tssci security

Heroes Fans, PrimaTechPaper is hiring

If you're a fan of Heroes, and into security, check out PrimaTechPaper. For those who don't follow the show, PrimaTechPaper is a front for the agency Mr. Bennett (father of the cheerleader) works for. This site has a "Hacker's challenge"/puzzle type feel to it and my first clue to you guys is to give the number a call and take it from there.

Good luck -- Save the packets, save the world!

All That!

Every time I have a conversation with someone who has diarrhea of the mouth, it makes me nauseous. The other day, I was flying from Atlanta to Hartford (my flight was delayed by an hour) and while in the plane waiting, I struck up a conversation with a BPM/O software sales engineer and some Windows IT guy. You would think the IT person is knowledgeable in his field and the sales guy to not have a clue, but you'd be wrong. The IT guy was an idiot. I stopped believing what this guy was saying after he came up with a ridiculous explanation of memory leaks on Windows [to the sales guy]. And I quote:

You know when you start up your computer and fire up an application? And it takes like forty-five seconds to a minute to load? and then when you close it and start it up again it loads almost instantly? Yeahhh, that's a memory leak. It's Windows for ya! We in the industry call that 'leaky memory'.

Listening to this guy was getting more painful by the sentence. The sales guy asked me about my flight from Phoenix, etc., and the IT guy butts in and says "oh yah? that's nothing... try flying six times a week." So, I asked him what does he do that makes him fly six times a week. He said he's a consultant and deploys networks for businesses. Then he gets into talking about how he got his MCSE and CCNA and all these other certifications. I wished he would stop already. Dropping four-letter acronyms like they were going out of style. :rolleyes:

Anyways, I asked him what size networks he worked with? How many users? Small or medium business?

"Really small businesses" Oh yah? How small? 1000? "Not even. Ten or twenty, somewhere around there" Ohhhh, okay.... o_O ... What kind of systems do you deploy? "Small business server, 2003" (I smirked.. sorry, I couldn't help it!)

Well... then I asked how the hell he can manage to fly six times a week and deploy these networks by himself. "Lots of coffee." Oh sure... (You can tell I'm annoyed by this point...)

Then he starts talking about how closed source is so much better than open source. I asked, oh really? I can run version whatever thirty years from now and have no problems. He replied, "Why would you want to?" I said well, you have access to source code and you can do whatever you want with it. You're on your own schedule and not on any vendors', who can push you to upgrade or obsolete your version.

"So? Who the hell is going to work on it? You got coders?"

Why yes, I do have coders... I wanted to break the guy. :sigh: it was no use!

Then, something he said made me bring up the paper on LCDs being vulnerable to Van Eck Phreaking. He shook his head and stated "I doubt it" multiple times... How can you reason with this guy? Our plane was given the go-ahead to take off, and I stopped talking with him. I ignored him for the entire three-hour flight.

MCSE... pfft, CCNA.. hah, pleaseee... don't flatter yourself. You're not all that!

This has been filed under intelligence, for the lack of.

Security Internships

In a month, I begin a new internship for a Fortune 100 company. Having already spoken with a member of the security team, I can expect to be placed in one of four areas in IT security, including web application security and forensics/incident response. I have a gut feeling I'll be involved with web app security, and hope to learn a lot from the internship. This month and May, I'll be poring through OWASP documentation and a lot of RSnake's, Jeremiah Grossman's and pdp's previous posts. Perhaps I'll even pick up the book on XSS; RSnake posted Chapter 5 and the TOC of his book at his site. If I'm not in this field, that's okay... learning isn't a bad thing; I really enjoy a good challenging, learning experience.

To assimilate quickly with the corporate environment, I've been reading as much documentation as I can - internal policies and processes, information located on the corporate intranet, various group sites, etc. Anything I could read, I have or will. I'd like to know as much as possible before coming in, so my first day will be less overwhelming.

I'm interested in hearing your thoughts on internships. This will be my second internship, and it's nice to get around and see what different companies and their people are like. What should an intern expect -- duties and responsibilities wise -- on a corporate security team? What advice would you give to new interns? How do you work to fit in at a new company?

My first hack

My first hack that I remember was in sixth grade (1996 or so??). We had a lab full of Macintosh computers, which I had no clue about or anything at the time, other than we logged into them and had a folder for our documents and another folder containing the programs we could use. Every student had their own login name -- a derivative of their first and last name -- and a password assigned and given to you on a small strip of paper. You couldn't change your password, but if you forgot it, the teacher could log you in using her 'master' password.

So, after I noticed what powers the teacher had, I thought of a way to take advantage of it. When the teacher walked around the room to check if anyone had any problems, I told her I forgot my password. The teacher, being a slow, "pointer finger typer," enters in her password for my username. I watch carefully as she types and how many dots show up in the password field: g - o - l - d, four dots.

GOLD!!!

(OK, so you might not think this is a hack, but only shoulder surfing. Whatever.) I made a mental note of this and after doing what I had to do on the computer, I log off and log back on using the teacher's password again. Works. I log back off again, and this time... use a friend's name from another class. Sweet, it works! I could even log onto the teacher's account and anybody else I wanted to. I had no idea what the Mac admin's name was, otherwise I'd probably have tried and logged into his account as well.

This soon got real boring, as the only thing different in people's folders were their documents. It was fun typing random stuff into people's papers, but there were no cool programs available. I couldn't care less at the time. Soon, other people discovered the password and began abusing it. Not being discreet about it at all, the teachers eventually caught on.

Subsequently, they changed the master password... to oxygen.

How shift+del ruined my morning

What I learned today? The importance of backups, and having a clear head when working on my system. Tuesday night, I am going home to Connecticut for the summer, so I started saving all my data to an external hard drive to take with me. Well, I also did a little spring cleaning at the same time and accidentally did a "shift+up+del" (which selected the directory above as well as the one I wanted) and wiped out a 30GB directory full of rare documentaries I had acquired over the years. For those who don't know, on Windows, "shift+del" bypasses the Recycle Bin. Stupidly, I pressed enter to confirm deletion.

At first I wasn't sure what got deleted, but I knew I deleted something more than I was supposed to. Check the recycle bin, nothing... "Oh shit..." I quickly IM a couple friends and ask them what I should do. One of them points me to a really "nice" CD full of hard disk maintenance and recovery tools.

Using Active UNDELETE, I was able to restore everything except for one 700MB file. At the time I deleted the files, I was also bzipping a tar file, which probably overwrote the space where that file was located and thus made it unrecoverable.

What was supposed to take only 15 minutes turned into an entire morning ordeal. A hard lesson is a lesson learned. I hope somebody gets something out of this post...
