Scott Yang's Playground

You know what those “security questions” are. The ones that usually spell something like “what is your mother’s maiden name?” or “which city were you born?” They are usually required when you sign up a service. What were they for? It appears that some services use it for verification to reset your password, in situations [...]

MacRumours reports a Mac OS X box hacked in 30 minutes in a competition. Sounds like a local exploit to me, as hackers are free to create shell accounts on the box, although it tells nothing about how remotely-exploitable Mac OS X is. However (1) a local exploit with privileged escalation is still an exploit [...]

Microsoft has finally released security patch to a vulnerability in reading Windows Meta File (WMF). Hurry up! Run, download and apply this patch (if you haven’t got yourself infected). Unless you are running Mac or Linux of course :)

This morning when I tried to sign on with Google Talk, a warning message popped up saying “You account has been locked“, and asked me to go to Google’s website to unlock my account. As I have been reading too much AdSense forum on WebmasterWorld lately, my immediate reaction was “uh-oh“. I thought Google has [...]

Via B. Schneier, a pedophile was convicted, and existence of PGP on his desktop is one evidence. That guy is guilty regardless, but now the verdict is – if you have something to hide, you might be guilty! Better go and Rot26 all my world domination plans.

I know it is going to come sooner or later, but now there is a wide-spreading worm that attacks vulnerable phpBB installations, by exploiting its now infamous “highlight” bug prior to 2.0.10. It overwrites every .php file found on your system, which makes a quite big mess. I patched the only copy of phpBB installed [...]

Brice Schneier talked about how one should secure your own personal computer against uninvited intruders from the Internet. Many pure gold here, straight from one of the best security experts in the field. You might think of it as being too paranoid, but these tips might save your life one day.

Saw it on /. Multiple Browsers Window Injection Vulnerability Test. Secunia claimed that all most modern browsers are vulnerable to this attack, which allows another site to replace the URL of a popup window in a legitimate site. For example, go to a bank site, click on the link to popup the login window, and [...]

As Bruce Schneier has shown in an email he has received, virus cannot spread effectively without clever social engineering. It does not work, however, when you are the one and only person in your own domain’s support team.

I have received the following logs on my mail server regularly over the last 2-3 months, showing attempts of spammers trying to send me a junk mail. The log is generated by Postfix automatically, and send to my postmaster box.

Well. I am not revealling my private keys so that you can read my previous post. However, somehow I felt that I might need to put my public PGP keys somewhere on this blogsite, so that in case you need to send me encrypted emails or verify my signatures, you would be able to do [...]

EveryDNS, the free DNS provider that I have used for two of my domains, was under DDoS attack back in February this year. It took a few days to recover from the downtime, and many people who have hosted their domains on EveryDNS suffer as result. Unfortunately this seems to be happening again. This morning [...]

The saga continues from the story yesterday… Last night at around 10′ish, I thought EveryDNS has already been fixed because I can now see their website and use their web interface to modify my DNS configuration. I woke up this morning, and found some of my spooled emails still cannot be sent because source domain [...]