Stone Tempest

steadfast against the storm

Business Logic Flaw Found

February 9, 2010 18:19 by CrazyDave

Found a business logic flaw in a major online "pay-for-content" site (not p0rn), though I can verify that it has problems in their parent family of sites. I wonder how many other sites have this problem... probably most of them...

Waiting for a response from the vulnerable company before I post details.



Blatant Boasting...

December 16, 2009 23:59 by CrazyDave

So, after much ado, it's live: http://blogs.technet.com/office2010/archive/2009/12/16/office-2010-file-validation.aspx

It's what I've been working on for some time...

 



TOR vs Proxies vs Freenet

December 10, 2009 16:28 by CrazyDave

So I've been playing with proxy chaining recently, and some have suggested just using TOR (or Freenet). I just wanted to point out that though TOR and FREENET do a decent job of making multi-hops automatic, you have to install software. So from a pure attacker's POV it's not as useful. Though it might be a good starting point, it would be more difficult to use it in an attack.



It's not VERSUS, it's PLUS

December 9, 2009 12:28 by CrazyDave

From Schneier on Security - My Reaction to Eric Schmidt:

Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

Amen.



Woodworking, Powershell, and Security

November 16, 2009 15:15 by CrazyDave

I wonder if I can put my hobbies into a single project...hmmm...



Keeping Big Brother Out

August 3, 2009 20:54 by CrazyDave

Keeping Big Brother Out: A VERY Brief Guide to Privacy Online

The Principles

  1. Once something is online, it is eternal! This goes for all email, tweets, blog posts, forum posts, comments, etc.
  2. Encrypt everything you want private. If it's not encrypted, assume others read it and know it came from you! Again, this goes for all email, tweets, blog posts and comments, forum posts and comments, anything, everywhere.
  3. Encoding is not Encryption! If you have a "secret message" that only you and your buddy know how to read, it's encoding, not encryption. For it to be true encryption, the method of making it "secret" has to be one where, even if someone knows the method, they still can't read it.

 

The Practices

  1. Never log into a website where the URL doesn't start with HTTPS. If you get to a website that asks for credentials (i.e. username and password), make sure it has https in the address bar of your browser. If it doesn't, add it in; sometimes this works, but most often it doesn't. If it doesn't, you have two things to do:
    1. Contact the webmaster / administrator of the site and tell him to add SSL support for the login page. Many will respond with a "NO, we're good enough" or "Sorry, we don't have the budget for it". Don't accept it; pressure them (or, more likely, their bosses) to provide the budget for it.
    2. Assume that your login information (remember, these are called credentials) will be stolen, i.e. don't use the same username/password as on other sites.
  2. Encrypt ALL messages that you don't intend to be read by EVERYONE. Use PGP, a Digital Certificate, or some other form of RELIABLE Cryptography.

That's all for now. Please ask questions or give comments... thanks