[Dailydave] Singing Sounds about the Southland
dave
immunitysec.com
Date: Mon Jul 07 2003 - 16:21:29 CDT
"Big wheels keep on turning
Carry me home to see my kin
Singing sounds about the southland
It's my Alabama once again."
-Sweet Home Alabama
So now that Immunity can accept credit cards directly, I can say this:
PayPal needs to fire its CSO. I'm going to relate a few experiences I've
had dealing with accepting payments from PayPal and maybe afterwards
you'll agree.
So I've done about five thousand dollars of business over PayPal, which is
slightly more than the average copied-CD ebay salesperson is doing.
Unfortunately, when I went to withdraw my money, PayPal kindly requested a
bank statement and a photocopy of my ID to be sent to them. They said that
they'd get back to me afterwards in 3-5 days to tell me what they thought.
Now I'm a fully registered user, trying to get money into the very account
I used to register with them. I don't know what AI they're using to
determine fraudulent behavior, but it (or the management team behind it:
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/team-outside) is clearly a
moron.
So I asked my Credit Union to fax me a copy of my latest statement, and
faxed that plus my ID to them. Ignoring the privacy violation that
involves, in three days they actually REJECT my statement because it was
printed out by a computer.
So I have to wait a month to get my next statement and fax that to them.
Never mind that the five thousand dollars sitting in my PayPal account
would be pretty useful to pay my rent. There's no customer service phone
number or possible way to speed this up, other than filing suit in small
claims.
As a bonus, PayPal reserves the right to do this every time I try to
withdraw money, most likely to skim the interest. However, they'd make a
lot more money by learning where to draw the security line, so that
merchants don't flee them in droves and call them morons in random mailing
lists on the net. Normally I wouldn't say anything bad about Ken A Miller,
Vice President of Risk Analytics, except even though it's his actual job,
he clearly can't figure out a system that doesn't unduly tax normal use
while preventing fraud, and should clearly go back to working for the
airlines (I'm just making an educated guess that's where his previous job
was).
As a side note my Credit Union's customer service representatives told me
that PayPal was their number two complaint. Anyways, if any of you are
thinking of becoming merchants, I recommend getting a real merchant ID -
try www.paypalsucks.com and looking at their alternatives.
----------
So I've gotten a lot of questions about MOSDEF and I wanted to offer this
as an explanation: What if you had an API that would allow you to create a
cross platform, multithreaded asynchronous server, in shellcode. I.E. no
more asking for a command, and waiting for the result. You literally will
have a clean and easy way to download a file, run commands, and do
port forwarding, all at once, and all while within the process you first
exploited, with job control like you were in a real shell, as shellcode
dynamically generated by a pure Python engine.
Having a C compiler and an assembler has other uses - once you have a tree
of a C program you can do taint/untaint data-flow analysis, for example.
I'm not twenty anymore, so I can't keep up with the kids these days
tracing through megs of source code to find where some data sent from a
socket flops finally into a strcpy(). Like all aging athletes I make up
for it with better equipment.
----------
So the senate.gov people called me - thanks everyone who forwarded the
previous daily dave to them. Of course, it's been several days now, and
Senator Hatch's people can't quite figure out how, or haven't bothered, to
fix it. I'd comment on that, but it's almost not necessary. When they
finally fix it, I'll post the .png for all to have a good laugh at. After
his comments on how in the RIAA's pocket he was, all of us kin to the
hacker spirit deserve a good laugh at him.
Dave Aitel
Chief Cantor
Immunity, Inc.
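
The taint/untaint data-flow idea mentioned in the post (socket data ending up in a strcpy()), as an added example that is not part of the original message and is not MOSDEF code. It assumes a constructed, already-flattened statement list for straight-line code with no branches; the SOURCES, SINKS and PROPAGATORS tables and the SAMPLE program are illustrative assumptions.

```python
# Added example: toy taint/untaint pass over a hand-built statement list.
# All tables and the SAMPLE program below are constructed for illustration.

# call name -> index of the argument the call fills with untrusted data
SOURCES = {"recv": 1, "read": 1}
# call name -> index of the argument that must not carry tainted data
SINKS = {"strcpy": 1, "strcat": 1}
# call name -> (destination index, source index) for copy-like calls
PROPAGATORS = {"strcpy": (0, 1), "strcat": (0, 1), "memcpy": (0, 1)}


def analyze(stmts):
    """Return (statement_no, sink, variable, origin) for each tainted sink use."""
    tainted = {}   # variable name -> description of where the taint came from
    findings = []
    for no, stmt in enumerate(stmts, 1):
        if stmt[0] == "assign":
            _, dest, src = stmt
            if src in tainted:
                tainted[dest] = tainted[src]      # taint follows the alias
            else:
                tainted.pop(dest, None)           # clean value: untaint dest
            continue
        _, func, args = stmt
        if func in SINKS and args[SINKS[func]] in tainted:
            var = args[SINKS[func]]
            findings.append((no, func, var, tainted[var]))
        if func in PROPAGATORS:
            d, s = PROPAGATORS[func]
            if args[s] in tainted:
                tainted[args[d]] = tainted[args[s]]
            else:
                tainted.pop(args[d], None)
        if func in SOURCES:
            tainted[args[SOURCES[func]]] = f"{func}() at statement {no}"
    return findings


# Constructed sample: network data reaches strcpy() via an alias and a memcpy().
SAMPLE = [
    ("call", "recv", ["sock", "pkt", "len", "0"]),   # 1: pkt becomes tainted
    ("assign", "name", "pkt"),                       # 2: name aliases pkt
    ("call", "memcpy", ["tmp", "name", "n"]),        # 3: tmp becomes tainted
    ("assign", "banner", '"hello"'),                 # 4: literal, stays clean
    ("call", "strcpy", ["out", "banner"]),           # 5: clean copy
    ("call", "strcpy", ["dst", "tmp"]),              # 6: tainted data in sink
    ("assign", "tmp", '"reset"'),                    # 7: tmp is untainted
    ("call", "strcpy", ["dst2", "tmp"]),             # 8: clean again
]

if __name__ == "__main__":
    for no, sink, var, origin in analyze(SAMPLE):
        print(f"statement {no}: {sink}() reads {var}, tainted by {origin}")
```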