It looks like old Pentium boxes aren’t the only systems being relegated to web server duties. This is a supposedly easy install of Debian ‘woody’. The Linux distro can not be booted directly and needs to be started from OS 7.5.3. The guide gives some handy tips on what security upgrades need to be installed. I’m guessing most highschools finally threw these out last year, but you may still luck out.
[thanks MarkDavid]
if you’re into geocaching, terraserver and google maps can be your greatest allies. well, maybe second greatest, right after your trusty gps receiver. with terraserver, you can pull up hires satellite photos and topo maps of just about everywhere in the continental us. with google maps, you can easily pull up a road map and driving directions.
however, one thing i noticed when google maps launched was that it’s interface is conspicuously lacking a lat/lon entry field. it turns out there are a couple of query parameters that you can use to pull up coordinate based maps. with this info, you can make a simple form to pull up both map results for a given latitude/longitude combination, which should hopefully be a handy tool for your next gps treasure hunt. continue reading to see how this works.
Continue reading “Howto: Geocaching With Google And Terraserver”
the linksys nslu2 is a fun thing to hack around with, not only can you change the firmware and do things like telnet to it, but with this guide it can act as an itunes server and stream music to any of your computers running itunes.
Continue reading “Use The Linksys Nslu2 As An Itunes Server”
Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.
Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.
A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.
Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.
Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops. Continue reading “This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption”
For hackers of a certain age, the warbling of an analog modem remains something of a siren song. Even if you haven’t heard it in decades, the shrill tones and crunchy static are like a time machine that brings back memories of a bygone era. Alien to modern ears, in the 1980s and 90s, it was the harbinger of unlimited possibilities. An audible reminder that you were about to cross the threshold into cyberspace.
If you can still faintly hear those strangely comforting screeches in the back of your mind, the JawnCon 0x1 badge is for you. With a row of authentic vintage red LEDs and an impeccably designed 3D-printed enclosure, the badge is essentially a scaled-down replica of the Hayes SmartModem. But it doesn’t just look the part — powered by the ESP8266 and the open source RetroWiFiModem project, the badge will allow attendees to connect their modern computers to services from the early Internet via era-appropriate AT commands while they’re at the con.
Continue reading “The JawnCon 0x1 Badge Dials Up A Simpler Time”
Sometimes those moments arise when a new device comes on the market and hardware hackers immediately take to it. Over a few days, an observer can watch them reverse engineer it and have all sorts of fun making it do things it wasn’t intended to by the original manufacturer. We’re watching this happen in real time from afar this morning, as Dutch hackers are snapping up a promotional kids’ game from a supermarket (mixed Dutch/English, the site rejects Google Translate).
The Albert Heijn soundbox is a small handheld device with a barcode reader and a speaker, and as far as we can see it forms part of an animal identification card game. The cards have a barcode on the back, and sliding them through a reader causes a sample of that animal’s sound to be played. They’re attractively cheap, so of course someone had to take a look inside. So far the parts including the microcontroller have been identified, the ROM has been dumped and the audio reverse-engineered, and the barcode format has been cracked. Still to come are the insertion of custom audio or codes and arbitrary code execution, but knowing these hackers that won’t take long. If you’re Dutch, we suggest you head over to your local Albert Heijn with a few euros, and join in the fun.
European supermarkets can be fruitful places for the hardware hacker, as we’ve shown you before.
A month ago, I’ve talked about using computers to hack on our day-to-day existence, specifically, augmenting my sense of time (or rather, lack thereof). Collecting data has been super helpful – and it’s best to automate it as much as possible. Furthermore, an augment can’t be annoying beyond the level you expect, and making it context-sensitive is important – the augment needs to understand whether it’s the right time to activate.
I want to talk about context sensitivity – it’s one of the aspects that brings us closest to the sci-fi future; currently, in some good ways and many bad ways. Your device needs to know what’s happening around it, which means that you need to give it data beyond what the augment itself is able to collect. Let me show you how you can extract fun insights from collecting data, with an example of a data source you can easily tap while on your computer, talk about implications of data collections, and why you should do it despite everything.
