How a script weakness in’s password reset page cost Partap Davis $3000

5 03 2015

The Verge has posted an article about Partap Davis, who lost his money when he was hacked overnight.

While he slept, an attacker undid every online security protection he set up. By the time he woke up, most of his online life had been compromised: two email accounts, his phone, his Twitter, his two-factor authenticator, and most importantly, his bitcoin wallets.

All of those accounts were compromised primarily because his main email address in was taken over by the attacker.

For simplicity’s sake, we’ll call her Eve.

How did Eve get in? We can’t say for sure, but it’s likely that she used a script to target a weakness in’s password reset page. We know such a script existed. For months, users on the site Hackforum had been selling access to a script that reset specific account passwords on It was an old exploit by the time Davis was targeted, and the going rate was $5 per account. It’s unclear how the exploit worked and whether it has been closed in the months since, but it did exactly what Eve needed. Without any authentication, she was able to reset Davis’ password to a string of characters that only she knew.

Read the full article here:

Selling Your Chrome Extension to The Devil

21 07 2014

It only took Amit Agarwal one hour to create a Chrome extension that serves as an alternative to Google Reader. When the extension hit 30,000+ users, someone offered to buy it for a four-digit figure. A jackpot for Amit, so he agreed.

But, here’s what happened next.

The extension was sold, they sent the money via PayPal and I transferred the ownership of the extension to a particular Google Account. It was a smooth transition.

A month later, the new owners of the Feedly extension pushed an update to the Chrome store. No, the update didn’t bring any new features to the table, nor did it contain any bug fixes. Instead, they incorporated advertising into the extension.

These aren’t regular banner ads that you see on web pages; these are invisible ads that work in the background and replace links on every website that you visit with affiliate links. In simple English, if the extension is activated in Chrome, it will inject adware into all web pages.

Read the whole story here:

Jeff Cogswell is Comparing C++ Compilers

6 11 2013

Jeff Cogswell wrote an article on Slashdot, “Speed Test: Comparing Intel C++, GNU C++, and LLVM Clang Compilers”.

He concluded:

It’s interesting that the code built with the g++ compiler performed the best in most cases, although the clang compiler proved to be the fastest in terms of compilation time. But I wasn’t able to test much regarding the parallel processing with clang, since its Cilk Plus extensions aren’t quite ready, and the Threading Building Blocks team hasn’t ported it yet.

Read the full article here:

[slashdot] Python Error cost trading loss $400 million

23 10 2013

How To Lose $172,222 a Second For 45 Minutes

Posted by Soulskill on Tuesday October 22, 2013 @08:14PM
from the step-one-accrue-at-least-$172,222 dept.

An anonymous reader writes: "Investment firm Knight Capital made headlines in 2012 for losing over $400 million on the New York Stock Exchange because of problems with their algorithmic trading software. Now, the owner of a Python programming blog noticed the release of a detailed SEC report into exactly what went wrong (PDF). It shows how a botched update rollout combined with useless or nonexistent process guidelines cost the company over $172,000 a second for over 45 minutes. From the report: ‘When Knight used the Power Peg code previously, as child orders were executed, a cumulative quantity function counted the number of shares of the parent order that had been executed. This feature instructed the code to stop routing child orders after the parent order had been filled completely. In 2003, Knight ceased using the Power Peg functionality. In 2005, Knight moved the tracking of cumulative shares function in the Power Peg code to an earlier point in the SMARS code sequence. Knight did not retest the Power Peg code after moving the cumulative quantity function to determine whether Power Peg would still function correctly if called. … During the deployment of the new code, however, one of Knight’s technicians did not copy the new code to one of the eight SMARS computer servers. Knight did not have a second technician review this deployment and no one at Knight realized that the Power Peg code had not been removed from the eighth server, nor the new RLP code added. Knight had no written procedures that required such a review.’"
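The SEC finding above comes down to one of eight servers never receiving the new build, and nobody checking. As an added example (not from the SEC report and not Knight's own tooling), here is the kind of post-rollout consistency check that would have flagged the stale server: collect the checksum of the deployed artifact from every host and compare each one against the checksum of the intended release. The host names, the artifact path and every hash below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the SEC report or from Knight's own tooling: a
# post-rollout consistency check that compares the checksum of the deployed
# artifact on every server against the checksum of the intended release, so a
# server that was skipped during deployment is flagged before the new code
# path is switched on. Host names, the artifact path and all hashes below are
# constructed for illustration.

# Checksum of the release that was supposed to land on every server
# (constructed placeholder, not a real hash).
EXPECTED_SHA='3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b'

# Constructed inventory in the form "<host> <sha256 of deployed binary>", the
# shape you get by running `sha256sum /opt/smars/router` on each server and
# collecting the output. smars-08 still carries the previous build.
INVENTORY='smars-01 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-02 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-03 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-04 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-05 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-06 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-07 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
smars-08 9c0ffee0d1e2f3a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d'

# verify_rollout EXPECTED_HASH [EXPECTED_COUNT] < inventory
# Prints "STALE <host> <hash>" for every server whose deployed hash differs,
# "MISSING <n>" if fewer hosts reported than expected (a host that never
# answered must count as a failure too), and exits 1 when anything is wrong,
# 0 only when every expected server runs the release.
verify_rollout() {
    awk -v want="$1" -v expect_n="${2:-0}" '
        NF < 2     { next }                              # skip blank/malformed lines
                   { seen++ }
        $2 != want { print "STALE " $1 " " $2; bad++ }
        END {
            if (expect_n > 0 && seen < expect_n) {
                print "MISSING " (expect_n - seen); bad++
            }
            if (bad > 0) exit 1
            exit 0
        }
    '
}

# stale_hosts EXPECTED_HASH < inventory : prints only the names of stale servers
stale_hosts() {
    verify_rollout "$1" | awk '$1 == "STALE" { print $2 }'
}

# Demonstration when run directly: report on the constructed inventory.
printf '%s\n' "$INVENTORY" | verify_rollout "$EXPECTED_SHA" 8 \
    || echo "rollout incomplete: do not enable the new code path"
```

The point of the optional expected-count argument is that a rollout check must fail closed: seven matching reports out of eight expected is a failure, not a pass, and the check should gate the feature switch rather than be a report someone reads afterwards.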

100x Faster DB Queries

23 09 2013

Oracle Promises 100x Faster DB Queries With New In-Memory Option
Posted by timothy on Monday September 23, 2013 @06:00AM
from the now-report-back-on-the-double dept.

Hugh Pickens DOT Com writes: "ZDNet reports that Oracle’s Larry Ellison kicked off Oracle OpenWorld 2013 promising a 100x speed-up querying OLTP database or data warehouse batches by means of a ‘dual format’ for both row and column in-memory formats for the same data and table. Using Oracle’s ‘dual-format in-memory database’ option, every transaction is recorded in row format simultaneously with writing the same data into a columnar database. ‘This is pure in-memory columnar technology,’ said Ellison, explaining that means no logging and very little overhead on data changes while the CPU core scans local in-memory columns. Ellison followed up with the introduction of Oracle’s new M6-32 ‘Big Memory Machine,’ touted to be the fastest in-memory machine in the world, hosting 32 terabytes of DRAM memory and up to 384 processor cores with 8 threads per core."

iOS7 Lockscreen Bypass

20 09 2013

Forbes’ Andy Greenberg wrote an article on a way to bypass the iPhone’s lockscreen. Here’s the excerpt:

As the video shows, anyone can exploit the bug by swiping up on the lockscreen to access the phone’s “control center,” and then opening the alarm clock. Holding the phone’s sleep button brings up the option to power it off with a swipe. Instead, the intruder can tap “cancel” and double click the home button to enter the phone’s multitasking screen. That offers access to its camera and stored photos, along with the ability to share those photos from the user’s accounts, essentially allowing anyone who grabs the phone to hijack the user’s email, Twitter, Facebook, or Flickr account.

Read more:

“ss -n” is faster than “netstat -na” on high load servers?

12 09 2013

# ss -n |grep ESTAB |wc -l

# ss -n |grep CLOSE-WAIT |wc -l

# ss -n |grep FIN-WAIT |wc -l

# ss -V
ss utility, iproute2-ss061002
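The three grep-and-wc pipelines above walk the whole socket table once per state. As an added example (not from the original post), the function below counts every state in a single awk pass, locates the State column from the header so it works whether ss prints a leading Netid column (plain ss -n) or not (ss -tn), and also shows what the prefix match in "grep FIN-WAIT" actually counts: both FIN-WAIT-1 and FIN-WAIT-2. SAMPLE_SS is constructed to resemble ss output; on a live host, feed it ss -n instead.

```shell
#!/bin/sh
# Added example, not from the original post: count sockets per state in one
# awk pass over `ss -n` output, instead of one `grep STATE | wc -l` pipeline
# per state. The State column is found from the header line, so the same
# function works with or without the Netid column. SAMPLE_SS below is
# constructed to look like ss output (addresses are documentation ranges).

SAMPLE_SS='Netid State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   ESTAB      0      0      10.0.0.5:443         198.51.100.7:51234
tcp   ESTAB      0      0      10.0.0.5:443         198.51.100.8:51235
tcp   CLOSE-WAIT 0      0      10.0.0.5:443         203.0.113.9:40001
tcp   FIN-WAIT-1 0      0      10.0.0.5:443         203.0.113.10:40002
tcp   FIN-WAIT-2 0      0      10.0.0.5:443         203.0.113.11:40003
tcp   SYN-RECV   0      0      10.0.0.5:443         192.0.2.44:33000
udp   UNCONN     0      0      0.0.0.0:123          0.0.0.0:*'

# count_states < ss_output : one "STATE COUNT" line per state, sorted by name
count_states() {
    awk '
        NR == 1 {
            # locate the State column in the header; fall back to column 1
            for (i = 1; i <= NF; i++) if ($i == "State") col = i
            if (!col) col = 1
            next
        }
        NF >= col { n[$col]++ }
        END { for (s in n) print s, n[s] }
    ' | sort
}

# count_state STATE < ss_output : exact count for one state, e.g. FIN-WAIT-1
count_state() {
    count_states | awk -v s="$1" '$1 == s { print $2; found = 1 }
                                 END { if (!found) print 0 }'
}

# count_state_prefix PREFIX < ss_output : what `grep PREFIX | wc -l` counts,
# e.g. FIN-WAIT covers both FIN-WAIT-1 and FIN-WAIT-2
count_state_prefix() {
    count_states | awk -v p="$1" 'index($1, p) == 1 { t += $2 }
                                  END { print t + 0 }'
}

# Demonstration on the constructed sample; on a live host replace the printf
# with `ss -n` (or `ss -tn` to restrict the count to TCP sockets).
printf '%s\n' "$SAMPLE_SS" | count_states
```

Two things worth keeping in mind when this runs on a real server: plain ss -n lists UDP and Unix sockets as well, so restrict to TCP with ss -tn if only TCP states matter; and a per-state breakdown taken at intervals is a cheap monitoring signal, since a jump in SYN-RECV points at a connection flood and a growing CLOSE-WAIT count points at an application that is not closing sockets it has finished with.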
