Ethical Hackers "hax0rs" Starting an InfoSec Career.
In Times When Public Institutions, & Agencies Are Weakening the Trust of the Public
How do you protect the fact finding process?
Ethical Hackers "hax0rs" ~ hacker-speak for hackers
The thing that distinguishes hacktivism from financially motivated attackers is that they're loud and they preannounce;
Who will be the Che Guevara of the tech world? An AI names CHE with some clever acronym? “Computing with High Ethics”.
June 24th 2018 Google Engineers Refused to Build Security Tool to Win Military Contracts
Chen Xiangmei the "legendary steel butterfly"
Anna Chennault aka Chen Xiangmei, was a stylish fixture on Washington DC's political circuit but also an unofficial diplomat who skilfully navigated [social engineered] the currents and eddies of 20th Century politics may have been a figure of intrigue, but as Chen Xiangmei she was seen as someone quite different. She first married US Maj Gen Claire Chennault, the leader of the Flying Tigers and one of her late husband's companies was purchased by the CIA and was reportedly used for anti-communist activities. And then there was the infamous "Chennault affair".
In 1968, the FBI secretly recorded Mrs Chennault telling the South Vietnamese government to boycott the Paris peace talks. A secret liaison for Nixon, she had essentially sabotaged a peace deal in order to improve his chances in the US presidential election. She was accused of treason by outgoing president Lyndon B Johnson. But days later Nixon won the election, and she was never prosecuted.
China, still holds the Flying Tigers and Claire Chennault in high regard, she has primarily been seen as the keeper of her husband's flame. In 2015, she even received a medal from Chinese President Xi Jinping.
Here's @Wired from 2006. AT&T Whistle Blower's Evidence
FORMER AT&T TECHNICIAN Mark Klein is the key witness in the Electronic Frontier Foundation's class-action lawsuit against the company, which alleges that AT&T illegally cooperated in an illegal National Security Agency domestic-surveillance program.
@EFF broke this via FOIA requests.
How Hacking got started.
The Rise of the Underground Engineer By Larry Lange Hobbit, Mudge and Yobie refer to it simply as "The Dinner.'' Mudge and six others founded the L0pht pretty much out of necessity in the early 1990s. "Everybody had apartments or rooms, but the 'significant others' were complaining that there were computers in the bathtub, software strewn all over the place and reams of computer paper all over," Mudge relates. "So we decided if we all chipped in we could afford a loft space."
FINALLY 2018 COMPUTER SCIENCE ETHICS COURCES
2018 WHITE HAT TRAINING CAMP CERTIFICATION
How to Take Control of Nearly Any Windows Machine by Creating a Malicious Word file. Metasploit Basics, Part 11: Exploiting Fileformat Vulnerabilities in MS Word
Tech's ethical Dark Side Harvard, Stanford and others want to address this. They waited till 2018 ! ! !
They amount to an open challenge to a common Silicon Valley attitude that has generally dismissed ethics as a hindrance. Compared to transportation or doctors, your daily interaction with physical harm or death or pain is a lot less if you are writing software for apps. Tools (think FaceBook) could ultimately alter human society, ex: Children who use it report more depression. Fake news on Facebook, Fake Twitter Followers, build it first apologize later mindset. Consider the ramifications of innovations — like autonomous weapons or self-driving cars — before those products go on sale.
Security Education and Training
DO NOT GET STUCK IN YOUR 1 AREA OF KNOWLEDGE !
EXPLOITS ARE NOT STATIONARY
Programmers are having a huge discussion about the unethical and illegal things they've been asked to do. Software developers 'kill people' Martin argues in that talk that software developers better figure out how to self-regulate themselves and fast. He pointed out that "there are hints" that developers will increasingly face some real heat in the years to come. He cited Volkswagen America's CEO, Michael Horn, who at first blamed software engineers for the company's emissions cheating scandal during a Congressional hearing, claimed the coders had acted on their own "for whatever reason." Horn later resigned after US prosecutors accused the company of making this decision at the highest levels and then trying to cover it up. But Martin pointed out, "The weird thing is, it was software developers who wrote that code. It was us. Some programmers wrote cheating code. Do you think they knew? I think they probably knew."
explains that there is free downloadable software on the Net that allows malicious hackers to steal users' passwords. Kids are just not educated enough on good security practices, or show a lack of common sense with this stuff. Parents, make sure your kids practice good computer security - choose hard-to-guess passwords, don't share them with friends, change them fairly often, and choose different ones for different sites and services.
80% of life just comes from people showing up ~ Woody Allen
Just Show Up and learn How to Get People to Like You
How to Sell! win friends and influence people
@deviantollam @J0hnnyXm4s joins talk the ranks of @ihackstuff @textfiles & @evanbooth a great speaker
Attack Paths: How to Get a Job in Infosec? talk, this instructional session discusses the specifics behind building up the soft skills necessary to effectively socialize and network with other human beings. This seminar will go beyond the obvious ?do this; don?t do that? information and focus heavily on how, where and what to practice in order to refine your skills. While most of the information will apply to all social situations, this seminar will have a career focus (not just InfoSec!), helping to provide information for not only job interviews, but also for professional networking to get those interviews in the first place. Guaranteed to be something in here for everyone, from the Basement Nerd to the Social Engineering Expert.
Alex Stamos the Security guy who quit on Yahoo because they choose to allowed the feds to spy on everyone's email.
[DEFCON 21] An Open Letter - The White Hat's Dilemma: Professional Ethics
FOR PROFIT CODING SCHOOLS
tech bootcamps are a freaking joke
Why Silicon Valley’s leading tech firms avoid hiring coding school graduates.
many recruiters are unwilling to hire coding school graduates due to lack of skills once they enter the workplace. Some are questioning the value of coding schools as Silicon Valley’s leading tech firms shy away from hiring the graduates, citing subpar skills. Coding House claimed its graduates could earn an average starting salary of $91,000, according to Bloomberg. But last month the Bureau for Private Postsecondary Education, which regulates coding schools in California, assessed Coding House founder Nicholas James a $50,000 fine and ordered the school to shut down due to complaints from students. Regulators also told the school to give refunds to all students since it opened in 2014. Coding House has filed an appeal.
10/12/15 Starting an InfoSec Career – The Megamix – Chapters 1-3
By @hacks4pancakes [Lesley Carhar, Full Spectrum Cyber-Warrior Princess]
Although I’ve touched on security education and training quite a bit, I’m continually asked to provide a resource for people who are trying to transition from school or other fields into Information Security roles. Ours is a healthy job market and we do need qualified and motivated applicants. The jobs exist, but we repeatedly see candidates being given false advice to get them. With tremendous and very much appreciated help from many of my colleagues and friends in the field, I have endeavored to compile a comprehensive blog about starting an InfoSec career.
- SECURITY PEOPLE
- Certified Ethical Hackers
- 10 Most Notorious Hackers of All Time
- Emmanuel Goldstein's sensitive description of Phiber Optik's last day of freedom underscores the need to rethink contemporary prison philosophy
- Fight for your right to privacy and against Big Data
- Ethics Google Hacking
- ISA Hackers Hacking is an art not a crime
- HACKER TRADECRAFT - Media Training is an OPSEC skill
- @ETHICALHACKX PENTESTING, HACKING, CRACKING , PROGRAMING, Linux, Website Hacking
- Work for the Feds: computer network defenders (CNDs)
- Opinion: This is how hackers create maximum damage
Digital Disruption - ETHICS and Toxic Cultures
The Internet and related technologies are giving the boldest entrepreneurs among us the opportunity to ‘mess’ with very new and exciting ways of doing things. Ways that challenge, undermine, subvert, and often completely replace the ways things have historically been done:
NOTHING ILLEGAL HERE HOW LAWYERS LAUNDER MONEY
Blackhatonomics - Economics Of Cybercrime by James Lyne
Keren Elazar (read more below about Barnaby Jack)
A DIY Guide for those without the patience to wait for whistleblowers
--[ 1 ]-- Introduction
"I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit. If you have no experience with programming or hacking, some of the text below might look like a foreign language. Check the resources section at the end to help you get started. And trust me, once you've learned the basics you'll realize this really is easier than filing a FOIA request.
--[ 2 ]-- Staying Safe
This is illegal, so you'll need to take same basic precautions:
--[ 10 ]-- Outro You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a tool. It's not selling hacking tools that makes Gamma evil. It's who their customers are targeting and with what purpose that makes them evil. That's not to say that tools are inherently neutral. Hacking is an offensive tool. In the same way that guerrilla warfare makes it harder to occupy a country, whenever it's cheaper to attack than to defend it's harder to maintain illegitimate authority and inequality. So I wrote this to try to make hacking easier and more accessible. And I wanted to show that the Gamma Group hack really was nothing fancy, just standard sqli, and that you do have the ability to go out and take similar action. Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned hackers, dissidents, and criminals!"
Definition of Script Kiddy
Definition of a "script kiddie," someone who needs the simplified and automated tools created by others to mount attacks that he couldn't manage if left to his own devices.
Can You, using only free tools and the resources of the Internet, successfully:
- Find a set of passwords to crack
- Find a password cracker Find a set of high-quality wordlists and
- Get them all running on commodity laptop hardware in order to
- Successfully crack at least one password
- In less than a day of work?
1972 Steve Jobs’ first business was selling “blue boxes” that allowed users to get free phone service illegally. These boxes were designed in 1972 by Jobs’ close friend and future co-founder of Apple, Steve Wozniak. The idea to sell them was supposedly Jobs’. The two learned about blue boxes from famed “phreaker” (phone freak/hacker) John “Cap’n Crunch” Draper. (This nickname was alluding to a whistle given away in the 1960s in Cap’n Crunch cereal which produced the perfect tone, 2600 Hz, to allow a person to enter operator mode on AT&T’s phone system. Draper later briefly worked at Apple, even while serving a five year jail sentence for his phreaking escapades.) Jobs and Wozniak became intrigued with the idea of trying to make one of these boxes. As Jobs explained in a 1995 interview, "We were so fascinated by them (blue boxes) that Woz and I figured out how to build one. We built the best one in the world; the first digital blue box in the world. We would give them to our friends and use them ourselves. And you know, you rapidly run out of people you want to call. But it was the magic that two teenagers could build this box for $100 worth of parts and control 100′s of billions of dollars of infrastructure in the entire telephone network in the whole world…
Experiences like that taught us the power of ideas. The power of understanding that if you could build this box, you could control 100's of billions of dollars around the world, that’s a powerful thing. If we wouldn’t have made blue boxes, there would have been no Apple."
The Surprisingly ‘Not Sexy’ Life of 24/7 White Hat Hackers
Rob Bagnall, the founder of Maverick Cyber Defense. “In the end, it’s ensuring the mission. We are sanitation engineers more than anything else. We’re taking out the trash. When we’re doing it right, it’s mostly not sexy; it’s like being a PI."
CyberHarassment and CyberBullies
Bully: @ShadowDXS vs. American Patriot:
I love trolling people. The reason why is, I love to see people laugh. But I found a more effective way getting a chuckle out of people, real people. And 90% of them are not people like you. I now keep a very small social footprint that a large number of people have bitched about for the past two years. I follow around 20 or less people on the only social network that I’m addicted to by choice. It’s not because I’m trying to cool or some bullshit like that. Truth is, I hate what most of you people have to say. Most of the people I used to talk to, are nothing but cancer. I chose to cut the cancer out and move on. You’d be shocked to learn that once all the voices of petty drama are gone, the world gets less noisy and more interesting. I’ve had time to focus my life on things that benefit me. Time to asses who my real, no-shit friends are. Time to work towards a carer that I enjoy.
Spectacles of Insecurity: Top 10 Greatest White-Hat Hacks Hats off to the white hats. These hackers, who break into computer networks and digital devices to find holes before the bad guys do, have led to some of the most significant advances in securing the online world. Their findings have reshaped the way e-mail accounts, credit card numbers, and even ATMs and medical devices are protected from cyber-criminals.
RIP Barnaby Jack
"White hats" like Jack play a critical role in uncovering security flaws early so they can be fixed before real damage occurs.
His efforts pushed the manufacturers. Medtronic, one of the world's biggest medical device makers, hired security teams and coordinated with the U.S. Department of Homeland Security to implement anti-hacking changes to its insulin pumps and other products in light of research from Jack and others.
The Spotlight is a Necessary Evil:
Jack's family and longtime friends portray a much different person, one who was uncomfortable with being in the spotlight at the annual Black Hat and DefCon conventions
Barnaby’s dad, former Radio Hauraki pirate DJ Mike Jack, despaired their son would ever make anything of his life. He went on the dole and taught himself about computers from books he ordered from a fledgling Amazon. Barnaby Jack was a white-hat hacker, one of the good guys. One of the best of the good guys. He showed, with all the flair of a Vegas magician, how he could remotely hack into an ATM. Bank notes flew all over the stage, his peers cheered, and Barnes stood at the podium and nearly pissed himself laughing. Jack’s hack — Jackpotting, as it became known — was featured on news channels around the world. Overnight he became hacker royalty. “I’m on the good side of the fence,” he told interviewers. “I couldn’t really bring myself into a criminal life. Besides, my mum wouldn’t like it if I was in jail.” When sister Amberleigh jokingly suggested he might eradicate evidence of her student loan, he reckoned it could be done — but he’d have to erase thousands of them or he’d be fingered.
2014 Ethical hacking organization hacked, website defaced with Edward Snowden’s passport. The EC-Council, a US professional organization that offers a respected certification in ethical...
The EC-Council, a US professional organization that offers a respected certification in ethical hacking, was itself hacked this weekend. Passport and photo ID details of more than 60,000 security professionals who have obtained or applied for the EC-Council’s Certified Ethical Hacker certification are at risk after the breach, many of whom work in sensitive political and military positions. They include members of the US military, FBI, United Nations, and National Security Agency. Among their number is Edward Snowden, whose passport and application email for the certification were used to deface the EC-Council’s homepage, alongside the message “Defaced again? Yep, good job reusing your passwords morons.”
2014 Hacker School describes ways they inadvertently deterred or misjudged
female candidates and what they're doing to improve
We no longer believe people must "love" programming to come to Hacker School.
We learned that many of our alumni nearly didn't apply because they worried they didn't really "love" programming. Around the same time, Hacker School alumna Sunah Suh recommended the excellent book Unlocking the Clubhouse, which presents strong evidence that this language is gendered. We've since stopped saying that people must "love" programming (see my post about the word "hacker").
1. We don't compare applicants to alumni who share superficial characteristics or demographics. This mistake is a bit different from the others because it's not something we ever intentionally did. We realized about a year ago that we frequently found ourselves saying, "applicant X reminds me a lot of Y," where X and Y more often than not shared the same race and gender, or other irrelevant demographics or traits. A similar voice or speech pattern can conjure up feelings, good or bad, about someone else and lead you to wrongly project other less superficial attributes onto that person. Given this, we now have a policy of not making comparisons betweens people who share superficial characteristics and call each other out any time we do.
2. We shouldn't have named our company "Hacker School." Both parts of our name have caused us trouble: Hacker because so many people take it to mean a person who breaks into computers rather than a clever programmer.
3. School because it implies a rigid and traditional approach to education that we emphatically reject. This mistake is different from the others on this list because we haven't yet corrected it, and probably never will, given how time-consuming and costly it would be.
10/6/14 China Internet Security Conference in Beijing. A 13-year-old "internet security prodigy" prefers to be seen as 'an ethical hacker'. "I think those who hack all day for profit are immoral," said Wang. "It is interesting to look for website security risks and I am overwhelmed with joy when I find one. But I will not use my talent for something illegal." From the mouths of babes/the government's newest darling.
China's Youngest Hacker Speaks
Ankit Fadia Revealed by Charles Assisi
Media Literacy - Check the Facts about Ankit Fadia - he is a brand out of thin air. Anyone can offer a certificate. Insist, Exaggerate, Evade, Pursue, Empathise, Court, I’m awestruck at the genius you’ve deployed in getting to where you are without being anywhere close to the real hackers I know
The FBI Needs Hackers, Not Backdoors By Matt Blaze and Susan Landau The FBI wants to massively expand the wiretap mandate beyond phone services to internet-based services. There’s no need to mandate wiretap backdoors. That’s because there’s already an alternative in place: buggy, vulnerable software.
2012 Learn to Hack Attack servers, crack passwords, exploit services, beat encryption - everything you need to protect yourself from evil. Only try this at home…
Let’s be clear – breaking in to computer systems is illegal. You don’t actually have to do damage or steal any data to get in trouble. In most countries, just trying to break in to a system is a serious offence. Fortunately, virtualisation software allows us to test out the techniques that hackers employ using a single computer, as the examples here show. If you have a home network, you could easily set that up in a similar manner and try these out across multiple computers. Trying out these attacks helps you stop yourself falling prey to them. However, if you try these techniques out against a live server then – unless you have written permission from the owner of the machine – you will be opening yourself up to serious legal ramifications. Just don’t do it.
1/2011 In an age where the government threatens to restrict access to the Internet, people need to arm themselves with the knowledge to work around any attempts at censorship. Suggestions such as using Google Translate and viewing Web pages as emails, to more complex systems such as setting up VPNs (virtual private networks) and information about proxies.There is no point in trying to go after digital pirates. Ankit Fadia’s official site got hacked by a group called Team Grey Hat. The hackers seem to have gotten access to the files on his server. A Pastebin dump has been setup that shows screenshots of the files. Since the blocks can be circumvented easily, as you show in your book, does it matter if the government tries to ban/block websites?
It matters a lot - there is always a way to work around things, and I’m going to release updated versions of this book over time as more tips surface to make it even more useful - but people shouldn’t have to do all this. While some people will work around bans, the majority won’t, just like in China. In order to punish a few genuine offenders, the government will negatively affect most Internet users, and that is a real problem. Educating people about technology is, of course, one way around it, but things shouldn’t have to reach that stage at all.
Hacking Culture - Defcon
Richard Thieme - Hacking Biohacking and the Future of Humanity
DEFCON 17: Hacking UFOlogy 102: The Implications of UFOs for Life, the Universe, and Everything
Date: Thu, 9 Dec 1993 10:58:52 -0800
From: fen@IMAGINE.COMEDIA.COM (Fen Labalme)
Subject: File 2--Federal Prison Regs on Computer Classes/Books
((MODERATORS' NOTE: Fen Labalme heard a rumor that "computer books" could not be sent to federal prisoners. So, he tracked down the information. Here's what he found)).
Well, after quite a few calls and re-directions, I finally got through to one Tom Metzker at the federal bureau of prisons public affairs office (202/307-3198). He was quite helpful, if a little "tentative" as we talked.
He told me of a new (June 1993) prison policy that states that "no computer training" will be done in federal prisons. This includes (but is not limited to!) "programming techniques, computer languages, and computer repairs". He went on to say that programming includes "macros; for example, no DBase commands may be taught".
Tom informed me that many prisons now have computers for use by the inmates, but that "people who exhibit a propensity towards computers may be denied access to them".
I asked "what is the harm of learning a trade, such a C programming, that could be useful when the prisoner leaves?" He said that the rule was worded (as, he allowed, most such rules were) in a vague way that ultimately left it up to the warden as to what would or would not be allowable, and that special exceptions could be made by the warden in any case.
Anyway, this all sounds pretty unfair to me. I could understand, perhaps, if a person's crime was committed on computers that part of the punishment may be denial of access to a computer. But my friend was growing pot (a terrible crime -- aren't you glad that his punishment is greater, thanks to those wonderful mandatory minimum sentences, than if he had committed rape?) and now wants to learn about computers as a legitimate way to make money in today's information-centric world.
I think the prison system is failing us, the American society, if we don't allow inmates to learn valuable, socially beneficial skills while incarcerated. What can be done?
Servers are at Risk
Servers are at risk, not because the hackers are so talented, but because the companies and governments that run them are so bad at what they do.
They are only as effective as the rules that govern their operation. There are many holes in firewalls which must be identified and addressed to ensure security.
IRCs are popular hangouts were critical information is discussed in private rooms that get infiltrated by spooks who will prove themselves by performing a series of actions to validate their credentials as a knowledgeable and technically competent hacker. If they are able to gain the trust by demonstrating their capabilities, they may get chosed to be the “payload master.” There is a misplaced belief that anyone in law enforcement will not hack into sites to prove they are ok to deal with. THIS IS NOT THE SAME THING AS undercover drug agents and their inability to actually make deliveries as dealers to prove they are not the police.
IF hackers actually believe that law enforcement can only monitor sites and log chat room traffic but cannot be proactive they are making a big mistake because while that may in part be true, private cyber-security agents are not bound by the Constitution and often have far greater latitude.
This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.
The "best ideas" about Piracy have nothing to do with legislation, because legislation is tackling the wrong problem. No amount of legislation or enforcement stops piracy. That's been shown over and over again. What does help deal with infringement is offering a better service that gives consumers more of what they want in a reasonable and convenient manner.
Nat Torkington's brilliant response is this old joke:
How does that apply to this situation? Same thing. The tech industry keeps sending Hollywood the tools it needs to save itself... and Hollywood keeps "waiting" for some miraculous savior, while missing all of the tools it's been offered to save itself:
Heavy rains start and a neighbour pulls up in his truck. "Hey Bob, I'm leaving for high ground. Want a lift?" Bob says, "No, I'm putting my faith in God." Well, waters rise and pretty soon the bottom floor of his house is under water. Bob looks out the second story window as a boat comes by and offers him a lift. "No, I'm putting my faith in God." The rain intensifies and floodwaters rise and Bob's forced onto the roof. A helicopter comes, lowers a line, and Bob yells "No, I'm putting my faith in God."
Well, Bob drowns. He goes to Heaven and finally gets to meet God. "God, what was that about? I prayed and put my faith in you, and I drowned!"
God says, "I sent you a truck, a boat, and a helicopter! What the hell more did you want from me?"
All I can think is: we gave you the Internet. We gave you the Web. We gave you MP3 and MP4. We gave you e-commerce, micropayments, PayPal, Netflix, iTunes, Amazon, the iPad, the iPhone, the laptop, 3G, wifi--hell, you can even get online while you're on an AIRPLANE. What the hell more do you want from us?
Take the truck, the boat, the helicopter, that we've sent you. Don't wait for the time machine, because we're never going to invent something that returns you to 1965 when copying was hard and you could treat the customer's convenience with contempt.
Ethics Guidelines for Public Media Employees
On the Clock or Off: Public Service Ethics the Same in Today's Networked World. "Public Media Ethics Never Log Off: Guidelines for Public Media Employees in Their Off-Hours" is posted at the Public Media Integrity Project website. pdf download here
Lawrence Lessig Lectures = Institutional Corruption - Opening Lecture
Setting the Framework for the Question of Institutional Corruption
In his inaugural lecture as director of the Edmond J. Safra Foundation Center for Ethics, Professor Lawrence Lessig presented both a plan of and call to action as the Center embarks on its five-year investigation of the problem of institutional corruption. Having introduced these ideas of an "economy of influence" and "institutional independence," Professor Lessig went on to introduce a third key concept underlying his understanding of the problem of institutional corruption, that of "responsibility." Institutional corruption ought to be understood as activities that, despite their being in accordance with existing institutional rules, either result in or from some improper influence within that institution's economy of influence that brings about either 1) a weakening of the effectiveness of that institution, or 2) a weakening of the public's trust of that institution. See: The Sociology of Power
See: Character Education
2009 Teen hacking seen as casual activity
Casual hacking is as almost as established a part of teen life as downloading music to an iPod, a new survey of the age group has claimed. According to Panda Security, we should take seriously the statistic it gathered from a survey of over 4,000 15 to 18 year-olds that nearly one in five of them have the knowledge to use 'advanced' Internet-distributed hacking tools. Of that group, nearly a third claimed to have used them on at least one occasion.Two thirds of the group said they had actually succeeded in hacking instant messaging or social network accounts of people known to them, with 20 percent admitting to having published embarrassing photographs or videos of acquaintances on the Internet. Apart from mischief-making and competition with their peer group, the main motivation for trying out hacking appears to be curiosity, with 86% citing that as the point from which their involvement started. Casual hacking is as almost as established a part of teen life as downloading music to an iPod, a new survey of the age group has claimed.
According to Panda Security, we should take seriously the statistic it gathered from a survey of over 4,000 15 to 18 year-olds that nearly one in five of them have the knowledge to use 'advanced' Internet-distributed hacking tools. Of that group, nearly a third claimed to have used them on at least one occasion.Two thirds of the group said they had actually succeeded in hacking instant messaging or social network accounts of people known to them, with 20% admitting to having published embarrassing photographs or videos of acquaintances on the Internet. Apart from mischief-making and competition with their peer group, the main motivation for trying out hacking appears to be curiosity, with 86% citing that as the point from which their involvement started.
VIRTUAL ACTIVIST TRAINING GUIDE
NetAction's self-guided training course is a comprehensive guide to Internet outreach and advocacy.
Defcon 18 Pwned By the owner: What happens when you steal a hackers computer zoz part.
Hackers are often perceived as isolated, alienated individuals, working alone or in small groups. In reality, hackers are quite social, frequenting online forums and chat rooms to brag about their exploits, exchange tips and share knowledge. Online forums are critical to the hacking community, and are used by hackers and crackers to learn, communicate and collaborate with other like-minded individuals. The forums are generally not easily discoverable or accessible to everyone, but interested newbies will find plenty of resources and support to get started.
Stealing Sensitive Data from Thousands of SystemsSimultaneously with OpenDLP
"HACKER ETHIC" - White Hat - Grey Hat - Black Hat Hackers Curious if Unconventional Researchers
ORIGIN AND DEFINITION
The terms hack and hacker originated in the 1950s at The Model Railroad Club at the MIT.
Hackers Find Bugs
Kevin Finisterre isn't the type of person you expect to see in a nuclear power plant. With a beach ball-sized Afro, aviator sunglasses and a self-described "swagger," he looks more like Clarence Williams from the '70s TV show "The Mod Squad" than an electrical engineer. But people like Finisterre, who don't fit the traditional mold of buttoned down engineer, are playing an increasingly important role in the effort to lock down the machines that run the world's major industrial systems. Finisterre is a white-hat hacker. He prods and probes computer systems, not to break into them, but to uncover important vulnerabilities. He then sells his expertise to companies that want to improve their security. Hackers are not hireable by a national laboratory. Finisterre caught the attention of INL in 2008, when he released attack code that exploited a bug in the CitectSCADA software used to run industrial control environments. He'd heard about the INL program, which helps prepare vendors and plant operators for attacks on their systems, and he thought he'd drop them a line to find out how good they really were.He was not impressed.
"FREE AS AIR, FREE AS WATER, FREE AS KNOWLEDGE"
"In fall 1984, at the first Hackers' Conference, I said in one discussion session: "On the one hand information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other." That was printed in a report/transcript from the conference in the May 1985 *Whole Earth Review*, p. 49. Note that this refers to the original use of the term 'hacker', as programmer, not as cracker.
The original meaning of the word hacker: someone who enjoys stretching the capabilities of a system and solving hard problems. http://www.catb.org/~esr/jargon/html/H/hacker.html
Eric Raymond's article about ``The Hacker Milieu as Gift Culture'' makes clear the difference: http://www.catb.org/~esr/writings/cathedral-bazaar/homesteading/ar01s06.html
Real hackers have given us Unix and Emacs and the Macintosh and apache and BSD and Linux and sendmail and numerous other high quality gifts, because that's what they enjoy and that's how they build their reputations.
1983 Hacker "one who gains unauthorized access to computer records" from slightly earlier tech slang
1976 Hacker " one who works like a hack at writing and experimenting with software, one who enjoys computer programming for its own sake," reputedly coined at Massachusetts Institute of Technology.
1984 Hack (v.) "illegally enter a computer system" is first recorded
Social Engineer and the The art of human hacking
Which tactic works best for a scamming social engineer? Acting like an authority figure and requiring a victim to answer questions and give up sensitive information? Or acting like a nice, trustworthy person who strikes up a friendly conversation and just needs the victim to tell
them a few things to help them out?
That was the question asked by the team behind the web site social-engineer.org. They have just released results of a several-months long poll that laid out two different scenarios of how a social engineer might try and elicit information from a victim.
The first showed how the principle of endearment and how it may be used by a malicious social engineer. The example given was a social engineer who attempts to get strangers to engage in very personal conversation with him with little effort. Dressed very casually he grabbed a prop that he felt would endear people to him, a small sign that had a funny slogan on it. As he walked around, looking like a tourist with his prop, he was able to engage people in conversation. "The fact is we like to deal with people who are like us, but even more powerfully we like to deal with those who LIKE us," said Christopher Hadnagy, "Endearment makes a person feel liked and, in turn, like you. Endearment is used by getting on the same plane as the target, or giving them reasons to like you." [...]
Hacktivism as a praxis was born in December 1997 when Critical Art Ensemble member and software engineer Carmin Karasic was so appalled by the events of the Acteal Massacre - 45 Zapatistas were murdered at the hands of the Mexican government - that she set out to create a Web interface that would perform political protest as an aesthetic act. Three other Critical Art Ensemble members joined her in forming a new collective they named the Electronic Disturbance Theatre. (The group's name is drawn from the concept of civil disobedience first proposed by Henry David Thoreau.) Their electronic civil disobedience engine is named FloodNet; funded by RTMark and launched in September 1998, it is Karasic's brainchild in her war against injustice.
- Hacktivists - "hacktivism," hacking with an ethical or political end, they are not cyberterrorists
- "Crackers" the dark-side, hackers who illegally break into systems to vandalize them
- Cypherpunk - a movement devoted to using networking technology and strong encryption to grasp freedoms denied by oppressive governments.
- ANNONYMOUS / JOHN GILMORE CYPHERPUNK
Background on Assange's rage against the state & Cypherpunks
- Cyberpunk - a subgenre of science fiction focussing on computer and technological undergrounds in dystopian anarchocapitalist futures.
- Phreaks - people who hack the telephone system.
- Jargon File, a comprehensive compendium of hacker slang illuminating many aspects of hackish tradition, folklore, and humor.
- The annual Las Vegas hacker convention called Def Con was founded by Jeff Moss in 1993.
- IEEE Computer Society
- The Ethical Hacker Network - Essential Wireless Hacking Tools
Anyone interested in gaining a deeper knowledge of wireless security and exploiting vulnerabilities will need a good set of base tools with which to work. Fortunately, there are an abundance of free tools available on the Internet. This list is not meant to be comprehensive in nature but rather to provide some general guidance on recommended tools to build your toolkit.
I'm wondering why you say 'hackers' instead of <'crackers'...> thats who is causing problems...
Crackers, hackers, as*holes, you can call 'em whatever you like. Did you understand what I was saying? Then let's not worry about whether my vocabulary is politically correct or not. (By the way the earliest references to "Computer Hackers" were in memos about MIT's timesharing system and phone system being screwed up by "so-called hackers" -- and it was definitely not a term of kindness. I see these discussions about "hacker" versus "cracker" or "technophile" or "cybercriminal" or whatever as a linguistic dodge to whitewash the unpleasant truth: there is a very large grey area between acceptable and unacceptable action and a lot of people are seeking a comfort-zone that justifies their doing things that annoy other people. No matter how you cut it, if it's damaging, annoying, or just plain rude, it's not proper behavior.) ~ mjr.
RICHARD STALLMAN FREEDOM FIRST:
Unethical Products that restrict freedom.
Richard Stallman - Happy Hacking Free software movement started in 1983 by Richard Stallman. Freedom and community are the moral goals of software freedom. He wrote version gnu 1, 2, and now 3 with the help of a contract lawyer. GNU public License protects the freedom on every user. Free computer programs - copyright vs. copyleft.
Gov't toadies to big business Disney, Intel, Sony, Microsoft conspiracy.
HDTV plot to control technology available to the public. After 2013 Analog video outputs will be forbidden and won't be allowed to be manufactured.
Pirates - where true democracy was born because the crew always had a vote. "His crew were a really rough, tough bunch - often coming from prisons and being escaped slaves. "But Sir Henry didn't have any noticeable problems with leadership and seemed to be accepted by his crew."
MIT OpenCourseWare: Ethics
This OpenCourseWare offering from MIT begins fittingly, with an architectural detail of Libra the Scales from the Autun Cathedral in France. This course was originally taught in the fall of 2009 by Professor Julia Markovits, and the course is a seminar on "classic and contemporary work on central topics in ethics." Some of the questions addressed by these
materials include "What makes our actions right or wrong?" and "What is virtue?" Visitors to the site will find the course syllabus, readings, lecture notes, and some assignments. The lecture notes include sessions on moral explanations, moral judgments, and utilitarianism. Also, visitors can look over the reading lists and offer their own feedback on the course.
WHITE HAT ETHICS
Johnny Long Christian, Hacker, Author, Pirate and Ninja is the descendant of Captain Sir Henry Morgan, 7th century buccaneer "one of the most notorious and successful privateers [.from wales..] and one of the most dangerous pirates that lurked in the Spanish Main.” is the penetration tester for Computer Sciences Corporation (nyse: CSC ) security team. Long is paid to probe weak points in a company's information security. His job as a "white-hat" hacker is to think like the bad guys--the more evil genius he can summon up, the better. His job as a "white-hat" hacker is to think like the bad guys. Google Hacking Mini-Guide By Johnny Long May 7, 2004 and Article about No Tech Hacking then you should watch No Tech Hacking DefCon video about this topic. Johnny has written or contributed to several books, including Google Hacking for Penetration Testers, InfoSec Career Hacking, Aggressive Network Self-Defense, Stealing the Network: How to Own an Identity, and OS X for Hackers at Heart. Google Hacking. Hacking Hollywood Style - Is it in You?
- Stangdawg.com and his personal blog
- Hacker Public Radio
- The Revolution will be Digitized Hack TV
- Binary Revolution Forums
- Welcome to Rixstep.
Where business is the usual. Where the industry is watched because it needs watching. Where software products are watched for the same reason. Where you can actually unbelievably enough learn things. And where you'll find heaps of scrumptious software, some of it even for free. Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long.
- Ethical Hacking and Penetration Testing - Discussion on ethical hacking and penetration testing subjects.
- Internet Security - Phrack
- Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security lists 5 Great Web security blogs you haven't heard of.
- Cryptogram Newsletter
- How File-Sharers Will Bypass UKs Anti-Piracy Act 2010 how file-sharers will easily avoid the measures that have been introduced by the new legislation.
NTRO's ethical hackers to conquer China
Monday, 03 October 2011The plan, sources said, is to put in place a group of hackers with special emphasis on countering the threats emanating from Chinese hackers. Sources also said that the Chinese hackers have the capability to disrupt the communication links of the satellites and drain out the information from the space-based assets. The Government swung into action following two major offensive operations from the Chinese hackers — Operation Shadow in the Cloud and Operation Shady RAT—that were into action for three to five years for theft of classified defence data before being detected by the McAfee (a cyber security company) and Canadian researchers respectively.
The National Technical Research Organisation (NTRO), premier technical intelligence agency, has hired a team of ethical hackers to counter the ever-increasing threat of Red Army — a state-funded group of Chinese hackers — to sensitive Government websites, critical infrastructure and secure the space-based assets from cyber attacks. The Red Army or the Red Team is estimated to have on board 10,000 hackers and poses threat to the entire world, a realization resulting in strengthening of the cyber warfare capabilities by countries like the US and India.
The NTRO is a tactical intelligence gathering agency that relies on technology for collection of information for securing the country's security interests, including threats to critical infrastructure and reports directly to the Prime Minister's Office.The agency has appointed a Chinese language tutor to help the hackers learn Mandarin, the language of the Chinese so that national critical infrastructure is protected from the offensive operations of the Red Army. Insiders said the hacking team would help the agency in tracking, analysis, minimization of impact from cyber attacks and counter action against such offensives. This besides, they would also aid in launching offensive operation against an adversary.
- Full Disclosure * Privacy * Security * Surveillance * Blog Black Hat
- The User's Manifesto: in defense of hacking, modding, and jailbreaking
2015 TERRIBLE - Hacking Team assisted some of the world's most repressive regimes – from Bahrain to Uzbekistan, Ethiopia to Sudan – to spy on their citizens. We know from investigations by Citizen Lab that these tools are used to target human rights activists and pro-democracy supporters at home and abroad.
clients #Mexico #Colombia #Italy #Surveillance #policestate #NWO @citizenlab #freedomofexpression
Massive leak reveals Hacking Team explaining the evilest technology on earth. > FBI Spent $775K on Hacking Team's Spy Tools > The data stolen from the firm contains several gigabytes worth of exploits, malware and other very sensitive information. Among them, a new Flash Player zero day affecting Flash Player up to version 126.96.36.199
Since 2011 just because a country is not on the UN blacklist doesn't mean it is ethical to sell surveillance tools to them. Hacking Team employee Daniele Milan joked about gathering enough Bitcoins to pay for the assassination of Christopher Soghoian, the ACLU’s Principal Technologist. HackingTeam had a generator that embeds their SWF 0day exploit into MSWord, Powerpoint and Excel for emailing. Hacking Team's competitors ARE UK-based Gamma International or Israeli NSO Group.
Dark Cloud Hovers Over Black Hat
CISCO AND MICHAEL LYNN
Last week Black Hat, the Vegas security conference that was at the center of the Ciscogate controversy last summer, was purchased by CMP Media. The sale has the internet hens clucking about whether ownership by a larger, wealthier corporation will protect Black Hat from future legal challenges, or make it more susceptible to pressure from companies wanting to control vulnerability disclosures.
The more worrisome question is why Black Hat and other purveyors of security information must worry so much about what they disclose. For better or worse, the settlement I negotiated with Cisco in its case against researcher Michael Lynn kept some important legal issues from reaching a courtroom, and these unsettled questions cast a long shadow over security research today.
As a brief background, Michael, my client, worked for ISS, a company that provides security products and services. While there, Michael's job was to study Cisco products, to figure out how they worked and to analyze them for security flaws. Cisco did not give ISS or its employees Cisco source code and ISS had no nondisclosure agreement, or NDA, with Cisco. Michael had the typical NDA with ISS that he would not reveal confidential information obtained during the course of his employment there.
When Michael discovered the now-famous Cisco flaw, ISS initially was pleased to have Michael tout the success at Black Hat. Michael's presentation demonstrated for the first time that it was possible to execute remote code on Cisco routers, and encouraged systems administrators running vulnerable versions to upgrade fast.
But in the weeks leading up to the conference, Cisco and ISS butted heads over what information Michael would reveal about the router code. The day before the conference, Cisco and ISS cut a deal and informed Black Hat that it had to cut Michael's presentation out of the conference materials. Michael, concerned that important information was being suppressed, gave an edited version of his talk anyway, and by that afternoon, Cisco and ISS had jointly filed a federal lawsuit against Michael and Black Hat.
Among other claims, the lawsuit alleged that Michael and Black Hat misappropriated trade secrets by revealing Cisco code in his presentation. In California, where Cisco is located and the lawsuit was filed, misappropriation means "acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge." Improper means "includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means." Importantly, "Reverse engineering or independent derivation alone shall not be considered improper means" under the law. Michael didn't steal anything, and he never had access to confidential Cisco source code. He took the binary distributed with every Cisco router, decompiled it into machine code and used some pointers to the machine code to illustrate the claims made in his presentation.
Machine code is probably copyright-protected, but copyright's fair-use doctrine allows some copying for the purpose of critique and study.
California law makes it clear that people are allowed to study products on the market, and that a trade secret loses its special status when a company sells it to the public. When a company distributes confidential information to insiders, it can assure that that information remains protected by requiring the employee or contractor to sign an NDA.
Since Michael was not under an NDA with Cisco, he and Black Hat should have been in the clear. (At some point, Cisco and ISS lawyers claimed that Michael's NDA with ISS prevented him from reporting information he learned on the job about Cisco products, but arguing that Cisco flaws are ISS confidential information is a real stretch.)
But what about the Cisco End User License Agreement that ships with the router code? That's where things get interesting, and troubling for Black Hat's future.
Almost every piece of software today comes with a click-through EULA that purports to regulate how customers can use the product, including a limitation on reverse engineering.
Companies have argued that the EULA has the exact same effect as an NDA - essentially letting every single customer in on a "secret" that they're legally obliged to protect.
If courts adopt this view, instead of keeping insiders loyal, trade-secret law can help companies force the public not to discuss published information. And if EULAs do confer trade-secret protection, that might mean magazines, newspapers and conferences have a duty to screen information to make sure it wasn't obtained by prohibited reverse engineering.
are you ready to give it up? c'mon how 'bout it??
I'm your Bareback Ridin' Bronco Bustin'CowGirrrrl -- Lassoing java applets right out of the Cyberrodeo of life!
Yippee kiyi, yippee-aaaa I'll be ridin' the cybertrails all day.... -- KE
In a variety of cases, courts have held that the press has a right to disseminate information of a public concern even if it was illegally obtained.
In the Pentagon Papers case, The New York Times battled the Nixon White House over its right to publish a secret Department of Defense report on U.S. involvement in Vietnam that had been leaked by DOD employee Daniel Ellsberg. The Times won and the documents were published, calling the government version of the nation's decision to go to war into question.
In Barnicki v. Vopper, the Supreme Court said that a radio station could not be sued for playing a tape of an illegally intercepted telephone call between two union leaders involved in a matter of public interest, even though it knew that the person who recorded the call did so illegally, in violation of the Wiretap Act. Those are good decisions. But one of the only cases that addressed the issue of trade-secret publishers went the other way.
In a lawsuit filed by the DVD Copy Control Association against a California man who posted the DeCSS DVD-decryption code on his website, the California Supreme Court held that the First Amendment doesn't mean courts can't stop people from publishing trade secrets when the publisher knows or has reason to know that the information was acquired by improper means. That case is different from the Pentagon Papers case and Barnicki because the court found that DeCSS wasn't a matter of public interest. Of course, most security vulnerabilities are, especially those that affect the machines that form the backbone of the internet. Today, it's unclear how a court would rule in a trade-secret case where Cisco sued ISS for violating the prohibition against reverse engineering.
The rule should be that EULAs don't make published information secret, under any circumstance. The contrary would be dangerous for Black Hat, Michael, future bug finders and computer security. And while trade-secret law can prohibit accomplices and co-conspirators from publishing stolen data, reporters who merely know that information was improperly obtained should have a free-speech right to publish -- especially if the information reaches a matter of public interest, like the safety and security of the foundation of the internet.
Reporters Without Borders For educators designing lesson plans on journalism, the Reporters Without Borders site can offer insights into the lives of journalists working around the world. Readers may browse the site according to region, including information on Africa, Americas, Asia, Europe/Ex-USSR, and Middle East/North Africa. Selecting any of these tabs triggers a drop down menu of respective countries. Selecting any of the countries navigates to an archive of all the articles published about that country written in the past decade or so. Other important features of the site include a World Press Freedom Index, which evaluates each nation on a number of variables to assign them a yearly ranking. In the 2015 rankings,for instance, Finland was found to be the most powerful proponent of a free press in the world, while the United States was ranked number 49, after South Africa, Samoa, El Salvador, and many other nations.
2007 World's Most Ethical Companies
This ranking arose from an evaluation of "more than 5,000 companies across 30 separate industries looking for true ethical leadership" in areas such as litigation and conflict resolution, corporate citizenship, pan-industry participation, and governance. Includes a description of methodology, a list of winning companies, and brief additional material about selected winners.
How young upstarts can get their big security break in 6 steps
Here's the problem: The future of information security is in the hands of the youth. That may seem a clichd statement; so obvious it sounds stupid. But it's a fact. Here are a few things you can do to break through and make it in the industry. Think of it as
suggestions for becoming a security rock star, which you almost have to be to make a difference these days. Learn how to talk, dress, master social networking, write, work with suits AND mohawks, and get to conferences.
facebooks reward for bug hunters January 26, 2012
Tal Be’ery was happy helping Facebook fight hackers for free. In 2010, when the computer security professional was looking into how identity thieves, spammers, and other con artists used fake Facebook profiles to mount scams, he discovered a flaw that put new users’ passwords at risk of interception.
So Be’ery did what ethical hackers are supposed to do: He ignored the payday he undoubtedly could get from selling the information to criminals and alerted Facebook, which quickly fixed the problem. In recognition, the world’s biggest social media company added Be’ery’s name to a public list of researchers who have responsibly disclosed Facebook bugs.
At the time, that was reward enough for the Tel Aviv resident. Today the 32-year-old wishes he had something more tangible to show for his diligence—namely one of the debit cards Facebook began handing out to bug catchers in July. The Visa-branded (V) cards are loaded with as little as $500 or as much as $5,000—amounts vary depending on the severity of the bug. More important, the shiny black cards are brimming with geek cachet. There’s a whiff of exclusivity about them: Think American Express’s (AXP) by-invitation-only Centurion cards, which are also ebony. “That would be so great to get that,” says Be’ery. “To tell your grandchildren, ‘Papa was a hacker once.’ Just for the symbolic value.”
The cheeky conceit behind Facebook’s debit cards underlines a serious issue. Technology companies are torn about how to engage with application developers or security researchers who spot bugs in the course of their professional work or hobbies. Many businesses ignore unsolicited tips from so-called white-hat hackers. Some even threaten them with legal action. Criminals, governments, and sketchy middlemen are willing to pay top dollar for the nastiest bugs—experts say black market prices can go as high as $1 million.
Work for the FEDS
2010 DoD Requires Hacker Certification
Official government cyber defenders are now required to have the skills of a hacker according to a mandatory certification approved this week by the Department of Defense. The DoD now requires its computer network defenders (CNDs) pass Certified Ethical Hacker certification program from the International Council of E-Commerce Consultants (EC-Council) to fulfill baseline skills. The Certified Ethical Hacker qualification tests someone's knowledge in the mindset, tools, and techniques of a hacker. CNDs -- who are part of the DoD's information assurance workforce -- protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. Assistant Secretary of Defense John Grimes officially instated the Certified Ethical Hacker requirement in late February under DoD Directive 8570, which provides guidance for how DoD information workers
should be trained and managed. [...] DSS
You can work for Jim Christy dod cyber crime response team.
2006 Hackers can work for the Feds - NO DEGREE REQUIRED
Traditional requirements like college degrees and polygraph tests were no longer strictly required for government employment. They also said security clearances are being approved quickly. FBI combats criminal hackers, fraud and abuse.
The government is streamlining its process of attracting hacking talent and has hired several people without degrees. "Very gifted" have the chance of being hired even without a high-school degree. The government is willing to accept people gaining skills away from schools.Many employees, contractors and even people in the senior executive service do not have degrees. Becoming a contractor first is the "easiest and quickest" way to eventually getting a government job and said 60% of his organization is composed of contractors. Government hiring procedures often can be "slow and antiquated" and working with contractors sometimes is the only option to complete a critical job, It can take "two to three years" for that position to be created. Hires can receive an interim secret clearance in about 3 to 4 weeks. According to Christy, the interim check consists of a "quick little" background inquiry and a check for warrants and convictions. " Strict polygraph requirement only exists at some agencies - like the NSA. Polygraphs are usually not required for other government agencies polygraphs are not required for most secret level jobs. Everyone doesn't have to be polygraphed. In certain programs, up to 90% are not polygraphed. Other factors that could disqualify an applicant are financial problems and drug use. Financial responsibility is the "number one" disqualifier, but Christy adds that drug use is also a major disqualifier. "If you used drugs in the last year, you would probably be precluded.
Mark Loveless, a.k.a. “Simple Nomad” Hacker for 25 years, is a Senior Security Analyst at BindView Corporation. Mark works on the company's highly regarded RAZOR Research Team. He is also the founder of the Nomad Mobile Research Center, an international group of hackers that explore technologies. He has spent years developing and testing security strengths for a broad range of computer systems. He has also authored numerous papers, tools and articles, all dealing with the computer security and insecurity. Mark is a frequently sought lecturer at security conferences and industry events around the globe. He has been quoted in print, online and television media outlets regarding computer security and privacy.Who does your OWN security company work for?
It's Not You!
You pay a company to keep the bad stuff out of your machine right? BUT Do they get paid off not to?BEFORE Mark Russinovich's expose of Sony BMG's use of stealth technology in a DRM (digital rights management) scheme, "rootkit" was a techie word. Now, the word is being used in marketing material for every anti-virus vendor, cementing Russinovich's status as a Windows internals guru with few equals.
The Sony rootkit discovery highlighted the fact that anti-virus vendors were largely clueless about the threat from stealth malware and forced security vendors to build anti-rootkit scanners into existing products. Russinovich, who now works at Microsoft after Redmond acquired Sysinternals, spent most of 2006 expanding on his earlier rootkit warnings and building new malware hunting tools and utilities.
Sony Rootkit DRM
Sony Rootkit DRM apple
Sony Rootkit plagiarism
ADWARE COMPANY QUIBBLES WITH LABEL
A company that makes and distributes adware has filed a lawsuit against a computer security company that identifies the adware company's products as "high risk." The adware purveyor, 180solutions, contends that Zone Labs erred in saying that some of 180solutions's applications try to monitor mouse movements and keystrokes. Although
some of its applications employ a technology that could be used in such a manner, those applications do not in fact work that way, according to 180solutions. Representatives from 180solutions said they tried to explain the situation to Zone Labs but were forced to file the lawsuit when Zone Labs refused to remove the applications in question from its list of high-risk tools. Eric Howes, a spyware researcher at the University of Illinois, said that despite its protestations, 180solutions remains "a perfectly legitimate target for anti-spyware companies." According to Howes, security professionals continue to "find unethical and illegal installations of 180's software." ZDNet, 1 December 2005
HACKER ETHICS Computer Women
Hackers Who Left a Mark on 2006
These folks disclosed serious vulnerabilities in the technologies we take for granted, forced software vendors to react faster to flaw warnings and pushed the vulnerability research boat into new, uncharted waters.
1) H.D. Moore has always been a household nameand a bit of a rock starin hacker circles. As a vulnerability researcher and exploit writer, he built the Metasploit Framework into a must-use penetration testing tool. In 2006, Moore reloaded the open-source attack tool with new tricks to automate exploitation through scripting, simplify the process of writing an exploit, and increase the re-use of code between exploits. Moore's public research also included the MoBB (Month of Browser Bugs) project that exposed security flaws in the world's most widely used Web browsers; a malware search engine that used Google search queries to find live malware samples; the MoKB (Month of Kernel Bugs) initiative that uncovered serious kernel-level flaws; and the discovery of Wi-Fi driver bugs that could cause code execution attacks. Moore's work nudged the security discussion to the mainstream media.
2) Jon "Johnny Cache" Ellch and David Maynor
At the Black Hat Briefings in Las Vegas, Jon "Johnny Cache" Ellch teamed up with former SecureWorks researcher David Maynor to warn of exploitable flaws in wireless device drivers. The presentation triggered an outburst from the Mac faithful and an ugly disclosure spat that still hasn't been fully resolved. For Ellch and Maynor, the controversy offered a double-edged sword. In many ways, they were hung out to dry by Apple and SecureWorks, two companies that could not manage the disclosure process in a professional manner. In some corners of the blogosphere, they were unfairly maligned for mentioning that the Mac was vulnerable.However, security researchers who understood the technical natureand severity of their findings, Ellch and Maynor were widely celebrated for their work, which was the trigger for the MoKB (Month of Kernel Bugs) project that launched with exploits for Wi-Fi driver vulnerabilities. Since the Black Hat talk, a slew of vendorsincluding Broadcom, D-Link, Toshiba and Applehave shipped fixes for the same class of bugs identified by Ellch and Maynor, confirming the validity of their findings.Maynor has since moved on, leaving SecureWorks to launch Errata Security, a product testing and security consulting startup.
Joanna Rutkowska In a standing-room-only presentation, she dismantled the new driver-signing mechanism in Windows Vista to plant a rootkit on the operating system and also introduced the world to "Blue Pill," a virtual machine rootkit that remains "100 percent undetectable," even on Windows Vista x64 systems.
Quotes for inspiration:
"They came for the communists, and I did not speak up because I wasn't a communist;
They came for the socialists, and I did not speak up because I was not a socialist;
They came for the union leaders, and I did not speak up because I wasn't a union leader;
They came for the Jews, and I didn't speak up because I wasn't a Jew.
Then they came for me, and there was no one left to speak up for me."
"Take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented. "
The only real difference between hacking and Quality Assurance is that a QA engineer generally gets compensated for finding flaws in a product before the general public (and our hacker kindred) have the opportunity to. Flaws that QA engineers work around or take for granted, when shipped to the consumer, become vulnerabilities that any halfway decent hacker can exploit.
"Never belong to any party, always oppose privileged classes and public plunderers, never lack sympathy with the poor, always remain devoted to the public welfare, never be satisfied with merely printing news, always be drastically independent, never be afraid to attack wrong, whether by predatory plutocracy or predatory poverty."
ETHICS OF OPEN GOV'T
Limehouse was a central place where you could comment on individual paragraphs of the plan. Not only could you submit your comments, but you could see what others were saying. You could agree or disagree with those comments as well.
Using email to share feedback with local government only goes so far. It's a great tool for communication, but not so much for collaboration, sharing, and transparency. Avoiding email for feedback might actually help city employees do their jobs. Instead of being stuck at their desk answering emails, they can use their skills more efficiently.
Raleigh's On-Line Document Center and Interactive Portal
On this website you will be able to search, navigate and read on-line versions of important documents right in your browser. Registered users will also be able to comment on draft documents that have been posted for input, as well as participate in specific surveys.
If you have not done so, please register at the link above access all the features of this website and to receive automatic notifications when documents are posted. A guided tour showing how to use the site is available at the link to the left, and help files are available at the link on the upper right hand corner of this page.
What you can do without registering on this portal:
- Read on-line versions of documents.
What you can do when you register on this portal:
Comment on all or part of documents posted for public review.
Read other people's comments on the documents.
Take surveys and participate in bulletin boards.
Keep up with other means of participating in on-going projects, such as attending public meetings.