==Phrack Inc.== Volume 0x0f, Issue 0x45, Phile #0x10 of 0x10 |=-----------------------------------------------------------------------=| |=----------------------=[ International scenes ]=-----------------------=| |=-----------------------------------------------------------------------=| |=------------------------=[ By Various ]=------------------------=| |=------------------------=[ ]=------------------------=| |=-----------------------------------------------------------------------=| In this issue of your damn favorite magazine we bring you, not one, but three international scene articles. The first is about the glorious Spanish hacking scene. We had some very respected hackers review it and we believe we have brought you a real gem. For the second phile, rather than assembling information on a specific locale in the world, we have approached some of the predominant wargaming networks and have asked them to write up about their history and scene. We're happy with what we have got, hopefully you are too. We have all played wargames some time in our life, right? It's a hell of a hard work to maintain a wargaming platform and some people are there to do it for you, for the community. Our third phile was a late addition due to absent minded Phrackstaff, but a strong contribution none the less. Austin Texas seems to have a strong lock picking scene, and jgor has thankfully written up this phile to tell us all about it. We would like to point out that the following articles are probably outdated, as their original submissions date back to mid-2015, however we believe they cover a fair deal of the, more or less, recent past and thus are worth publishing. The Phrack Staff cannot, in any way, guarantee the validity or the level of detail of the information presented herein. Want to add/correct something? Mail us and we will try to publish your side of the story as well. Enjoy -Phrack Staff --[ Contents 1 - A small historic guide of the first Spanish hackers The Spanish 90's Scene .................... Merce Molist & Jay Govind 2 - Wargaming Scene Phile ..................... Steven, adc & weekend 3 - The Austin Lockpicking Scene .............. jgor |=[ 0x01 ]=---=[ A small historic guide of the first Spanish hackers The Spanish 90's Scene - Merce Molist & Jay Govind ]=---=| |=----------------------------------------------------------------=| |=--=[ A short historical guide to the first Spanish hackers ]=---=| |=---------------=[ The Spanish 90's Scene ]=-------------------=| |=----------------------------------------------------------------=| |=----------------------------------------------------------------=| |=---------------------=[ Merce Molist ]=-------------------------=| |=--------------=[ English version: HorseRide ]=------------------=| |=---------------------=[ hackstory.net ]=------------------------=| |=----------------------------------------------------------------=| = Index = 1. Old old school 2. X25 hackers 3. 29A: "I am the scene" 4. The community 5. Credits 1. Old old school "Hi, I'm Mave What I am going to tell you is of VITAL IMPORTANCE. YOUR FUTURE IS IN ****DANGER**** A LOT OF ****DANGER**** This morning, of January 31st 1996, at 9 in the morning, the judicial police turned up at my home, more precisely the computer crime brigade, and have ** ARRESTED ** me." This is how started the message that Mave sent to his colleagues of the Konspiradores Hacker Klub (KhK) when he had the "honour" of becoming the first hacker arrested in Spain. He was accused of penetrating systems belonging to the Carlos III university and of having used a stolen card in Compuserve, which was pretty standard among hackers back then. He was caught because of a mistake: he entered a chat channel under police surveillance with an account under his real name. KhK were 5 who were passionate about social engineering, meeting up in a Madrid cafe. Along with a limited few groups and lone wolves, between the late 80's and early 90's, they set down the bases of the Spanish hacking community. Another member of KhK, Lester the Teacher, would later write the first Spanish social engineering course, with those hacking pioneers mentioned in its introduction: "There was a time in which the Internet was only a place for survivors, a time in which Knowledge was acquired through a lot of personal work. A time in which respect was gained by sharing with those that didn't know, things you had learnt with effort. A time in which technology ceased to be magical because you learned to read its innards and you could manage to understand it. At that time a Hacker was one who found that no matter how much he learnt about systems he always knew very little. A Hacker was the one that managed to program that routine even smaller and more beautiful. A Hacker was he who respected the work of others that he recognized as peers. This is a simple and somewhat spartan page, as things were then, dedicated to all those friends I had the fortune of finding online during that time, and here are a few of them: Ender Wiggins, Omaq, Akira, CenoIx, Agnus Young, D-Orb, Partyman, Quijote AFL, Pink Pulsar, HorseRide, BlackMan/KhK, Wendigo/Khk, Mave/KhK, El Enano, Bugman, Joker, Spanish Taste, Cain, Savage ... As far as I can remember, I have never heard or read any of them call themselves a hacker."(1) The first Spanish hackers started appearing in the 70's, from the fields of electronics and CB radio, when the word "hacker" had yet to reach Spain. They would build their own calculators and personal computers and worked in the few companies that used computers, such as the airline Iberia, state investigation centres, banks and local branches of northamerican companies. Among those few "computer nuts" Alberto Lozano stands out as one of the few Spaniards that bought an Apple I. Some years later he would help create the first Apple clones. Alberto Lozano: "A Barcelona company built the Unitron, but couldn't sell them because they contained two ROMs copyright Apple. They said to me: Make it work without having the same ROM. I encrypted the contents of the ROM and wrote a routine that decrypted it and placed a copy in RAM of that Apple ROM when you turned on the Unitron. However, when you turned off the machine, that would be lost. If a judge took the ROM and read it, it wouldn't look in any way like the Apple one. In other words, I didn't design a BIOS, I encrypted the same one. It was a hack: an interesting solution to an important problem." In 1978 Lozano created the first personal computer user club in Spain Apple II, Commodore Pet and Radio Shack's TRS-80). The club reached 100 members and in 1985 Lozano made a BBS out of it. Mave or Lester the Teacher were part of the generation following Lozano, when there was sufficient critical mass to talk of a hacker community. Many started out as crackers, among them the mythical Zaragoza duo of Super Rata Software & AWD, active from 1983 to 1986 and addicted to de protecting (cracking) games. They already had a rudimentary hacker ethic: their work had to be copyable using the ZX-Spectrum copy program Copion by Arguello, one that everyone had, was easy to copy and easy to find. Alternatively the games would autocopy using a key combo. However, AWD, as many others, left the cracking scene for the hacking one, obtained a modem and changed his handle to Depeche Mode. He joined HorseRide, Han Solo and Alf and together they created the first Spanish hacking group, active between 1987 and 1989. It was called Glaucoma, like the illness that attacks the eyes iris, a reference to their main hobby: penetrating RedIRIS (Iris-net), the Spanish university network, from where they would jump onto international X25 networks. It is still remembered how Glaucoma managed to get the password that gave access to the Telefonica X25 nodes (or PADS) in Spain: HorseRide and Han Solo, who were in their early twenties, passed off as sales rep for an English company selling shared mainframe time and wanted to buy X25 accounts. When Telefonica did a demo, they memorized the password as the technician repeatedly entered it: ORTSAC, the reversed last name of the engineer that had set them up (CASTRO). 2. X25 Hackers Depeche Mode met The Phreaker through the Minitel chat called QSD, a hub for European hackers. The Phreaker was Catalan and wrote comm programs for modems, such as COMS4, which in 1988 were used worldwide. His are the blue box for MX BB.BAS, the exploit for Linux imapd.c, NePED -one of the first IDS, resulting from a bet after a few too many beers-, and QueSO ("cheese"), which remotely determined OS's and on which Nmap was based (2). The Phreaker created QueSO in 1996, when under the alias of Savage he helped the Portuguese group ToXyN in the first campaign of systematic attacks in the history of hacktivism against the government of Indonesia in favour of the independence of East Timor. The campaign consisted in assaulting and defacing the largest possible amount of Indonesian governmental and corporate systems. Savage contributed creating exploits and other purpose created tools such as QueSo. Savage: "We set up search scripts for all .id domains. For each one found, we'd look for the machines hosting www ftp mail and news and tried to attack all four. We set off as many automated attacks as we could. When we'd get a positive hit, we'd finish it off manually. We owned thousands of machines. When you have a working exploit and nobody knows the vulnerability, it's really easy." In the end, Indonesia recognized East Timor and QueSO became a weapon for peace: the Internet Operating System Counter project used it to produce a monthly report on the OS's of European computers connected to the Internet, including Israel. The promoter of IOSC was a German who ran QueSO from a machine in USA maintained by Lebanese, called beirut.leb.net . There was a curious conflict when two Israeli security companies reported that Israeli machines were being attacked from a Lebanese site. The news media exaggerated the event and IOSC ended up shutting down. Returning to 1989, The Phreaker and Depeche joined El Maestro and Petavax to form the group Apostols. Later on they would be joined by Sir Lancelot and Ender Wiggins, who in 1987 wrote the first book in Spanish about hacking and phreaking: "Manual del novicio al hack/phreack" [The novices manual to hack/phreak] (3). Ender offered the Apostols his ample knowledge about phreaking in exchange for something he didn't know: why the American blue-boxes didn't work in Spain. Apostols: "We figured it out together, spending a ton of money calling each other. It was thanks to some high voice-pitched ladies in the Girona area who when answering the phone saying "digui" (hello), the tone was so high that it was hitting 2,500Hz and cutting the link. Someone from Telefonica told us and from there it dawned on us: Heck, it's Sokotel! Sokotel was a type of link with in-band signalling. The US was signalling in 2,600Hz, which we had tried thousands of times and it didn't work in Spain". Phreaking was essential to reach BBS's and X25 networks, the natural field of action. As the European and USA X25 networks were linked, hacking sessions would generally extend beyond the ocean. The main port of entry for USA networks was the MITRE system, from a provider for the US Army. MITRE would gain fame from the book "The Cuckoo's Egg" by Stiff Stoll, which recounts how hackers from CCC (Chaos Computer Club) used it to steal corporate secrets from USA and sell them to the KGB: The Phreaker: "MITRE was well connected to all the active networks back then. There was an entry menu to access a phone directory service which you could break out with the sequence CTRL-Y **Interrupt**. If you did it right, the menu would abort and drop you in a shell from where you could connect anywhere. It was known nearly worldwide and for years all the hackers would go in through there." "US X25 entry nodes/PADS were incorrectly configured. If you went in through the back, you had a modem to connect wherever you wanted worldwide. You only needed a list of nodes, which was easy to get: you'd go into a US university, check who's connected and you'd get a list with the identification number of the network entry port that he had used. If you'd connect to that number when the user was no longer online, some operators had it pretty badly configured and with little effort (AT OK) you'd have the modem right there. Lists of accounts that everyone knew were circulating, one of them RMS belonging to Richard Stallman, on an MIT system, with no password." Another source of entertainment for Spanish hackers was to run and maintain their own BBS and visit those of their friends. Among the most notorious were Public NME, God's House, Jurassic Park, MSX-Access, VampireBBS or Waikiki Island. Ender Wiggins even had the gall to open a hacker BBS (4) at the newspaper where he worked as the IT guy, taking advantage of the foreign journalists phone line. As a side note, Wiggins landed this job thanks to his expert knowledge of VMS, obtained hacking VAXes. On his first day at work he came across a problem: he didn't know how to turn it on! He had never physically accessed one. 3. 29A "I am the scene" The Galician BBS Dark Node would become the most famous BBS, breeding ground for 29A, the most internationally known Spanish group. Respected virus authors worldwide were part of 29A during its 13 year run from 1995 to 2008: Mister Sandman (es), Anibal Lecter (es), AVV (es), Blade Runner (es), Gordon Shumway (es), Griyo (es), Leugim San (es), Mr. White (es), Tcp (es), The Slug (es), VirusBuster (es), Wintermute (es), Darkman, Jacky Qwerty, Rajaat, Reptile, Super (es), Vecna, Mental Driller (es), SoPinky, Z0mbie, Benny, Bumblebee (es), LethalMind, Lord Julus, Prizzy, Mandragore, Ratter, roy g biv and Vallez (es). Amongst their always original creations stood out the first virus for WinNT /Win95/Win32s (Cabanas/Jacky Qwerty), and for 64 bits (Rugrat/roy g biv), the first multiplatform (Esperanto/MrSandman), the first reverse executing (Tupac Amaru/Wintermute), the first for Windows 2000 and Windows 98 ( appearing prior to the public launch of those OS's, the first that ran under Linux and Windows (Winux/Benny), the first 32 bit polymorphic ( Marburg/GriYo), the first PHP trojan (Pirus/MaskBits as colaborator), the first virus to infect PDA's (Dust/Ratter) the first for mobile phones ( Cabir/Vallez) or the first anti-ETA hacktivist virus (GriYo) and Tuareg ( MentalDriller). Marburg, the first 32 bit polymorphic virus, saw the light in October of 1997 after a bitter discussion on alt.comp.virus between 29A members and the antivirus industry. 29A was criticizing the industry for false advertising, as their products could not detect 100% of virus, to which the industry responded with taunts. Following this, GriYo created Marburg which none of the existing antivirus could detect. Somehow Marburg ended up on the free CD's that came with the magazines "PCGamer" and "PC Power Play", and on the MGM/Wargames game CD. Marburg spread throughout the world like wildfire. As 29A was an international group, so were its meet-ups which would last for days and days. They spent a month in Amsterdam, in Brno a few weeks. A nice and well loved Belgium female follower, Gigabyte, went to the latter one, who was so young that she travelled with her cheerful grandfather. Bernardo Quintero: "I went to a 29A meetup in Madrid. One afternoon we went to the funfair. While we were queueing up at one of the rides, one of them was wearing a print of a virus hex-dump on his back, and the two who were behind him, bored, started to translate it out loud on the run into assembler and to interpret what it did as if they were reading a book... I was amazed (any normal human being, including myself as someone knowledgable in that field, needed a computer, a disassembler and to spend a while to do something like that)." The long lifespan of 29A had it witness in first person the decadence and criminalization of the whole virus scene, a decadence which would also apply to the whole hacking scenario. Benny, in 29A ezine, 2002: "The whole scene and many things in it will no longer be the way it was. Some programmers talk of "death", "decadence", some talk of serious problems. (...) Script kiddies and their so called "virus/worms" rule in cyberworld. (...) Antivirus earn money off people whose stupidity is 99.99% responsible for vast virus outbreaks ("click here" viruses). Where are those elite programmers, those elite groups? Where are those hi-tech viruses that *yesterday* dominated the world? *Decadence*". 4. The community However, prior to the decadence, the latter half of the 90's had a bubbling fertile and noisy community, proud heirs of the pioneers, meeting in newgroups such as es.comp.hackers, mailing lists such as hacking or hackindex, the IRC-Hispano chat group and ezines such as Raregazz, NetSearch, 7a69ezine, Cyberhack, CatHack, JJF Hackers Team or Virtual Zone Magazine. This breeding ground would give fruits in the form of tools that are still useful today such as Halberd (rwxrwxrwx), OSSIM (Ulandron), RKdetector (aT4r) or Unhide (Icehouse). The appearance of scores of newbie hackers showing up at the end of the 90's on the Spanish Internet is due to Infovía, the low cost phone network set up by Telefonica to access the Internet at local calling rates. This multiplied the number of ISP's, who practically gave away access, and the amount of internauts grew exponentially. Heading this small horde of apprentices were two veteran rival groups: !Hispahack from Catalonia and Saqueadores from Murcia. The former started in 1992 and their high technical level was apparent through the tools created and distributed by their members: SMBScanner (Flow), ICMPush ( Slayer), HTTPush (JFS) or Yersinia (Tomac and Slayer). Amongst their multiple feats, hacking forum.phrack.org with a PHP exploit in 2000. Unfortunately !Hispahack will not be remembered so much for their high level but for a police raid transformed into media circus in 1998 which ended up with one of its members, JFS, going on trial. His two seized computers produced password files allegedly stolen off machines from all over the world, from Thailand to Kiev, passing through Sweden, Canada, Australia, Germany or the European Organization for Nuclear Research ( CERN). A total of 9,459 accounts. In the end he was absolved due to inconsistencies in the proof presented. As for Saqueadores, they stood out due to the ezine of same name, born in 1996, the longest running of the Spanish arena. Some of the notable hacks of the time were narrated inside, such as when the editor of the ezine in 1997, Paseante, took control of Infovía (5), or when he obtained control of another sister, also owned by Telefonica, that controlled important networks of companies and institutions, amongst them the Iberia airline, the parliamentary congress, or Caja Madrid (a bank). Saqueadores is also credited with organizing the first hacking convention in Spain: the UnderCon (1997-2004), a private event with 30 to 60 participants, depending on the edition, precursor of many conventions that are currently held throughout the country. Homs: "There were a lot of people interested in phreaking and hardware hacking, hacking lifts, foosballs, phone booths, the hotel pbx, etc. At night the people would gather according to their interests and you'd see phreakers in booths with crocodile clips or metal plates, hackers who would stay "working" in the hotel rooms, others scanning RF frequencies, others just hanging out and partying (ending up getting call-girls and talking about hacking with them, or loosing a chicken in a taxi...), etc." From 2000 onwards, when the scene had reached its climax and little by little the decadence was taking root, a new generation of hackers gained strength, more transversal due to the groups they belonged to and more collaborative from an international point of view. Amongst them Zhodiac from !Hispahack stands out as author of EMET and multiple exploits (6). He published an article in Phrack in 2001 about overflows in PA-RISC, which opened the gates for others who would also publish there: Pluf and Ripe, Ilo, Dreg and Shearer, Pancake and Blackngel. They also created notable exploits, as Doing(7)(8) and RomanSoft(9)(10), well known for having written, in 1997, the most downloaded text of the Spanish underground "Tácticas de guerra en el IRC" (War tactics in IRC). RomanSoft is today a member of Int3pids, one of the 20 best CTF teams in the world, and of the group !dsR, who in 2004 managed the epic feat of hacking the actual Chaos Computer Club (11) (12). Taking advantage of a 0- day exploit in the CCC wiki, they obtained the 2003 congress participants list, which they published. Alejandro Ramos: "Hans Ulrich, from the CCC, after doing some forensics on the systems announced the vulnerability, attributing it to himself. It wasn't until then that RomanSoft reacted and explained that he had discovered the exploit a few months before and spread it to a small group of people from where it had filtered. Even the author of Twiki himself confirmed that Román had notified him of the vulnerability a few days prior". As a final note, the numerous and always collaborative Spanish cracking community deserves mention, very active on both sides of the ocean. Spanish crackers from the 90's created a multitude of refuges and a cathedral called "La Página de Karpoff" (Karpoff's page), where hundreds of translations, tools and manuals in Spanish about cracking, reverse engineering and computer programming were uploaded. This fountain of knowledge watered today's fertile community of Spanish reversers, amongst them Rubén Santamarta (reversemode), Joxean Koret (matalaz), Ero Carrera, Hugo Teso, Mario Ballano or Sergi Àlvarez (trufae), the creator of Radare. (1) http://www.netcomunity.com/lestertheteacher/index.htm (2) https://nmap.org/nmap-fingerprinting-old.html (3) http://hackstory.net/Manual_del_novicio_al_hacking (4) https://www.youtube.com/watch?v=jXmAzeMoZNs (5) http://set-ezine.org/ezines/set/txt/set11.zip (6) http://zhodiac.hispahack.com/index.php?section=advisories (7) http://examples.oreilly.com/networksa/tools/rpc-statd.c (8) http://www.vfocus.net/hack/exploits/os/linux/suse/6.2/su-dtors.c (9) http://examples.oreilly.com/networksa/tools/rs_iis.c (10) http://archives.neohapsis.com/archives/fulldisclosure/2006-07/ 0234.html (11) http://www.digitalsec.net/stuff/fun/CCC/camp-server-hack.htm (12) http://www.digitalsec.net/stuff/fun/CCC/ccc_and_cccs.txt 5. Thanks to: Dreg, Homs, Zhodiac, HorseRide, Han Solo, Depeche, Rampa, Savage, Partyman, Lester, Mave, Darkraver, RomanSoft, X-Grimator, Karpoff, Pepelux, JFS, Alberto Lozano, VirusBuster, rwxrwxrwx, aT4r, Crg, TaNiS, MindTwist, uCaLu, MegadetH, Pancake, Crash, Metalslug, Angeloso, Nico, dAb, Snickers, Rayita, Yandros, Icehouse, DrSlump, Deese, L, Altair, thEpOpE, Belky, El-Brujo, ReYDeS, Bernardo Quintero, Carlos Sánchez Almeida, Manoleet, Cyteck, Yoriell, Mónica Lameiro, Jay Govind, Rock Neurotiko, Albert StateX and the rest of the Hackstory's crew. Also: Jericho. Wau Holland. |=[ 0x02 ]=---=[ Wargaming Scene Phile - Steven, adc & weekend ]=--------=| --[ An Overview of the Wargaming Scene Through the Eyes of adc In 2007, 3 dudes captured the first slot in the DEFCON CTF Qualifiers. They didn't come from anywhere, and they werent actually planning on playing, which is why they had to decline. The only explanation is wargames. So if you eat your veggies and do loads and loads of wargames you too will have brains, discipline, and hilarity. And the wargame scene has bloomed! There are CTFs available just about every month now, many of which can be played remotely. And persistent shell-based wargames and web-vuln sites continue to run, year after year, completely free. Here's why I love wargames: - The people attached to the keyboards on the other side - Easy, piecemeal, bite-sized levels - Decent learning curve on most games (easy to HARD) - Easy to discipline yourself into a hacking machine - Good ego-boost after trying to hack unsolved things gets you down (see: real world) - Friendly help readily available - Knowledge itself is the reward, pure skill! - Some people cheat, and those that do don't get much of anything out of it - Cheating is more fun when noone knows how you cheated - Adrenaline rush (though it's faded for me and others with great time) I became addicted to wargames.unix.se in 2003. Before the summer, I had been trying a website my friend showed me, hackerslab, but didn't really get anywhere after copy pasting my way to somewhere not very far. The swedish site was started by norse and had lots of other people participating and making games, a bunch of which are still not far from wargames today. At wargames.unix.se something special happened for me though, it all just really clicked. Perhaps it was the web design or maybe the slogan: "Unregulated knowledge is pornography". There was just tons of cool information being discussed in the forums and on irc, things people wondered about, highly technical, and those people were exploring them full-on. I think it really was the community. A bunch of charming and cool swedes were making fun, addictive wargames to play. The attitude there was A+, the challenges were good, and something about the way they were presented just made them very appealing. It could have been the scoreboard, or just listening in on the irc and thinking damn, these are some genuine hackers. And people were very polite and helpful. Some of those early games can still be played on overthewire.org: Leviathan - this was the first shell based game, where all newbies start Behemoth - where I exploited my first buffer overflow Utumno - A little harder Maze - Harder again, easy remotes There used to be a bunch of other games on wargames.unix.se, some that taught network skills, and then some that did crypto from easy (balthasar) to hard (halls of despair) to insane (halls of torment). The four shell-based games above I would highly recommend to anyone just starting out. They are just easy enough that it's welcoming to a beginner but after leviathan the esoterism begins to seep through and make the levels something else altogether. They're fun and captivating to this day. The thing of it is, I used to actually get a huge adrenaline rush from solving these back then. Like my heart would be pounding while I was waiting for some shellcode to land, and when it did, it was always a great smile. After spending an evening to a week or two miserably stuck, taking copious notes, and then finally solving a level, I couldn't wait to be working my way up to the next one. It was really damn addictive. Oddly enough, real-world hacks rarely got close to the rush from wargames for me, as the real world has lots of complications which my biology begins to think about.... I'm weird. Many wargamers also keep copious notes in order to capture the subtleties of the different game levels. The notes directories usually begin only with the credentials for each level, but as most wargamers find, the notes directory tends to escalate. It contains for each level of each game: which vulnerabilities have been identified, which exploits might work, which exploits failed, and finally which exploits succeeded. It's also a good idea to keep notes on different shellcodes, different techniques for debugging, heap tricks, and so on. I would probably learn a ton from the disclosure of other people's notes :-). wargames.unix.se transformed into Digital Evolution dievo.org and was around until '06 or so. Digital Evolution was quite awesome. It had basically everything I use from the internet still today: wargames, a chill music station (delphium radio!), an awesome picture gallery from the userbase, an extensive archive of links to knowledge, irc!!!, and leaderboards to compete about everything on the website. In '06 or so at some point the community dispersed after the demands of running the site became too great for the people running it and the site leaders just kind of moved on after a lot of downtime. runixd offered to host the games and intruded.net came up. I helped restore and retest a bunch of them. It seems like ages ago, but I remember administering the games on user-mode-linux, then Xen (and finding tons of ways to kernel panic), and finally Vserver. We stopped updating the games around '07, and it turns out turns of privesc vulns were being introduced to the kernel and libc in late '07 and '08, heh, so the games didn't need too much maintenance for awhile. Till some hardware failed quite poorly in early '11. Luckily, overthewire.org has taken everything back up in '12 and continues to host them So tempting to namedrop some greetz here to all the nick, but archive.org really says it best!. http://web.archive.org/web/20050729112313/http://www.dievo.org/ So what's around today if you're looking to get yet-better at memory corruption when CTFs are not around? I highly recommend two oldies, which I consider transformative in my exploitation education. The first of these is vortex on overthewire.org, the second is #io on smashthestack.org. When I first played vortex, the first level showed me that I did not really understand pointers as well as I thought I did. I recall andrewg telling me to draw a stack diagaram. So I did, and finally the &s and *s made sense when combined with my diagram and the assembly code. It was mind bendingly difficult for something quite simple the first time through. And other levels repeat the experience. Subtly exploitable bugs that at first don't appear to be possible because of certain limitatio yns. The level of difficulty does continue to grow until at some point you become somewhat skilled. When showing up to play #io, the first time through, I got to 11 and was utterly disappointed until then. And then something happens, the levels become hard. Quite hard. I had been a wargame veteran at this point, so #io was a gift! Today, the first 10 have been rewritten to all be fun. Now up to about 30 levels, #io continues to grow with well-researched, subtle vulnerabilities for exploitation. At least one level has a real world, remotely exploitable vulnerability found by a player and crafted into a challenge for your intellectual pleasure. Beat #vortex and #io and you will be rather _good_ at exploiting unix memory corruption. After that, go play them all. Play every wargame. They all contain knowledge that will enhance your skills. Also play CTFs when you can and if they're fun! If they're not as fun or getting stale, then hack the game! - adc old rant: When I was younger I was aggressive and persistent, probably still so. Wargames were the perfect outlet to mold my energy into some pretty useful tricks. I remember coming and going back to wargames many times, the same challenges continually kicking my ass. I started out as a google copy pasta chef. I didn't know how to code very well, though I remember checking out a copy of Turbo C once when I was 12, then a C++ book from the store when I was 13, and being bored while attempting to learn something from it. I still hate C++, I think that Bjarne Stroutsups overgrown haircut explains it all. I have always, always kept coming back to really play with the machine though. I want to watch it tick and take it apart. I think I always had the itch when peering into a screen. I started out wargaming in 2003. From memory, there are some good ones I remember from that year, there was web stuff like try2hack.nl, hackthissite.org, and C stuff like hackerslab (a korean site), pulltheplug.com (now overthewire.org), and wargames.unix.se (a swedish site which later became dievo.org). I remember not really knowing my way around a command shell after cheating on some of the hackerslab levels. Then one day, a friendly hacker started talking to me through my bash shell. I had no idea how he did it. Peering up, the difference of skill level between us was laughable. I wanted to learn :-) Wargaming in the military is running battle simulations. Wargaming for computer security is also a simulation. The nice thing about computers is that they enable very cheap simulations on very real systems. When wargaming really started to take off in the early 2000s, internet connections became cheaper as did servers, so it wasn't too much of a hassle to host something. Though you had to remain careful where you hosted in case you invited skilled company inside. Sometimes the systems you're hacking are completely synthetic, which can be quite tame at times. Sometimes the synthetic game is hackable to reveal the real game, which is a lot more fun, and I always have more fun when the real game comes out from the synthetic. For example, I recall one roothack in 07 or so, eagerly awaiting Epic (RIP) to kick off a 5-way king of the box game when felinemenace crew ended the game on the gateway machine before the event had even started. Meanwhile, beist was on my team had hacked another team's account, and we thought *we* were the ones being cool... Those two week lulls before classes would pick up again in high school, and nothing felt better than procrastinating the binges of assigned summer reading with some real intellectual stimulation of my own volition. Landing some code. Since 07, CTFs have just exploded. I am lucky to have played with the loller skaterz dropping from rofl copters as well as RPISEC and pick up teams here and there. One thing that always impressed me about the teams I encountered was when they *hadnt* played persistent wargames before. You can have a read of atlas' blog to see what kind of catching up they have to do. Many CTF players have managed to compress an year's worth of debugging exploits into a few months, it's impressive. Here's what I love about wargames. One, it will expand your understanding of programs and debugging like nothing else can. Many wargame levels will be little 100-line programs that don't *appear* to have any security bugs and they will kick your ass for awhile. Others will be obviously exploitable, until you go and try and exploit them, and find all the difficulties whether an XSS filter, a NUL byte in the wrong place, or the compiler reordering stack variables... Two, there's always a solution* once a challenge is up. Some brilliant minds thought through and tested something special just for you very thoroughly to make sure you'd have a good time. Real world code can REALLY kick your ass and get your self esteem down. It's hard, you can't always be smarter than the programmers that wrote it. But a wargame level was made to be broken. It will help you pick up the momentum you need to tackle the real world again. *Some CTFs mess up the testing phase which is disappointing for everyone. Three, they come in baby steps. The way most persistent wargames and CTFs are organized is through a potpourri of easy medium hard and random challenges. Each challenge itself is usually quite manageable and bite-sized. A well designed game makes it effortless to figure out which pieces to solve first. A common strategy among wargame players it to keep a copious notes with the successes (and sometimes failures) of each level. I personally logged most of my failed attempts, and always felt great satisfaction revisiting them. The games provided excellent facilities for conquering genuinely hard, unknown problems with a lot of research, gdb (or whatever web stuff for web stuff), and head scratching. Was also always a joy ;-) to grab a copy of someone's note directory and learn little tricks. Four, you will learn real skills. There are skills encoded in the levels of the games out there that haven't been yet published in an article. I'm fairly certain #io on smashthestack.org revealed linux ASLR bypasses quite awhile before they were patched and semi-public. Though many wargames start out quite easy the difficult ones are there. And it is the difficult ones that will transform you from a noob into a conscious hacker. Five, the people. Yes some people are ornery, and if you're vain then you think I'm talking about you. Some people are trolls. And some people are just so genuinely cool. Throughout my time in the computer security space, I am persistently impressed and inspired by people. Both competitively and creatively, I feel like I've always worked best in pairs or small groups of people. It's always just a pleasure for me to work with others. And people of very different backgrounds and goals come to sharpen their skills on wargames, which means there will be fun. I remember the first guy I learned to exploit a stack buffer overflow with, we both had no clue, but we figured it out after a few days of gdbing. This was on the wargames.unix.se website, which I am EXTREMELY nostalgic for. I owe Sweden a lot of beers. Throughout the different wargaming sites and CTFs you will find lots of different attitudes, some very mysterious people, and some incredibly ordinary. Back in 2003 when I found wargames.unix.se I knew nothing but just had a compulsion to solve some levels. I was doing whatever it took to get to the next one, but I often couldn't figure it out *on my own*. On wargames.unix.se I found mentorship and just a super inviting attitude to do the hard stuff. The standard of thinking hard was well-ingrained, and more impressively, people were just really damn friendly and accepting. And the reason that is impressive is because I asked *a lot* of dumb questions. It also had a great scoreboard with green dots that I lived for, plus the rankings. I'm pretty sure that I can crash in pads around the world on the promise of explaining a wargame level to someone. Steven, I'll race you... -adc Wargames: overthewire.org, smashthestack.org, hackthissite.org, try2hack.nl CTFs: blah blah blah --[ OverTheWire OverTheWire.org (OTW for short) is, as far as we are aware, the oldest hacker wargame community on the internet. The goal of OTW is to learn security principles and coding practices through a hands-on approach, and have fun while doing it. The regular OTW community idles on IRC and is very supportive of new users willing to learn. They answer technical questions about the games, provide hints and often discuss all kinds of topics surrounding computer security. We currently host 11 online games and 3 downloadable images for games that can be played offline. The topics covered in these games are typically related to lowlevel security in linux userland (vortex, semtex, leviathan, narnia, behemoth, utumno, maze, manpage), but we also cover commandline scripting (bandit), networking (semtex), crypto (krypton), web (natas) and some kernelland (monxla). OverTheWire.org was originally called PullThePlug.com, and was created by Brian Gemberling around 1999. It consisted of 4 physical machines connected to a network in his basement, behind a cable modem with a single IP. Through portforwarding, all these machines could be reached from the internet. More people joined in the following years and PullThePlug (PTP) grew out of Brian's basement and into a dedicated hosting enviroment. Now being run by a core management team and a lot of volunteers, the games existed on 4 physical machines and a bunch of vserver instances. To avoid a conflict between the PTP games and Brian's business (ptptech.com), the community moved from PullThePlug.com to PullThePlug.org. After a dispute over the PullThePlug.org domain name, PullThePlug.org moved again to OverTheWire.org around 2006. At this point, most of the old games were gone and replaced by newer games. Because of all the turbulence caused by moving domain names and problems with hosting providers and DDoS attacks, development of new games stalled out. It took a couple years before the server infrastructure got back on it's tracks. By this time though, a lot of the crew had moved on to other things. In 2010, OTW created its first custom wargame for the French Hackito Ergo Sum (HES) conference and has been doing that annually ever since: HES2010 and abraxas (HES2011) can be downloaded as VM images, while monxla (HES2012) can be downloaded as a livecd ISO. Kishi, a custom game for 2013, will be shared by HES and NSC (No Such Conference, also French) and offered as a download later on. In 2012, it became apparent that games from intruded.net went offline and were staying offline. We were asked to adopt these games and, with the help of their former administrators, managed to resurrect them all 6 on the OTW servers: leviathan, narnia, behemoth, utumno, maze and manpage. In addition , 2 games for complete beginners were developed to lower the barrier for newcomers. Bandit focuses on the very basics of systems security, and natas covers serverside websecurity. Because of relentless DDoS attacks on both the OverTheWire.org and SmashTheStack.org IRC networks, it was decided in 2012 to link both of them together into one bigger network, reuniting us with our long lost brothers and sisters. This is not the end of the story. We will keep working on developing new games and maintaining the old ones, for as long as we can. Several new games are already in development, covering topics such as kernel exploitation, web-security and others. Many great hackers started out playing, or at some point regularly visited the PTP/OTW games. It's an honor to be part of their lives in this way and it is our hope to continue to provide this kind of hands-on experience to the next generation of hackers. Remember, kids: "Experience is what you get, when you don't get what you want!" This looks like a good place to thank some people: andrewg, arcanum, astera ,aton, bk, Brian Gemberling, deadbyte, dusty, gizmore, jduck, joernchen, kripthor, l3thal, malvina, mercy, morla, mxn, nemo, rainer, samy, everyone else of #social and probably a ton of people who slip my mind right now <3 Go forth, and be a force of the awesome! |=[ 0x03 ]=---=[ The Austin Lockpicking Scene - jgor ]=---=| |=----------------------------------------------------------------=| |=----------------=[ The Austin Lockpicking Scene]=---------------=| |=------------------------=[ by jgor ]=--------------------------=| |=----------------------------------------------------------------=| The hobbyist lockpicking scene in the U.S. has become wildly organized in the last decade. If you've been to a hacker conference in that time you've likely heard the names TOOOL (The Open Organization Of Lockpickers) [0] or Locksport International [1]. While TOOOL has been going strong in the Netherlands for far longer, the U.S. branch didn't make an appearance until the mid-2000's, and Locksport International popped up around the same time in 2005 as a joint effort between U.S. and Canadian founders. Enter Doug Farre. An early officer and now president of Locksport International, Doug came to Austin in early 2006. After his principal put the kibosh on attempts to start a lockpicking club at his high school in Houston, and a short-lived group at UT Dallas, he founded the Longhorn Lockpicking Club [2] at the University of Texas at Austin. This student organization soon became the flagship chapter of Locksport International. The club held general meetings on campus each month but core members found themselves gravitating to the Spider House Cafe & Bar down the street for weekly informal picking sessions. Not so coincientally, Spider House was also the location for Austin 2600 [3] at the time. Longhorn Lockpicking enjoyed great success; with meetings exceeding 50 people in attendance and over 150 registered members in a year it became one of the largest hobbyist lockpicking groups in the U.S.. DEFCON 16 saw no less than 5 Longhorn Lockpicking officers on staff in the lockpick village, bringing with them an epic obstacle course competition involving picking locks underwater. Doug gave one of the more popular talks at DEFCON that year as well, "Identification Card Security: Past, Present, Future." By DEFCON 17 Longhorn Lockpicking officer jgor (yours truly) won the speedpicking championship, winning a trip to compete at the invitation-only LockCon in the Netherlands. In the next few years Longhorn Lockpicking went on to organize or help run lockpick villages and contribute games such as "Locksport Wizard" and "24 Hours of Locks" to DEFCON, HOPE, and a number of other hacker conferences. In 2011 due to lack of volunteers for leadership the Longhorn Lockpicking Club on campus took a hiatus, officially splintering off a separate group dubbed L.I-Austin [4] with meetings continuing off-campus. Eventually the name Longhorn Lockpicking was restored but the club remained unaffiliated from the university, meeting regularly every other Saturday on the Spider House patio. As of 2016 they're still going strong and looking forward to their 10th anniversary in the fall. In addition to Longhorn Lockpicking, the ATX Hackerspace [5] has held lockpicking meetings on occasion and has hosted multiple lockpicking workshops in conjunction with College of Lockpicking [6], an initiative by Eric Michaud and Jamie Schwettmann which brought lockpicking workshops to hackerspaces around the U.S. If you're interested in getting involved in lockpicking check out the organization websites mentioned above to find a chapter near you, or resources to start your own chapter. [0] TOOOL U.S. http://toool.us [1] Locksport International http://locksport.com [2] Longhorn Lockpicking http://longhornlockpicking.com [3] Austin 2600 http://atx2600.org [4] L.I Austin http://meetup.com/li-austin [5] ATX Hackerspace http://atxhackerspace.org [6] College of Lockpicking http://collegeoflockpicking.com |=[ EOF ]=---------------------------------------------------------------=|