http://bitsofspy.net/newsletter
Content vault!
http://hellboundhackers.org

THE NEWSLETTER
ISSUE #01

"Praise the bridge that carried you over."
-GC-

Guest-writer(s)
-Uber0n

Amount oF texts
-Eleven (11)

Included secret?
-Yes

Releasedate
07-01-09

Thanks to
[x]COM
[x]Fuser
[x]Futility
[x]Moshbat
[x]Only.Samurai
[x]Spyware
[x]Zephyr_Pure
[0]Swartmumba

TABLE OF CONTENTS

{01} Introduction [INT]
{02} HBH News [NEW]
{03} Post of the issue award [PST]
{04} BBS: The Documentary review [BBS]
{05} Article Review: Building a CMS 4 Dummies [ARV]
{06} Best programming language? [BST]
{07} Creativity of a hacker [CRV]
{08} Regarding Lol... [LOL]
{09} Mentoring, can it be done? [MNT]
{10} Moshbat's Corner [MBC]
{11} Q/A [QAA]
{12} End [END]
{13} vOid
{14} void
{15} void
{16} void

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[INT]~staff -IntrodUction

Welcome to the beginning. The beginning of something new, something fresh and hopefully enjoyable. Welcome to The Newsletter.

The Newsletter is a brand-new initiative that will combine, incorporate and connect with many aspects of the hacking community Hellbound Hackers (HBH). This newsletter will provide you with reviews, rants, security related writings and, of course, news.

~staff

[INT continued]~Spyware

Hey, Spyware here. I'm the editor in chief of this newsletter. That basically means I get to work with some great people I me(e)t while roaming HBH. Together we aim to bring you something that's fun and informative to read. I hope you can all enjoy the show.

This first release starts off with a hitch; unfortunately one staff member already had to leave before this issue was released. Uber0n will be missed. The reason for his early departure is because of personal, in-real-life things that prevent him from working with us (at this time). I hope he can rejoin us once more at a later stage. Included in this issue though, is one text written by him. Enjoy.

Another staff member, Swartmumba, hasn't been spotted for weeks. We've all been looking out for him, but he hasn't returned (yet?). The reason for his absence is unknown, we all hope he will be able to return to us in the near future.

On the bright side, we added yet another name to our payroll; Only.Samurai will entertain and inform us with his literature. Thanks, Samurai. Welcome to the staff!

Well, this is it. I've made you all wait long enough. I'm doNe with this introduction. Have fun reading the first issue of The Newsletter.
A bow for you all, ~Spy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [NEW]~Futility -HBH Updates I regret to inform you that HBH has been taken over by power-hungry tyrants bent on removing all honest folk from the site. That's right, Zephyr_Pure, system_meltdown, and the rest are pure evil and want nothing less than your first born child and a pint of the finest virgin blood, and they'll stop at nothing until they get it. Let's take a look at the horrors which have been committed in the past few weeks, shall we? >'Update' Name: New Challenges >Top Secret Code Name: Operation Doom >Operatives: Everyone, but system_meltdown and SwartMumba in particular That's right ladies and gentlemen- in the past few weeks HBH has gained three new challenges for your enjoyment. Timed 6 revolves around fetching data through a google search and returning it to HBH. The only problem is that system coded it so it needed to be done in an impossible amount of time. He's forcing us to use programming knowledge to complete it, rather than common sense. What a jerk. Timed 7, along similar lines, needs to be done in a short amount of time. It involves reading a barcode and posting back whether or not it's valid, which is a pretty nifty idea. SwartMumba can be thanked for this one. Basic 28, on the other hand, has nothing to do with programming. You are given a common feedback script and you have to get the message sent to you, rather than the 'admin'. This is one of my personal favorites and we have to thank system_meltdown for it. If any of you reading this happen to have a great idea for a challenge, feel free to send it to any of the admins. We're glad to take a look at it and add it to the site if it qualifies. 
>'Update' Name: Fancy Code Bank >Top Secret Code Name: Operation Enslave The People >Operatives: Zephyr_Pure, root_op and system_meltdown At first glance this might seem to be a good thing. I'm sure you've all noticed how clean the code bank has recently become. But is that really necessary? Does it matter how nice and clean things are? Hell yes, it does. The old code bank was useless. It contained about ten simple calculators in each language and other pieces of 'code' to waste space. One of Zephyr_Pure's first actions as an admin was to go through and remove the code that wasn't needed. That's right, he went through every single piece of submitted information and weeded out the bad. Now, instead of a festering cesspool, the code bank has the potential to become a central part of the site. The good code is no longer weighed down by the bad, and new submissions are being checked to make sure they are 'worthy'. But wait, there's more! After seeing the community take heart to the clean new code bank, root_op decided to take it a step further. He gave the code bank syntax highlighting and made it retain tabs and spaces. System then removed smilies from [coDe] tags. Now code is not only easier to find, but it is easier to understand as well. Thanks you guys. >'Update' Name: New Competitions >Top Secret Code Name: Operation Mind Control >Operatives: Everyone The current HBH theme: you know it. You love it. You've been looking at it for the past however long you've been here, and you're starting to grow tired of it. Sure, there're others that you can change to, but let's face it, they aren't the best. No offense, or anything, but they're too bright for my liking. I'm sure they're too something for your liking as well. So here's your chance. HBH has started a theme-building competition where all you have to do is edit the CSS file until you like what you see. Really, it's that easy. 
The best part is that on January 10th, we will vote on which ones we like the most, and if you win, your theme will be added to HBH for everyone to use. That's right, you can make HBH look like you've always wanted it to. Check the news submission for more information. I, Futility, have also taken the time to go through the CSS file and comment in what each property does so that it's easier for all of you. Zephyr_Pure has also taken time to put a new programming competition in motion. We're not entirely sure on all the details yet, but it will involve using your coding knowledge to create something useful for yourself and the community. Can it get any cooler than that? I submit that it cannot. These aren't the only new additions to the site. They're just the main ones. root_op has been working on a PM notification system which lets you know when you've run out of room in your inbox. Mr_Cheese is working on improving the search system because the current one is a little buggy. What about the pen-test challenges? For the year or so I've been here, there's only been the one. Moshbat has taken command and submitted another one for all of us to enjoy. It is currently being HBH-ified and should be available for testing pretty soon. What about the FAQ section? Ever had a basic question and got reprimanded for asking it in the forum? Well clone4, along with the help of COM, decided to whip up a nice shiny new one. It hasn't been put into effect yet, but can be seen in the 'God rank to easy?' thread, which is a fantastic place to see all the helpful suggestions and ideas that have been proposed. If you want to see something done, post your idea there and we'll all take a look and see what we think. So, as you can see, we HBHians have been a busy lot. The 'evil masters' have made sure the past few weeks have been riddled with updates and show no sign of stopping this disastrous course of actions. What a bunch of jerks. 
Till next update,
-Futility

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[PST]~Moshbat -Post of the Issue

The Post of the Issue award is a small column dedicated to praise the best post made on HBH in the past weeks/month. We hope that this will inspire people to ... well ... post less crap. Hopefully, people will try harder posting quality content.

Without further ado, I will skip straight to the ceremony. This issue's award goes to: *absence of drumroll* Kiyoura!

Kiyoura's post was one of the most helpful and informative I've seen in a long while. I don't have a trophy to give, but I hope a mere mention will suffice! Congratulations!

[Kiyoura's post from: http://tinyurl.com/bestpost1]

~All of my projects, websites, and major applications are OOP.
~What I do before I start coding the actual applications are, write down
~notes of why and how you will need each class.
~e.g. Mysql: (brainstorm each method and member needed)
~constructor: connection to mysql via database information
~Members: (brainstorm)
~Methods:
~grabbing data
~sending queries
~etc.
~Another example,
~CMS controls
~constructors: any initialization that the object may need.
~Members: (brainstorm)
~Methods:
~log-in
~log-out
~etc..
~Remember, ask yourself before starting:
~(Do I really need to place this information in a class?)
~(How can I set up my applications so that other people can add/edit it?)
~Use the PHP manual as a reference for creating classes, if you're going to
~use them, use it to its complete power.
~if you need help send me a PM.
~EDIT:
~Also, comment, comment, comment. There's no such thing as too many
~comments. I recommend looking at the PEAR's standards in order to
~understand how and when to comment.

[end of post]

Again, congratulations and keep up the good work! Let this be an example for all HBH users.
See you next issue, -Moshbat ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [BBS]~Fuser -BBS: The Documentary BBS: The Documentary Review We all had these situations where we stay up all night in front of our computers, staying online just for the sake of staying online. Now in the age of multiple-core computers and broadband internet connections, almost anyone can stay up all night facing their computers for a plethora of reasons. But back then, in the pre-Windows 95 era, staying up all night for the sake of being online was only for the dedicated hardcore. Dialing up to a bulletin board required time and patience, and these activities are usually conducted at night for three main reasons, mainly because the calling charges are cheaper, there is less line noise and there was less interruption from friends and family than during the daytime. This is what BBS: The Documentary is trying to capture. The director, Jason Scott, himself had been involved in the BBS scene since the 80's, and currently operates a website called textfiles.com which offers BBS-related content such as text files ranging from an extensively retyped version of The Necronomicon, hacking text files from legends such as the Legion of Doom (LOD) and The Knights Of Chaos, ANSI and ASCII art packs, to an exclusive hacking program called "Phantom Access" which was created exclusively for the LOD. This documentary is created as Scott realized that while there might be other people who run websites during the BBS era, no one had created a documentary about it. The documentary was intended by Jason Scott as a way to bring nostalgia from that era, and to show the later generation on what the BBS is all about before the internet becomes popular. And in my opinion, the documentary is extremely well-executed, with the topics separated for the viewer to watch the sections at any time they want. 
There are 8 topics in total, ranging from the history of the BBS, the System Operators, Commercial BBS's, Fidonet, the ANSI art scene, the hacking/phone phreaking/cracking scene, The end of the BBS era, and finally, about compression. The level of dedication he took to create this is astounding, going as far as to interview the co-creators of the BBS theMselves, Ward Christensen and Randy Suess, the "veterans" of the scene (read: those that built their own computers by hand) to those who had been cracking games for the Apple ][ computer system and drew ANSI artworks for their artgroup as teenagers.

Each topic is well-presented, with the background on the topic, the technical details concerning the topic and an explanation about how certain scenes, such as the ANSI art scene, operated with personal experiences told by those who had been involved in the scene themselves. Throughout each topic, images are shown, which helps enhance the "feel" of being involved in the topic in question. They range from screen shots, magazine scans, printouts, recorded images, real-life images, news and advertisement excerpts, to recordings of the BBS loading.

One impressive feature of this documentary is that Jason hardly narrates around it, and there is no input about his experience on the BBS scene (mainly because he posted about that on his blog, ascii.textfiles.com). Explanation is done by a screen with a background and text explaining about it, hence reducing the problem of being unable to understand or misunderstanding the topic in question.

A topic-related amateur-made documentary, 2600 Magazine's Freedom Downtime was narrated by Emmanuel Goldstein himself and includes his gripes on how unfair America was to Kevin Mitnick. While his frustration is understandable, it makes his documentary feel like a personal vendetta.
In contrast to Freedom Downtime, in this documentary the persons interviewed explain how the scene worked using their own, personal views and their involvement in it. This helps the viewer understand the subject better as it is explained in a detailed yet simplified way.

One of the impressive features is that some visual effects are used to enhance the quality of the documentary. Images and photos are shown to further clarify and explain certain things.

Conclusion

I wholeheartedly recommend this documentary to anyone who is interested in one of the few histories of computing or those who want to relive the glory days of the BBS. This is a very informative and entertaining documentary to watch and it has a high replay value. (I even converted some of the topics into mp4 so that I can watch it on my brother's PSP. Yes, it's really that good.)

-Fuser

Extra Images (./images/1.png through 5.png)

Picture 1: I don't know about you guys, but I don't think I'd buy my computer from someone like him.
Picture 2: A cracking tutorial for an Apple ][ game.
Picture 3: John Madill on how he helped Tom Jennings to create FidoNet.
Picture 4: KillaHertz (ACiD/Remorse) on the time and process required to create an ANSI/ASCII artwork. The image on the background was one of his artworks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ARV]~Zephyr_Pure -Article Review

Article Review: Building a CMS 4 Dummies
Article Author: keiran420
Article Link: http://tinyurl.com/cms4dummies

Everyone knows that a first impression is the most important of all. At HBH, this particular fact is often how a member is judged for the duration of his/her stay. Every now and then, though, this traditional viewpoint is pushed aside by a truly unexpected contribution.

HBH is home to a number of PHP coders, each at varying levels of proficiency.
Some have written and coded for the community, but these contributions tend to be barely more than the basics. Syntax, forms, sessions... these are all things that could easily be learned from any other PHP tutorial. Previously, there was a large gap between the PHP information available on HBH and the effective knowledge needed to code something worthwhile (such as when completing the Other CMS challenge).

"Building a CMS 4 Dummies" is an article that seeks to bridge that gap by presenting CMS concepts in terms that PHP amateurs can understand. The author himself had not coded a CMS before writing the article, which actually helped to make the concept easy to grasp. Also, the author's lack of literary eloquence helped to set the tone for the article, which was wonderfully simple. All in all, the author did a great overall job at explaining things in the way that he learned and utilized them.

Now that the pleasantries are aside, it's time to pick the article apart. First, the section that defined a CMS needed a bit more content. Saying that a "content management system" is a tool that allows users to control / add content is like saying that Toyota is a vehicle manufacturer: while that statement is true, it hardly suffices as an introduction. A solid definition, followed by listing some popular open-source CMS packages, would have served better in that section.

The descriptions of the functionality and coded functions are precise and structured, but there is a bit of dead weight there. To explain better, we must think of OOP as merely bringing order and reusability to common functions and objects. That is, we should have unique objects for repeated database class usage and unique functions for repeated database access.
Here are the 15 included functions from the article:

Connect(), Disconnect(), login(), Checklogged(), logout(), UserLevel(), AddData(), DeleteData(), UpdateData(), ReturnAll(), Returndata(), Adduser(), edituser(), DeleteUser(), ReturnUser(), encode()

The ability to connect to the database should be triggered as soon as a new database object is instantiated, so there is no need for a formal "Connect" function; it can just be placed in the constructor for the class. Also, by default, MySQL connections are not treated as persistent and are reused automatically, so there is no need (although it is a structured pleasantry) for a "Disconnect" function; this can be placed in a logout script / function as simply "mysql_close()", since calling this function without an explicit link identifier will close the active instance.

The "login" and "logout" functions will only be used once in most implementations, but the inclusion of them as functions makes sense to keep the functionality in a single maintainable file. The "Checklogged" and "UserLevel" functions make much more sense, since they will most likely be included on every page.

The questionable portion of the function list comes from the excessive duplication that exists between the "add/delete/update/return" complex of functions. At this point, you must question the necessity of defining separate instances of objects that will only exist "in theory"; that is, why define a class for an object that has no unique characteristics? Between the typical database functions and the user functions, the only real difference is the table name, which is being passed as a parameter to the database functions. Force your functions to accept an array of database fields (instead of separate function parameters), and you have a set of universal functions to do every little thing you like. Thus, there is no need for the user functions at all.

To finally sum up the function list, the "encode" function is a necessary implementation.
Having a sanitizing function in a complex implementation IS A MUST. If you determine that your current method of universally sanitizing input is inadequate, you nEed to be able to make that change as quickly as possible. Updating one function is much easier than updating multiple implementations. It's impressive that a learning coder is able to grasp this concept, and all aspiring coders should learn from it as well. Now, for nitpicking the rest of the article... No one in their right mind uses the "REQUEST" superglobal, since that encompasses both GET and POST functionality and, as such, is vulnerable. Sessions are better than cookies both for their simplicity and their implementation: "session_start" to start / continue a session, $_SESSION['whatever'] = 'blah' to set a session variable, and "session_destroy" to end a session. Also, cookies are stored and easily accessible / modified client-side, while sessions are not. The database connection variables need not be stored as class properties, as they are only used once (to connect initially). The "CheckLogged" function, in its current implementation in the article, makes little sense; as the cookies expire automatically, just sanitize the cookies as you use them and manually expire your sessions (when you use them). The use of iframes to place potential content should be discouraged in favor of using simple PHP includes, so the $emlink iframe is not ideal. True and false values have traditionally translated to 0 and 1 values so, when checking the $Loggedin variable, it is not necessary to test it against 0. The easiest way to do BBCode to HTML conversions is to use arrays with keys and values; that way, when you're looking for the HTML equivalent of [b], you need only access $array['[b]']... as an example. Use a foreach loop, and you can call the str_ireplace function with the key, to be replaced by the value, for the whole array. 
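
The suggestions made so far in this review (connect in the constructor, table-agnostic functions that take an array of fields, one encode() for output, and array-driven BBCode conversion with str_ireplace), sketched as an added example that is not code from the reviewed article or from HBH. It assumes PDO with an in-memory SQLite database in place of the article's MySQL calls; the class, table and column names are hypothetical.

```php
<?php
// Added illustration; class, table and column names are hypothetical.
// PDO + in-memory SQLite stands in for the article's MySQL connection.

class Cms
{
    private PDO $db;

    // Table and column names cannot be bound as parameters, so they are
    // checked against an allowlist before being placed into the SQL text.
    private const SCHEMA = [
        'users' => ['name', 'level'],
        'pages' => ['title', 'body'],
    ];

    // BBCode => HTML map, keyed by tag as the review suggests.
    private const BBCODE = [
        '[b]' => '<strong>', '[/b]' => '</strong>',
        '[i]' => '<em>',     '[/i]' => '</em>',
        '[u]' => '<u>',      '[/u]' => '</u>',
    ];

    // Connecting in the constructor replaces a separate Connect() method.
    public function __construct(string $dsn = 'sqlite::memory:')
    {
        $this->db = new PDO($dsn);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)');
        $this->db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    }

    private function checkTable(string $table): void
    {
        if (!isset(self::SCHEMA[$table])) {
            throw new InvalidArgumentException("unknown table: $table");
        }
    }

    // One addData() serves users and pages alike: the table name and the
    // array of fields are the only things that differ between them.
    public function addData(string $table, array $fields): int
    {
        $this->checkTable($table);
        $cols = array_keys($fields);
        if ($cols === [] || array_diff($cols, self::SCHEMA[$table]) !== []) {
            throw new InvalidArgumentException("unknown column for $table");
        }
        $sql = sprintf(
            'INSERT INTO %s (%s) VALUES (%s)',
            $table,
            implode(', ', $cols),
            implode(', ', array_fill(0, count($cols), '?'))
        );
        // Values are bound, never concatenated into the statement.
        $this->db->prepare($sql)->execute(array_values($fields));
        return (int) $this->db->lastInsertId();
    }

    public function returnData(string $table, int $id): ?array
    {
        $this->checkTable($table);
        $stmt = $this->db->prepare("SELECT * FROM $table WHERE id = ?");
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    // The single place where output escaping is defined; changing the
    // policy means changing this one function.
    public static function encode(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }

    // Escape first, then turn the allowed BBCode tags into HTML, so markup
    // typed by a user never reaches the page unescaped.
    public static function bbcode(string $text): string
    {
        $html = self::encode($text);
        foreach (self::BBCODE as $tag => $replacement) {
            $html = str_ireplace($tag, $replacement, $html);
        }
        return $html;
    }
}

// Constructed sample data.
$cms = new Cms();
$uid = $cms->addData('users', ['name' => "O'Brien", 'level' => 1]);
$pid = $cms->addData('pages', [
    'title' => 'Hello',
    'body'  => '[B]bold[/b] and <script>alert(1)</script>',
]);

echo $cms->returnData('users', $uid)['name'], PHP_EOL;
echo Cms::bbcode($cms->returnData('pages', $pid)['body']), PHP_EOL;

try {
    $cms->addData('comments', ['name' => 'x']);   // table not in the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The map does not balance tags: an unclosed [b] yields an unclosed <strong>, which a production converter would have to handle.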
The rest of the article is perfectly viable from a viewpoint beyond that of an amateur. It is important to note that I am merely tailoring my review to cater to a progressive learning process from the status of an amateur coder. The article itself was perfectly viable for an amateur to understand but, in the process, that amateur should be seeking to make revisions and updates in accordance with gained knowledge and precision. To that end, this review seeks to be a bridging point. It is up to the author of the article to continue the process by refining the CMS with OOP characteristics, session usage, and more functionality.

Tune in next issue, same bat-time, same bat-channel,
-Zephyr

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[BST]~Futility -Best Language?

What's the best programming language to start out with? Which one is the easiest to learn? What would be the most useful language for me to learn? How many times have you seen these questions in the forum? How many times have you thought them yourself? Well I'm here to shed some light on the situation. Remember, these are purely my opinions. Every language is better at something than the others. It really all depends on what you want to do. Anyway, here is what I would suggest.

What is the best programming language to start out with/which is the easiest to learn?

In my opinion, this would have to be Python. Your commands are written in plain English and there are tons of useable modules right off the bat. Python also has the ability to be ported over to tons of other languages, making it extremely versatile. How about we take a look at some sample code? Perhaps the infamous 'Hello World' will convince you.

    print('Hello World')

That's it. Save the file as .py, and you're ready to go.

So printing to the screen is easy, but how about variables? Those could sometimes be a pain to figure out. Int vs. long vs.
byte vs. string vs. bool... Python eliminates all this muck by taking care of assignment issues behind the scene. If you want to use a variable, all you have to do is think up a name and set it equal to something. Sure, there are dictionaries, tuples and arrays, but they're not that hard to get used to.

Functions are similarly as simple as can be imagined when writing in Python. You just type:

    def function_name(local_variables):
        pass  # anything you might want

Sure, the entire language isn't as easy as this. It gets much harder the deeper you go, but so does every other language. Python is useful for quickly pumping out smaller projects. If you want large, in-depth programs, then Python probably isn't the best way to go. I consider it a good language because of how simplistic it makes the small mundane tasks that all programming languages must cover. Its extensive module index is also extremely helpful for projects. Just type import module_name at the top of your program, and you're good to go.

I could go on for pages about Python, but I will put my personal opinion about it aside for a moment and speak generally since it's you who are deciding in the end. Most modern programming languages are very similar, not in every functionality of course, but within the area discussed and even beyond they tend to coincide a lot. Most of them share certain aspects, are quite understandable and just like Python, are based on the English language for it to be that way. Even if you might not be able to sit down and program something in a different language, if you've learnt one or two to get the general concepts it means that you can read most code written and get a general understanding of what it's supposed to do.

No language is guaranteed to be easier to learn, there are myths about some being very easy and others immensely difficult, but it ultimately all boils down to two things: 1. how well explained it is, whatever source it might come from and 2. how much you want to learn it.
Nothing really beats motivation, sure it can't be explained in whatever horrible manner possible, but it's the latter point that really tears down the walls between the languages and their difficulty to be learned. What is the most useful language for me to learn? Now this one is much more difficult for me to answer. Like I said, every language is bested by another in different areas. No one thing can be 100% better than every other one. I'm very interested in web-based security. Since a huge number of sites implement PHP, knowing it would be a large advantage. PHP, combined with HTML, SQL, and Javascript can do just about anything you can imagine. You want a forum on your website? Go ahead and code one. You want to create a content management system? Guess what you're going to need. If you want to make a real website, PHP is usually your best choice. As a bonus, learning how to write the language will teach you how to exploit it as well. Remember, this whole article is my opinion. You may agree with me, or you may disagree. The purpose here was to try and clear up some of the potential questions that will come up. A preemptive strike, if you will. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [CRV]~Only.Samurai -Creativity of a Hacker We've all seen Hollywood's depiction of hackers. Flashing graphics, strange clothing, all night soda binges. This fantastical display of the 'hacker subculture' provides very little insight into the technical aspects of hacking. Very little of what we see is remotely close to the true inner-workings of hacking. Despite this inaccuracy, the people involved are shown in a realistic sense. The clothing, the 'catch phrases', the actual culture displayed may or may not be accurate depending on who you speak to, but the motivation and creativity displayed are universal. Hacking is thinking outside the box in a technical sense. 
While you may need a vast technical knowledge to execute an attack, the process of developing the methodology can be accomplished without nearly as much technical knowledge. These movie characters stop at nothing to accomplish their goal and often find unorthodox solutions to problems. Look around whatever room you are in and find a light. Can you think of 10 different ways to make that light useless? When I teach classes or lecture at conferences I like to use this as an opening drill. Most of the time people only come up with 'turn off the switch' or 'take the light bulb out.' While these are valid answers, they are not very creative. What I like to see are answers more like 'destroy the power company,' 'shoot it,' or 'over-load it with current.' 'Destroy the power company' is a great example of a non-technical example explaining something useful. While that particular person didn't know about power grids or how that part of our infrastructure works, they did understand a creative way to exploit it. What is all this talk about creativity? Why is it so important? When you are doing a penetration test, odds are good it is not on a virgin environment. An environment void of firewalls and lacking patches would be ripe for the picking, but this is rarely our situation. Creativity is how we bypass the security already in place. Hacking is the art of using things in unexpected ways, the art of being clever. To give an example, think of a simple SQL injection vulnerability in a form field for a first name. The developer was either careless or clueless when he passed the value to the database and left it vulnerable. We'll hope that he was more clueless than careless and proceed. As a hacker, we look at the input and see the potential to exploit his database by injecting our own queries, but to the developer it's simply a form field for a name. The developer never saw this attack coming because of what he thought the code did, rather than what it was capable of. 
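
The first-name form field described above, as an added example that is not part of the original article: the concatenated query the developer wrote beside the parameterized form that keeps the field a plain name. It assumes PDO with an in-memory SQLite database, and the table, column and function names are hypothetical.

```php
<?php
// Added illustration; table, column and function names are hypothetical.
// PDO with an in-memory SQLite database keeps the example self-contained.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)');
$db->exec("INSERT INTO members (first_name, email) VALUES
    ('Alice', 'alice@example.test'),
    ('Bob',   'bob@example.test'),
    ('Carol', 'carol@example.test')");

// What the developer thought the code did: look up one member by name.
// What it is capable of: whatever the submitted text turns the SQL into,
// because the value is pasted into the statement itself.
function findVulnerable(PDO $db, string $firstName): array
{
    $sql = "SELECT first_name, email FROM members WHERE first_name = '$firstName'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement text is fixed and the value travels
// separately as a bound parameter, so it is only ever compared as data.
function findSafe(PDO $db, string $firstName): array
{
    $stmt = $db->prepare('SELECT first_name, email FROM members WHERE first_name = ?');
    $stmt->execute([$firstName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form submissions: an ordinary name, a legitimate name with
// an apostrophe, and a value that rewrites the WHERE clause when it is
// concatenated into the query.
$inputs = ['Alice', "O'Brien", "x' OR '1'='1"];

foreach ($inputs as $name) {
    try {
        $vulnerable = count(findVulnerable($db, $name)) . ' row(s)';
    } catch (PDOException $e) {
        // Even an honest apostrophe breaks the concatenated statement.
        $vulnerable = 'SQL error';
    }
    $safe = count(findSafe($db, $name)) . ' row(s)';
    printf("%-16s vulnerable: %-10s safe: %s\n", $name, $vulnerable, $safe);
}
```

SQL errors logged for ordinary names that contain an apostrophe are a cheap signal that a query somewhere is still being built by concatenation.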
A hacker has to be creative in order to successfully understand and exploit things.

Great examples of exploiting using creativity are logic flaws or process exploits. These vulnerabilities are exploited when a hacker finds some portion of code that the developer assumed would be used correctly. If you were to go to a website and see a login field you couldn't bypass, odds are good that's the end of trying to exploit it. Now, applying our newfound creativity, what if we guessed what URLs an authenticated user would have access to and typed them in manually? Many developers simply do not display links to pages you don't have access to, but don't enforce those restrictions. This perfectly illustrates how a hacker will use something in an unexpected way. By attempting to find pages that we weren't presented with links to, we completely bypass the 'workflow' of the application and therefore can introduce vulnerabilities in the process, rather than the code.

While many vulnerabilities require an in-depth technical knowledge to exploit, this technical knowledge isn't required to be a 'hacker.' A hacker without technical knowledge would do a poor job of executing his attacks, but the concepts of thinking outside the box and finding places to look that no one else did, or putting things together in just the right way to reach the goal, these are creative skills.

-Samurai

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[LOL]~Futility -Rant regarding LOL

Alright. Futility here, and I'm about to complain about something that's been bothering me for the past few... well... forever really. Now before I delve into this rant, I need you to do me a favor. Open up any instant messaging program you might have and send a message containing "Two men walked into a bar. One said 'ouch'" to everyone you know.
I can guarantee you that at least one person will respond with an "lol" even though the 'joke' is devoid of anything that can be considered funny. This is where the rant begins.

Why is "lol" used for everything? It could mean, "Hah. Funny.", or, it could be deciphered as, "Wow, that was a good joke!" Or, as in most cases, it could simply mean "I have nothing else to say so I'm going to fill the void with a useless acronym because everyone else does." How did this start? How did "lol" become the universal 'everything' word? Who started it? Why? If any of you happen to know the answers to these questions, please tell me, because I really want to give him/her a piece of my mind... and my fist.

"Lol" in itself doesn't really bother me that much. When something is genuinely funny, I'll type it. Why? Because it means that I'm laughing out loud. Sometimes 'ha' just doesn't cut it, I understand that. The part that bothers me is how everyone uses it in every situation ever.

-I failed my math test today.
-lol

-I just saw my first James Bond movie.
-lol

-Listen, I'm not sure this relationship is going to work. Maybe we should start seeing other people.
-lol
-No really, I'm not joking. I honestly don't love you anymore.
-lol

These conversations were, of course, decoded and rewritten in English to aid in the understanding of those who read it. This is how they originally read:

-i fai1d mi mth tst 2dA :(
-l0l

-i jst saw mi 1st JB movy!!1!!!
-looooool

-im sry, but im not shure if i can b w/ u nemore
-lol
-me no luv u no more
-lol

My hatred is not only for lol. It is, in fact, dedicated to the loathing of all the acronyms/abbreviations/made up words that populate the phone lines today. Is it really that hard to type the two extra letters in 'you'? Why is it so difficult to type in English? Do you really save time by not typing a few letters? Is pressing that extra key really that taxing? How about speaking English? Is that too hard as well?
The other day at school I actually heard someone say, "Wow, you're gay! (pause) omg lol jk jk." I can honestly tell you that I panicked. For a brief second I didn't know what to do, I was speechless and scared. But I'm a man and decided to stop this infection before it continued to spread into the 'real world'. I punched the kid in the balls and hit him over the head with a waffle iron. I then dragged him to my basement where he resides to this very day. Last I heard from him, he was complaining about needing food, or something. But the texting speech was gone. He was cured. I couldn't take any chances though, so he's still down there... I think. I haven't really checked for a couple weeks.

Anyway, I thought I had saved planet Earth from the danger. But, alas, it had spread much faster than I could have ever imagined. Now it's common to hear this crap on a daily basis. I'm assuming all of you non-English speakers are plagued with the same affliction that we are, correct? Well I think it's time to take arms against this corruption before it gets even more out of control. Stop making up words in your texting. Stop using stupid acronyms in place of real words. Stop saying the same thing that everyone else does. And for God's sake stop actually pronouncing these ridiculous abbreviations in your everyday speech. Because if you do, I will hunt you down and personally rip out your vocal cords. You have been warned.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[MNT]~Guest writer: Uber0n! -Mentoring, can it be done?

I joined HBH about two and a half years ago, since then I've noticed a change in the attitude towards mentoring and asking for the same. Mentoring has changed from something respectful and amazing to an almost sure path to a flamefest. Why has this happened? Is mentoring a good way to learn or is it only a free ride?
What do you have to do to get a mentor/why won't you get one? The answers to these questions lie within understanding what a mentor truly is, that is what I will explain. Most people see the mentor as just a teacher, they make a quick post requesting mentoring and assume that will be fine. That's where they're wrong, a mentor is far more than a teacher. As a quick comparison one might say that asking for a mentor is like asking for a boyfriend/girlfriend, a partner. It is not something that you just make a quick post about in a forum and then expect to get someone who will fulfill your expectations. However, that comparison serves just as a quick and simple example, obviously a mentor isn't the same as a boyfriend or a girlfriend. At some points they're more and at some points they're less, but the important thing is that they are a sort of partner, someone that you will spend time with and who you will have to get to know better. A mentor's traits are always compared to that of the student, but what is it that a mentor really is? A mentor is someone who possesses a lot of knowledge about something to be able to teach, we all know that. However, a true mentor has two more qualities about him that elevate him to something much more important. What a mentor has besides knowledge is wisdom and experience. Never underestimate these traits, a mentor is a master at what he's teaching you and you are only an apprentice, thus a mentor deserves more than just attention. He deserves appreciation and respect as well and without that nobody can expect to get or keep a mentor. A mentor takes time to truly sit down and pass on that knowledge, wisdom and experience to you, one of the immense amount of people who also want a mentor and could also benefit from it in some way.
A mentor is almost something holy, it's a partner, a teacher and a master, not just someone you will find giving classes in your local school and think that you can drop in on a couple of classes and pick some knowledge up. Having a mentor is not a one year class you sign up to, it's a true blessing. Many aren't ready for such mentorship, hopefully most will realize that themselves. You have to show respect to a mentor if you want one and show how dedicated you truly are, else it's a guaranteed waste of time for him and nothing will happen. One has to already know about the things they want to advance within, you can learn by yourself, a mentor isn't there to hold your hand and guide you through everything and he will only be impressed if you show that you are trying. It's expected to know at least basics within the subject you are seeking mentoring within and you have to show a dedication by searching for the answers yourself. Turn to a mentor only when you truly need his guidance and be specific with what you want, you can't say something vague and general like hacking and expect a thorough explanation of it. To get a mentor it is mostly easiest to show these things by trying yourself and just occasionally asking questions, getting to know the person who has the traits of a mentor for you and one day you might develop a mentor - student relationship. Even when you just ask someone a question by sending them a PM or any other way, you have to show respect to the person and try your best to make what you've written look good and understandable. People have begun conversations with me starting with "hey Uber0n, im a n00b can u mentor me plzz?" and this doesn't even live up to a help request. You can't ask any random crap and expect others to just decipher what you're trying to say and help you. Asking for a mentor requires even more than what you have to show when you just ask for help. 
When you make a post on a forum to get a mentor, you are basically trying to meet all the mentioned criteria, you have to instantly, in one little post show your dedication, respect, understanding and appreciation and that is nearly impossible, especially if you are new and nobody knows a thing about you yet. Hopefully this has given you a better understanding of what a mentor is and why things are as they are. Don't give up hope on finding a mentor, but don't expect to just get one handed to you for free.

-Uber0n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[MBC]~Moshbat -The Encounter

I was going to start my section with "Welcome to my section on the newsletter...", but then I remembered you're not welcome here. In this small section I will write things. Yes, just things. I hope you're able to squeeze a laugh or two out of my things, but I'm not too optimistic. Before I plough on with my ramblings, I must state: Any seconds you waste reading this will not be returned. Also, some of my content may be a bit below the belt. Not my problem if you happen to take offence.

Not much happens in my life, you know. My time is split between school, the computer and my girlfriend, and I often find myself faced with a dilemma: Which is most likely to shout at me? Don't get me wrong, I'm not sexist in the slightest. I happen to hate people who see the opposite of sex as mere objects, toys, if you will. I mean, have you ever found a toy that will blow up on you the moment you happen to say the wrong thing? Well, excluding the brand new "terrorist-2" figurine, which is an upgrade of the "terrorist-1" figurine, which just shouts "INFIDEL" and "DEATH TO THE WEST" all the time. I have just realised that this whole writing humour thing isn't quite as easy as I thought it would be.
I find it easier to take the piss out of people than just write random jokes, so that's what I'll do. I'm rather good at bitching, but a problem I often face is doing it to people's faces... And if you've seen me, you might realize that, living where I do, I'm very much in a minority. I'm sticking with the loose theme of my life, so I'll tell you a quick anecdote. I'm still at school, a school filled with completely "normal" people, and "gangstAz", which loosely translates into "Soft as shit, but hard in large numbers against one or two people". And as I seem to be the exact opposite of normal I seem to be a little free-for-all target. Enough background information, on with the little story.

Walking down the main corridor between lessons I always seem to attract various witty comments, the smartest of which includes "Jesus". As you may know, I like my little retorts, and these comments usually come from Muslims (Nothing against them, nor am I pigeon-holing -haha- a certain group of people) and to my understanding, they believe Jesus to be a prophet. Now, if it causes a bit of controversy to call a teddy bear "Muhammed", what the fuck will they say about calling a "faggot" Jesus? So rather than explaining this to their usually low-powered brains, I merely reply "Get down on your knees, and worship me", an innuendo if I ever saw one. Another favourite thing to shout in my general direction is "get a haircut", how they come up with these I will never know. On one occasion, I happened to reply to this particular command something like "You gonna make me?", not at all very constructive, and a definite fight-starter. What I failed to realize was that the individual who shouted this was at least twice my size, and flanked with about four rather braindead cronies.
The rather well spoken and bright individual said to me, as his cronies formed a semi-circle around him rather like a satellite dish, possibly they hoped that in assuming this formation they could receive TV signals telling them what to do next to look hard (other than shoving bananas down the front of their pants), "Did I say that, though?". Please note that that has been translated from "d'd a sa tht tho? ye". After a couple of minutes trying to argue, they just walked off, shouting various "insulting" comments after them. Apparently, they didn't quite know the meaning of the phrase "fornicate your siblings". Ah well.

Thanks for reading,
-Moshbat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[QAA]~staff -Questions and their answers

We like to ramble on, but what would -you- like to hear? Do you have a question that desperately needs answering? Lost in a manual? Question marks floating around your head? Ask us! We can't answer every question you might have, but we can answer many hacking- and computer-related questions. Send your question(s) to any Newsletter staff member. You can contact them by using the PM system on HBH. We'll try to publish as many questions as we can in the follow-up issue. You can decide to stay anonymous, that's fine by us. We remove names like crazy. Now, send us those questions!

-Newsletter staff

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[???]~??? -???

This could be your spot! Here, you could have written your own text. Perhaps you would have reviewed a piece of code. Maybe you wrote a rant. You could have tried to explain XSS worms, or some new attack vector you found on that weird Russian site. We would LOVE to hear from you! If you have something to submit, please do! The Newsletter is looking for guest writers!
If you have something to say, contact Spyware on HBH.

Rules:
1) Manners.
2) Does it "fit" in The Newsletter?
3) Check your work before submitting. Do it twice, no, three times!

We're waiting for you!

-Newsletter Staff

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[END] -Thanks for reading!

Issue: 001
Download from: http://bitsofspy.net/newsletter
Published on: 7 January 2009.
[CRC-32 IEEE 802.3: A90D068F] ~Remove this line before checking.

####### ## ## ## ## ## ## ##### ## ## ## ## ## ## #### ## ## ## ## ## ## ## ## #### ### ### ##
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~