commodo

Active Members
  • Posts: 56

Profile Information
  • Gender: Male
  • Location: Cluj-Napoca, Romania


  1. One of the guys in charge of these services gave me some slides to pass around. He saw the post that I added here, and asked me to show you the slides. To answer a question before anyone thinks of asking it, the question being "So, why aren't these guys here in person to present/defend their project(s)?", the answer is simply that they're too busy working on the stuff, and even though they're making their stuff known, you can all probably guess that the effort implied is considerable. And I'm just helping coz I don't have anything better to do at work. That, and I think they have a good approach with both ideas. The slides are not much; maybe they'll help with some clarification, even though I think they will probably raise more questions/comments and hence more discussions [which is good a lot of the time]. The slides usually come with a presenter talking in front of a live audience; I'll probably pass the message along to them to record one of their presentations that they'll do in English.

     ========================================

     Having said that, some replies are in order; mainly to comments I haven't replied to yet.

     @bobbyb1980: related to 1), startups usually start off slow; there are a few examples even in the IT world that have rapid ramp-up and they're usually correlated with the dotcom boom, or some sort of speculative market. Even though there are some pen-testing/testers at affordable prices, that still leaves enough room for such a service (IMHO at least); plus, from what I've seen, you pretty much get a full VM (root access and all) running your stuff, so you can test pretty much anything that you can put an internet connection on (like your shiny new Java/Python/Perl/PHP web framework if you have one). Now that I think about it, maybe your comment is actually useful, to tell them to extend the description on their website.

     Regarding exploit-db: maybe they'll take a look [if they're not doing that already] at exploit-db, and integrate some of that info into their service, so as to identify known exploits/vulnerabilities vs new ones. Related to 2): well, any help/recommendations/requests you have for courses are welcome. The idea is to at least centralize the data/courses, so that it can be validated. That way the pollution of misleading information can be reduced/addressed.

     @ihackforfun: "I agree with digininja, I would not like to see my server being attacked without my monitoring" - nobody said anything about [production] servers not being monitored; the idea is to test it out like you test cars in crash tests [only in reverse]; you're not sending your server against any wall(s), you're letting crackers have a go at it; and [I'm repeating myself here], it's not the actual production server, but a replica with Lorem Ipsum/fake data. When you're saying: "companies like google have the resources to patch vulnerabilities fast, most other companies are not so lucky ..."; well, this is who HackaServer addresses: the companies that are not Google, Facebook, etc. with the big money; companies that can't afford 50.000$ security audits and quick response/patch-up times, but can afford to pay for a service that is

     """
     If I were to use this service I would:
     - make sure the DB is empty or filled with random values, I would not even trust randomising existing data
     - make sure the server nor any of the software indicates the company the server is from
     """

     This is actually implied when using the service; I have to apologize for not explicitly saying this, and to thank you for pointing it out [no sarcasm was implied here, so if you feel there is one, you're just imagining it and had too much coffee]. The hackers/crackers MUST NOT know who they've hacked, just as the hacked/cracked people MUST NOT know who hacked them.

     If you don't do it like this, there's a risk of it not being a fun/useful service to use. From what I recall when talking to the guys, they actually said that all servers that will be put up for testing will go through a check-phase to make sure they're compliant with some guidelines [which hopefully they have by now], so that the company's anonymity is ensured. I think this may also be a reason behind Hackademy, i.e. how to create a replica server for crowd pen-testing, since some clumsy sysadmins could actually put up company data. And to wrap up a response to your comment, I'll pass along your appreciation for Hackademy; they probably need some encouragement.

     @Radau: the guys at Hackademy/HackaServer will appreciate your appreciation; I'll pass that along as well.

     ========================================

     That's about it for now with the replies. One last part. A use-case that HackaServer would help with: structure migrations. Say you have Apache + MySQL and want to migrate to Nginx with NoSQL; or you're running everything on FreeBSD and would like to try it on Fedora/Debian. Having the chance to try out a migration from a security standpoint could be useful. Then when that configuration stands the crack-test, you can feel a bit more comfortable if you put it in production. I can understand that some questions might arise like "How do you know if a server is cracked?"; I have no idea yet to be honest; I can ask them a bit more and find out. But I'd rather tell them to WTFM so everyone else can RTFM.
  2. Hey Radau, well, they're just starting; and I don't know about pentest requirements for businesses. That could be a requirement in the US. Their goal [and target] actually is the smaller businesses that don't have tens of thousands of dollars to spend on professional pentesting. If that law gets a go-ahead in the US, then it might help out their business. The guy in charge of business [of the service] actually described it to me as an alternative for smaller businesses that don't have that kind of money like Google/Facebook, but rather somewhere in the range of a couple of thousand, which [let's be honest] is what you generally pay for a sysadmin. So, even if your sysadmin is good, you may still want to get a rundown of your security.
  3. Perhaps it won't take off; who's to say? And I said replica, not clone; a clone is an exact duplicate, a replica implies similarity, not necessarily a duplicate. The idea is to create a replica by adding the stuff that you want to see if it stands or cracks. Other information can be filled with Lorem Ipsum.
  4. Hey, this is a bit of spam, but hopefully some of you might find it useful. I have a friend who's launching 2 online services.

     1) HackAServer - as you all know, pentesting is done by specialized security companies and costs a lot of money; the approach with this one is for lower budgets (around 1000-5000$ for a pentest); the idea is that you configure a replica of your production server (or web application, or whatever) and that gets put into an arena where hackers/crackers hit it with everything they have; the first one to find a security hole or exploit gets the bounty after filing a hack report. It's something like Google or Facebook sometimes do, where they offer 500$ for each security exploit you find. This one is nearing completion: the backend is complete (you can run some VMs on it); they say that they guarantee the anonymity of the cracker, and if you're up for making money out of pen-testing, or just starting out or learning the stuff, you may want to try it [when it's complete]. It's like a rentacoder.com for hackers/crackers.

     2) Hackademy - while working on HackAServer, the guys found that there's a shortage of knowledge in hacking/cracking to consider it a discipline. To develop HackAServer they called on the help of some specialized dudes that know how to take down servers and stuff. And what they found is that, even if some of the guys are badasses at taking down stuff, they're totally undisciplined at writing exploit/cracking reports; when they tried to compile some tutorials on writing exploit/cracking reports they also noticed that there's a lack of basic training/online courses in security. And with that in mind they're about to launch [hopefully before this year ends] Hackademy, which will be a repository of online courses on hacking/cracking, pen-testing and security stuff.

     So, hopefully I haven't bored you yet with details; if you're interested, you're invited to check it out.
  5. I like Eclipse for Java; it's very good. It's a bit slow on some systems, and that's why a lot of people don't like it. I use Vim for C/C++, PHP (especially over ssh), Python and others. Vim is a good alternative to Notepad/Notepad++ and it's also available on Linux; if you learn its key shortcuts it's almost like a Swiss army knife of code; of course many IDEs are very good once you learn their shortcuts.
  6. On the media server idea that soka80 added: you could make your own network radio stream (music, shows, etc), or even your own sort of web-TV channel that continuously streams web-TV shows like Hak5; I personally sometimes like the idea of the old TV channels where you're spoon-fed entertainment rather than going about and searching the web for it. Or you could loan some processing power to a grid (Folding@home for example), if you're gonna leave it running; you have to balance that with how much it's gonna add to your electric bill. Joining the Tor network is interesting, to loan some bandwidth to the anonymity of others; although I got flooded when I tried that; may have been a coincidence. Hosting an IRC server for an IRC hub like QuakeNet or whatever. You could try to find other solutions, like maybe hosting open-source projects (or maybe finding some open projects), or adding mirrors for Linux distros, etc; depends what your taste in open software is.
  7. Are you interested in (cross) compiling an executable for Windows in Linux, or (port) compiling code from Windows to a Linux executable? There is cross-compiling on Linux; the guys at VLC usually do this. You kinda have to google it for more details, since I don't know too much about this at the moment. On the VLC wiki there's this link: http://wiki.videolan.org/Win32Compile and something specific for Fedora13: http://wiki.videolan.org/Win32CompileFedora13 For both cases (cross-compilation and porting), if the code was written in Visual C++, all's good if it's not too language specific. Both GCC and Visual C++ have all sorts of language-specific constructions that are not standard and are a pain to work around or rewrite sometimes. You also have to be careful with certain types; for example widechars in Visual C++ are not compatible with the standard char type.
  8. A while back I stumbled upon this guy's video blog about protecting laptops/computers from being stolen:
  9. I wonder how much of a performance increase cleaning them up made :P
  10. Write a kernel module that overrides some basic OS functionality, like opening/reading files; that usually puts any Linux OS into the ground.
  11. http://geeks.thedailywh.at/2011/06/05/ipad-illusions-of-the-day/
  12. So as luck would have it, I've just had to implement a project related to this: I've used the Cinterion/Siemens MC35 (http://www.mobiledata.com.au/SiemensMC35.html); they're a bit old but they're still good; you can try other GSM terminals. You need to put a SIM card into it. You have to link its serial console to a router's or a PC's serial console. The first thing you have to do is send it a random message so that the device detects the baud rate you're trying to talk to it at. It has autobauding, so it will match your baud rate. Then you have to send the AT+CLIP=1 command so that the device gives you the caller's phone number. You kinda need this, otherwise people calling your number by mistake will turn on your computer. When you call the number associated with the SIM card, you'll get "RING" messages and the caller number on the serial console. Every time you get this, you can match it and send Wake On LAN packets. Note that all commands should be ended with a carriage return (or the <ENTER> key). You may try to decode SMS messages, but for my case, just getting a call from a list of known phone numbers is enough.
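An added example (not from the post above, nor from the MC35 vendor) of the caller-ID gate the post describes: it parses the +CLIP lines the modem prints after AT+CLIP=1, keeps only callers on a known-numbers list, and builds the Wake-on-LAN magic packet. The +CLIP line layout is the one from the standard AT command set; the console transcript, phone numbers, allowlist and MAC address are constructed for the example.

```python
import re
import socket

# Constructed sample of what the modem prints on its serial console once
# AT+CLIP=1 is set: a RING line followed by a +CLIP line with the caller
# number (standard AT layout; numbers are made up for this example).
SAMPLE_CONSOLE = (
    "\r\nRING\r\n"
    '\r\n+CLIP: "+40712345678",145,,,,0\r\n'
    "\r\nRING\r\n"
    '\r\n+CLIP: "+40799999999",145,,,,0\r\n'
)

ALLOWED_CALLERS = {"+40712345678"}   # constructed list of known numbers
TARGET_MAC = "00:11:22:33:44:55"     # placeholder MAC of the machine to wake

CLIP_RE = re.compile(r'^\+CLIP:\s*"([^"]*)"')

def parse_clip_lines(console_text):
    """Return the caller numbers found in +CLIP lines, in order of arrival."""
    callers = []
    for line in console_text.splitlines():
        m = CLIP_RE.match(line.strip())
        if m:
            callers.append(m.group(1))
    return callers

def callers_to_wake(console_text, allowed):
    """Only calls from known numbers may wake the machine; wrong numbers
    and unknown callers are ignored, as the post recommends."""
    return [c for c in parse_clip_lines(console_text) if c in allowed]

def magic_packet(mac):
    """Wake-on-LAN magic packet: 6 x 0xFF followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + raw * 16

def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet over UDP; returns the number of bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))

if __name__ == "__main__":
    # In real use the text would be read line by line from the serial port.
    for number in callers_to_wake(SAMPLE_CONSOLE, ALLOWED_CALLERS):
        print("call from", number, "-> sent", send_wol(TARGET_MAC), "bytes")
```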
  13. Well, I would second Psychosis' recommendation for Portal 2. It's really awesome, and if you've played Portal (1), you have to have a bit of patience through the first levels, because you're thinking: man, this is Portal (1), it's kinda boring; but the game picks up really well after that. I guess they made it that way to make it reasonable for people that haven't yet played Portal (1). You could try to replay some older FPS games, for the fun and melancholy of it. Or you could try some older FPS games you missed. I found that I missed several cool FPSes like Clive Barker's Undying, or Counter-Strike: Condition Zero Deleted Scenes, which is a twist on CS, with single-player missions. I guess, personally, I have to catch up with a lot of FPSes, since I usually keep my personal computers for coding, email, and other stuff; not so much for gaming yet. Still, here's a view on playing older games: http://xkcd.com/606/
  14. I would propose using an xxWRT-able router (xxWRT means either OpenWRT or DD-WRT, or whatever); technically, since it's Linux, you can add all sorts of software to it, including WOL (which it might already support), and you don't need to have another PC (which takes up some power to stay awake). As for the SMS part, I would find it simpler to use the internet on your mobile telephone and host a webpage on your xxWRT router, which you access to turn on your system. However, if you really want to do it through SMS (Short Message Service), then I think there are 3 ways to do this:

      a) find a web service that can receive SMSes in your area, and send a web request to your xxWRT-able router
      b) get a cheap mobile phone that you can open up, hack into it and get some signal lines from it, and hack into the router to find other lines that you can hack (preferably a serial port or something), and then you can write up some C code in Linux/xxWRT to listen to the signals from the phone
      c) or get a more expensive phone, that knows wi-fi, that's always connected to the router (now we're talking explicitly about a WiFi router); possibly an Android phone, or at least a Symbian one; but even with this, you have to make some application for it, to open up your web page from the xxWRT

      If I think about it, going with c) is overkill and silly; at that point you might as well just get the cheapest internet on your phone and use the mobile phone to open up a web page on your xxWRT router to do that. b) is the most difficult, and a) I don't know if you can find something for it. In any case, these are some of the DIY-type solutions I would think (and thought) of doing for my own WOL/cheap/simple server for my own computer(s). I actually am planning to get a router to use as a personal web/vpn/etc server, and if I need to access my storage or more power, the router would wake up my computer(s), and would forward some of the requests or provide access to my computer.

      I am conservative about energy consumption around my home, and I avoid leaving computers on, except for the router (which is a computer itself). In any case, if you or anyone does find something that does this, please post it, or even PM me and tell me about it; I don't always have the time to read all forum posts and I sometimes skip through them.
  15. Well, there are 2 ways to go about doing a security cam:

      - getting a cheap/decent IP camera; but even so, you'd have to do a "power-over-ethernet" trick, in the sense that you'd have to put the power adapter through 2 unused wires of the ethernet cable; that way you can put the camera at whatever length you want;
      - if you have a TV tuner or a capture card (a cheap/decent new one is about 20$) and use an analog (surveillance) camera, you could end up cheaper at a better quality; and the coaxial cable can be long enough; it may be that you also have to run a power cable next to it.