Hack a Day » hacker

Hacker Typer lets you turn jibberish into useless code

Mike Szczys — Thu, 28 Apr 2011 12:03:36 +0000

We generated the screen full of code seen above literally by bashing a hand on the keyboard repeatedly like a monkey. You know, just like how hackers are portrayed in the movies? Hacker Typer makes you look like you know what you’re doing even though you’re too lazy to do something real. It’s a pointless website that’s none-the-less worth a few moments of your time just for the sake of amusement. You’ll be greeted with a set of options. The first lets you decide what pre-determined text will appear as you type. The rest are for page title, foreground and background colors, and number of characters that will appear with each keystroke.

The default features start off with three characters generated for each keystroke, another annoying staple of Hollywood film making. Oh well, even movies that try really hard to get things right end up getting under the skin of someone. Case in point, the Linux shell readout from Tron Legacy.

[via The Presurfer]

Filed under: misc hacks

25C3: Hackers completely break SSL using 200 PS3s

Eliot — Tue, 30 Dec 2008 17:40:41 +0000

A team of security researchers and academics has broken a core piece of internet technology. They made their work public at the 25th Chaos Communication Congress in Berlin today. The team was able to create a rogue certificate authority and use it to issue valid SSL certificates for any site they want. The user would have no indication that their HTTPS connection was being monitored/modified.

This attack is possible because of a flaw in MD5. MD5 is a hashing algorithm; each unique file has a unique hash. In 2004, a team of Chinese researchers demonstrated creating two different files that had the same MD5 hash. In 2007, another team showed theoretical attacks that took advantage of these collisions. The team focused on SSL certificates signed with MD5 for their exploit.

The first step was doing some broad scans to see what certificate authorities (CA) were issuing MD5 signed certs. They collected 30K certs from Firefox trusted CAs. 9K of them were MD5 signed. 97% of those came from RapidSSL.

Having selected their target, the team needed to generate their rogue certificate to transfer the signature to. They employed the processing power of 200 Playstation 3s to get the job done. For this task, it’s the equivalent of 8000 standard CPU cores or $20K of Amazon EC2 time. The task takes ~1-2 days to calculate. The tricky part was knowing the content of the certificate that would be issued by RapidSSL. They needed to predict two variables: the serial number and the timestamp. RapidSSL’s serial numbers were all sequential. From testing, they knew that RapidSSL would always sign six seconds after the order was acknowledged. Knowing these two facts they were able to generate a certificate in advance and then purchase the exact certificate they wanted. They’d purchase certificates to advance the serial number and then buy on the exact time they calculated.

The cert was issued to their particular domain, but since they controlled the content, they changed the flags to make themselves an intermediate certificate authority. That gave them authority to issue any certificate they wanted. All of these ‘valid’ certs were signed using SHA-1.

If you set your clock back to before August 2004, you can try out their live demo site. This time is just a security measure for the example and this would work identically with a certificate that hasn’t expired. There’s a project site and a much more detailed writeup than this.

To fix this vulnerability, all CAs are now using SHA-1 for signing and Microsoft and Firefox will be blacklisting the team’s rogue CA in their browser products.

Posted in cons, security hacks

ToorCon preregistration ends today

Eliot — Fri, 12 Sep 2008 23:09:47 +0000

Preregistration for ToorCon San Diego ends today. The current price is $100 and it will be $140. This is the 10th year for the San Diego hacker convention which will happen September 26th – 28th. The schedule for ToorCon X has already been posted. We highly recommend this convention. We’ve attended the last four years and it’s always been a favorite.

Subway hacker speaks

Eliot — Mon, 25 Aug 2008 04:30:00 +0000

Popular Mechanics has an interview with [Zach Anderson], one of the MIT hackers that was temporarily gagged by the MBTA. The interview is essentially a timeline of the events that led up to the Defcon talk cancellation. [Zach] pointed out a great article by The Tech that covers the vulnerabilities. The mag stripe cards can be easily cloned. The students we’re also able to increase the value of the card by brute forcing the checksum. There are only 64 possible checksum values, so they made a card for each one. It’s not graceful, but it works. The card values aren’t encrypted and there isn’t an auditing system to check what values should be on the card either. The RFID cards use Mifare classic, which we know is broken. It was NXP, Mifare’s manufacturer, that tipped off the MBTA on the actual presentation.

New Discovery Channel show starring hackers

Kimberly Lau — Thu, 14 Aug 2008 19:20:00 +0000

A new Discovery Channel show titled Prototype This! will debut on October 15, 2008. Hoping to capture the same demographic as Mythbusters‘ audience, the show is about designing and creating robots, gadgets, and other things that nerds will love. Prototype This! is hosted by four wide-ranging experts: [Zoz Brooks], who’s got a PhD in robotics, [Mike North], who also has a PhD, in material sciences, [Terry Sandin], a special effects veteran of the Hollywood film industry, and [Joe Grand], who we’ve covered recently for his Defcon badge work. [Daniel Terdiman]‘s glimpse behind the scenes reveals some interesting projects, from a stair-climbing robot to the creation of a pyro pack. We’ll be sure to set our DVRs to record.

[via Zero Day]

British hacker to be extradited to U.S.

Kimberly Lau — Fri, 01 Aug 2008 00:30:00 +0000

British computer hacker [Gary McKinnon] lost his final appeal to block his extradition to the U.S. He stands accused of hacking into almost 100 U.S. military and NASA computers from his girlfriend’s aunt’s house in London over a four year period by the U.S. government. If convicted of the crimes in a U.S. court, he could face up to 70 years imprisonment. [Gary McKinnon] freely admitted to hacking into the computers, but claimed that he did it out of curiosity, not out of malice or any terroristic aims. He was looking for information on UFOs. The U.S. government claimed that in addition to hacking into the computers, he also stole 950 passwords and erased important files. [McKinnon's] next move will be to appeal to the European Court, and if unsuccessful, he will have no other option but to stand trial in the U.S. court system.

Hacker sentenced for stalking internet celebrity

Kimberly Lau — Fri, 11 Jul 2008 21:50:00 +0000

[Jeffrey Robert Weinberg] has been sentenced to 2 years in state prison for a single act of computer intrusion. He had already served time in federal prison for hacking into Lexis-Nexis. Weinberg was caught through his cyberstalking – he went after an Internet celebrity. [Amor Hilton] was a MySpace user with a popular show on Stickam. Hilton found herself locked out of her MySpace account, and her cellphone account disconnected. She alleged that he demanded phone sex and nude photos of her. [Hilton] worked with the police to identify the hacker using a photo that he sent. After [Weinberg] completes his sentence in state prison, he will have to face repercussions for violation of his federal probation, which came with severe restrictions on his computer usage.

25th Chaos Communications Congress

Eliot — Wed, 02 Jul 2008 11:15:00 +0000

The 25th annual Chaos Communications Congress is happening December 27-30th in Berlin, Germany. They’ve just published their official call for papers. Last year’s 24C3 was incredible and we’ll take any chance we get to attend an event held by the fine folks in the CCC. We hope to see you there!

[via BoingBoing]

Hackers needed, Los Angeles

Eliot — Sat, 10 May 2008 00:30:00 +0000

Hack-A-Day is looking for fulltime contributors in the the Los Angeles area. The details are in this Craigslist ad.

Our friends at Mahalo are also looking for a Systems Engineer, Los Angeles.