Friday, August 24, 2007

Summer's End

The end of summer is almost here, which means I'll soon have to go back to work and school. Right now I'm writing from Ontario, my friend I'm visiting is at work and I've got some spare time to spend on my laptop (thankfully she has Highspeed).

This summer has gone extremely fast, and it feels like I've gotten nothing substantial done. I've done little bits here and there, added a couple small features on my site, got the downloads back up... but I haven't had the free time to do the most important things: learn PHP, learn Perl, code a simple IRC bot... So I'll have to push those things farther down until I get time. I am starting with a bit of PHP and shortly after I'll learn a bit of Perl. Thankfully, I taught myself some CSS basics and have implemented a tiny example into my site that I'll continue to work on as time goes on. Also, I've installed the Apache webserver and PHP on my laptop so I'll be able to work/test some work without an internet connection.


Some useful links that helped me set up PHP on Windows Vista:
Apache in Windows: http://www.apachelounge.com/forum/viewtopic.php?t=570
PHP installation: http://www.php.net/manual/en/install.windows.manual.php
System Path/Variables in Windows Vista: http://banagale.com/changing-your-system-path-in-windows-vista.htm


Some things I need to do when I have time:
Fix and upload WAR.exe (Website Automated Reloader)
Learn PHP
Learn Perl
Brush up on C++
Partition Hard Drive -> Install Linux
Think about installing MySQL

Sunday, August 5, 2007

Rant - motives

Tonight because I was bored, I thought I'd share with whomever, a rant of mine about people who call a hacking technique lame without knowing the motives for using that technique.

In the world of Network and Internet Security, many people believe that exploiting certain flaws/bugs/exploits is just pathetic, retarded or "un-cool". Personally, I believe that it all depends on your current situation. A lot of people I've heard from believe that DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are utterly pathetic. However, if you really think about it, it's the exact same scenario as exploiting a vulnerability. The end result is still the same; the target is unavailable and/or damaged.

So, why exactly do people hate these certain techniques of disabling their target? A lot of the disliked techniques are old techniques that have been known for years, so I suppose that people might dislike them for that, but really, what's the difference? If someone were to use a DoS attack to temporarily disallow service to a database instead of using an SQL injection to achieve that same result (except the SQL injection would destroy the database), some might label the attacker as "pathetic", or "uncool". DoS might be easier to execute, so people dislike it more, but in reality, the end result would still be the same. It really annoys me when people label someone by the choice of flaw they use; instead, they should be labelling them for their motives of using that flaw.

Another example would be something I hear often. People who say "XSS and Social Engineering attacks are lame". Are you sure about that? Social Engineering is one of the most powerful skills a hacker can have. As Einstein put it, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former". In other words, no matter how much money a company spends on state of the art software, routers, hardware and firewalls, they will still be vulnerable (to a certain degree) to Social Engineering. What is Social Engineering? To put it bluntly, it's tricking someone. SE (Social Engineering) is hacking your target's mind, not computer.

So people say, "What about XSS? That has to be one of the lamest flaws in websites. They're everywhere and easy to execute so they have to be lame!" Wrong. Yes, XSS is found in A LOT of sites, and yes, XSS is easy to prevent, however, depending on your website, XSS might be the hole that could get your site defaced. What is a (relatively) easy way to get access to an administrator panel? Well, if it's vulnerable to XSS, an attacker can redirect the supplied credentials to his/her email address.

I believe that most people that hate the above mentioned flaws/techniques only hate them because of how easily they can be executed (depending on the situation that is!), but really, you have to think of the definition of hacking (which is different for everyone).
To some people, hacking is a learning path. To others, it's a game, an ego boost, or even a job. Before calling a technique lame, you should really ask yourself "What was the attacker abusing it for?". If you think about it, the technique itself isn't lame at all; what's lame is why the attacker used it. Taking over a site using an XSS vulnerability for an ego boost is lame. DoSing a site because they banned you for breaking their rules is lame. XSS and DoS themselves aren't lame. Sure, sometimes they can be easier than looking for another flaw, but if you're the attacker, you want to accomplish your task as quickly and as efficiently as possible. What were the first computers made for? To simplify calculations. So why should we go out of our way to find the hardest possible exploit in a site, when the easiest one (that can accomplish the exact same thing we need) is right in front of us? We shouldn't.

Now don't get me wrong, I'm not saying that trying to find an unknown exploit is bad (actually, I very much support the research of finding new flaws), I'm just saying that it annoys the hell out of me when I see people say that a technique is lame, without knowing, or wanting to know, the motive behind the attack.

Tuesday, July 3, 2007

Summer is here?

So, Summer has arrived, school is out and I have all the free time in the world.....actually, I really don't. I thought that by this time I would have tons of time on my hands, I was wrong.

So, as a final goal before I graduate, I've decided to build my own desktop computer. I've already bought the case (which cost me 105$ + tax) and a power supply (95$ + tax). Next thing I'll be keeping an eye out for will be the motherboard. The case itself is pretty nice, it's the black "Hush" by NZXT.

This summer, my main goals will be learning PHP, Perl, continuing along with C++ and to complete the Perm Program mission on HTS that requires me to create a 'simple' IRC bot (which I'll probably create in Perl).

I was planning on going to UVic or University of Waterloo for a Bachelor's in Computer Science, but I might head off to the Center for Arts and Technology as a Network Security Specialist... still haven't decided what to do but I'm keeping my mind open for any other areas (preferably in Canada) that deal with IT/Computer/Network Security... My plan is to join a Security Auditing company that deals with Penetration testing. Any suggestions on a path to achieve that goal?

Sunday, May 20, 2007

Backtrack

Definitely been a while since I posted back here, and quite a few exciting things, two of which are very exciting. First of all, last week I bought a new notebook, an HP Pavilion dv6355ca Entertainment notebook; 2GB of RAM, Nvidia GeForce 6150 Graphics card (not the greatest), AMD Turion 64 x2 Mobile Technology TL-60 (2 CPUs), ~2.0GHz.

Quite a nice little package. The best part of having the laptop is now I'm not always restricted by Dial-up. At home I'll still have to work with Dial-up, however whenever I'm in town I can usually find a useable signal around the mall or work. Perrrrfect.

Next important thing would be the Linux Distro I managed to find. Backtrack 2 is definitely worth looking into if you're interested in Offensive Security or Security Auditing (Not recommended for new Linux users). Their website can be found at Http://remote-exploit.org and Backtrack's Wiki can be found at http://backtrack.offensive-security.com/index.php?title=Main_Page

Interpals.net has been updated and the bugs I have found, and reported, have been fixed. The bugs were: Unfiltered HTML/script tags in Forum posts and PMs. I was even able to create a cookie stealer to "borrow" users' phpBB session cookies and log in as them. Forums were updated to phpBB2 with new features added.
I have also been made a moderator and work with the Administrator to report and fix any bugs I find.

Things to do this weekend:
--Partition my Hard Drive with G-Parted (Getting an error->Invalid Partition Table)
--Install Backtrack, if not I'll simply use the LiveCD
--Guide Time
--Homework->Short Story Analysy (purposely spelled like that), 3000 Word Short Story, Physics

Saturday, April 21, 2007

First Blog

So here I am, making my first blog and eating Sour Skittles.

The reason I'm making the blog is a secret! *Gasp*, or maybe I just can't think of a reason just yet ;-) but there is a reason why I chose "A Forest Path" as the name, which just might be part of the reason why I'm making the blog.

So, today I've done almost nothing (surprise surprise). Last night I got aLinux set up on my computer which makes a total of two Operating Systems on my Hard Drive now (aLinux and Window$ XP). As I stumble around in the dark trying to set things up, I learn different things here and there about the new OS on my system. My goal for the day was originally to get my Internet Connection working on aLinux, but it doesn't look bright. At least I managed to set up the Sound correctly... which took longer than I had expected. aLinux is a nice change from Windows and it's fun to find the differences between them, though setting up a Dial Up connection using Windows is a lot easier (so far) than installing it on aLinux (using the KDE Desktop)... Mainly just one thing that has been obstructing my path: whenever I try to set up the Modem location, it will say "Modem Ready" and then the program freezes; after closing it I try it again and it says "Looking for Modem", in which case it will freeze after that. Every time it freezes I have to change the location of where the Modem is supposed to be to the next folder in the drop down menu... Don't quite understand it yet, but I'm sure I'll get it eventually.

Earlier this morning work had called in to say it was really slow so they didn't need any extra hands, so I got them to schedule me for tomorrow instead, which gave me some more time to set things up here.

As for tonight, I'll be hanging out with some friends (like most Saturdays) so maybe I'll work on Jobapolitan (A game in Visual Basic I'm making for some friends, it's pretty much just for laughs) for an hour or two...though I think I'll try to set up my Internet Connection for a bit longer before I work on Jobapolitan