Securing Users with Tor and SSL

A number of users were victims of hacks because of SSL stripping attacks on the Tor network. We implemented a Tor hidden service and secured it with a signed SSL certificate and other steps.

FBI seizes fake Tor hosted Jihad funding website as part of Operation Onymous, leaves up real site.

As part of Operation Onymous the FBI seized some 276 Tor hidden services, many of which were clone or scam websites. One of the websites the FBI seized that we located during our crawl was titled “Fund the Islamic Struggle Anonymously”. The website had a short message for visitors where it asked for donations towards […]

Large Number of Tor Hidden Sites Seized by the FBI in Operation Onymous were Clone or Scam Sites

This post is the first in a series dealing with the takedown of Silk Road 2.0 and Operation Onymous. The data in this post was put together with @secruedmh and @imposter. A big thanks to Juha Nurmi and his Tor Hidden Service Index, and to researchers who share their work or report on stories such as […]

60 Minutes Australia on Silk Road and Bitcoin

60 Minutes Australia produce and air a report on Silk Road and Bitcoin.

Analyzing the FBI’s Explanation of How They Located Silk Road

As part of pre-trial hearings in the case of Ross Ulbricht, accused of operating online drug marketplace Silk Road, the FBI has filed an affidavit detailing how they uncovered the location of the Tor hidden service. In analyzing the filing we find that the technical experts at the FBI are not being completely transparent about how they uncovered the server.

Notes on the Celebrity Data Theft

An interesting aspect of information security is how periodically it collides with other industries and subcultures. With more information than ever being stored and shared online and on connected devices, hacking stories are frequent and make mainstream news. This was the case yesterday as dozens of celebrities fell victim to hackers who leaked hundreds of […]

Multiple Vulnerabilities in Disqus WordPress Plugin

Vendor: Disqus for WordPress
Affected versions: up to v2.7.5
Patched: v2.7.6 release
Exploit: Manage.php CSRF+XSS admin exploit

Disqus is an extremely popular third-party commenting system used on blogs and media sites. The Disqus plugin for WordPress has been installed over a million times and is the 15th most popular overall WordPress plugin. I recently performed […]

CS-Cart v4.2.0 Session Hijacking and Other Vulnerabilities

Vendor: CS-Cart
Affected versions: up to v4.2.0
Patched: v4.2.1 released

CS-Cart is a semi-popular open source e-commerce shopping cart application. It contains a homebrew session management system that uses an insecure source of randomness to generate session tokens. The poor source of randomness, combined with other bugs, makes it possible to hijack an administrator's session […]

Multiple Vulnerabilities in myGov, the Australian Government Single-sign-on Solution for Citizen Services.

Update: This story has been published by Fairfax on the Sydney Morning Herald website. The previous Australian government introduced a policy called Digital First, which is a mission to make the majority of Australian government services available online by 2017. The new government elected in 2013 adapted this policy and extended it further, requiring that […]

Two Google Chrome Privacy Issues

I have recently discovered two privacy issues with Google Chrome that users should be aware of. They both relate to browsing history data not being deleted despite the user taking action to delete browsing history. A Google Chrome user can delete browser history by going into Preferences -> Show Advanced Settings -> Clear Browsing Data. […]

Yahoo Axis Chrome Extension Leaks Private Certificate File

Preamble: The tl;dr for users is to not install (in my opinion) the Yahoo! Axis extension for Chrome until this issue is clarified. See the update below about disclosing this issue. Yahoo! today announced their new Axis web browser. It is implemented as an extension to Chrome, Firefox and Internet Explorer. I installed the Chrome extension […]

BlockPlus v4 Released: Block Google+ widgets and links from other Google sites

Google recently added a Google+ widget to the search engine homepage. I wrote BlockPlus when Google+ was first released and first integrated into other Google properties. The idea was to remove all the links to Google+ and Google+ widgets from other Google properties so that you aren't distracted by them and so that the page […]

Facebook and many other sites also bypass Internet Explorer privacy controls

There is a post today on a Microsoft MSDN blog about how Google bypasses third-party cookie control in Internet Explorer by setting a false P3P header. The post author is Dean Hachamovitch, who is the VP for IE, and follows up from a big story last week about how Google and a number of other […]

Facebook Is Losing E-Commerce

Bloomberg has a report out today about retailers shutting down their online Facebook stores due to lack of interest and activity from users. The headline example is Gamestop – who, despite having some 3.5 million fans on Facebook – recently shut down its Facebook shopfront because it didn't take off with users. From the article: […]

How Megaupload Was Investigated and Indicted

The popular file upload site Megaupload was taken down today as part of a US DOJ investigation into the site for breaches of US copyright law. From reading the indictment and digging around online you can start to reverse-engineer how the investigation was carried out. The evidence in the grand jury indictment is of four […]

The Google Firefox search deal, Chrome and Lady GaGa

In a response to MG Siegler's post about the Google and Firefox deal, Chrome engineer Peter Kasting posted to Google+: People never seem to understand why Google builds Chrome no matter how many times I try to pound it into their heads. It's very simple: the primary goal of Chrome is to make the web […]

The Crunchpad is proof of obviousness in the iPad design

The patent case between Apple and Samsung regarding the iPad and Galaxytab has been an ongoing issue. Apple won an injunction against the sale of the Galaxy Tab in Australia, then saw the decision reversed, only for it to be re-applied by a higher court. A number of outlets reported on the advice Apple has […]

The Download Dot-Con

Fake software downloads are a huge problem on the web. A few weeks ago a non-technical friend called me and asked how to play some Xvid encoded movies he had downloaded. I told him that the best and easiest software to use is VLC Player. He asked if I could send him a copy or […]

Google Android: The Accidental Empire

What Google has done with Android is amazing. The mobile operating system is now 44% of the smartphone market and its rise, along with iOS, has contributed to the utter destruction of both RIM (peak market cap of almost $80B, down to $8B today) and Nokia (peak market cap of $158B, down to $19.5B today). […]

Introducing Frictionless: Taking the friction out of Facebook social-sharing applications

Today we are launching Frictionless, a browser extension (Chrome only at the moment) that rewrites the default features of Facebook social-sharing and provides users with privacy and the ability to read the original source websites for shared articles. If you are a Facebook user, you have probably seen the new social-news sharing applications such as […]

Lies, Damn Lies and Google+ Statistics

One of the big stories making the rounds in the tech world today is that traffic at Google+ has 'plummeted' a full 60% this week over last week. All of these reports cite a graph from advertising company Chitika (who conveniently become a 'web analytics firm' in the

Unicode U+F8FF: aka. The Apple Logo Character, on Macs

With the death of Steve Jobs this week many users on Twitter added the Apple logo to their names or to their tweets in tribute. Some bloggers also used the character in blog posts, which can be input by pressing option + shift + k. The logo is a Unicode character, at address U+F8FF. The […]

Facebook Re-Enables Controversial Tracking Cookie

In May of this year the Wall Street Journal reported that Facebook like buttons and other website widgets were setting cookies on visiting browsers. This cookie could then be read later and used to track the user across different web properties and back to the Facebook site. The cookie was being set even if the […]

HowTo: Setup secure and private Facebook browsing

This howto guide will take you through securing your Facebook account, enabling settings for improved privacy, disabling features where your Facebook information can be shared with third-party sites, and finally setting up your browser for private sharing.

Step 1. Securing your Facebook account

Go to Security Settings. Edit 'Secure Browsing' and enable it.

Facebook Fixes Logout Issue, Explains Cookies

I wrote a post two days ago about privacy issues with the Facebook logout procedure which could lead to your subsequent web requests to third-party sites that integrate Facebook widgets being identifiable and linked back to your real account. Over the course of the past 48 hours since that post was published we have researched […]

Logging out of Facebook is not enough

Important Update: Facebook has responded and issued a fix for this issue. See the follow-up blog post “Facebook Fixes Logout Issue, Explains Cookies”. Dave Winer wrote a timely piece this morning about how Facebook is scaring him, since the new API allows applications to post status items to your Facebook timeline without a user's […]

Persistent and Unblockable Cookies Using HTTP Headers

There was a big story last week about published research that claimed analytics company KissMetrics were tracking users across multiple sites using a unique ETagspec. KissMetrics denied that they were using ETags to track users, and they have filed a lawsuit against the author of the research piece (Note: see update at the bottom of […]

BlockPlus: A browser extension to block Google+ notifications

Google recently launched their much-publicized social network Google+. I signed up early on, but found that having the new status bar across the top of all the other Google applications was becoming a distraction. Earlier today I went into Gmail to send a simple email, and the Google+ notifier caught my attention. I clicked on […]

i18n is a popular abbreviation for 'Internationalization'. It is abbreviated by taking the first and last letters and replacing all the characters in the middle with the number of characters replaced. l10n is the abbreviation for localization. I am not sure if a lot of developers who are familiar with the terms understand the origins, […]

Pain and Gain

I can't remember how I found this story, but it is amazing. The incidents covered occurred during the early to mid 90s, and the Miami New Times article was published in 1999. The story is about the manager, some employees and members of a body building and gym club in Miami who move into violent […]

Cutting Off Burners

From the David Sedaris essay, Laugh Kookaburra, Laugh: Pat was driving, and as we passed the turnoff for a shopping center she invited us to picture a four-burner stove. “Gas or electric?” Hugh asked, and she said that it didn’t matter. This was not a real stove but a symbolic one, used to prove a […]

Finding a Technical Co-Founder

My own anecdotal evidence indicates that the number of tech startups being founded is on the rise again. YCombinator received a record number of applicants in the most recent batch, and has extended the number of interview slots this year because of both the increased number of applicants and the quality of applicants. In the […]

Guide to Finding a Good and Safe Company or Product Name

I enjoy the process of coming up with a new product or project name and finding a domain. I am currently in the process of doing this with my new startup (still negotiating the domain), and have gone through the process at least a dozen times in the past. Here are some basic rules that […]

The Google IPO Skeptics

The market cap of Google today is $196 Billion. The company has grown to become one of the largest and most influential technology companies of all time. It is difficult to imagine, but there was a time where many were skeptical of Google and its potential to be successful. In August of 2004, in the […]

Relevance Time for Twitter

A little over a year ago on Techcrunch I wrote Relevance over Time, a post about how the default view of chronological ordering of messages in applications was not suited to the web, where applications now have enough gestures from users to be able to sort by relevance. Chronological ordering in Twitter, Facebook, Gmail, blogs […]

Fidelio: A browser plugin for secure web browsing

A Firefox plugin called Firesheep was released this week. It allows users to hijack sessions sniffed from WiFi or other networks through simple point and click. Session hijacking is a well understood security risk, but the script kiddie nature of Firesheep has caused a lot of response and reaction. Website developers and administrators are scurrying […]