Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

February 09 2010

February 08 2010

February 03 2010

February 01 2010

January 30 2010

blackfire
16:56

Unconfirmed technologies

Sometimes you see a technology which looks like magic. Happens all the time in security, more often in IT, not so often in real world.

Steorn, for instance, just demonstrated Orbo, its new free energy technology. Violating one of the core principles of (not so) modern science. However, the demo itself was nothing worth of note. It's the tiny, small quote at the end "next week, come and try: measure with your own equipment".

The trick is not showing some magic. It's having people actually use it. It's one of the oldest techniques in the world, and made fortunes in IT (remember? Shareware). Any product has to learn from that: put down the barrier, release "easy to try at home" products, have people see for themselves. A video won't do it, nor will a live demo. OpenSource developers (including me) should learn it.

January 29 2010

blackfire
10:11

Modern magicians

Recently, I have been asked to write a non-tech article about pentesting and vulnerability research. As it might be interesting to some readers, I decided to share a few fragments here.

"Any sufficiently advanced technology is indistinguishable from magic"
Arthur C. Clarke

Since my early days with computers, I have always cited this Clarke's Law to people astonished by technology artifacts. These days, I am still using the same quote while explaining my job as a pentester to non-technical persons. Beyond the shadow of doubt, security testing is far away from magic being a complex technology-based process. It requires a proper mix of scientific know-how, creativity and expertise on cutting-edge technologies. Staying on top of the latest in vulnerabilities and computer attacks requires continual study, in-depth research, as well as continual discussions and feedback with fellow security professionals.

"0days are a device to prove that a client is unready to handle the unknown"
Pete Herzog

Understanding incoming threats or even discovering new vulnerabilities gives a crucial advantage over potential aggressors. It allows system owners to protect their installations in spite of the public spread of critical flaws. In the long term, it also provides important insights which are useful to design more secure technologies for the future. As 0days are a product of an intensive research work, vulnerability research activities are essential for pentesting.

"I’ve always said that hacking is not about skill set. It is mostly about dedication, patience and a lot of motivation"
Pdp, GNUCITIZEN

Hacking is about skills, dedication, patience, passion and creativity. Properly mixing these elements makes possible to experiment with computers (and not only!). During a pentest, trying to understand how systems work and using them in an unconventional way is the key to circumvent protections and exploit vulnerabilities. After all, security testing is just about mastering technology and doing magic tricks.
Tags: ikki hacking

January 28 2010

January 25 2010

January 19 2010

January 16 2010

January 15 2010

blackfire
09:54

Once you're sold, you can't stop.

Some of you know I'm quite hostile towards selling exploits and vulnerabilities.
I've debated the thing with a lot of friends, and still can't see the actual difference with selling weapons, nor I can buy the "I get paid for my work" attitude. I can see too many flaws in the logic... but never mind, this is not the point of the post.

I've just been made aware of GenApple, https://www.genapple.com/. GenApple is a startup allowing people to sell their knowledge.
Right now, the site is full of recipes, cheat codes and "how to get rich fast" documents.

However, it made me wonder: what if the underground community actually starts using one of these tools?
It is a scenario that cyberpunk readers are familiar with: in Stephenson's Snow Crash selling data is what the main character (Hiro Protagonist, btw) does for a living.
But what if all of sudden such scenario goes real?

Right now, hackers go to conferences for free (well, most of them and most of the conferences). They share their knowledge for the sake of it, and for a little celebrity maybe, which in turn can become money at some point.
Yet, the hacker community has always been driven by the idea that "information wants to be free". Maybe not for everybody - we've always got "inner circles of whatever" - but yet miles away from the idea of actually selling a new attack or defense technique.

People advocating selling exploits always told me: I'm only selling the actual code, I'll let the technique out and skilled people and the security community as a whole can then write the code and find the bug by themselves. As a "science", security will go on anyway, they told me.
Now I wonder: if they were actually offered money for their techniques - say, $10k for a way to bypass stack protection on VISTA or something similar - what would they do?

A lot of people say that some hackers resemble rock stars. In the rock/metal community, there's a saying: "to sell out". I wonder if the same is true for knowledge, not just for code. Once you sell out, it's hard to stop.
No more free bugs. No more free techniques. No more free security. No more security?

January 14 2010

Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.