wrote:
> > > >
> > > > > Hi
> > > > > At a party the other day I was asked the normal question of what do I
> > > > > do for a living. I said security and kept it a bit vague but was
> > > > > pressed so explained what pen-testing is and roughly what I do. I then
> > > > > got the challenge, prove it, prove you can hack a company.
> > > > >
> > > > > People would say to a dentist, prove you can do a filling but this
> > > > > person insisted they wanted a demo. I explained the legalities and
> > > > > finally fobbed them off and got away but it got me thinking, has
> > > > > anyone got any good party tricks that they can pull in this kind of
> > > > > situation that give an instant wow but are easy to do and legal? Not
> > > > > quite legal but I was thinking if I knew any big sites with XSS I
> > > > > could rewrite but none came to mind at that time.
> > > > >
> > > > > Robin
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom at mail.pauldotcom.com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > --
> > > Andrew
> > > http://blog.psych0tik.net
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100503/3259e556/attachment.htm