My wife has discovered just how much money she can save shopping for our groceries using all of the coupons she has found online.  There are entire communities of people who follow and report on the deals you can find.  The only problem for her has been that many of the coupons she has found require a special application by the coupon.com folks.  The application is Windows/OS X only, and she runs Ubuntu.

Since I’m the one with the MacBook, it has become my duty to print the coupons that she forwards along to me.  I was happy to see there was an OS X version of the app, and installed it, only to find out the following:

Well that’s sort of annoying.  It just sends the job right off to the default printer, without asking about anything beforehand.  What’s worse for me is that it won’t “print” to a “graphic format like a PDF”.  A large percentage of my time, I’m not on a network with a printer, so I typically print things to postscript (.ps) files (bravo to Apple for building this into the OS and making it so easy).  When I want the hardcopies, I just tar them up and send them to a shell account on a server where I do have access to a printer.

Since this app doesn’t give me the usual printing dialog box with the option to “print to .ps”, I just had to hack together something.  I created a new printer in “System Preferences”->”Print & Fax”, with the following settings:

I then set this as my default printer.  Next, I set up a netcat listener to listen on the JetDirect port (9100), wait for a print job, and dump the incoming postscript to a file:

nc -l 9100 > output.ps

Once netcat is running and listening, you can print to the printer that you set up, and the result is a postscript file that you can then view, convert, print, etc.  It’s a pretty simple and painless procedure, if you’re dealing with an app that doesn’t play nicely with the printer dialog box.

…in which, our intrepid security geek finds out that there is a $400 bounty on his head.

Posts like this don’t have much technical content, but they’re fun, and the last one has been a wildly popular part of the site.  While you’re laughing your butt off, I hope you take away the real message here: do some background research on who you’re dealing with in the computer security scene.  If you got here by googling up information on this particular skiddie, then you’re already one step ahead of the game.  Just because someone has a legit-looking website and blog doesn’t mean they’re on the up-and-up :)

Since my first post about Yousif’s activities, I’ve had the pleasure of many late-night phone calls from him, being DOS’d for about a half hour, and having his friend threaten to hack my coffee maker.  I was promised a beat-down at Black Hat, although I unfortunately could not make it.  I am, however, sort of disappointed that I don’t warrant being stabbed, like Yousif has threatened to do to Lee Hinman over at the excellent writequit.org blog.  He is, however, willing to pay someone else to do the dirty work.

In the meantime, he hasn’t let up in his activities.  He has been hanging out on an Internet marketing forum, although his taste for script-kiddie hacking has not subsided.  He still has a penchant for attacking sites outside of well-defined pen-tests, still loves to threaten people who correct him, and runs his own small botnet.

Apparently looking to supplement his vapt-sec.com income with some cost-per-action fraud, he’s been hunting around for cohorts to develop software to fill out forms and offers on CPA advertisers, and to come in through his referral links from multiple IP addresses to fill out forms.  I took this as an opportunity to form my own “black hat” alter-ego, and have a good heart-to-heart chat with Yousif.  After a couple of boring evening chat sessions building up my “black hat” cred with him, he began to open up.

The following are some choice excerpts and quotes.  I’ve censored both his language and mine.  I do swear in-person, occasionally on IRC, and rarely on the blog, however I did ratchet it up about 12 notches with “elite yousif”, to build rapport.

Since he gets others to write his software for him, he occasionally gets his languages confused:

11:03:05 PM elite yousif: So
11:03:12 PM elite yousif: You know anyone who has botnets
11:03:39 PM bhb: i have a couple friends who might.  have a need?
11:03:50 PM elite yousif: Yeah
11:04:37 PM elite yousif: It’s quite helpful in CPA
11:05:16 PM bhb: yeah i was thinking of writing some code to work through a botnet, filling stuff and using the random ID generator
11:05:27 PM elite yousif: No need, lol.
11:05:35 PM elite yousif: I’m making something like that as we speak.
11:05:39 PM bhb: nice
11:05:50 PM bhb: what language do you code in
11:06:01 PM elite yousif: What language did I code this in?
11:06:11 PM bhb: yah
11:06:41 PM elite yousif: Net
11:06:54 PM bhb: c#
11:06:55 PM bhb: ?
11:07:21 PM elite yousif: nope
11:07:22 PM elite yousif: .NET <
11:07:29 PM elite yousif: Microsoft, ya know?
11:08:01 PM bhb: .net’s a platform, theres lots of languages you can code targeting .net
11:08:06 PM bhb: vb.net maybe?
11:08:13 PM elite yousif: Yeah, that’s right.
11:08:21 PM elite yousif: Vb.NET <

Don’t mess with this guy.  Especially in school:

11:56:56 PM elite yousif: No one ***** w/ me..
11:56:59 PM elite yousif: No one @ all.
11:57:02 PM elite yousif: Not even in school
11:57:03 PM elite yousif: They know
11:57:05 PM elite yousif: I can change their grade
11:57:09 PM elite yousif: expell them
11:57:10 PM elite yousif: frame them
11:57:11 PM elite yousif: etc
11:57:17 PM elite yousif: I can drop your docs too
11:57:21 PM elite yousif: know what shoe size you wear
11:57:23 PM bhb: heh nice
11:57:25 PM elite yousif: know your fam history
11:57:27 PM elite yousif: CC
11:57:29 PM elite yousif: S#
11:57:30 PM elite yousif: where u live
11:57:30 PM elite yousif: etc
11:57:59 PM bhb: knock some kiddies on their ***** online lol
11:58:18 PM elite yousif: lol
11:58:59 PM bhb: ***** haters lol
11:59:09 PM elite yousif: I know AOL internals too
11:59:11 PM elite yousif: ppl who work there
11:59:13 PM elite yousif: with high privs.
11:59:14 PM elite yousif: can easily
11:59:16 PM elite yousif: hi jack
11:59:19 PM elite yousif: any AOL/AIM account
11:59:22 PM elite yousif: and get info behind it
11:59:23 PM elite yousif: =D
11:59:31 PM elite yousif: i social engineer as well
12:00:08 AM bhb: hah that’s useful

A social engineering mastermind, to be sure.

Here, he’s a little sore that his affiliate program dropped him after figuring out his referrals weren’t legitimate:

12:03:12 AM elite yousif: you haven’t made any money in CPA yet?
12:03:43 AM bhb: haven’t even started.  just been reading up on it on the side, besides coding and work
12:04:30 AM elite yousif: ah
12:04:40 AM bhb: you made much?
12:04:42 AM elite yousif: I got my account terminated
12:04:45 AM elite yousif: 2 days ago
12:04:48 AM elite yousif: from a network
12:04:52 AM elite yousif: ***** bro, i swear
12:04:52 AM bhb: haters
12:04:53 AM elite yousif: I lost
12:04:56 AM elite yousif: 2000+ dollars
12:04:59 AM elite yousif: I better get my ***** back
12:05:00 AM elite yousif: OR
12:05:08 AM elite yousif: I’m gonna make my affiliate managers life a living HELL
12:05:14 AM elite yousif: I have access to her AIM account
12:05:15 AM elite yousif: verizon
12:05:17 AM elite yousif: photobucket
12:05:19 AM elite yousif: paypal
12:05:20 AM elite yousif: blogger
12:05:23 AM elite yousif: and some other *****
12:05:25 AM elite yousif: and facebook
12:05:29 AM elite yousif: she doesn’t know it yet
12:05:31 AM elite yousif: but I phished that *****

Bragging about taking down RSnake’s site (note: there’s an excellent chance this never really happened):

3:00:44 AM elite yousif: you know rsnake?
3:00:46 AM elite yousif: robert hansen
3:00:48 AM elite yousif: famous as *****..
3:00:49 AM bhb: yeah
3:00:51 AM elite yousif: k
3:00:51 AM elite yousif: well
3:00:53 AM elite yousif: his site
3:00:54 AM elite yousif: let me find it
3:01:03 AM bhb: ha.ckers.org or something
3:01:22 AM elite yousif: nah
3:01:23 AM elite yousif: his company
3:01:29 AM bhb: oh i dunno
3:02:26 AM bhb: sectheory?
3:02:58 AM elite yousif: yeah
3:02:59 AM elite yousif: rofol
3:03:02 AM elite yousif: i ddosed that
3:03:03 AM elite yousif: with my friend
3:03:04 AM elite yousif: in like
3:03:05 AM elite yousif: what
3:03:06 AM elite yousif: maybe
3:03:09 AM elite yousif: 3 mins
3:03:10 AM elite yousif: it was down
3:03:14 AM elite yousif: some security expert eh?

If there were any doubts about how he’s taking part in CPA fraud:

4:44:10 PM bhb: how are you supposed to make any money at it if you arent botting it anyways lol
4:44:25 PM elite yousif: what do you mean?
4:44:48 PM bhb: like automating it through a bunch of proxies/bots
4:45:02 PM bhb: how can you find that many people wanting to do it legit to keep making money
4:45:14 PM elite yousif: lol
4:45:17 PM elite yousif: u infect more victims
4:45:22 PM elite yousif: you market your trojan or w.e.
4:45:27 PM elite yousif: and more ppl open it
4:45:37 PM bhb: heh yeah so a loose definition of “legit” lol :D
4:45:48 PM elite yousif: yep
4:45:48 PM elite yousif: lol
4:45:59 PM elite yousif: you know what company is cool though?
4:46:03 PM bhb: you have nice custom trojans for it?
4:46:03 PM elite yousif: ******
4:46:10 PM elite yousif: i talked to the owner
4:46:10 PM bhb: cool you work with them too?
4:46:12 PM elite yousif: really cool guy
4:46:14 PM elite yousif: says
4:46:18 PM elite yousif: i can do black hat if i want
4:46:21 PM elite yousif: and he wont term. my account

Then, I managed to get him on the subject of yours truly :):

5:02:12 PM elite yousif: LOL
5:02:19 PM elite yousif: http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0545.html
5:02:21 PM elite yousif: that link u sent me
5:02:25 PM elite yousif: i know the guy who wrote that
5:02:27 PM elite yousif: wesley mcgrew
5:02:30 PM elite yousif: that dude is such a *****
5:02:36 PM bhb: he talks like one
5:03:01 PM elite yousif: he started talking ***** about my business and me because he claims that i hack around sites without permission and that i gave him access to my computer, WTF..
5:03:25 PM elite yousif: so i told him to go to black hat in vegas, and he said hes not going this year — i told him if i saw him id tackle him

I’m not really sure if the following about the director of Black Hat contacting him is true (I never contacted the Black Hat folks about it, since it’s not really a credible threat).  He probably just made it up after he found out how much Black Hat costs:

5:05:11 PM elite yousif: u know what he did
5:05:11 PM elite yousif: he spoke with teh director of black hat
5:05:11 PM elite yousif: and he told him that i would beat his ***** if i saw him
5:05:11 PM elite yousif: so he got scared
5:05:11 PM elite yousif: so the director listened to him
5:05:20 PM elite yousif: and said i cant attend black hat this yea
5:05:20 PM elite yousif: year*
5:05:38 PM bhb: lol that’s hilarious did the director email you or something
5:05:44 PM elite yousif: no he IM’d me
5:05:51 PM bhb: ahah
5:05:52 PM elite yousif: then i followed his profile and he actually WAS the director of black hat
5:05:54 PM elite yousif: oh well
5:05:59 PM elite yousif: he knew i wasn’t kidding

This did happen, although he and his friends would usually get bored and give up after a few calls:

5:06:00 PM elite yousif: i called him
5:06:03 PM elite yousif: 1000 times
5:06:07 PM elite yousif: i cussed him out badly
5:06:12 PM elite yousif: and i demanded to talk to his wife
5:06:14 PM elite yousif: so i can cuss her outtoo
5:06:17 PM elite yousif: her out too*
5:06:18 PM elite yousif: but he wouldn’t elt
5:06:20 PM elite yousif: let*

Remember kids, don’t DDOS on a school night:

5:14:51 PM elite yousif: ask him if i DDoSed his *****
5:15:03 PM elite yousif: he’ll either lie and say ‘it’s server issues @ night” or he’ll admit like a ***** i owned him
5:15:25 PM bhb: hah what an idiot.  how long did you ddos him for
5:15:36 PM elite yousif: for about 2-3 hrs
5:15:42 PM elite yousif: i was bored and it was late
5:15:45 PM elite yousif: i had school next morninig
5:15:47 PM elite yousif: so i let him go
5:15:48 PM elite yousif: lol

There’s a $400 bounty on my head.  My wife, a friend, and I considered faking some photos and video to claim it, but I guess we’re just too nice:

5:33:36 PM elite yousif: can you go to missipi?
5:33:39 PM elite yousif: ill pay you like
5:33:42 PM elite yousif: 400
5:33:44 PM elite yousif: to beat his ***** for me
5:33:46 PM elite yousif: no joke
5:34:03 PM bhb: lol maybe if im hard up for some money one day
5:34:14 PM bhb: you should definitely go though, that ***** would be classic
5:34:28 PM elite yousif: do u know anyone would do it?
5:34:34 PM bhb: show all the whitehats that you dont ***** with the blackhats cause they take it into RL
5:34:36 PM elite yousif: i seriously will pay $400 for it
5:35:06 PM bhb: i dont know anyone up for that but it shouldnt be too hard to find
5:35:20 PM bhb: lol craigslist, i bet theres tons of local rednecks there that would do it
5:35:27 PM elite yousif: lol
5:35:35 PM elite yousif: id rather talk to someone i already know
5:36:03 PM bhb: hah just tell them the money transfers when you see a jpg of his bloody nose lol
5:36:33 PM elite yousif: rofl
5:36:35 PM elite yousif: good idea
5:37:28 PM bhb: http://northmiss.craigslist.org/
5:38:10 PM bhb: i dunno what category lol
5:38:15 PM elite yousif: lol
5:38:17 PM elite yousif: murder
5:38:20 PM bhb: loool
5:39:57 PM bhb: services - labor & moving, that probably has the most steroid pumped rednecks
5:40:15 PM elite yousif: lol
5:40:21 PM elite yousif: bro i would never do it off tehre
5:40:27 PM elite yousif: ***** u know feds just hang out there
5:40:30 PM elite yousif: waiting for somone to ***** up

I’ll leave you with the last words he had to say to my dummy AIM account:

7:28:14 PM elite yousif: yo
7:28:30 PM elite yousif: is there a way to make your cd burner recognize dvd-r’s?

Brilliant.

I ran across this after I finished reading back-to-back reviews by Phn1x and Ilfak Guilfanov of the sounds-like-it’s-excellent “The IDA Pro Book“ by Chris Eagle, from No Starch Press.  Excellent reviews, and the book looks really good.  Please don’t confuse it’s coolness with the lameness I’m about to copy-paste about. I’ll probably wind up buying a copy of Eagle’s book.

The Syngress IDA book, though?  Not so much.

I didn’t know Syngress had an IDA Pro book when I went to Amazon to look at No Starch’s.  There’s a reason for that:  It’s awful.  I can say this, with certainty, without ever having picked it up.  I don’t normally feel this strongly without at least reading the book, but the universally bad reviews of “Reverse Engineering Code with IDA Pro” are quite damning…

…and hilarious :).  Which is why I’m pasting select comments from the various reviews here, as they tickle my funny-bone:

ZT says:

Do we really need half a page to print a table that does nothing but list every possible form a MOV instruction can take?

..and:

For heaven’s sake, the book was published FOUR MONTHS AGO, and already the repository for the book’s source and binaries has disappeared?!  Come on, this is unacceptable. Every time the book dedicates an entire chapter to disassembling a binary, you have to pretty much skip the entire chapter, because the binary isn’t available for you to disassemble. You can’t follow along.

magicmac2000 chimes in with:

And finally, there is information in the index of a chapter, but the pages are not there! It is not a problem of my book, it is a problem of the edition itself!

Hah what?  There’s entire chunks of the book missing:

(Chapter 4) claims to have this items:
Understanding Execution Flow, Tracing Functions, Recovering Hard Coded Password, Finding Vulnerable Functions, Backtracing Execution, Crafting a Buffer Overflow.
The problem is that the editors (Syngress) forgot to include the latest three. Yes, exactly as you hear it: the editors forgot to place those pages on the book.

Even one of the authors, Justin Ferguson, gave it a negative review:

This is my second attempt at reviewing the book I helped write, Amazon continues to censor me probably because my encouragement is not to buy this book (after dealing with syngress, I wouldn’t advise buying anything that comes from them). I don’t know how to say this other than I apologize to everyone who purchased this book, it really was supposed to be much more. However the corporate world being what it is, it was rushed from deadline to deadline without any regard for quality, the editors actually introduced errors, many of the diagrams are unreadable and theres parts of the book just flat out missing. DO NOT BUY.

Ouch!  You can check out the reviews for yourself here.  I think I’ll be getting Chris Eagle’s book instead.

Switching the site over to the new theme didn’t go as quickly as I had hoped, but it seems to be working now.  I’ve changed how things are organized too, so it should be easier to find things.  Most of my readers seem to be those interested in the technical guts of security, so I’ve done my best to set the ratio of content to fluff as high as possible.

…I’d spend a fair amount of time cleaning this inbox:

Thankfully, it’s just a glitch.  Probably something to do with GMail being a little messed up today.

2**32 minus 2, strangely enough :).

Edit: It decrements by 2 each time I click to another folder and then back to Inbox.

Thanks to HD Moore for this via twitter.  Splunk ad versus linkedin profile found via google:

I can’t stop giggling.

Everybody else is posting their picks for the talks they want to attend at Blackhat USA 2008.  I’m not going, but Chris Gates, of the excellent carnal0wnage blog, and I have decided to post our picks as part of an armchair “Blackhat Fantasy League”.  This’ll serve as a nice reference for myself when audio/video of the conference is released too.

(Edit: Chris just posted his picks.  There’s a nice web security flavor to his choices)

It really is a shame that I won’t be able to go, since our good friend Yousif Yalda promised to “beat me down” there.  Assuming I could make it to each talk, between all the beatings, here’s where I’d like to be:

Day 1 - 10:00 - 11:00

Fyodor Vaskovich - Track: The Network

This is going to be outstanding.  I always enjoy hearing Fyodor talk about nmap internals and tricks used to get more speed out of it.

Day 1 - 11:15 - 12:30

Dan Kaminsky - DNS Goodness

Pretty obvious choice here.  I feel sorry for the other speakers on during this time slot.

Day 1 - 13:45 - 16:30

Lots of folks - Iron Chef Fuzzing Challenge

Jacob West, Charlie Miller, Geoff Morrison, Jacob Honoroff, Sean Fay, Brian Chess finding vulnerabilities, Iron Chef style.  The Cisco shellcode/backdoor talk almost beats this out, but I had a lot of fun listening to the last Iron Chef challenge.

Day 1 - 16:45 - 18:00

Val Smith, Colin Ames - MetaPost-Exploitation

I’m on a Metasploit kick right now :)

Day 1 - 18:00 -

The Pwnie Awards

Day 2 - 10:00 - 11:00

Felix Lindner - Developments in Cisco IOS Forensics

I haven’t gotten my hands dirty with the guts of IOS, so I think I would enjoy this.

Day 2 - 11:15 - 12:30

Eric Filiol - Passive and Active Leakage of Secret Data from Non-Networked Computer

The description on the Blackhat site is kind of vague, but it sounds fascinating

Day 2 - 13:45 - 16:30 (?)

Lukas Grunwald - Hacking and Injecting Federal Trojans

Law enforcement injecting trojans into software downloads… neat… (this one is scheduled back to back with itself, so I don’t know if it’s a continuation or what?)

Day 2 - 16:45 - 18:00

Patrick McGregor - Braving the Cold : New Methods for Preventing Cold Boot Attacks on Encryption Keys

Having written msramdmp, I definitely have an interest in talks on cold-boot memory attacks :)

I don’t normally pay much attention to banner ads, especially for diploma mills, but this one caught my eye:

I thought to myself, “That looks familiar.  It’s almost as if I have been there before…”

I have:

Swalm Hall, on the Mississippi State University campus.  This is about half of a mile away from where I work part time as a graduate researcher at the MSU Center for Computer Security Research while I finish up my Ph.D.  As an undergraduate, I had a technical writing class in Swalm, and attended entrepreneurialship lectures in the auditorium.  While it’s a relatively new building, built while I was an undergrad, it was designed as a replica of another, older building on campus, Lee Hall:

These two buildings face each other, on opposite sides of the drill field.  I had actually convinced myself that the University of Phoenix was using an image of Lee Hall, and was halfway through writing this blog post, when I went looking for an image of Swalm Hall to give the post some character.  In the process, I stumbled across the picture of Swalm above, which appears to be the exact image they used (or very close).

We can’t quite offer a 13-month degree here, but at least we don’t have to claim buildings from other campuses :).  If you’re ever in the area and want the grand tour, let me know.

• Original flash version of the ad
• Blog post where I found the pic of Swalm, and probably where the “artist” for the ad found it too

It’s a weekend, so I’m all for a fun post.

The sexyhacking.com videos are not safe for work, however they’re probably even less arousing than you’d think.  They are hosted on YouTube, after all.  You might want to have a look, though, since they’re funny (intentionally and unintentionally), and who knows how long they’ll actually be around.

In the second video, described as Episode 1 in a series called “Naughty Script K1dd13″, basic compilation and usage of nmap is covered by a somewhat disinterested teacher.  It must be hot in the classroom, since she’s unbuttoned her shirt about halfway down.  Strangely enough, while nmap is displaying its scan, they censor the IP addresses involved with COPS-style pixelization:

If you’re paying more attention to the terminal than the girl, you’ll notice that they’re not very thorough.  At 3:49, we catch the video editor asleep at the wheel as the traceroute pops up :

…and at 3:50, the censor wakes up :) :

I’m not even sure why they’re attempting to hide the IP address.  It’s stated in the narration that sexyhacking.com will be used as the target, and the IP address revealed above is simply what you’d get doing a DNS lookup of sexyhacking.com…

(so long as Dan Kaminsky isn’t angry at you)

So, to sum it up:  If you’re redacting information out of a video you’re publishing, you not only have to worry about people being able to reverse engineer your pixelation (just black it out!), you’ll also have to make sure you blot it out of every frame :) .

I just received these two pictures via email from my major professor, and thought I’d share.  They’re from a series of mock trials that were held for this past fall semester’s computer forensics class.  The students had the opportunity to take the stand and present expert witness testimony regarding the evidence that they had examined as part of a class project.  We had a real courtroom, a real judge, real attorneys, and another university’s students sitting as a jury.  I sat as the accused for a few cases, and also helped guide the defense attorneys through some of the more technical aspects of the forensics.

Thankfully, with the inexperience of the expert witnesses, and coaching my attorney a bit (he had an engineering background, which helped), I was found to be not guilty :) .