EvilZone
Hacking and Security => Hacking and Security => : Mordred August 04, 2013, 09:23:15 PM
-
I'm curious to hear some opinions about this company that I discovered a while back and to whom I was considering sending my resume (I decided already a few months ago I won't do that).
What bugs me is that it seems that this company offers, in the most literal sense, hacking/cracking/security evasion services.
Now I'm not very knowledgeable on hacking laws with a few exceptions regarding ethical hacking & related, and am almost not at all knowledgeable on EU/International laws regarding this (this company initially operated only from Milan, Italy but has now opened a new set of offices in Annapolis, U.S.A.), but it seems to me that everything about this company is (or at least should be) not only illegal in terms of how they market themselves (Ad #1 (http://hackingteam.it/components/com_gk3_photoslide/thumbs_big/83423004.jpg)) but also in terms of the operations that they run.
For instance, on their Careers (http://hackingteam.it/index.php/careers) page you can see the following:
HackingTeam is a company based in Milan, Italy.
We spend time on interesting projects with smart people, provide great working conditions and enjoy our time together.
Working with us, you will help design, develop and deploy our flagship product, Remote Control System, that's being used worldwide for fighting crime, and is the #1 solution for governmental offensive interception.
And underneath, where they list the available positions, the top one is:
Hacker / Developer
Developers design new features, develop them and polish our software to perfection.
Hackers find out how to overcome the original design of objects, hack into them and uncover all their secrets.
You have to be both, and the more you know, the better.
We need a person with a strong technical background, able to deeply understand how devices and software work and to hack them.
At the same time, you should be confident with lean programming and know how to structure code to fit into an enterprise scale software.
We only accept candidates with an unstoppable will to learn!
Depending on the area of development preferred knowledge is: C++, Objective-C, some x86 or ARM Assembly, Ruby or Python, ActionScript or reversing skills.
Design Patterns and Agile Programming are a must.
Work location is Milan, Italy, and on site presence is a plus.
This all looks very shady to me, and this detailed analysis of their "work" is what immediately led me to disconsider any idea of applying for a job there.
I recently remembered them when checking out cryptome.org and wanted to get an opinion from the EZ community about this business. So, guys, what's your take on this?
-
Definitely not legal in most countries. I have a few cents on this being bullshit as well. I wouldn't go anywhere near that shit.
-
I'm not an expert in computer crime law, but my two cents are:
1).
After taking a brief look through their website, they do present themselves in this very dark and shady, almost black market fashion.
However what they appear to be doing is marketing a proprietary backdoor application for use by government agencies and law enforcement. These parties make heightened use of malicious and/or offensive security and surveillance software as we already know, so consequently it follows that private companies dedicated to supplying this demand exist.
They are quite covert about their operations and aren't directly offering their services, which is a must for businesses of this type. Interested parties would need to strike up an explicit conversation to obtain their software, and would be willing to throw away large sums of money, as I assume this "Remote Control System" is insanely expensive.
tl;dr they don't seem to be some skiddie black hat DDoS/"hacking" service on the deep Web or some shit like that, but an under-the-radar legitimate company that exists to market computer surveillance software to law enforcement and government for use in operations. Such businesses do exist and are constantly in demand, be it firearms, espionage hardware, surveillance, security breaching or whatever, but keep a low profile for obvious reasons.
2).
This is all a honeypot to weed out gullible wannabe cybercriminals.
-
FBI.
(Will evolve later, on phone)
::edit::
Realised I didn't evolve on my matter :/. And what I would have said would be proven wrong, as it has been done in the posts after this one. So yeah.
-
Actually, hold that thought.
I did some quick research, and found this:
http://surveillance.rsf.org/en/hacking-team/
They've been around for a decade now and sell their software exclusively to government agencies, and it has reportedly been used for human rights violations.
Quote from this IBTimes article (http://www.ibtimes.co.uk/articles/445507/20130313/hacking-team-murky-world-state-sponsored-spying.htm):
One of the most high-profile of these companies is Hacking Team, a Milan-based company which has been offering its surveillance system to governments and law enforcement agencies for almost a decade. It has come under fire in recent years after it was discovered that its software had been used by repressive regimes in Morocco and the United Arab Emirates to illegally monitor activists.
It has even been alleged that the use of Hacking Team's tools have directly led to the torture and murder of people - a charge strongly denied by Hacking Team.
Unenviable
Eric Rabe has a pretty unenviable job. As head of communications and public policy for Hacking Team, his job consists of defending a company which sells powerful cyber-weapons allowing its customers to monitor your every email, text message, phone call and web search.
Hacking Team, like its competitors, is very secretive about its work, revealing nothing about who it works with, how much it gets paid, and most importantly what exactly its software is used for.
Calls for more regulation and transparency in its dealings have been growing since the revelations last year and while there has been no change in regulations thus far, the negative media coverage does seem to have had an effect on the way Hacking Team deals with the public and the press.
Last month at the annual RSA security conference in San Francisco Rabe and other Hacking Team representatives made an appearance to the surprise of many industry watchers.
At a panel discussion on cyber surveillance, Hacking Team came in for criticism from Jacob Appelbaum, a security expert and core member of the Tor project, as well as from Kurt Opsahl, senior attorney at the Electronic Frontier Foundation (EFF).
According to Tom Brewster from TechWeekEurope who was at the panel discussion, Appelbaum said the use of Hacking Team tools and similar software can be the difference between life and death.
"These people are tortured, some of them are murdered ... the result of the things we are talking about here is a life and death matter."
One of their presentations advertising the product is on WikiLeaks (http://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf).
Finally, the most interesting article:
https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
A technical analysis of an old RCS version that got leaked to the wild somehow. Haven't read it in its entirety, but be sure to check it out.
------------------------------------
So, the question of whether or not they're legitimate is out. They are.
This leaves us just how effective their product is. Is it snake oil, relying solely on security through obscurity, or is it truly superior?
You could probably get employed. If you don't mind participating in the facilitation of human rights violations. Or you could infiltrate them and leak the source code for everyone!
-
It shouldn't be legal, and in most countries it probably falls into a gray area, but when it's government agencies who are their clients no one seems to care.
There are other companies like this, companies who sell malware and 0-day exploits to government agencies for large sums of cash.
FinFisher (http://en.wikipedia.org/wiki/FinFisher) is malware which has been sold to governments and is actively in use.
-
They've been around for a decade now and sell their software exclusively to government agencies, and it has reportedly been used for human rights violations.
One of their presentations advertising the product is on WikiLeaks (http://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf).
Finally, the most interesting article:
https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
So, the question of whether or not they're legitimate is out. They are.
This leaves us just how effective their product is. Is it snake oil, relying solely on security through obscurity, or is it truly superior?
Ah, so basically their legitimacy is given by the fact that they cater exclusively to Government Officials and other Security Agency type of "business".
Also given what information is available it does indeed seem that these guys don't give two shits about the privacy of the individual, let alone privacy laws in general. On the other hand the question regarding whether or not their software is actually that good as they claim it is, is quite interesting. I think I might dig deeper on this one and also go through that tech analysis you posted.
Also as a final note, I gave up on the idea of trying to get a job with them when I saw the incredibly vague description that they give for the "Hacker/Developer" title. I mean come on:
Hackers find out how to overcome the original design of objects, hack into them and uncover all their secrets.
You have to be both, and the more you know, the better.
We need a person with a strong technical background, able to deeply understand how devices and software work and to hack them.
To me it sounds like someone who has a very faint idea of what they want and don't know what to ask for.
With all the other data on how they abuse privacy I'm now positive I wouldn't even want to touch these people with a 10 foot pole, let alone try to get a job there.
@Thor: Do you maybe have names or some sort of identification type for such companies? I'm really interested to see if this is like a well spread thing and something that can be done by anyone as long as he abides by his/her country's laws and only sells to the government or to defense/counterinformation agencies; and unfortunately I found it quite difficult to track these kinds of companies down. The only reason I saw about hackingteam.it is because I saw it in a mail on cryptome.org.
And kudos for the link on FinFisher, didn't know about that one.
-
@Thor: Do you maybe have names or some sort of identification type for such companies? I'm really interested to see if this is like a well spread thing and something that can be done by anyone as long as he abides by his/her country's laws and only sells to the government or to defense/counterinformation agencies; and unfortunately I found it quite difficult to track these kinds of companies down. The only reason I saw about hackingteam.it is because I saw it in a mail on cryptome.org.
And kudos for the link on FinFisher, didn't know about that one.
Sure, EndGame (http://www.endgamesystems.com), VUPEN (http://www.vupen.com/), NetraGard (http://www.netragard.com/)
Of course most companies involved in this sort of stuff keep it relatively quiet.
@thegruqg is one of the most e-famous. He acts as a middle man between security researchers who are looking to sell exploits and governments looking to buy them. Here's an article on him and what he does http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
And here's another article which discusses the 0-day trade, http://www.fastcompany.com/3009156/the-code-war/how-spies-hackers-and-the-government-bolster-a-booming-software-exploit-market
-
"Governments buying 0-days--" Im gonna sit back and eat popcorn.
I'm hardly surprised.
This is no exception really.
weapons; illegal unless you call it peace
murder; illegal unless you call it freedom
....
You got the point.
-
Sure, EndGame (http://www.endgamesystems.com), VUPEN (http://www.vupen.com/), NetraGard (http://www.netragard.com/)
Of course most companies involved in this sort of stuff keep it relatively quiet.
@thegruqg is one of the most e-famous. He acts as a middle man between security researchers who are looking to sell exploits and governments looking to buy them. Here's an article on him and what he does http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
And here's another article which discusses the 0-day trade, http://www.fastcompany.com/3009156/the-code-war/how-spies-hackers-and-the-government-bolster-a-booming-software-exploit-market
Wow man, thank you for the resources! +1 cookie for you sir!
This @thegruqg guy is... don't have words to describe. Pus of society, a human infection. Fucking cuntbag maybe? Instead of offering the exploits ONLY to the original developers so that they can improve their product and offer better security to their users, he sells it to motherfucking government agencies so that they can spy on the population in a more easy fashion. I'm raging so fucking hard now... Fucking hell.
@proxx: standard human species situation. Bullets or cyberbullets, the difference is just the "cyber" part apparently.
-
Wow man, thank you for the resources! +1 cookie for you sir!
This @thegruqg guy is... don't have words to describe. Pus of society, a human infection. Fucking cuntbag maybe? Instead of offering the exploits ONLY to the original developers so that they can improve their product and offer better security to their users, he sells it to motherfucking government agencies so that they can spy on the population in a more easy fashion. I'm raging so fucking hard now... Fucking hell.
@proxx: standard human species situation. Bullets or cyberbullets, the difference is just the "cyber" part apparently.
Are you kidding me?
When having a 0-day you have four options;
1. Sell it on the black market and make potentially a lot of money.
2. Sell it to a company like ZDI.
3. Send the shit to full disclosure and get famous.
4. Coordinate release with vendor and expect 5-10 e-mails and 3-4 months until some random French idiot gets the point and then a couple months more testing 3-4 patches that do not fix the problem.
Guess I'm keeping with the first.
-
Are you kidding me?
When having a 0-day you have four options;
1. Sell it on the black market and make potentially a lot of money.
2. Sell it to a company like ZDI.
3. Send the shit to full disclosure and get famous.
4. Coordinate release with vendor and expect 5-10 e-mails and 3-4 months until some random French idiot gets the point and then a couple months more testing 3-4 patches that do not fix the problem.
Guess I'm keeping with the first.
You forgot option 5.
5. get sued by some company for being an evil terrorist..
(http://fbpics.net/files/Shop%20Lube%20Fail-1307377962.png)
I would def go for the WD-40, awesome stuff.
-
Personally, I wouldn't judge anyone selling a 0-day. The streets are hard and those companies never listen especially those that open source. Those kids need a reward for their effort of finding that vulnerability.
-
Personally, I wouldn't judge anyone selling a 0-day. The streets are hard and those companies never listen especially those that open source. Those kids need a reward for their effort of finding that vulnerability.
I agree, only those who buy 'm.
That's curious.
-
You forgot option 5.
5. get sued by some company for being an evil terrorist..
Again, kidding me? Do you have any idea about the laws for these kinds of things? Selling applications is not illegal in any country yet, that same thing goes for an application that exploits flaws in other computer software.
On the other hand the laws for reverse engineering of software are very fuzzy.
There exists a number of legitimate businesses that make money on selling exploits as well as software that could be considered malicious.
@ kenjoe41 - actually the open source community is well known to take security seriously, I suppose you don't have any experience coordinating vulnerability disclosures. The problem with some open source projects is that they are hobby projects and are not always maintained. Some projects are abandoned and only community driven, others are actively maintained and bugs are fixed in a matter of days.
-
Sure, EndGame (http://www.endgamesystems.com), VUPEN (http://www.vupen.com/), NetraGard (http://www.netragard.com/)
Of course most companies involved in this sort of stuff keep it relatively quiet.
VUPEN is not quiet at all. CEO and head of research at VUPEN Chaouki Bekrar is an attention whore. There is a reason why they do pwn2own contests, it's all about fame.
I have to agree with Alin on this. There exist a number of companies making money on their security research, it does not matter if they sell this research to governments, send it to vendors or to other business.
-
Again, kidding me? Do you have any idea about the laws for these kinds of things? Selling applications is not illegal in any country yet, that same thing goes for an application that exploits flaws in other computer software.
On the other hand the laws for reverse engineering of software are very fuzzy.
So just because there aren't any laws you should do it, right? It seems to me that you're one of the people who's part of the problem rather than one who's looking for a solution. But then again, to each his own. If you want to sell security flaws on the black-market for financial compensation you're free to do so, but that doesn't mean it's the right thing to do.
I've sort of had enough of this human population trying to exploit each other. Instead of working for the betterment of society you work for the money, a piece of paper which you were convinced has value, but which actually has none.
When having a 0-day you have four options;
1. Sell it on the black market and make potentially a lot of money.
2. Sell it to a company like ZDI.
3. Send the shit to full disclosure and get famous.
4. Coordinate release with vendor and expect 5-10 e-mails and 3-4 months until some random French idiot gets the point and then a couple months more testing 3-4 patches that do not fix the problem.
Those are the only options you find viable, not the only options in existence. I would offer any exploit I find for free to the developer because I can make my money via a stable job, not by being a thorn in society's back. But again, you're free to do whatever you want and it's not like anyone will waste their time trying to argue with you. There's bigger problems out there, but I guess those are irrelevant as well with this kind of mindset.
Then again we digress from the original topic, which was how come is it legal to have a company which literally sells hacking services, when hacking itself is illegal in most (if not all) countries. If you want to have a discussion on the ethics of selling/buying vulnerabilities/exploits we can start a new topic.
-
I think proxx nailed it when he mentioned the twisting of language to make two identical concepts appear different.
"Hacking" may be illegal in most countries, but the term itself is highly broad with at least ten definitions. It is legal when it's done with one's consent or under the banner of "penetration testing", "security auditing", "ethical hacking" and so on.
This software probably isn't classified as hacking, but likely under the legitimate category of policeware. While in reality policeware is no different from any malicious software that would normally be considered illegal, using different mnemonics to make it sound like it's beneficial for law enforcement and national security turns the game around.
It's all a simple matter of language manipulation/Newspeak and the fact that security is offensive as well.
-
not heard of endgame systems...?
develop 0day for all three letter agencies!
-
"Hacking" may be illegal in most countries, but the term itself is highly broad with at least ten definitions. It is legal when it's done with one's consent or under the banner of "penetration testing", "security auditing", "ethical hacking" and so on.
This software probably isn't classified as hacking, but likely under the legitimate category of policeware. While in reality policeware is no different from any malicious software that would normally be considered illegal, using different mnemonics to make it sound like it's beneficial for law enforcement and national security turns the game around.
Yeah, I guess that's the key point. Basically this applies:
This is no exception really.
weapons; illegal unless you call it peace
murder; illegal unless you call it freedom
....
You got the point.
-
Mordred, forgive me for giving such a short reply, but I really have nothing more to say other than: in the eyes of the US Government specifically (at least from what I have seen) anything is justifiable in the name of "national security"
-
Forgive me for bumping this thread, but I just wanted to mention that 'Hacking Team' and their proprietary surveillance product were briefly mentioned in the documentary film Terms and Conditions May Apply. It was a great film overall, and highlights a whole bunch of privacy concerns, legal matters and coverups, some surveillance companies and so on.
There's probably some things you weren't aware of, so I definitely recommend people here watch it. It's freely available on lots of public BitTorrent trackers, despite being quite recent.
-
Forgive me for bumping this thread, but I just wanted to mention that 'Hacking Team' and their proprietary surveillance product were briefly mentioned in the documentary film Terms and Conditions May Apply. It was a great film overall, and highlights a whole bunch of privacy concerns, legal matters and coverups, some surveillance companies and so on.
There's probably some things you weren't aware of, so I definitely recommend people here watch it. It's freely available on lots of public BitTorrent trackers, despite being quite recent.
Nice vezzy, thank you for the suggestion. I'll definitely watch it today or tomorrow.
-
--snip--
Sweet! I'll definitely watch it!
XD, take a look at their website's terms and conditions, it's awesome!
4) For your protection- (Should be C) By using these services, your information may be stored by legal entities in Utah, or other facilities. We are not responsible for that either
- 6) In Exchange for These Services
- In exchange for visiting this website, you have agreed to publish a post stating that you have visited this website on Facebook. Failure to do so may result in legal action.
- Furthermore, and with the same applicable penalties, you have also agreed to watch the film "Terms and Conditions May Apply", in any or all of the following mediums: Theatrical, VOD, SVOD, DVD, airplane, cruise ship, hotel, or building wall.
Ugh, stupid formatting.... it even goes on here....
-
I'm also sorry for bringing up this old topic, but I'm really surprised by the reaction towards the use of "hacking" services by different governments. I don't know if the recent revelations just make you believe NSA is the only agency using the services, but you must never forget that NSA are working together with other top agencies around the world.
Why should the agencies not use these services, and why should people not provide these services? The internet does not have any general laws, and I am not aware of _any_ country that prohibited the use of bits and bytes and therefore no country has forbidden hacking by laws. In most countries, the use of hacking is prohibited by e.g. stealing data, but the question of "borrowing" a computer has never been raised. We will see a lot of malware mining some kind of online currency in the future, but is it illegal to borrow CPU resources? And do not just say yes, because in general there are no countries that have any specific laws with regard to this problem.
One must realise the use for intelligence agencies and it's not investigating what the wankers here at evilzone do. We are simply not a target, due to lack of intelligence in here. The pack of newbies in here makes the forum non-interesting for government agencies.
Stop bringing up moral questions about "hacking" as they are out of the scope, we must discuss what is really going on.
And at last, stop being naive. If the underground is using 0 days to target certain companies, why should the government not do so? Should moral be the reason _not_ to catch a bad guy? Have you ever watched a cops TV show and complained about the police breaking rules to catch criminals, cause they are doing it all the time.
-
The website and corporation is basically a whitehat recruiting center. Basically, it could be one of two things:
A. Legit, structured recruitment agency built by talented individuals for intelligence agencies who are great with programming and know their way around software, or
B. A federal honeypot disguised as a shady invite to an underground, little-known group who claim skill and offer no proof.
I agree with Ande. Either way, there's no way I'm going anywhere near that shit.
-
I'm also sorry for bringing up this old topic, but I'm really surprised by the reaction towards the use of "hacking" services by different governments. I don't know if the recent revelations just make you believe NSA is the only agency using the services, but you must never forget that NSA are working together with other top agencies around the world.
Why should the agencies not use these services, and why should people not provide these services? The internet does not have any general laws, and I am not aware of _any_ country that prohibited the use of bits and bytes and therefore no country has forbidden hacking by laws. In most countries, the use of hacking is prohibited by e.g. stealing data, but the question of "borrowing" a computer has never been raised. We will see a lot of malware mining some kind of online currency in the future, but is it illegal to borrow CPU resources? And do not just say yes, because in general there are no countries that have any specific laws with regard to this problem.
One must realise the use for intelligence agencies and it's not investigating what the wankers here at evilzone do. We are simply not a target, due to lack of intelligence in here. The pack of newbies in here makes the forum non-interesting for government agencies.
Stop bringing up moral questions about "hacking" as they are out of the scope, we must discuss what is really going on.
And at last, stop being naive. If the underground is using 0 days to target certain companies, why should the government not do so? Should moral be the reason _not_ to catch a bad guy? Have you ever watched a cops TV show and complained about the police breaking rules to catch criminals, cause they are doing it all the time.
The agencies should not use these services because they are breaking the exact laws they are trying to enforce. The Internet itself has no laws, but there are PLENTY of country wide and union wise laws that prohibit the use of unauthorized systems and breaking into them. Here are a few US ones: http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
"borrowing" as you put it, is unauthorized access (seeing how you presented the argument). Borrowing something without permission is theft. Of course it is illegal to borrow CPU resources without permission. And there are laws against it.
Very nice of you to call us wankers and a pack of newbies. Don't expect to be here very long.
Moral questions about hacking should be brought up as much as possible. There are several cases where hacking can and are used for "good".
-
One must realise the use for intelligence agencies and it's not investigating what the wankers here at evilzone do. We are simply not a target, due to lack of intelligence in here. The pack of newbies in here makes the forum non-interesting for government agencies.
Stop bringing up moral questions about "hacking" as they are out of the scope, we must discuss what is really going on.
Wow... You're really in your own world I see. Moral questions about hacking (I dunno why you use commas) are the number 1 topic discussed in any proper course/study where you learn about Sec. But obviously you don't even value morals related to hacking, so I can assume you are a self-tutor. In that case I recommend you take a class or something, cause you're missing big chunks of Basic Security 101.
I'm sure you can find a nice course to attend. Just a quick Google search and a bunch of options popped up.
But, as usual, ande managed to summarize all my thoughts, so read his post again and imagine it was me saying that.
-
He makes a point about the forum, however.
-
He makes a point about the forum, however.
That there's no intelligence here? I mean sure there's a lot of stupid people anywhere you go but come on..
-
Oh no, I'm not saying there's a lack of intelligence. But one thing's for sure, we've been pretty stagnant as of recent.
-
Can't argue with that I suppose.
-
I am not quite sure I know what you guys mean. Looking at the forum statistics, we are doing just as fine as we have done for a long time. Not that I am as active as I once was, so maybe I don't have the full picture but nonetheless.
-
Well, at least in my opinion, there could be more new topics on things that have to do with hacking (go figure). I realize that we must keep things theoretical as well as not wanting to spoon feed newbs by giving away too much information, but it seems like talking about hacking at all is taboo in a way...
Which is weird considering this is a hacking forum.
Honestly though, Sir explained my thoughts with far greater writing prowess and elegance in a large post he made quite awhile ago. I know you read it ande and I'd be willing to bet that you know which one I'm talking about.
I can't speak for how vezzy feels. But please, don't take this the wrong way ande, I'm not bashing EZ or its other staff and members, or you.
-
I know what you mean. I am hoping to touch on some of that with a new category/board structure in Alpha as well as an archive much like the one we had way way way back. tools.evilzone.org or archive.evilzone.org or some shit. A little bit like VX heaven or what that archive was called. I realize hosting and showing old malware code and all sorts of stuff is kinda important. With that said, we can never (I won't) go back to the old defacement/showoff bullshit. Nor is it a good idea for us to let people post actual URLs with targets they want help with. But we'll see.
-
With that said, we can never (I won't) go back to the old defacement/showoff bullshit. Nor is it a good idea for us to let people post actual URLs with targets they want help with. But we'll see.
Of course not, I understand that. I also keep forgetting that EZ Alpha is coming out and there will be many changes. I guess I just need to be patient.
-
I am not quite sure I know what you guys mean. Looking at the forum statistics, we are doing just as fine as we have done for a long time. Not that I am as active as I once was, so maybe I don't have the full picture but nonetheless.
Well certainly statistics don't reveal much other than the site is being visited and that some people are posting. It does not reveal the fact that in general the discussions are based on basic knowledge to the general infosec guy and the level is quite low and uninteresting. I get the idea that as a forum it is important to be welcoming, but when most of the new people are here to learn about python and don't get the idea of pointers in C something is wrong as a "hacking community".
-
Hacking is not only about pointers in C! And you can definitely be a successful pen tester/security consultant without knowing any C. I think you need to look at the broader picture and realize that there are many fields of hacking and many directions that don't require you to know C.
-
Generally if you intend on finding vulnerabilities in most large-scale software, which is primarily C/++, then yes. You do need to know C in and out, as well as low-level machine concepts and processor architectures.
-
Hacking is not only about pointers in C! And you can definitely be a successful pen tester/security consultant without knowing any C. I think you need to look at the broader picture and realize that there are many fields of hacking and many directions that don't require you to know C.
You can clearly see from my post that I was just making examples e.g. python or C. If you don't know either, you are not gonna make it as a successful pen tester in a technical environment. I might be stepping on some people here, but it's damn correct and I know a lot of people claiming to be pen testers.
I guess there is a reason why there are no discussions on security frameworks like ITIL, Sarbanes Oxley or any ISO standard, and that's because they are only compliance and not technical at all. Yes you can be a great security consultant knowing these frameworks and compliance rules, but they are not part of the technical discussion that are/should be happening in here. I'm not saying they should be disregarded as potential topics, I'm just saying the categories available imply this being a technical forum and lately the technical level has been low.
-
1. This has gone extremely off-topic.
2. Vezzy; Who said pen testing is only about vulnerabilities in large scaled software?
Alin; Exactly, claiming! A lot of people are claiming to be pen testers just because they have found a vuln or two on a website. And you can do just fine without Python and C. I know a really successful Pen tester and he uses Perl instead of Python and he's not particularly good at C. He's a web app/network pen tester. It's not all about which languages you know etc. It's about how you apply your knowledge to the job.
-
Alin; Exactly, claiming! A lot of people are claiming to be pen testers just because they have found a vuln or two on a website. And you can do just fine without Python and C. I know a really successful Pen tester and he uses Perl instead of Python and he's not particularly good at C. He's a web app/network pen tester. It's not all about which languages you know etc. It's about how you apply your knowledge to the job.
1. I agree this is out of topic.
Again you go with the specifics of my examples. If you want you can replace Python with either Haskell, Perl or Ruby. The point I'm stressing is that a lot of the people who come in here know none of the languages or have only written simple hello world in one of them. The guy you mention might prefer Perl, but he's still fitting in the box as a pen tester who knows technicality and that is what I'm trying to say.
-
Yeah just close this baby down, it has been coming back since forever.