PHP Programmers
Community for PHP Programmers : Ask questions, doubts and help each other get better at PHP
Kaustubh Katdare • Jan 21, 2007

Ask Dan Kuykendall - The man behind podPress, phpGroupware, qmail & podCastAlley!

CEans!

CrazyEngineers is proud to have Dan Kuykendall (Director Of Engineering, NTObjectives Inc., USA) – the man behind Mighty Seek Podcast, podPress, project - phpGroupWare, rpmBuilder, Qmail & podcastAlley!

A few days ago, we grilled Dan about his work on podPress, phpGroupware and rpmBuilder. Now it's your time. We are lucky that Dan agreed to answer our questions. Dan is a CEan with the id 'seek3r'.

So charge up your curious brains & shoot your questions directly at Dan! Get started!

-The Big K-
crook • Jan 21, 2007
Hello Mr. Dan! How were you involved in qmail & how is qmail different from sendmail?

Thanks.
xheavenlyx • Jan 22, 2007
Hello Dan!

I have seen the recent rise of podcasts and I am really impressed by the amazing potential they have, considering that they can now be easily added to blogs with that wonderful plugin of yours!

Keeping this in mind, how do you picture the future of video and audio podcasting? What new code/hardware developments will we be seeing? And how much further can we go with it? Is there a point of saturation, and if so, where?

You know, I was really inspired by the plugin and just realized that the blogging community is one of the strongest forces of influence and information. Strengthening it with more advanced features will make the flow of thoughts easier and more widespread. I hope to see so much more from your arsenal!

Have a great day!
Regards.
seek3r • Jan 22, 2007
crook
Hello Mr. Dan! How were you involved in qmail & how is qmail different from sendmail?
I'm certainly not "the man behind qmail", that would be Dan Bernstein. My involvement was mostly around documenting how to use it, which was done through my contributions to the Linux HOWTO project. Qmail is much like sendmail, in that it is an MTA (mail transport agent) which performs the duties of an SMTP server, and includes a POP3 server as well. The way qmail is different than sendmail is in the security design. Sendmail was the original, and it wasn't initially designed with security in mind. It is one huge app that does all the work it needs, and for many years was one of the biggest security holes installed on an Internet server. On the other hand, qmail was designed with security in mind from the start. It is created by way of several small apps/utils that do a small set of functions, and each app has little or no trust in the others. So at each step along the way there is redundant validation to protect from things like buffer overflows. All in all, qmail is a far more secure email server solution, but it also has problems. The problems are all around usability. It is not very easy to install, and due to the licensing, it's hard for outsiders to add or improve the functionality. More details can be found at https://www.qmail.org but I hope this gives you an answer that will get you started.
Jerry • Jan 22, 2007
Wow! I've a few questions too.

CE: Is it true that you get paid to hack?

Dan: It is. My job with NT OBJECTives (https://www.ntobjectives.com) is to research the latest ideas and techniques for hacking web apps, and then to manage a development team to automate these attacks into our scanner.


You have mentioned cross scripting on your website. I am not a computer engineer but I want to know about this technique. Is it similar to phishing?

Also, what are the new features that you are working on for podpress?
seek3r • Jan 22, 2007
xheavenlyx
I have seen the recent rise of podcasts and I am really impressed by the amazing potential they have, considering that they can now be easily added to blogs with that wonderful plugin of yours!
I've been a real fan of podcasting ever since I found a couple of decent and interesting ones. As a geek, there is tons of niche content that would never get out to mainstream media.
When I started my own podcast the tools just didn't do what I wanted, so the plugin began.

xheavenlyx
Keeping this in mind, how do you picture the future of video and audio podcasting? What new code/hardware developments will we be seeing? And how much further can we go with it? Is there a point of saturation, and if so, where?
I don't see a limit at this point. In the future I see audio and maybe video podcast content being subscribed to and consumed by cell phones, and video podcast subscriptions in TiVo-type systems. I can even envision a point where a system like Netflix's new downloadable content can be subscribed to and consumed via podcasting technologies.

xheavenlyx
You know, I was really inspired by the plugin and just realized that the blogging community is one of the strongest forces of influence and information. Strengthening it with more advanced features will make the flow of thoughts easier and more widespread. I hope to see so much more from your arsenal!
Thank you. I agree, the blogging community is becoming a HUGE force of content, innovation and information distribution. I'm proud to be part of it.
seek3r • Jan 22, 2007
Jerry
Wow! I've a few questions too.
You have mentioned cross scripting on your website. I am not a computer engineer but I want to know about this technique. Is it similar to phishing?
Phishing isn't a single attack technique. Phishing is the act of trying to get someone to a site under false pretenses. So like a fake PayPal email, where the link is going to another site that may be set up to look like paypal.com but instead is their site which is trying to steal information from you (like your password).

So, phishing attacks often use XSS to accomplish their goal of getting the user to the website they want under false pretenses.

Jerry
Also, what are the new features that you are working on for podpress?
Lots of improvements with presentation control are in the works. I'm also focusing more on the pay-subscription support and will probably add support for show notes in the near future.
seek3r • Jan 22, 2007
Jerry
You have mentioned cross scripting on your website. I am not a computer engineer but I want to know about this technique.

Oops, I didn't answer what XSS is. Many websites take input from a user that will later be displayed to other people. This forum is an example. Now imagine if I were to put some HTML into my post, and the forum software didn't filter it. I could insert some JavaScript code that would send your session id (cookie data) to my website, for example. Then I can come back on here as you and ruin your reputation. I could have the JavaScript redirect you off to some porn site, or whatever I want.


On a site like this, the bad isn't so terrible, but imagine this on Amazon, or your bank website. If on Amazon, I could then order a bunch of stuff, and send it as a gift to some P.O. box I open up.

So web apps need to filter/escape any inputs they take from users that will later be displayed to other users. There are other types of attacks that web apps need to defend against, but XSS is an important one that isn't being handled properly more often than we would like to think about.

To learn more, listen to my podcast about the subject at https://www.mightyseek.com/podcasts/hands-on-series-cross-site-scripting-xss-part-1
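An added PHP example of the "filter/escape" point above (mine, not Dan's code or anything from podPress): the same post rendered raw and rendered with output escaping, plus the HttpOnly cookie flag that keeps injected script from reading the session id. The `$post` values are constructed sample input.

```php
<?php
// Added example (not from the thread): rendering a forum post safely in PHP.
// The $post values are constructed sample input, not real forum data.

// Session cookie not readable from JavaScript, so a script that does slip
// through cannot simply read document.cookie and send the session id away.
ini_set('session.cookie_httponly', '1');

// Constructed sample input: what an attacker could type into a post body.
$post = [
    'author' => 'crook',
    'body'   => 'Nice plugin! <script>alert("xss")</script>',
];

// Vulnerable: untrusted text is pasted straight into the page, so the browser
// runs the <script> tag for every reader of the thread.
function render_post_unsafe(array $post): string
{
    return "<div class=\"post\"><b>{$post['author']}</b>: {$post['body']}</div>";
}

// Hardened: escape each untrusted value for the HTML context it lands in.
// ENT_QUOTES also covers values placed inside attribute quotes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_post_safe(array $post): string
{
    return '<div class="post"><b>' . h($post['author']) . '</b>: ' . h($post['body']) . '</div>';
}

// Link context needs an extra check: escaping alone does not stop a
// "javascript:" URL from running when clicked, so only allow http(s).
function render_link(string $url, string $label): string
{
    if (!preg_match('#^https?://#i', $url)) {
        $url = '#';
    }
    return '<a href="' . h($url) . '">' . h($label) . '</a>';
}

echo render_post_unsafe($post), "\n"; // <script> reaches the browser verbatim
echo render_post_safe($post), "\n";   // &lt;script&gt;... is shown as plain text
echo render_link('javascript:alert(1)', 'my site'), "\n"; // href="#"
```

Escaping at output time rather than filtering at input time matters because the same stored value may later land in HTML text, an attribute or a URL, and each context needs different treatment.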
crook • Jan 23, 2007
Thank you for quickly replying to my question. I have a few more questions 😁 . I really liked the podPress plugin but it is only available for WordPress. Are you planning to add support for other blogging tools such as Yahoo 360 or Movable Type?
seek3r • Jan 26, 2007
crook
Thank you for quickly replying to my question. I have a few more questions 😁 . I really liked the podPress plugin but it is only available for WordPress. Are you planning to add support for other blogging tools such as Yahoo 360 or Movable Type?
No plans at this time to port it to any other blogging platform. It would be portable, but would require quite a bit of work because it is very specifically designed for the WordPress environment.
aashima • Jan 27, 2007
I wonder when my blog too would see a podcast file in it !!
Hello Dan
It's almost monotonous to mention, but your work really is amazing. Great going! Between, you mentioned in your talk on CE that you get paid for being a hacker. Now that sounds something out of the box and interesting. Could you be a little more elaborate about it?
seek3r • Jan 27, 2007
aashima
Between, you mentioned in your talk on CE that you get paid for being a hacker. Now that sounds something out of the box and interesting. Could you be a little more elaborate about it?
I guess I really didn't elaborate much about that. Well, since you ask, I'm very passionate about web app security, which is why I have chosen to do it full time for a living, and why I do my podcast about it.

My job:
My work at NT OBJECTives consists of me spending countless hours reading mailing list and forum discussions, chatting with other web app security professionals and reading every article and website about the subject. In addition I do a lot of my own research to discover what kinds of mistakes web developers are making, and how I can exploit these patterns.

I then have to take every bit of my research and figure out how to reproduce the attacks in an automated way, where we can have some reasonable degree of confidence that when we think we found a vuln, it really is one.
There are things I can do as a human, with leaps of logic and intuition, which are extremely hard to accomplish with a computer which needs to deal in facts. In computer science we call this fuzzy logic, and it's a very hard problem to tackle.

The actual hacking:
Well, in web apps there are a number of categories of attacks. I don't want to get too far into it, because it's a discussion of its own, but some of the major ones are SQL Injection, Cross Site Scripting (XSS) and various resource discovery issues.

Resource discovery - In this we try and find files that could lead to information. For example, when you request a file with a .php extension, the web server executes it through the PHP engine, and the result is displayed. But if the developer is developing on the server and leaves a somefile.php.bak file, if I request this, then I will see the actual source code. Imagine if this was the config file, with its database passwords. Even a normal source file could tell me important information about the database. So I look for these kinds of files, and learn what I can when I do find them.

SQL Injection - With these attacks I attempt to leverage the fact that web apps often take user input as part of a generated SQL query. If I provide an input that will have the effect of altering the SQL statement into what I want... I can accomplish fun things. Check out my podcast about this. So when I'm hacking a web app, I'm looking for user input being used in SQL statements which is not being properly validated.

Cross Site Scripting (XSS) - Sites often take input which is re-displayed back to other users. What we attempt is to provide inputs that will still generate a valid HTML file, but one that is altered into doing something we want for attacking other users. Again, I have a podcast about this which would be informative to listen to and follow along with.

Hope that helps 😀
desijays • Jan 31, 2007
@ Dan

I always thought it was much easier to compromise a system by trying to hack it at the protocol level than at the application level. And since web security falls in the domain of the latter, I find it hard to adapt.

Usually if there was something that needed to be compromised, in my opinion I believe it is easier to directly get into the system using commands that the daemon running at that particular port will understand... (that's just one of the techniques) or if the daemon has a vulnerability the task is even more simplified.

Of course, sometimes you succeed and sometimes you don't. In the end I suppose it's just a matter of persisting.

So doesn't that mean compromising a system at the application level is naturally redundant, since you can do all you want with direct access to the system by getting at it at the protocol level?

For example, if you wanted the source code of some PHP file located on a server and there is no file called "somefile.php.bak" because the programmer who programmed the website was conscious of making sure not to leave any tracks behind, then... in that case... wouldn't it be easier to just get the source file "somefile.php" by compromising the server directly than to wonder if the programmer was careless enough to leave "somefile.php.bak" lying around?

And again, I'm aware the techniques that can be used here are equally vast.

And one other thing I have noticed is that it could be mighty hard to perform XSS and SQL injection techniques using this method, although it is very good at discovering resources.

Is that why web hacking is preferred?

And as always, there are issues of ethics to be considered!! But, should we care?

After all, we are all curious at one point or other 😉.

I hope I was clear.

Welcome to CE Dan.

Nice to have you here mate. 😀
seek3r • Jan 31, 2007
One of the things that make web hacking interesting is that you already have a window through the firewall.
If you are assigned to attack a server, which is sitting behind a firewall and only has port 80 accessible (which is a common situation these days), what are you going to do?

You will attempt to fingerprint the web server, and then try known vuln attacks against the server, but what if they are all patched up?

That leaves you to attacking the web apps to fight your way in.
Web app hacking is much more difficult in that most apps are custom, and so you cannot throw out a bunch of "known vuln attacks" against a host as you can when you're attacking at the OS/services level.

What it most relies on is understanding the habits of web developers, the problems they can make, and what you can do when you find a problem spot. It's also important to understand what you want to accomplish.

If my goal is to view other users' data, then it's probably easier to review how they display records and then try requesting records by their ID, but for ones not in your lists. If they don't check permissions on each request, then maybe you can get to the data you want, and this may be easier than trying to gain shell access to the system in order to get to this data.

If your goal is to steal PayPal accounts, it's probably easier to find an XSS problem on the PayPal site, and then send out spam emails to try and trick some users into clicking a link that goes to paypal.com but then redirects them to your site and passes along the user's session id (cookie data) in its request. Trying to hack their well-protected servers, which have IDSs and firewalls logging everything, would probably be more troublesome.
aashima • Feb 1, 2007
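An added PHP example (mine, not Dan's or podPress's code) of the two developer mistakes Dan describes: the SQL injection from his "categories of attacks" post, and the per-request permission check he mentions above for records requested by ID. The `records` table, its rows and the logged-in user are constructed here in an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs stand-alone.

```php
<?php
// Added example (not from the thread): fetching "my" record by id.
// Schema and rows are constructed sample data, built in SQLite in memory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO records VALUES (1, 10, 'alice private note'), (2, 20, 'bob private note')");

// Vulnerable on two counts: the id is spliced straight into the SQL text, and
// the query never asks whose record it is, so any logged-in user can walk
// through ids 1, 2, 3... and read everyone's rows.
function fetch_record_unsafe(PDO $db, string $id): ?array
{
    $row = $db->query("SELECT body FROM records WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the input is validated as an integer id, the values are bound as
// parameters (the driver never interprets them as SQL), and ownership is
// checked on every request instead of being assumed from what the UI listed.
function fetch_record_safe(PDO $db, string $id, int $current_user_id): ?array
{
    if (!ctype_digit($id)) {
        return null; // not a plausible id; reject before touching the database
    }
    $stmt = $db->prepare('SELECT body FROM records WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => (int) $id, ':owner' => $current_user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$me = 10; // constructed: the logged-in user is alice (owner_id 10)
var_dump(fetch_record_unsafe($db, '2'));            // bob's note leaks to alice
var_dump(fetch_record_unsafe($db, '1 OR 1=1'));     // input rewrote the query
var_dump(fetch_record_safe($db, '2', $me));         // NULL: not alice's record
var_dump(fetch_record_safe($db, '1 OR 1=1', $me));  // NULL: rejected by ctype_digit
var_dump(fetch_record_safe($db, '1', $me));         // alice's own note
```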
Amazing information Dan. It's all so new and interesting. Thank you.
Jerry • Feb 3, 2007
Thank you Mr. Kuykendall! My best wishes for the next version of podpress. I think we can have ideas & technical discussions for podpress on CE. I would like to hear your opinion about this.

Jerry
Rocker • Apr 16, 2007
Hello Mr. Kuykendall!

I doubt if my question is within the scope of this discussion. Is there a way to distinguish between a fake mail (phishing) which asks for the login details and an authentic mail? Every day I receive an email from Bank of America which asks me to update my account details. They were the first ones to tell me that I've an account with Bank of America 😉 !