Slashdot Mirror

← Back to Stories (view on slashdot.org)

L0pht Gives FAQ of @Stake Merger

Posted by ryuzaki0 on from the getting-together dept.

Duke of URL writes "The gray hat hacker think tank L0pht Heavy Industries has provided a FAQ list on their recent merger with @Stake. It sounds like there will be a few more changes than I personally previously thought, (i.e. Web site changes, etc.) but the good news is that L0pht 'will continue to act as a Consumer Reports style organization in posting our general findings through analysis and evaluation as general customers reviewing software.' Also Hacker News Network will still be run by L0pht/@Stake and will receive more time and resources. "

8 of 70 comments (clear)

  1. Re:OT: "white hat" hacker training material? by Jonathan+White · · Score: 4

    Well unfortunately there is no one book to sum up breaking into systems that is along the lines of Applied Cryptography.

    Some books to get you on the right direction follow:

    1. A good C book if you do not already know C. I personally learned with C Programming, A Modern Approach, it's a good book. Knowledge of C is essential because you will need it to write your test exploits and most of the following books assume knowledge of C.

    2. Advanced Programming in the UNIX Environment and a good OS theory book such as Operating Systems by Stallings or "the dinosaur book". This is necessary so that you understand the both the nature and implementation of modern operating systems.

    3. TCP/IP Illustrated Volumes 1 and 2. These are necessary so that you understand TCP/IP at a very low level. Most attacks involve a network and that network usually runs TCP/IP, a lower level network book covering such topics as Ethernet may be necessary as well.

    4. The Tao of the Buffer Overflow by Aleph1. This can be found in the Bugtraq archives. Stack based overflows remain the most common method of compromise (besides social engineering). This article does an excellent job of explaining how to exploit and find them. Dildog wrote an NT version for the l0pht which you may also need.

    5. w00w00 published an article on heap based overflows which you may need.

    6. A general Internet + Systems security book, O'Reilly has one I have heard good things about, I can't recall it's title. Note however that a general security book is not enough.

    7. Various academic pubications and thesis papers. These can be an invaluable resource for descriptions of more esoteric attacks not covered in published books. These also have the benefit of assuming a much higher level of knowledge than most papers/websites/books for dummies.

    8. OS Specific docs and books. In order to secure or break an OS you need to know everything about that OS.

    9. Mailing lists such as Bugtraq and OS specific security lists will provide a history of previous vulnerabilities and solutions.

    Security is a very broad and difficult subject requiring its practitioners to be skilled in many different areas. I hope this is a good transition and you enjoy your new post.

    Cheers

  2. Re:please post the faq if you get in by Ranger+Rick · · Score: 4

    It's up at my site (defiance.darktech.org/merger.html) -- please try not to hammer it, it's a lowly 300k DSL line :)

    --

    WWJD? JWRTFM!!!

  3. Re:OT: "white hat" hacker training material? by wozz · · Score: 3

    > Well unfortunately there is no one book to sum
    > up breaking into systems that is along the
    > lines of Applied Cryptography.

    Sure there is. Hacking Exposed. Its already been mentioned in this thread, but its a great resource. I'm a security manager for a large ISP that is responsible for penetration testing as well as a bunch of other stuff, and being that its rather hard to find qualified security people for reasonable salaries, hiring a good unix/nt guy and making him read that book has proved pretty effective at making people 'think secure'

    Also, the content of that book comes out of the security practice at Ernst and Young, where they offer a great 5 day course called "Extreme Hacking" (as well as courses on Incident Reponse and Computer Forensics) , taught by some of the authers of "Hacking Exposed". Its $5000, but well worth it if you don't have the white or grey hat background. I haven't taken the course (my grey hat saved me $5k ;)) but I've heard many good things about it. And compared to the rest of the "security" classes out there, this is by far the best.

    Another important point to consider is that you don't neccesarily need to have black hat skills to sucessfully secure a system. It helps, but you don't need it.

    --
    \w0zz - OpenBSD - A Better Solution
  4. OT: "white hat" hacker training material? by konstant · · Score: 3

    This is only vaguely on-topic, but I would appreciate it if some of the more knowledgeable crowd could help me out.

    In the next month and a half or so I'll be making a transition out of my current job into another post. This new position will require me, among other things, to crack our pre-deployment systems so that holes can be patched before release.

    I don't think I'll have much trouble with the more prosaic "skript kiddie" side of the assignment, things like netcat and ping floods, but I'm concerned that I might miss some of the less glamorous holes due to lack of specific training in "white hat" cracking. This groups is more concerned about a coalition like the l0pht finding a vulnerability than they are about the more typical attacks.

    Does anyone here have any expertise or suggestions about suitable books or webpages? Something along the lines of Applied Cryptography, except in the domain of cracking. Again, I'm looking higher-level material, not Online Hooliganism for Dummies :-)

    Thanks!

    -konstant
    Yes! We are all individuals! I'm not!

    --
    -konstant
    Yes! We are all individuals! I'm not!
    1. Re:OT: "white hat" hacker training material? by GMontag · · Score: 3

      Checkout Bugtraq and NTBugtraq (if using MS OS.

      OKOK, I could not spell my name without notes, but check the above places as well as Packetstorm (link at http://www.hackernews.com), yea a daily scan of hackernews is good too.

      Listen to Off the Hook http://www.2600.com/offthehook/ check 2600 news daily, buy 2600 magazine too for a general look at some of the more out-of-the-way items that crop up.

      Your local 2600 meeting (if there is one in your area) will probably have other professionals with the same concerns as you, with solutions.

      --
      Eve Fairbanks says I drive a hybrid!LOL
    2. Re:OT: "white hat" hacker training material? by swordgeek · · Score: 3

      Yeah, got a book for you: "Hacking Exposed!" by Stuar McClure et al. Desppite the exciting title, it's a very clear, concise, and current treatise on how to break into systems, AS WELL AS how to block them out.

      There's a lot of stuff deliberately left out of it, along the lines of specific exploits to run on a buffer overflow (if you need it, go write it yourself!), but gives information on general attacks.

      For higher security, check out some of the lovely online articles, like the stuff on Sage. The 'securing a Solaris server' is definitely required reading, regardless of your platform.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  5. Consumer Reports? by Signal+11 · · Score: 5
    Hmm, that's an interesting image. Let's see, the typical table of contents for such a "consumer report" for security might look something like this...


    Cover: More bugs found in W2K. Microsoft denies problem exists and says they're working to fix it as quickly as possible.
    MacOS: Most secure? Performance details p. 30
    AOL users swindled (again)- passwords leak out by the thousand.
    AOL 5.0 Upgrade of Death: Marketing ploy or gross incompetence?
    Slashdot source released: Malda's e-mail was out for a few weeks, thus bypassing the mandatory "24 hour wait per request" problem.
    L0pht drops SuperMegaCorp's pants with another vulnerability.
    The Press: Getting it wrong again. HNN goes inside to reveal why "they didn't get it" again.
    Buffer Overflow found in Cup 'O' Noodles. (After 2:30, the thing spills all over the inside of the microwave).

    Also inside: A feature on Kevin Mitnick - Martyr or idiot, and an in-depth review of Emacs as an Operating System.

  6. Damned internet filters... by Hall · · Score: 3
    Anyone care to do a little "copy-n-paste" job ?? I can't read this (at least 'til I get home). Big brother don't like l0pht's site ;-) When I try and go there, I get this:

    SmartFilter Control List Restriction
    SmartFilter denied access to the URL http://WWW.L0PHT.COM/MERGER.HTML It matches the category 'Criminal skills content'.

    If you have a business reason to access this site, in adherence to Company Internet Use policy, there may be an error in the category sites list. Please contact your Division IT Director to have the error corrected.