Monday, July 21, 2008


I've been wasting a bunch of time on MyYearbook, a MTWWTOSNS (massively time-wasting web-two-oh social-networking site). If you'd like to descend into madness with me, click here to join, for my personal gain:
Be Ryan's Friend

Several interesting aspects to this one, for security people. First, there are many sociological aspects. For example, what happens if you tell people they can't post naked pics? Second, there is a play-money currency, which drives everyone's behavior. Finally, they are getting phished left and right from within the site.

And the staff there appears to be woefully unprepared to deal with it. When I saw the phishing, I thought I might mail their abuse contact (the only email address I found published) and see if they needed info, if I could put them in touch with a takedown group, etc. I got bounces from gmail. Um, your abuse email at your own domain depends on gmail?

The site is absolutely begging for someone to start using XSS. The game model they have basically demands it. For example, your popularity depends on profile views, and I can post a pretty wide range of HTML to someone in about 20 different ways. I haven't tried to see if I can find any XSS, mostly because I don't trust myself not to abuse it.

But here is my favorite thing about MyYearbook, which I just realized while sitting in JFK coming back from HOPE: this site is teaching millions of people how to do simple HTML. And nearly half of these people are below average intelligence.

Edutainment, indeed.

Friday, July 18, 2008

Politics, $8.34 worth

This post is about politics, which I normally would avoid. But humor me this one time.

Click on the pic to have your geek heartstrings pulled. Short version: if he's willing and able to put this up, that's all I need to know. I don't care if he's pandering.

Yeah, I gave him $8.34.

Long version: it doesn't matter if he's in Kansas, I want people like this to succeed. It doesn't matter if I agree with all of his policies; you never get a candidate that matches exactly, and you can't count on them to implement them once in office. Plus, he appears to be able to change his mind based on feedback, holy crap.

If you want more candidates like this, consider giving him a token donation (US only), and blog him up.

Tuesday, July 15, 2008


I'll be in NYC for HOPE, starting tomorrow. Any of you going to be there?