Since I’m the one with the MacBook, it has become my duty to print the coupons that she forwards along to me.  I was happy to see there was an OS X version of the app, and installed it, only to find out the following:

Well that’s sort of annoying.  It just sends the job right off to the default printer, without asking about anything beforehand.  What’s worse for me is that it won’t “print” to a “graphic format like a PDF”.  A large percentage of my time, I’m not on a network with a printer, so I typically print things to postscript (.ps) files (bravo to Apple for building this into the OS and making it so easy).  When I want the hardcopies, I just tar them up and send them to a shell account on a server where I do have access to a printer.

Since this app doesn’t give me the usual printing dialog box with the option to “print to .ps”, I just had to hack together something.  I created a new printer in “System Preferences”->”Print & Fax”, with the following settings:

I then set this as my default printer.  Next, I set up a netcat listener to listen on the JetDirect port (9100), wait for a print job, and dump the incoming postscript to a file:

nc -l 9100 > output.ps

Once netcat is running and listening, you can print to the printer that you set up, and the result is a postscript file that you can then view, convert, print, etc.  It’s a pretty simple and painless procedure, if you’re dealing with an app that doesn’t play nicely with the printer dialog box.

• Conference Recordings - 25C3 Public wiki

At the current time, many talks are not available in the official releases.  There are unofficial recordings of the streams that have talks that are not yet in the official release directories:

• Real-time Recordings

The mirror at http://mirror.informatik.uni-mannheim.de/pub/ccc/streamdump/ seems to have the best speed for me at the moment, despite being on the other side of the pond.  Unfortunately, the stream recordings are also missing part of day 4 of the conference, which even more unfortunately means that they are missing Applebaum and Sotirov’s talk, MD5 Considered Harmful Today, which has drawn a lot of attention over the past week.  Hopefully the releases of official videos will continue, and include this and some of the other missing talks.

There’s plenty to keep you interested while you wait, though.  Here’s a couple of tips to help you understand the bare directory structures of the mirrors, if you don’t pick it up from context:

• “Saal” is German for “hall”, or “large room”. 
• “Tag” is German for “day”.

…and that’s about as far as my German skills go.  You’re on your own for the German-language talks :)

• Microsoft’s Security Bulletin

It’s a 50-minute class, and pretty strictly so, since the Information and Computer Security class is held immediately afterwards :).  Due to the limited time I have, I’ve scaled back my coverage of these two chapters to what you see in the following slides.  I’m focusing on the basic data structures used by “extx” to point at files and metadata, such as the superblock, group descriptor tables, and inodes.  I’ve included an example of finding a file on a filesystem using only dd piped through xxd and less, and some discussion of what a forensic examiner or someone tasked with data recovery should be on the look-out for.

Unfortunately with this PDF version of the slides, you won’t see the slick Keynote animations I’ve worked into my lecture.  I’m considering expanding the detail and coverage of this, and recording the slideshow as a video with narration for this site:

• Slides - PDF Format (through the “Reduce File Size” Quartz Filter)
  

Enjoy!

Edit: Wow, that filter really killed the screenshots, uploaded the full-res version

• http://avondale.good.net/dl/bd/

…and what’s more: There are MP3’s available of the recent Black Hat USA 2008 and Defcon 16 conferences :-D.  I’m looking forward to stuffing my iPod full of these:

• http://avondale.good.net/dl/bd/blackhat-2008-usa-audio/
• http://avondale.good.net/dl/bd/defcon-16-audio/

Many other excellent conferences have materials available in this archive, too.  I think it’s a great educational resource, and a great way to fill your head with new ideas in security between episodes of Pauldotcom Security Weekly, Network Security, and Securabit.

Many thanks to darkoz and the new hosts!

I’m looking forward to meeting the students of this class, and I think I’ve got a pretty good lecture lined up for them.  I’ve made the slides and notes available here on my website, for the students, and anyone else who is interested:

• Principles of Secure Software

A web accessible edition of the original Saltzer and Schroeder paper is available here.

As someone who believes that the initial stages of a proper penetration test should include an intensive passive intelligence gathering phase, more than what most testers put into it, I believe that using Maltego is a really good starting point.  This is especially the case for pentesters that aren’t as experienced in open-source information gathering as they are in the later phases of a test (due to how their training was focused).  The output from Maltego gives a good base to work from, and is likely to put the tester in the right mindset to expand upon that information.

Mubix, over on his Room362.com blog, has started a series of posts on the new version of Maltego, and it should be very informative to both those new to Maltego, and those, like me, who are aware of older iterations, and would like to know how things are progressing:

• Maltego 2 and beyond - Part 1

The other night, Mubix did some information gathering on me, using Maltego, and I was impressed with the output.  At the very least, it will find much of the same information that an experienced intelligence gatherer will find in his or her first stages, in a very short period of time (5 minutes in this particular case).  I’m looking forward to seeing the rest of Mubix’s series on the new version.

Edit: Chris Gates, of the Carnal0wnage (definitely McGrew-approved for techie security geek content), has a nicely detailed writeup on Maltego over on the Ethical Hacker Network:

• Maltego Part 1 - Intro and Personal Recon

This looks to be a good series, too.  Definitely worth editing the post to add, as it’s too good to let flounder around down in the comments section.

I was getting bored of the call, and decided to fire up Audacity, in order to record some of his profane rants and play them back to him.  Once he wrapped his head around the fact that I was able to record the call, he decided that he wanted me to record a message to post here, on my website.

The following, is that message.  While I took this as an opportunity to play around with iMovie, I haven’t censored any of the language or idiocy that’s present in his audio.  If you are easily offended, then you might not want to watch.  If you’re at work, well, you might want to save this till you get home, or get some headphones :)

Edit: Yousif apparently didn’t like the fact that this video was in the “Related Videos” box for the commercial he made ripped off from Lanier Leather for his affiliate marketing site.  He managed to report the YouTube version of this video into oblivion, so here it is on metacafe:

Edit: Awesome comments down below.  Glad you could join us, Mark.  I guess this is where you can contact him for the time being.

Edit (Sun Sep  7 12:22:02 CDT 2008): As of this particular moment, the page seems to have reappeared on Google’s search.  Not sure why (glitch in the matrix), or for how long.  I’m going to leave this post up, though, as the topic is still very interesting.

Edit (Thu Sep 11 19:12:31 CDT 2008): Annnd now it’s back down, hard.

I’m definitely no SEO expert, and certainly not anywhere near an expert on the more arcane aspects of negative or blackhat SEO.  I did, however, have a good time reading about a tactic that some call “Google Bowling”.  The term makes it sound like a lot of fun, and I imagine it is–for the people taking part in it.  Here’s some links:

• Google Bowling - Can We Fight it?
• Google Should Offer Self-Defense Against Spammy Inbound Links

The idea here is: by creating links to a page on sites that are blatantly “spammy” and subject to a very negative weight by a search engine’s ranking algorithms (in this case, Google’s), the ranking of the target page can be dragged down, or, apparently delisted completely.  A little poking around in search results for “Google Bowling” reveals several groups that will do this for you, for a fee.  I doubt that the perpetrator in this case has the resources and skill to pull this off on his own, so I certainly hope it was worth whatever he paid :-).

This isn’t really the site you want to go for, regarding SEO information, and it’s little more than a curiosity when it happens to isolated posts on a blog, but it’s definitely something you might be interested in when it’s your organization being seriously targeted by a competitor that implements these tactics.  It’s difficult to see it happening, except for an occasional referer from a spam site.  The negative sites linking to you are almost certainly such SEO black holes that you won’t be able to find them reliably using Google.  It’s also difficult to figure out who’s responsible, unless the answer presents itself in the pages that have been “bowled”, as it has in this case.

The only real defense, from what I’ve read, is to minimize the impact of negative links by overwhelming them with positive links.  This is pretty easy for larger sites, and makes the cost of “bowling” pages on those sites quite a bit higher.  Smaller blogs, like this one, that average a few good incoming links per post are much more vulnerable.  In this particular case, I’m grateful to the guys at (the larger-than-this-site) attrition.org, who have kindly mirrored the Yousif Yalda posts on this site in their extremely informative and entertaining Charlatans pages.

Posts like this don’t have much technical content, but they’re fun, and the last one has been a wildly popular part of the site.  While you’re laughing your butt off, I hope you take away the real message here: do some background research on who you’re dealing with in the computer security scene.  If you got here by googling up information on this particular skiddie, then you’re already one step ahead of the game.  Just because someone has a legit-looking website and blog doesn’t mean they’re on the up-and-up :)

Since my first post about Yousif’s activities, I’ve had the pleasure of many late-night phone calls from him, being DOS’d for about a half hour, and having his friend threaten to hack my coffee maker.  I was promised a beat-down at Black Hat, although I unfortunately could not make it.  I am, however, sort of disappointed that I don’t warrant being stabbed, like Yousif has threatened to do to Lee Hinman over at the excellent writequit.org blog.  He is, however, willing to pay someone else to do the dirty work.

In the meantime, he hasn’t let up in his activities.  He has been hanging out on an Internet marketing forum, although his taste for script-kiddie hacking has not subsided.  He still has a penchant for attacking sites outside of well-defined pen-tests, still loves to threaten people who correct him, and runs his own small botnet.

Apparently looking to supplement his vapt-sec.com income with some cost-per-action fraud, he’s been hunting around for cohorts to develop software to fill out forms and offers on CPA advertisers, and to come in through his referral links from multiple IP addresses to fill out forms.  I took this as an opportunity to form my own “black hat” alter-ego, and have a good heart-to-heart chat with Yousif.  After a couple of boring evening chat sessions building up my “black hat” cred with him, he began to open up.

The following are some choice excerpts and quotes.  I’ve censored both his language and mine.  I do swear in-person, occasionally on IRC, and rarely on the blog, however I did ratchet it up about 12 notches with “elite yousif”, to build rapport.

Since he gets others to write his software for him, he occasionally gets his languages confused:

11:03:05 PM elite yousif: So
11:03:12 PM elite yousif: You know anyone who has botnets
11:03:39 PM bhb: i have a couple friends who might.  have a need?
11:03:50 PM elite yousif: Yeah
11:04:37 PM elite yousif: It’s quite helpful in CPA
11:05:16 PM bhb: yeah i was thinking of writing some code to work through a botnet, filling stuff and using the random ID generator
11:05:27 PM elite yousif: No need, lol.
11:05:35 PM elite yousif: I’m making something like that as we speak.
11:05:39 PM bhb: nice
11:05:50 PM bhb: what language do you code in
11:06:01 PM elite yousif: What language did I code this in?
11:06:11 PM bhb: yah
11:06:41 PM elite yousif: Net
11:06:54 PM bhb: c#
11:06:55 PM bhb: ?
11:07:21 PM elite yousif: nope
11:07:22 PM elite yousif: .NET <
11:07:29 PM elite yousif: Microsoft, ya know?
11:08:01 PM bhb: .net’s a platform, theres lots of languages you can code targeting .net
11:08:06 PM bhb: vb.net maybe?
11:08:13 PM elite yousif: Yeah, that’s right.
11:08:21 PM elite yousif: Vb.NET <

Don’t mess with this guy.  Especially in school:

11:56:56 PM elite yousif: No one ***** w/ me..
11:56:59 PM elite yousif: No one @ all.
11:57:02 PM elite yousif: Not even in school
11:57:03 PM elite yousif: They know
11:57:05 PM elite yousif: I can change their grade
11:57:09 PM elite yousif: expell them
11:57:10 PM elite yousif: frame them
11:57:11 PM elite yousif: etc
11:57:17 PM elite yousif: I can drop your docs too
11:57:21 PM elite yousif: know what shoe size you wear
11:57:23 PM bhb: heh nice
11:57:25 PM elite yousif: know your fam history
11:57:27 PM elite yousif: CC
11:57:29 PM elite yousif: S#
11:57:30 PM elite yousif: where u live
11:57:30 PM elite yousif: etc
11:57:59 PM bhb: knock some kiddies on their ***** online lol
11:58:18 PM elite yousif: lol
11:58:59 PM bhb: ***** haters lol
11:59:09 PM elite yousif: I know AOL internals too
11:59:11 PM elite yousif: ppl who work there
11:59:13 PM elite yousif: with high privs.
11:59:14 PM elite yousif: can easily
11:59:16 PM elite yousif: hi jack
11:59:19 PM elite yousif: any AOL/AIM account
11:59:22 PM elite yousif: and get info behind it
11:59:23 PM elite yousif: =D
11:59:31 PM elite yousif: i social engineer as well
12:00:08 AM bhb: hah that’s useful

A social engineering mastermind, to be sure.

Here, he’s a little sore that his affiliate program dropped him after figuring out his referrals weren’t legitimate:

12:03:12 AM elite yousif: you haven’t made any money in CPA yet?
12:03:43 AM bhb: haven’t even started.  just been reading up on it on the side, besides coding and work
12:04:30 AM elite yousif: ah
12:04:40 AM bhb: you made much?
12:04:42 AM elite yousif: I got my account terminated
12:04:45 AM elite yousif: 2 days ago
12:04:48 AM elite yousif: from a network
12:04:52 AM elite yousif: ***** bro, i swear
12:04:52 AM bhb: haters
12:04:53 AM elite yousif: I lost
12:04:56 AM elite yousif: 2000+ dollars
12:04:59 AM elite yousif: I better get my ***** back
12:05:00 AM elite yousif: OR
12:05:08 AM elite yousif: I’m gonna make my affiliate managers life a living HELL
12:05:14 AM elite yousif: I have access to her AIM account
12:05:15 AM elite yousif: verizon
12:05:17 AM elite yousif: photobucket
12:05:19 AM elite yousif: paypal
12:05:20 AM elite yousif: blogger
12:05:23 AM elite yousif: and some other *****
12:05:25 AM elite yousif: and facebook
12:05:29 AM elite yousif: she doesn’t know it yet
12:05:31 AM elite yousif: but I phished that *****

Bragging about taking down RSnake’s site (note: there’s an excellent chance this never really happened):

3:00:44 AM elite yousif: you know rsnake?
3:00:46 AM elite yousif: robert hansen
3:00:48 AM elite yousif: famous as *****..
3:00:49 AM bhb: yeah
3:00:51 AM elite yousif: k
3:00:51 AM elite yousif: well
3:00:53 AM elite yousif: his site
3:00:54 AM elite yousif: let me find it
3:01:03 AM bhb: ha.ckers.org or something
3:01:22 AM elite yousif: nah
3:01:23 AM elite yousif: his company
3:01:29 AM bhb: oh i dunno
3:02:26 AM bhb: sectheory?
3:02:58 AM elite yousif: yeah
3:02:59 AM elite yousif: rofol
3:03:02 AM elite yousif: i ddosed that
3:03:03 AM elite yousif: with my friend
3:03:04 AM elite yousif: in like
3:03:05 AM elite yousif: what
3:03:06 AM elite yousif: maybe
3:03:09 AM elite yousif: 3 mins
3:03:10 AM elite yousif: it was down
3:03:14 AM elite yousif: some security expert eh?

If there were any doubts about how he’s taking part in CPA fraud:

4:44:10 PM bhb: how are you supposed to make any money at it if you arent botting it anyways lol
4:44:25 PM elite yousif: what do you mean?
4:44:48 PM bhb: like automating it through a bunch of proxies/bots
4:45:02 PM bhb: how can you find that many people wanting to do it legit to keep making money
4:45:14 PM elite yousif: lol
4:45:17 PM elite yousif: u infect more victims
4:45:22 PM elite yousif: you market your trojan or w.e.
4:45:27 PM elite yousif: and more ppl open it
4:45:37 PM bhb: heh yeah so a loose definition of “legit” lol :D
4:45:48 PM elite yousif: yep
4:45:48 PM elite yousif: lol
4:45:59 PM elite yousif: you know what company is cool though?
4:46:03 PM bhb: you have nice custom trojans for it?
4:46:03 PM elite yousif: ******
4:46:10 PM elite yousif: i talked to the owner
4:46:10 PM bhb: cool you work with them too?
4:46:12 PM elite yousif: really cool guy
4:46:14 PM elite yousif: says
4:46:18 PM elite yousif: i can do black hat if i want
4:46:21 PM elite yousif: and he wont term. my account

Then, I managed to get him on the subject of yours truly :):

5:02:12 PM elite yousif: LOL
5:02:19 PM elite yousif: http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0545.html
5:02:21 PM elite yousif: that link u sent me
5:02:25 PM elite yousif: i know the guy who wrote that
5:02:27 PM elite yousif: wesley mcgrew
5:02:30 PM elite yousif: that dude is such a *****
5:02:36 PM bhb: he talks like one
5:03:01 PM elite yousif: he started talking ***** about my business and me because he claims that i hack around sites without permission and that i gave him access to my computer, WTF..
5:03:25 PM elite yousif: so i told him to go to black hat in vegas, and he said hes not going this year — i told him if i saw him id tackle him

I’m not really sure if the following about the director of Black Hat contacting him is true (I never contacted the Black Hat folks about it, since it’s not really a credible threat).  He probably just made it up after he found out how much Black Hat costs:

5:05:11 PM elite yousif: u know what he did
5:05:11 PM elite yousif: he spoke with teh director of black hat
5:05:11 PM elite yousif: and he told him that i would beat his ***** if i saw him
5:05:11 PM elite yousif: so he got scared
5:05:11 PM elite yousif: so the director listened to him
5:05:20 PM elite yousif: and said i cant attend black hat this yea
5:05:20 PM elite yousif: year*
5:05:38 PM bhb: lol that’s hilarious did the director email you or something
5:05:44 PM elite yousif: no he IM’d me
5:05:51 PM bhb: ahah
5:05:52 PM elite yousif: then i followed his profile and he actually WAS the director of black hat
5:05:54 PM elite yousif: oh well
5:05:59 PM elite yousif: he knew i wasn’t kidding

This did happen, although he and his friends would usually get bored and give up after a few calls:

5:06:00 PM elite yousif: i called him
5:06:03 PM elite yousif: 1000 times
5:06:07 PM elite yousif: i cussed him out badly
5:06:12 PM elite yousif: and i demanded to talk to his wife
5:06:14 PM elite yousif: so i can cuss her outtoo
5:06:17 PM elite yousif: her out too*
5:06:18 PM elite yousif: but he wouldn’t elt
5:06:20 PM elite yousif: let*

Remember kids, don’t DDOS on a school night:

5:14:51 PM elite yousif: ask him if i DDoSed his *****
5:15:03 PM elite yousif: he’ll either lie and say ‘it’s server issues @ night” or he’ll admit like a ***** i owned him
5:15:25 PM bhb: hah what an idiot.  how long did you ddos him for
5:15:36 PM elite yousif: for about 2-3 hrs
5:15:42 PM elite yousif: i was bored and it was late
5:15:45 PM elite yousif: i had school next morninig
5:15:47 PM elite yousif: so i let him go
5:15:48 PM elite yousif: lol

There’s a $400 bounty on my head.  My wife, a friend, and I considered faking some photos and video to claim it, but I guess we’re just too nice:

5:33:36 PM elite yousif: can you go to missipi?
5:33:39 PM elite yousif: ill pay you like
5:33:42 PM elite yousif: 400
5:33:44 PM elite yousif: to beat his ***** for me
5:33:46 PM elite yousif: no joke
5:34:03 PM bhb: lol maybe if im hard up for some money one day
5:34:14 PM bhb: you should definitely go though, that ***** would be classic
5:34:28 PM elite yousif: do u know anyone would do it?
5:34:34 PM bhb: show all the whitehats that you dont ***** with the blackhats cause they take it into RL
5:34:36 PM elite yousif: i seriously will pay $400 for it
5:35:06 PM bhb: i dont know anyone up for that but it shouldnt be too hard to find
5:35:20 PM bhb: lol craigslist, i bet theres tons of local rednecks there that would do it
5:35:27 PM elite yousif: lol
5:35:35 PM elite yousif: id rather talk to someone i already know
5:36:03 PM bhb: hah just tell them the money transfers when you see a jpg of his bloody nose lol
5:36:33 PM elite yousif: rofl
5:36:35 PM elite yousif: good idea
5:37:28 PM bhb: http://northmiss.craigslist.org/
5:38:10 PM bhb: i dunno what category lol
5:38:15 PM elite yousif: lol
5:38:17 PM elite yousif: murder
5:38:20 PM bhb: loool
5:39:57 PM bhb: services - labor & moving, that probably has the most steroid pumped rednecks
5:40:15 PM elite yousif: lol
5:40:21 PM elite yousif: bro i would never do it off tehre
5:40:27 PM elite yousif: ***** u know feds just hang out there
5:40:30 PM elite yousif: waiting for somone to ***** up

I’ll leave you with the last words he had to say to my dummy AIM account:

7:28:14 PM elite yousif: yo
7:28:30 PM elite yousif: is there a way to make your cd burner recognize dvd-r’s?

Brilliant.