HackIt server nearly ready

I spent the last few days fine tuning the HackIt server I mentioned last week. After lots of thought on how I was going to punch holes into the security, I decided on a different approach. Since in the past contests I always found it fustrating to see people with high skills trying out stuff I would never have dreamed of, and in the end to get beaten by people who by sheer luck tried out the right thing at the right time … I decided to minimize the “luck” factor of the contest by not putting any holes in the server on purpose.

What I am going to do is not update any of the packages any more from now on. I’m doing an update right now as I post this, and from here on no more updates. There will also be no updates or changes to the RBAC system. The only changes I will be making to the box from now on, are if it breaks and needs to be fixed.
-> The box will be shamelessly neglected, waiting to be owned.

If nothing strange pops up tonight, I will be posting information about the contest tomorrow in the buha forum, here and a few other places …

Google Chrome Browser … buggy ;-)

That was fast,
first bugs are being found in the Google Chrome Browser that was released yesterday. This one here crashes the browser if it tries to access a specially crafted url (undefined handler followed by certain character). PoC and details can be found at
http://evilfingers.com/advisory/google_chrome_poc.php

Since it “only” crashes the browser, the only use that comes to mind would be to use it to filter out google browser users from websites by crashing them.

Mythbusters at NVISION 2008

I just saw this funny video. The Mythbusters go and compare how a CPU and how a GPU draw things. Considering it’s the Mythbusters, it’s not really surprising that they use robots and paintball to demonstrate. Here ist the video
httpv://www.youtube.com/watch?v=fKK933KK6Gg

The second part in high resolution:
httpvh://www.youtube.com/watch?v=FllMX9dFmWg

Hartknäckige Scriptkiddies

Seit gestern Abend versucht irgendein Scriptkiddie mein SSH zu Bruteforce’n. Das an sich ist eigentlich nichts erwähnenswertes da es zum täglichen Müll gehört (wie die Spammer die offene Mail Relays suchen) und eigentlich zum allgemein “Rauschen” im Internet gehört. Nach ein paar Fehlversuche landet bei mir die IP automatisch für eine gewisse Zeit auf eine Blackliste und wird per iptables gesperrt.

Was das ganze hier jedoch interssant macht ist die Hartknäckigkeit derjenigen. Die meisten Kiddies merken “ach mist, meine IP wird geblockt” und versuchen es vielleicht noch von eine 2. IP bevor sie aufgeben. Der hier jedoch hat wohl eine ganze menge an Zombie Rechner zur Verfügung weil er seit ein paar Stunden es schafft nach jeden IP Ban von einen neuen Host seinen Brute Force Attacke erneut zu starten. Jepp, ihr habt richtig gelesen, er führt sie nicht weiter, wo er aufgehört hat, sondern fängt jedesmal wieder von vorne an.

Ich gib ihn 8/10 Punkte für Ressourcen, 9/10 für Hartknäckigkeit und 2/10 Punkte für die Durchführung.

Programming follow up

I just noticed I never wrote a follow up about my script that periodically parses the official World of Warcraft statistics. Unsurprisingly I wrote a basic Web interface to access the stored data. Since I stopped actively playing Warcraft the project kinda faded off my “todo radar”. So it has been stuck on my development site for months -> http://dev.dopefish.de (not the only project stuck in development, my “Voice-Over-IP Audio Shoutbox” also grinded to a stop after I ran into a flash problem)

I’d say it is about 90% done, currently it monitors 450 guilds and more than 15.000 players each day. It works pretty good, better than I had hoped considering how unreliable the source of the data is. There are a few quirks left in the code that I will iron out the next week, then I will release it so that anyone interested in the code can use it. In retrospect it isn’t much more than a big Proof-of-Concept that can be useful for others planing on doing similar projects.