Secure passwords

June 16th, 2011, by magma

LulzSec just delivered a big batch of emails and passwords from somewhere. Here are some statistics:

# cat LulzSec\ Delivers.txt | wc -l
62178

# cat LulzSec\ Delivers.txt | grep naruto | wc -l
8

# cat LulzSec\ Delivers.txt | grep qwerty | wc -l
35

# cat LulzSec\ Delivers.txt | grep mamma | wc -l
10

# cat LulzSec\ Delivers.txt | grep fuck | wc -l
19

# cat LulzSec\ Delivers.txt | grep shit | wc -l
11
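The grep | wc -l counts above match anywhere on the line, so an e-mail address containing "naruto" is counted as a "naruto" password. The following is an added example, not from the original post: it parses the dump assuming an email:password layout per line (an assumption; the real file format is not shown), counts matches on the password field only, reports which lines plain grep would have overcounted, and lists the most reused passwords. The sample lines are constructed.

```python
from collections import Counter

# Constructed sample in the assumed "email:password" layout (not the real dump).
SAMPLE_DUMP = """\
naruto.fan@example.com:hunter2
alice@example.com:qwerty123
bob@example.org:naruto
carol@example.net:qwerty
dave@example.com:mamma
eve@example.org:password
frank@example.com:Qwerty!
grace@example.net:123456
heidi@example.com:123456
ivan@example.org:qwerty

"""

WEAK_TERMS = ("naruto", "qwerty", "mamma")


def parse_dump(text):
    """Split each 'email:password' line at the first colon.

    Splitting at the first colon keeps passwords that contain ':' themselves;
    blank or malformed lines (no colon) are skipped.
    """
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip(), password))
    return pairs


def count_term(pairs, term, ignore_case=True):
    """Like `grep term | wc -l`, but only on the password field."""
    t = term.lower() if ignore_case else term
    return sum(1 for _, pw in pairs if t in (pw.lower() if ignore_case else pw))


def grep_overcount(pairs, term):
    """E-mails that plain grep would count although the password does not match."""
    return [e for e, pw in pairs if term in e and term not in pw]


def top_passwords(pairs, n=3):
    """Most frequently reused passwords (exact match), as (password, count)."""
    return Counter(pw for _, pw in pairs).most_common(n)


def weak_term_report(pairs, terms=WEAK_TERMS):
    """Per-term counts over the password field, case-insensitive."""
    return {term: count_term(pairs, term) for term in terms}
```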


Annoying your co-workers: Change all profile pictures on Facebook

May 6th, 2011, by magma

Facebook is a big website with a lot of content. Most of the content is hosted on CDN servers, including all the profile pictures. In this case, all profile pictures are hosted on fbcdn-profile-a.akamaihd.net (it used to be profile.ak.fbcdn.net). As a sysadmin who wants to annoy his co-workers, this can be exploited.

  • Change the DNS record for fbcdn-profile-a.akamaihd.net to point at your own web server
  • Configure lighttpd (or the HTTP server of your choice) so all URLs on that domain are rewritten to your own pictures
  • Receive emails from your co-workers
  • Respond that they should not play with Facebook at work
  • ??????
  • Profit

*_n.jpg is the large profile picture, *_q.jpg is the small one.

Here is the lighttpd config:

$HTTP["host"] =~ "^fbcdn-profile-a\.akamaihd\.net" {
    url.rewrite-once = (
        "^/hprofile-ak-snc4/.*\/.*_n.jpg$" => "/profile_n.jpg",
        "^/hprofile-ak-snc4/.*\/.*_q.jpg$" => "/profile_q.jpg"
    )
}

The result will look like this:

This will only work if the user does not have HTTPS enabled, but since most troll victims do not, this should not be a problem.
