Category: hackers

  • Track Down

    Kevin Mitnick will probably totally disagree, but the movie Track Down was pretty entertaining. 

    It's a Hollywoodized version of Tsutomu Shimomura's book, Takedown, detailing his attempts to capture the (now reformed) computer cracker Kevin Mitnick.  Russell Wong plays Shimomura, and living legend Kevin Mitnick is played by none other than Skeet Ulrich.  Skeet does a great job.

    I found myself laughing out loud at some of the stuff Kevin pulled off in the movie.  I have not read Shimomura's book, so I don't know how much of the movie was accurate.  Either way, they made Kevin out to be one bad, bad MF.

    Apparently, there is some controversy over how truthful Track Down and Takedown are to the events that actually took place around Kevin's conviction.  A lot of this is talked about in Emmanuel Goldstein's Freedom Downtime.  I guess I'll have to check that out next.

    If you're an overall security geek like myself, you'll get a kick out of the movie.  Just keep in mind that it is a work of fiction… with actors like Master P, I suppose that is not hard to do.  I also noticed that Shimomura appears in a scene in which he is laughing at his own character getting heckled… ironic.

  • There is no such thing as Security

    I've noticed that there are two types of security people: anal "type A personalities" who live every moment by the rules, and those who realize that there is no real security.  Please understand that these two mindsets don't seem to have anything to do with talent.  I've met talented people with both mindsets.  A talented security professional is mindful, aware, and always pays attention to detail.  The very best seem almost psychic in their ability to spot wrongdoing, security breaches and even malicious intent.

    Type A security people seem to thrive on "catching bad guys".  It's like they are kids playing cops & robbers.  These people thrive on structure, order and regulations.  In information security they know how important it is to have lots of centralized control and a standard configuration for all systems.  In the Myers-Briggs personality test, these people are ESTJs (Extraverted Sensing Thinking Judging).  The thought of anyone getting away with breaking the law (ANY LAW) is unacceptable.  These guys make great Directors of Security, CSOs and other policy creators as long as they don't micromanage their people.  Their employees will either love them as a great mentor or hate them with every fiber of their being.

    Those who realize that there is no such thing as security are hackers.  They are many times INFPs (Introverted iNtuitive Feeling Perceptive).  Unlike the ESTJs, they don't care about structure and rules because they realize that rules are only suggestions to keep an acceptable level of order.  For them the most important rules are in a person's heart.  ESTJs will usually see these people as lazy and not really caring, but these people are just trying to find an easier way to do things.  If they don't enforce certain rules or cut corners, it is because they sincerely believe that the rule or enforcement (in that particular situation) is not needed.  Employees will usually love INFPs unless they happen to be ESTJs.

    I am a bit biased because I am in the second camp, INFP.  I don't believe there is such a thing as "security".  No one is ever completely safe.  All a person with malicious intent needs is the element of surprise, time, and pressure, and they can get away with anything they want.  Further, anyone at any time can have malicious intent: employees, kids, bosses, friends, family, not just random strangers.

    Security is just an illusion.  The one good thing security does is ensure you are faster than the slowest person, organization, network or whatever on the block.  Those with malicious intent will typically go for the easiest target.

    Since many crimes are committed by people the victims know, all we can really do is not worry about it.  Life is too short to waste too much time fretting about every possible thing that can happen to you.

    I guess that is what Ben Franklin meant when he said:

    "Those Who Sacrifice Liberty For Security Deserve Neither"

    If you worry so much about security that you can't enjoy the fruits of your labor, then what is the point of living, and if you can't enjoy living, what's the point of protecting ANYTHING. – elamb

  • theBroken part4?

    Double D is rolling a *"burrito sized Mummy" with Kevin Rose trying to get him to do the next broken episode.  This is the type of irreverence toward all things holy that fans have come to expect from theBroken.

    With complicated Xbox 360 hacks and illegal cell phone jamming techniques, it is no wonder it took theBroken 2 years to put out a new episode.  Dub and K_rose filter about a score of 40s through their shriveled young livers to the background gangsta of Ice Cube, NWA and Dr. Dre.  Perhaps it is best that they don't do regular episodes, as theBroken could land them in jail or in the hospital.

    It is an incredible concept.  Jackass meets Defcon.  One of my personal favorites is Ramzi.  He is hilarious.  Where did they meet this guy?  The outtakes were also very entertaining.

    Hopefully, next year's theBroken will be just as deficient of morals.

    *burrito sized mummy – a giNORMOUS joint.  Slanguage coined by the ambassador of the bay, E-40.

  • Pirates Vs. Ninjas

    PIRATES 

    A pirate's mission statement is to rape and pillage.  They steal as a way of life.  Morals and values be damned.  A pirate would steal from his own mother if she let her guard down.  He would take advantage of his sister if she had the booty.  New pirates really don't appreciate anything.  Some pirates steal because they really do appreciate a quality product.  Some of these pirates are activists for individual freedom.  They live by the code and freedom of the sea/nature.  To them, ownership and property are an illusion created by man.  These are the most devious types of pirates, who usually end up being captains of ships full of pirates.  If these pirates ever get caught it will usually be too late, because they will have already exploited, liquidated and stolen so much that most of the assets they have pilfered will never be recovered.  Furthermore, they are probably completely beyond rehabilitation by external means such as torture, imprisonment or indoctrination into high society.

    NINJAS

    A ninja, on the other hand, lives and dies by a code, and because of this they can be very dangerous.  They have a certain belief that they are willing to kill for.  Assassination is what the ninja is trained to do.  They sneak in silently, make the kill and get out quickly without a trace.  A great ninja will only be detected by the absence of evidence.  You will only know that they were there if they want you to know.  To the untrained eye, the ninja's target died of natural causes.  The ninja's skill is a thing of deadly grace and beauty, like a black widow spider.  The especially good ninjas have an almost spiritual code and mental discipline that gives them seemingly supernatural powers.  To the lay person, ninjas don't exist; they are just ancient legends.  If someone brags about being a ninja, they are more than likely NOT a ninja.  A ninja is so close to the edge that they are loved, hated and feared by those who know they exist.  Contrary to popular belief, not all ninjas are evil.  Some ninjas are mercenaries, some ninjas only kill bad guys, some ninjas don't kill at all… but they could if they wanted to.

  • What is a Hacker?

    “A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.”
    The above is a quote from crypto living legend Bruce Schneier's book, Beyond Fear.  This is exactly how I feel about hacking.  Hacking is a major asset to Information System Security… in fact, it is THE only real asset.  I've had arguments with some of my peers about this.  Information Security Pro vs. Hacker.  If the typical information system security pro doesn't get smart on hacking (security/programming) techniques, security will continue to be a losing battle.  Cyber criminals have no problem learning the latest exploits; they have no boundaries, and this gives them a "superpower" against security professionals.  Some information security professionals, on the other hand, restrict themselves by categorizing hacking as bad.  They see it as unethical and irresponsible.

    It is unethical and irresponsible to NOT know the hacking techniques that might exploit a customer's system.

    Thanks for the post, Bruce.  I hope you will make another appearance at Defcon.

  • Defcon 14 was great!

    There was a lot of great stuff at Defcon 14.

    (photo: Defcon 14 bus)

    The last Defcon that I went to was Defcon 11 in 2003.  Defcon 14 has grown quite a bit since then.  According to The Dark Tangent, it was about 7000 geeks/hackers/security pros/phreaks strong.  The great thing about this particular Defcon was the change of venue.  Defcon 11 was at Alexis Park.  This one was at the Riviera hotel.

    Many of the rooms at Alexis Park had no A/C.  The worst thing was that many of the rooms would get packed and have to turn people away.  At times it seemed that this might cause a riot!

    As far as I know, only one room got too packed this time, and that was "Googling: I'm Feeling (un)Lucky" by Greg Conti.

    I have a lot of favorites, but what stands out for me was "Beyond Social Engineering: Tools for Reinventing Yourself" by Richard Thieme.  He had interesting ideas about the importance of integrating spirituality into your life to balance the different personality profiles and life changes that happen more and more in a world of fast-moving technology.  He discussed modifying your persona with reference to your "meta-self", or hacking yourself.  Very interesting and insightful.

    I loved all the briefings on privacy and the legal battles against the government and AT&T.  I will definitely be getting involved.

    Another that stands out is The Making of atlas: Kiddie to Hacker in 5 Sleepless Nights, by atlas.  I thought it was a great introduction to REAL hacking, which is pretty damn hardcore.  Atlas and his team 1stPlace actually won Capture the Flag, the main event at Defcon.

    There was a South Korean team there that got an honorable mention, since they flew all the way around the world just to play the game.

  • Intricate Steps of How to Hack Into a Computer

    Here is a huge map that pretty much shows you all the possible ways to gain entrance into a system, from finding exploits and scanning ports to password cracking.  It shows all the likely paths you can take to hack into a computer and/or test out its security.

  • The Dark Tangent Says we are all DOOMED!!!

    The Dark Tangent (Jeff Moss), president of the DEF CON hacker conventions, is interviewed on the CyberSpeak podcast and talks about the change in venue from Alexis Park to the Riviera Hotel and Casino.  In response to the question, "who will protect our privacy from big business?", he responds, "we are all doomed!".  Great interview!

  • Former Pentester for the FBI Hacks the FBI

    This case is not the same as the Department of Veterans Affairs' loss of records or the Department of Agriculture's security failures.  In this case, a contracting consultant conducted a penetration test without getting formal approval.  He exploited the FBI's vulnerabilities to gain elevated privileges.

    Joseph Thomas Colon, 28, is a former employee of BAE Systems.  His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.  According to Colon, the FBI field office in Springfield, Ill., to which he was attached gave him approval.

    However, every professional pentester or ethical hacker knows that you have to get formal approval from an authority.

    Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system.

    As a result, Mr. Colon will likely serve about 18 months in prison. :(…

    Pentesting and ethical hacking tools and techniques must be dealt with responsibly.  The bureaucracies that might allow pentesting must be respected at all costs.  The first thing taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system.