The end of summer is almost here, which means I'll soon have to go back to work and school. Right now I'm writing from Ontario, my friend I'm visiting is at work and I've got some spare time to spend on my laptop (thankfully she has Highspeed).
This summer has went extremely fast, and it feels like I've gotten nothing substantial done. I've done little bits here and there, added a couple small features on my site, got the downloads back up...but I haven't had the free time to do the most important things; Learn PHP, learn Perl, code a simple IRC bot...So I'll have to push those things farther down until I get time. I am starting with a bit of PHP and shortly after I'll learn a bit of Perl. Thankfully, I taught myself some CSS basics and have implemented a tiny example into my site that I'll continue to work on as time goes on. Also, I've installed the Apache webserver and PHP on my laptop so I'll be able to work/test some work without an internet connection.
Some useful links that helped me setup PHP on Windows Vista:
Apache in Windows: http://www.apachelounge.com/forum/viewtopic.php?t=570,
PHP installation: http://www.php.net/manual/en/install.windows.manual.php
System Path/Variables in Windows Vista: http://banagale.com/changing-your-system-path-in-windows-vista.htm
Some things I need to do when I have time:
Fix and upload WAR.exe (Website Automated Reloader)
Learn PHP
Learn Perl
Brush up on C++
Partition Hard Drive -> Install Linux
Think about installing MySQL
Friday, August 24, 2007
Sunday, August 5, 2007
Rant - motives
Tonight because I was bored, I thought I'd share with whomever, a rant of mine about people who call a hacking technique lame without knowing the motives for using that technique.
In the world of Network and Internet Security, many people believe that exploiting certain flaws/bugs/exploits is just pathetic, retarded or "un-cool". Personally, I believe that it all depends on your current situation. Alot of people I've heard from believe that DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are utterly pathetic. However, if you really think about it, it's the exact same scenario as exploiting a vulnerability. The end result is still the same; the target is unavailable and/or damaged.
So, why exactly do people hate these certain techniques of disabling their target? A lot of the disliked techniques are old techniques that have been known for years, so I suppose that people might dislike them for that, but really, what's the difference? If someone were to use a DoS attack to temporarily disallow service to a database instead of using an SQL injection to achieve that same result (except the SQL injection would destroy the database), some might label the attacker as "pathetic", or "uncool". DoS might be easier to execute, so people dislike it more, but in reality, the end result would still be the same. It really annoys me when people label someone by the choice of flaw they use, instead they should be labelling them for their motives of using that flaw.
Another example would be something I hear often. People who say "XSS and Social Engineering attacks are lame". Are you sure about that? Social Engineering is one of the most powerful skills a hacker can have. As Einstein put it, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former". In other words, no matter how much money a company spends on state of the art software, routers, hardware and firewalls, they will still be vulnerable (to a certain degree) to Social Engineering. What is Social Engineering? To put it bluntly, it's tricking someone. SE (Social Engineering) is hacking your target's mind, not computer.
So people say, "What about XSS? That has to be one of the lamest flaws in websites. They're everywhere and easy to execute so they have to be lame!" Wrong. Yes, XSS is found in A LOT of sites, and yes, XSS is easy to prevent, however, depending on your website, XSS might be the hole that could get your site defaced. What is a (relatively) easy way to get access to an administrator panel? Well, if it's vulnerable to XSS, an attacker can redirect the supplied credentials to his/her email address.
I believe that most people that hate the above mentioned flaws/techniques only hate them because of how easy they can be executed (depending on the situation that is!), but really, you have to think of the definition of hacking (which is different for everyone).
To some people, hacking is a learning path. To others, it's a game, an ego boost, or even a job. Before calling a technique lame, you should really ask yourself "What was the attacker abusing it for?". If you think about it, the technique itself isn't lame at all, what's lame is why the attacker used it. Taking over a site using an XSS vulnerability for an ego boost is lame. DoSing a site because they banned you for breaking their rules is lame. XSS and DoS itself isn't lame. Sure, sometimes they can be easier than looking for another flaw, but if you're the attacker, you want to accomplish your task as quick and as efficiently as possible. What were the first computers made for? To simplify calculations. So why should we go out of our way to find the hardest possible exploit in a site, when the easiest one (that can accomplish the exact same thing we need) is right in front of us? We shouldn't.
Now don't get me wrong, I'm not saying that trying to find an unknown exploit is bad(actually, I very much support the research of finding new flaws), I'm just saying that it annoys the hell out of me when I see people say that a technique is lame, without knowing, or wanting to know, the motive behind the attack.
In the world of Network and Internet Security, many people believe that exploiting certain flaws/bugs/exploits is just pathetic, retarded or "un-cool". Personally, I believe that it all depends on your current situation. Alot of people I've heard from believe that DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are utterly pathetic. However, if you really think about it, it's the exact same scenario as exploiting a vulnerability. The end result is still the same; the target is unavailable and/or damaged.
So, why exactly do people hate these certain techniques of disabling their target? A lot of the disliked techniques are old techniques that have been known for years, so I suppose that people might dislike them for that, but really, what's the difference? If someone were to use a DoS attack to temporarily disallow service to a database instead of using an SQL injection to achieve that same result (except the SQL injection would destroy the database), some might label the attacker as "pathetic", or "uncool". DoS might be easier to execute, so people dislike it more, but in reality, the end result would still be the same. It really annoys me when people label someone by the choice of flaw they use, instead they should be labelling them for their motives of using that flaw.
Another example would be something I hear often. People who say "XSS and Social Engineering attacks are lame". Are you sure about that? Social Engineering is one of the most powerful skills a hacker can have. As Einstein put it, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former". In other words, no matter how much money a company spends on state of the art software, routers, hardware and firewalls, they will still be vulnerable (to a certain degree) to Social Engineering. What is Social Engineering? To put it bluntly, it's tricking someone. SE (Social Engineering) is hacking your target's mind, not computer.
So people say, "What about XSS? That has to be one of the lamest flaws in websites. They're everywhere and easy to execute so they have to be lame!" Wrong. Yes, XSS is found in A LOT of sites, and yes, XSS is easy to prevent, however, depending on your website, XSS might be the hole that could get your site defaced. What is a (relatively) easy way to get access to an administrator panel? Well, if it's vulnerable to XSS, an attacker can redirect the supplied credentials to his/her email address.
I believe that most people that hate the above mentioned flaws/techniques only hate them because of how easy they can be executed (depending on the situation that is!), but really, you have to think of the definition of hacking (which is different for everyone).
To some people, hacking is a learning path. To others, it's a game, an ego boost, or even a job. Before calling a technique lame, you should really ask yourself "What was the attacker abusing it for?". If you think about it, the technique itself isn't lame at all, what's lame is why the attacker used it. Taking over a site using an XSS vulnerability for an ego boost is lame. DoSing a site because they banned you for breaking their rules is lame. XSS and DoS itself isn't lame. Sure, sometimes they can be easier than looking for another flaw, but if you're the attacker, you want to accomplish your task as quick and as efficiently as possible. What were the first computers made for? To simplify calculations. So why should we go out of our way to find the hardest possible exploit in a site, when the easiest one (that can accomplish the exact same thing we need) is right in front of us? We shouldn't.
Now don't get me wrong, I'm not saying that trying to find an unknown exploit is bad(actually, I very much support the research of finding new flaws), I'm just saying that it annoys the hell out of me when I see people say that a technique is lame, without knowing, or wanting to know, the motive behind the attack.
Subscribe to:
Comments (Atom)
