You're not worried that the first time something went wrong on their machine afterwards, you'd get the blame?
I'm very careful about putting myself into positions where it's implied I might have *any* responsibility whatsoever for somebody's malware-laden $500 300 pound HP piece of junk. "Showed them MiTM" is a pretty strong implication to some folks - I'd guess the same sorts who have the temerity to suggest you need to prove your knowledge to them at a party. Mike On 2010/05/04 4:19 PM, Chris Blazek wrote: > To try and convince my wife to be very careful of public networks I did a > little arp poison and cranked up webspy. I had her go into the other room > and pull up whatever website she wanted and then come and look at what I had > on my laptop. :) > > I have folks telling me I'm just paranoid and overreacting. When I show them > a little mitm attack, they all see my point. > > Another fun thing to do is load beef into a crafted web page. Have someone > visit it and use one of the tools in the framework. :) > > > > > > On Tue, May 4, 2010 at 12:37 PM, Robin Wood <[email protected]> wrote: > >> On 4 May 2010 18:36, Larry Pesce <[email protected]> wrote: >>> He is, and I know of....I mean Bob knows of a setup similar to this. >>> I'll see if I can get Bob to share his properly sanitized Asterisk >>> config to do so. >> >> That would be good. >> >>> >>> - L >>> >>> >>> >>> On 5/4/10 10:45 AM, Chris Clymer wrote: >>>> Im assuming Mick is referring to Asterisk >>>> >>>> ------------------------- >>>> securityjustice.com <http://securityjustice.com> | >>>> <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >>>> >>>> >>>> On May 3, 2010, at 11:37 PM, Michael McGrew <[email protected] >>>> <mailto:[email protected]>> wrote: >>>> >>>>> Michael, >>>>> >>>>> I remember hearing about that software on a PDC episode. It has a >>>>> name, do you know what that is? It was either the name of the software >>>>> or they just gave the "attack" a catchy name. >>>>> >>>>> Thank you >>>>> >>>>> On Mon, May 3, 2010 at 7:00 PM, Michael Douglas < >>>>> <mailto:[email protected]>[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> >>>>> I got a little late to the party... this is *not* a hack, but it >> shuts >>>>> everyone the hell up because it scares them. And I've never had >> any >>>>> follow up questions >>>>> >>>>> Here's what you do. It costs a few dollars (pounds in your case >>>>> right?), but it's so worth it. ssh into a server that's running >> some >>>>> form of VoIP software. (skype can work for you i suppose, but I >> don't >>>>> know CLI for skype) Setup a call group that has the phone number >> of a >>>>> good amount of people at the party... the more numbers you have, >> the >>>>> better. Have the VoIP software call the group all at once (the PC >> to >>>>> phone rate is where you have to spend $) ... all phones ring at the >>>>> same time. Even stranger, when they answer the call, they are all >>>>> talking to each other. Warning: the effect is highly creepy. I >>>>> thought folks would think it was funny (cause it is!) but it really >>>>> freaked everyone out. >>>>> >>>>> That said, I tend to laugh off the "prove it" requests, unless it's >>>>> some hot girl... in which case I wake up from my pleasant dream and >>>>> remember there are no parties where hot ladies are asking anyone to >>>>> show 1337 skills. ;-) >>>>> >>>>> - Mick >>>>> >>>>> >>>>> On Mon, May 3, 2010 at 5:27 PM, Robin Wood < >>>>> <mailto:[email protected]>[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> > Thanks for all the suggestions, I think I like this one the best, >> I >>>>> > might set something up on a site so I can access it from my >>>>> phone. Tie >>>>> > this with an SMS service I've got that lets me specify the sender >>>>> > number I could have some fun. Email and SMS the person from >> someone >>>>> > else in the room. >>>>> > >>>>> > Robin >>>>> > >>>>> > On 3 May 2010 20:55, Andrew Ellis < >>>>> <mailto:[email protected]>[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> >> A trick I've used for a while is keeping a protected email >> spoofing >>>>> >> form on my web server. That way when I'm asked to "demo" my >>>>> skills, I >>>>> >> can simply send the person an email from theirself or the like. >>>>> >> >>>>> >> This has the advantage of looking pretty cool to laymen and, as >>>>> far as >>>>> >> I know, isn't illegal. >>>>> >> >>>>> >> It's definitely not a "1337 hack" but it's a nice way to show >> the >>>>> >> types of things that can be done without getting in too much >>>>> trouble. >>>>> >> >>>>> >> -Andrew >>>>> >> >>>>> >> On 5/3/10, Chris Clymer < >>>>> <mailto:[email protected]>[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> >>> Rather than a live demo, better tactic might be telling a >>>>> story about >>>>> >>> a vulnerability in joe sixpack terms. The pizza coupon thing >>>>> >>> (dominos?) a few months back is a good example. >>>>> >>> >>>>> >>> I see a lot of downsides to letting folks at a party pressure >>>>> you into >>>>> >>> a live demo. You are basically allowing strangers to SE you. >>>>> If you >>>>> >>> show a successful demo, you just know the next question will >>>>> come: so >>>>> >>> can you hack into so-and-so's facebook account? ;) >>>>> >>> >>>>> >>> When you consider the potential for demo fail too, this is >>>>> really a >>>>> >>> lose/lose situation :( >>>>> >>> >>>>> >>> ------------------------- >>>>> >>> <http://securityjustice.com>securityjustice.com >>>>> <http://securityjustice.com> | >>>>> <http://chrisclymer.com>chrisclymer.com <http://chrisclymer.com> >>>>> >>> >>>>> >>> >>>>> >>> On May 3, 2010, at 11:54 AM, Robin Wood < >>>>> <mailto:[email protected]>[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> >>> >>>>> >>>> Hi >>>>> >>>> At a party the other day I was asked the normal question of >>>>> what do I >>>>> >>>> do for a living. I said security and kept it a bit vague but >> was >>>>> >>>> pressed so explained what pen-testing is and roughly what I >>>>> do. I then >>>>> >>>> got the challenge, prove it, prove you can hack a company. >>>>> >>>> >>>>> >>>> People would say to a dentist, prove you can do a filling but >>>>> this >>>>> >>>> person insisted they wanted a demo. I explained the >>>>> legalities and >>>>> >>>> finally fobbed them off and got away but it got me thinking, >> has >>>>> >>>> anyone got any good party tricks that they can pull in this >>>>> kind of >>>>> >>>> situation that give an instant wow but are easy to do and >>>>> legal? Not >>>>> >>>> quite legal but I was thinking if I knew any big sites with >> XSS I >>>>> >>>> could rewrite but none came to mind at that time. >>>>> >>>> >>>>> >>>> Robin >>>>> >>>> _______________________________________________ >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > > > > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
