SecTor Conference

by Joey deVilla on October 31, 2007

SecTor conference banner

If you’re interested in security and in the Toronto area on November 20th and 21st, the SecTor conference might be for you. Eldon Sprickerhoff tells me that it’s organized by TASK (Toronto Area Security Klatch). Although it’s a local grassroots effort, I’m told that they’ve corralled “a great group of speakers – basically, some of the best speakers from security conferences around the world” to speak at this event.

SecTor takes place on Tuesday, November 20th and Wednesday, November 21st at the Metro Toronto Convention Centre. Registration is CDN$950, and if you use the promo code “ESENTIRE”, you’ll get a 10% discount.


Thoughts on the Facebook Leak, Part 1

by Joey deVilla on August 13, 2007

1950’s businessman whose pants have fallen down

By now, you’ve probably heard that for a brief period, a server configuration error caused some Facebook users to see its PHP code rather than the familiar Facebook pages that the code was supposed to render.

How the Code Got Out There

Tony Hung at Deep Jive Interests asked the question “Could a server misconfiguration send out the whole source code in its entirety when you put in the Facebook URL?”

It seems strange that such a simple thing could give away your source, but as anyone who’s set up PHP on a server a number of times will tell you, it can happen.

When you visit a static HTML page — that’s a plain old HTML page that wasn’t generated by some server-side script written in PHP or any number of programming languages — the web server simply hands the contents of the page (the HTML) over to your browser. Your browser renders the HTML as a web page:

How static web pages are served

The opposite of a static page is a dynamic one, in which the content is generated on the fly — the server isn’t just handing over the contents of a file. Instead, it calls on some program to cull data from one or more sources and then use that data to assemble some HTML which is then sent to your computer:

How your Facebook homepage is served.

What happens when the server is configured incorrectly in such a way that the code for a dynamic page never gets sent through the code interpreter? One common result is that the code gets sent directly to the user. Instead of seeing the result of running the code, the user ends up seeing the code itself. That’s what seems to have happened with Facebook.
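As an added illustration that is not part of the original post, here is a small Python model of the dispatch just described: the server looks up a handler for the requested file’s extension and, if one is missing, sends the file bytes as-is. The web root, the stand-in interpreter and the sample script are all constructed for this example; the `looks_like_leaked_php` check is the kind of thing a defender could run over captured responses to catch this failure mode.

```python
import re
from typing import Callable, Dict

# Constructed sample web root (hypothetical files, not Facebook's code).
WEBROOT = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>",
    "home.php": (
        "<?php\n"
        "$user = load_user($_COOKIE['session']);\n"
        "echo '<h1>Hi ' . htmlspecialchars($user) . '</h1>';\n"
    ),
}

def php_interpreter(source: str) -> str:
    """Stand-in for the PHP engine: pretends to execute the script and
    returns the HTML it would have rendered for a logged-in user."""
    return "<h1>Hi alice</h1>"

def serve(path: str, handlers: Dict[str, Callable[[str], str]]) -> str:
    """Minimal server dispatch. If the extension has a registered handler,
    the file is run through it; otherwise the raw file contents are sent,
    which is exactly the misconfiguration that exposes source."""
    source = WEBROOT[path]
    ext = path.rsplit(".", 1)[-1]
    handler = handlers.get(ext)
    return handler(source) if handler else source

# Match "<?php" or the "<?=" echo tag. A bare "<?" is deliberately not
# matched so an XML prolog ("<?xml ...") in XHTML does not false-positive;
# the trade-off is that scripts relying on short_open_tag are missed.
PHP_TAG = re.compile(r"<\?(php\b|=)")

def looks_like_leaked_php(body: str) -> bool:
    """Detection check: a rendered response should never contain an
    unprocessed PHP open tag. True means source probably leaked."""
    return PHP_TAG.search(body) is not None

CORRECT_HANDLERS = {"php": php_interpreter}   # .php mapped to the engine
BROKEN_HANDLERS: Dict[str, Callable[[str], str]] = {}  # mapping lost

if __name__ == "__main__":
    for label, handlers in (("correct", CORRECT_HANDLERS), ("broken", BROKEN_HANDLERS)):
        body = serve("home.php", handlers)
        print(f"{label}: leaked={looks_like_leaked_php(body)}\n{body}")
```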


Geek Squad: Awright, more free porn! (Giggety)

Based on a ten-page (!) confession by a former Geek Squad member in which he wrote that Geek Squad agents scour your computer for porn and personal pictures and videos and copy them onto their thumb drives, Consumerist set up a sting operation in which they rigged a computer to record all user activity and brought it in to a number of Best Buy stores to have Geek Squad install iTunes on it.

They report:

We took it to around a dozen Best Buy Geek Squads and asked them to perform simple tasks, like installing iTunes. Most places were fine, sometimes doing the job right on the counter, sometimes even for free.

Then we caught one well-seasoned Geek Squad Agent copying personal and pornographic images and video from our computer to his company-issued thumb drive.

Click here to see their blog entry and (work-safe) video, and be sure to read these follow-up articles:

There remains one question that I’m sure a lot of guys are asking: Where’d they get that desktop wallpaper image, and could they please share it?

Desktop of the computer used in the Consumerist sting: three women in cowboy hats and skimpy tanktops.