The Lulz Boat

I am really starting to get a kick out of this LulzSec crew. Today I went to their web page. The theme from The Love Boat TV show started playing in the background. That is in reference to their Lulz Boat. I get it.

There is a link at the bottom of the page to Mute the volume. But when you click the Mute link, the volume gets doubled, and they change the text to say that volume has increased 100%. LMAO. Now that is a worthwhile joke.

On a more serious note, I checked out some of the data they posted on their site. Damn. They got around 75,000 records of X-Factor contestant details. Whew. They also have a long list of emails and passwords for a porn site. Ha ha. They have a good time at who they find registered at the site. I am going to be keeping an eye on the Lulz folks.

The Mind of LulzSec

The Guardian newspaper published an article online describing the personalities of the members of LulzSec. They gained this insight in part by viewing the logs of an IRC channel called "pure-elite". The Guardian went on to publish the contents of the logs, with some information redacted. From what I gather, the redacted info outs the perp who leaked the info.

I read through the chat log and learned a great deal about the LulzSec crew. They value the Perl, Bash, C++, PHP, and assembly programming languages. That does not mean they all have these skills. It is just what they need to write some apps or bots. In fact, during one session they were trying to identify some C++ programmers to help them out.

They use technologies such as bots, IP spoofing, Virtual Private Networks (VPNs), and flooders. These are used in DDoS attacks. They also help conceal their identity. Or so they think. Muhahaha.

These guys use tools such as Tor for anonymous communications, Slowloris for DDoS over HTTP, and anonine for VPN servers. LulzSec seems to hate The Jester, 2600, and Adrian Lamo.

Overall this crew seemed to speak intelligently. They used a lot of slang appropriate for chat. But their speech was eloquent. They also seemed to know a lot of details about composing DDoS attacks. Not that I am a DDoS expert. But you could tell they were discussing the finer points of putting together cool attack vectors.

Hats off to the Guardian newspaper for obtaining and publishing the chat logs. I guess they have their security in order. Otherwise the LulzSec crew would have DDoSed them off the Internet.

You Would Have To Be Destroyed By Me

I am finally getting around to reading a book I bought a while ago. The title is "I Could Tell You But Then You Would Have to be Destroyed by me". This book catalogs a number of military patches from covert projects. Who would have thought that you could get a patch for a mission you could not speak about? Apparently it happens all the time. I imagine many of these patches are not sanctioned by the military.

I have only read a portion of the book so far. However there are some themes that seem to be recurring. You get a lot of swords, stars, globes, and skeletons on these patches. Each item connotes something about the black ops project. Some of the patches are still a mystery even to the author.

Take the image I posted above. You got a helmet or hat that means the bearer flies a helicopter. The footprints on top of the helmet make reference to search and rescue operations. Who knows what the G.H.O.S.T. stands for? I may give you some more info by the time I finish this book. That should not be too long. It is a quick read.

LulzSec Identification

The LulzSec team has been all over the news. The biggest story was their hacking of Sony accounts. Lately they have infiltrated the CIA websites. Is there anything they can't do? Well the LulzSec blog is outing the identity of some LulzSec members.

Who knows whether this blog has actual info on LulzSec members? The thing that surprised me was the detailed information the blog posts on some people. They got social security numbers, postal addresses, phone numbers including mobile, and email addresses. They know the ISPs used, IP addresses, pictures, and even family information.

The LulzSec blog is brought to you by Team Web Ninjas. They provided the most information on one Corey R Barnhill. He is known as Kayla, Xyrix, and Parr0t. Leave it to a hacker to have so many handles. I am going to keep an eye on this blog. Perhaps they have the low down on LulzSec.

Keygen Fail

Last time I wrote, I had just created a keygen to test the security I put in my app. My keygen app tried a brute force attack on my app registration. It would simulate a user entering in all the combinations of keys. The keygen had to also press the Ok button on the registration dialog.

Well the keygen app kept trying all night. However the target of the attack blew up after a few hundred thousand attempts. Heck. I might consider that abort part of the security in the app. If you can't brute force the thing without it blowing up, that makes the brute force hacker's job even harder. That's not to say that the keygen app could not detect this and restart my app.

I just wanted a little experience with creating a keygen. My app's registration screen will pause if you enter a wrong key. The more bad keys you enter, the longer it will pause between attempts. This will slow a brute force attack down in its tracks.

Malware Attack

I was in the middle of some brute force app attack testing when my Windows system itself came under attack. I hastily allowed some Adobe update program to run. Turns out it was some malware masquerading as an Adobe update. I found a program which kept asking me to allow it to do something to my computer. It would not go away.

My task manager was disabled. All the icons on my desktop were gone. All the items in my Windows start menu had also disappeared. I could not use Windows Explorer to browse to the location where the rogue program was at. Damn this was a serious virus.

I did get to the command prompt. From there I ran the Windows registry editor. I changed the entry that disables task manager. With task manager back, I could kill off the malware process. Then I saw the real damage that had been done.

This rogue app had made almost everything on my hard drive hidden. Therefore I could not see any files and directories. The directory that contains my start menu items was hidden, as was my desktop (which contains all my icons). The developers of this malware were pretty damn smart. This just reminds me that I need to do a better job of backing up the source code of my ongoing projects.

Brute Force Attack

I am getting close to completing my app which I plan to sell. This thing is going to need some crack protection. So I am shipping an alphanumeric key to customers that pay. You need to enter the key to get the software to work. I thought I would test to see how a brute force attack might work against this first level of defense.

I coded up an app that would simulate a user trying combinations of characters, guessing what a legit key would be. This brute force cracker does not have any speed up techniques. Currently it is generating 2000 keys a minute. I plan to leave the thing running all night to see if it can get into my app.

If it does get in, I will implement some delays on my app when it detects wrong keys being entered. That will slow down a brute force attack. However if I find it takes forever for the cracker to get into my app, then I might not even add that level of defense. No need to put up a higher gate if the existing one is keeping out the dogs.

Uncrackable

Sorry I have not posted anything in a while. Each night I have been working on a computer program that I plan to sell online. At first I was going to do something in the college scene. But now my direction has turned to poker.

So far I already have a playable game. I just need to put in some rewards that make the user want to keep playing my game. My recent research has turned to figuring out how to lock down my app. I want people to buy the thing. And I want only those who bought my app to be able to run it.

I need to generate some registration keys that you need to install the game. The key needs to be long enough so you can't guess it. But it should be short enough so as not to cause valid users to make mistakes. Next I need to write some code that is hard to figure out, but that validates the key. I do not want anybody brute force attacking this key. So if you make a mistake, my program will pause before you can reenter the key.

My program is written in C++. I hear that you should use some complex features of the programming language to make it harder to break. Speaking of C++, you should inline all calls to the key decryption. That way a hacker can't just patch one copy of your routine. They need to find all instances of it. There is a whole lot more to this key business. I plan to talk about it some more in the future.
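The escalating pause described in Keygen Fail and Uncrackable, together with the 2000 keys a minute figure from Brute Force Attack, sketched as an added example that is not the author's code. The class and function names, the 36-character alphabet, the 5-character key length and the 1 s / 60 s delay settings are assumptions made for illustration.

```cpp
#include <algorithm>
#include <chrono>
#include <cmath>
#include <iostream>

// Wrong-key throttle: the pause doubles after each failure, up to a cap.
class RegistrationThrottle {
public:
    using Clock = std::chrono::steady_clock;
    using Seconds = std::chrono::seconds;

    RegistrationThrottle(Seconds base, Seconds cap) : base_(base), cap_(cap) {}

    // Pause the dialog must enforce before it accepts another key.
    Seconds currentDelay() const {
        if (failures_ == 0) return Seconds(0);
        // Clamp the shift so the doubling cannot overflow.
        unsigned shift = std::min(failures_ - 1, 30u);
        long long d = static_cast<long long>(base_.count()) << shift;
        return Seconds(std::min<long long>(d, cap_.count()));
    }

    bool allowed(Clock::time_point now) const {
        return failures_ == 0 || now >= lastFailure_ + currentDelay();
    }
    void recordFailure(Clock::time_point now) { ++failures_; lastFailure_ = now; }
    void recordSuccess() { failures_ = 0; }

private:
    Seconds base_, cap_;
    unsigned failures_ = 0;
    Clock::time_point lastFailure_{};
};

// Average days of blind guessing to hit a key, assuming one valid key
// (on average half the key space is searched).
double expectedDaysToGuess(unsigned alphabetSize, unsigned keyLength,
                           double guessesPerMinute) {
    double keySpace = std::pow(static_cast<double>(alphabetSize), keyLength);
    return keySpace / 2.0 / guessesPerMinute / (60.0 * 24.0);
}

int main() {
    // Assumed key format (not from the post): 5 characters from A-Z and 0-9.
    std::cout << "unthrottled, 2000 keys/min: "
              << expectedDaysToGuess(36, 5, 2000.0) << " days\n";
    // With the pause capped at 60 s, an attacker gets about 1 guess a minute.
    std::cout << "throttled, 1 key/min: "
              << expectedDaysToGuess(36, 5, 1.0) << " days\n";
}
```

The failure count here lives in memory, so restarting the app resets it, which is the restart case the Keygen Fail post raises. For the pause to hold across restarts, the count and last-failure time would have to be stored somewhere a restart does not clear.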