Tuesday, August 16, 2011
Who would have thought we would see Duke Nukem and C++0x materialize in the same year? Well, it's official: C++0x has become a standard with unanimous approval. C++0x has some interesting features such as range-based loops, lambda functions and type inference. It's been almost a decade for C++0x (and even longer for Duke, which makes me wonder what 3D Realms was doing). As a big fan of Bjarne Stroustrup I must admit I'm excited.
Sunday, August 14, 2011
Hacking is a powerful topic. People with absolutely no interest in computers can still be captivated with a story about hacking. Anyone who displays the slightest amount of technical ability will repeatedly be asked about hacking, how to hack and how to learn to hack. When I'm asked "How can I learn to hack?" I have one reply. Buy Hacking: The Art of Exploitation.
I have read both versions of Hacking: The Art of Exploitation and both times I have been surprised and impressed. The reader is first given a definition of what hacking actually is (the unintended use of laws or properties of a given situation as Jon explains). Then they are walked through a gentle explanation of programming with non-technical real world examples. Comparisons are made between giving driving directions to a person and how to program those same directions for a computer. This ensures that the reader is not overwhelmed when they realize they are learning to program.
Once the reader is comfortable with basic programming concepts the book gets right into the topic at hand. Simple programs are given with explanations of how each program works and why each program is insecure. This is followed by an explanation of the attack vector that will be used and then the reader is walked through coding a fully functional exploit, step by step. Most of these explanations show memory maps and debugger commands used to see how the exploits are detected and crafted.
After explaining common places to attack code, including both stack- and heap-based overflows, Jon moves into networking and how computers communicate. DoS attacks, network sniffing, TCP/IP hijacking and port scanning are all covered in the networking section. The reader is then brought back to shellcode with a very low-level look at how code works. By this time the reader has a fairly strong grasp of several attack vectors. Countermeasures are then discussed to explain what will prevent a hack from working, or at least being logged, and how to counter the countermeasures.
Jon brings the book to a close with one final subject, cryptography. Hybrid ciphers, password cracking and WEP cracking are all discussed here. WEP may seem a bit dated but I still don't have an issue finding a WEP network these days. The book comes with a CD containing all the source code used as well as a pre-configured Linux hacking environment (Ubuntu) that will allow the reader to test all of the exploits they have just learned. As I said, the great thing about this book is that it doesn't teach you to hack via paint by numbers, because that becomes dated quickly. Instead it teaches the reader how to look for, find and craft exploits, which is a timeless skill. If you or someone you know wants to learn to hack, this is the place to start. Well, here and Phrack.
Saturday, August 13, 2011
What if there was a database that stored everything? I know that sounds like a tall order, but consider that Wikipedia strives to have a page for everything. Having a database that stores everything doesn't sound so absurd, and it is the idea behind fluidinfo.com. Fluidinfo wants to be able to store metadata regarding everything (or as close as physically possible).
The idea behind Fluidinfo is that read-only information is just not as useful on the Web as openly writable information. Metadata is used routinely in the real world, from name tags to post-it notes, but it is much harder to apply metadata to information on the Internet. That is where Fluidinfo comes along. When information needs to be stored about an object, the Fluidinfo database is queried. If the object exists in Fluidinfo, the information is appended to the object. If the object does not exist then it will be created and stored.
So if anyone can add information then can't people just deface Fluidinfo? No, permissions are not applied to the object but to the information regarding the object. Therefore information can be managed by the user who created it. When querying Fluidinfo, trustworthy sources can be used to derive the information requested. For example, if you were looking for book reviews Fluidinfo could return reviews from Tim O'Reilly and Frank from Nebraska. Tim O'Reilly would clearly have a greater reputation than Frank (but don't you worry, Frank is an up-and-comer). Reputations and trusted domains can be used to filter data, as well as the fact that the user is generating the query. Fluidinfo is probably sounding pretty good. It gets better. Fluidinfo uses a very simple API, and queries can be returned in JSON, which makes Fluidinfo very intriguing.
The Court of Appeal for Ontario ruled in favor of Tucows that domain names are property. This now leads to a flurry of new questions. What does this mean for ICE domain seizures? How will this affect service outages? Can domains be seized for violating a TOS of a web host? Before we get ahead of ourselves, this ruling still has the option of being appealed at the Supreme Court of Ontario. It is going to be very interesting to see how this unfolds.
Here's a neat little trick I stumbled on at lifehacker.com. Boot off a repair disk, then open a command prompt and copy cmd.exe over sethc.exe. Then boot Windows and hit the Shift key 5 times at the Windows login prompt to bring up a command prompt. From there you can simply reset the user's password using the net user command.
Posted by Matthew The Tech at 11:46 AM
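The sethc.exe swap described in the post above leaves a file named sethc.exe whose bytes are those of cmd.exe, which is straightforward to detect. The following is an added example, not code from the original post: a Python check that can be pointed at a live System32 directory or at one on a mounted disk image. The function names and the optional `known_good_sha256` baseline are assumptions made for this illustration.

```python
import hashlib
import os
import sys
from pathlib import Path
from typing import Optional

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_file(directory: Path, name: str) -> Optional[Path]:
    """Case-insensitive lookup, needed when a Windows volume is mounted on Linux."""
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def check_sethc(system32: Path, known_good_sha256: Optional[str] = None) -> dict:
    """Classify sethc.exe in a System32 directory (live host or mounted image).

    known_good_sha256 is an optional baseline the caller takes from a clean
    install of the same Windows build; no hash is hard-coded here.
    """
    sethc = find_file(system32, "sethc.exe")
    cmd = find_file(system32, "cmd.exe")
    if sethc is None:
        return {"status": "missing", "sethc_sha256": None}
    sethc_hash = sha256_of(sethc)
    result = {"status": "ok", "sethc_sha256": sethc_hash}
    if cmd is not None and sethc_hash == sha256_of(cmd):
        # Byte-identical to the command interpreter: the swap the post describes.
        result["status"] = "replaced_with_cmd"
    elif known_good_sha256 and sethc_hash != known_good_sha256.lower():
        # Not cmd.exe, but not the baseline binary either.
        result["status"] = "baseline_mismatch"
    return result

if __name__ == "__main__":
    default = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default
    if not target.is_dir():
        sys.exit(f"not a directory: {target}")
    print(check_sethc(target))
```

A `replaced_with_cmd` or `baseline_mismatch` result on a machine that has had unattended physical access is worth treating as an incident; full-disk encryption and a firmware password that blocks booting from external media remove the offline write access the swap depends on.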
Friday, August 12, 2011
Monday, August 1, 2011
It allows you to display data using SVG (Scalable Vector Graphics) and then apply transformations to the document based on your data. I'm going to experiment a bit more with d3.js and see what I can cook up.
Posted by Matthew The Tech at 10:34 AM
I found a few quick tips on reviving dead hardware on Matt Wandel's site this morning. I poked around the site a little more and found he has some really cool projects showcased, such as building a digital camera out of a scanner, a CD burner CD changing machine, and a computer-controlled table saw. There are also a lot of wood projects, such as two wooden computer cases and even a power supply with a wooden case that he built. Check it out when you have a minute.
Posted by Matthew The Tech at 10:18 AM
Sunday, July 31, 2011
Reddit is an awesome site and this hack makes it that much more awesome. Chris at the new hobbyist made a physical upvote/downvote button to feed his reddit addiction. Check out the write-up at hackaday.com for the details.
It's like a bad prison movie, only in real life. Security researchers have already written three exploits for PLCs (Programmable Logic Controllers) that control the locks of some top high-security prisons. Personally I don't think we have to worry about inmates running down the streets just yet, but it is something to consider. Check out the link at Slashdot for more details.
Posted by Matthew The Tech at 11:38 AM
As this is my first post and information on my blog is a little scarce, I'm going to point you in the direction of a wealth of information. Hak.5 is my favorite IPTV show. Every week they present tips and tricks, new programs, security information, hacking tutorials, custom hardware such as the infamous WiFi Pineapple (you'll have to check out the show to understand) and anything else interesting to computer enthusiasts everywhere. I highly recommend checking them out.