Copy Link
Add to Bookmark
Report
HBH 01
##########
### ###
### ### #### ## ## ## ######
### ### ## ## ## ## ##
### ### #### ## ## ## ####
### ### ## ## ## ## ## ##
### ### ##### ### ## #######
http://bitsofspy.net/newsletter ## ##### #### #### ##### ####
Content vault! ## ## # # ## ## ##
## ##### # # #### ## ##
## ## # # ## ## ##
##### ###### # # ###### ## ##
http://hellboundhackers.org
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
||THE NEWSLETTER||| |||Guest-writer(s) ||
|| ||| "Praise the bridge that |||-Uber0n ||
|| ||| carried you over." ||| ||
||ISSUE #01||| -GC- |||Amount oF texts ||
||==================|||=============================|||-Eleven (11) ||
|| Thanks to ||| ||| ||
|| ||| one |||Included secret? ||
|| [x]COM ||| one one |||-Yes ||
|| [x]Fuser ||| one ||| ||
|| [x]Futility ||| one ||| ||
|| [x]Moshbat ||| one ||| ||
|| [x]Only.Samurai ||| one ||| ||
|| [x]Spyware ||| one ||| ||
|| [x]Zephyr_Pure ||| one ||| ||
|| [0]Swartmumba ||| oneoneoneone |||Releasedate ||
|| ||| |||07-01-09 ||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|| ||
|| TABLE OF CONTENTS ||
|| ||
|| {01} Introduction [INT] ||
|| {02} HBH News [NEW] ||
|| {03} Post of the issue award [PST] ||
|| {04} BBS: The Documentary review [BBS] ||
|| {05} Article Review: Building a CMS 4 Dummies [ARV] ||
|| {06} Best programming language? [BST] ||
|| {07} Creativity of a hacker [CRV] ||
|| {08} Regarding Lol... [LOL] ||
|| {09} Mentoring, can it be done? [MNT] ||
|| {10} Moshbat's Corner [MBC] ||
|| {11} Q/A [QAA] ||
|| {12} End [END] ||
|| {13} vOid ||
|| {14} void ||
|| {15} void ||
|| {16} void ||
||// \\ ||
||\\. .// ||
|| \\ // ||
|| \\// ||
|| \/ ||
|| ( ||
|| ) ||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[INT]~staff -IntrodUction
Welcome to the beginning. The beginning of something new, something fresh
and hopefully enjoyable. Welcome to The Newsletter. The Newsletter is a
brand-new initiative that will combine, incorperate and connect with many
aspects of the hacking community Hellbound Hackers (HBH). This newsletter
will provide you with reviews, rants, security related writings and, of
course, news.
~staff
[INT continued]~Spyware
Hey, Spyware here. I'm the editor in chief of this newsletter. That
basically means I get to work with some great people I me(e)t while roaming
HBH. Together we aim to bring you something that's fun and informative to
read. I hope you can all enjoy the show.
This first release starts of with a hitch; unfortunately one staff member
already had to leave before this issue was released. Uber0n will be missed.
The reason for his early departure is because of personal, in-real-life
things that prevent him from working with us (at this time). I hope he can
rejoin us once more in a later stadium. Included in this issue though,
is one text written by him. Enjoy.
Another staff member, Swartmumba, hasn't been spotted for weeks. We've all
been looking out for him, but he hasn't returned (yet?). The reason for his
absence is unknown, we all hope he will be able to return to us in the near
future.
On the bright side, we added yet another name to our payroll;
Only.Samurai will entertain and inform us with his literature. Thanks,
Samurai. Welcome to the staff!
Well, this is it. I've made you all wait long enough. I'm doNe with this
introduction. Have fun reading the first issue of The Newsletter.
A bow for you all,
~Spy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[NEW]~Futility -HBH Updates
I regret to inform you that HBH has been taken over by power-hungry tyrants
bent on removing all honest folk from the site. That's right, Zephyr_Pure,
system_meltdown, and the rest are pure evil and want nothing less than your
first born child and a pint of the finest virgin blood, and they'll stop at
nothing until they get it. Let's take a look at the horrors which have been
committed in the past few weeks, shall we?
>'Update' Name: New Challenges
>Top Secret Code Name: Operation Doom
>Operatives: Everyone, but system_meltdown and SwartMumba in particular
That's right ladies and gentlemen- in the past few weeks HBH has gained
three new challenges for your enjoyment. Timed 6 revolves around fetching
data through a google search and returning it to HBH. The only problem is
that system coded it so it needed to be done in an impossible amount of
time. He's forcing us to use programming knowledge to complete it, rather
than common sense. What a jerk. Timed 7, along similar lines, needs to be
done in a short amount of time. It involves reading a barcode and posting
back whether or not it's valid, which is a pretty nifty idea. SwartMumba
can be thanked for this one. Basic 28, on the other hand, has nothing to do
with programming. You are given a common feedback script and you have to
get the message sent to you, rather than the 'admin'. This is one of my
personal favorites and we have to thank system_meltdown for it. If any of
you reading this happen to have a great idea for a challenge, feel free to
send it to any of the admins. We're glad to take a look at it and add it to
the site if it qualifies.
>'Update' Name: Fancy Code Bank
>Top Secret Code Name: Operation Enslave The People
>Operatives: Zephyr_Pure, root_op and system_meltdown
At first glance this might seem to be a good thing. I'm sure you've all
noticed how clean the code bank has recently become. But is that really
necessary? Does it matter how nice and clean things are? Hell yes, it does.
The old code bank was useless. It contained about ten simple calculators in
each language and other pieces of 'code' to waste space. One of
Zephyr_Pure's first actions as an admin was to go through and remove the
code that wasn't needed. That's right, he went through every single piece
of submitted information and weeded out the bad. Now, instead of a
festering cesspool, the code bank has the potential to become a central
part of the site. The good code is no longer weighed down by the bad, and
new submissions are being checked to make sure they are 'worthy'. But wait,
there's more! After seeing the community take heart to the clean new code
bank, root_op decided to take it a step further. He gave the code bank
syntax highlighting and made it retain tabs and spaces. System then removed
smilies from [coDe] tags. Now code is not only easier to find, but it is
easier to understand as well. Thanks you guys.
>'Update' Name: New Competitions
>Top Secret Code Name: Operation Mind Control
>Operatives: Everyone
The current HBH theme: you know it. You love it. You've been looking at it
for the past however long you've been here, and you're starting to grow
tired of it. Sure, there're others that you can change to, but let's face
it, they aren't the best. No offense, or anything, but they're too bright
for my liking. I'm sure they're too something for your liking as well. So
here's your chance. HBH has started a theme-building competition where all
you have to do is edit the CSS file until you like what you see. Really,
it's that easy. The best part is that on January 10th, we will vote on
which ones we like the most, and if you win, your theme will be added to
HBH for everyone to use. That's right, you can make HBH look like you've
always wanted it to. Check the news submission for more information. I,
Futility, have also taken the time to go through the CSS file and comment
in what each property does so that it's easier for all of you. Zephyr_Pure
has also taken time to put a new programming competition in motion. We're
not entirely sure on all the details yet, but it will involve using your
coding knowledge to create something useful for yourself and the community.
Can it get any cooler than that? I submit that it cannot.
These aren't the only new additions to the site. They're just the main
ones. root_op has been working on a PM notification system which lets you
know when you've run out of room in your inbox. Mr_Cheese is working on
improving the search system because the current one is a little buggy. What
about the pen-test challenges? For the year or so I've been here, there's
only been the one. Moshbat has taken command and submitted another one for
all of us to enjoy. It is currently being HBH-ified and should be available
for testing pretty soon. What about the FAQ section? Ever had a basic
question and got reprimanded for asking it in the forum? Well clone4, along
with the help of COM, decided to whip up a nice shiny new one. It hasn't
been put into effect yet, but can be seen in the 'God rank to easy?'
thread, which is a fantastic place to see all the helpful suggestions and
ideas that have been proposed. If you want to see something done, post your
idea there and we'll all take a look and see what we think. So, as you can
see, we HBHians have been a busy lot. The 'evil
masters' have made sure the past few weeks have been riddled with updates
and show no sign of stopping this disastrous course of actions. What a
bunch of jerks.
Till next update,
-Futility
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[PST]~Moshbat -Post of the Issue
The Post of the Issue award is a small column dedicated to praise the best
post made on HBH in the past weeks/month. We hope that this will inspire
people to ... well ... post less crap. Hopefully, people will try harder
posting quality content.
Without further ado, I will skip straight to the ceremony.
This issue's award goes to: *absence of drumroll* Kiyoura!
Kiyoura's post was one of the most helpful and informative I've seen in a
long while. I don't have a trophy to give, but I hope a mere mention
will suffice!
Congratulations!
[Kiyoura's post from: http://tinyurl.com/bestpost1]
~All of my projects, websites, and major applications are OOP.
~What I do before I start coding the actual applications are, write down
~notes of why and how you will need each class.
~e.g. Mysql: (brainstorm each method and member needed)
~constructor: connection to mysql via database information
~Members: (brainstorm)
~Methods:
~grabbing data
~sending queries
~etc.
~Another example,
~CMS controls
~constructors: any initialization that the object may need.
~Members: (brainstorm)
~Methods:
~log-in
~log-out
~etc..
~Remember, ask yourself before starting:
~(Do I really need to place this information in a class?)
~(How can I set up my applications so that other people can add/edit it?)
~Use the PHP manual as a reference for creating classes, if your going to
~use them, use it to its complete power.
~if you need help send me a PM.
~EDIT:
~Also, comment, comment, comment. There's no such thing as to many
~comments. I recommend looking at the PEAR's standards in order to
~understand how and when to comment.
[end of post]
Again, congratulations and keep up the good work! Let this be an example
for all HBH users.
See you next issue,
-Moshbat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[BBS]~Fuser -BBS: The Documentary
BBS: The Documentary Review
We all had these situations where we stay up all night in front of our
computers, staying online just for the sake of staying online. Now in the
age of multiple-core computers and broadband internet connections, almost
anyone can stay up all night facing their computers for a plethora of
reasons.
But back then, in the pre-Windows 95 era, staying up all night for the sake
of being online was only for the dedicated hardcore. Dialing up to a
bulletin board required time and patience, and these activities are usually
conducted at night for three main reasons, mainly because the calling
charges are cheaper, there is less line noise and there was less
interruption from friends and family than during the daytime.
This is what BBS: The Documentary is trying to capture. The director, Jason
Scott, himself had been involved in the BBS scene since the 80's, and
currently operates a website called textfiles.com which offers BBS-related
content such as text files ranging from an extensively retyped version of
The Necronomicon, hacking text files from legends such as the Legion of
Doom (LOD) and The Knights Of Chaos, ANSI and ASCII art packs, to an
exclusive hacking program called "Phantom Access" which was created
exclusively for the LOD.
This documentary is created as Scott realized that while there might be
other people who run websites during the BBS era, no one had created a
documentary about it. The documentary was intended by Jason Scott as a way
to bring nostalgia from that era, and to show the later generation on what
the BBS is all about before the internet becomes popular.
And in my opinion, the documentary is extremely well-executed, with the
topics separated for the viewer to watch the sections at any time they
want. There are 8 topics in total, ranging from the history of the
BBS, the System Operators, Commercial BBS's, Fidonet, the ANSI art scene,
the hacking/phone phreaking/cracking scene, The end of the BBS era, and
finally, about compression.
The level of dedication he took to create this is astounding, going as far
as to interview the co-creators of the BBS theMselves, Ward Christensen and
Randy Suess, the "veterans" of the scene (read: those that built their own
computers by hand) to those who had been cracking games for the Apple ][
computer system and drew ANSI artworks for their artgroup as teenagers.
Each topic is well-presented, with the background on the topic, the
technical details concerning the topic and an explanation about how certain
scenes, such as the ANSI art scene, operated with personal experiences told
by those who had been involved in the scene themselves.
Throughout each topic, images are being shown which helps enhance the
"feel" of being involved in the topic in question. They range from
screen shots, magazine scans, printouts, recorded images, real-life images,
news and advertisement excerpts, to recordings of the BBS loading.
One impressive feature of this documentary is that Jason hardly
narrates around it, and there is no input about his experience on the BBS
scene (mainly because he posted about that on his blog,
ascii.textfiles.com). Explanation is done by a screen with a background and
text explaining about it, hence reducing the problem of being unable to
understand or misunderstanding the topic in question.
A topic-related amateur-made documentary, 2600 Magazine's Freedom Downtime
was narrated by Emmanuel Goldstein himself and includes his gripes on how
unfair America was to Kevin Mitnick. While his frustration is understandable,
it makes his documentary feels like a personal vendetta.
In contrast to Freedom Downtime, in this documentary the persons
interviewed explain how the scene worked using their own, personal views
and their involvement in it. This helps the viewer understand the subject
better as it is explained in a detailed yet simplified way.
One of the impressive features is that some visual effects are used to
enhance the quality of the documentary. Images and photos are shown to
further clarify and explain certain things.
Conclusion
I wholeheartedly recommend this documentary to anyone who is interested in
one of the few histories of computing or those who want to relieve the
glory days of the BBS. This is a very informative and entertaining
documentary to watch and it has a high replay value. (I even converted some
the topics into mp4 so that I can watch it on my brother's PSP. Yes, it's
really that good.)
-Fuser
Extra
Images (./images/1.png through 5.png)
Picture 1: I don't know about you guys, but I don't think I'd buy my
computer from someone like him.
Picture 2: A cracking tutorial for an Apple ][ game.
Picture 3: John Madill on how he helped Tom Jennings to create FidoNet.
Picture 4: KillaHertz (ACiD/Remorse) on the time and process required to
create an ANSI/ASCII artwork. The image on the background was one of his
artworks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ARV]~Zephyr_Pure -Article Review
Article Review: Building a CMS 4 Dummies
Article Author: keiran420
Article Link: http://tinyurl.com/cms4dummies
Everyone knows that a first impression is the most important of all. At
HBH, this particular fact is often how a member is judged for the duration
of his/her stay. Every now and then, though, this traditional viewpoint is
pushed aside by a truly unexpected contribution.
HBH is home to a number of PHP coders, each at varying levels of
proficiency. Some have written and coded for the community, but these
contributions tend to be barely more than the basics. Syntax, forms,
sessions... these are all things that could easily be learned from any
other PHP tutorial. Previously, there was a large gap between the PHP
information available on HBH and the effective knowledge needed to code
something worthwhile (such as when completing the Other CMS challenge).
"Building a CMS 4 Dummies" is an article that seeks to bridge that gap
by presenting CMS concepts in terms that PHP amateurs can understand. The
author himself had not coded a CMS before writing the article, which
actually helped to make the concept easy to grasp. Also, the author's lack
of literary eloquence helped to set the tone for the article, which was
wonderfully simple. All in all, the author did a great overall job at
explaining things in the way that he learned and utilized them.
Now that the pleasantries are aside, it's time to pick the article
apart. First, the section that defined a CMS needed a bit more content.
Saying that a "content management system" is a tool that allows users to
control / add content is like saying that Toyota is a vehicle manufacturer:
while that statement is true, it hardly suffices as an introduction.
A solid definition, followed by listing some popular open-source CMS
packages, would have served better in that section.
The descriptions of the functionality and coded functions are precised
and structured, but there is a bit of dead weight there. To explain
better, we must think of OOP as merely bringing order and reusability to
common functions and objects. That is, we should have unique objects for
repeated database class usage and unique functions for repeated database
access. Here are the 15 included functions from the article:
Connect(), Disconnect(), login(), Checklogged(), logout(), UserLevel(),
AddData(), DeleteData(), UpdateData(), ReturnAll(), Returndata(),
Adduser(), edituser(), DeleteUser(), ReturnUser(), encode()
The ability to connect to the database should be triggered as soon as a
new database object is instantiated, so there is no need for a formal
"Connect" function; it can just be placed in the constructor for the class.
Also, by default, MySQL connections are not treated as persistent and are
reused automatically, so there is no need (although it is a structured
pleasantry) for a "Disconnect" function; this can be placed in a logout
script / function as simply "mysql_close()", since calling this function
without an explicit link identifier will close the active instance.
The "login" and "logout" functions will only be used once in most
implementations, but the inclusion of them as functions makes sense to keep
the functionality in a single maintainable file. The "Checklogged" and
"UserLevel" functions make much more sense, since they will most likely be
included on every page.
The questionable portion of the function list comes from the excessive
duplication that exists between the "add/delete/update/return" complex of
functions. At this point, you must question the necessity of defining
separate instances of objects that will only exist "in theory"; that is,
why define a class for an object that has no unique characteristics?
Between the typical database functions and the user functions, the only
real difference is the table name, which is being passed as a parameter to
the database functions. Force your functions to accept an array of
database fields (instead of separate function parameters), and you have a
set of universal functions to do every little thing you like. This, there
is no need for the user functions at all.
To finally sum up the function list, the "encode" function is a
necessary implementation. Having a sanitizing function in a complex
implementation IS A MUST. If you determine that your current method of
universally sanitizing input is inadequate, you nEed to be able to make
that change as quickly as possible. Updating one function is much easier
than updating multiple implementations. It's impressive that a learning
coder is able to grasp this concept, and all aspiring coders should learn
from it as well.
Now, for nitpicking the rest of the article... No one in their right
mind uses the "REQUEST" superglobal, since that encompasses both GET and
POST functionality and, as such, is vulnerable. Sessions are better than
cookies both for their simplicity and their implementation:
"session_start" to start / continue a session, $_SESSION['whatever'] =
'blah' to set a session variable, and "session_destroy" to end a session.
Also, cookies are stored and easily accessible / modified client-side,
while sessions are not.
The database connection variables need not be stored as class
properties, as they are only used once (to connect initially). The
"CheckLogged" function, in its current implementation in the article, makes
little sense; as the cookies expire automatically, just sanitize the
cookies as you use them and manually expire your sessions (when you use
them). The use of iframes to place potential content should be discouraged
in favor of using simple PHP includes, so the $emlink iframe is not ideal.
True and false values have traditionally translated to 0 and 1 values so,
when checking the $Loggedin variable, it is not necessary to test it
against 0.
The easiest way to do BBCode to HTML conversions is to use arrays with
keys and values; that way, when you're looking for the HTML equivalent of
[b], you need only access $array['[b]']... as an example. Use a foreach
loop, and you can call the str_ireplace function with the key, to be
replaced by the value, for the whole array.
The rest of the article is perfectly viable from a viewpoint beyond
that of an amateur. It is important to note that I am merely tailoring my
review to cater to a progressive learning process from the status of an
amateur coder. The article itself was perfectly viable for an amateur to
understand but, in the process, that amateur should be seeking to make
revisions and updates in accordance with gained knowledge and precision.
To that end, this review seeks to be a bridging point. It is up to the
author of the article to continue the process by refining the CMS with OOP
characteristics, session usage, and more functionality.
Tune in next issue, same bat-time, same bat-channel,
-Zephyr
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[BST]~Futility -Best Language?
What's the best programming language to start out with? Which one is the
easiest to learn? What would be the most useful language for me to learn?
How many times have you seen these questions in the forum? How many times
have you thought them yourself? Well I'm here to shed some light on the
situation. Remember, these are purely my opinions. Every language is better
at something than the others. It really all depends on what you want to do.
Anyway, here is what I would suggest.
What is the best programming language to start out with/which is the
easiest to learn?
In my opinion, this would have to be Python. Your commands are written in
plain English and there are tons of useable modules right off the bat.
Python also has the ability to be ported over to tons of other languages,
making it extremely versatile. How about we take a look at some sample
code? Perhaps the infamous 'Hello World' will convince you.
print 'Hello World'
That's it. Save the file as <anything>.py, and you're ready to go. So
printing to the screen is easy, but how about variables? Those could
sometimes be a pain to figure out. Int vs. long vs. byte vs. string vs.
bool... Python eliminates all this muck by taking care of assignment issues
behind the scene. If you want to use a variable, all you have to do is
think up a name and set it equal to something. Sure, there are
dictionaries, tuples and arrays, but they're not that hard to get used to.
Functions are similarly as simple as can be imagined when writing in
Python. You just type:
def function_name(local variables):
Anything you might want.
Sure, the entire language isn't as easy as this. It gets much harder the
deeper you go, but so does every other language. Python is useful for
quickly pumping out smaller projects. If you want large, in-depth programs,
then Python probably isn't the best way to go. I consider it a good
language because of how simplistic it makes the small mundane tasks that
all programming languages must cover. Its extensive module index is also
extremely helpful for projects. Just type import module_name at the top of
your program, and you're good to go. I could go on for pages about Python,
but I will put my personal opinion about it aside for a moment and speak
generally since it's you who are deciding in the end.
Most modern programming languages are very similar, not in every
functionality of course, but within the area discussed and even beyond they
tend to coincide a lot. Most of them share certain aspects, are quite
understandable and just like Python, are based on the English language for
it to be that way. Even if you might not be able to sit down and program
something in a different language, if you've learnt one or two to get the
general concepts it means that you can read most code written and get a
general understanding of what it's supposed to do. No language is
guaranteed to be easier to learn, there are myths about some being very
easy and others immensely difficult, but it ultimately all boils down to
two things: 1. how well explained it is, whatever source it might come from
and 2. how much you want to learn it. Nothing really beats motivation, sure
it can't be explained in whatever horrible manner possible, but it's the
latter point that really tears down the walls between the languages and
their difficulty to be learned.
What is the most useful language for me to learn?
Now this one is much more difficult for me to answer. Like I said, every
language is bested by another in different areas. No one thing can be 100%
better than every other one. I'm very interested in web-based security.
Since a huge number of sites implement PHP, knowing it would be a large
advantage. PHP, combined with HTML, SQL, and Javascript can do just about
anything you can imagine. You want a forum on your website? Go ahead and
code one. You want to create a content management system? Guess what you're
going to need. If you want to make a real website, PHP is usually your best
choice. As a bonus, learning how to write the language will teach you how
to exploit it as well.
Remember, this whole article is my opinion. You may agree with me, or you
may disagree. The purpose here was to try and clear up some of the
potential questions that will come up. A preemptive strike, if you will.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[CRV]~Only.Samurai -Creativity of a Hacker
We've all seen Hollywood's depiction of hackers. Flashing graphics, strange
clothing, all night soda binges. This fantastical display of the 'hacker
subculture' provides very little insight into the technical aspects of
hacking. Very little of what we see is remotely close to the true
inner-workings of hacking. Despite this inaccuracy, the people involved are
shown in a realistic sense. The clothing, the 'catch phrases', the actual
culture displayed may or may not be accurate depending on who you speak to,
but the motivation and creativity displayed are universal. Hacking is
thinking outside the box in a technical sense. While you may need a vast
technical knowledge to execute an attack, the process of developing the
methodology can be accomplished without nearly as much technical knowledge.
These movie characters stop at nothing to accomplish their goal and often
find unorthodox solutions to problems.
Look around whatever room you are in and find a light. Can you think of 10
different ways to make that light useless? When I teach classes or lecture
at conferences I like to use this as an opening drill. Most of the time
people only come up with 'turn off the switch' or 'take the light bulb
out.' While these are valid answers, they are not very creative. What I
like to see are answers more like 'destroy the power company,' 'shoot it,'
or 'over-load it with current.' 'Destroy the power company' is a great
example of a non-technical example explaining something useful. While that
particular person didn't know about power grids or how that part of our
infrastructure works, they did understand a creative way to exploit it.
What is all this talk about creativity? Why is it so important? When you
are doing a penetration test, odds are good it is not on a virgin
environment. An environment void of firewalls and lacking patches would be
ripe for the picking, but this is rarely our situation. Creativity is how
we bypass the security already in place. Hacking is the art of using things
in unexpected ways, the art of being clever.
To give an example, think of a simple SQL injection vulnerability in a form
field for a first name. The developer was either careless or clueless when
he passed the value to the database and left it vulnerable. We'll hope that
he was more clueless than careless and proceed. As a hacker, we look
at the input and see the potential to exploit his database by injecting our
own queries, but to the developer it's simply a form field for a name. The
developer never saw this attack coming because of what he thought the code
did, rather than what it was capable of. A hacker has to be creative in
order to successfully understand and exploit things.
A great example of exploiting using creativity are logic flaws or process
exploits. These vulnerabilities are exploited when a hacker finds some
portion of code that the developer assumed would be used correctly. If you
were to goto a website and see a login field you couldn't bypass, odds are
good that's the end of trying to exploit it. Now, applying our new found
creativity, what if we guessed what URLs an authenticated user would have
access to and type them in manually. Many developers simply do not display
links to pages you don't have access to, but don't enforce those
restrictions. This perfectly illustrates how a hacker will use something in
an unexpected way. By attempting to find pages that we weren't presented
with links to, we completely bypass the 'workflow' of the application and
therefore can introduce vulnerabilities in the process, rather than the
code.
While many vulnerabilities require an in-depth technical knowledge to
exploit, this technical knowledge isn't required to be a 'hacker.' A hacker
without technical knowledge would do a poor job of executing his attacks,
but the concepts of thinking outside the box and finding places to look
that no one else did, or putting things together in just the right way to
reach the goal, these are creative skills.
-Samurai
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[LOL]~Futility -Rant regarding LOL
Alright. Futility here, and I'm about to complain about something that's
been bothering me for the past few... well... forever really. Now before I
delve into this rant, I need you to do me a favor. Open up any instant
messaging program you might have and send a message containing
"Two men walked into a bar. One said 'ouch'" to everyone you know. I can
guarantee you that at least one person will respond with an "lol" even
though the 'joke' is devoid of anything that can be considered funny.
This is where the rant begins. Why is "lol" used for everything? It could
mean, "Hah. Funny.", or, it could be deciphered as, "Wow, that was a good
joke!" Or, as in most cases, it could simply mean "I have nothing else to
say so I'm going to fill the void with a useless acronym because everyone
else does." How did this start? How did "lol" become the universal
'everything' word? Who started it? Why? If any of you happen to know the
answers to these questions, please tell me, because I really want to give
him/her a piece of my mind... and my fist.
"Lol" in itself doesn't really bother me that much. When something is
genuinely funny, I'll type it. Why? Because it means that I'm laughing out
loud. Sometimes 'ha' just doesn't cut it, I understand that. The part that
bothers me is how everyone uses it in every situation ever.
-I failed my math test today.
-lol
-I just saw my first James Bond movie.
-lol
-Listen, I'm not sure this relationship is going to work. Maybe we should
start seeing other people.
-lol
-No really, I'm not joking. I honestly don't love you anymore.
-lol
These conversations were, of course, decoded and rewritten in English to
aid in the understanding of those who read it.
This is how they originally read:
-i fai1d mi mth tst 2dA :(
-l0l
-i jst saw mi 1st JB movy!!1!!!
-looooool
-im sry, but im not shure if i can b w/ u nemore
-lol
-me no luv u no more
-lol
My hatred is not only for lol. It is, in fact, dedicated to the loathing of
all the acronyms/abbreviations/made up words that populate the phone lines
today. Is it really that hard to type the two extra letters in 'you'? Why
is it so difficult to type in English? Do you really save time by not
typing a few letters? Is pressing that extra key really that taxing?
How about speaking English? Is that too hard as well? The other day at
school I actually heard someone say, "Wow, you're gay! (pause) omg lol jk
jk." I can honestly tell you that I panicked. For a brief second I didn't
know what to do, I was speechless and scared. But I'm a man and decided to
stop this infection before it continued to spread into the 'real world'. I
punched the kid in the balls and hit him over the head with a waffle iron.
I then dragged him to my basement where he resides to this very day. Last I
heard from him, he was complaining about needing food, or something. But
the texting speech was gone. He was cured. I couldn't take any chances
though, so he's still down there... I think. I haven't really checked for a
couple weeks. Anyway, I thought I had saved planet Earth from the danger.
But, alas, it had spread much faster than I could have ever imagined. Now
it's common to hear this crap on a daily basis.
I'm assuming all of you non-English speakers are plagued with the same
affliction that we are, correct? Well I think it's time to take arms
against this corruption before it gets even more out of control. Stop
making up words in your texting. Stop using stupid acronyms in place of
real words. Stop saying the same thing that everyone else does. And for
God's sake stop actually pronouncing these ridiculous abbreviations in your
everyday speech. Because if you do, I will hunt you down and personally rip
out your vocal chords. You have been warned.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[MNT]~Guest writer: Uber0n! -Mentoring, can it be done?
I joined HBH about two and a half years ago, since then I've noticed a
change in the attitude towards mentoring and asking for the same. Mentoring
has changed from something respectful and amazing to an almost sure path to
a flamefest. Why has this happened? Is mentoring a good way to learn or is
it only a free ride? What do you have to do to get a mentor/why won't you
get one?
The answers to these questions lie within understanding what a mentor truly
is, that is what I will explain.
Most people see the mentor as just a teacher, they make a quick post
requesting mentoring and assume that will be fine. That's where they're
wrong, a mentor is far more than a teacher. As a quick comparison one might
say that asking for a mentor is like asking for a boyfriend/girlfriend, a
partner. It is not something that you just make a quick post about in a
forum and then expect to get someone who will fulfill your expectations.
However, that comparison serves just as a quick and simple example,
obviously a mentor isn't the same as a boyfriend or a girlfriend. At some
points they're more and at some points they're less, but the important
thing is that they are a sort of partner, someone that you will spend time
with and who you will have to get to know better.
A mentor's traits are always compared to that of the student, but what is
it that a mentor really is? A mentor is someone who possesses a lot of
knowledge about something to be able to teach, we all know that. However, a
true mentor has two more qualities about him that elevates him to something
much more important. What a mentor has besides knowledge is wisdom and
experience. Never underestimate these traits, a mentor is a master at what
he's teaching you and you are only an apprentice, thus a mentor deserves
more than just attention. He deserves appreciation and respect as well and
without that nobody can expect to get or keep a mentor. A mentor takes time
to truly sit down and pass on that knowledge, wisdom and experience to you,
one of the immense amount of people who also want a mentor and could also
benefit from it in some way. A mentor is almost something holy, it's a
partner, a teacher and a master, not just someone you will find giving
classes in your local school and think that you can drop in on a couple of
classes and pick some knowledge up. Having a mentor is not a one year class
you sign up to, it's a true blessing.
Many aren't ready for such mentorship, hopefully most will realize that
themselves. You have to show respect to a mentor if you want one and show
how dedicated you truly are, else it's a guaranteed waste of time for him
and nothing will happen. One has to already know about the things they want
to advance within, you can learn by yourself, a mentor isn't there to hold
your hand and guide you through everything and he will only be impressed if
you show that you are trying. It's expected to know at least basics within
the subject you are seeking mentoring within and you have to show a
dedication by searching for the answers yourself. Turn to a mentor only
when you truly need his guidance and be specific with what you want, you
can't say something vague and general like hacking and expect a thorough
explanation of it.
To get a mentor it is mostly easiest to show these things by trying
yourself and just occasionally asking questions, getting to know the person
who has the traits of a mentor for you and one day you might develop a
mentor - student relationship. Even when you just ask someone a question by
sending them a PM or any other way, you have to show respect to the person
and try your best to make what you've written look good and understandable.
People have begun conversations with me starting with "hey Uber0n, im a
n00b can u mentor me plzz?" and this doesn't even live up to a help
request. You can't ask any random crap and expect others to just decipher
what you're trying to say and help you. Asking for a mentor requires even
more than what you have to show when you just ask for help. When you make a
post on a forum to get a mentor, you are basically trying to meet all the
mentioned criteria, you have to instantly, in one little post show your
dedication, respect, understanding and appreciation and that is nearly
impossible, especially if you are new and nobody knows a thing about you
yet.
Hopefully this has given you a better understanding of what a mentor is and
why things are as they are. Don't give up hope on finding a mentor, but
don't expect to just get one handed to you for free.
-Uber0n
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[MBC]~Moshbat -The Encounter
I was going to start my section with "Welcome to my section on the
newsletter...", but then I remembered you're not welcome here.
In this small section I will write things. Yes, just things. I hope you're
able to squeeze a laugh or two out of my things, but I'm not too
optimistic. Before I plough on with my ramblings, I must state: Any seconds
you waste reading this will not be returned. Also, some of my content may
be a bit below the belt. Not my problem if you happen to take offence.
Not much happens in my life, you know. My time is split between school, the
computer and my girlfriend, and I often find myself faced with a dilemma:
Which is most likely to shout at me? Don't get me wrong, I'm not sexist in
the slightest. I happen to hate people who see the opposite of sex as mere
objects, toys, if you will. I mean, have you ever found a toy that will
blow up on you the moment you happen to say the wrong thing? Well,
excluding the brand new "terrorist-2" figurine, which is an upgrade of the
"terrorist-1" figurine, which just shouts "INFIDEL" and "DEATH TO THE WEST"
all the time.
I have just realised that this whole writing humour thing isn't quite as
easy as I thought it would be. I find it easier to take the piss out of
people than just write random jokes, so that's what I'll do. I'm rather
good at bitching, but a problem I often face is doing it to people's
faces... And if you've seen me, you might realize that, living where I do,
I'm very much in a minority. I'm sticking with the loose theme of my life,
so I'll tell you a quick annecdote. I'm still at school, a school filled
with completely "normal" people, and "gangstAz", which loosely translates
into "Soft as shit, but hard in large numbers against one or two people".
And as I seem to be the exact opposite of normal I seem to be a little
free-for-all target. Enough background information, on with the little
story. Walking down the main corridor between lessons I always seem to
attract various witty comments, the smartest of which includes "Jesus". As
you may know, I like my little retorts, and these comments usually come
from Muslims (Nothing against them, nor am I pidgeon-holing -haha- a
certain group of people) and to my understanding, they believe Jesus to be
a prophet. Now, if a it causes a bit of controversy to call a teddy bear
"Muhammed", what the fuck will they say about calling a "faggot" Jesus? So
rather than explaining this to their usually low-powered brains, I merely
reply "Get down on your knees, and worship me", an inuenndo if I ever saw
one.
Another favourite thing to shout in my general direction is "get a
haircut", how they come up with these I will never know. On one occasion, I
happened to reply to this particular command something like "You gonna make
me?", not at all very constructive, and a definite fight-starter. What I
failed to realize was that the individual who shouted this was at least
twice my size, and flanked with about four rather braindead cronies. The
rather well spoken and bright individual said to me, as his cronies formed
a semi-circle around him rather like a satelite dish, possibly they hoped
that in assuming this formation they could recieve TV signals telling them
what to do next to look hard (other than shoving banannas down the front of
their pants), "Did I say that, though?". Please note that that has been
translated from "d'd a sa tht tho? ye".
After a couple of minutes trying to argue, they just walked off, shouting
various "insulting" comments after them. Apparently, they didn't quite know
the meaning of the phrase "fornicate your siblings". Ah well.
Thanks for reading,
-Moshbat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[QAA]~staff -Questions and their answers
We like to ramble on, but what would -you- like to hear? Do you have a
question that desperately needs answering? Lost in a manual? Question
marks floating around your head?
Ask us! We can't answer every question you might have, but we can answer
many hacking- and computer related questions. Send your question(s) to
any Newsletter staff member. You can contact them by using the PM
system on HBH.
We'll try to publish as much questions as we can in the follow-up issue.
You can decide to stay anonymous, that's fine by us. We remove names like
crazy.
Now, send us those questions!
-Newsletter staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[???]~??? -???
This could be your spot! Here, you could have written your own text.
Perhaps you would have reviewed a piece of code. Maybe you wrote a
rant. You could have tried to explain XSS worms, or some new attack vector
you found on that weird russian site.
We would LOVE to hear from you! If you have something to submit, please do!
The Newsletter is looking for guest writers! If you have something to say,
contact Spyware on HBH.
Rules:
1) Manners.
2) Does it "fit" in The Newsletter?
3) Check your work before submitting. Do it twice, no, three times!
We're waiting for you!
-Newsletter Staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[END] -Thanks for reading!
Issue: 001
Download from: http://bitsofspy.net/newsletter
Published on: 7 January 2009.
[CRC-32 IEEE 802.3: A90D068F] ~Remove this line before checking.
####### ##
## ## ##
## ##
##### ## ## ## ##
## ## #### ## ##
## ## ## ## ##
## #### ### ### ##
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
