xisto Community

Everything posted by tansqrx

  1. Could you post a version that is not so obfuscated? It scares me a little to insert unknown code into my site that looks very much like shellcode or some sort of attack code. Perhaps there is a good reason for hiding the code but I would still like to see how it works first.
  2. Yahoo! announced on their official Messenger blog (ymessengerblog.com) that unspecified changes will be made to the way firewalled users will use Messenger. The article mentions that only users that are using version 8.x and signed in from behind a firewall will be affected. An official message will be sent by Yahoo! urging users to upgrade to the latest 9.x version of the software. From a programming standpoint this will most likely only affect Messenger operations that require a peer to peer (p2p) connection such as file sharing. When performing a peer to peer operation, Messenger makes a decision (largely based on the firewall settings but not always) to either create a true peer to peer connection or to use the Yahoo! servers to create a pseudo peer to peer connection. The pseudo p2p connection uses a Yahoo! server as a proxy to create the connection because one of the clients does not have the ability to accept unsolicited connections. I do not know why this is only affecting 8.x users because the 9.x series has the same capability to offer proxy connections. Perhaps this is a drive to get users to switch to the latest version but at any rate, users of 8.x software should still be able to use that version as long as you don’t need to use the pseudo p2p connection.
  3. I think this is a good example from the quoting discussion (http://forums.xisto.com/topic/96223-topic/?findpost=1064394894) on what not to do. The original can be found at http://www.pcguide.com/care/data/virus/bgTypes-c.html.
  4. I don’t know if the user vote would work very well because if Yahoo! has taught us one thing it’s that the system can and will be hacked. Here is what I would do. If I wanted to flag someone for SPAM just to cause problems for a user then I would load my list of “clean” names and log them all into the chat room. I would then initiate a vote and all of the clean bots would vote to kick them. Same story different method for harassment in Yahoo! chat rooms. I have to say that I am impressed with how this thread has taken off. Some really good discussion.
  5. I’m not necessarily against CAPTCHAs, just that you have to enter one every single time you change rooms. From what I have seen I also think it would be easy to create a bot identification program on Yahoo!’s end. Most of the SPAM bots point back to only one or two websites and if they advertise such a site then they could be placed on a list. Also most bots use the same template for profile pages that can be easily identified. Lastly, many bots use a very distinct username such as <common woman’s first name><common adjective (usually provocative)><random three digit number>. I don’t think a user should be kicked automatically by the system but instead a suspicious account should be put on a list in real time and a human make the final decision. The sad fact is that it is obvious that Yahoo! does not have even one real human monitoring the system at all. I believe that just one shift of workers monitoring 24/7 could improve the Yahoo! chat rooms drastically. Instead chat is running on some server in a deserted closet and it never gets any attention.
  6. Since the CAPTCHAs have been introduced I haven’t visited the chat rooms very often but I did make a visit about a week ago. I have to say that the rooms are now completely broken and are basically unusable. You now have to enter a CAPTCHA for every room you visit which got really old really quick. At least before you had a valid CAPTCHA for around 5 minutes. I am starting to think that Yahoo! should just open the system up to the users and let the SPAM flow. Yes there will be SPAM but at least the user/SPAM ratio would be better than it is today. When I visited last week you had 4 users and 15 SPAM bots. At the height of Yahoo! chat you still had 15 SPAM bots but you also had 30 users which created a better ratio. IRC has been around for much longer than Yahoo! chat rooms but they are still functional. In the beginning I was on the side of the CAPTCHAs but now I am starting to go the other way. Yahoo! is killing SPAM at the cost of content.
  7. When I am reading a post, punctuation does make reading a more enjoyable experience. Astahost does have several non-English members and I am more than happy to overlook misspelling and punctuation errors as long as the writer is well intentioned. The reverse of that is that some of the top posters here are not from a natively English speaking country and they have better grammar than most Americans. Punctuation and grammar are usually the first clue to me that a writer is not well educated or is just plain full of you know what. For our non-English members here are a few dirty little secrets of commas. 1. In many cases the use of commas are subjective and may or may not be used and still be grammatically correct. The best example is in the use of lists. “One, two, and three” and “One, two and three” are both correct. 2. Use a comma when there is a pause. 3. Be consistent in your comma usage. I learned the most about grammar not in elementary or high school but in my British Literature class during my second year of college. One of the required books was a writing handbook called “Simon & Schuster Handbook for Writers.” When grading a paper the teacher would only put the handbook section number by the mistake (i.e. 21C) and nothing else. By the end of the class I had most of that book memorized almost as well as she did because she would routinely quote section numbers and rules from memory. During one of the classes an argument broke out over grammar (this was a class of engineering students that enjoyed debating with the teacher, myself included). She told us that some of the grammar rules that we learned previously were nothing less than a lie. One of these included the optional commas.
Even though some teachers will swear up and down and mark off for certain comma mistakes, there are instances where commas can go either way and as long as you can argue your point you can use them as you please as long as you are consistent. As with many of the hardest teachers you have ever had, I always remember her and never forgot what she taught. I even think of “some” of the memories as fond. I still remember the biggest WTF grammar moment of my life when I got a paper back. There was only a “9h improper use of a gerund.” I never knew what a gerund was but I do now. I still have that writing handbook and I have it beside me as I am writing this.
  8. Even if the above solutions work I would still recommend reformatting the computer. Once one piece of spyware has gotten into your computer you never know what it brought with it and that second piece of spyware may not let itself be known. The problem is that spyware has become so complicated that most of it now has rootkit ( http://forums.xisto.com/no_longer_exists/ ) components and once a rootkit is on your computer you can never trust it again.
  9. I’m going to vote for Avast! also. I haven’t had any viruses in years mostly because I don’t do the stupid things to get them but I also have to think Avast! had something to do with it.
  10. It is hard to imagine that this will compete with any of the social networks. If anything Yahoo! will say that they have this grand plan but never implement it or it will be five years from now and the next new thing will have already hit. The old profiles were just plain Jane with the username and name, age, location, and links if provided. The old profile system served its purpose well because it was not driving traffic and only acted as an additional source of information from the properties that were driving traffic; i.e. Messenger, Chat, and mail.
  11. I have to say that I come down on xboxrulz’s side on this one only because I am guilty of quoting myself. If the yordan rules are upheld then I shouldn’t be saying this but I regularly double post on both my webpage and this site if applicable. My argument is that I usually put a lot of time and effort into my posts and I see most of them as being for the greater good of the Internet at large. I try to cite all of my references and if I do quote from a different source then I put that in the quote box. I would like to think that the posts that I make are held up to the same journalistic standard as you would find in a newspaper. That being said I don’t think that you are losing any Google standing by me double posting. One of the consistent top referrers to my website is Xisto. Over the last few months the top link from Xisto has been Hacking Yahoo! Messenger (http://forums.xisto.com/topic/94847-topic/?findpost=1064383224). At the same time I have had almost no direct links to my site where the same article is posted in my forum. This means that when someone types “hacking yahoo messenger” into Google, they are first presented with the Xisto article because Xisto has a higher PageRank and then if they are still interested in learning more they will follow the link to my website. I see both Xisto and myself winning in this scenario because Xisto gets the ad revenue from my “expertise” and I get my own referrals from Xisto. Secondly not being able to double post would make Xisto a less attractive option for web hosting. I don’t post that often but like I said before I like to post quality content. After spending so much time composing an article it would just piss me off not to be able to also post it on Xisto for credit.
  12. Yahoo! has changed their profile system and more has changed besides the layout of the page. When transitioning to the new system all of the user data was cleared and pages for aliases were removed. Additionally, personal information such as age and location are now protected in a manner similar to Facebook or MySpace where you must be accepted by the user. Apparently many users are not happy with the new system as shown in (http://forums.xisto.com/no_longer_exists/), (https://yahoomessenger.tumblr.com/), and (https://tech.slashdot.org/story/08/10/19/017209/yahoo-changes-user-profiles-to-massive-outrage). I personally noticed the changes when I looked up someone’s profile and saw that all of the information had been cleared. If for some reason you consider your profile page a work of art and need all of the information back then you can request a copy of the old profile page from Yahoo! Customer Support at https://help.yahoo.com/kb/account.
  13. How in the world is this thread still alive? Just in case some unsuspecting “victim” has jumped into this thread from outside this board, think REALLY hard before you trade e-gold or any other service or goods in exchange for PayPal money. Always keep in mind that PayPal will issue a charge back to your account if the person you sold to complains to their credit card company. I found this out the hard way when selling on eBay. If you have already shipped the goods and then find out the buyer sent a stolen credit card then you are just out the money and they will not even talk to you, especially over virtual merchandise. Sorry for commenting so much on this topic but I hate to see this very suspicious activity go unchecked.
  14. I have to say that they shouldn’t get rid of the CAPTCHA just yet. Yes it may be broken but at least it keeps out the script kiddies. As it stands now, a programmer still has to go through some considerable effort to implement a fully operational and automated CAPTCHA cracker. If you don’t have the programming skills then you will have to pay the non-trivial amount to a third party to do the programming for you. While this does not stop even a moderately motivated spammer or hacker, it will stop almost all of the 13 year olds trying to “hack” Yahoo! If anything this removes some of the low hanging fruit from the people not willing to reach up and pick it.
  15. Yes, pick the cat is what Rapidshare used to use (https://www.geeksaresexy.net/2008/04/24/rapidshare-captcha-will-drive-you-crazy/). I have to say that being able to pick the cat is beyond most humans so having a computer doing it is quite impressive. Yahoo’s CAPTCHA has been “broken” since January of this year where broken is about a 35% success rate. The 35% may seem low but when you are sending spam or using a computer, 35% is more than enough to accomplish your goal. Apparently using Xrumer is not free because you have to buy a service agreement for $450 or so dollars. The upside is that you get free online customer support. The downside is that the people using the service will try to recoup their investment.
  16. A CAPTCHA cracking company called Xrumer (botmaster.net) is claiming to have broken the latest Microsoft CAPTCHA and the Google CAPTCHA (https://it.slashdot.org/story/08/10/02/1415205/now-googles-captcha-is-broken) (https://it.slashdot.org/story/08/10/01/2243241/spammers-targeting-microsofts-revised-captcha).
  17. During the University Yahoo! Hack Days (https://developer.yahoo.com/hacku/) a developer discovered or announced a vulnerability in Zimbra (http://forums.xisto.com/no_longer_exists/) that sent the password as cleartext over the network (https://www.cnet.com/news/yahoos-zimbra-e-mail-program-exposes-passwords/). The vulnerability has already been fixed (https://www.cnet.com/news/yahoo-to-fix-password-exposure-problem-in-zimbra/) but it is recommended that if you used Zimbra, you should change your Yahoo! password. From my standpoint this was surely a big goof for Yahoo! but I don’t think it will yield any substantial results. Before this article I had never heard of Zimbra and the attack is only possible if you can tap into the network between the user and Yahoo! (man in the middle attack). Unless you have a highly targeted attack it is doubtful that this will yield any Yahoo! credentials. The thread at http://forums.xisto.com/topic/96078-topic/?findpost=1064393724 may also tie into this.
  18. Here is another question about the authentication process. What part of the “auth” are you referring to? This could mean the entire authentication sequence to login or the specific act of getting the challenge response string. Either way I think that you are safe from a drastic change from Yahoo! in the near future. The authentication sequence that is similar to a TCP three way handshake has changed some over the years with the change and addition of data fields but the basic principle remains the same. The current protocol has for the most part remained unchanged since version 12-13 and we are now in I believe 16. The hash string function has undergone no changes since it was introduced and you can still use the same function from four years ago today. It is possible for Yahoo! to change this but I don’t see that anytime soon. They just released Messenger 9 out of Beta today and it still uses the same old hash function. If it does change then it could go one of two ways; it could get even more draconian and hard to reverse engineer or it will go to an open standard. My feeling is that it will go open because Yahoo! has been better to embrace open standards in the past few years. Similar to Microsoft, they have realized that the functions will eventually be broken so there is no need for all the extra work. If it goes the other way then it will be up to smarter people than I to reverse it. Once again there will be a few weeks where the Messenger network will be closed off to third party clients but after that the work around will be posted all over the Net. Also realize that Messenger is ultimately the property of Yahoo! and Yahoo! can change it at anytime without consulting us. I experience this all the time with YCC Yahoo! Bot Maker where Yahoo! changes a minor part of their signup page and I have to make corrections and release a new version. I too am actively looking for the source for the hash algorithm but I am happy with what I have currently. P.S.
If you are looking to design an entire client around Messenger and not fool with .NET then let me know. I have been considering making a separate tutorial on how to make your own language independent client. This would involve programming paradigms to how to sniff and capture traffic. I don’t know how much demand for a tutorial like this would be so I haven’t worked on it.
  19. If you want to discuss more on the topic of Yahoo! then I invite you to come over to my website at ycoderscookbook.com and http://forums.xisto.com/no_longer_exists/. There you can ask any question you like and hopefully get the same full answer as here. As for my security question answers they look similar to the following: “afdkljadshflaksdjfhkdsa” They are long, full of garbage, and I don’t think anyone will be guessing it, especially since I don’t know what it is myself. I have the belief that if you forget your password then you don’t deserve an account anyway.
  20. Yes like I said before the previous scheme may have been vulnerable but the current scheme looks to be safe. I have come to understand that being a Yahoo! programmer automatically puts you into some of the more shady areas of the Internet. Most of the “programmers” that experiment with Yahoo! are not what I would call upstanding citizens. Like it or not you have a lot of script kiddies and just plain down right liars. Some of these Yahoo! experts say that they have an email exploit just to get attention and then can never produce results. When someone contacts me about a new Yahoo! exploit or hack I always have to say prove it. If I never hear from them again or they try to side step the issue then I usually know that they are either exaggerating or lying. We actually have several good Yahoo! programmers here on Xisto that you can generally trust. I know that turbomax and a few others will not blow smoke up your tail. You may have to review some of your “firm evidences” to see if this is actually the truth.
  21. I also forgot to mention that Yahoo! Messenger and mail use two different means to authenticate users. Email uses SSL while Messenger uses the method described above (http://forums.xisto.com/no_longer_exists/). Once again I have never heard of any reliable method of cracking this authentication even off line. The protocol is much like Kerberos (https://en.wikipedia.org/wiki/Kerberos_(protocol)) which prevents against such things. A challenge is sent and the password is then mixed into the challenge using encryption. Even if you were able to see the response code, it is only good for that one challenge string and the challenge always changes.
  22. I have to admit that I am not very familiar with hacking Yahoo! mail but I will give this a shot. About two years ago Yahoo! relied on a JavaScript to generate a MD5 hash of your password and the browser then sent that to the mail servers. In that case it may have been possible to reverse the hash using rainbow tables or similar techniques if you had the MD5 hash in question. Modern Yahoo! servers use SSL (https://) to login to the mail servers. This has drastically increased the security of the login process. When sending your password now it is written to the network stream in plain text compared to MD5 in previous years but before it goes onto the wire it is encrypted via SSL. If there is a weakness at the protocol level now then it will be with SSL and if that is the case we have much bigger problems than securing Yahoo! mail. One very recent example of breaking into Yahoo! mail happened this past week and involves one of the Vice President candidates in the United States. Governor Palin from the state of Alaska had her Yahoo! mail compromised and the resulting data was posted to the Internet. From several news stories (http://www.securityfocus.com/brief/824) it appears that the attacker guessed her “lost password” questions and then gained access. Using freely available information from the Internet the attacker guessed the questions such as “Where did you meet your spouse?” There may have been weaknesses in the Yahoo! system in the past but all of these have been fixed to my knowledge. The current weak link in the system appears to be password recovery mechanism used on almost every social system on the Internet. From the very beginning I recognized this to be a problem and I never enter guessable information into these forms (usually I just slam my fingers against the keyboard a few times). To me if I lose my password then there is no way for me to access the account again. If you are asking me to tell you how to hack into Yahoo!
email then I can’t do that per rules of this forum (as you can see I don’t know anyway) but I do want to highlight the importance of not only the strength of your password but also the guessability of your security questions.
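
An added example, not part of the original posts: it contrasts the two login styles described in posts 21 and 22 above, a static MD5(password) token versus a response bound to a fresh challenge, and shows that only the static token can be replayed. HMAC-SHA256 stands in for Yahoo!'s custom hash, and the `Server` class, the `USERS` table and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed account data for the demo (not real credentials).
USERS = {"alice": "correct horse battery staple"}


def md5_token(password: str) -> str:
    """Static scheme from post 22: the client always sends MD5(password)."""
    return hashlib.md5(password.encode()).hexdigest()


def respond(password: str, challenge: bytes) -> str:
    """Client side of challenge-response: mix the password into the challenge.

    Assumption: HMAC-SHA256 is used as a stand-in for the real custom hash.
    """
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users):
        self._users = dict(users)
        self._pending = {}  # username -> challenge currently outstanding

    def login_static(self, user: str, token: str) -> bool:
        password = self._users.get(user)
        if password is None:
            return False
        return hmac.compare_digest(md5_token(password), token)

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per login
        self._pending[user] = challenge
        return challenge

    def login_challenge(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)  # each challenge is single-use
        password = self._users.get(user)
        if challenge is None or password is None:
            return False
        return hmac.compare_digest(respond(password, challenge), response)


def demo() -> dict:
    server = Server(USERS)
    password = USERS["alice"]

    # Static scheme: the value seen on the wire once is valid for every login.
    sniffed_token = md5_token(password)
    static_first = server.login_static("alice", sniffed_token)
    static_replay = server.login_static("alice", sniffed_token)

    # Challenge-response: one legitimate exchange is observed...
    challenge = server.issue_challenge("alice")
    sniffed_response = respond(password, challenge)
    cr_first = server.login_challenge("alice", sniffed_response)

    # ...and replayed: first with no challenge outstanding, then against a new one.
    cr_replay_same = server.login_challenge("alice", sniffed_response)
    server.issue_challenge("alice")
    cr_replay_new = server.login_challenge("alice", sniffed_response)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "cr_first": cr_first,
        "cr_replay_same": cr_replay_same,
        "cr_replay_new": cr_replay_new,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The server-side detail that makes this work is consuming the challenge on first use; a server that kept accepting responses to an old challenge would be as replayable as the static token.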
  23. Here is a question that came into my forum and I thought it needed wider coverage. Q: Can you explain the Yahoo! Messenger challenge response algorithm? The Yahoo! Messenger challenge response sequence is quite complex and unique to Yahoo! The challenge comes from the server and is then run through an algorithm on the client. When looking at the challenge and response in ASCII view it almost looks like a mathematical equation but it is not. This complex algorithm came from several years ago when the username and password was sent in plain text over the network and was eventually exploited. Basic encryption such as MD5 was then added. This is when things got interesting and politics stepped in. In 2004 Yahoo! was having a battle with several third-party applications such as Trillian as to if they could make their own client and join the Yahoo! Messenger network (http://forums.xisto.com/no_longer_exists/). Messenger has an ad driven revenue model so Yahoo! did not appreciate having an unofficial client not displaying ads. The solution from Yahoo! was to implement an outrageous and very complex authentication algorithm that the other companies could not reverse engineer. As anyone with a third person view could have predicted, the new monster algorithm did hold off Trillian for a while but was eventually cracked and the code was leaked to the Net. Several years later the authentication code is not a huge secret but Yahoo! still uses this beast to authenticate their users. I have never been able to find the original leaked code but it does live on in Pidgin which is an open source multi-platform client. To get a look at the code go to the Pidgin website (pidgin.im) and download the source for the latest build (https://sourceforge.net/projects/pidgin/files/Pidgin/). Pidgin is written in c/c++ so it can be hard to read for someone not familiar with c.
The code is also very integrated with the Pidgin base so it is next to impossible to separate it out without having to rewrite the entire code base. I have looked at the code and studied it for many hours and have come to the conclusion that it is overly complex and a nightmare to decipher. If Yahoo! wanted to make an algorithm that is hard to reverse engineer then this is a successful effort on their part. The downside is that a person would have to spend an insane amount of time to write their own representation of the code. The algorithm is a custom hash that has no direct relation to any common hash or encryption function. Parts of the code resemble MD5 while other parts look like DES. The majority of the code is based in lookup tables which is a common encryption technique. A few years ago I wanted to make my own implementation in .NET because the DLL that YCC Trainer uses has been marked as a “virus” by most of the antivirus companies. (The DLL is not a virus but it appears that it has been marked that way because it is commonly distributed with booters. Most booters are also not viruses but in the infinite wisdom of the antivirus companies, we should be protected from ourselves but this is a different article all together.) After spending about a week trying to get the basics to work I realized that I hadn’t even scratched the surface and gave up. I still use the shady booter DLL that I found many years ago. In the end I don’t want to discourage you from looking at the code for yourself but this is one fight that I decided not to take. It is ugly, nasty, and complex to the point of being a coding nightmare. If you do decide to look at the code I would love for you to post your findings, especially if you make another implementation. For now I am happy with my shady virus laden DLL that I once found in the far corners of the Internet.
  24. Tomorrow starts the next official Yahoo! Hack Day(s) (https://yahoomessenger.tumblr.com/). This has traditionally been where Yahoo! employees come together and share some of the odd ball “hacks” that they have been working on to make any number of Yahoo! products better, including Yahoo! Messenger. This year is a bit different because Hack Day is now two days long and it is open to the general public. You can sign-up for a spot at http://forums.xisto.com/no_longer_exists/ where you can either be a developer or press. Unfortunately the only location is at the Yahoo! headquarters in Sunnyvale, CA so if you are not in the area then you are out of luck. P.S. I know it is a little late but if anyone wants to send me a plane ticket to CA then I will be more than happy to accept.
  25. Thanks for the advice on the credit card tip. Right now it has been over 30 days and is close to 90 at the moment. I wish I would have thought of that sooner. Another thing that I look for now is what grade of hard drive it is. Hard drives are generally grouped by either consumer or enterprise (server) grade. The server grade hard drives have a larger mean time between failures (MTBF) and are of course more expensive. It is hard when you are on New Egg and have a list of the same manufacturer, size and cache size to not automatically go for the cheapest one. I have found out that the consumer grade hard drives might be fine for grandma, for the average Xisto member it is wise to spend the extra money. I also have never had any problems with returning hard drives to the manufacturer. I have done this with all the major hard drive companies and had little hassle. The problem is they send you back the exact same model (usually refurbished) that has the same inherent problems and you will end up sending the replacement off in another year anyway. In addition to the $10 or so it costs me in FedEx fees, after around three times returning the same hard drive it just isn’t worth it any more. My worst experience is still with my IBM 45Gb DeskStar hard drive which I ended up sending back the same original and string of replacements 8 times.