
Comment Re:Sounds like Acunetix (Score 2) 57

Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to how we're building the web 3.0 back-end:

(1) A link to the talk at ShmooCon on PunkSPIDER which gives more info than you'd ever want to know about the back-end: http://www.hyperiongray.com/shmoocon
(2) If you're in a rush you can read some basic stuff about it here: http://www.hyperiongray.com/node/18
(3) If you really want to get into it you can download PunkSCAN (the PunkSPIDER back-end) on bitbucket and take a look: https://bitbucket.org/punkspider/punkscan

And last but not least, if you want to know even more feel free to contact Hyperion Gray at punkspider@hyperiongray.com or follow me (Alejandro) at @DotSlashPunk on Twitter. Oh and thanks for the feedback on the buzzy name, it's meant to be a little over the top, but we'll keep your comment in mind!

Alex

Submission + - Hackers Unveil A New Way of Visualizing Web Vulnerabilities at DEF CON 21

punk2176 writes: Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and "big data" to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler, the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0.

A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here.

Submission + - Scientists Uncover First Hundred Thousand Years of Our Universe

An anonymous reader writes: In order to solve a mystery, you need to revisit the scene of the crime. In the case of the Big Bang, though, that's a little difficult. That's why scientists are using cosmic microwave background (CMB) radiation data to look back at the origins of our universe. Now, they've managed to get their furthest look back through time yet, catching a glimpse of the universe a mere 100 to 300,000 years after its birth.

Submission + - Researcher (ab)uses Big Data tech for large-scale attacks 1

punk2176 writes: Security researcher Alejandro Caceres demonstrated techniques and released open source tools to attack large (e.g. country-sized) beds of targets using "Big Data" technologies at this year's DEF CON 21 hacking conference. Caceres is best known for the controversial PunkSPIDER project, a project to vulnerability scan the entire Internet's websites and make them searchable by the general public.

The new techniques revolve around using an Apache Hadoop cluster and cloud technologies, such as Amazon's Elastic MapReduce, to conduct large, coordinated attacks. The researcher showed that by leveraging the MapReduce parallel programming concept, such techniques can be extremely effective. He demonstrated several use cases, including a coordinated, automated SQL injection attack that was able to steal system hashes at a rate of 1 target every 0.75 seconds, approximately 70 times faster than with conventional means. These techniques may allow a single attacker to conduct massive attacks against hundreds of thousands or even millions of targets, a task which would otherwise be too time-consuming, costly or complex for an attacker. More details on the talk can be found on the DEF CON website or at open source R&D organization Hyperion Gray's website.

Submission + - Lon Snowden, former Coast Guard officer, is on the way to Moscow

Max_W writes: Lon Snowden, the father of Edward Snowden, gave an interview to Reuters: http://www.reuters.com/article/2013/08/07/us-usa-security-snowden-idUSBRE97617S20130807 He is also practically on the way to Russia, to visit his fugitive son. He has already applied for a Russian Federation entry visa.

Edward Snowden's deeds could be debatable, but I am absolutely fascinated by his father's courage. He is calm and absolutely fearless in trying to save his son. Is it a former Coast Guard character? As we know Coast Guard officers are facing grave danger on a daily basis. Or would anybody act like this in his place?

Submission + - IBM Builds Programming Model For Brain-Like Computing (techweekeurope.co.uk)

judgecorp writes: IBM is working on a programming model for cognitive applications, which it hopes will provide something like a high-level language for producing brain-like programs, enabling "anyone" to make cognitive applications, just as FORTRAN did for conventional computing. IBM plans to build a brain with 10 billion neurons (about one tenth the number in the human brain). The project surely wins Acronym of the Week: it's called SyNAPSE (Systems of Neuromorphic Adaptive Plastic Scalable Electronics).

Submission + - Conflicting Views on the Science of Pain

ZahrGnosis writes: Popular Science, a stalwart of the scientific literature community, posted a couple of articles about pain research recently that are causing a bit of controversy. First, they posted an article titled Fetal Pain Is A Lie: How Phony Science Took Over The Abortion Debate that argues fetuses don't feel pain at 20 weeks due to a scientific consensus that the nervous system is underdeveloped at that point. Ironically, this argument has been used for years in a different setting: to claim that crustaceans don't feel pain (justifying among other things the live boiling of lobster). But PopSci also posted an article titled Crabs And Lobsters Probably Do Feel Pain, According To New Experiments. And now there's mild internet flaming going on. I know Slashdot doesn't venture into the abortion arena much, and I'm not trying to wade into political territory so much as understand the competing scientific commentaries (in so much as fetuses and lobster can be compared). But mostly I'm just curious what the Slashdot crowd thought.

Submission + - NVIDIA open sources SHIELD's operating system (paritynews.com)

hypnosec writes: NVIDIA has now open-sourced the operating system that powers the gaming console to encourage its modification and further development. Powered by NVIDIA's homegrown Tegra 4 processor, the console runs Android, which shouldn't surprise many as the company moves ahead with its open-sourcing intentions. The GPU company has said that the SHIELD is an 'open gaming platform' that allows for 'an open ecosystem', enabling developers to develop content as well as applications that take advantage of the underlying hardware and which can be enjoyed on bigger displays as well as mobile screens.

Submission + - Stop fixing all security vulnerabilities. (blog.risk.io)

PMcGovern writes: At BSidesLV in Las Vegas, Ed Bellis and Data Scientist Michael Roytman gave a talk explaining how security vulnerability statistics should be done. "Don't fix all security issues. Fix the security issues that matter, based on statistical relevance." They looked at 23,000,000 live vulnerabilities across 1,000,000 real assets, which belonged to 9,500 clients, to explain their thesis.

Submission + - Elon Musk Admits he is Too Busy to Build Hyperloop (ibtimes.co.uk)

DavidGilbert99 writes: It sounded like the future — a 600mph train taking people from San Francisco to Los Angeles in just 30 minutes. In fact it sounded like a future too good to be true. And so it seems to have proven. As Alistair Charlton at IBTimes reports, Elon Musk, the man behind PayPal, Tesla and SpaceX, has admitted that Hyperloop is a step too far and he should never have mentioned it in the first place — "I think I shot myself in the foot by ever mentioning the Hyperloop. I'm too strung out." Oh well, let's hope SpaceX works out a bit better...

Comment Re:Ethics (Score 2, Informative) 85

Hmm, a few issues with this...

1) The statement that we "just run Nessus" is incorrect. We wrote our own scanner that works on a Hadoop cluster. Why is this important? It means that we can handle a lot more scans than anyone else (several thousand per day with a small cluster) and it's also specifically made for mass scans. This is important in point 2 below.

2) The process you're describing is for finding a vulnerability in a piece of software in general (e.g. a common CMS), not a specific vulnerability in an implementation of a piece of software (e.g. a specific website). That's a huge difference. You wouldn't put a CVE up for a SQL injection bug in a specific implementation of a site (you would only if it was common to an entire CMS for example). Anyway, what we hope is to build a community of like-minded security folks that can help those website owners fix their *specific issues* first and if applicable go through the process you describe when needed. We also want to provide this for free.

3) What if the vulnerability is in a custom-built site that no one cares enough about to do security research on? Who's letting them know their issues? We hope to provide a view of this to the website owner and yes, push them a little to get their security ducks in a row.

4) We're not attention whores or jackasses. Calling people names isn't nice and makes us sad.

Comment Re:Couldn't find any - the results so far ARE pret (Score 3, Informative) 85

So one thing that we've been trying to make clear is that the project is *on track* to scan the entire Internet, we haven't scanned everything yet. We have scanned about 70k sites and have under 4 million indexed. Our next version is going to be clearer on what is and is not scanned - currently we just say 0 vulnerabilities if we haven't scanned it, indicating that we have not found vulnerabilities in it yet - not necessarily that it doesn't have any. This was all part of our ShmooCon presentation which just hasn't been released to everyone yet! The system is self-sustaining at this point so these numbers are constantly going up. The "not pretty" comes from the fact that we have over 100,000 vulnerabilities from just scanning about 70,000 sites (some sites have multiple vulnerabilities).

Submission + - The PunkSPIDER Project Controversy (theregister.co.uk) 1

punk2176 writes: "Recently I started a free and open source project known as the PunkSPIDER project and presented it at ShmooCon 2013. If you haven't heard of it, it's, at heart, a project with the goal of pushing for improved global website security. In order to do this we built a Hadoop distributed computing cluster along with a website vulnerability scanner that can use the cluster. Once we finished that we open sourced the code to our scanner and unleashed it on the Internet. The results of our scans are provided to the public for free in an easy-to-use search engine. The results so far aren't pretty.

In short, after having found tons of vulnerabilities, we've been blowing up. Social media users either love or hate us. Critics have been claiming that the results of our scans can be used for evil by script kiddies. We argue that these results will, more importantly, be used by website owners to check the security of their own websites or by website users to check the security of sites to which they entrust their sensitive data. Due to the controversy around the project, The Register asked us for our response and published an article about it. I'm curious to see what the Slashdot community thinks — do you think we are doing the right thing?"
