To cut down on any lag added by php, I setup some forwarding permissions on devz3ro.com. I did this specifically for those that desire to use imeem.com's 'music / photo / video' features on myspace. Also, this may help those that had trouble with the php forwarding script.

Instructions:

What you will do is copy your imeem (music / video / photo - doesn't matter which) code and paste it into 'Microsoft Notepad'

After pasting the code into Notepad, go to Edit, then Replace... from the top menu.

In the 'Find what:' box type media.imeem.com
In the 'Replace with:' box type devz3ro.com/media

Press the 'Replace All' button, then 'Cancel'

Copy the new code you created into your myspace profile and save.

For advanced users: You can copy the entire imeem code into your myspace profile, just make sure you change any occurrences of media.imeem.com to devz3ro.com/media before you save.

· devz3ro on October 07 2007 04:33:01· 22 Comments · 3881 Reads ·

Sorry for my absence - I've been working and partying a lot lately, thus a huge lack of updates. I am still alive though, if you were wondering or... care =).

Onto bigger and better things though. I mostly have an audience from the imeem player on myspace. It was a real small project from my perspective, and using scripts that I didn't even code to make it happen made it even smaller.

In my spare time I have read some XSS or cross-site scripting books. There is a XSS 'cheat-sheet' floating around the internet which I stumbled across as I was skimming through this book. I had an idea to combine 2 of the scripts on this cheat sheet (with a little input of my own) in a way that would allow scripts to be ran on the current domain, communicating outside of the internal domain even if we aren't permitted to do so (what xss is =]). I passed along my theory to a friend that has more knowledge in this area than myself. He setup a temporary php/mysql server to see if he could use this 'obfuscated' code on current online networks - such as friendster, myspace, imeem, facebook, zanga etc. The script he was using was basically a 'cookie-stealer'. While this sounds funny, it's actually very bad (I'm not going into why). His results came back positive for all except facebook.

My options were the following:
#1. try to get this published in an 'updated' cheat-sheet. #2. contact a friend I have who works for securityfocus.com. #3. just release it to the public.

I chose option #2. While having it published sounds good, I would never be credited. Releasing it to the public would just cause abuse from webmasters and those seeking a easy 'buck' - having it patched on all networks immediately.

While securityfocus.com really doesn't bother with such 'small-and-easily-patchable-vulns' like this, I still wanted to see what they have to say about it. Who knows maybe I could be mentioned in an article if they ever wrote one.

· devz3ro on August 30 2007 02:17:36· 12 Comments · 472 Reads ·

If you have been trying to access the site, or anything on it recently you would have noticed that everything had a 'forbidden' (403) error.

Reason (story behind it if you care to read):

Well, recently in my email inbox I received an email which 'appeared' to be from ebay - a buyer asking me a question about an item. With no current auctions, and because email spoofing is extremely easy, I inspected the email for suspicious links that lead away from the ssl ebay domain. Sure enough there was one as soon as you tried to 'contact the buyer' back. I visited this page, stripped all the code, and viewed it to see how it all worked. It was a few .js (script) files which recreated the positioning of the real ebay site, a cgi file which emailed whatever address they wanted with the information you put in, and a plain html file to hold it all together.

Where I went wrong was I was going to write a news story and post some of these files (with the malicious email line stripped of course) as a proof of concept. As I was testing the cgi file (replaced their email address with mine to see if it actually worked) I received this email from abuse@oneandone.net (my web host).

This letter is complete bullshit. "We received several complaints stating that a so called phishing site was uploaded to your web space" is a lie, and "This was possible because your are using outdated/exploitable scripts on your web space" is false. They were there because I put them there - not to steal anyones information, but to explain how to avoid such sites and how easy it is to be fooled by them. I didn't have the files available to the public at this time so it's impossible they 'received several complaints'. What probably really happened was they have an alert system built into the host (that they don't tell their customers about). This system probably 'alerts' on certain named files that are uploaded to be scanned for any malicious code. Very good idea, I agree with such a system, but don't lie to me thinking that I don't know what I'm doing and someone compromised my account.

So next I login to my web space and delete the files they asked. After deleting them I try to load up http://devz3ro.com/ and I see this 403 'forbidden' error. It was expected, I knew I would have to CHMOD (CHange MODe) a few files because of this email. I ftp into my webspace and all my php-fusion files are untouched, so CHMOD would do nothing if they already have enough permissions. After scratching my head and removing & granting myself permissions I STILL get a 403 error using http. Still messing around I stumbled across a .htaccess file in the root of my web space that I KNOW I didn't put there. After trying to download, delete, view, rename, edit, etc. and getting a 'permission denied' error I knew this had to be the culprit. This .htaccess file should have been within the folder of the 'so-called malicious' files (which I had hidden from the public). NOT IN THE ROOT OF THE WEB SPACE. Had it been in the correct location it could have been deleted easily because the parent directory (root) would of had enough permission to do so. So my web host basically screwed up and made my entire web page inaccessible with no reversal option.

Yup you got it, now I'm calling these people. The first 'customer support tech' (I have know idea how they can give them such a title) had ABSOLUTELY NO IDEA what I was trying to explain to her. She barely spoke English so she 'escalated me up to level 2 support'. Apparently level 1 and level 2 support are the same level (or are damn close to each other). The next 'tech' spoke English a little better than the last woman but it still wasn't great. He understood what permissions were and that I couldn't access my site, but he had no clue about CHMOD. He only knew what his control panel allowed him to do, so I asked him to delete the .htaccess file in the root of my web space. After some verifications to prove who I was he attempted to delete the file unsuccessfully. I EXPLAINED TO HIM how to CHMOD the file using smartftp and still no go, he was obviously no admin or had admin privileges so he would be no help =(. He said he would escalate this up to their fantastic level 3 support team and have them email me when it's been resolved.

While waiting for an email from the geniuses at the level 3 1&1 support team I replied to the abuse letter I received initially asking them to delete the .htaccess file. Since someone from the abuse team put it there they should be able to remove it right?. I received an apology email 6 hours later noting that the problem has been resolved. Still nothing from the level 3 support.

This is the second time I had to speak with the web host over the phone. The first time the issue was dealt with in a timely fashion (sub domain not available) and I was sent a 'survey' of how my experience was on a scale of 1 to 5. No survey yet on this one, I was kind of looking forward to it =).

I purchased web hosting from 1and1.com originally because it offered more than godaddy.com & networksolutions.com for a cheaper price.

I guess the old saying is true: "You get what you pay for."

· devz3ro on July 18 2007 11:52:09· 14 Comments · 479 Reads ·

MySpace has announced the official beta release of its MySpaceIM instant messaging service which soft-launched informally a year ago. According to a release from MySpace, over 17 million of the social networking site's 180 million members worldwide have installed the downloadable client.

MySpace, which was acquired by News Corp. in 2005, used to operate a browser-based instant messaging service, which it has since phased out.



The MySpaceIM service competes with other ubiquitous and well-established instant messaging clients, like Yahoo Instant Messenger, Microsoft's Windows Live Messenger, and the formidable AOL Instant Messenger. But MySpaceIM hopes to set itself apart from the pack with tight integration to the site's homepage and member profiles, as well as media-heavy features like a music player and drag-and-drop image sharing. Also included is a system to alert members when they have new messages in their MySpace inboxes, comments on their profiles, or new friend requests. Localized versions of the tool have been created for all 16 global regions that the company operates.

For Web users who use multiple IM services, Cerulean Studios' popular all-in-one client, Trillian, will support MySpaceIM in its impending Trillian Astra release (currently in an alpha test mode).

The MySpaceIM beta isn't available to all computer and browser users, though: it requires a Microsoft operating system (anywhere from Windows 98 through Vista) and an Internet Explorer browser (version 5.0 or above). In the FAQ for MySpaceIM, the company explains that while the client is in beta, the focus will be on "working out the kinks" in the Windows version but that it has been "assessing various options" for Windows and Linux editions. Additionally, the FAQ continues, a mobile client is in the works.

In its release, MySpace hinted that not only are new MySpaceIM features on the way, but so are other impending announcements, calling the instant messaging client the "first in a series of enhanced products and services the company plans to unveil over the coming months to make it more efficient for MySpace users to express themselves, manage their social lives, and connect with friends."

· devz3ro on June 20 2007 04:45:21· 19 Comments · 452 Reads ·

EDIT: THIS METHOD IS OUTDATED - PLEASE FOLLOW THE LATEST @ http://devz3ro.com/news.php?readmore=25

So the cat and mouse game continues...

Well myspace noticed the hole I pointed out with their msplinks.com domain and patched it up. I don't think it was fixed because they didn't want imeem.com to benefit. It was potentially dangerous because it could be used to point to *ANY* website - even the malicious ones that were blacklisted way back when. So them fixing it is a sort of good thing.

But anyways, on to business, imeem.com shut out once again - blah blah blah - not really. Always a step ahead, or, one step behind in this case I put up a url shortening script which I found for free on hotscripts.com. It's function is much like what myspace.com was doing when I explained how to encode your urls. This particular script has an option for you to login and change where your url is redirected to at any time without touching myspace. I chose this script just in case myspace decides to filter out my webpage (which I highly doubt - but possible).

http://devz3ro.com/spoof

EDIT: Link fixed.
Short tutorial of how to use

· devz3ro on June 06 2007 02:14:40· 33 Comments · 2868 Reads ·

The air waves may no longer be free

Recent studies show that sales of music have actually increased over the last several years despite arguments from the Recording Industry Association of America (RIAA) that online MP3 sharing negatively impact sales. Thus, the RIAA has been desperately trying to seek out a new source of revenue and it believes its found one: public radio.

The RIAA says that radio has been given free play time for too many years, and when compared to other sources of revenue, is unfair. Yet, it's not only the RIAA that thinks the new royalty program is justified. Mary Wilson, one of the original members of the Supremes agrees too.

"After so many years of not being compensated, it would be nice to now at this late date to at least start. They've gotten 50-some years of free play. Now maybe it's time to pay up," says Wilson. According to Wilson, the exemption given to public radio was unfair and forced many musicans to continually go on tour for money.

RIAA chief executive Mitch Bainwol indicates that music creation is suffering a decline in sales, attributing most the loss to gaps in revenue. "We clearly have a more difficult time tolerating gaps in revenues that should be there," says Bainwol.

The National Association of Broadcasters (NAB) disagrees with the RIAA, claiming that public radio benefits all parties. "The existing system actually provides the epitome of fairness for all parties: free music for free promotion," says NAB president David Rehr. Public radio stations agree too, that having a royalty "tax" would cause serious financial harm to radio stations.

Unfortunately for public radio, the music industry appears to be lobbying its stance in a very strong manner. SoundExchange, the group that collects and distributes Internet and satellite radio music royalties, feels that royalties have now become a necessity. SoundExchange already forces webcasters to pay royalties for music played.

"The time comes that we really have to do this," says John Simson, executive director for SoundExchange.

· devz3ro on May 28 2007 12:48:08· 18 Comments · 433 Reads ·

With the amount of posts we see on our forums ... it's clear, Microsoft decided to start banning Xbox360 with modified firmwares today (both Hitachi-LG and Toshiba-Samsung drives). While it's the same release date as Halo3 beta, it seems that people who didn't download Halo3 also get banned. They probably detect backup discs (and not the modified firmware) when you play 'em online (not confirmed yet). Even people using the new firmwares with disc-jitter added get banned, so it looks like Microsoft found another way to detect it. Just like on Xbox1 it looks like Microsoft bans the console unique ID (serial), not the LIVE user. Microsoft will not allow anyone to login on LIVE on a banned console. Many people on the official xbox.com forums also claim they got banned but didn't have a flashed firmware ... we'll have to see how that story develops in the coming hours and days.



This is what you get when you go to test connection and after xbox live fails click on network adapter