loftrat

Active Members
  • Posts: 99

Everything posted by loftrat

  1. @pizzaguy: Think I'm gonna need a bigger hard drive :D :D @digininja: Thanks, if you could that would be useful :)
  2. Did consider that (thanks :) ), but I don't think it's a particularly large list. It should suffice if they've chosen something blindingly obvious, but I think it's more likely to be something a bit more esoteric or maybe random.
  3. Evening All :) I'm soon to be doing a bit of web app testing on one of our internal sites. It's only very small, and there's not a lot of dynamic content, so I'm not expecting there to be very many 'interesting' issues ;) One thing that I'm almost positive that I'm going to see is either 1) basic auth, or 2) a brute-forceable login page (with no lockouts, and no tarpitting). I'd like to really go to town on the authentication, because I think that's going to be the only place that there's really going to be a problem. For this though I'm going to need a seriously comprehensive password list to run through Burp (or similar). Ideally I'd be looking for something that contains masses of dictionary words, or (probably better still) a list of all the possible combinations of letters and numbers up to a reasonable length password (say 14 characters). This would then automatically include a whole host of 'real' words, but would cover other bases as well. Anybody know of, or have, such a list - or (if necessary) have a tool that would allow me to create one? I don't need any hashes or anything, just plain text passwords. Cheers all :)
  4. All the passwords are available on the Interwebs for everybody to see now.....it was only a matter of time - mine's on there as well, I guess I must have been having finger trouble when I logged in though because there's about 4 different versions of it :D
  5. Mine was ultra secure. I used upper case, lower case, and numbers, and I made sure I obfuscated letters so that it wasn't an obvious dictionary word. I know what you hax0rs are like. As it can't do any harm I'll post it here so you losers can see what a real password looks like.....ready? Here it is: Pa55w0rd :D
  6. Do we know if any large portions of data were harvested (does the server log show any such activity)? What I guess I'm wanting to know is, what are the chances that my email address is currently being targeted by people wanting to sell me penis enlargements?
  7. No drama, password changed, thanks for the heads-up guys.
  8. No it isn't. The AES standard is open source and available for all to see. Any such 'backdoor' would be in plain sight, and (given the many thousands of people that are researching it continually) would have been found by now.
  9. Can I ask why you want to encrypt a live CD?
  10. Oh, sorry, missed a bit of your question :S Nope, no performance hits that I can notice - everything's running just fine. I've not managed to break it yet, but that's more because it just seems to work quite nicely than because of any particular lack of effort on my part.
  11. Ubuntu 9.04, installed using the alternate CD, and it's as stable as you like. Have it running on one of the dev machines at work, trying to use it as often as I can for as wide a range of tasks as I can, haven't had a chance to throw EnCase at it yet - I'll probably aim to do that next week. Looking at the mechanics of it I'm thinking that might be a waste of time though, the main reason I'm doing it is to make sure that Ubuntu's not caching anything anywhere unusual - although I can't see that being the case.
  12. Thanks, but: <error> − <reason> Sorry, this action could not be completed because of a permissions error. </reason> </error>
  13. Tried to watch this the other day, but it just wouldn't stream right - was jumping all over the damn place. Anybody got a location I can actually download it from so I can watch it from a local drive?
  14. LoL Worrying people is something I do well :D
  15. Thanks for the continued thoughts guys, much appreciated. I've installed Ubuntu 9.04 using the alternate CD and set up the encryption that way (must really learn how to do it manually.....maybe one day ;) ). Going to play with that for a while and then pull the drive and run it through a forensic analysis and see if I can pull anything back, in theory I shouldn't be able to but it never hurts to check :)
  16. I'll take a look at that, thanks. Yeah, the ones I managed to find were a) very expensive, and b) normally only being sold to laptop vendors. It's the only solution that I can think of that will allow proper dual booting though. That's fine if you a) have a machine to remote into, or b) have a route to the machine that you want to remote into. Sensitive work sometimes has to be carried out locally unfortunately, and the information on the laptop therefore needs to be secured accordingly. I'd looked at running a VM within a host and then just storing the VM in an encrypted container. It's not an ideal solution as you still get some paging outside of the container, and obviously you get a performance hit - unfortunately that's not even a goer as one of the machines I want to run on is a netbook.....and it doesn't like VMs :D I'll take a look at LUKS/LVM and see what that gives me. Thanks.
  17. Anybody got any good solutions for providing whole disk encryption on a linux system (laptop)? I would like to fully encrypt my netbook, and at least one other laptop in the house, but can't find any way of doing this. I'm running Windows at the moment, because I've happily been able to fully encrypt the drive using TrueCrypt - the same approach doesn't work under Linux though. Ideally I think I need some sort of hardware based encryption (a nice, self encrypting, HDD would be nice - then I could probably have a dual-boot system as well ;) ) - unfortunately I can't seem to find a vendor willing/able to sell me one. What are you guys using, if anything?
  18. I'm having the same problem (still) and haven't found a fix yet. I'm actually thinking about starting from scratch (again), but to be honest I don't think that's going to accomplish much.
  19. That actually looks more like a scene from the Transformers series that was aired on TV. The only feature length movie that I'm aware of that was made in that era is "Transformers: The Movie" (aside from the more recent offerings of course).
  20. Be careful with your demos though. Don't just go grabbing/sniffing private content and passwords without permission. The kids won't like it and you'll alienate them, the parents won't like it and you're likely to end up in hot water. Number one rule of all InfoSec engagements....C Y A Cover Your Ass ;)
  21. If I come across encrypted data on a system the first thing I'm gonna do is work out what available encryption/decryption methods that system has. Little point in having it there if it can't be decrypted by the users. Work out what's on the machine, then use that to decrypt the data.
  22. Don't think you can do it the way you want to, because of the way the virtual NICs are 'bridged' across your host machine's physical adaptor it needs to be up and running. The only way of doing this (as has been suggested already) is to completely bypass the host machine's adaptor using something like a USB wireless adaptor. You could also try firewalling it off completely. Drop a firewall between you and the Internet, then block the IP of your host machine inbound and outbound. That should still allow your VMs to communicate, but stop anything getting to/from your host.
  23. Don't know if the Team are planning any new sticker designs at all, but how about one of these:
  24. Nope.....you've lost me.....someone care to explain to me how this works? Is this some sort of brute force attack, or does the '>>Show Passwords' function inject some shell code or something?