Hacking the Word - by Atlas
The last three weeks have been amazing and awful at the same time.
Two and a half weeks ago my wife and I picked up our adoptive daughter from the hospital! She's wonderful and tiring. Why did we do this? Kids need a loving home. Not all of them get them. Why a newborn? Wow... good question. Newborns are the reminder that something can be wonderful and terrible at the same time. Baby Abigail is an adorable little girl, mother from Zimbabwe, father is African-American. Apparently adoptive parents who are willing to adopt interracially are few, so we found out about our little wonder the day of our homestudy (the last part of adoption before the infamous "holding pattern"), 10 days before her due date! Standard time for waiting is between six months and two years. We are very blessed.
The wonderment did not stop there. And Biggel (her handle) is only responsible for half of my sleep-deprivation.
Friday, June 3rd saw the 10pm kick-off of the DefCon Hacking Capture-The-Flag (CTF) competition qualifying round. The new carriers of the DefCon CTF flag are the KenShoto group, and my hat's off to them. They did a great job!
Like a moron, I invited college friends to bring their three kids to visit for the weekend. They are not hackers... So, in order to avoid being rude (and incurring my wife's wrath) I relegated my hacking activities to post-bedtime... Friday and Saturday I didn't see the pillow before my ordinary alarm-clock setting. Surprising how 5:30am looks similar whether you're getting up or going to bed ;)
First stage was fun, with an easily hackable web-application using a hidden field and limited input-validation. It just took the appropriate amount of poking and guesswork. Finding the key was easy, so long as you took the logical route of grabbing /etc/passwd for all the information it contains. To be honest, I missed it. The "flag" was stored as the name of one of the users. I apparently was too busy looking for "real" information. In that respect, it was somewhat of a gimme, on the way to really hacking. I had already cracked a password and logged in before actually seeing the stage 1 key. The stage 2 key was provided when I logged in with the hacked user account. I was having fun already.
Stage 3 was much more difficult, and thus ultimately much more rewarding, and a great deal of the wonderment of my week. Logging into the account to get the stage 2 key, a binary file was pasted to my screen, the screen was blanked, the key was printed to my screen and I was logged out. Hmmmph.
That binary, upon inspection, appeared to be the program offering a service on port 6969. Attaining stage 3 meant finding a vulnerability in the binary and writing a remote exploit. As a talented security professional, this was still the territory of immortals. I nearly gave up when I realized what was required. I didn't.
I've been reading Erickson's book, "HACKING: The Art of Exploitation". Great book, but I had hit a dry patch (and been distracted by many other aspects of life) about page 20. It was dry because I knew it already... Given the challenge at hand, I looked in the table of contents to find buffer overflows (BOF) (which is the vulnerability-type I had determined to use). It started on page 23. DOH! So I quickly started back at page 20 and continued into the section on exploiting BOFs.
HTAE not only includes in-depth discussions of the hacking techniques, but provides examples which you can test and play with. Hands-on hacking. Nothing over the network (at least not where I was reading), but definitely enough to get started. That, coupled with a VMware installation of FreeBSD (the OS used on the "hackable" machine) and some debugging/reverse-engineering tools, and my blood/sweat/tears created a wholly original exploit (ok, so the payload was gratuitously stolen from the Metasploit framework, thanks guys!) but I made the mechanics work.
I felt as if Ben Kenobi himself patted me on the shoulder and said "You've just taken your first step into a bigger world." But it was the KenShoto guys (Snit, Invisigoth) who congratulated me. I think they took pity on me, since they realized I was a sploit-virgin.
Hacking the Word: The process of learning more and understanding the scripture better than the average joe. Hacking is about knowledge and understanding, exploring and devouring. The use of such knowledge is really superfluous to the actual meaning of hacking.
Hacking the Word is going beyond the normally accepted platitudes and trite phrases of religiosity, much like poking and prodding IIS to see what undisclosed "goodies" it has to offer, past that which mere mortals choose to accept. Much like Hacking computer systems, Exploiting the Word lies in how you make use of it. Scouring the Word to find the unknown gems (or just proving them for yourself) will yield interesting brain-fodder for discussion, digestion, and a perspective which is lacking in this world of despair and mortality. 'leet Word-Hackers find riches without the threat of prison (at least for the moment). Hacking the Word can be more difficult and even more intriguing than computer hacking. In order to understand the Word, it takes more than just finding an unchecked buffer and overwriting a return address. It requires context, which means that an understanding of the whole source code is important. That's why hacking teams are formed, which are able to bring the experience of many to the table for discussion. Often these hacking groups are led by experienced Word-Hackers, but they tend not to be exclusionary. leet-ness is gained through knowledge, not exclusion. The best line I've heard from one of these groups is "Don't take _my_ word for it. _Prove_me_wrong_!"
About a year ago I was introduced to new toolz and introduced to a new methodology to studying the writings of God's dudes (aka Biblos or the Bible, which means book). I attribute the new toolz and methodology to divine inspiration since nobody really "taught" me. I was met with a new way to get depth of understanding, at the same time I found a driving passion to learn more than what I'd been taught growing up.
The ensuing "devouring" of the Word led to intriguing discoveries and understandings. Many of the principles had been taught me since birth, but the context and word-origins were refreshingly new and gave me the ability to take a skeptic's view on the "obvious" meaning.
What were these toolz of mine, you ask? The Sword Bible libraries and modules, front-ended with BibleTime bible-study software.
The Sword provides many types of modules in many different languages. Being Open Sourced and openly available, the NIV is not an option (apparently the copyright owner supports a lot of missions work with the royalties). I've found I like the WEB (World English Bible) for readability. I tie that to the King James Version (yes, like a parallel bible) because the KJV has ties to "Strong's Numbers" which are an indexing and defining of the original Greek or Hebrew words! Talk about using the Source, Luke! Since I have not been able to learn either of those languages to any real extent, using the definitive definition, and being able to compare word numbers between verses with like words, has been incredibly eye-opening. English jumbles and combines words; for instance, there are 8 definitions of "Love" in the Hebrew language, two definitions of the verb "to Know" in Spanish, etc...
Kate has also added to my experience! Kate is the MDI advanced text editor of the KDE project. Why does Kate make that big a deal? Well, I've been pretty lax about taking notes during BibleStudies and Church Sermons. Kate makes it simple to at the *very least* keep track of Bible verses in use throughout the teaching. That way, even if I don't agree with the interpretation or usage I can always return later and do more digging. Since that time, I've found a reason to get up early in the morning and spend time with the Architect, learning about the Creator and communing/submitting myself to His will. In fact, that's where I'm going right now.
Oh, by the way... I believe I have qualified for the Capture the Flag in July! So, if you're in Vegas the last weekend of July, stop by Def Con and we'll meet. You can email me ahead of time at atlas_THAT_AT_THINGY_r4780y.com