Maltego, Technorati, and Creative Commons Licensing Failure

I’ve been using Paterva’s Maltego software quite a bit lately in my testing. This software is a fantastic tool, and provides a great way to obtain a great deal of information about an organization or individual. It comes in two flavors, a community edition which is free, and a commercial edition which is not. Because I am using this for my job, I have the commercial version of Maltego.

Like I said, Maltego is a fantastic tool, but there’s one thing that bugs me about it: a number of the most interesting transforms that come with the product use the Technorati search engine to provide information about an entity (for those that don’t know, Technorati is a search engine that pulls information from the blogosphere and various social networks).

The problem is that the Technorati search engine uses the Creative Commons license for its technology, and they chose to go with the one that disallows commercial use.

That’s fine, it’s their code, they can license it however they want. My problem isn’t so much with them, as with Paterva for choosing to use their stuff in the Maltego product. Because I am hired by clients to perform this discovery, I am unable to use these transforms in Maltego (at least, as far as my understanding of the licensing goes) and so I have them disabled.

“So what?” you may ask. Well, what this means is that attackers using the free version of Maltego can get potentially useful information about a given company which a tester hired by the company, using the paid version of Maltego, can’t legally provide. (I should mention here that I have tried looking into whether Technorati provides a way to license their technology for commercial use, and as far as I can tell, there is no way to do so.)

This strikes me as insane, and not a GoodThing(tm) at all.

twitter badness?

So, a few days ago I was working on a project, and noticed that GoDaddy allows web sites which use their SSL certificates to post a flashie thing on their website allowing visitors to check the status of the cert (see the bottom of tweepme.com for an example).

It turns out that GoDaddy actually has the blank certificate image stored on their servers, and that it is accessible via http in addition to https.

This means it could easily be used for spoofing by anyone that knows how to:
a) manipulate an image in an image editing software application or
b) manipulate an image in any number of programming languages

So, I decided to make the following tweet at twitter:

“interesting. if you know how to manipulate images, you too can spoof godaddy’s SSL seal: http://is.gd/o1pM”

It was posted, and then disappeared about 15 minutes later.
I reposted it. Half an hour later, it was gone again.

So I talked to a friend of mine that follows me on twitter and had him pull up my page in his browser, and also in his third party application on a mobile device. I then posted again. He confirmed that it showed on my twitter profile page, but that it didn’t hit his feed, nor his mobile device. About half an hour later, it disappeared again.

I then posted a tweet about the fact that my tweets were going missing for some reason. That also vanished about 20 minutes after posting.

So, I posted a tweet about something completely unrelated, that stayed.

At that point, I sent a request into twitter support asking whether I was triggering their ToS violation or such and that this was leading to my tweets vanishing. As yet (3 days later), it’s not even been assigned to anyone to review.

Hmm… Interesting.

captcha madness

i went to gmail today to login to an older email account i haven’t checked in a while… apparently *too* long, because i got presented a captcha upon entering the username and password.

i was having a hard time reading the text (no surprises there, captchas really suck as a technology), so for fun i decided to try clicking the “handicap” icon so i could listen to the captcha in audio format.

for some reason, it’s never occurred to me that, just as visual captcha uses random crap in the image to try to prevent OCR from determining the letters, the audio version would contain a whole lot of noise in an effort to prevent text to speech from doing the same.

if you’ve ever wondered what an audible version of the mass confusion that is a modern captcha file might sound like: here you go.

all i can say is, it’s a good thing i can see.