Date: Sat, 28 Jun 2008 01:50:25 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: What the UK government care about in a hacker

On Sat, Jun 28, 2008 at 1:38 AM, Ureleet <ureleet@...il.com> wrote:

> u know how old this article is?



A couple of months old and a prime example that the intelligence services
don't give a fuck about Firefox, Internet Explorer, Opera and other gay
applications people post application flaws about on Full-Disclosure.

I want to see things posted that actually affect national security and the
government actually give a fuck about.

Let's move away from stupid computer applications and start focusing on
national security if you want to be an elite hacker, nobody cares about
applications, buffer overflow and the like, it's over and done with, it's old
skool, nobody gives a fuck anymore.

If you want to impress the government then start on mobile, radio frequency,
chip / hardware hacks.

The security community has got to evolve, we can't be sitting here in 2020
still getting wet and excited about Internet Explorer or QuickTime
flaws, it's getting gay, it's nearly 2009...

All the best,

n3td3v


>
>
> On Thu, Jun 26, 2008 at 5:45 PM, n3td3v <xploitable@...il.com> wrote:
> > On Thu, Jun 26, 2008 at 2:08 AM, n3td3v <xploitable@...il.com> wrote:
> >> I think we've gone beyond the F-Secure has said stage, I think folks
> >> are looking for something more. I think the security space has evolved
> >> already in respect of home user hackers, the security professional
> >> circuit and with the government.
> >>
> >> In fact the government are finding it hard to keep up with what's
> >> possible by the government and what's technologically possible by joe
> >> average in his bedroom.
> >>
> >> A few years ago it was impossible for joe average to shoot the live
> >> scene of a national emergency via his cell phone, email that footage
> >> to a national television station and that to be used as prime time
> >> evidence of the incident, now it is.
> >>
> >> With this I look onto the media, it's still using F-Secure press
> >> releases for its news round.
> >>
> >> Your average joe is now able to creep behind the media wall and get
> >> the news before the outlet gets time to read up.
> >>
> >> The fact, the media is becoming less important in the security arena
> >> for bringing us news.
> >>
> >> Your average joe can configure google.com/ig to give them keyword news
> >> that's coming onto the news wires and google.com/alerts can too.
> >>
> >> What used to be a government fundamental for the intelligence
> >> services, is now becoming a challenge for them to know what user is
> >> signed up to what and how much they know.
> >>
> >> Before it was more straightforward, they would know what news sites
> >> were available as civilian intelligence sources but now it's becoming
> >> less obvious.
> >>
> >> The intelligence community are having to dig deep into online
> >> community to see what is possibly being plotted and what sources of
> >> information they have and the technique in which it's gathered.
> >>
> >> Today the world is changing, what used to be charted water only
> >> reserved for the intelligence services is now also being used by the
> >> civilian population.
> >>
> >> It's scary times, hackers have the best ability to overcome the
> >> intelligence services, not the script kids, but the hackers!
> >>
> >> The main focus for the British intelligence service is mobile and
> >> anything to do with radio frequency hacks, including RFID type stuff,
> >> that's high on the British government look out.
> >>
> >> The media are hyping about mobile phone worm, while this hype *is*
> >> unfounded right now, that's not to say it's not top on the British
> >> government's watch list of most desirable vulnerability threat vector
> >> against national infrastructure of government and civilian population.
> >>
> >> The hax0r credibility score board from the government's point of view
> >> isn't hacks in Safari, Firefox or Internet Explorer, it's
> >> telecommunications and radio frequency hacks right now.
> >>
> >> So while you and your friends might think browser hacks, etc.. think
> >> again, the real stuff that gets the UK government interested in you is
> >> radio, mobile and chip hacks, anything to do with electronics and
> >> communication, they don't actually give a fuck about applications, DNS
> >> hacks, Cisco router hacks and the like.
> >>
> >> While those things like  DNS hacks, Cisco router hacks and the like
> >> are internet critical, they aren't national security critical...
> >>
> >> So hackers, if you want the most hax0r credibility points and
> >> attention with the UK government, think national infrastructure, radio
> >> frequency, chip hacks and mobile telecommunication interception.
> >>
> >> If you want head hunted into the UK government cyber defensive,
> >> offensive and research departments go for those vectors... keep away
> >> from silly stuff like web browser hacks, DNS poisoning, Cisco etc.
> >>
> >> How will the UK government contact you? Brute guys will jump out of a
> >> range rover land rover which will have darkened windows and will give
> >> you an offer you can't refuse after abducting you for five minutes
> >> based on your research post on Full-Disclosure.
> >>
> >> All the best,
> >>
> >> n3td3v
> >>
> >
> > ---------- Forwarded message ----------
> > From: n3td3v <xploitable@...il.com>
> > Date: Sun, Apr 20, 2008 at 10:42 PM
> > Subject: GSM Researcher stopped at Heathrow Airport by UK government officials
> > To: n3td3v <n3td3v@...glegroups.com>
> >
> >
> > I was leaving today from the United Kingdom/Heathrow airport. I am
> > about to speak at the HITB IT security conference about GSM security
> > and the USRP (gnu-radio project).
> >
> > I was searched by the UK government while waiting at the Gate and
> > reading a newspaper. A UK Government employee flipped his badge and
> > said "Let's talk. Come over here".
> >
> > They detained my USRP (Software Defined Radio), my mobile phone and my
> > personal SIM card.
> >
> > They did their homework. They knew who I am, where I live, which day I
> > speak at the conference and who I work for.
> >
> > I'm involved in the GSM software project where we also developed a new
> > attack against the GSM encryption A51. We published our research in
> > February at the Blackhat security conference in Washington DC.
> >
> > I understand that the government wanted to make sure that I'm not
> > exporting any cryptanalytic device.
> >
> > I did not. I will not. The USRP is a radio. My mobile phone is a
> > normal Nokia 3310 phone and my SIM card is a SIM card.
> >
> > They said they do not know what the USRP is and that I can not take it
> > until they have checked it in the lab. This can take 14 days (1/2
> > month).
> >
> > So be it. They have it for 14 days. Guys, enjoy the device! It's fun
> > playing around with it!
> >
> > I'm uneasy that they took my mobile phone and my SIM card. Having a
> > pregnant wife at home and not being reachable complicates my
> > situation.
> >
> > Is this common practice? Are they allowed to do this?
> > Any tips how I can get my mobile phone and my SIM card back quicker?
> >
> > Our project: http://wiki.thc.org/gsm
> > The USRP is available from http://www.ettus.com
> > The GNU RADIO project: http://www.gnu.org/software/gnuradio
> >
> >
> > stunning,
> >
> > THC
> > ---
> > Appendix: Surprisingly they did not detain my laptop or my paperwork
> > which would be the most likely place to store any information related
> > to cracking A51. They were also not interested in my 160GB hard drive
> > which would have been the obvious place for storing the rainbow
> > tables. Neither were they interested in the high performance FPGA
> > chip.
> >
> > Instead they took all equipment that could have been used for
> > demonstrating that GSM signals can be received with publicly available
> > hardware for 700 USD.
> >
> > It does not appear that they were after cryptanalytic information.
> >
> > I received a yellow paper about my detained goods. They left the field
> > blank that reads
> > "The goods specified below are detained for the following reason:". What
> > reason?
> >
> > They also crossed out the field "Agent" of the officer who was in
> > charge of the operation.
> >
> > ---
> > UPDATE 2008-04-18
> > Arrived back at Heathrow. Airplane crew announced "All passengers
> > please have your passport ready. There is a passport check while
> > leaving the airplane. Passenger Steve Mueller please make yourself
> > noticeable to the crew. Steve Mueller please."
> >
> > They told me at the gate that I can get my equipment back. I had a
> > chat with them and they answered many of my questions. They did not
> > answer who requested that I should be searched when I left the
> > country.
> >
> > I'm happy that I got my equipment back and I appreciate that they had
> > it checked out quickly.
> >
> > I'm still not sure why they took exactly the radio receiver parts. I
> > had to change my presentation for the conference and was not able to
> > demonstrate the USRP/gnu-radio.
> >
> >
> > http://blog.thc.org/index.php?/archives/1-GSM-Researcher-stopped-at-Heathrow-Airport-by-UK-government-officials.html
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
