Note: This is an historic article originally published on Hungry Hacker, which I moved here instead.
Hrm, I guess OurStory.com fixed the XSS I notified them about a while ago. I was going through all the crap I'd found, and checking it out on XSSed.com to see if there were any that weren't listed who also hadn't fixed their shit. OurStory.com sort-of fixed it - they just check for <script>, rather than sanitizing the text passed to the keyword parameter, so stuff like this is still vulnerable. I put very little effort into that URL, but you should be able to see where I'm going with it. The website was notified (again) this morning.
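To make the difference between checking for <script> and sanitizing the keyword parameter concrete, here is an added example (not from the original article and not OurStory.com's code). The function names, the page fragment and the sample inputs are all constructed for illustration.

```javascript
// Added illustration; every name and the HTML fragment are hypothetical.

// The kind of check the post describes: only the literal "<script>" is refused.
function blocklistFilter(keyword) {
  return keyword.toLowerCase().includes("<script>") ? "" : keyword;
}

// Output encoding: neutralise every character that is significant in HTML
// text and quoted attributes, whatever tag or attribute it would spell.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Reflect the keyword the way a search page might: once inside an attribute
// and once in body text. `prepare` is the treatment applied to the raw input.
function renderSearch(keyword, prepare) {
  const k = prepare(keyword);
  return `<input name="keyword" value="${k}"><p>Results for ${k}</p>`;
}

// The template itself writes exactly 3 tags and 4 double quotes. Anything
// beyond that means user input changed the structure of the page.
function structureIntact(html) {
  const tags = (html.match(/<\/?[a-zA-Z]/g) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return tags === 3 && quotes === 4;
}

// Constructed, harmless inputs: plain markup and a stray double quote.
const SAMPLES = ["cats", "<b>bold</b>", 'say "hi"'];

function compare() {
  return SAMPLES.map((input) => ({
    input,
    blocklist: structureIntact(renderSearch(input, blocklistFilter)),
    escaped: structureIntact(renderSearch(input, escapeHtml)),
  }));
}

console.table(compare());
```

The blocklist column goes false for any input that carries markup or a quote, while the escaped column stays true because the encoding does not depend on which tag the input contains.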
So I took a break from... whatever it is I do... this morning to change out the filter on our ADSL. It's been acting up periodically, I assumed the ol' Speedstream 4100 was dying because of the heat (a couple weeks back the data closet got really really hot on a warm day, now I keep it open to keep it ventilated until I figure out another way), so I changed it out this morning for an older 5100. It kept doing it, getting worse. This morning, it was dropping about every half an hour. So I called up AT&T, to see what they said. They ran some tests, and said everything looked normal, and suggested that it was the cordless phone that's about 15-20' from the data closet. That phone's been there forever, and it's just started acting up.
After some umming and aahing, and suggesting it might be the firewall software on my Windows machines (it's the PPPoE connection itself dropping), she came upon the idea of removing a filter. I didn't take her silly idea (unplug all phones and filters, just have the ADSL modem in the wall), but I went out and changed the filter out for a new one (I have spares, plenty of them) because it struck me that I had been lucky enough not to have a single filter go out in the two years we've been here. For reference, I had three die on me in that time in Sacramento. I changed it out, and tidied up some wires which may also have been the culprit (though doubtful) and we'll see how it goes.
Grrr, it just dropped again while I write this article.
Anyway, it looks like the Dish box I haxed is dead. I can't flash it any more. I have a couple more tricks up my sleeve before I yank the JTAG cable out of it and toss it in the trash - still though, $2 for an article and a few hours' entertainment is cheap in anyone's language.
Strykar's been on the lookout for an ISA NIC for a while now, he got excited because Spike mailed him one, only to find out it's EISA, which wouldn't fit in his archaic router box. I managed to find one a little while ago digging through some boxes looking for DSL filters, and I took some goofy shots to show that I had an ISA NIC and he didn't. The one to the left is the best of the bunch - it's a shame the one of me licking the NIC didn't come out.
What else is new? Not much... Whitedust dropped off the face of the earth a while back, amid ZF0 ownage. I've mixed emotions about this - WD didn't really turn out the way I wanted it to... it was lacking something... what was it... credibility? Yeah that's it. Don't get me wrong, Cronus and PSG have been good friends of mine for a long time, but you don't poke the beast without making damn sure you have somewhere to run. Claiming you're a hacker (come on PSG, adding the phrase [...]hacker (a label he has denied on many recorded occasions) and adding yourself to the category "British Hackers" is laying claim to the title), skirting the blackhat side, and then not spotting a backdoor in the backups of your own website is pretty sloppy. Furthermore, I'm a little disappointed that I have to read about two of my oldest IRC friends giving up the ghost in a vague notice on their website.
If you've not read through the issues of ZF0, I suggest you do. The guy(s) who write it do so exceptionally well (though the formatting sometimes doesn't make it clear whether you're reading a comment of theirs, or actual dumped data) and it'll give you a chuckle at the expense of others. Furthermore, once you're done laughing/feeling pity, you might actually learn a thing or two about covering your own arse.
I guess there's not much to do except sit back and watch the circus unfold. Don't take it personally, try to learn all you can (and don't overestimate your knowledge), and have a good chuckle at it all at the end of the day. ZF0, if you're ever in India, Strykar wants to buy you a round.