A bit talking!
Deep throat inside, this is really a personal blog. While back I was enrolled in a security industry based penetration testing company and I quickly realized there is a lack of real ongoing research. Every other penetration testing and security industry company seems to be a fantasy roll they’d be playing. Deep inside it’s all an Ad to get you enrolled in some easy way, get your attraction and rip off money for the training. Abiding by the rules of the current scenario, the security industry suffers from any real research been done at the first place. I see only money and business coming by. The penetration testers who pentest a web-service, a portal or networks themselves do not know what methodologies, scoping, and target based penetration test has to be done to assure a real quality based report deployment. Having seen all, I resigned. I began my quest in the digital security arena for long ago during the 2009’s and the current opportunities saw massive improvements with growing whitehat research blogs and bug bounty achievements. I am not really a big fan of bug bounties or neither I oppose them in any way. I would just quote out a quick 3rd party post from a different anti-sec blog which is supposed to be true in it’s very nature but does not apply to the real world these days.
Because of my philosophical leanings, I have made the assumption that freedom of speech and expression is an inalienable right granted by nature’s God. I have made the extension to this statement that the freedom to write code and execute your code is an extension to free speech. Fascists that may disagree with my statements may go ahead and skip this post.
Now, let us say you have a machine connected to the Internet. It is impossible, by this computer’s very nature, for it to do anything that is was not programmed to do. It takes in the data that it is given, processes it according to deterministic rules, and returns output that it could not possibly have deviated from. This process may be so complex that it appears to be stochastic, but it is nonetheless deterministic and we should not pretend it is anything but. This deterministic sequencing extends far beyond just your computer. If every element in a system is deterministic, then the whole system itself is deterministic. The entire Internet is a single, uninterrupted deterministic state machine.
I present to you the Eleatic school of hacker ethics.
The Internet is public property. No establishment has a right to own it, subvert it, subject it, or rule over it. It extends beyond race, nationality, religion, or geopolitical agreement. Now that we understand that the Internet is a single deterministic machine, we may approach this situation with logic and reason as opposed to knee-jerk reactionary idiocy. When connected to the Internet, your computer becomes a part of this deterministic machine. It is impossible for your computer to execute any code which it has not been programmed to execute. If your computer has been programmed to accept my arbitrary code, then there is no moral or ethical violation committed when I introduce my code to yours.
If you download and execute my code, you have done so willingly.
If your daemon executes my code after I introduce it in a manner that is innovative and unique, then your daemon has done exactly what it has been programmed to do.
You don’t want me to execute my code inside your code? Then keep your machine out of OUR deterministic state machine. Keep it on your own private network, so that someone will have to commit a real honest-to-God crime like breaking and entering to have access to it. The minute you connect it to a public network, it becomes connected to all of us through the 0 and 1.
Whitehats will try to play games and act like they’re the good guys. They will tell you that people who commit “computer crimes” are organized crime types who are out to empty your grandma’s bank account. Their arguments are bullshit. No doubt that emptying someone’s bank account is a serious crime, but we have real laws to punish this. The laws that we have made to punish “information crimes” are merely laws against thoughtcrime. It is impossible to commit crimes that extend solely in the wired.
Take a look at what your governments are doing. The majority of whitehats are employed in the US, where they have a leader that willingly and openly defies the fourth amendment of their constitution. They have a corporate oligarchy where a select few families get to control ninety-nine percent of the public funds and purposefully impoverish the working and intellectual classes. Things are only marginally brighter in the rest of the first world. This is your idea of a utopia, the system that you want to perpetuate indefinitely? Do you really want the tyrants in this new Rome to reign a thousand years like the last one did? I sure don’t, so stop preaching to me a bunch of bullshit about rule of law.
Stop working for these oligarchs that despise you. Band together, because at this point all that keeps the oligarchs in power is control over the ones and zeros. We have a power to change them for the better, a chance to make a lasting contribution to humanity.
You can be a hero in the manner of Plato, of Socrates, of Pappus, Pascal, Parmenides and Zeno. You can change the world. All you need is to cast off the shackles that your masters have put on you!
Those were indeed the fine words ever spoken. Had been digging up lately, I also realized most old penetration testers faded away and closed certain boards. To illustrate this, read the post here: http://seclists.org/fulldisclosure/2014/Mar/332
It is certain, something pisses digital security wizards off. Be it their own government, the local police, the guy next door, the room-mates, or the social assumption. Something must be still missing which bothers the community as a whole. The artifact and the knowledge of free sharing will is long gone, enter the 21st century. Now hackers, 18+ or 18- students from universities “hack” in order to show their names in hall of fame. This was a quick-witted move by the developer industry. Paying of as much as little bounties to secure and fortify vulnerabilities and in some way name the fame in certain PHP pages does not make you a hacker. One must understand this. However in a quest to highly indulge in my own work related to digital security, I chose to write this blog not only for the sake of my own personal research but also share my vision, posts, rants and topics including academic curriculum which I was enrolled in. Academic topics were a self-research; not that one has to follow the exact ones. The one I am pointing, is the fact that the entire purpose of creating this whole blog was to keep myself updated with the newer research I had been doing with web application exploitation and network intrusion. The playground is big and vivid, complex and to be honest, varied in nature. In no way, I approve my posts to be entirely valid. This is my own work and creation with my own effort and my perspective. If you feel to enlighten up the posts, use the comment sections. Mail me at firstname.lastname@example.org or just come-by and say a hello. This blog isn’t really to be a SEO oriented mass visitor advertisement. This is a personal research zone. Rants, personal opinions and the security industry is covered here. Pwnages are common. They had been attached to not make anyone offended but to spread the butter along the bread. The more the butter, the tastier is the morning breakfast. Either way there is a difference in pretending to be a penetration tester out of the defacement I had seen around, and actually being one.
I agree to the terrible things happened at past. The NSA, FBI and the security scene is always over consumed by attention seeking events. They need surveillance, we get it, they draft off money from your pocket, we get it. Do not let yourselves get diverted from your own research just because the security scene get’s messed up every now and then. It has been doing so in the past, it would be doing so in the future. Learn to know that nothing is permanent. The only solution is to keep doing things you like, just for the sake of the curiosity. make it your lives vision to accomplish it with your business as well. Now you see I am being submissive to the corporate world, but wait; I didn’t say you have to go do a job for that. Consultancy is a great start-off in any security industry. Be it the penetration testing department, as a security analyst or maybe as a bounty hunter. Feed your conscience. Now that the motivation part is done, I will wide way with your thirst for blog posts here with what I am willing to share here. This would include the following: