• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Security/hacking tutorials

P

PrincessFrosty

Platinum Member
I've started a blog with some security related tutorials, I've started off with some Union based SQLi, tips and tricks for SQLi, evading WAFs, advanced SQLi, XSS and attacking PRNGs, I'll be adding more as I go.

They focus on learning the theory as well as the steps for exploitation, so they're quite in-depth.

http://frostyhacks.blogspot.com

Feedback is welcome, both positive and negative.
 
Tread lightly, PrincessFrosty...I see absolutely no problem with this, but a thread was locked and posts edited by moderators because the names of some linux security distros were posted in it.

I'm all for these types of discussions. It's important for sys admins and devs to understand these vulnerabilities so they know what can/should be done to protect against them. Sadly, all of the moderators here don't feel the same way.
 
seepy83 said:
Tread lightly, PrincessFrosty...I see absolutely no problem with this, but a thread was locked and posts edited by moderators because the names of some linux security distros were posted in it.

I'm all for these types of discussions. It's important for sys admins and devs to understand these vulnerabilities so they know what can/should be done to protect against them. Sadly, all of the moderators here don't feel the same way.
Click to expand...

There is a difference in understanding and openly posting the said hacks/tools to hack esp openly public.

This is a big reason why many of the classes one would take that would discuss these things have one at least agree to a Code of Ethics.
 
alkemyst said:
There is a difference in understanding and openly posting the said hacks/tools to hack esp openly public.

This is a big reason why many of the classes one would take that would discuss these things have one at least agree to a Code of Ethics.
Click to expand...

You've got it all wrong. I'll put my CISSP and 3 GIAC certifications on it (all of which come with codes of ethics). Talking about the tools openly in public is absolutely NOT a violation of any ethics code. Using the tools illegally, on the other hand, is.
 
Last edited:
I understand the concern and if the moderators think this is out of line then I'm sure they'll delete it and inform me. The information is purely for educational purposes only, I don't provide any automated tools to perform attacks that's something other people do and are already available through other channels. My blog focuses on theory and doesn't use real examples only theoretical ones.

On a personal note I disagree with barriers to entry on learning, if you're an amateur developer or someone studying, this information shouldn't be behind abstract conditions but be free so everyone can learn and improve.
 
Last edited:
PrincessFrosty said:
On a personal note I disagree with barriers to entry on learning, if you're an amateur developer or someone studying, this information shouldn't be behind abstract conditions but be free so everyone can learn and improve.
Click to expand...

Absolutely! The best thing for the Information Security community (and, really, the security of all systems in general) is for all of this information to be freely available. Trying to silence the flow of this kind of information is almost always only good for the people that use it for evil.
 
PrincessFrosty said:
On a personal note I disagree with barriers to entry on learning, if you're an amateur developer or someone studying, this information shouldn't be behind abstract conditions but be free so everyone can learn and improve.
Click to expand...

Yup. Security through obscurity isn't security at all. If what you teach can get through someone's defense, they need to read it also, and fix their setup.
 
seepy83 said:
You've got it all wrong. I'll put my CISSP and 3 GIAC certifications on it (all of which come with codes of ethics). Talking about the tools openly in public is absolutely NOT a violation of any ethics code. Using the tools illegally, on the other hand, is.
Click to expand...

They are sharing the tools openly.

It's the same as you shouldn't be able to buy lockpicking tools unless you are a locksmith, but some sites don't screen so well.
 
alkemyst said:
They are sharing the tools openly.

It's the same as you shouldn't be able to buy lockpicking tools unless you are a locksmith, but some sites don't screen so well.
Click to expand...

The thing is that there is no real problem with sharing the tools. Most security tools are free and open source. I won't start naming/linking, since I know how that goes here...but, like most things in life, all of these tools can be used for good or for evil. If i'm running a vulnerability assessment or pen test on a system, I'm usually using the same tools that someone might use to break in. The only difference is having permission and what my intentions are.

When the tools aren't open and available to the masses, the end result is less secure systems. It's like owning a gun...it can be used for good or for even, and a criminal and a non-criminal typically have different intentions.
 
alkemyst said:
They are sharing the tools openly.

It's the same as you shouldn't be able to buy lockpicking tools unless you are a locksmith, but some sites don't screen so well.
Click to expand...

I own lockpicks as well, it's a fun hobby. You absolutely do not need to be a locksmith to buy lockpicks, at least not in the UK. You can pick a lot of locks with just a biro pen top or a paperclip, are those to be banned too?

I don't host or share any tools, I have theory and link to whitepapers, abstracts and proof of concept code, there's no skiddy one click hack stuff on my site, it's specifically designed to be educational.

lxskllr is right, security through obscurity isn't security at all, this is a well known fact among hackers, denying people the information and tools to attack their own systems only ensures they stay weak to attack.
 
John Connor said:
I own lock picks too, but it's a felony if the cops catch you with them and you aren't a locksmith. That's here in the U.S.
Click to expand...

Actually, the laws vary state to state. You can be in possession of them in most states and the state would need to prove criminal intent to charge you with anything.

I'm not a lawyer, so definitely consult one in your state before you act on anything I said, but it's likely that you are falling right in compliance with the law if you have a lock pick set, practice/cutaway locks, etc. Get caught walking down the street in the middle of the night with it after a series of break-ins in the neighborhood? That's a different story.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top