02.04
02.03
Google Analytics tells me that every single day a few people stumble upon this blog coming from search engines with the query “Another word for freelance samurai”.
It’s Ronin.
You’re welcome.
01.29
I just read a great blog post linked by Pedro Telles in his blog Spinning Beachball.
Alex Payne says it all about the future of Apple and the App Store and what it means to future generations of users. It’s refreshing to read something as clear minded as this.
Perhaps the iPad signals an end to the “hacker era” of digital history. Now that consumers and traditional media understand the digital world, maybe there’s proportionally less need for freewheeling technological experimentation and platforms that allow for the same. Maybe the hypothetical mom doesn’t need a real computer. As long as real computers stick around for people who do need them, maybe there’s no harm in that.
I agree that the more advanced personal computers get, the less you need to know what is under the hood. That makes perfect sense to me. However, I don’t think this is the end of the “hacker era”, not even close. I actually think that in the future we will have both extremes, open systems and closed ones. Hackers are hackers because they insist on trying to understand what they don’t and on breaking into what “the man” says they can’t.
This might be a rather inflammatory remark, but Linux is “marketed” as a hacker’s OS and I think that is very far from the truth. When you can look at the source code, where is the challenge? I remember how much fun it was to tinker with undocumented system calls back in the day, and how that sort of discovery process was really the fuel that kept you tinkering with the innards of the system.
I for one welcome these closed systems, because I like the challenge of the unknown, undocumented, evil, perverse code that is just sitting there for me to play with until I break it and then reconstruct it, leaving pieces out, adding some in, and at the end of the day I go to bed with a smile on my face because I managed to do something that wasn’t supposed to happen.
This morning Levi posted this, and I don’t agree with much of it. I can see the point of protecting the user from him/herself, of controlling the app pipeline, yada yada yada, but I just can’t agree with it, just like I don’t agree with the whole concept of the App Store (even though it’s the only app store that works, that doesn’t mean I have to like it). If you follow the blog post from which Levi got the inspiration for his post you will see the term “Walled Gardens”. Here’s the deal: just because your prison is pretty doesn’t mean you can get out. And just because you don’t want to get out doesn’t mean you’re not missing out on something.
I think when my MacBook Pro dies I’ll get myself a quadcore (or whatever is trendy at the time) desktop and run linux on it. I will also get an iPad. I like apple, I really really do but I’m not sure I want to play the commitment game any longer.
01.28
It’s really hard to be roommates with people if your suitcases are much better than theirs.
-J. D. Salinger
01.28
I had heard of Matthew Weigman a few years ago, but nothing as in depth as this article on Rolling Stone Magazine by David Kushner. A great read.
01.27
To be nobody but yourself in a world which is doing its best, night and day, to make you like everybody else means to fight the hardest battle which any human being can fight; and never stop fighting.
- E. E. Cummings
01.04
I’ve been crafting a post on better passwords and it’s been sitting in the drafts folder for far too long now, which usually means it will never get posted, but since Twitter decided to enforce password restrictions I feel I should dig parts of that old post out and rant a bit.
So Twitter recently decided that there are a few passwords people just shouldn’t use, and while they are right, I have a couple of issues that make me itch a bit:
A few passwords. That’s right, not a comprehensive list of passwords by any means. After a quick look at the list I have to agree that if I were doing a penetration test, brute forcing user passwords with the list Twitter finds unacceptable would (in all probability) provide some nice results; those really are common passwords, and I wonder where Twitter got them. Could they have compiled the list from the most used passwords in their own user database? Are they making my job that easy? A password policy enforced now will not affect the billions of users that registered previously.
So this leaves me with two options: I can either use that list to brute force a service, having a better chance of cracking old accounts, or I can grab that list and remove those entries from my dictionary file, making sure that the service’s list of bad passwords isn’t an option during the brute forcing. Which leads me to my second issue: how this whole thing was implemented. You can actually see the list simply by checking the page source at https://twitter.com/signup; here’s what it looks like:
//< ![CDATA[
twttr.BANNED_PASSWORDS = ["111111","11111111","112233","121212","123123","123456","1234567","12345678","131313","232323","654321","666666","696969","777777","7777777","8675309","987654","aaaaaa","abc123","abc123","abcdef","abgrtyu","access","access14","action","albert","alexis","amanda","amateur","andrea","andrew","angela","angels","animal","anthony","apollo","apples","arsenal","arthur","asdfgh","asdfgh","ashley","asshole","august","austin","badboy","bailey","banana","barney","baseball","batman","beaver","beavis","bigcock","bigdaddy","bigdick","bigdog","bigtits","birdie","bitches","biteme","blazer","blonde","blondes","blowjob","blowme","bond007","bonnie","booboo","booger","boomer","boston","brandon","brandy","braves","brazil","bronco","broncos","bulldog","buster","butter","butthead","calvin","camaro","cameron","canada","captain","carlos","carter","casper","charles","charlie","cheese","chelsea","chester","chicago","chicken","cocacola","coffee","college","compaq","computer","cookie","cooper","corvette","cowboy","cowboys","crystal","cumming","cumshot","dakota","dallas","daniel","danielle","debbie","dennis","diablo","diamond","doctor","doggie","dolphin","dolphins","donald","dragon","dreams","driver","eagle1","eagles","edward","einstein","erotic","extreme","falcon","fender","ferrari","firebird","fishing","florida","flower","flyers","football","forever","freddy","freedom","fucked","fucker","fucking","fuckme","fuckyou","gandalf","gateway","gators","gemini","george","giants","ginger","golden","golfer","gordon","gregory","guitar","gunner","hammer","hannah","hardcore","harley","heather","helpme","hentai","hockey","hooters","horney","hotdog","hunter","hunting","iceman","iloveyou","internet","iwantu","jackie","jackson","jaguar","jasmine","jasper","jennifer","jeremy","jessica","johnny","johnson","jordan","joseph","joshua","junior","justin","killer","knight","ladies","lakers","lauren","leather","legend","letmein","letmein","little","london","lovers","maddog","madison","maggie","m
agnum","marine","marlboro","martin","marvin","master","matrix","matthew","maverick","maxwell","melissa","member","mercedes","merlin","michael","michelle","mickey","midnight","miller","mistress","monica","monkey","monkey","monster","morgan","mother","mountain","muffin","murphy","mustang","naked","nascar","nathan","naughty","ncc1701","newyork","nicholas","nicole","nipple","nipples","oliver","orange","packers","panther","panties","parker","password","password","password1","password12","password123","patrick","peaches","peanut","pepper","phantom","phoenix","player","please","pookie","porsche","prince","princess","private","purple","pussies","qazwsx","qwerty","qwertyui","rabbit","rachel","racing","raiders","rainbow","ranger","rangers","rebecca","redskins","redsox","redwings","richard","robert","rocket","rosebud","runner","rush2112","russia","samantha","sammy","samson","sandra","saturn","scooby","scooter","scorpio","scorpion","secret","sexsex","shadow","shannon","shaved","sierra","silver","skippy","slayer","smokey","snoopy","soccer","sophie","spanky","sparky","spider","squirt","srinivas","startrek","starwars","steelers","steven","sticky","stupid","success","suckit","summer","sunshine","superman","surfer","swimming","sydney","taylor","tennis","teresa","tester","testing","theman","thomas","thunder","thx1138","tiffany","tigers","tigger","tomcat","topgun","toyota","travis","trouble","trustno1","tucker","turtle","twitter","united","vagina","victor","victoria","viking","voodoo","voyager","walter","warrior","welcome","whatever","william","willie","wilson","winner","winston","winter","wizard","xavier","xxxxxx","xxxxxxxx","yamaha","yankee","yankees","yellow","zxcvbn","zxcvbnm","zzzzzz"];
page.controller_name = 'AccountController';
page.action_name = 'new';
twttr.form_authenticity_token = '71a074c2881258ce889d6ce7c47d26e527811612';
// FIXME: Reconcile with the kinds on the Status model.
twttr.statusKinds = {
UPDATE: 1,
SHARE: 2
};
twttr.ListPerUserLimit = 20;
//]]>
Well shouldn’t that be hidden somewhere?
Now this post isn’t really about Twitter, but about password restrictions and enforcing said restrictions. Twitter will be much more prone to XSS attacks than to brute force attacks (the reCAPTCHA after a few failed attempts complicates the whole process).
The list should be not only a bit more comprehensive but less arbitrary as well: how is “zzzzzz” unacceptable, but if you add another z it’s OK? Even more interesting (and this is what makes me think that Twitter fetched this list from their own servers): “xxxxxx” and “xxxxxxxx”… 6 and 8 x’s are not OK, but 7 x’s is just fine.
On a side note: why is “abc123” listed twice in a row?
There are obvious places where a “good enough” password list is publicly available. If these systems are to be implemented on the web, you should perhaps use those lists and not some arbitrary or obviously sub-par password list.
Password policies are a trade-off between security and usability. There are a few ways around that, but that’s another ring of punishment in Dante’s Inferno. I fully support password restrictions on websites; actually, password restrictions should be everywhere and they should be more than a list, they should be smart (can you use your year of birth as your ATM PIN? Exactly!).
Passwords are hard and people are lazy. Not only lazy, but they play down their role in a corporation and think their Facebook account being hacked would be a nuisance but nothing really serious.
Sadly for the most part IT security starts and ends with passwords. Whether you are in your cube logging on to the backoffice, at home logging in to the VPN, the system administrator elevating his privileges to super user or the hacker brute forcing a corporate pop3 server.
There are a lot of misconceptions about passwords. The biggest and most dangerous one is that your password “doesn’t matter” because you are just the brand new junior accountant and you are not really doing any real work; usually the idea is that your privileges are so low in the corporation that even if anyone did get your password they couldn’t do anything very disruptive with it.
Wrong.
Every password matters, and it matters a lot. Logging in with a regular user account can be the first victory for a hacker. After that it’s all a matter of time until one can find, or even develop, an exploit that will elevate the user’s privileges to something more useful in practical terms. A regular user account also has access to services that could potentially be exploited (just because the regular user can’t even begin to imagine how to do it doesn’t mean someone else can’t), like a database, a web form, your email server, etc.
Another misconception is what constitutes a good password. While researching for this post I was shocked to see that both huge corporations and casual internet users have a poor grasp of what a good password is.
Let’s start with the casual internet user. Here’s a link to Yahoo Answers where someone asked what a good password would be. Notice the “best” answer. Shocking stuff:
Numbers and letters definitely. Maybe your birth year, part of your last name, pet’s name, and a part of your telephone number. Make it so that no one else in the world could figure it out in a logical way.
All the examples given? Bad, bad, terrible passwords. And that last sentence just contradicts the given examples: there’s nothing more logical than a password that correlates to the user’s life. The remaining answers are just as appalling.
Now let’s see what the nice people of Redmond have to say about it. Here’s an excerpt:
The easiest way to remember your passwords is to write them down. It is OK to write passwords down, but keep them secret so they remain secure and effective.
Sounds silly? It is. But it comes after they explain what a good password is to them, and even though they state that a good password should be easy to remember but hard to guess, the truth is that using their method you will never really remember more than 2 or 3 passwords. Also, their example password is ridiculously small for this day and age (more on that coming right up).
Okay, so what’s a good password and a good password policy?
Make them long. 6 or 8 character passwords are history. You would be awestruck by how quickly a 6 or 8 character password is cracked with simple scripts that leverage the good ol’ trial and error technique. Remember that computers are getting faster, connections are also getting faster, and thus the speed at which you can crack a password increases in step with the processing power that becomes available.
Right now, using a technique called rainbow tables, you can rather quickly crack any password (we’re not talking about brute force any more) up to 14 characters in length.
A solid password policy isn’t easy to maintain. In your place of work your system administrator can implement and even enforce that your password cannot contain any of your personal data (names, dates, addresses), that it must contain at least 6 characters, upper and lower case, that it has to be alphanumeric and that it has to be changed every 30 days. I can assure you, as someone who has worked with rather large corporations, that people tend to notice that every 30 days something inevitably changes, and you end up with a worrisome number of accounts with the password November2009. And next month? Want to guess what those will be changed to?
And as someone who worked very closely with users I can tell you that this is a habit nurtured as soon as new people join the ranks, try to create a new password and have trouble creating a valid one. At the first exclamation of “Argh, I can’t think of anything” the nice co-worker next to him or her will supply the formula.
There is really no silver bullet when it comes to password policy. It’s more about raising awareness regarding weak passwords than anything else.
If your password policy is too restrictive it will make tricks like the one described more common; if it’s non-existent, the password will be the same as the username in most cases.
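As an added example (not from the original post, and not Twitter’s code) of the “smart” policy argued for above: a server-side check in Python that applies a minimum length beyond the 14-character reach of rainbow tables, a banned list that rejects a single repeated character at any length, the month-plus-year habit, the username, and the user’s own personal data. The banned set is a constructed subset of the list quoted above, and the 15-character threshold is my own choice.

```python
import re

# Constructed subset of the twttr.BANNED_PASSWORDS list quoted above; a real
# deployment would load the full list. Keeping it in a set also drops the
# duplicate "abc123" entry the post points out.
BANNED = {
    "111111", "123456", "12345678", "abc123", "letmein", "monkey",
    "password", "password1", "password123", "qwerty", "trustno1",
    "twitter", "xxxxxx", "xxxxxxxx", "zzzzzz",
}

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# The post puts rainbow tables at 14 characters, so the minimum is set one
# above that. The exact threshold is my choice, not a figure from the post.
MIN_LENGTH = 15

MONTH_YEAR = re.compile(r"^(%s)[ _.-]?(19|20)\d{2}$" % "|".join(MONTHS))
SINGLE_CHAR_RUN = re.compile(r"^(.)\1+$")


def is_banned(pw):
    """True if pw is on the list or is a trivial variation of a listed entry.

    The raw list rejects "zzzzzz" but accepts "zzzzzzz"; here any password made
    of one repeated character is banned regardless of length, and a listed word
    followed by digits ("password12345") counts as the listed word.
    """
    low = pw.lower()
    if low in BANNED or SINGLE_CHAR_RUN.match(low):
        return True
    stripped = low.rstrip("0123456789")
    return bool(stripped) and stripped in BANNED


def check_password(pw, username="", personal=()):
    """Return the reasons a password fails the policy (empty list = accepted).

    `personal` holds strings the user gave elsewhere (birth year, surname,
    phone fragment) that must not appear in the password.
    """
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if is_banned(pw):
        problems.append("common password or trivial variation of one")
    if MONTH_YEAR.match(low):
        problems.append("month-plus-year pattern (the 'November2009' habit)")
    if username and username.lower() in low:
        problems.append("contains the username")
    for item in personal:
        item = str(item).lower()
        if len(item) >= 3 and item in low:
            problems.append("contains personal data: %s" % item)
    return problems


if __name__ == "__main__":
    # Candidates taken from the post's own examples plus the 7-z case.
    for candidate in ("zzzzzzz", "November2009", "password12345",
                      "R(z?10AIgoogle", "R(z?10AIthinkgeek"):
        print("%-20s %s" % (candidate, check_password(candidate) or "OK"))
```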
I can’t for the life of me understand why password managers have yet to become part of corporate password security policy.
Password managers are a big help, since they will create, store and retrieve your passwords. A manager can create passwords of significant complexity for you, and you will only have to remember one password: the one that unlocks all the others. The downside of using a password manager is simply the fact that the passwords will be stored on your computer, and if you try to access something from work or a friend’s computer you might find yourself forced to reset the password to access the service. Some password managers have a mobile counterpart (the one I use has an iPhone version, so my passwords are always with me, still encrypted and still stored behind a huge password).
Personally I can’t understand people who have “trust issues” with password managers. I for one prefer to have my 36 unique passwords look something like this, ~sc1Q<<$r?ipg9DSiK, than to have 36 identical passwords (even if they look like that).
“Trust issues” come from not researching the application you use and/or not understanding how it works under the hood.
You are not forced to use password managers to have unique and complex passwords; you can use several tricks to create strong and unique passwords for all the services you use. One thing you can do is choose one password that is complex (it doesn’t even need to be that long), for example R(z?10AI. Now you can use the service name as a suffix or prefix to that password, for example:
- R(z?10AIgoogle
- R(z?10AItwitter
- R(z?10AItalkbass
- R(z?10AIthinkgeek
Look at that: 4 unique passwords, and the shortest one is 14 characters long. Not too bad. Also, pretty easy to remember, right?
Want to raise the bar a bit? How about using the URL as part of the password?
- http://forums.freebsd.org/R(z?10AI
- http://www.thinkgeek.com/R(z?10AI
- http://www.google.com/R(z?10AI
- http://www.linkedin.com/R(z?10AI
And there you go. Pretty memorable and moderately safe passwords. The smallest one? 30 characters.
I could look at those passwords with some cynicism and say that there is a logic behind them and thus they would be guessable. Sure I could, but I still believe those examples beat by a long mile whatever the 96% of users that don’t use a password manager are using right now. This will not prevent an attacker from guessing all the other passwords once they get one of them, but it sure as hell will make someone’s life much harder when cracking that first one. What you accomplish here is that you render dictionary attacks nearly useless due to the time it would take to crack that password, and rainbow tables are also out of the question since all passwords are over 14 characters.
Another important thing regarding passwords these days is the “password reminder question”, which is usually something as simple (and googleable) as “what’s your mother’s maiden name” or “what was your first car”. My advice? Lie consistently. Want some better advice? Use another password as the answer to that question; if that is too much of a hassle, answer that question with something unrelated. What’s my mother’s maiden name? I Love Strawberry Smoothies.
12.08
So this article was brought to my attention.
If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place – Eric Schmidt.
Interesting. So God forbid I ever catch an STD, because I might be tempted to google it. Maybe the Patriot Act doesn’t cover venereal diseases, which is fine, but then again I can put on the tin foil hat and pretend that they do. (Ssssh, they really really do!)
And maybe people shouldn’t be using google documents for business purposes, or even personal purposes for that matter. Hell, Eric Schmidt himself tells me I shouldn’t!
On top of everything else, Google came out with public DNS services this past week. I enjoyed the usual echo chamber effect of people running their own DNS test shoot-outs as if they were the only people on the internet sending requests to those DNS servers (and God forbid they’d flush the DNS cache between tests). A few chuckles later, and after about the same number of meaningless comparison tables, 9 out of 10 bloggers state that it’s not any faster than any other DNS server; in some cases it’s actually a bit worse.
I for one think that those are good DNS IPs to use, and I especially appreciate not waiting another second for my DNS server to figure out where analytics.google.com is every time I visit a bloody site (including the aforementioned bloggers’ sites).
Now, I know that this isn’t a very clear post. On one hand one grows weary of Google for stating that our data is in all probability being processed, parsed, fondled and laughed at and then handed to nameless authority figures that can raid our house based on some random past mistake, and on the other hand they are giving us all this free stuff, right?
/me puts on the tin foil hat again (was it ever off?)
Trojan horses come in many forms, but one very common element of the trojan horse is that it’s free and alluring. You gotta love Google, I mean… they seriously liberated the internet in a lot of ways, from copious amounts of email storage to video and image search to maps, logged location tracking, perpetual user history… wait, what?
I think I use pretty much every google service out there, and I do so for the same reason I’m primarily a mac user: I’m a lazy bastard, and I’m addicted to the sense of productivity these things deliver.
Sure, I could use other services and even minimize the services I use, and I know I’d end up in a Stallman-ian paradox of having my own email and DNS server; after everyone has decent internet connections I’d constantly use Tor and I’d eventually throw the Mac away and get off-the-shelf parts for my octa-core Linux box with real-time hard drive encryption. I could delete my Facebook, my Twitter and my blog, I could make sure I KNOW everyone on my LinkedIn account and never accept candy from strangers, but again, I’m lazy and I’ve grown fond of human interaction (where’s my long gone teen angst when I need it?).
This whole thing reminded me of a video I watched some time ago about how you should never talk to the police unless you have legal representation. If data about me is handed to the authorities it’s a lot like me talking to them *without* legal representation.
I do care that “my” data is being handed on a golden platter to the authorities; it’s not a question of anonymity but rather a question of privacy. And “my” in quotes because I realize it’s not my data, it’s Google’s, it just happens to be data about *me*.
Data “ownership” is a messy thing, and I also believe people often forget that encryption is no guarantee of privacy and that it holds no legal value (if I’m wrong about this, please do correct me). Giving data away to a service is even less than that, since there can be no realistic expectation as to how data is kept in every phase of data processing and eventual storage.
12.02
So a few months back I decided to invest in a penetration testing certification. Of all the certs available, Offensive Security’s OSCP seemed the safest bet in terms of acquiring knowledge, but right now it seems to lack market recognition. People are still asking for EC-Council’s Certified Ethical Hacker in most job postings regarding security.
Comparing the two side by side there’s no question which one will prepare you better for what the future might hold, and I for one predict a shift in the near future regarding the OSCP’s market credibility. Another serious player in the security certs game is SANS; I wandered away from any SANS certification on the basis of cost alone. While it would be fantastic to have a GPEN from SANS, I just can’t justify the investment right now.
So I went with OSCP.
The course consists of written documentation and videos, both of very acceptable quality, and I personally think that CBT Nuggets could take a few pointers from Offensive Security when it comes to keeping your viewers engaged. There is also access to a VPN where you’ll have access to a decent number of servers (several platforms and flavors) and an XP workstation that will be used not only to explore commercial vulnerability assessment tools (namely Core Impact) but also to develop win32 exploits.
The course builds on BackTrack for all of its exercises. I personally used BackTrack 3 for all the exercises and most of the exam, but I met a lot of people who did all of it with BackTrack 4 beta running in a VM. During the exam I actually switched from the physical computer with BT3 to a VM under Fusion with BT4 a few times, taking advantage of the updated tools and some new tools not included in BT3.
Everything is very well planned out; skipping chapters is not a bright idea. It starts slow with something as simple as configuring your NIC in BackTrack and ends talking about rootkits and XSS attacks, after a journey through buffer overflows, SSH tunneling and SQL injection.
I would advise anyone taking up this cert to brush up on his/her Python skills. Even though their site states that it’s not required, it sure helps if you intend to finish the course within the 30 or 60 day time frame. I would say that you don’t need that much programming skill to pass this course, but you do need to understand what is happening when you look at source code (Perl, C, Python, Ruby…); rudimentary knowledge of programming principles is certainly a huge help.
So you spend a few weeks doing all these exercises and then comes the exam. The exam is a 24 hour long multiple-challenge affair: you are connected to another network via VPN where you have a certain number of servers and workstations, and you’ll receive documentation as to what the objectives are. Be prepared for a long night, frustration and despair. The challenges vary from what I gathered (as do the machines in the network), so there’s no saying what you’ll encounter, but from my experience I can say the exam is not a walk in the park by any means. You don’t necessarily need to get every machine in the exam; there are points associated with each challenge and they just need to sum up to a passing score.
I think it’s important to mention that you should consider this course self-study. I came across a few people who assumed that because there is a forum and an IRC channel there is some sort of guarantee of support if you can’t figure something out. Reality is: no. You can stop by the IRC channel and ask for help; you might get it or not. Same with the forums. I myself had some questions that went unanswered, and some exercises I didn’t finish as the documentation said I should. At the end of the day it’s about “whatever works”.
So is it worth doing? Yes, no question about it. It’s a fraction of the price of most courses out there and the sheer amount of information contained in the course material is staggering. The exercises make sure you know what you are doing; the exploit development makes sure you don’t come out of this course depending on precompiled exploits and easy hacks. A fantastic investment, even if having this cert does not give me any advantage in the job market when it comes to getting an interview.
Someone in the IRC channel said that “CEH might get you the job, but OSCP will certify that you keep your job”. I tend to agree.
11.18
Following Alcides’ post Unix in Scala I spent a few minutes doing the same with 9 lines of code using Lua and no $voodoo involved.
print("You have mail")
while true do
  io.stdout:write("$")
  local c1 = io.stdin:read()        -- one command per line; nil at end of input
  if not c1 then break              -- Ctrl-D: leave the loop instead of concatenating nil
  elseif c1 == "uname" then print("Lunix 0.1 (Lua)")
  else print("Command " .. c1 .. " not found.")
  end
end
Needless to say this is in no way serious; it’s just silliness like Songs in Code (which I failed to participate in, but eh… the night is young), and I’m sure that reducing Unix to three lines of interaction is going to offend a few people.
Lua came into play when I felt the need to change a few Nmap scripts to suit my needs. It’s been really fun working with it, even though it’s a bit hard to find good documentation about it on the web. Which reminds me… my Amazon wishlist has one or two books on Lua. Hey, just saying…