July 4, 2010

7/4 The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS

1st Open Backdoor Hiding & Finding Contest to be held at DEFCON 0x12
July 3, 2010 at 9:23 AM
The CoreTex Team from Core Security is happy to announce the *1st Open Backdoor Hiding & Finding Contest* to be held at DEFCON 0x12 this year!

Hiding a backdoor in open source code that will be subjected to the scrutiny of security auditors by the hundredths may not be an easy task. Positively and unequivocally identifying a cleverly hidden backdoor may be extremely difficult as well.

But doing both things at DEFCON 0x12 could be a lot of fun!

If you liked to read about the exploits of C. Auguste Dupin, the devious Minister D. or even the n00b Prefect Monsieur G. [*] here's a chance to role-play all of them at DEFCON using your favorite coding and code auditing techniques.

Registration is now open at http://www.backdoorhiding.com

Questions, feedback, comments and general discussion at: https://forum.defcon.org/forumdisplay.php?f=520

Here are the details:

Quick intro

Two in one Backdoor Hiding/Finding Contest (participate in either or both): In the first stage, hiding participants provide a source code hiding a backdoor, in the second stage organizers mix the source codes with non-backdoored (placebos), and then ask finding participants to spot the placebos. Hiding participants get hiding points for being voted as a placebo and finding participants get points for spotting the placebos and negative points for false positives.

Contest Description

The contest includes two games: a backdoor hiding and a backdoor finding contest which are played simultaneously. The contest will be played in two rounds: a qualification round that starts before the conference and ends during the conference, and a second (smaller and shorter) round during the conference. Each round is a multi-player game, which is played in two stages. The timeline is included below.

Prizes will be announced shortly. We will give prizes for all those that get to the qualification round and special prizes for the winners of each contest.

Qualification round

Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements plus includes a backdoor. They must also send a description explaining how to exploit the backdoor.

Stage 2 (finding): There is new time to register for the backdoor finding game. All players registered are given a bundle with the different pieces of source code. To each bundle the organizers will add a few placebos (source codes that fulfill the requirements but should not include a backdoor). Before a deadline, the players must answer for each source code if they believe it includes a backdoor or not.

The winners of each game are the ones that accumulate the most points. There is a table for computing points (which can be positive or negative) for the finding contest (X points if it was voted as backdoor and had a backdoor, Y points if it was voted as backdoor and hadn’t a backdoor, etc.).

For the hiding contest, it’s simpler: each time one player’s source code was voted as non-backdoored, the player is given 1 point. The first participants of the backdoor hiding contest with the most points qualify for the second round.

Same with the finding contest.

Final Round

Stage 1: We provide a source code in C/C++ and describe the requirements it fulfills to all the players. We then describe an additional requirement, and players must write a patch to this source code such that all of the requirements are fulfilled and a backdoor is hidden in the code. They must also provide an explanation on how to use the backdoor.

Stage 2: Again, the organizers will add a few patches/source codes that fulfill the requirements but do not have backdoors. A jury composed of the winners of the hiding contest (1st stage), a small set of well-known security experts and the players of stage 1 (round 2) have 3 hours to cast their votes for each source code if it hides or does not hide a backdoor. Points are computed according to the same strategy as in the first round.

The contest is not restricted to any particular programming language. However, it is part of the instructions that the “work” was commissioned by a government that needs this software and will audit it. Hence, most players will stay away from non-mainstream programming languages since the non-backdoored programs will most probably be developed in C, C++, etc.


-July 1, we open registration.
-July 19th, we open the 1st stage of the qualification round. Participants are allowed to register until before the July 29 deadline.
-Thursday July 29, 0hs, we stop receiving source codes. Registration for 2nd stage of the first round continues.
-Friday July 30th, 0hs, we open the 2nd stage of the qualification round: users are allowed to download the source code bundles; the site accepts votes (YES/NO)
-Saturday July 31st, 12hs, Registration and voting are closed. Shortly, we announce first round winners of the backdoor-hiding and backdoor-finding contests.
-Saturday July 31st, 16hs, we start the second (and final) round which will last less than two hours. Players have some time to write a patch for a given source code and include a backdoor.
-Saturday July 31st, 17:30hs, The eminence jury members (3-5 members, TBD), winners of the backdoor-hiding qualification round and the winners of the backdoor-finding qualification round are allowed to vote for the final round winner. They have 30 minutes.
-Sunday 1, 14hs. Winners are announced and prizes delivered in the DefCon Awards Ceremony.

Register now, have fun and see you at DEFCON-0x12 !

[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from the 1845 tale "The Purloined Letter" by Edgar Allan Poe
ariel, andres, Damian Saura, futo, ivan & pedro

The CoreTex team at Core Security Technologies

December 27, 2009

12/26 The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS

I just saw this in my RSS feed and thought I would pass it along.  I have never been to CarolinaCon, but I have heard mostly good things about it and I am sure it would be a great opportunity for anyone looking to give presentations about hacking. 

CarolinaCon Call for Paper
December 25, 2009 at 12:53 pm

CarolinaCon is now accepting speaker/paper/demo submissions for its 6th annual event in March 2010!!!

What is this "CarolinaCon"?

CarolinaCon is an annual Technology Conference whose mission/purpose is to:

- Enhance local and global awareness of current technology issues and developments,

- Provide affordable technology education sessions to the unwashed masses,

- Deliver varied/informative/interesting presentations on a wide variety  of InfoSec/hacking/technology/science topics, and
- Mix in enough entertainment and side contests/challenges to make for a truly fun event

When/Where is CarolinaCon?

This year's event will be held on the weekend of March 19th-21st, 2010.

The event will mostly occur at a Holiday Inn in Raleigh, NC.  Raleigh is about 30 minutes from Durham, Chapel Hill, and Research Triangle Park.

Who develops/delivers CarolinaCon?

CarolinaCon is proudly brought to you by "The CarolinaCon Group". 

The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and  information rights.

The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY.  Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

What events will be at CarolinaCon?

CarolinaCon is mainly about the talks/presentations/demos.  Alongside of those we'll surely have several other technology-related contests/challenges, as we've had in past years.  Details on other events will be announced soon.

Who will be presenting which topics this year?

That's where YOU possibly come in.  If you are somewhat knowledgeable in some interesting field of technology, hacking, science, etc., and are interested in speaking/presenting at CarolinaCon, we invite you to submit your proposal (in brief) for our review.  If you're interested in presenting please send;

- your name or handle,
- the topic/presentation name,
- estimated time-length of presentation, and
- a brief topic abstract
....via e-mail to:
speakers carolinacon.org


All submissions are due BY January 29, 2010!  Please be timely in submission if you're committed to being part of the elite cadre of presenters.  We value diversity, so please don't hesitate to propose
your ideas no matter how outlandish.

If you speak at the Con, you will receive;

- free Con admission for you and one guest,
- a free Con t-shirt,
- minimal fame, glory, and possibly notoriety, and
- mad props from our staff and attendees

I'm excited and I want to present!  What do I do know?

If you're interested in speaking, send the 411 requested to:
speakers carolinacon.org
(BY/BEFORE January 29th 2010)

And if you're interested in attending, watch this space for more details:


...and don't forget to mark the dates on your calendar!



December 20, 2009

Hacker Shows

As internet connections become faster, video cameras become cheaper, and streaming video sites go even more mainstream a growing number of people are turning to the internet to broadcast low budget shows.  Unlike television, where budgets for even a news broadcast run in the thousands of dollars, these low cost shows usually cost well under 1000 dollars an episode (some costing nothing at all).  Due to these low costs it is now possible for many more niche shows to be created, one of these niches being hacker shows. 
Two of my favorite hacker shows would have to be Hak5 and The Hacker News Network.  Hak5 is a show based on the technical side of hacking.  Not all of the hacks will be things which you're interested in doing, but many of them are pretty cool, and cost nothing to try out, such as installing Doom on a zipit (zipits cost 50 dollars by the way), installing an operating system onto a USB, or rooting a droid. 

Hacker News Network is a show based more on computer security.  Reporting on topics such as arrests in the scene, new exploits (they don't show you how to use them), the spread of worms, viruses and trojans, and the inefficiency of the computer security sector in general.   

If anyone reading this knows of any other good hacker shows feel free to post a link in the comments section of this article.  I am always looking for better ways to waste my time, learning is just a byproduct.    

December 12, 2009


     Yesterday as I was surfing the internet I stumbled upon a forum used mainly by blackhats to discuss the newest methods in profiting via websites and blogs.  Many of these methods I have know about for a long time, such as cookie stuffing, spamming forums, fake traffic, etc.  One method which caught me by surprise was autoblogging (there were others by the way). 

     Autoblogging is basically using a RSS feed to publish content from one blog onto a different blog.  The whole process is automated meaning after set up, assuming you set it up right, a blog will be provided with quality articles and cost the operator nothing in time or money.   Used correctly autoblogging seems like an easy way to inhance your blog, while promoting another bloggers blog. The problem is a lot of blackhats have taken to finding a nitch markets, setting up an autoblogger, using blackhat tactics to promote their blog, and then moving on to create another blog.  Usually these blogs, due to the ways they are promoted, will recieve more traffic then the blogs whose articles they are using, and often times they provide very few, if any, links to the blogs which they recieve there articles from. 

     After read up on autoblogging and hearing about the hundereds of dollars per day blackhats make using it I decided to try it out for myself.  First however I wanted to lay down a few ground rules for myself.  The first being that autoblogging would not be used to supply my blogs with 100% of their content.  Secondly any autoblogging which was done would have some sort of link back to the blog which I got the articles from and finally I decided that I would not use everything which was gotten from other blogs RSS feeds.  With these rules in place I feel I can consinously use autoblogging to add content to my blog, and at the same time supply other blogs with more viewers.  Legality wise there have been no copyright cases involving autoblogging, so I decided to just accept the general consenus that it is legal (even in many of the cases where autoblogging supplies a site with 100% of the content).

     Once you have figured out how you feel morally about autoblogging it is time to get down to business.

First:  Start a blog on blogger.com (This method of autoblogging is blogger based).

Second:  Go to the settings section on blogger, then look under Email & Mobile for the Posting Options.  Once you're here enter your secret word (this is to make sure no one can spam you site with articles).  Next select when you want your e-mails to be published, you can either do it right when they are recieved or they can be saved as drafts which you can post, by hand, later.  I decided to send everything to my drafts section, because this allows me to publish only the articles I feel apply to my readers.

Third:  Find the blog which you want to get your articles from, and then use a service like Feed My Inbox to e-mail the blog to your e-mail.

Fourth:  Set up your e-mail to forward any messages from Feed My Inbox to your blogger address and your ready to go.


December 9, 2009

The Hacker Manifesto

     The Hacker Manifesto is a piece of hacker litature which has influenced generations of hackers.  I stumbled upon it back in the late 90s when I was first starting to get into hacking.  Back then The Hacker Manifesto described me perfectly.  Reading this manifesto was my moment of clarity, the point at which I relized that the hacking community was where I belonged.
     It has been roughly 10 years since I began hacking, and I no longer walk the halls of my junior high or high school, but the overall message of the manifesto still applies.  If you have not stumbled upon The Hacker Manifesto I would like to introduce you to one of the greatest peices of hacker litature in existance, enjoy!

The Hacker Manifesto
by +++The Mentor+++
Written January 8, 1986

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.