loftrat

@pizzaguy: Think I'm gonna need a bigger hard drive :D :D @digininja: Thanks, if you could that would be useful :)

Did consider that (thanks :) ), but I don't think it's a particularly large list. It should suffice if they've chosen something blindingly obvious, but I think it's more likely to be something a bit more esoteric or maybe random.

Evening All :) I'm soon to be doing a bit of web app testing on one of our internal sites. It's only very small, and there's not a lot of dynamic content, so I'm not expecting there to be very many 'interesting' issues ;) One thing that I'm almost positive that I'm going to see is either 1) basic auth, or 2) a brute-forceable login page (with no lockouts, and no tarpitting). I'd like to really go to town on the authentication, because I think that's going to be the only place that there's really going to be a problem. For this though I'm going to need a seriously comprehensive password list to run through Burp (or similar). Ideally I'd be looking for something that contains masses of dictionary words, or (probably better still) a list of all the possible combinations of letters numbers up to a reasonable length password (say 14 characters). This would then automatically include a whole host of 'real' words, but would cover other bases as well. Anybody know of, or have, such a list - or (if necessary) have a tool that would allow me to create one? I don't need any hashes or anything, just plain text passwords. Cheers all :)

All the passwords are available on the Interwebs for everybody to see now.....it was only a matter of time - mine's on there as well, I guess I must have been having finger trouble when I logged in though because there's about 4 different versions of it :D

Mine was ultra secure. I used upper case, lower case, and numbers, and I made sure I obfuscated letters so that it wasn't an obvious dictionary word. I know what you hax0rs are like. As it can't do any harm I'll post it here so you loosers can see what a real password looks like.....ready? Here it is: Pa55w0rd :D

Do we know if any large portions of data were harvested (does the server log show any such activity)? WHat I guess I'm wanting to know is, what are the chances that my email address is currently being targetted by people wanting to sell me penis enlargements?

No drama, password changed, thanks for the heads-up guys.

No it isn't. The AES standard is open source and available for all to see. Any such 'backdoor' would be in plain site, and (given the many thousands of people that are researching it continually) would have been found by now.

Can I ask why you want to encrypt a live CD?

Oh, sorry, missed a bit of your question :S Nope, no performance hits that I can notice - everything's running just fine. I've not managed to break it yet, but that's more because it just seems to work quite nicely than because of any particular lack of effort on my part.

Ubuntu 9.04, installed using the alternate CD, and it's as stable as you like. Have it running on one of the dev machines at work, trying to use it as often as I can for as wide a range of tasks as I can, haven't had a chance to throw encase at it yet - I'll probably aim to do that next week. Looking at the mechanics of it I'm thinking that might be a waste of time though, the main reason I'm doing it is to make sure that Ubuntu's not caching anything enywhere unusual - although I can't see that being the case.

Thanks, but: <error> − <reason> Sorry, this action could not be completed because of a permissions error. </reason> </error>

Tried to watch this the other day, but it just wouldn't stream right - was jumping all over the damn place. Anybody got a location I can actually download it from so I can watch it from a local drive?

LoL Worrying people is something I do well :D

Thanks for the continued thoughts guys, much appreciated. I've installed Ubuntu 9.04 using the alternate CD and setup the encryption that way (must really learn how to do it manually.....maybe one day ;) ). Going to play with that for a while and then pull the drive and run it through a forensic analysis and see if I can pull anything back, in theory I shouldn't be able to but it never hurts to check :)