Hacker Alert- Darpa project 10$ K for summer
If you bleed red,white and blue and know some geo-spatial analysis ,social network analysis and some supervised and unsupervised learning (and unlearning)- here is a chance for you to put your skills for an awesome project
For this challenge, Darpa will lodge a selected six to eight teams at George Mason University and provide them with an initial $10,000 for equipment and access to unclassified data sets including “ground-level video of human activity in both urban and rural environments; high-resolution wide-area LiDAR of urban and mountainous terrain, wide-area airborne full motion video; and unstructured amateur photos and videos, such as would be taken from an adversary’s cell phone.” However, participants are encouraged to use any open sourced, legal data sets they want. (In the hackathon spirit, we would encourage the consumption of massive quantities of pizza and Red Bull, too.)
DARPA Innovation House Project
Home | Data Access | Awards | Team Composition | Logisitics | Deliverables | Proposals | Evaluation Criteria | FAQ
Proposals must be one to three pages. Team resumes of any length must be attached and do not count against the page limit. Proposals must have 1-inch margins, use a font size of at least 11, and be delivered in Microsoft Word or Adobe PDF format.
Proposals must be emailed to InnovationHouse@c4i.gmu.edu by 4:00PM ET on Tuesday, July 31, 2012.
Proposals must have a Title and contain at least the following sections with the following contents.
- Team Members
Each team member must be listed with name, email and phone.
The Lead Developer should be indicated.
The statement “All team members are proposed as Key Personnel.” must be included.
- Capability Description
The description should clearly explain what capability the software is designed to provide the user, how it is proposed to work, and what data it will process.
In addition, a clear argument should be made as to why it is a novel approach that is not incremental to existing methods in the field.
- Proposed Phase 1 Demonstration
This section should clearly explain what will be demonstrated at the end of Session I. The description should be expressive, and as concrete as possible about the nature of the designs and software the team intends to produce in Session I.
- Proposed Phase 2 Demonstration
This section should clearly explain how the final software capability will be demonstrated as quantitatively as possible (for example, positing the amount of data that will be processed during the demonstration), how much time that will take, and the nature of the results the processing aims to achieve.
In addition, the following sections are optional.
- Technical Approach
The technical approach section amplifies the Capability Description, explaining proposed algorithms, coding practices, architectural designs and/or other technical details.
- Team Qualifications
Team qualifications should be included if the team?s experience base does not make it obvious that it has the potential to do this level of software development. In that case, this section should make a credible argument as to why the team should be considered to have a reasonable chance of completing its goals, especially under the tight timelines described.
Other sections may be included at the proposers? discretion, provided the proposal does not exceed three pages.
Anonymous grows up and matures…Anonanalytics.com
I liked the design, user interfaces and the conceptual ideas behind the latest Anonymous hactivist websites (much better than the shabby graphic design of Wikileaks, or Friends of Wikileaks, though I guess they have been busy what with Julian’s escapades and Syrian emails)
I disagree (and let us agree to disagree some of the time)
with the complete lack of respect for Graphical User Interfaces for tools. If dDOS really took off due to LOIC, why not build a GUI for SQL Injection (or atleats the top 25 vulnerability testing as by this list http://www.sans.org/top25-software-errors/
Shouldnt Tor be embedded within the next generation of Loic.
Automated testing tools are used by companies like Adobe (and others)… so why not create simple GUI for the existing tools.., I may be completely offtrack here.. but I think hacker education has been a critical misstep[ that has undermined Western Democracies preparedness for Cyber tactics by hostile regimes)…. how to create the next generation of hackers by easy tutorials (see codeacademy and build appropriate modules)
-A slick website to be funded by Bitcoins (Money can buy everything including Mastercard and Visa, but Bitcoins are an innovative step towards an internet economy currency)
-A collobrative wiki
Seriously dude, why not make this a part of Wikipedia- (i know Jimmy Wales got shifty eyes, but can you trust some1 )
-Analytics for Anonymous (sighs! I should have thought about this earlier)
http://anonanalytics.com/ (can be used to play and bill both sides of corporate espionage and be cyber private investigators)
What We Do
We provide the public with investigative reports exposing corrupt companies. Our team includes analysts, forensic accountants, statisticians, computer experts, and lawyers from various jurisdictions and backgrounds. All information presented in our reports is acquired through legal channels, fact-checked, and vetted thoroughly before release. This is both for the protection of our associates as well as groups/individuals who rely on our work.
_and lastly creative content for Pinterest.com and Public Relations ( what next-? Tom Cruise to play Julian Assange in the new Movie ?)
http://www.par-anoia.net/ />Potentially Alarming Research: Anonymous Intelligence AgencyInformation is and will be free. Expect it. ~ Anonymous
Links of interest
- Latest Scientology Mails (Austria)
- Full FBI call transcript
- Arrest Tracker
- HBGary Email Viewer
- The Pirate Bay Proxy
- We Are Anonymous – Book
- To be announced…
How to learn Hacking Part 2
Now that you have read the basics here at http://www.decisionstats.com/how-to-learn-to-be-a-hacker-easily/ (please do read this before reading the below)
Here is a list of tutorials that you should study (in order of ease)
1) LEARN BASICS – enough to get you a job maybe if that’s all you wanted.
2) READ SOME MORE-
Lena’s Reverse Engineering Tutorial-“Use Google.com for finding the Tutorial”
Lena’s Reverse Engineering tutorial. It includes 36 parts of individual cracking techniques and will teach you the basics of protection bypassing
01. Olly + assembler + patching a basic reverseme
02. Keyfiling the reverseme + assembler
03. Basic nag removal + header problems
04. Basic + aesthetic patching
05. Comparing on changes in cond jumps, animate over/in, breakpoints
06. “The plain stupid patching method”, searching for textstrings
07. Intermediate level patching, Kanal in PEiD
08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor
09. Explaining the Visual Basic concept, introduction to SmartCheck and configuration
10. Continued reversing techniques in VB, use of decompilers and a basic anti-anti-trick
11. Intermediate patching using Olly’s “pane window”
12. Guiding a program by multiple patching.
13. The use of API’s in software, avoiding doublechecking tricks
14. More difficult schemes and an introduction to inline patching
15. How to study behaviour in the code, continued inlining using a pointer
16. Reversing using resources
17. Insights and practice in basic (self)keygenning
18. Diversion code, encryption/decryption, selfmodifying code and polymorphism
19. Debugger detected and anti-anti-techniques
20. Packers and protectors : an introduction
21. Imports rebuilding
22. API Redirection
23. Stolen bytes
24. Patching at runtime using loaders from lena151 original
25. Continued patching at runtime & unpacking armadillo standard protection
26. Machine specific loaders, unpacking & debugging armadillo
27. tElock + advanced patching
28. Bypassing & killing server checks
29. Killing & inlining a more difficult server check
30. SFX, Run Trace & more advanced string searching
31. Delphi in Olly & DeDe
32. Author tricks, HIEW & approaches in inline patching
33. The FPU, integrity checks & loader versus patcher
34. Reversing techniques in packed software & a S&R loader for ASProtect
35. Inlining inside polymorphic code
If you want more free training – hang around this website
OWASP Cheat Sheet Series
- OWASP Top Ten Cheat Sheet
- Authentication Cheat Sheet
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Transport Layer Protection Cheat Sheet
- Cryptographic Storage Cheat Sheet
- Input Validation Cheat Sheet
- XSS Prevention Cheat Sheet
- DOM based XSS Prevention Cheat Sheet
- Forgot Password Cheat Sheet
- Query Parameterization Cheat Sheet
- SQL Injection Prevention Cheat Sheet
- Session Management Cheat Sheet
- HTML5 Security Cheat Sheet
- Web Service Security Cheat Sheet
- Application Security Architecture Cheat Sheet
- Logging Cheat Sheet
- JAAS Cheat Sheet
Draft OWASP Cheat Sheets
- Access Control Cheat Sheet
- REST Security Cheat Sheet
- Abridged XSS Prevention Cheat Sheet
- PHP Security Cheat Sheet
- Password Storage Cheat Sheet
- Secure Coding Cheat Sheet
- Threat Modeling Cheat Sheet
- Clickjacking Cheat Sheet
- Virtual Patching Cheat Sheet
- Secure SDLC Cheat Sheet
3) SPEND SOME MONEY on TRAINING
Module 1 – The x86 environment
- System Architecture
- Windows Memory Management
- Introduction to Assembly
- The stack
Module 2 – The exploit developer environment
- Setting up the exploit developer lab
- Using debuggers and debugger plugins to gather primitives
Module 3 – Saved Return Pointer Overwrite
- Saved return pointer overwrites
- Stack cookies
Module 4 – Abusing Structured Exception Handlers
- Abusing exception handler overwrites
- Bypassing Safeseh
Module 5 – Pointer smashing
- Function pointers
- Data/object pointers
- vtable/virtual functions
Module 6 – Off-by-one and integer overflows
- Integer overflows
Module 7 – Limited buffers
- Limited buffers, shellcode splitting
Module 8 – Reliability++ & reusability++
- Finding and avoiding bad characters
- Creative ways to deal with character set limitations
Module 9 – Fun with Unicode
- Exploiting Unicode based overflows
- Writing venetian alignment code
- Creating and Using venetian shellcode
Module 10 – Heap Spraying Fundamentals
- Heap Management and behaviour
- Heap Spraying for Internet Explorer 6 and 7
Module 11 – Egg Hunters
- Using and tweaking Egg hunters
- Custom egghunters
- Using Omelet egghunters
- Egghunters in a WoW64 environment
Module 12 – Shellcoding
- Building custom shellcode from scratch
- Understanding existing shellcode
- Writing portable shellcode
- Bypassing Antivirus
Module 13 – Metasploit Exploit Modules
- Writing exploits for the Metasploit Framework
- Porting exploits to the Metasploit Framework
Module 14 – ASLR
- Bypassing ASLR
Module 15 – W^X
- Bypassing NX/DEP
- Return Oriented Programming / Code Reuse (ROP) )
Module 16 – Advanced Heap Spraying
- Heap Feng Shui & heaplib
- Precise heap spraying in modern browsers (IE8 & IE9, Firefox 13)
Module 17 – Use After Free
- Exploiting Use-After-Free conditions
Module 18 – Windows 8
- Windows 8 Memory Protections and Bypass
ALSO GET CERTIFIED http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/ ($950 cost)
the syllabus is here at
4) HANG AROUND OTHER HACKERS
or The Noir Hat Conferences-
or read this website
5) GET A DEGREE
Yes it is possible
The Johns Hopkins University Information Security Institute (JHUISI) is the University’s focal point for research and education in information security, assurance and privacy.
The Information Security Institute is now accepting applications for the Department of Defense’s Information Assurance Scholarship Program (IASP). This scholarship includes full tuition, a living stipend, books and health insurance. In return each student recipient must work for a DoD agency at a competitive salary for six months for every semester funded. The scholarship is open to American citizens only.
MASTER OF SCIENCE IN SECURITY INFORMATICS PROGRAM
The flagship educational experience offered by Johns Hopkins University in the area of information security and assurance is represented by the Master of Science in Security Informatics degree. Over thirty courses are available in support of this unique and innovative graduate program.
Disclaimer- I havent done any of these things- This is just a curated list from Quora so I am open to feedback.
You use this at your own risk of conscience ,local legal jurisdictions and your own legal liability.
Stanford Courses Delayed Again
Message from the guys at Palo Alto— Why dont they just make videos using Sal Academy’s help?
We’re sorry to have to tell you that our Machine Learning course will be delayed further. There have naturally been legal and administrative issues to be sorted out in offering Stanford classes freely to the outside world, and it’s just been taking time. We have, however, been able to take advantage of the extra time to debug and improve our course content!
We now expect that the course will start either late in February or early in March. We will let you know as soon as we hear a definite date. We apologize for the lack of communication in recent weeks; we kept hoping we would have a concrete launch date to give you, but that date has kept slipping.
Thanks so much for your patience! We are really sorry for repeatedly making you wait, and for any interference this causes in your schedules. We’re as excited and anxious as you are to get started, and we both look forward to your joining us soon in Machine Learning!
Andrew Ng and the ML Course Staff
How to learn to be a hacker easily
1) Are you sure. It is tough to be a hacker. And football players get all the attention.
2) Really? Read on
3) Read Hacker’s Code
The Hacker’s Code
“A hacker of the Old Code.”
- Hackers come and go, but a great hack is forever.
- Public goods belong to the public.*
- Software hoarding is evil.
Software does the greatest good given to the greatest number.
- Don’t be evil.
- Sourceless software sucks.
- People have rights.
Organizations live on sufferance.
- Governments are organizations.
- If it is wrong when citizens do it,
it is wrong when governments do it.
- Information wants to be free.
Information deserves to be free.
- Being legal doesn’t make it right.
- Being illegal doesn’t make it wrong.
- Subverting tyranny is the highest duty.
- Trust your technolust!
4) Read How to be a hacker by
Eric Steven Raymond
or just get the Hacker Attitude
The Hacker Attitude
- 1. The world is full of fascinating problems waiting to be solved.
- 2. No problem should ever have to be solved twice.
- 3. Boredom and drudgery are evil.
- 4. Freedom is good.
- 5. Attitude is no substitute for competence.
- 5) If you are tired of reading English, maybe I should move on to technical stuff
- 6) Create your hacking space, a virtual disk on your machine.
- You will need to learn a bit of Linux. If you are a Windows user, I recommend creating a VMWare partition with Ubuntu
- If you like Mac, I recommend the more aesthetic Linux Mint.
- How to create your virtual disk-
- read here-
- Download VM Player here
- Down iso image of operating system here
- Downloading is the longest thing in this exercise
- Now just do what is written here
- or if you want to try and experiment with other ways to use Windows and Linux just read this
- Moving data back and forth between your new virtual disk and your old real disk
- 7) Get Tor to hide your IP address when on internet
- 8a ) Block Ads using Ad-block plugin when surfing the internet (like 14.95 million other users)
- 8b) and use Mafiafire to get elusive websites
- 9) Get a Bit Torrent Client at http://www.utorrent.com/
- This will help you download stuff
- 10) Hacker Culture Alert-
- This instruction is purely for sharing the culture but not the techie work of being a hacker
- The website Pirate bay acts like a search engine for Bit torrents
- Visiting it is considered bad since you can get lots of music, videos, movies etc for free, without paying copyright fees.
- The website 4chan is considered a meeting place to meet other hackers. The site can be visually shocking
- You need to do atleast set up these systems, read the websites and come back in N month time for second part in this series on how to learn to be a hacker. That will be the coding part.
- END OF PART 1
- Updated – sorry been a bit delayed on next part. Will post soon.
C4ISTAR for Hacking and Cyber Conflict
As per http://en.wikipedia.org/wiki/C4ISTAR
C2I stands for command, control, and intelligence.
C3I stands for command, control, communications, and intelligence.
C4I stands for command, control, communications, computers, and (military) intelligence.
C4ISTAR is the British acronym used to represent the group of the military functions designated by C4 (command, control, communications, computers), I (military intelligence), and STAR (surveillance, target acquisition, and reconnaissance) in order to enable the coordination of operations
I increasingly believe that cyber conflict will develop its own terminology and theory and paradigms in due time. In the meantime, it will adopt paradigms from existing military literature and adapt it to the unique sub culture of cyber conflict for both offensive, defensive as well as pre-emptive actions. Here I am theorizing for a case of targeted hacking attacks rather than massive attacks that bring down a website for a few hours and achieve nothing but a few press headlines . I would also theorize on countering such attacks.
So what would be the C4ISTAR for –
1) Media company supporting SOPA/PIPA/Take down Mega Upload-
Command and Control refers to the ability of commanders to direct forces-
This will be the senior executives including the members of board, legal officers, and public relationship/marketing people. Their name is available from corporate websites, and social media scraping can ensure both a list of contact addresses (online) as well as biases for phishing /malware attacks. This could also include phone (flooding or voicemail hacking ) attacks , and attacks against the email server of the company rather than the corporate website.
Communications– This will include all online and social media channels including websites of the media company , but also those of the press relations firms handling communications , phones,websites- anything which the target is likely to communicate externally (and if possible internal communication)
Timing is everything- coordinating attacks immediately is juevenile, but it might be more mature to attack on vulnerable days like product launches or just before a board of directors meeting
Most corporates have an in-house research team, they can be easily targeted using social media channels, but also offline research and digging deep. Targeting intelligence corps of the target corporate is likely to produce a much better disruption. Eventually they can be persuaded to stop working for that corporate.
Computers– Anything that runs on electricity and can be disabled – should be disabled. This might require much more creativity than just flooding.
surveillance- This can be both online as well as offline, and would be of electronic assets, likely responses for the attack, and the key people who are to be disrupted.
target acquisition- at least ten people within each corporate can and should be ideally disrupted, rather than just the website. this would call for social media scraping, and prior planning. even email in-boxes can be disrupted (if all else fails)
study your target companies, target employees, and their strategies.
Then segment and prioritize in a list of matrix of 10 to 10, who is more vulnerable and who is more valuable to attack.
the C4ISTAR for -a hacker activist organization is much more complicated but forensics reveal that most hackers tend to leave a signature style (in terms of computers,operating systems,machine ids,communication, tools, or even port numbers used)
the best defense for a media rich company to prevent hacking attacks is to first identify its own C4ISTAR structure for its digital content strategy and then fortify as well as scrub vulnerabilities (including from online information regarding its own employees)
(to be continued)