HACK THE SYSTEM: 1/6/11


14 jun 2011

Lulzsec hacks senate.gov | The Senate of the United States of America

See the file here: Download TXT

That is the content of senate.gov, a Sun SPARC... Do you think they only ran a df -h? No, but this is better than WikiLeaks!
Security does not exist, and that is proven once more.

Passwords of 26 thousand adult sites exposed


13 jun 2011

Recovering grub2 with /boot and / on separate partitions

I was forced to recover grub2 on a PC that had Linux Mint and on which Windows 7 had been installed afterwards, so the MBR was wiped. Since I found that all the tutorials are wrong, or only cover having a single partition for all of Linux, and many of us have, as one should, /boot kept apart on ext2, I decided to share how to do it correctly. This is valid for Mint, Debian, Ubuntu, Fedora (using grub legacy), ArchLinux, Gentoo, etc.

1) Boot from a LiveCD with Mint or Ubuntu or anything that has grub2.
2) Run this to the letter =>
-----------------------------------------------------------------------------
Open a terminal.
Run sudo su to become root if we are not already.
fdisk -l to see the /boot and / partitions among the /dev/sdaX devices

Then:

mount /dev/sdaX /mnt (where X is the / partition)

(We replace /dev, /dev/pts, /proc and /sys with our virtual filesystems, so that the chroot we do next is complete)

mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys

chroot /mnt   (we swap the live system's / for our / on the disk; careful, everything you touch will change the installed system)

mount /dev/sdaX /boot   (where X is the real /boot on the disk, which we saw earlier with fdisk -l)

grub-install --recheck /dev/sda (we install grub in the MBR)
update-grub2 (being in chroot mode, / is our real system, so it generates a grub.cfg and detects the Linux and Windows systems)

Result:

Generating grub.cfg ...
Found background image: linuxmint.png
Found Debian background: linuxmint.png
Found linux image: /boot/vmlinuz-2.6.38-2-686
Found initrd image: /boot/initrd.img-2.6.38-2-686
Found linux image: /boot/vmlinuz-2.6.32-5-686
Found initrd image: /boot/initrd.img-2.6.32-5-686
Found Windows 7 (loader) on /dev/sda1
done


Note, for those wondering what --bind is:

The bind mounts.
              Since Linux 2.4.0 it is possible to remount part of the file hierarchy somewhere else. The call is
                     mount --bind olddir newdir
              or shortoption
                     mount -B olddir newdir
              or fstab entry is:
                     /olddir /newdir none bind

              After  this  call  the same contents is accessible in two places.  One can also remount a single file (on a
              single file).

              This call attaches only (part of) a single filesystem, not possible submounts. The  entire  file  hierarchy
              including submounts is attached a second place using
                     mount --rbind olddir newdir
              or shortoption
                     mount -R olddir newdir

              Note  that the filesystem mount options will remain the same as those on the original mount point, and cannot
              be changed by passing the -o option along with --bind/--rbind. The mount options can be  changed  by  a
              separate remount command, for example:

                     mount --bind olddir newdir
                     mount -o remount,ro newdir

7 jun 2011

Clever Microsoft clause gives it control over Nvidia

In the year 2000 Microsoft signed an agreement with Nvidia to allow Nvidia processors to be present in the Xbox console; in exchange for that concession, Nvidia handed control over its sale to Microsoft. If a company wants to buy more than 30% of Nvidia, Microsoft has the right to veto the purchase and to present a higher offer. It is worth remembering that at this moment most tablets use Nvidia processors and that Microsoft has just ended its eternal marriage with Intel, known as Wintel, by announcing that from now on it will release versions of Windows 8 for both Intel-AMD and Nvidia ARM processors.

5 jun 2011

Part of Skype's source code revealed

The truth is that Microsoft has not had a good start to its adventure in the VoIP market. After the purchase of Skype, login problems appeared for many users all over the world; after that, Microsoft must face something even more dangerous: the disclosure of part of the source code of the famous VoIP application it paid so much money for. What a way to start…


Efim Bushmanov, a Russian programmer, has obtained part of Skype's source code through reverse engineering.

Needless to say, beyond the legal implications and economic consequences of this matter, the disclosure of part of that code may represent an opportunity to create free alternatives. In fact, that is precisely what this programmer wants (and many others, of course).

Skype protocol reverse engineered, source available for download

With guts… That is how explicitly and clearly Efim announces on his blog http://skype-open-source.blogspot.com/ the availability of the code to anyone interested, and there will be plenty of them.

Those interested can go to that blog, download it via torrent (http://thepiratebay.org/torrent/6442887) or at https://github.com/skypeopensource/skypeopensource/downloads

PBS, Sony, Fox Websites Hacked By LulzSec's Lulz Boat, AT&T Next?

A new group of web pirates is making itself known, as it sails the high seas of The Internet in search of what it describes on Twitter as #fun #fun #fun.
The Lulz Boat, or what the group really calls itself: LulzSec, has hacked into the websites of PBS, Sony, and Fox, in reverse order over the last two months - and AT&T appears to be next on their list.
The Sony Hacks
The series of Sony hacks (not just one), and reported to be the largest in Internet history, caused the Japanese icon to shut down its PlayStation servers for a month. And LulzSec left this tweet:
LOL @Sony, nice Japanese website dumbasses: http://pastebin.com/NyEFLbyX
Which leads to this message containing the Sony website pages that contain two links to Sony's database structure:
@LulzSec was here you sexy bastards!
This isn't a 1337 h4x0r, we just want to embarrass Sony some more. Can this be hack number 8? 7 and a half?!
Stupid Sony, so very stupid:
SQLi #1: http://www.sonymusic.co.jp/bv/cro-magnons/track.php?item=7419
SQLi #2: http://www.sonymusic.co.jp/bv/kadomatsu/item.php?id=30&item=4490
(two other databases hosted on this boxxy box, go for them if you want)
And LulzSec does it all with the interesting tagline "Laughing at your security since 2011!"
And that seems to be the point of their hacks: taking advantage of apparent and simple gaps in system design. LulzSec refers to the "seven processes" in its Twitter account, as if they were the "seven seas" that pirates would sail on.
But given that wording, and the way they refer to their actions as pirate boat attacks, the "seven processes" seem to be the approaches they use to enter a website and database.
The SQL Injection Method
Generally, what LulzSec seems to be doing is using something called the SQL injection method. It starts with the "Structured Query Language," or SQL, a language like C, or HTML, or any other, but one that is used to manage data in a website's database. The technique, to "convince the application to run SQL code that was not intended," is described in detail at Steve Friedl's website at unixwiz.net, where he provides a way to "mitigate" against approaches such as the ones used by LulzSec. You can see that with a click and scroll here: FIX.
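
An added example, not part of the original article or of any site's code: the string-built query that lets an application "run SQL code that was not intended", beside the parameterized form that fixes it, using Python's sqlite3. The table, columns, function names and sample rows are hypothetical and constructed; the numeric `item` parameter follows the style of request parameter quoted above.

```python
import re
import sqlite3

# Constructed request value: a number followed by SQL syntax.
CONSTRUCTED_INPUT = "7419 OR 1=1"


def make_db():
    """In-memory database with constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tracks (item INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tracks VALUES (?, ?, ?)",
        [(7419, "Public single", 0), (7420, "B-side", 0), (9001, "Unreleased demo", 1)],
    )
    return conn


def find_track_unsafe(conn, item):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so anything it contains is parsed as part of the statement.
    sql = "SELECT title FROM tracks WHERE hidden = 0 AND item = " + item + " ORDER BY item"
    return [row[0] for row in conn.execute(sql)]


def find_track_safe(conn, item):
    # Defence in depth: the page expects an integer id, so accept nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", item):
        raise ValueError("item must be a positive integer")
    # The fix itself: the statement text is constant and the value is bound
    # through a placeholder, so it is only ever treated as data.
    sql = "SELECT title FROM tracks WHERE hidden = 0 AND item = ? ORDER BY item"
    return [row[0] for row in conn.execute(sql, (int(item),))]


def exposes_hidden_rows(query_fn, conn, item):
    """Regression check: True if query_fn returns a row marked hidden."""
    try:
        titles = query_fn(conn, item)
    except ValueError:
        return False  # rejected before reaching the database
    hidden = {r[0] for r in conn.execute("SELECT title FROM tracks WHERE hidden = 1")}
    return bool(hidden & set(titles))


if __name__ == "__main__":
    db = make_db()
    for fn in (find_track_unsafe, find_track_safe):
        leaked = exposes_hidden_rows(fn, db, CONSTRUCTED_INPUT)
        print(fn.__name__, "exposes hidden rows:", leaked)
```

A check like `exposes_hidden_rows` can be kept in a test suite so that a later change back to string-built SQL is caught before release.
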
Tupac and LulzSec Fame
The LulzSec group gained recent fame by hacking into the PBS website and posting a report that legendary rapper Tupac Shakur is "alive and well" in New Zealand, along with Biggie Smalls, aka The Notorious BIG.
Which is interesting, because history tells us of a feud between them that resulted in their deaths. But I digress.
Why PBS?
Reportedly, The LulzSec hacked into the PBS website because of the public television giant's Frontline programs on Wikileaks and Private Bradley Manning. But personally, I don't think that's the reason: LulzSec just did it because PBS was vulnerable. So, they hacked in, made up a reason for the action after it was successful, then turned their attention to Tupac and Biggie.
Think about it.  Why would a group announce it was going to hack into a website and state its motives before the action unless they had reason to believe they were going to be successful?
Bragging On Twitter
The programmers are particularly active on Twitter, and not shy about their future objectives, or their present conquests. Here's a sample from their Twitter page, https://twitter.com/LulzSec:
LulzSec The Lulz Boat Hey @PBS admins, you still trying to regain control? The Lulz Boat sails through your horrendously-outdated kernels! #Sownage next, folks. 5 hours ago
LulzSec The Lulz Boat Sony happens when Sony happens - we're celebrating our victory right now. The fun will never stop! 6 hours ago
LulzSec The Lulz Boat We dominate their entire stupid website. Selling custom blog.pbs.org domains, php/user included, lulzsec@hushmail.com - 2 BitCoins each! 6 hours ago
LulzSec The Lulz Boat Oh yes, that's right... #Sownage tomorrow. We hope. We decided to obliterate @PBS instead out of distraction. *heads off to the Lulz Cabin* 9 hours ago
LulzSec The Lulz Boat @ShiverMeTimbres PBS can't recover much, all their base are belong to us. They only broke the file that lets you read articles. 11 hours ago
LulzSec The Lulz Boat We're working on another Sony operation. We've condensed all our excited tweets into this one: this is the beginning of the end for Sony. 26 May
As of this writing, it looks like PBS has regained control of the articles section of website: http://www.pbs.org/newshour/rundown/a and Newshour reports on Twitter:
FYI: None of our visitors' personal information or emails were compromised during last night's incident ^TG
But LulzSec says that's the only part that PBS controls, so while all may seem OK, it's not. The PBS website is still largely under LulzSec's control, according to LulzSec.
(An observation: what's good about Twitter, is that PBS Newshour was able to use it not just to report the hack, but to explain the false Tupac news.)
Chester Wisniewski's Annoying Blog Post.
A network security specialist named Chester Wisniewski posted a rather annoying blog entry at his Naked Security blog site. This set of paragraphs Mr. Wisniewski wrote below was particularly troublesome to this blogger:
While PBS is the victim here, the passwords disclosed for most affiliates are embarrassingly predictable.
There was absolutely no skill involved in this attack, as it used freely available tools to exploit the databases. The attackers represent nothing more than what many historically thought of as hackers: people creating chaos with no other purpose than gaining fame, irrespective of the damage caused.
The attack is nearly identical to the recent attack against SonyMusic.co.jp. LulzSec used the same tool to attack the Sony website, although far less sensitive information was disclosed in the Sony attack.
Several other databases were disclosed, some including plain text passwords, others using hashes. It is unfortunate that PBS was vulnerable to this kind of attack and even worse that so many passwords were stored in clear text. Revealing this information is criminal and there are certainly more respectable ways of disclosing flaws than exposing so many users' passwords.
To write that there was "absolutely no skill involved in this attack" is nothing more than one programmer dissing another, and helping no one. The fact is, LulzSec did it, and in ways that aren't familiar to the general public. That makes them what? A specialist with a skill - a dangerous and effective one that impacts millions of people.
If what LulzSec did called for "no skill" then Chester Wisniewski should have posted the methods to fix the gaps in their website security. He did not do that. If the problem is an SQL injection flaw, which is how LulzSec entered both the PBS and Sony website systems, then why not show how to spot the problem and fix it - as I did here, noting Steve Friedl's website.
Facebook, Twitter, Safe
That LulzSec was able to easily hack into the websites of large, traditional brands, means that new media companies with far more secure website systems are safe, specifically Facebook, YouTube, and Twitter, to name some of them. 
The point of all this really should be to work with Internet entrepreneurs who build large, database-driven website companies, and not just any programmer on the block, in developing website protection systems that are extremely secure.  As LulzSec claims, "no one is safe" and that may be,  but you can make your website more safe than the next website.

Are the 90s back? A tweet from 2600 on June 4, 2011

2600 Magazine
22 hours ago

Interesting, isn't it?

4 jun 2011

Microsoft reaches an agreement for a possible acquisition of Nvidia

If the purchase of Skype and the more than likely acquisition of Nokia had already surprised us, this news leaves us with the mental image of Steve Ballmer strolling through a supermarket of companies, cart and shopping list in hand. Information Week has the exclusive: Microsoft may acquire Nvidia after reaching an acquisition agreement with the manufacturer.
Thanks to that agreement, Nvidia shields itself against any purchase attempt by Microsoft's competitors; Microsoft would have the right to veto those attempts in order to absorb it (the source mentions some 3,400 million dollars for 30% of Nvidia, the minimum purchase percentage for this agreement). Given the plans the Redmond giant presented with Windows 8 and its path through tablets equipped with ARM chips, the acquisition makes sense, while we begin to strongly envy its bank accounts, able to bear so much buying. If Microsoft controlled Nvidia, it would gain an advantage in manufacturing chips optimized for Windows.
It could also be that Microsoft finds itself somewhat obliged to acquire Nvidia, as insurance against a component shortage while the competition's tablet industry keeps pulling ahead. There is no official confirmation from Microsoft for the moment.

Steve Ballmer... Adolf Hitler?

3 jun 2011

GTK fonts in Fedora KDE

In Fedora KDE, the font settings specified in KDE's System Settings and applied to GTK through oxygen-gtk do not work as they should: fonts look bad across everything GTK (Firefox, XChat, GIMP, web pages, etc.). The solution? Very simple, more than you would think. Many Fedora and other forums mention installing a beta of freetype2, and that is not the way.
For GTK applications to look right, autohint must be enabled for the whole system, which in the GNOME version is done by gnome setting, but not in KDE. This is fixed as follows:

First we install these packages:

yum install freetype.x86_64 freetype-freeworld.x86_64


On 32-bit, use .i686
Then, as root, we go to /etc/fonts/conf.d/ and do this:

ln -s /etc/fonts/conf.avail/10-autohint.conf 10-autohint.conf
ln -s /etc/fonts/conf.avail/70-no-bitmaps.conf 70-no-bitmaps.conf

With that, autohint is active for the whole system and GTK fonts will look right, and along the way we disable bitmap fonts, which are very ugly. We restart X or the system so that it picks up the new configuration, and that is all.

2 jun 2011

Lies and more lies... Allan McRae

In a few days I will do a detailed analysis of Fedora 15, the distro I came back to and should never have left, but what is this post about?
According to Allan McRae, a developer of ArchLinux Sucks, the fact that GCC will not compile a kernel because it has variables that are declared but not used is a GCC restriction and a problem with the kernel code, not with GCC.
To my very pleasant surprise, I compiled a vanilla kernel, same branch, on Fedora 15 using GCC 4.6, the same branch as ArchLinux Sucks, but from what I saw on the mailing lists it is patched, since a bug in it is acknowledged, something Allan neither acknowledges nor patches... Debian has patched it too, and GNU reports that the bug will be fixed in version 4.6.1.
A piece of advice, Allan: take up something else! The title of developer is too big for you!

GCC multilib on Fedora 15 | cross-compilation

Many of you will be used to installing gcc-multilib on 64-bit distros such as Ubuntu or ArchLinux, but on Fedora you will notice that the package is just called "gcc.x86_64 : Various compilers (C, C++, Objective-C, Java, ...)" and not multilib. When attempting a cross-compilation, that is, compiling for 32-bit from a 64-bit machine, with gcc -m32 test.c -o test, you will get an error. How to solve it? Steps:

yum install glibc.i686 glibc-static.i686 glibc-devel.i686 libgcc.i686

That is all; now we can do cross-compilations. It wasn't that hard, was it?