Thursday, August 19, 2010

Eric Schmidt: "I think people want google to tell them how to live their lives"

Eric Schmidt sure had some interesting things to say today....

"In an interview Mr Schmidt said he believed that every young person will one day be allowed to change their name to distance themselves from embarrassing photographs and material stored on their friends' social media sites." -- Murray Wardrop , Telegraph

"We're trying to figure out what the future of search is, one idea is that more and more searches are done on your behalf without you needing to type." -- Eric Schmidt, Google Chairman & CEO

"I actually think most people don't want Google to answer their questions. They want Google to tell them what they should be doing next." -- Eric Schmidt, Google Chairman & CEO

"He suggested, as an example, that because Google would know “roughly who you are, roughly what you care about, roughly who your friends are”, it could remind users what groceries they needed to buy when passing a shop." -- Murray Wardrop, Telegraph

I'm sure Google's PR team is banging their head against the wall on this one. I was even reluctant to repost this because I'm sure comments are flying everywhere. Its rather scary to hear this blatant disregard for privacy concerns when you remember that Google has recently teamed up with the NSA.

I'll be the first to admit that I haven't cared enough about my privacy to discontinue the use of all Google products, but I think Eric has made his intentions fairly clear in this interview. Google does not care about your privacy, and frankly if you don't like it you should change your name and you may miss out on Google telling you when and what to think and more importantly buy.

Google's primary line of business is advertising, and frankly their really isn't any single competitor that can provide quality alternatives to their current service porfolio. That said, I dont see Googles position in the market place shifting anytime soon. We'll continue to use it and they'll continue to analyze and share our data.

From a Privacy perspective we get sick thinking about this, but frankly I think most people are in the "I don't like it but I can't stop using them" camp. Personally I try to mitigate potential damage to my future professional reputation by releasing everything under a Pen Name. The goal is simply to avoid the potential effect my current naive viewpoints and public photographs will have on future professional engagements. However most Google users are unaware that information is collected, and our younger generation has shown blatant disregard for personal privacy on many fronts.

I'm really interested to see where this wave of personal openness and lack of privacy takes us as a society. The internet globally connected my generation and I think by and large many netcitizens live in a world without international borders, a world where you are judged by your personality and knowledge over your skin tone and accent.

Personally I don't think these kids will actually need to change their names. What we're experiencing here is a changing of guard, the previous generation was lucky enough to leave what happened the summer of 1969 behind. Their children got to burn all of the pictures of themselves with big hair, and pink sweat bands. Perhaps the coming generation will just stop trying to pretend they were never wild, and it will become professionally be acceptable to be something more then Generic Cube Occupant 32A.


Consumer Devices and Electomagnetic Radiation

Today I'm a little frustrated by more then a few negative mentions of the Ontario parents who are pressuring their school district to discontinue the use of WiFi. Theres nothing particularly new going on, some local community's across the world have been fighting the deployment of cell phone towers and even wired published a piece about the effects of WiFi in 2006

Everyones entitled to their opinion, however I find the "WiFi is awesome, these parents are nuts" groupthink a little disturbing. Considering the combined knowledge across various hacker communities I'm somewhat disappointed by the lack of serious consideration.

First and foremost, I'd like to see WiFi, Cellphones, Microwaves, and other specific RF implementations dropped from these debates. I think the real question on the table is: What affect (if any) does the electromagnetic radiation being produced by prolific consumer devices have on the human body

America's FCC FAQ states:
At relatively low levels of exposure to RF radiation, i.e., levels lower than those that would produce significant heating; the evidence for production of harmful biological effects is ambiguous and unproven. Such effects, if they exist, have been referred to as "non-thermal" effects. A number of reports have appeared in the scientific literature describing the observation of a range of biological effects resulting from exposure to low-levels of RF energy. However, in most cases, further experimental research has been unable to reproduce these effects. Furthermore, since much of the research is not done on whole bodies (in vivo), there has been no determination that such effects constitute a human health hazard. It is generally agreed that further research is needed to determine the generality of such effects and their possible relevance, if any, to human health.

I think thats a fair response considering the current state of research in this space, however if we remove the political slant and legal ease we're left with "Maybe, we're not sure at this time".

In this particular case it may be in the Ontario school districts best interest, to review any records of the school nurse keeps to determine patterns. A good test would be to compare the number of reported symptoms to those of previous years and investigate the possibility that the children may be inadvertently being rewarded for reporting these symptoms (ie. going home early, getting out of gym, or class).

At the same time its common knowledge that RF causes interference to electrical devices. Considering our nervous system is also an electrical system, I think its foolish to completely discount the reported symptoms as unrelated.

If the brain was receiving unfiltered mild electrical interference, headaches and nausea would reasonable symptoms. In that case, there are probably no real long term health effects. However we also need to consider the effect electrical interference could potentially have on the developing brain. Obviously all of this is speculative, but I see real value in seeing this research come to pass. Comparing WiFi and cellular rollouts in epidemiology studies, and double blind testing inside a Faraday cage could help.

All in all, society has every right to be suspicious of the proliferation of wireless networks. Theres nothing wrong with the intuitive wisdom that rejects things that are too good to be true, because history has shown that every technological advancement comes with its price.


Wednesday, August 18, 2010

From the Vaults: HackedPHPBB

Some of you may remember an incident that occurred in January of 2009, where a hacker posted a blog detailing the compromise of the open source project phpbb's website ( and claiming responsibility.

After a week or two of concentrated attention by the infosec community and a rebuttal post by the website maintainers, I decided to track down "Hacked PHPBB(DOT)COM" for an anonymous IRC interview that I had planned to use on the ChromedPork podcast.

My intent in conducting this particular interview was to understand the motivations of a malicious attacker in the wild. However I ultimately decided to delay release of the material to avoid satisfying anyones attention seeking behavior.

The hackers original blog has officially been removed, you can still find a short write up and zip containing the original blog content at:


<multimode> Ok so I'll just jump right into the good stuff... So on your blog you claim to have owned, have any of the 413 comments changed your opinion on the attack? If so how?
<HackedPHPBB> I knew that 99% of the posts were going to be, you suck, I hate you, blah blah. I thank the people that actually put some thought towards their posts. I do kinda regret releasing the phone numbers for the staff. But I got wrapped up in releasing everything I didnt really think, I just uploaded all the text files I had in my folder.

<multimode> Did the staff end up getting phone mobbed by the pla or something?
<HackedPHPBB> I havent received any response from the staff, other than marshal asking for my name and address. So I do not know if they are getting phone bombed.

<multimode> Why do you think I set up this interview with you?
<HackedPHPBB> To track me Mr FBI man?
<multimode> Nah the only FBI i'm part of has to do with free beer initiatives
<HackedPHPBB> Lol to try getting some insight into a strange, screwed up, "little teenaged boy living in his mom's basement, whacking off to gay porn" as a post stated?

<multimode> Today you updated your blog stating boredom as the motivation, not enough hot chicks to chase around?
<HackedPHPBB> boredom, the "big factor" of a site, the thought maybe i could find the next security patch and see if there was an exploit they knew about, that i could exploit on other forums. or see if i could change a file in an upcoming patch to include "miscreant was here"

<multimode> What made you choose to disclose the attack publicly?
<HackedPHPBB> There's always hot chicks around, they are nice to look at. I go for the bottom feeders, that way i can only move up.
<HackedPHPBB> if i had just told the admins, they would have patched and nothing would have come from it. no props, no thank you. so i decided why not release it publicly with out a name, so its known to all but i still get no credit.

<multimode> Comments on your blog are mostly "oh no pwn'ed us!", How do you feel about those people?
<HackedPHPBB> Well at first I had the blog restricted, so you needed an account, and I don’t think any posts were made. So I allowed anyone to post, knowing that hundreds of retards would be posting, just like on the area 51 threads, about retarded shit. So I could careless, I know the stereotype they think I am, but am a lot further away from what they could possibly imagine.

<multimode> Some people say that hackers tend to get caught from inexperience, How long have you been hacking?
<HackedPHPBB> Since 2000 id say, back on my jerry rigged apple system stolen from the school's dumpster

<multimode> So far what has been your most interesting target?
<HackedPHPBB> And on getting caught, I wont. Knowing how big the site was, i covered my tracks, throw away NIC, stolen WIFI, different location than where I live. Proxies, fake emails. Wiping of hard drives. Deleting of all evidence.
<HackedPHPBB> I have comprimised several servers, (some still dont know) but they are all no named. I have created several incidents, a different hacking method which i wont go into detail, that has indirectly shut down a very large gaming community site, and another community site.

<multimode> Aside from attacking web servers what other kind of hacking do you do?
<HackedPHPBB> Web security is mainly what I do, i attend 2600 meetings from time to time, gone to them in 12 states and 4 countries so far. i helped a friend hack together a finger print keyless entry system for his house, a couple of years back. i do some wifi hacking from time to time.

<multimode> Do you listen to security podcasts? Which ones and why or why not?
<HackedPHPBB> I do not get a chance too, but i read up on news sites and forums.

<multimode> How do you feel about the "security" community?
<HackedPHPBB> I feel that it, like the world in general, have it's left and its right. And 9/10 they refuse to see it in the eyes of the other.
<HackedPHPBB> If you find something, you have to worry about reporting it and getting jailed for "hacking". If you exploit it you get jailed for hacking. If you report it and nothing happens, you get pissed off. So after seeing how the other side deals with it, some times a little bit of a wake up call is in order.
<HackedPHPBB> For instance
<HackedPHPBB> When I saw kevin mitnick give a speech when he wrote his first book. There were 2 kinds of people there, suits and ties, government officals, and hackers with binary t-shirts. the ones that were there for the real reson
<HackedPHPBB> reason*

<multimode> Today on your blog you mentioned work, What do you do for your day job?
<HackedPHPBB> I work for a telecom company, as a technical advisor

<multimode> Essentially the initial attack used a 0 day, what could the target have done to better defend themselves?
<HackedPHPBB> When the date the patch was released, I was still cracking the 160,000 user accounts (that turned out to be 40,000 successful cracked), the dump of the email, and the password for phplist. So if the patch was applied, that is all that I would have walked away with. The day the site came down, is the day the dump occurred, as mysql dump would time out, were the phpbb suite wouldnt.
<HackedPHPBB> Well when browsing around it appeared they were trying to implement a svn for the running site. that way unless you had the permissions you could not modify anything. they also could have used seperate servers for the tasks at hand or subdomains to try and keep areas as seperated as possible. they could have relocated logs outside of the default path.

<multimode> Did you have prior relations with the target and did those relations motivate the attack?
<HackedPHPBB> no real relations, just one of those random facts that was stored in my head, that they were running phplist.

<multimode> Do you think that phpbb should be immune to attack because they "write good code" for free?
<HackedPHPBB> hell no
<HackedPHPBB> I think every site that leaves their system unprotected, a site that users trust them, deserves the same right as to get comprimised.

<multimode> Comments on your blog are mostly "oh no he pwn'ed us", How do you feel about those people?
<HackedPHPBB> It only teaches them a lesson, if you are going to trust other services instead of coding something yourself (laziness), you better patch your shit.
<HackedPHPBB> i mean phplist, they store their admin password in plain text in the mysql database

<multimode> How should they have gone about it?
<HackedPHPBB> made it themselves? shopped around? hardened code? used the forums to mail people?

<multimode> Reading the other comments one might come to the conclusion that you are a noob script kiddie, who kills kittens and hangs out on 4 chan. Anything to say to those people?
<HackedPHPBB> I used an exploit off milw0rm, so what? I found, not some scanner; I found the log files to include so code could be ran. I found the salt/hash. I found a way to include my avatar/uploaded files. Nothing was automated.
<HackedPHPBB> I used several tricks of the trade to achieve the hack, not just the LFI from phplist.
<HackedPHPBB> I have never killed a kitten, and the only reason i know about 4chan is because i was interested in the XSS worm that was released on the site.
<HackedPHPBB> but i havent been on the site since the post was released

<multimode> Your initial blog stated that you intended to sell the email address's , did you find a buyer yet?
<HackedPHPBB> i am not into the sale of email addresses, i just said that statement for laughs. i knew by releasing it to the public, that it wouldnt go for anything because people could get it for free.

<multimode> Having the data what made you decide not to sell it?
<HackedPHPBB> i dont have an account in the cayman islands, so i figured it wouldnt be safe
<HackedPHPBB> and i didnt want any sort of credit for doing what i did

<multimode> After being on the inside do you think people should use phpbb?
<HackedPHPBB> reason i never posted a name, or website to visit
<HackedPHPBB> I do. I dont believe in paying for software as is. their team is very dovoted. The admins seem like average joes that know what they are doing. Just because they didnt patch something, doesnt mean their software sucks.
<HackedPHPBB> for example kaspersky, got hacked, customer info downloaded, but people still use their product

<multimode> Did you have the opportunity to go the extra mile and insert your own code? Introduce vulnerabilities ect?
<HackedPHPBB> On the first blog, i was able to include any file, once i changed an admin's email i recovered the password, and logged in. I was able to edit the front page layout. And i wish i had taken a screen shot, but i had a shell script running on the main forum site layout
<HackedPHPBB> on the first blog i wrote*
<HackedPHPBB> Once i had an active shell that i could submit post request through, i was able to find a writeable directory

<multimode> Did that access allow you to modify any of the phpbb codebase?
<HackedPHPBB> and upload my on shell file, so i could do what ever i want from there.
<HackedPHPBB> no, the active stuff was read only, and some of it was running from the data base. all the upcoming stuff was in an offsite/domain svn

<multimode> How do you feel about the "ethical hacking"?
<HackedPHPBB> I feel its good to have people that do this, but I am sure many of them have crossed to the darkside out of frustration of being ignored.

<multimode> If someone wanted to offer you work as a pen tester how could they reach you?
<HackedPHPBB> I dont want any way of being contacted, keeps from people finding me :D
<HackedPHPBB> i also make enough money that i do not need outside income

Tuesday, August 17, 2010

Makeing Some Changes

I've removed some political content as we make the necessary changes to get back to where we started. Going forward we'll try to hold back our very jaded world views and get back to delivering new and juice technical content.

To answer a few of your emails, the future of the Chromedpork podcast is currently up in the air. The original cast is still very interested in producing new shows, however there is some debate about the format and our ability do deliver all original (quality) content on a regular basis.
