DISCLAIMER : [Insert the biggest, most comprehensive lawyerspeak here]. Basically, the author(s) are NOT RESPONSIBLE for anything arising out of the information presented below. Enjoy.

Contents

• Shellcode : The assembly cocktail
  { A superb introduction to the subject by Samy Bahra }
  { Contact : samy at kerneled.com }
  
  
• Interview Excerpt : Dan Verton
  { by Von Spangler }
  { Contact : vonspangler at infosecwriters.com }

• The RMIT Journal
  { A regularly updated section detailing stuff that I do at uni }
  

• How can you contribute ?
  { Procedure for sending submissions for the zine }

Learn

Don't you know that in a race,
everyone runs,
but only one runner gets the prize,
When you run, run for the prize .. (I Corinthians 9:24)

Music : U2, Toploader, Matchbox Twenty, Sting

r00ting the hacker - the Dan Verton interview
By Von Spangler

Recently I interviewed Dan Verton - the author of The Hacker Diaries: Confessions of Teenage Hackers. He is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure protection. (see: DanVerton.com)

The interview covered a range of issues, (some of which are discussed in The Hacker Diaries: Confessions of Teenage Hackers) including: Why the continuous rise in cybercrime; hackers - the ones behind this - who are they; what do we know about
them beyond the shallow media reports; why do they do what they do; a look at the changing hacker culture,
i.e. the hacking scene today; a look at the contradictions and perhaps ironies within this culture; an examination of ethics and the
sensitivities still involved; and how do the security/law enforcement world regard such ethics…

This interview will be published in full in the upcoming Recommended Reading section. But I give to you an excerpt; a question I threw at Dan. He gave me a truly interesting response. Something for you to think about…

Q: Evidently hackers play a major role in the nurturing of script kiddies. Hackers find and publish exploit-scripts and tools along with step-by-step instructions which these kiddies take advantage of. Hackers probably would not admit they are the arms dealers and a cause for the script kiddie population explosion. In fact many categorically express their disdain and denounce script kiddies, for it is their actions that consequently do most of the staining on hackers' reputation.

What does this say about the hacking culture and their fervent belief that information and resources should not be censored from anyone? Can it be said that this particular belief seems to oddly bite back at them?

A: Well, my view is that freedom of research is a good and necessary thing. We may not always like what we discover, but better that it is discovered and published in a responsible manner so that people and companies can take steps to protect themselves than for those discoveries to only be known by those who would do us harm.

That said, the old argument that all human knowledge should be free and that hackers who hack into corporate systems to let that information out is utterly ridiculous and it demonstrates the limitations of the hacker mind. That's right, I said it, the limitations of the hacker mind. Most people like to believe that those who are talented enough to breath life into silicon are just great thinkers in general. Well, that is by far not the case for every hacker. What many hackers have in technical prowess and genuis, they lack in a wider understanding of the unintended consequences of their actions. It's sort of like the Mutually Assured Destruction (MAD) concept of nuclear war. Nobody wins. The same is true for the traditional hacker argument that all information should be free and non-proprietary. Well, try to make a living in such an environment and feed your family. Chaos does not make for a stable society where good ideas and a little bit of entrepreneurial spirit are rewarded.

The recent flap over the Adobe e-book encryption is a good example. Why would anybody want to break through that encryption protection unless they were trying somehow to beat the system in a dishonest way? I'm a writer, so it strikes close to home for me. I have a right to my own ideas and to make a living based on those ideas and to feed my family based on my ability to put those ideas down on paper (real paper or digital paper) and to sell those ideas to those who are willing to buy it. Hackers do not have a right to make those ideas that I created available to everybody at no charge. They are mine and mine only to distribute and sell. This is where the notion of information being inherently free is absurd.

The RMIT Journal
By Arun Darlie Koshy

This issue has taken a long time ... due to a lot of factors (shifting , lack of focus and contributions). Neways, Its been quite an experience... and with the help of my lord Jesus Christ, I'm facing each day with confidence.

Currently, I'm enrolled as an M.S Student (Information Security) at RMIT (Department of Mathematics) .. here's the first essay I had to write as an assignment (Case Studies in Infosec)

Eve, Let's play hide and seek

I assume that this is being read by people who can google OR are lurkers/participants on groups like sci.crypt. Let's look at the factors presented :

• relevance of containers
  
  
• change in comm. patterns
  
  
• all points having the word "image(s)"

Assuming a giant Eve (say the millitary/govt). What would I do ? Steg is just ONE of the blocks we get to play with.

Why should'nt you use your Legos ? Evaluating only the technological aspects (cut out real-world possibilities like tempest attacks, torture etc) :

Level One - Building your Steg chain

1. Use diverse (muiltiple) container options (leave out popular ones that are found out on a simple google eg. images)
   
   
2. Create your own steg tools as a part of the chain
   
   
3. Use an open-source information base (less chance of being rigged by the Govt) for other tools and ideas.
   
   
4. TTL for the containers itself should be limited. Explained later.

Level Two - Applied Cryptography

1. Use a good algo with a known work factor to break (Asymmetric options : DSA-Elgamal-AES combo @ 2048 bits, AES here can stand for ur favorite block cipher)
   
   We assume here that using magic, Eve cracks it in time T
   
   
2. Set TTL < T (by hosting the containers on some P2P networks, and other controllable mediums)
   
   
3. Step 1 is used to send the initial plans, if required in combination with real-world methods
   
   
4. Repeat 1 - 3 as long as required to complicate before introducing actual data-ciphertext.
   

The basic idea is to keep up the time difference. The whole scheme is very expandable.

Useful Resources

http://www.gnupg.org

http://www.pgpi.org

http://www.cl.cam.ac.uk/~fapp2/steganography/stego_soft.html

Topics (but definitely not restricted to):
algorithms, stuff related to systems programming and applied network security.

Style:
The zine advocates a "hands-on" approach when it comes to tech.. Get to the code or point. Provide references and links if necessary (especially if you're presenting a fresh perspective on something already known).

All images, content & text (unless other ownership applies) are © copyrighted 2003, Infosecwriters.com. All rights reserved. Comments are property of the respective posters.