Domain: hackinthebox.org
Stories and comments across the archive that link to hackinthebox.org.
Comments · 19
-
P2P browser by Cult of the Dead Cow?
Wasn't there a project by Cult of the Dead Cow a few years back that was supposed to be a P2P browser? So if you are in a country where some site is blocked, you can access it via other users from other countries? I remember something like Freebird. Here it says it was called Peekabooty: https://training.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=2027 Maybe something like this could be really useful in the future.
-
details of hack ..
'hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems'
'was this breach similar to what happened in the FISERV/CheckFree incident, or did something else happen?'
-
Sandia is a laughing stock at other labs
Sandia not in the news? Ha! They even fired people who revealed the Chinese were stealing their secrets, and got hacked by Pakistani script kiddies. When you consider that Sandia is tiny compared to Los Alamos (which spans 47 square miles), you have to realize their rate of serious security breaches is much worse. Los Alamos has not reported any break-ins during the same period. No wonder they don't let Sandia store nuclear materials.
-
Re:Er, did WGA really do much there?
If you really want to see what WGA is sending to Microsoft, just capture the packets on their way to the internet and see what's being sent. Has anyone done that and found anything of real interest?
Yes, it has been done. MS has been sued over the amount of personal information being sent back to MS.
MS claimed that even releasing details on WGA in court would allow hackers to take over all of their customers' Windows computers. So, we have MS admitting that they (and everyone else who looks) can have full control over Windows systems, and they can't have the world knowing what data is being sent back due to security claims (what the govt would call national security, no doubt).
References:
http://www.betanews.com/article/Microsoft_Sued_Over_WGA_Program/1151615015
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=28694
http://news.cnet.com/Microsoft-faces-second-WGA-lawsuit/2100-1014_3-6090651.html
Oh, and that info about what exactly is sent back to MS that the court ruled can not be released to the public due to 'hackers' being able to take full control over Windows?
No, it is not of much interest. And nothing more identifiable than a GUID. This link contains the full undecoded XML sent from WGA to MS:
http://blogs.msdn.com/wga/archive/2007/03/07/wga-notifications-and-download-and-install-telemetry.aspx
-
HackInTheBox Security Conference
The HiTB Security Conference in KL website is at http://conference.hackinthebox.org./ See you chaps in KL!
-
Re:Java or Javascript?
The official conference website says the same thing:
http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=214
Reading the conference website, it sounds like he is saying they can crash computers through forced tight loops via multiple languages: JavaScript, Java, even TCP/IP.
-
Re:Intellectual Property
Yes, that's the idea behind WabiSabiLabi, the Exploit Marketplace. Security researchers have always been treated unfairly, as it was always demanded of them to give their knowledge away for free, at least to the vendor. But what is the incentive for a white hat to do research at all if he is not allowed to make money out of it?
Also, why should said researcher not just turn into a blackhat and sell stuff on the black market if he is not paid for his work on the 'free' market because no such market exists?
Compare it to medical research: medical research requires great effort and would not be done if you could not turn the results into money (usually by patenting). Is it unethical to patent drugs that could save many lives? Why does nobody point their finger at the drug researchers, but the security researchers are the unethical people?
If someone is willing to pay more for an exploit than the vendor, that's the free market. The WabiSabiLabi guys experienced the ethical dilemma as well: they tried to resolve this issue and to create a free market for the security researchers, but when they informed the vendor of an auction, they were called blackmailers. If they didn't do so, they acted unethically as well. So what?
BTW, there's a great video available from the WabiSabiLabi guy (Roberto Preatoni from Zone-H) at the HITB Kuala Lumpur Videos; the presentation is here.
-
Re:Zimmermann has it right.
Nobody actually reads the certificates.
Nobody has to if you trust the certificate authority. What use is reading it anyway, if it hasn't been signed by a CA/friend and can be tampered with?
Even if they did, they don't really mean anything anyway. How difficult is it to get a real certificate with fake credentials?
If a CA is worth its salt, nigh on impossible; that's what you pay those ridiculous prices for (at least, that's where the money should go). This is the main problem with an open CA; there are presumably fewer security checks that the person requesting the certificate is who he says he is.
Moreover, if the URL is similar enough to the target of your phish, then your SSL certificate may well be legitimate in every sense of the word, but you trick people because the URL is close enough to a big brand's main domain.
That's a phishing problem, not a crypto problem.
I think Zimmermann, with his ZPhone program, has got it right. Really, all you're interested in for e-mail or VoIP is not whether the person really is Simon Johnson, of Widnes, based in the United Kingdom, who is 23 years old with a pet dog called Thornton. You're actually interested in whether this Ckwop guy I'm speaking to now is the same guy I spoke to last time.
This is exactly what happens when you cache a certificate which hasn't been signed. If you go to, say, https://hackinthebox.org/ you will get a certificate warning because it hasn't been signed. You don't know if anyone has replaced the certificate along the way, but once you have cached the certificate you can be sure that you are securely communicating with whoever sent you the first certificate. Using a certificate authority means that you can also be confident that the person who sent the first certificate is who they say they are.
So whatever the ZPhone is, it sounds like plain old certificate-less public key encryption.
When you weaken your security requirement to this position, you can remove a staggering amount of complexity. You can cut out all the CAs, all the X.509 certificates and ASN.1 implementations, etc. What you're left with is Diffie-Hellman and AES in CCM mode. You can implement this in a couple of thousand lines of provably correct code and you're done.
Ensuring secure code doesn't bother me; I'm much more interested in having secure protocols. There's no point in having "provable code" if all the protocols are vulnerable to man-in-the-middle attacks (the attack which certificate authorities are designed to prevent).
The real way to solve the "identification problem" with web-sites is to change the way credit-cards work. You have a secure token that outputs a different string every thirty seconds. RSA have made these but they're very expensive for no explicable reason, the banks would develop an open-standard in my model to drive down prices. When you pay for something, you submit your credit-card along with the token's value. The transaction will only be authorised if the token's value matches what the bank thinks that value should be.
Credit cards? 30-second windows during which my money is accessible? We already have things that are better than this.
As regards the Certificate Authority issue, here is the rundown as I see it:
- The current way things are: CAs are very expensive, which means sites often don't use any encryption at all.
- Having an open certificate authority: Who pays for properly checking that a person is who they say they are?
- A key signing network: This is the idealistic approach, done at the moment in GPG keyservers; Everyone signs their friends' keys, who sign their friends' keys, and a web of trust is built up. It takes effort though, and there are still trust issues.
- A government CA: The government assigns public/private keys to individuals and bus
-
Ha - haa!
Bill, your puny OS has been hacked by
... a GIRL! bwa ha haaa
wait...
Man, she is a babe!
I saw her first!!!
*runs to buy airplane ticket*
-
How to Build a Simple Wireless Authenticated Gatew
This would certainly be a cheap solution:
http://www.hackinthebox.org/article.php?sid=15607
-
Re:Uh
After reading the review of Dan Farmer and Wietse's Forensic Discovery, you should hear about The Grugq, who got fired from @stake after writing a Phrack article in which he exposed numerous flaws in The Coroner's Toolkit by Dan & Wietse. Before you read this book, check out the video (bittorrent) of The Grugq on The Art of Defiling and see how to defeat "industry grade" forensic tools and techniques. You can also meet him at a hacker convention near you (in March at BCS2005 in Jakarta, in April at Black Hat in S'pore and Amsterdam, and at HITB2005 Bahrain).
-
Re:A little overzealous, aren't we?
There are so many things wrong with what you're saying, but the biggest of them all is how you've actually chosen to live in fear.
Mmm... yay for feeding the trolls.
God forbid! That I should think about even the idea of security when designing a public system! Whatever did happen to the idea that we could build a system and it would be just fine, like in the old days? Oh, sure, there have been people that have wanted to attack our infrastructure -- dare I say it -- before 9/11/2001! But security! By God, its existence takes away from my civil liberties!
</sarcasm>
-
Re:My experiences with Gmail invitations
... and quickly had well over a dozen requests for accounts despite including a disclaimer pointing to gmail-is-too-creepy.com
:)
I too am a Gmail beta user, and I've been very pleased with the service. Set up my .forward file to send a copy to my Gmail box, and set my reply-to address to be my private email, and I'm all set. Now I can switch between Gmail and Mail.app on my Powerbook lickety-split.
I wanted to bring up something else that I just came across that was kind of strange. I agree that the people freaking out over adwords is a little over the top, but I found this article that brings up a very interesting point:
"Moreover, like any e-mail provider, the text of your Gmail is stored and subject to subpoena. I can envision a situation where an advertiser, paying Google hundreds of thousands of dollars, claims that Google failed to "insert" its ads in relevant e-mails, or inserted a competitor's ads instead (or in addition to, or more prominently). In the course of the ensuing litigation, wouldn't both the ads themselves and the text of the messages into which they were inserted be relevant, and therefore discoverable? I can't imagine why not."
I generally believe Google is a good company, but this argument actually got me thinking.
-
hack in the box says its authentic but stunted
This hack in the box article quotes a security expert as saying:
"It looks real," he said. "You can't build Windows, however. It's just a bunch of chunks of the operating system."
From the article:
The 203MB file contains the code that appears to be from Microsoft's enterprise operating system, but the code is not complete, said Dragos Ruiu, a security consultant and the organizer of the CanSecWest security conference, who has examined the file listing.
-
Password Checker!
You wanna know how gullible people are? As a joke last year, I coded a little password checking program at my site. Users could check their password against a list of a million common English words, to see if their passwords were secure. There was a database with a million words in it, and each time someone put in their password, the site would tell them if it was in the list. It would also tell them that if they are stupid enough to give out their password to just anyone, then it's certainly not secure!
People would show up and type in something that looked like a real password, and then type in another password as a message to me -- along the lines of Fuck You on a Silver Platter, Asshole.
Hackinthebox.org posted the site and a pile of gullible flies* showed up to check their passwords. I'm guessing people from HiB would send the site to other unsuspecting people, as a joke. Thing is, eventually some pretty scared people were emailing me. I took it down after a while. It was getting to be more annoying than fun.
There is always someone out there who is greedy or scared enough to be scammed online -- it's just sad when it happens to someone you know.
* flies: a fly is someone who gets stuck in the web, and a spider is someone who owns it.
-
Re:source code?
There's a copy at http://www.hackinthebox.org/print.php?sid=8612
-
Since someone is going to say something about...
Since someone is going to say something about running water through your system and how you don't trust it, etc. etc. etc.: there are alternatives out there such as Fluorinert that have similar thermal properties but don't carry charges well. More expensive than water + wetting solution, but gives MUCH more peace of mind if you happen to be a paranoid person. Here's a link to an OC forum with a story or two on how the product behaves as well. A better article on watercooling (to the insane extreme) can be found here.
-
In case of the inevitable /.