Digital Weapons

a reply to: verschickter

What's misleading about it?

I have 8000 characters available for an OP. It's a discussion on something rarely talked about in public.

If you wanted a highly technical discussion you came to the wrong place. This is a discussion for the general population of ATS.

a reply to: Jukiodone

No dude. This isn't my first "discovery". It is my first thread on the matter in the weapons forums. .

How about you discuss the topic instead of me?

a reply to: projectvxn
Because you ask so polite. The way you described stuxnet sounds like a 10 year olds description of something he heard at the dinner table. Far far far away from what I consider highly technical. You wrote that source code is now aviable while it has been for years. You never mentioned SPS, the target of the "digital weapon". If this is a discussion for the general population of ATS, at least keep the minimum facts straight.

That´s why I wrote it´s misleading and poorly researched and I stand by that.
I worked on SIEMENS step7 /wincc systems before, I can write in AWL and several other languages. I fully understand the way the controllers have been compromised. What you read about, that only six people in the world would have this knowledge, it´s totally wrong. I have worked Backtrack(kali predecessor) for years and went on deeper building my own kernels, scripts and metasploit ai.

I could bring much to this thread but if you want a low level conversation let´s see how much fruit comes out of this thread that has not been repeated to death.
Just because you do not want to hear my constructive critique.
I often get called wiseass for that but it´s why I registered here in the first place. Deny ignorance, hunt down false informations. If people feel pissed because I point them out on it, well...their bad.

a reply to: verschickter

Because you ask so polite. The way you described stuxnet sounds like a 10 year olds description of something he heard at the dinner table. Far far far away from what I consider highly technical. You wrote that source code is now aviable while it has been for years. You never mentioned SPS, the target of the "digital weapon". If this is a discussion for the general population of ATS, at least keep the minimum facts straight.

Stuxnet wasn't the point of the OP. Nor was any level of detail I added. You actually managed to miss the point entirely. I'm not a hacker nor a network admin. I am simply doing research on the topic by diving in as much as possible into the world of pen testing and computer security. What I am an expert in is weapons. I am also the Weapons forum FSME. This discussion is about weaponized code and how sophisticated hackers have become.

That´s why I wrote it´s misleading and poorly researched and I stand by that. I worked on SIEMENS step7 /wincc systems before, I can write in AWL and several other languages. I fully understand the way the controllers have been compromised.

Then by all means please provide a deeper explanation.

What you read about, that only six people in the world would have this knowledge, it´s totally wrong.

Those words were never included in my OP.

I have worked Backtrack(kali predecessor) for years and went on deeper building my own kernels, scripts and metasploit ai.

That's great. Perhaps I can learn something from you then.

I could bring much to this thread but if you want a low level conversation let´s see how much fruit comes out of this thread that has not been repeated to death.

I started the conversation, you're welcome to expand upon it. But please don't talk down to me or anyone else for not being experts in the field. That won't bring anything to the conversation.

Just because you do not want to hear my constructive critique. I often get called wiseass for that but it´s why I registered here in the first place. Deny ignorance, hunt down false informations. If people feel pissed because I point them out on it, well...their bad.

I would say you should communicate with people as if you were face to face with them. Have some basic respect and don't assume we're all a bunch of idiots for not explaining Stuxnet line by line while posting examples of its source code.

Once again, my field is weapons. Mostly firearms, and military weapons as that is my field of work. In order for me to have become so proficient with firearms I needed training. Currently I am embarking on training in the digital field.

a reply to: projectvxn
If you read my first post without bias you could have saved all the quote time. I will only adress the points that you got wrong.

The comment about 6 people was already some extra information, in case you read that there are only six people in the world. This is not true. I wrote it so you don´t asume I´m one of them.

I communicate like this way in real life. My words mean what they mean. Nothing between the lines .If you would stop reading what I wrote with bias and take it as it is, word for word... Can you tell me where there is disrespect or assuming you are all a bunch of idiots? That´s just you interpreting.
I even wrote it in my first post. No hate, just help.

So what do you want to discuss about? Whats the point of your thread then if you want to keep it flat?


Ignored that?

This is no hate, I just think this thread is missleading and poorly researched. But I respect your effort. Hundreds of kids reading threads and articles like that will download kali/any linux distri and will learn how software works not just learning and remembering where to click, that´s something at least

Nevermind:

The point of the thread was to shed some light on some of the new ways blackhat hackers can cause damage.

So what light did you shed on the new ways blackhats can cause damage?
What are those new ways?
Having a script kiddie distribution ported to androidOS?

Edit: If you have questions that you cannot google yourself, feel free to U2U me anytime. Might take a week since I´m not checking ATS daily.

It's amazing how much terminology has changed..

"Hackers" used to refer to the activity in general, sometimes with a focus on hardware. "Cracking" was used to refer specifically to breaking into code or passwords. "Phreaking" was more of a focus on doing these through telephony.

The most dangerous in the world tend to be white hats, as they tend to be sanctioned through governments or corporations, thus the nice fluffy term. Black hats were seen simply as those who had not been converted and catalogued as assets.

Simply put, psych warfare is effective. There really isn't an accurate term for those who do not wish to cause harm, and just as importantly, there is no clear dividing line and they can exist either as a white hat or black hat.

originally posted by: Serdgiam
The most dangerous in the world tend to be white hats, as they tend to be sanctioned through governments or corporations, thus the nice fluffy term. Black hats were seen simply as those who had not been converted and catalogued as assets.

I would count black and grey hats to the dangerous ones as the try get profit through non official channels(means breaking the law).
White hats at least are known as a person and they use their skills for good and with permission.

a reply to: verschickter

We can definitely agree to disagree on that one. That is certainly the way the labels are marketed, and Google will likely agree with ya.

The point was that the labels themselves are irrelevant to ethics, or even stated intent. In the same way, I don't believe that governments or corporations (and the actions of the humans involved) are necessarily altruistic just because their names and titles are public knowledge.

Not really important, other than analyzing the PR/psych component. To most, such things are not relevant.

I have been warning about cars, specifically, for years. Most still don't believe they can be hacked.

a reply to: verschickter

So what light did you shed on the new ways blackhats can cause damage? What are those new ways? Having a script kiddie distribution ported to androidOS?

You're focusing on an extremely small snippet of the OP detailing what I am doing for research purposes. I don't know why that seems to be where you're sticking.

Edit: If you have questions that you cannot google yourself, feel free to U2U me anytime. Might take a week since I´m not checking ATS daily.

I will most likely do that since network security isn't my strong suit.

a reply to: projectvxn

I´m sticking there because stuxnet/duqu is the most sophisticated known weapon aviable when it comes to cyberwarefare and you just skimmed it. So for me it´s one of the main focus points. It was the first known maleware,worm,virus combi -call it whatever- aimed on SPS/PLC controllers. The black boxes that take cyberwarefare into the physical realm (*except for the F35/F18G). That´s why I stick to it, it´s important for the topic in my opinion.

a reply to: verschickter

I´m sticking there because stuxnet/duqu is the most sophisticated known weapon aviable when it comes to cyberwarefare and you just skimmed it. So for me it´s one of the main focus points.

I agree, but it isn't the ONLY weapon out there. I skimmed it because I wanted to cover different avenues of attack. I also agree that is the most sophisticated digital weapon ever devised THAT WE KNOW OF. Stuxnet is a 4 year old weapon and in terms of technology it might as well be old hat.

It was the first known maleware,worm,virus combi -call it whatever- aimed on SPS/PLC controllers. The black boxes that take cyberwarefare into the physical realm (*except for the F35/F18G). That´s why I stick to it, it´s important for the topic in my opinion.

Yes it is. I apologize for the cursory look at it, but I was taking an overview of the battlespace.

Well damn... Guess it's time to maybe cut back on the physical target practice And maybe throw in 10-20 hours of coding practice.

Also.... Illuminati was strong with that first video lol so many people on that train.. I've seen so many peers in the video/photo/music editing world take on all these "signs" for various reasons... So silly

a reply to: projectvxn

Why use a term like "Digital Weapons" when Cyber Warfare is not only an established common term but is a military designation used in real world scenarios.

It alerts anyone who has taken the time to read up on the history of Cyber Warfare (which is an obvious extension of Espionage tradecraft and therefore not as "WOW" as you perceive) that you probably haven't done your research.

If I went into Aviation and made an ill informed post in the style of revelation where I labeled the B2 as a "surreptitious Flying Machine" I'm sure someone would point out it is already known as a Stealth Aircraft...

In your case you posted in a forum where you are the FSME so not only will you be corrected when wrong- but you will also be expected to actually have some knowledge in the area you are proposing to discuss.

a reply to: Jukiodone

Because they are weapons.

This thread isn't about me.

This thread isn't about me.

This thread isn't about me.

a reply to: projectvxn

A B2 is a "surreptitious flying machine" too but it would be remiss of me to insist on calling it that when everybody else uses the term "Stealth Aircraft".

Dont confuse criticism about the way you presented information as an attack on you- I'm sure you are a terrific fellow.

Before Computers there was an equally interesting period of telecommunications based "warfare" and before that people were using resonating cavities and radio waves (I.e "The Thing") as a part of their aggressive actions.

In fact next to projects such as "The Thing" Stuxnet is a medium sized endevour in terms of work and brainpower required as it is simply an exploit of existing flaws- not inventing new ways of doing things.

As I pointed in my previous post; most hacking today (such as traffic lights) is the exploitation of existing or undiscovered vulnerabilities...it is clever but it is not genius.

The genius tier is reserved for those that manage to get manufacturers and developers to incorporate elements that have "hidden in plain site" vulnerabilities in-built that only they can utilise.

originally posted by: Serdgiam
We can definitely agree to disagree on that one.

That is certainly the way the labels are marketed, and Google will likely agree with ya.

The point was that the labels themselves are irrelevant to ethics, or even stated intent. In the same way, I don't believe that governments or corporations (and the actions of the humans involved) are necessarily altruistic just because their names and titles are public knowledge.

Not really important, other than analyzing the PR/psych component. To most, such things are not relevant.

I have been warning about cars, specifically, for years. Most still don't believe they can be hacked.

Well but the labels ARE relevant to ethics. I bet you read that wikipedia article, it´s written a little bit confusing, the first sentence is a little bit misleading. Because of their job, penetration testing, it also involves social engineering as you will try to get inside any way. The ethics, at least that´s what drives me, is that you either are allowed by the institution/company and get paid for it or if not or by accident, you "bug out" and leave a message.
www.techopedia.com...
Gray hats, hat least the ones I know that call themselfes a "gray hat" will try to make a buck to other way. They claim to protect you by finding vulnerabilities/exploits and try to extort a bounty.


===============================================================
A nice example are the latest Alphabay blackmailings.
A group that calls themselves Co** N***** got wind of an alphabay developer that was bragging about his functions on reddit. Basically he explained in words how his Market was setup and how basic functions work.
Well. After two and a half week a younger member was able to download the php sources from the server by exploiting
a vulnerable POST function. The found several other vulnerabilities to exploit in future looking at the code. They were bragging in their IRC chan and you could download a snippet. Really bad codework I can tell you.

Now they had several scripts ready, had a backdoor to the sever. They had access to the btc hotwallet.
They knew his online times and build a histogramm based on that.
They approached the developer via mail but he did not react. They wanted 20BTC or they would destroy alphabay.

Alphabay developer does not react so they went open on reddit deep market list.
"The grayhats" warned the other people on reddit to pull their money because soon they would take it out by themselfes. Either really kindfully or a farce. As soon as alpha02 was online they started to DDoS his server. He denied the problems for hours and set up a cheap custom captcha to solve at the startpage. They were nearly dying of laughter on the public IRC channel because they had his custom script and it meant nothing to them. Solved already. BTW he was running a windows apache config.
However they somehow crashed the mysql-service and before that they pulled the database.

Now server was unreachable. I´m assuming they did not really had access to the hotwallet but the alphabay developer wired 10 BTC to them. Another user got stuff in the value of 12.5k$ for free because the developer saved the automarket transactions into a TXT (as he described) that was polled and updated every five minutes. He simply added his transactions into the file and voila.

You can follow the whole thing on reddit search "reddit deep market list alphabay", other infos are from their public IRC chan.
Most claim they hoaxed but I was on their public irc chan that night(it was night here) and followed the discussions on reddit as they unfolded. Even registered on alphabay just because of curiosity and yes, this code is awefully bad written from what I can tell.
===============================================================

...And also factor in that if you are skilled enough to actually discover zero day exploits, there are literally millions of dollars worth of bounties out there doing exactly that legitimately- with no risk of prison.


Obviously Car Hacking is very real and is an extension of the "Boston Brakes"- which was tinkering with the mechanics of a car (such as it's Brakes) and evolved to compromising the electronics (such as fly by wire controls) as a natural progression based on automotive technology.

I'm pretty sure if you could tell one of the guys who had to tunnel under an embassy or place a black box on a deep sea cable that their future activities would involve sitting at a keyboard, whilst leaving no physical evidence- they wouldn't believe you.


Grim reality is that Technology makes it easier to be surveilled and/or compromised unless you are in complete control of the entire development cycle, proprietary code, components and manufacturing used ( and also think about developing your own encryption methods as other peoples algorithms CANNOT be trusted).

a reply to: verschickter

I didn't get my info from wiki.

Thanks for the story!

a reply to: Serdgiam

I forgot to say the deal was like this:
Pay us 20BTC bounty, we offer fixes and you will be pentested for safety. We will be watching after you. Decline the offer and loose 1+ year of your work because we will destroy alphabay and never let you alone. Nucleus paid the bounty. Alphabay paid 10BTC, never looked back into it, I might follow with an update.