Noid

In this episode of the Hack the Planet Podcast:

Noid is the former head of DEF CON security, founder of the LayerOne conference and the Black Lodge Research hackerspace, gunsmith, and anti-zombie technology enthusiast. We talk about the early history and social dynamics of BBSes, the formation and growth of DEF CON, how to run a security team for unruly hackers in the middle of the desert, and why you shouldn’t go to DEF CON this year.

We also go into the formation of DC groups and the split from 2600, the formation of Black Lodge Research, and Noid’s artisanal hobbies including cooking and classic gun collecting.

Despite the advice of our guest, Hack the Planet will be attending DEF CON 29 in-person! Give us a call or drop us an email if you want to be interviewed for the show or meet up at the event!

Be a guest on the show! We want your hacker rants! Give us a call on the Hacker Helpline: PSTN 206-486-NARC (6272) and leave a message, or send an audio email to podcast@symbolcrash.com.

Original music produced by Symbol Crash. Warning: Some explicit language and adult themes.

Interview with Ilja van Sprundel

In this episode of the Hack the Planet Podcast:

We are joined by a master of C code audit, Ilja van Sprundel, Director of PenTest at IOActive and prolific public speaker. We ask him how he learned to be such a bad ass, including some epic stories from the past, and go over some of his recent areas of interest including IOMMU, bootloader, and kernel vulnerabilities.

Ilja’s Links:
An Offensive Approach to Teaching Information Security (Summer School):
http://sunsite.informatik.rwth-aachen.de/Publications/AIB/2005/2005-02.pdf
Netric (archive): https://web.archive.org/web/20050214135602/http://netric.org/

Things not to do when using an IOMMU: https://www.youtube.com/watch?v=p1HUpSkHcZ0
Boot2Root: https://www.youtube.com/watch?v=L7p5-ArFeYI
Memsad: https://www.youtube.com/watch?v=0WzjAKABSDk
BSD kernel vulns: https://media.ccc.de/v/34c3-8968-are_all_bsds_created_equally
Windows drivers: https://media.ccc.de/v/32c3-7510-windows_drivers_attack_surface
X Security: https://media.ccc.de/v/30C3_-5499ensaal_1201312291830x_security-_ilja_van_sprundel
iOS Security: https://media.ccc.de/v/cccamp11-4490-ios_application_security-en
Hacking Smart Phones: https://media.ccc.de/v/27c3-4265-en-hacking_smart_phones

Daniel Stone, Wayland and X: https://www.youtube.com/watch?v=GWQh_DmDLKQ

GodBolt: https://godbolt.org/
SleuthKit: https://sleuthkit.org/
SourceInsight: https://www.sourceinsight.com/
sandsifter: https://github.com/xoreaxeaxeax/sandsifter

Interview with Eric Michaud

In this episode of the Hack the Planet Podcast:

We do an actual ingress episode, not like the game. We discuss all manner of physical entry techniques, from doors to cars to tamper-evident containers, with Eric Michaud, co-founder of TOOOL US and CEO of RiftRecon.

Can you beat the drug test? Find out in this episode! We also discuss the evolution of the US hackerspace movement from its European roots and ponder the post-COVID future of hackerspaces.

Eric’s Links:
RiftRecon: https://www.riftrecon.com/
Gone in 60 Seconds: https://www.youtube.com/watch?v=G6VVuSkTAgg
Lemon Caper: https://www.youtube.com/watch?v=qL9kFOt8YW4
Security of Urine Drug Testing Paper: https://www.yumpu.com/en/document/view/37593335/the-security-of-urine-drug-testing-journal-of-drug-issues
TOOOL US: https://toool.us/
Open in 30 Seconds (talk): https://www.youtube.com/watch?v=iOIRZnafgQk
Open in 30 Seconds (book): https://www.amazon.com/OPEN-THIRTY-SECONDS-Cracking-America/dp/0975947923

Interview with egyp7

In this episode of the Hack the Planet Podcast:

We talk red-teaming and CCDC with egyp7, volunteer for the National CCDC Red Team.

We go over war stories from CCDC Nationals, the early days of Metasploit and browser autopwn, as well as what’s been working well on professional red team engagements in the cloud era, advice on building wordlists, fun shell one-liners, and favorite offensive tools and exploits.

THIS IS NOT EGYPT THE COUNTRY, STOP SCANNING ME, TURKEY

egyp7’s links:

WebLogic CVE-2019-2725: https://blog.cybercastle.io/weblogic-remote-code-execution-exploiting-cve-2019-2725/
ExplainShell: https://explainshell.com/
MS17-010: https://github.com/3ndG4me/AutoBlue-MS17-010
Sliver C2: https://github.com/BishopFox/sliver
impacket: https://github.com/SecureAuthCorp/impacket
CeWL: https://github.com/digininja/cewl
DomainPasswordSpray: https://github.com/dafthack/DomainPasswordSpray
Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
Kerberoast: https://github.com/nidem/kerberoast
hasherezade’s PE Bear: https://hshrzd.wordpress.com/pe-bear/
BlueSpawn: https://github.com/ION28/BLUESPAWN
BeEF: https://beefproject.com/
jdwp-shellifier: https://github.com/IOActive/jdwp-shellifier

Interview with Lei

In this episode of the Hack the Planet Podcast:

We talk with Lei, long-time Defcon goon and founder of Disconnect Camp, about how to recover from infosec burnout, the origin story of Disconnect Camp, some war stories from his tenure as a Defcon goon, and how to keep your cool in a pandemic when you’ve already been dealing with burnout for years.

Lei’s links:
Disconnect Camp: https://disconnect.camp/
Twitter: https://twitter.com/disconnectcamp

Frustration-Aggression Hypothesis: https://en.wikipedia.org/wiki/Frustration%E2%80%93aggression_hypothesis

Interview with Vi Grey

In this episode of the Hack the Planet Podcast:

We meet with Vi Grey, who answers all the questions we’ve had about the Nintendo Entertainment System since we were kids but were too afraid to ask. A prolific developer of homebrew NES ROMs, Vi Grey helps us understand the present and future of innovation on the NES platform. We also discuss his work with polyglot files featured in PoC||GTFO. This episode itself is in fact a polyglot; check the mp3 metadata of the file on the RSS feed for more information.

Vi Grey’s links:
I Dream of Game Genies (HOPE 2018 talk): https://www.youtube.com/watch?v=0rcKWQVMQ5w
Twitch Stream: https://www.twitch.tv/ViGreyTech
More at https://vigrey.com/

NESmaker: https://www.thenew8bitheroes.com/
Brad Smith on Light Guns on modern TVs: https://www.youtube.com/watch?v=qCZ-Z-OZFUs
Damian Yerrick (more homebrew tools): https://pineight.com/
Tom7 (more NES hacks): http://tom7.org/

CypherCon: https://cyphercon.com/

Swarm Intelligence with Pongolyn

In this episode of the Hack the Planet Podcast:

We have a chat with Pongolyn, a community organizer and strategist for the Pacific Northwest Enlightened, one of the largest teams in the augmented reality game Ingress. We discuss the key elements needed to develop swarm intelligence and how they were applied to continent-spanning efforts.

Pongo has spent years deconstructing her experience into a valuable set of strategies for anyone organizing large numbers of volunteers, and expertly up-levelling them into easily digestible lessons on swarm-based strategies, gamification, and game theory for people who never played Ingress.

If you’ve ever had to organize a protest or a podcast, this episode is for you!

Pongolyn’s talks:
BSides Portland 2019 – https://www.youtube.com/watch?v=Eq33S_Rz4qo
Toorcamp 2018 – https://www.youtube.com/watch?v=UfYg3EVn_Jg
Defcon 26 – https://www.youtube.com/watch?v=bPTymsk1I_E

SwarmWise – The Tactical Manual to Changing the World by Rick Falkvinge
https://docs.google.com/file/d/0Bz8cVS8LoO7OOHhJUUF5akJ4RHc

Hannah Fry Ted Talk – Is life really that complex?
https://www.ted.com/talks/hannah_fry_is_life_really_that_complex

Screeps – https://screeps.com/

Threat Modeling: None of Your Security Tools Help me Get More Money for my Security Program

In this episode of the Hack the Planet Podcast:

For too long, the confusion caused by the Adam Shostack/MS threat modeling “methodology” has prevented security teams from doing any productive risk analysis. That ends now. We clear up the confusion around what a threat model is, what it’s for, how best to go about developing one, what is so very very wrong with the Adam Shostack/MS method of threat modeling, and how to achieve better results with less effort and arguing.

Check out the links for useful templates and examples. And remember: a dataflow diagram is an important piece of design documentation, but it is not and can never be an effective threat model.

Threat Modeling Template Examples from SymbolCrash, adjust these to suit!

Simple Threat Model Example:
https://www.symbolcrash.com/wp-content/uploads/2020/10/Threat-Model-Template-Simple.xlsx

CVSS 3.1 Auto-calculating Model with Automatic Coloring by Severity:
https://www.symbolcrash.com/wp-content/uploads/2020/10/Threat-Model-Template-CVSS-3.1.xlsx

“How to measure anything in cybersecurity risk”
https://www.howtomeasureanything.com/cybersecurity/

CVSS 3.1 Calculator at first.org
https://www.first.org/cvss/calculator/3.1

Automated Secrets Detection:
https://github.com/Yelp/detect-secrets
https://github.com/anshumanbh/git-all-secrets
https://github.com/dxa4481/truffleHog

Old-School SANS Threat Modeling Template Example:
https://www.sans.org/blog/practical-risk-analysis-and-threat-modeling-spreadsheet/

Mentioned Tools:
https://github.com/lyft/cartography
https://github.com/nccgroup/ScoutSuite

C4 model:
https://c4model.com/

What is the Actual Financial Impact of a Breach?
https://www.nber.org/digest/jun18/economic-and-financial-consequences-corporate-cyberattacks
https://www.nber.org/papers/w24409

Threat Modeling Tools that uselessly force everything into a DFD (not recommended):
ThreatModeler – https://threatmodeler.com/
Irius Risk – https://iriusrisk.com/
OWASP ThreatDragon – https://owasp.org/www-project-threat-dragon/
MS Threat Modeling Tool – https://www.microsoft.com/en-us/download/details.aspx?id=49168

Golang Offensive Tools with C-Sto and capnspacehook

In this episode of the Hack the Planet Podcast:

We talk with some of the most prolific developers of Golang offensive tools, from opposite points on the globe, about why they use Go, what they’ve been working on, how to work around some of Go’s challenges for red teams, and where things are going in the near future with Go malware. Featuring C-Sto (bananaphone/goWMIexec) and capnspacehook (pandorasbox/garble).

List of Golang Security Tools:
https://github.com/Binject/awesome-go-security

C-Sto:
https://github.com/c-sto/goWMIExec
https://github.com/C-Sto/BananaPhone
https://github.com/C-Sto/gosecretsdump

capnspacehook:
https://github.com/capnspacehook/pandorasbox
https://github.com/capnspacehook/taskmaster

Misc:
https://github.com/moonD4rk/HackBrowserData
https://github.com/emperorcow/go-netscan
https://github.com/CUCyber/ja3transport
https://github.com/EgeBalci/sgn
https://github.com/sassoftware/relic
https://github.com/swarley7/padoracle
https://github.com/gen0cide/gscript

Command and Control:
https://github.com/BishopFox/sliver
https://github.com/DeimosC2/DeimosC2
https://github.com/t94j0/satellite

Obfuscation/RE:
https://github.com/goretk/redress
https://github.com/unixpickle/gobfuscate
https://github.com/mvdan/garble

Of interest, but breaks Docker & Terraform:
https://github.com/unsecureio/gokiller

Interview with Craig Smith, author of The Car Hacker’s Handbook

In this episode of the Hack the Planet Podcast:

We talk to Craig Smith, author of The Car Hacker’s Handbook, about DRM, car hacking, and the future of virtual conferences.

https://github.com/zombieCraig/ICSim

http://opengarages.org

https://www.carhackingvillage.com

https://www.cybertruckchallenge.org

https://www.grimm-co.com/grimmcon
