Hiding the Payload

Just read this interesting post on sneaking an Easter Egg into the Cucumbertown application. The source code was being watched by peer reviewers. So they had to get tricky. They wanted a song to play when they pressed the secret key combo. They hid the data for the song within an image. The tactic is nothing new. But I like the ideas behind using this to get past the watchguards.

Still not sure I understand how they hid the code that actually played the music. Maybe you can follow. Check out the original post on this early hack. Be warned. These peeps code in C#. Ouch.

Veti-Gel Stops Bleeding Immediately

New York University student Joe Landolina has come out with an amazing product. It is called Veti-Gel. It stops bleeding immediately when applied. We are talking about 10 seconds or less here. You apply it to the wound. It holds its own pressure. You don't need to press down on it.

The gel uses plant polymers to get the job done. Joe calls this platform technology. It also helps to start the healing process. It allegedly can stop the bleeding from punctured organs. Orignally this was called Medi-Gel. That name matches the one from the Mass Effect video game.

This obviously has military applications. Joe is trying to get a grant from the Department of Defense. The Army already has a similar product calls QuickClot that it uses. Hospitals use another product that is similar.

Right now Joe is trying to get approval from the Food and Drug Administration. They will start doing tests on animals next. Joe has filed a patent for this breakthrough tech. Obviously this need to go through a lot of trials. Others call this in the early stages. But damn. This is exciting stuff if it is for real.

Software License

I needed some software for a class I am taking. Thought I could just download the free version. Nope. The company took that version off the market. Okay. Let's price the commercial version. It costs $1000. WTF? That does not even include documentation or install media. They do have a lite version for $500. Also a fail. That's about how much my whole college course for the semester costs. What's a starving student to do?

My initial instinct was to head to the Windows registry. I had signed up for a free 30 day trial. Maybe I could hack that somehow. It was not obvious how to do that. Then I searched around for some license codes on the net. They were easy to find, and surprisingly, they worked. If that had failed, I would maybe have to resort to running a keygen. I always fear it would also leave some malware on my system though.

I told my instructor about the fail. He said that as an instructor, he might be able to get 1 copy of the software for free. But he was going to keep that for himself. He did share some ideas on how to extend the trial. He thought we could just keep resetting the system clock on our PCs. Our he thought the key might be stored in a browser cookie. That seemed weird since this is not a web app.

There was one piece of good news to go the legit route. My instructor said the company does provide a 30% discount to students. So the lite version costing $500, with a 30% discount, would be $350. That is still way too much money for the piece of software I needed. Sure it was good software. But it did not do that much. As a last ditch legit effort, I could talk my company into buying me a copy of the software. They have big bucks in their budget. And I am learning this stuff for work.

Pwn2Own Happening Now

I just heard about the Pwn2Own competition going on in Vancouver right now. It is taking place at the CanSecWest conference. The conference specializes in digital security. Hewlett Packard and Google are backing the contest with some sweet prizes. Prizes for pwning the latest version of browsers top out at $100k. Bamm.

This is not a new competition. It has been held in previous years. But Pwn2Own had previously focused on browser vulnerabilities. Now the goal has been broadened to include browser plugins. You got to break the latest version of the browsers running on the latest operating systems. And they got all the current patches installed.

You cannot work for HP or Google to enter. And yeah you got to be 18 years old at a minimum. You must be registered for the CanSecWest conference to qualify. Bad news is that it costs $2200++ USD to get into the conference at this late date. I guess this only makes sense if you were already planning to attend the conf. Then again, the high cost of entry might minimize the competition.

One cool thing about the compeition is that you get drawn at random to attack the machine and browser. Then you go to work to hack an exploit. You got 30 minutes to break in. Then you got to hand over all your details to collect your prize. Of course HP will pass the info on so the holes can be plugged. This is a legit opportunity.