VMware Guest Isolation Vulnerability

August 22nd, 2007 by mb

I have run across a design issue in VMware’s scripting automation API that diminishes VM guest/host isolation in such a manner as to facilitate privilege escalation, spreading of malware, and compromise of guest operating systems.

Posted in Windows Security | 5 Comments »

Lesson two on what not to do with a CAPTCHA

August 22nd, 2007 by mb

In my previous post on CAPTCHAs I mentioned that “…you need to make sure the end user can’t do anything to influence what code you pick.”

For this example, I will pick on captchas.net, which provides a free CAPTCHA service for anyone to use on their web site. While this is pretty cool of them to provide this for free, there is a serious flaw with their implementation. In fact, it is actually a flaw I have seen more than once in some form or another.

Posted in Windows Security | 7 Comments »

These CAPTCHAs are just not working out

August 21st, 2007 by mb

Filling out a web form without also having to pass a CAPTCHA test nowadays is pretty rare. CAPTCHAs weren’t really that annoying to me when they were more of a rare occurrence but I have been finding myself more and more bothered with them lately, especially because my success rate in entering the correct letters seems to be around 75%. There are some CAPTCHAs I have encountered lately that take me several tries to get right. And when I get annoyed at some security measure my first thought is to try to break it.

Posted in Windows Security | 11 Comments »

Once again, a search engine exposes private data

August 21st, 2007 by mb

I almost feel embarrassed writing a post like this because it is such old news. Google hacking really shouldn’t be that interesting anymore. But it still is.

Although Google Code Search hacking has been mentioned in the news many times already, the power of regex searches and the fact that it indexes files inside zip files and other archives still makes it quite a gold mine.

Posted in Windows Security | No Comments »