
commodo
Active Members
Posts: 56

Everything posted by commodo

  1. One of the guys in charge of these services gave me some slides to pass around. He saw the post that I added here, and asked me to show you the slides. To answer a question before anyone thinks of asking it, the question being "So, why aren't these guys here in person to present/defend their project(s)?", the answer is simply that they're too busy working on the stuff, and even though they're making their stuff known, you can all probably guess that the effort implied is considerable. And I'm just helping coz I don't have anything better to do at work. That, and I think they have a good approach with both ideas. The slides are not much; maybe they'll help with some clarification, even though I think they will probably raise more questions/comments and hence more discussions [which is good a lot of the times]. The slides usually come with a presenter talking in front of a live audience; I'll probably pass the message along to them to record one of their presentations that they'll do in English.

     Having said that, some replies are in order; mainly to comments I haven't replied to yet.

     @bobbyb1980: related to 1), startups usually start off slow; there are a few examples even in the IT world that have rapid ramp-up and they're usually correlated with the dotcom boom, or some sort of speculative market; even though there are some pen-testing/testers at affordable prices, that still leaves enough room for such a service (IMHO at least). Plus, from what I've seen, you pretty much get a full VM (root access and all) running your stuff, so you can test pretty much anything that you can put an internet connection on (like your shiny new Java/Python/Perl/PHP web framework, if you have one). Now that I think about it, maybe your comment is actually useful, to tell them to extend the description on their website.

     Regarding exploit-db: maybe they'll take a look [if they're not doing that already] at exploit-db, and integrate some of that info into their service, so as to identify known exploits/vulnerabilities vs new ones.

     Related to 2): well, any help/recommendations/requests you have for courses are welcome. The idea is to at least centralize the data/courses, so that they can be validated. That way the pollution of misleading information can be reduced/addressed.

     @ihackforfun: "I agree with digininja, I would not like to see my server being attacked without my monitoring" - nobody said anything about [production] servers not being monitored; the idea is to test it out like you test cars in crash tests [only in reverse]; you're not sending your server against any wall(s), you're letting crackers have a go at it; and [I'm repeating myself here], it's not the actual production server, but a replica with Lorem Ipsum/fake data. When you're saying: "companies like google have the resources to patch vulnerabilities fast, most other companies are not so lucky ..."; well, this is who HackaServer addresses: the companies that are not Google, Facebook, etc. with the big money; companies that can't afford 50.000$ security audits, and quick response/patch-up times, but can afford to pay for a service that is

     "If I were to use this service I would:
     - make sure the DB is empty or filled with random values, I would not even trust randomising existing data
     - make sure the server nor any of the software indicates the company the server is from"

     This is actually implied when using the service; I have to apologize for not explicitly saying this, and to thank you for pointing it out [no sarcasm was implied here, so if you feel there is one, you're just imagining it, and had too much coffee]. The hackers/crackers MUST NOT know who they've hacked, just as the hacked/cracked people MUST NOT know who hacked them. If you don't do it like this, there is a risk of it not being a fun/useful service to use. From what I recall when talking to the guys, they actually said that all servers that will be put up for testing will go through a check-phase to make sure they're compliant with some guidelines [which hopefully they have by now], so that the company's anonymity is ensured. I think this may also be a reason behind Hackademy, i.e. how to create a replica server for crowd pen-testing, since some clumsy sysadmins could actually put up company data. And to wrap up a response to your comment, I'll pass along your appreciation for Hackademy; they probably need some encouragement.

     @Radau: the guys at Hackademy/HackaServer will appreciate your appreciation; I'll pass that along as well.

     That's about it for now with the replies. One last part. A use-case that HackaServer would help with: structure migrations. Say you have Apache + MySQL and want to migrate to Nginx with NoSQL; or you're running everything on FreeBSD and would like to try it on Fedora/Debian. Having the chance to try out a migration from a security standpoint could be useful. Then, when that configuration stands the crack-test, you can feel a bit more comfortable if you put it in production. I can understand that some questions might arise like "How do you know if a server is cracked?"; I have no idea yet, to be honest; I can ask them a bit more and find out. But I'd rather tell them to WTFM so everyone else can RTFM.
  2. Hey Radau, well, they're just starting, and I don't know about pentest requirements for businesses. That could be a requirement in the US. Their goal [and target] actually is the smaller businesses that don't have tens of thousands of dollars to spend on professional pentesting. If that law might get a go-ahead in the US, then it might help out their business. The guy in charge of business [of the service] actually described it to me as an alternative for smaller businesses that don't have that kind of money like Google/Facebook, but rather somewhere in the range of a couple of thousand, which [let's be honest] is what you generally pay for a sysadmin. So, even if your sysadmin is good, you may still want to get a rundown of your security.
  3. Perhaps it won't take off; who's to say? And I said replica, not clone; a clone is an exact duplicate, a replica implies similarity, not necessarily a duplicate. The idea is to create a replica by adding the stuff that you want to see whether it stands or cracks. Other information can be filled in with Lorem Ipsum.
  4. Hey, this is a bit of spam, but hopefully some of you might find it useful. I have a friend who's launching 2 online services.

     1) HackAServer - as you all know, pentesting is done by specialized security companies and costs a lot of money; the approach with this one is for lower budgets (around 1000-5000$ for a pentest). The idea is that you configure a replica of your production server (or web application, or whatever) and that gets put into an arena where hackers/crackers hit it with everything they have; the first one to find a security hole or exploit gets the bounty after filing a hack-report. It's something like Google or Facebook sometimes do, where they offer 500$ for each security exploit you find. This one is nearing completion: the backend is complete (you can run some VMs on it); they say that they guarantee the anonymity of the cracker, and if you're up for making money out of pen-testing, or just starting out or learning the stuff, you may want to try it [when it's complete]. It's like a rentacoder.com for hackers/crackers.

     2) Hackademy - while working on HackAServer, the guys found that there's a shortage of knowledge in hacking/cracking to consider it a discipline. To develop HackAServer they called on the help of some specialized dudes that know how to take down servers and stuff. And what they found is that, even if some of the guys are badasses at taking down stuff, they're totally undisciplined at writing exploit/cracking reports; when they tried to compile some tutorials on writing exploit/cracking reports they also noticed that there's a lack of basic training/online courses in security. And with that in mind they're about to launch [hopefully before this year ends] Hackademy, which will be a repository of online courses on hacking/cracking, pen-testing and security stuff.

     So, hopefully I didn't bore you yet with details; if you're interested, you're invited to check it out.
  5. I like Eclipse for Java; it's very good. It's a bit slow on some systems, and that's why a lot of people don't like it. I use Vim for C/C++, PHP (especially over ssh), Python and others. Vim is a good alternative for Notepad/Notepad++ and it's also available on Linux; if you learn its key shortcuts it's almost like a swiss-knife of code; of course many IDEs are very good once you learn their shortcuts.
  6. On the media server idea that soka80 added: you could make your own network radio stream (music, shows, etc), or even your own sort of web-TV channel that continuously streams web-TV shows like Hak5; I personally sometimes like the idea of the old TV channels where you're spoon fed entertainment rather than going about and searching the web for it. Or you could loan some processing power to a grid (Folding@home for example), if you're gonna leave it running; you have to balance that with how much it's gonna add to your electric bill. Joining the Tor network is interesting, to loan some bandwidth to the anonymity of others; although I got flooded when I tried that; may have been a coincidence. Hosting an IRC server for an IRC hub like QuakeNet or whatever; you could try to find other solutions, for maybe hosting open-source projects (or maybe finding some open projects), or adding mirrors for Linux distros, etc; depends what your taste in open software is.
  7. Are you interested in (cross) compiling an executable for Windows in Linux, or (port) compiling code from Windows to a Linux executable? There is cross-compiling on Linux; the guys at VLC usually do this. You kinda have to google it for more details, since I don't know too much about this at the moment. On the VLC wiki there's this link: http://wiki.videolan.org/Win32Compile and something specific for Fedora 13: http://wiki.videolan.org/Win32CompileFedora13 For both cases (cross-compilation and porting), if the code was written in Visual C++, all's good if it's not too language specific. Both GCC and Visual C++ have all sorts of language specific constructions that are not standard and a pain to work around or rewrite sometimes. You also have to be careful with certain types; for example widechars in Visual C++ are not compatible with the standard char type.
  8. A while back I stumbled upon this guy's video blog about protecting laptops/computers from being stolen:
  9. I wonder how much of a performance increase cleaning them up made :P
  10. Write a kernel module that overrides some basic OS functionality, like opening/reading files; that usually puts any Linux OS into the ground.
  11. http://geeks.thedailywh.at/2011/06/05/ipad-illusions-of-the-day/
  12. So as luck would have it, I've just had to implement a project related to this: I've used the Cinterion/Siemens MC35 (http://www.mobiledata.com.au/SiemensMC35.html); they're a bit old but they're still good; you can try other GSM terminals. You need to add a SIM card to it. You have to link its serial console to a router's or PC's serial console. First thing you have to do is to send it a random message so that the device detects the baud rate you're trying to talk to it at. It has autobauding, so it will match your baud rate. Then you have to set the AT+CLIP=1 command so that the device gives you the caller phone number. You kinda need this, otherwise people calling your number by mistake will turn on your computer. When you call the number associated with the SIM card, you'll get "RING" messages on the serial console, and the caller number. Every time you get this, you can match it and send Wake On Lan packets. Note that all commands should be ended with carriage return (or the <ENTER> key). You may try to decode SMS messages, but for my case, just getting a call from a list of known phone numbers is enough.
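As an added example (not code from commodo, nor from the MC35 vendor), here is a Python sketch of the wake-on-call logic described in the post above: it encodes AT commands with the trailing carriage return, parses the unsolicited RING / +CLIP lines the modem prints on the serial console, lets only whitelisted caller numbers trigger a wake-up (unknown or withheld callers are rejected, so a misdialled call cannot turn the PC on), and builds the Wake-on-LAN magic packet. The whitelist, MAC address and console lines are constructed sample values.

```python
import re
import socket

# Caller whitelist and target MAC: constructed sample values, not real ones.
ALLOWED_CALLERS = {"+40712345678"}
TARGET_MAC = "00:11:22:33:44:55"

# After AT+CLIP=1 the modem reports the caller as an unsolicited result code of the form
# +CLIP: "<number>",<type>,... (3GPP TS 27.007); a withheld number shows up as "".
CLIP_RE = re.compile(r'^\+CLIP:\s*"([^"]*)",(\d+)')


def at_command(cmd: str) -> bytes:
    """Encode an AT command for the serial console; every command ends with a carriage return."""
    return (cmd + "\r").encode("ascii")


def parse_clip(line: str):
    """Return the caller number from a +CLIP line ('' if withheld), or None for any other line."""
    m = CLIP_RE.match(line.strip())
    return m.group(1) if m else None


def magic_packet(mac: str) -> bytes:
    """Build a Wake-on-LAN magic packet: six 0xFF bytes followed by the MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


def decide(console_lines, allowed=ALLOWED_CALLERS):
    """Split callers seen on the console into those allowed to wake the PC and those rejected."""
    # Only a +CLIP that follows a RING counts as a call; numbers not on the whitelist (including
    # an empty, withheld number) are rejected so that misdialled calls cannot wake the PC.
    wake, rejected, ringing = [], [], False
    for line in console_lines:
        line = line.strip()
        if line == "RING":
            ringing = True
            continue
        number = parse_clip(line)
        if number is None:
            continue  # OK, ERROR, command echo etc. are irrelevant here
        target = wake if (ringing and number in allowed) else rejected
        if number not in target:  # RING/+CLIP repeat for every ring of the same call
            target.append(number)
        ringing = False
    return wake, rejected


def send_wol(mac: str = TARGET_MAC, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet on the LAN; returns the number of bytes sent (102)."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


# Constructed sample of what the serial console shows for three incoming calls.
SAMPLE_CONSOLE = [
    "RING", '+CLIP: "+40712345678",145,,,,0',  # whitelisted caller
    "RING", '+CLIP: "+40799999999",145,,,,0',  # unknown caller (misdial)
    "RING", '+CLIP: "",128,,,,1',              # caller ID withheld
]

if __name__ == "__main__":
    wake, rejected = decide(SAMPLE_CONSOLE)
    print("wake for:", wake, "rejected:", rejected)
```

In a real deployment the console lines come from the modem's serial port (after the autobauding message and `at_command("AT+CLIP=1")`), and `send_wol()` is called once per entry in `wake`.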
  13. Well, I would second Psychosis' recommendation for Portal 2. It's really awesome, and if you've played Portal (1), you have to have a bit of patience through the first levels, because you're thinking: man, this is Portal (1), it's kinda boring; but the game picks up really well after that. I guess they made it that way to make it reasonable for people that haven't yet played Portal (1). You could try to replay some older FPS games, for the fun and melancholy of it. Or you could try some older FPS games you missed. I found that I missed several cool FPSes like Clive Barker's Undying, or Counter Strike Condition Zero Deleted Scenes, which is a twist on CS, with single player missions. I guess, me personally, I have to catch up with a lot of FPSes, since I usually keep my personal computers for coding, email, and other stuff; not so much for gaming yet. Still, here's a view on playing older games: http://xkcd.com/606/
  14. I would propose using an xxWRT-able router (xxWRT means either OpenWRT or DD-WRT, or whatever); technically, since it's Linux, you can add all sorts of software to it, including WOL (which it might already support), and you don't need to have another PC (which takes up some power to stay awake). As for the SMS part, I would find it simpler to use internet on your mobile telephone, host a webpage on your xxWRT router, which you access to turn on your system. However, if you really want to do it through SMS (Short Message Service), then I think there are 3 ways to do this:

     a) find a web service that can receive SMSes in your area, and send a web request to your xxWRT-able router
     b) get a cheap mobile phone that you can open up, hack into it and get some signal lines from it, and hack into the router to find other lines that you can hack (preferably a serial port or something), and then you can write up some C code in Linux/xxWRT to listen to the signals from the phone
     c) or get a more expensive phone, that knows wi-fi, that's always connected to the router (now we're talking explicitly about a WiFi router); possibly an Android phone, or at least a Symbian one; but even with this, you have to make some application for it, to open up your web-page from the xxWRT

     If I think about it, going with c) is overkill and silly; at that point you might as well just get the cheapest internet on your phone and use the mobile phone to open up a web page to your xxWRT router to do that. b) is the most difficult, and a) I don't know if you can find something for it. In any case, these are some of the DIY-type solutions I would think (and thought of) doing for my own WOL/cheap/simple server for my own computer(s). I actually am planning to get a router to use as a personal web/vpn/etc server, and if I need to access my storage or more power, the router would wake up my computer(s), and would forward some of the requests or provide access to my computer. I am conservative about energy consumption around my home, and I avoid leaving computers on, except for the router (which is a computer itself). In any case, if you or anyone does find something that does this, please post it, or even PM me and tell me about it; I don't always have the time to read all forum posts and I sometimes skip through them.
  15. Well, there are 2 ways to go about doing a security cam:
     - getting a cheap/decent IP camera; but even so, you'd have to do a "power-over-ethernet" trick, in the sense that you'd have to put the power adapter through 2 unused wires of the ethernet cable; that way you can put the camera at whatever length you want;
     - if you have a tv-tuner or a capture card (a cheap/decent new one is about 20$) and use an analog (surveillance) camera, you could end up cheaper at a better quality; and the coaxial cable can be long enough; it may be that you also have to stick a power cable near it.
  16. Let's ask the MythBusters; I haven't researched this more in-depth yet, plus I don't know where to find a Geiger counter.
  17. I was looking to buy a new computer; guess I found it.
  18. From the article on Wikipedia about bananas: Bananas are naturally slightly radioactive, more so than most other fruits, because of their high potassium content, and the small amounts of the isotope potassium-40 found in naturally occurring potassium. Proponents of nuclear power sometimes refer to the banana equivalent dose of radiation to support their arguments.
  19. I say scam too; I mean, it reads: "Have You Ever Considered Working Online? Kelly Richards of Cluj-napoca never thought she would have a job working at home until one day she filled out a simple form online." I am from Cluj-Napoca and Kelly Richards is not a name that you find in our country. They seem to try too much to adapt to your city, and that can slip from them. Which reminds me of a rather funny joke; luckily I found it here.
  20. Indeed Google's Satellite Images are far better than Bing's. However, the gap between Google Maps and Bing Maps can be filled by writing your own web-code, or you can use http://www.mapchannels.com
     I discovered their website because I really wanted to try to integrate Bing's Bird's Eye and Google Earth's Street View + Maps into a website. You can try their Dual Maps API, which is pretty neat; they have a demo at the link I sent you.
  21. Well, Microsoft is not to be underestimated with certain stuff. Yeah, we p**s on their OS, but their research in different new technologies and stuff is something to be admired. Unlike some of their products, but what can you expect? The problem with BIG corporate products is that they boast indestructibility when in fact they're written by average people like you and me who make mistakes... in groups. People usually trust their apparent indestructibility while we resent it for not being actually indestructible, and it's just a lie; and the bigger the company/player the bigger the lie is (when talking about indestructibility at least). But coming back to Microsoft research:
     - you may know about PhotoSynth, and when it was presented at TED in 2007
     - you probably also know about the talk at TED about the FTIR multi-touch stuff in 2006; the guy makes reference to a Bill Buxton who (hopefully still) is heavily involved with Microsoft research in various user-input devices; after that TED talk, Bill was asked to make this article about multi-touch; I highly recommend it for historical/interesting/good-to-know and maybe trivia facts
     - related to the previous point: Microsoft Surface; yeah, I know it's over-priced, but show me a Microsoft product that isn't over-priced; still, if you want to make a check this out; I made one, but right now I use it as a small to hold stuff on it; mine is actually bigger than what the guy made
     - I admit at this one that I'm short on research info, but MS has the Virtual Earth project; I don't know whether this was before/after Google Earth, or how advanced it is compared to Google Earth; I do know it was presented at this TED talk
     - if you haven't checked Bing Maps, you might want to; I mean, the Bird's Eye View that they have is awesome; here's where I live (a rented apartment) right now; the awesomeness of this is that you can spin the view 90 degrees and you get this view, then another 90 degrees and you get this view; I think they used plane cameras to actually record data, and then maybe use PhotoSynth to compile it in; Bird's Eye View is limited to medium-to-big cities; if you try to get out of the city, you can't

     I think this is enough spam of stuff; hope you found the info interesting. The main idea is that, yeah, Microsoft may s**k, but they also have some good stuff. In the end I think the people you have to hate in any big company are the ones that drive the creation and marketing of their products, especially if they're crappy. And maybe sometimes, even Microsoft will show us something cool and original that they made, like Microsoft's Kinect; sorry to all Apple fans, but they're late on this one.
  22. I don't know if this was posted before, so if I'm reposting something, then sorry. Check out this awesome mashup vid
  23. I hope you guys got the idea that it's an April Fool's prank from Google. Nearly fell for it myself, until I saw the date on my computer. And then I researched TISP; I should have started with that.
  24. Imagine having to wake up to this and you have to play on the controller to turn off your alarm clock: http://walyou.com/gaming-console-controllers-clock-art/ http://www.novate.ru/blogs/140311/17084/ I think I prefer the one with the pistol controllers
  25. http://www.smashingapps.com/2011/03/29/cartoon-i-am-an-iphone-killer-no-you-are-not.html