Phishy Snail Mail

Post by: on February 7th, 2007 | Filed Under Annoyances, Interests, Phishing, Security, Stupidity

Saturday I got a letter that I thought I'd share. It's really interesting to me, since I've dealt a lot with phishing emails, and this real letter set does many of the things that both phishers, and unfortunately legitimate companies, do. If companies would stop doing these things, Phishing would get harder! This is gonna be a long post, please bear with me. Without further ado, I give you: The Car Registration Scam (which later turned out to be legit).

What a Year

Post by: on November 17th, 2006 | Filed Under Annoyances, Arabic, Digital Rights, Games, Hacking, Interests, Linux, Phishing, Poetry, Programming, Security, Sony, Stupidity, Tunisia, Warhammer

Well, in case you can't guess from the title, it's been exactly a year since I started this blog. To be more specific, it was November 20th of last year that I registered the domain. This post also (totally not planned, I swear) happens to be my 100th. Again, to be more specific it's my 100th page... pages include things such as my Warhammer picture pages and the others you find under "Pages" on the right. So, this'll be a fun post, five days in the making, about all kinds of things dealing with the past year. ((Published a second time, I apologize))

Some History
The domain was registered while taking one of my patented Long Thanksgiving Breaks. That was ThanksGaming 2005, and I grabbed the domain one night while talking to that coder I always mention, Malaprop of Cambrian House. Malaprop kindly put the domain on his site, installed WordPress, and away I went. My first actual post (I believe) was on the 20th of 2005, but it was accidentally deleted, so the first surviving post is from the 21st.

Random update on many fronts

Post by: on September 20th, 2006 | Filed Under Arabic, Hacking, Interests, Phishing, Security

Well, here's a bunch of random ideas strung together in an update on my life so far this year. For those keeping track I'm into my third year of college, and credit-wise am a senior.

First off, I changed my layout back to what it was when I started the blog. Mainly because that other one I used had some quirks to it I didn't like. I hope to come up with a new one somewhat soon as well as adding a domain (Note, domain is empty as of right now not even a server for it) that I've always wanted which *just* became available.

Really busy this semester with research. Have an independent research class with a professor I absolutely love. The guy's pretty smart when it comes to security, systems, and computer science in general. I'm in another of his courses and have to do a project (thankfully related) for that class as well. On top of that there's some ideas I want to flesh out on my own that could lead to papers. Finally, y'all know I program for fun as well, and I barely have time for that. Hence, this blog is gonna be sorely ignored for most of the semester.

My love for Arabic is finally starting to take a back seat to security issues, so I might be able to finally make a decision about where I want my life to head. However, as with all things in my life that decision's going to be quite complicated and will not end with a definitive one or the other answer.

I may have an awesome opportunity for an internship in the spring. Don't want to say any more than that for fear of jinxing it, as I'm fairly certain I won't get it, but it'd be amazing if I did.

I'm always looking forward to entertaining so anyone interested in seeing the research I'm working on, or just coming for a college visit that can find me in real-life, make sure to drop me a line, this school is gorgeous in the fall.

Finally I'm being hit hard by spam posts. Most for porn, the others for cheap sex pills. Sorry for the misspelling... s3x p1lls. Akismet catches most of it (about 200 a week) but about 4 have been getting through a week, annoying.

Phishing Breaks New Ground

Post by: on April 12th, 2006 | Filed Under Phishing, Security

Well, it finally hit the papers today (ok, yesterday, this has been a draft for a day). A phishing email went out, and instead of asking you to log in to a bad site, it changed the legit phone number to a false one. They wanted you to call this fake number to reactivate your account. Now, I've known that phishing is not just limited to email, that's why I define it as "Scamming other people out of their credentials". Hopefully, this'll make mainstream media rethink their definition of phishing, and stop giving the false pretense of "ignore email, and you're safe". No one is safe, ever, from frauds.

Passive Identity Theft

Post by: on April 11th, 2006 | Filed Under Annoyances, Phishing, Stupidity

So, I (think I) coined a new phrase today. Passive Identity Theft. It's not illegal, as you're not actually stealing someone's identity. However, you are posing as them by not saying you are them. Confused? I'll explain.

Around December of last [My first year of college] year I got an email, it said that my school parking pass had come in. It interested me because it had my name on it, but was for a campus that I don't attend. I did some research and found out that, surprise surprise, there's another person with my name, and an almost identical username. He just attends a different campus. I emailed back the parking operations people, and informed them of their mistake, told them who to contact, and thought nothing of it.

Earlier this semester I was "hired" by a professor as a research assistant at roughly enough to pay my internet bill each month [Edit: It turned out that this was actually substantially more than I had anticipated...]. Now, even though I emailed the lady who should have my contract, she never got back to me. I heard no more about it, and assumed things had fallen through, and I wasn't really "hired".

Yesterday I got a forwarded email from her saying "Does he [me] work for you [professor I'm working with]"? I promptly replied saying I'd like to, but that I wasn't yet, as I hadn't been able to sign a contract. So, I talked with her today, and she explained the whole deal to me:

After she filed my paperwork she looked "me" up in the system (when she already had my email, I don't know why) and sent "me" an email telling me to get the contract. I never responded (obviously, as it was the other me's email, in case you haven't caught on). She repeatedly emailed "me" trying to get "me" to come in and pick up my (not in quotes as it is my money) contract/pay stubs (pay goes out even without a signed contract). Well, this guy ignored it. He must have known what it was about, as he got paid for three months, all the while ignoring her emails. Finally, just now, he came forward and said he wasn't me.

So, I signed my contract finally, and hopefully things'll work out for the rest of the semester. But let's take a look at this.

He never claimed to be me. So, it's not identity theft. But he knew he was getting someone else's money (or thought he had a job he never attended at a campus he doesn't live near) and never reported it. He also didn't respond to the lady telling him where the money was coming from. Now, he did in the end, but he owes the school 3 months pay since he accepted it. I consider that identity theft. I'm calling it passive because he did nothing more than sit back, and watch the checks roll in. Thankfully, I'm not a petty man, because I have his user id, full name, and student number. If I wanted to... gee... I could phish him for his identity and use it. But I'm a bigger man than that.

So, remember, you can hurt people by not doing anything just as much as by stealing their identity. If you're in the situation I described above, do the right thing and report it, as I did in the first case, don't ignore it.

Anatomy of a Hack(er)

Post by: on April 1st, 2006 | Filed Under Hacking, Phishing, Security

So, some of my friends, in the past, have asked me to teach them how to hack. I normally agree, depending on who it is, to give them the tools. Teach them UNIX, show them how to find stuff online, etc. What I can't teach, however, is the mentality. I had some fun last night, and I figured I'd share it with you, give you a feel for how a hacker thinks.

First, I have to tell you a little bit about myself.

See, hacking, in its purest form, is not what the government, Hollywood, or the media want you to believe. Hacking is merely finding a creative solution to a problem. You might remember my post about Hacking Your GPA. I never once talk about actually cracking a system, except to say it's illegal, instead I focus on how an individual can get the GPA they want with a whole lot less work. I want to make a clear difference right now between "hacking" meaning a creative solution and the "media hacking" meaning click a button, and make a botnet (we call them script kiddies).

I'm a big fan of 2600, the hacker magazine (side note, I love the Google impersonation they have up right now) and buy every new issue when it comes out. I do, however, pay cash, just in case it is tracked. Every time I buy it, I end up in the same conversation with the cashier.

"So, this is a hacking magazine?"
"Yea."
"So, you're a hacker?"
"Yea."
"Isn't that illegal?"
"Nope, I hack my own systems, do security audits, anything when I have permission beforehand."
"Oh."
"Why are you a hacker?"
"Because it's how I think. I like information, knowing how things work, and it drives me crazy if I can't figure it out. Have a nice day."

Some things change, others remain the same. There's always an incredulity to their voice when I admit I'm a hacker, as if I should be scared. At first this scared me. What if they recorded who buys this? What if the media gets the government to go on a hacker witch hunt? Then it pissed me off. These people judge what I do. Assume I'm a no talent script-kiddie, and that I only look to hurt people. Now, I enjoy it. Every conversation I get to enlighten one more person that hackers aren't evil. We're normal people, blessed with an inquiring mind. So, after my last conversation, no one was in line, and I opened up to the cashier. Told her about hacking. Pretty much all of the above. Her response?

"Oh, I never knew that's what hacking was. Thanks for telling me."

It was a good feeling, standing up for a whole culture that gets a bad rap. So, that's what I think of when I say "hacker". I know people assume we're script-kiddies, just looking to hurt people. Dirty guys sitting in dark rooms laughing as they take down government systems. But I have to say I'm a hacker because I have the questioning mentality of needing to know how stuff works, and I'm proud of it.

Background aside, yesterday in my phishing class a guy stood up, and told us of a phishing email his sister got. How he'd now have to talk to his family about Phishing, and all that. I decided to check out this company (name not mentioned to protect them, and me). Here's how I was thinking.


Reasons
The entire reason I did this was to find out if my classmate's sister was in trouble from these

Recon
First I did a dig on the domain name. Found who it was registered to, and where it was located. Turns out, it was off shore. Later I found an IP on one of their pages, did both a dig, as well as a traceroute on it, to find out where it was located, and how it got into the country.

Next I visited the website, and found it was a gambling site. Interesting.

Cracking
While I was trying to get into the page, I ran into the problem that they actually verified credit card info. Since falsifying that is a crime in this country, I had to find a work around. First thing I did was check the source of the page. It normally yields at least the next place to check, if not the answer. Sure enough they had a poor coding scheme, intro page was 1.asp... I was on 3.asp... so I tried 4.asp. Bingo, it welcomed me, and sent me to their main page. This yielded the IP I tracked down later.

Where to go?
So, you're into the site, where do I go from here? So far everything's looked like it's legit, and I wasn't sure if I needed to poke around more. But, all their gambling programs were flash programs. I like messing with that, so I grepped the source again, and found the name of the files. They were fairly decent in security, in the fact that I couldn't use wget to traverse their file structure. Kinda a setback, but I got around it. The goal here was to prove the flash files were fakes. Turns out, after decompiling, they weren't. This was a legit site.

So what?
Well, I got out of the site, and thought about what I'd learned. As an aside, every hacker should learn something from everything. If it's the millionth time you've played this game, look at the one spot you never look at. Analyze your own game play. You'll find something to learn. Anyways, I came to the conclusion that this site had some tricks to it... they made it look like it was secure when it wasn't, and had some nasty stuff in the EULA but was legit. So, it wasn't a phishing scam, the guy's sister and family had no reason to worry, but regular users, if they didn't read the EULA, would get screwed out of a ton of money. Well, if you're frequenting off shore gambling sites, you're probably already losing money.


I realize I mention a lot of UNIX command tools, and general network stuff, so if you're unsure of something, feel free to ask. If anyone wants to learn how to hack, feel free to ask, but I can't teach the thought process, so if you're not naturally inquisitive, forget about it. I feel I should say I didn't break any laws doing the above, and I don't support illegal actions (gotta say that to not get sued/arrested).

Business Ventures

Post by: on February 28th, 2006 | Filed Under Phishing, Programming

Well, I've been quite busy the past week or two, hence the silence. I know y'all missed me.

First off, I've picked up a job doing the website for a grad student in the Fine Arts School here, specifically a portfolio website, as he's a photographer. This'll be interesting, and I trust I can put out something of high enough caliber for what he needs. I randomly met this guy at my church, and it turns out that he grew up in Virginia also, about two towns over!

Next I've just been asked by a professor of mine, and a Ph.D. student to join them on a business venture. I can't go into specifics right now, but they're looking to patent an idea, so after the patent's filed, I could talk about it. It turns out that I'm going to be programming most of it, yippee. The post-doc's job is to make sure I stay on track, and the professor came up with the idea, and will secure our patents. We'd split the proceeds with my school, as that way we can get the school to file the patent for us. The goal is, in a year this'll be a self-sustaining revenue generator, and the school will use it as an example to encourage more entrepreneurship. Very ironic, the post-doc is ALSO from Virginia, and his mother now lives one town over from me.

Once I can say more (heck, once I understand the project better), I'll let y'all know.

Social Networks

Post by: on February 9th, 2006 | Filed Under Digital Rights, Phishing, Security

Well, some of you have heard me rant about Social Networks, Facebook being an example, already, but here's a new one.

I had the great opportunity to have both a really informal breakfast (only 5 students, and the speaker) with a CMU professor who is looking at Social networks and privacy issues. Before I go further I should stress there's no such thing as privacy online. At least, not for the average user.

Facebook, after I started using it, really bugged me. There is no way to turn off displaying your email at all. Yes, it's displayed as an image, but it's not CAPTCHA text, so can be "decrypted" on the fly in Perl. Using a Perl module called WWW::Mechanize, you can mine whatever you want from any profile. You can even do batches of profiles. Here's my findings so far.

Phishing Ideas

Post by: on January 20th, 2006 | Filed Under Phishing, Security

Well, I'm loving my phishing class. They encourage hands on experiments, and I've already got the opportunity to carry out something that should lead to publication! (More to come on that after I get approval, etc). However, the main reason I like the class is I get to think like a bad guy. Something I do a lot, just never carry out due to my preference for white hat hacking, as opposed to black hat.

This Semester

Post by: on January 11th, 2006 | Filed Under Arabic, Phishing

Well then, now that I'm awake and (somewhat) functioning, lemme break down this semester. In this post, I gave a break down of the courses I'm taking this semester. That changed on Monday. But I digress...