Nathan Wailes - Blog - GitHub - LinkedIn - Patreon - Reddit - Stack Overflow - Twitter - YouTube
Hacking
- Defcon 21 - Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
- Summary: Script kiddies use one of a few different known existing software applications that allow them to basically press a button to scan a server for vulnerabilities and then launch attacks. These software applications attempt to mimic existing web browsers (IE, Firefox, Chrome) when they send requests to web servers, and these browsers have certain quirks with how they handle uncommon HTTP response codes. Thus, if you are trying to defend your website against these kinds of low-sophistication script-kiddie attacks, you can use HTTP codes to cause problems with the attacking software to 1) dramatically increase the amount of time it takes for the software to find vulnerabilities (from minutes to 14+ hours), 2) reduce the number of vulnerabilities that end up being found, and 3) introduce false positives (fake vulnerabilities). The creators of these software applications coukd somewhat fix these current vulnerabilities by looking more closely at the responses they're getting from web servers, but 1) they don't feel any strong motivation to do it at the moment, and 2) this will cause some unavoidable slowdown in how the software works. He'd like to make it easy for web server admins to implement this kind of defense and so he'd like to get this defense included in an open-source project, but he doesn't have the skills necessary to do it, and so he asked if anyone in the audience would be interested.
- Samy Kamkar
- Chris Rock
- Pablos Holman
- 2012.08.30 - TEDxMidwest - Top hacker shows us how it's done
- A good summary of how hacking works: 12:20 - "Here's the most exciting slide ever shown at TED: this is the protocol diagram for SSL, which is the encryption system in your web browser that protects your credit card when you're sending it to Amazon and whatnot. Very exciting, I know, but the point is: hackers will attack every point in this protocol, right? I'm gonna send two responses when the server's expecting one, I'm gonna send a zero when it's expecting a '1', I'm gonna send twice as much data as it's expecting, I'm gonna take twice as long answering as it's expecting, I'm gonna just try a bunch of stuff, see where it breaks, see what falls in my lap. When I find a hole like that, then I can start looking for an exploit, right?"
- 2012.08.30 - TEDxMidwest - Top hacker shows us how it's done