Impressed: it has been years since I've been hacked this well :(

Scott Kane scott at cdroo.com
Fri Jun 15 06:02:54 EDT 2007


From: "David Bovill" <david at openpartnership.net>

> I was also doing research into video and Flash based projects, and with a 
> tabbed browser I had 30 or so tabs open - my guess at the moment is one of
> those HTML pages contained a hidden movie - harmless to all but the 
> paranoid.

I really think that is the source of the issue, David.

> Either that or this guy or one of his mates I met down the pub are as good 
> as he said they were, and can hack "anyone".

Thing with "hackers", in my own experience with them (and curse the media 
for disassociating the name "Hacker" from those it belonged to originally - 
programmers, the former should be called "crackers" or in most cases "script 
kiddies") is so many of them are full of bull dust.  They puff out their 
chest and tell of their "exploits" but for most of them they've either 
ridden on the shoulders of those who are better than them or fabricated the 
whole thing.  Most of the "cracks" and "exploits" are available for download 
or reading from various sources and very few can truly "hack anything" or 
"anybody".  In the course of the things I do in the software industry I have 
been threatened with hacking many times over - but it's never happened.  I 
have been successfully email bombed on one occasion (until I set the server 
to reject based on size and volume) but that's about it.  At one time there 
was a Windows exploit that allowed spammers to issue an instruction to 
create a dialog window showing an error.  The message told you that "Windows 
has detected a fatal error" and then gave instructions on how to download a 
product to fix it (and pay for it) and there were variations on this.  Most 
ISPs plug this port now and any competent firewall certainly does.  Though 
I don't think this was ever an issue for the Mac or Linux.  Anyway - my 
point is there are far deadlier ways of hacking someone than letting you 
know they are there with a video or audio passage.  No doubt there's a whack 
job out there that would enjoy "ghosting" you <g> but generally silence is 
the rule as much more can be achieved by it.  Further - most of the "real" 
hackers aren't into Joe Sixpack's computer - there are far more worthwhile 
targets waiting out there with surprisingly poor security.  If it were an 
attack by one of the organized crime syndicates they wouldn't be playing 
audio or video salutations.  They'd get what they want and leave.

> Coincidence or paranoia? I've got my credit card here - ready to recharge 
> my Skype account, and would like to ssh into my server - what would you 
> do?

If I was really worried I might beef up my defences with a software firewall 
(or beef up the one you already have if you are using OSX or *nix), encrypt 
any stored passwords or credit card numbers, consider getting a credit card 
with a security code, consider (if you do online banking) getting a security 
widget.  I have a little electronic number generator that voids previous 
numbers after they are entered into my bank's web server - they are issued by 
some banks.  Thus you can't get into my account using just my account number 
and pin/password.  You need the little gizmo (fits on your keychain) to get 
in.  Not 100% hack-proof as a brute force attack might yield entry - but 
then *nothing* is truly 100% hack proof.  ;-)

Scott
