Archive for the 'privacy' category

When machines learn to feel, who decides what is human…

September 23, 2009

The year is 2009. Just a little more. When we look back at the history of malicious behaviour on the Net, we see a real museum. I remember how in the nineties, in the days of dial-up modem connections to the world (if there are younger readers who don't know what that is, look up modem + dial up on the Net), the main entertainment was trying to break into the terminal system of the Serbian tax administration. Of course, I know nothing about that. I heard it from a friend. Seriously. Anyway, breaking into that and similar systems was not done for genuinely malicious reasons, at least not in most cases, but out of pure curiosity. The urge to pull something like that off was one of the main driving forces for many young hackers. We are talking about a time when Serbia had so few websites that you could count them on the fingers of… one hand. Then times changed. The web exploded, and with it the beginnings of web services. Curiosity was still the main driving force towards the end of the nineties. Some wanted to attack NATO sites and take advantage of the fact that the state would forgive your phone bill if you said you had been promoting the truth about the NATO bombing. I remember that an acquaintance managed to run up a bill of 500 EUR and that it passed as an act of fighting for the truth about the misdeeds of NATO troops. Those were fun times. Anyway, even then we could make out a pattern in the problems the first web applications had. I covered the list of standard web application problems in an earlier text, which you can see here. The year is 2009. Ten years have passed since the NATO bombing. Internet use in Serbia has grown. I hear that Serbia has 1,000,000 Facebook users. *delight* I often hear acquaintances from BBS days lamenting the days when a crowd of 50 people on an IRC channel counted as busy. I don't know if kids today even know what IRC is. Never mind. O tempora, o mores. Everything has become a web application, with a tendency for web applications to become web applications too. I'm exaggerating. Joke. So, everything has become a web application and everything actually does something.
Sites are becoming "smart" applications. The problem remains that users are not getting any smarter. The growing number of Internet users, who are moreover very poorly educated about using that Network, raises the odds of all kinds of malicious activity. There are fewer and fewer hackers. When I say hacker I mean an individual who, for the sake of knowledge and pure fun, spends hours, sometimes days, trying to "crack" some system. Everything has become either a matter of interest (which I can understand) or simply the showing off of shallow morons (oops, I'm being vulgar) who use ready-made tools to break into some unpatched system. Since life has become a click, it was only to be expected that hacking, or "hacking", would become a click too. With various tools like Metasploit and the like, almost anyone can do something malicious without having the faintest idea what they actually did and how it fundamentally works. No, what matters is that they did it. And thereby became a "hacker". Sad but true. Don't believe me? Look at the comments here. With the drop in the quality of "hackers" came a drop in the quality of the purpose behind what is being done. The basest, most senseless motives. Don't believe me? Look at the comments here. Still, the problems listed above (I consider them problems) have opened up new possibilities. The programmers who are still good have started writing better code, and in essence it is no longer that easy to hack applications. That is a good thing. Because of that, attackers are slowly but surely turning to a new-old target. The user. As I remarked earlier, chasing holes in computer systems is no longer fun. They are there, but they get fixed fairly quickly. A good programmer and a good administrator will take care of them, or at least make exploiting them nicely difficult. Or they will be lazy and won't, but let's not go into details now. What they will never be able to patch is the human being with all his failings and flaws. For some time now we have been watching the birth of a new era. The era of hacking people or, as it is popularly called, soc-eng: social engineering. Social engineering covers countless things, of which NLP is only one.
Advances in modern psychology and psychoanalysis have given insight into the human mind in a way that was never possible before. A human is a system that can be hacked just like any computer. Don't believe me? But you do it every day without even being aware of it. Think about that. Fine, so what now, you ask me? Nothing. This is just another of my musings on the subject of social engineering and the human as the problem. Because, as someone told me on an IRC channel a couple of days ago (yes, I still use IRC, because after the invasion of idiots the OK people stayed on the channels… everyone else is on Facebook): the problem with all computer systems is located between the computer and the chair. Maybe if I keep being tiresome about these problems more people will start using their heads and stop doing stupid things. Or maybe not. Doesn't matter. By the way, when you have time, watch the anime Ghost in the Shell… both the first and the second part.

Advanced Encryption Standard (AES) - this is how it works

September 23, 2009

I just ran into this really cool comic that explains how AES actually works. It’s funny and rather geeky –> Advanced Encryption Standard (AES)

apache.org got compromised

August 30, 2009

As reported by quite a few people in the past few days, the official Apache web site was compromised on Friday. I suggest reading and following the information they are publishing on their blog: Apache Infrastructure Team. Here you may see the information that was on the official web page on Friday. Since more than half of the Internet runs on Apache web servers, this is a serious issue. And though nothing seems to be damaged or compromised when it comes to the code base and the packages of Apache HTTPD, I would agree with the Apache team when they say: "While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided."

Don't worry about your privacy - you have none

August 21, 2009

Today's Politika published an interview with the Protector of Citizens (ombudsman), Saša Janković. The article deals with his job and with whether he can really correct the mistakes of state services and change their attitude towards citizens.

At the very beginning of the article the Protector of Citizens describes a frightening incident:

Some time ago, the MUP asked a bank for data on the transactions on the account of one of its customers. The bank's director asked for a court […]

Social networking and business - my company got twitted*

July 28, 2009

Prologue

Software flaws are becoming less interesting to me as time passes by. I work around software, I really enjoy messing with the code, checking how it works, finding flaws in it and so on. Yet, my focus moves to a new target. A piece of software that has been around for very long. A piece of software that is sometimes very hard to crack and sometimes so easy. One thing is sure - it's never the same. It keeps expanding, moving and changing. Sometimes it's very encrypted and sometimes it's just plain text. The human mind.

***

Social networks are here to stay. That's a fact. I figure that most companies have figured that out by now and have started exploiting that fact in every possible way. By exploiting I don't mean tons of spam and banners. I think that only companies in Serbia are still using that kind of marketing nowadays. Or most of them anyway. No, by exploitation I mean using major social networking systems such as Facebook, MySpace, Twitter, Digg and similar to promote business and/or products and to achieve something that has never been possible in this way before - direct/live contact with the customers. Getting good feedback is of great importance for any company that tends to lead on the market. No matter what they produce and sell, they need to be faster in any way possible compared to their opponents. It's a kill-or-get-killed market. And good feedback from the customers may help in staying alive. The fact that Internet usage is expanding in Serbia has brought the issue of social networking usage in business to my attention. Not in a way that I want to put forward some marketing theories on how to achieve the best promotion using all the gadgets these networks bring. I'm more interested in the security aspects of this story. In the old days companies had their networks closed to the world. And hacking that kind of network was a real challenge in most cases. All that has changed.
No matter how tight security policies are in any company, their strength is governed by that old rule - your security is only as strong as its weakest point. Are you starting to see where I am going with this? No. OK. Let's say you use all the best security policies that can be found. Let's say you have the best sysadmins money can buy. And let's say you are not using buggy and risky software on the workstations in your company. You are a true Fort Knox, right? Wrong. John Doe sits by his workstation, does whatever it is that he's doing in your company and logs into Facebook - bang! All your security efforts go to bits. It's not a software error that we see here. No, it's the weakest point in your network - the human. Unless you have androids working for your company, you are facing a serious threat from each of your employees every day. Some companies have started using even tighter measures, such as prohibiting the usage of Facebook or doing any private business while at work. That's fine, but I'm not talking about those companies. I'm more interested in those companies that have realized the true potential of social networking and all those technologies of tomorrow. As you may have noticed, I'm using a lot of social network web sites. I have nothing against them. Yet, I'm rather cautious about what I write over there. I'm not a company and I don't have to worry that much even if I write something people may not like, but I'm still very cautious. If I were a company, where would I draw the line? I want to fully use all the potential of all those networks, but I don't want to suffer because of it. This may sound silly to some people, but times have changed and you cannot just use the social network. A company now needs a really well crafted plan and a strategy on this issue. And what I find the most important - it needs a new security policy for the way those networks will be used. Let's say person A wants to penetrate some company's network.
The easiest way would be to have an insider. And even better would be to have an insider who doesn't even know he/she is doing anything wrong. Let's say our guy meets this girl that works for company B on Facebook. By scanning her profile he figures out that she likes English poetry of the XIX century. Good. He starts talking to her and sends her some Byron or Keats verses now and then. She falls for it. They start talking day by day for some time. He gains her trust. Now and then he goes into some computer talk just to see how much of a techie she is. No, she's no techie at all. Good. He has built a completely false identity for this purpose. One day he starts saying bad things about the sysadmins at his company - they won't come and help him with this or that. She starts complaining about the same guys at her company. Good, they have lame sysadmins. Time passes and he gets more and more technical info on her company's system. He finds out that they don't update their workstations on a regular basis. Then he gives her some nicely crafted links, telling her that he has left some pictures or poems for her over there. The poems are there, but a bit more is in those pages. He starts collecting the data on her browser, OS and so on. And at one point he hijacks her computer. She doesn't even know it. Yet, he is in her network and her company just got "twitted". Someone will argue that this may happen no matter what. That it has been happening in the past even without social networks. This is true. Social networks have made things like these easier to achieve. And they have made the surface for the attack way wider than before. So think before you go into a frenzy about putting your company on Twitter. Do it if it will be of any use, but make a plan about it before you do. Humans are pretty easy to hack. Sometimes easier than software.

* - a term I crafted for being owned over a social network.

Hack my Facebook

June 13, 2009

I'm not the kind of person who ever regrets things done in the past. What is done is done. Yet, I'm rethinking whether it was really smart to write about Facebook on my blog. A little bit of history for my visitors from abroad - a few months ago I wrote a few articles explaining how to access other people's galleries without being their friend. There was a bug in the Facebook system that allowed this. It's not working any more, or at least not as simply as it used to. Galleries now have longer IDs and it's a lot of work to hack through this. So, what was intended as a proof of concept and an attempt to show how insecure social networks are became a horror story. Those two articles were swamped with such silly comments I couldn't believe my eyes. I've deleted a lot of them. To sum them up into two comments:

1. This does not work/I don't know how to do this. My comment: Oh really! Well, duh! FB fixed the bug and I wrote about it too. And even if they didn't, isn't it more than obvious how to do it? No? Go back to playing cards on your 'puter.

2. I want to get other people's passwords. Will someone teach me to hack? My comment: Get a life! What, you don't trust your girlfriend/boyfriend so you want to spy on their account to see if they are messing in the virtual world with someone else… because you are doing that anyway? Well, here's a tip: if you know your "beloved" you probably know her/his password. People use dumb passwords they can remember. And believe me, it's not that hard to brute force into someone's FB account. The Internet has started to expand in Serbia like a flood in the past few years. And that's all nice and sweet but… people using the global network in Serbia have no clue how to behave. They keep letting complete strangers into their lives by sharing tons of private data. So, what makes you think they use their brains to create passwords? If they had been using their brains in the first place, they wouldn't be acting like idiots online.

So, to sum up this story - stop asking silly questions like "teach me to hack". What does that even mean? I'm sorry (well, not actually, but I'm being polite) if this text comes across as too harsh on people… they deserve it. Will it change anything? Nope. Was my intention to be a digital messiah who will show the people their faults? Nope, couldn't care less. So why did I write this rant? Because I can. It was just to pass the time while writing an article on encrypted chatting over Jabber and Gtalk. Now that is useful. It will be online by tomorrow.

Facebook, copyright and the right to privacy

June 5, 2009

When I opened an account on Facebook, I put some photographs in my photo album. A separate photo album is dedicated to my town, Užice. I also created a Facebook group, Užice, and chose one of my photographs and prepared it for the group's front page. As soon as I had done all that, the copying of those photographs began in every known and unknown way. I wasn't happy about it, but I tolerated it.

But as time goes by the impudence keeps growing: never mind that they post them everywhere, they even sign them as their own, sometimes covertly and sometimes openly. Sometimes they even remove the signature I put on the photographs. Now every so often I come across a photo album on someone's Facebook called Užice or similar, in which there are…

Trust and computers in the clouds

June 4, 2009

I haven't written anything in Serbian for quite a while. The nonsensical comments on the texts I wrote about Facebook are mostly to blame for that. No, I won't teach you how to steal passwords… nobody will teach you that. Damn it. Anyway, I decided to scribble a bit in Serbian and touch on some local topics. (eng. speaking visitors… proceed, nothing to see… internal Serbian stuff…) Some texts have been going around in my head for a while now. But what I would like to ask everyone present today is: what do you think about trust? Let me clarify. Most of you are familiar with the term "cloud computing". By now even the walls have learned that such a thing exists. Yet I assume most of you have no idea what it is. Everyone talks about it. It's trendy and totally IN. Like a million other things in the past 10 years. Relax, it will pass. It's all of this world. So, computers in the clouds, as I like to call it, is something so old that talking about a revolutionary technological solution is laughable, to say the least. Why? CC, as I will call this hit from here on, is nothing but a modernised version of the "time sharing" systems of the sixties. The old model of shared processor time was popular because computers at that time were very expensive. Later it passed into history when personal computers became popular and cheap. So, everyone today talks about CC. Everyone uses CC. There's nothing wrong with that. Everyone uses Facebook, everyone uses Twitter and who knows what else. But what about security? No, I won't get paranoid again. This brings us back to my earlier question. What do you think about trust? Let's face it, however hard any of us tries to have a secure computer, there will always be some hole. In effect, our entire everyday digital life rests on the trust we place in someone. Whether it's the hardware manufacturer, the company that made the operating system you use, or our Internet provider… it all comes down to the same thing.
Because of the first we can lose data, the second may be to blame when viruses attack us or someone steals our data, and the third can monitor what we do and hand that information over to some third party. So, every day we trust someone. For the first we don't really have a solution except doing regular backups… and yet, there's also the manufacturer of the media we use to store that data. For the second we have a solution… we can use something more secure. For the third… there is a solution for that too; maybe later I'll write about how to get around them. But, all in all, trust is the key word. OK, now let's get back to CC. So, what is different here from anything so far? Any company providing CC services is just one more factor in the daily game of trust. Instead of taking care of the security of the systems we use ourselves, we leave that worry to someone over there. And that is something we have to live with, isn't it? And then, to return to the question one last time: what do you think about trust? I think almost everyone today has a site or two. Hosting is a booming business in Serbia… and I'm very happy that I ran away from that meadow in time… before it fully bloomed. So, what are your impressions regarding the trust you have to place in your relationships with the providers of the various services you use on the Internet? What guarantees do local providers offer that you won't lose your data overnight? Have you signed contracts with them, or did you just click "I agree" on the online form out of habit (while being delighted at how fast and great the purchase procedure was)? It's a very rainy day today, and I just felt like being a bit gloomy.