On Thursday 28 February 2002 00:46, LS wrote:

> http://www.security7.ch.vu/
>
> When entering, it claims that you are exposed and tracked and a lot of
> information is stored on your computer (doh.. although I don't keep names on
> it etc..). What caught my attention is that they show you the contents of
> your root directory (c:\ for a windows machine...).
>
> What's alarming is that I don't see how this thing could've been done. I
This is a really old trick, used by many jokers and "security experts" claiming they can access all data on your computer (and therefore it is insecure, and therefore you have to buy a decent protection system, and since they know how to break into your computer then they must be the best to know how to protect you from that, therefore you should buy *their* protection system...)

What is really going on there is a simple thing. It is nothing more than an HTML link pointing back to your computer. It doesn't reveal anything about your computer! If you look at the source of the HTML page, you'll notice something like this:

    <a href="file:/c|/"> This is your hard disk, I've broken into it and I am the best hAx0r blah blah blah </a>

What it does is to simply put a reference to your local file system (thus "file" in the tag), pointing to your local disk C ("/c|/") or D ("/d|/"). Most of the time it will be your C disk, since everyone on the MS platform does have a C drive, but not all of them have a D drive.

Your web browser interprets this tagline as a reference to your local hard drive (note that this is done on your computer, not on the web server, therefore it is just you viewing the contents of your local hard drive, and no one else can do this remotely using such a tagline!), and presents you the contents within the web page.

Many people don't know that trick, and it is completely benign. There's no security risk within this trick (and this one is fairly easy to write, just try it and copy-paste the example above). If you do a little bit of javascript to wrap around it you can get some fancy looking but harmless pranks. :-)

P.S. If you want to do pranks on Unix machines, put "file://" and no drive name.

--
Radoslav Dejanovic
Senior Associate to Mayor's Office
City of Zagreb, Croatia
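The point of the reply is that a `file:` link has no host part at all: the browser resolves it against the visitor's own disk, and the server never learns what was shown. The script below is an added example, not code from the original thread or from the site discussed; it parses the anchors out of a constructed HTML snippet (modelled on the prank, not copied from any real page) and classifies each `href` by scheme, so a reviewer of a suspicious page can see at a glance which links are purely client-local. The function names (`audit_links`, `classify_href`) and the `|` handling for the legacy `c|` drive-letter form are my own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (assumption): mimics the "I've broken into your disk"
# prank the post describes, plus an ordinary remote link and a relative one.
SAMPLE_HTML = """
<html><body>
<p>You are exposed! <a href="file:/c|/">This is your hard disk</a></p>
<a href="file:///">Unix variant of the same trick</a>
<a href="http://example.invalid/scan.cgi">Run the "scanner"</a>
<a href="/local/page.html">relative link</a>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collects every href attribute found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def classify_href(href):
    """Classify one link target.

    'local-only' : file: scheme, rendered from the visitor's own disk; the
                   server receives nothing, so it cannot "see" the listing.
    'remote'     : a network scheme with a host; a request leaves the machine.
    'relative'   : no scheme; resolved against the page's own origin.
    """
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme == "file":
        # Legacy browsers wrote the drive letter as "c|" instead of "c:".
        target = parts.path.replace("|", ":").lstrip("/") or "/"
        return {"href": href, "kind": "local-only", "target": target}
    if scheme:
        return {"href": href, "kind": "remote", "target": parts.netloc}
    return {"href": href, "kind": "relative", "target": parts.path}


def audit_links(html):
    """Return a classification record for every <a href> in the document."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [classify_href(h) for h in parser.hrefs]


def has_local_only_links(html):
    """True if the page contains at least one file: link (the prank pattern)."""
    return any(r["kind"] == "local-only" for r in audit_links(html))


if __name__ == "__main__":
    for record in audit_links(SAMPLE_HTML):
        print(f"{record['kind']:<10} {record['target']:<20} {record['href']}")
```

Running it shows the two `file:` anchors as `local-only` with an empty host, which is exactly why the prank page cannot report anything back: there is no request for it to receive.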