Agile Hacking and a New PWN2OWN Contest

The last time I checked, Amazon.com listed well over two dozen security-related hacking books. Although many of the books are great resources, their content can become outdated. The reasons vary and are usually related to shifts in technology made available by vendors or used by developers and end users. For example, Web site hacking is shifting dramatically as more and more sites adopt the use of ASP.NET Asynchronous JavaScript and XML (AJAX). Long story short, you probably can't ever have enough security books.

The team at GNUCITIZEN is the driving force behind a proposed security book entitled "Agile Hacking." The team issued an open call for participation by anyone interested in helping to create "the best hacker manual ever made." The idea is to get as many people as possible to contribute any amount of information they choose. The information will then be used in three ways.

First, each contribution will be posted to a blog. Later, when enough material has been contributed, the contributions will be turned into an e-book that will be free to anyone who wants to download a copy. Finally, the book will also be available in print; any sales proceeds will be pooled, and participants will jointly decide how to spend the money.

Sounds like a great idea. Right now the project is centralized as a mailing list at Google Groups. If you want to join (as a contributor or onlooker) you can send an email message to [email protected] or [email protected], or you can visit the first URL below to use a Web interface instead of email. You can sign up for an RSS feed at the second URL below if you prefer to monitor progress in that fashion. To read the official announcement, visit the third URL below.

http://groups.google.com/group/agile-hacking

http://feeds.feedburner.com/gnucitizenAgileHacking

http://www.gnucitizen.org/blog/agile-hacking/

Speaking of agile hacking, you might already be aware of GNUCITIZEN's Google Hacking Database (GHDB) tool. It's a Web-based interface that lets you run GHDB-based queries against a target Web site. Earlier this month, the developers announced that they've made some upgrades to the underlying code. So if you used it before and didn't find it useful, check it out again (at the first URL below) and see if it suits your needs now. For those of you who haven't heard of GHDB, it's a database full of Google queries that can be used to discover all sorts of interesting info. See the second URL below for details.

http://www.gnucitizen.org/ghdb/

http://johnny.ihackstuff.com/ghdb.php

Finally, I want to let you know that the CanSecWest 2008 security conference starts today and runs through Friday. I mention this because the conference will again sponsor a hacking contest called PWN2OWN. ("PWN" means to dominate and/or humiliate, and the winners get the systems they hack.) Last year, the goal was to see whether someone could hack into two Apple MacBook Pro systems running OS X. It didn't take long for someone to find a way in, and the successful hack involved a zero-day exploit that took advantage of a serious flaw in Apple QuickTime. The winners, Dino Dai Zovi and Shane Macaulay, won the MacBooks plus $10,000 in cash.

The challenge this year is to hack into a Fujitsu LifeBook U810 running Windows Vista SP1, a Sony VAIO VGN-TZ37CN running Ubuntu 7.10, or a MacBook Air running OS X 10.5.2. As was the case last year, the winners get to keep the computers and TippingPoint will offer up to $10,000 in cash prizes. It'll be very interesting to see which of the systems might be broken into. For more details about the contest, visit the two URLs below:

http://cansecwest.com/post/2008-03-20.21:33:00.CanSecWest_PWN2OWN_2008

http://dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008
