My short bio: I'm a security researcher who's worked for a university, defense contractor, and now I have my own company Vector 35 founded with some friends to make security "capture the flag" games among other things.

My Proof: http://imgur.com/QMU8oos

Additional proof from my twitter feed that's been widely credited in all the news stories: https://twitter.com/psifertex/status/622422961765617664

Comments: 257 • Responses: 66

Brake_check (95 karma)

My neighbor keeps throwing his trash bags on my balcony. How do i hack into his wifi?

Psifertex (107 karma)

Easy, just follow this basic how to: http://www.youtube.com/watch?v=5lvweMBCqAs

TheDoctaIsIN (75 karma)

Did you ask for a car, and end up with a computer?

Psifertex (53 karma)

+1 for the Ferris Bueller reference.

I did start pretty young on computers but I got tech jobs too so I could afford a car.

avaseyrockz (36 karma)

Teach me how to hack a social network?

Psifertex (61 karma)

No. :-)

that_blind_panda (108 karma)

$ sudo teach me how to hack a social network

Psifertex (236 karma)

username is not in the sudoers file. This incident will be reported

DriftingSkies (36 karma)

Most of us aren't security analysts and don't have huge websites that we have to worry about securing from ne'er-do-wells, but all of us have at least some online presence and have information that we don't want to fall into the wrong hands.

Given this:

1) What advice would you give to us as individuals to protect our information from being compromised?

2) How can we as consumers pressure businesses into taking website & data security seriously?

Psifertex (38 karma)

As individuals, make sure your software is fully updated (thankfully, the trend these days is to auto-update).

Secondly, either use a password manager or two-factor authentication. Password managers can be a hassle, but using the same password is far and away how you're likely to have your information broadly compromised. One site being hacked is bad for you -- using the same password there and then having /all/ your data hacked is way worse.

On a related note, never click a link in an email and then login to the page. If you get an email notice from your bank, for example, just type in the URL for the bank directly. It drives me nuts that there are companies that actively train users to click links in email. The one exception to that rule is when you are first setting up your account and are verifying your email, but in that case, you know it's coming.

[Edited to fix poor phrasing, thanks, was typing most of these on my phone in the middle of a conference yesterday]

Psifertex (10 karma)

On the topic of pressuring companies, I wish I had a good answer. I think it's actually more likely that pressure comes from the government. The new Cyber UL that Mudge mentioned in a tweet recently is one really good idea to help with that. As a random user I suspect that just taking your business elsewhere isn't always possible or even going to get most companies attention.

BurnsinTX (32 karma)

Where are you going to fly first?! That's my only question. Also don't waste those miles on water bottles and stuff, it's a scam.

Psifertex (40 karma)

I travel more than I'd like for business right now and have three small kids, so it's hard to easily use the miles. Don't have anything scheduled yet, but I'd really like to take the wife on a round the world trip, maybe even in business class as a true once-in-a-lifetime kind of thing. That probably wouldn't happen for a while since it requires a lot of logistics (and would still cost a lot for the hotels!)

pyramidsofmoney (15 karma)

You can book hotels with miles! Do it

Psifertex (33 karma)

The rates aren't very good though. Would eat through the miles /really/ quickly.

Keebler_Elf1234 (26 karma)

Hi there,

Please explain to me like I'm 5 who you are and what this bug bounty was?

Psifertex (100 karma)

I'm someone who likes playing with computers and making them do things they weren't supposed to do. People like me are called hackers and while some are bad people who try to steal things and break things, most are good people who like doing this sort of thing to help people.

For the rest, United Airlines wants to make their web sites secure so bad hackers can't attack it to steal things or break things. To do that, they offer good hackers miles (which can be used to fly places for free) as a reward for finding those problems and telling United about them. I found two problems, one was the most serious and could have allowed a bad guy to take over one of United's computers and do bad things to it. The other problem let me see more on the website than I was supposed to see.

To be fair, I scoped that as an explanation for my six-year old, so hopefully it's close enough to an Eli5. :-)

chinmay_dd (16 karma)

Hello. How bright do you think is the future of CTFing? Currently we have topics relating to Reversing, Forensics, Cryptography and Web. Considering the recent advancements in technology what more could be included in online CTFs in the coming years?

Psifertex (21 karma)

Excellent question! Have you played PwnAdventure from Shmoocon these past two years? Rusty and I formed Vector 35 so that we could take that to its ultimate conclusion--a real online commercial game with first class hacking as an actual game element.

I'm also trying to resurrect livectf.org, but preparing for DEFCON has taken away from most spare time so I haven't done as much as I would like. I'm convinced that CTFs can become like e-sports where people are casting their practices, where head to head competitions are streamed and commentated, etc.

Psifertex (5 karma)

Thinking about this some more, there's already a pretty big breadth of stuff more than just what you described. Quantum Physics challenges, hardware circuit RE, ACM style programming, optimization, challenges requiring solvers, etc. That said, I do expect that's going to expand even more. There are video game styles that draw different people and I think there will be different CTF challenges that will likely draw different people. It's already really hard to be a generalist. Most big teams have different people specializing in different areas.

rollirouland (12 karma)

I have no plan of hacking etc. so what is the first thing you do when you try to find bugs on websites etc.?

Psifertex (29 karma)

There's a lot of stuff to check. Depends on whether I'm lazily poking or being methodical. First I would tend to just look around. Find places that have parameters in URLs, take input of any sort. I'd focus on spots that look old or outdated. Use google site:search to find specific terms I'm interested in, use reverse dns caches to find other virtual hosts on the same IP that I care about, port-scan the IP and other nearby IPs, do similar steps as above to all other IPs.

Start with a list of OWASP top 10, and look for locations where each of those could work. If allowed, you could use one of the many web app scanners, though of course for a bug bounty don't bother with standard tools like that because the company will have already done it themselves, or if they haven't someone else will have.

vito_lbs (8 karma)

What's it like living life as a Florida Man?

Psifertex (16 karma)

You tell me, fellow Florida man. ;-)

DonminD (8 karma)

Wanna join up and figure out Cicada 2016 together?

Psifertex (8 karma)

I wish I had the spare time to! Right now, getting some things ready for DEF CON which is going to keep me really busy.

DonminD (2 karma)

Are you going to be presenting at DEF CON?

Psifertex (5 karma)

Yup, but not on anything related to this: https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Walker

BLAHFUK (8 karma)

How do you get in to the security industry? I have 8 years as a software dev, but I can't get hired in security, it's a tough field to get into.

Psifertex (17 karma)

I got started working in an IT department as a student at my university. A print server running Redhat 5.0 got compromised and I wrote up a forensics report because I thought it was really interesting. The report found its way to the university's newly hired security manager (whose primary responsibility at that point was shutting down open relays and had just begun setting up an early IDS system). I got hired as a part-time student assistant and eventually moved to full time.

I highly recommend playing security CTFs. See one of my other comments for links to sites to help you get going. They are a phenomenal way to build and practice skills and a lot of companies know that and hire people from that community.

avaseyrockz (7 karma)

If you are a hacker then why don't you become rich?

Psifertex (42 karma)

Because jail sucks. The risk/reward payoff isn't worth it. Besides, legitimate hacking pays quite well, I have no complaints.

Canuhere (4 karma)

What model computer do you use on a daily basis?

Psifertex (8 karma)

13" MacBook Pro. Only platform that can easily run all three major operating systems easily, and they make good hardware.

MarkusGreenCoder (3 karma)

Hi bro, I want to ask these questions: What programming langs do you know? For hacking do you use Kali Linux? Do you watch the TV show Mr. Robot? Have you got some thoughts (sorry for misspelling) on hacktivism?

Psifertex (3 karma)

Programming? I'm ok with Python, JavaScript, PHP, x86 assembly, and poor with C, Ruby and a smattering of other things. I'm not a great programmer which is not the recommended route I'd suggest.

I occasionally use Kali, but usually don't bother. Most of the tools I have installed on my main Linux VM that I would use Kali for, but I do use it for something every now and then.

Don't watch that show yet, but keep meaning to check it out.

combatwombat8D (3 karma)

How does one get started in hacking? I have decent computer skills (mainly from the hardware side of things), but I've always thought "ethical hacking" would be interesting.

Psifertex (8 karma)

It is! Hardware guys can do very well because they are usually better at understanding lower level concepts than some of the folks that come just from, say, building websites. At least for binary reverse engineering type problems.

Play CTFs! [ctftime.org](https://ctftime.org), [captf.com](http://captf.com), CTF field guide, and many others

Edit: fixed word, made links

Schmetty (3 karma)

So what exactly did you find in American Airlines system?

Psifertex (10 karma)

Nothing. It was United. :-) And I found two flaws, one was remote code execution and one was an "information leak".

Firehed (3 karma)

Assuming the issues have now been patched (traveling, on mobile, can't check), can you discuss the nature of the exploits at all? I work in the industry so I'm always interested to hear what fellow programmers screw up so I can avoid doing it myself.

Psifertex (1 karma)

Unfortunately, no -- the terms and conditions (hit the plus next to terms at the bottom) explicitly forbid revealing details.

ChefBoyarDEZZNUTZZ (1 karma)

Care to be more specific and/or a little dumbed down? I saw this story on the news recently and they said United didn't want to say exactly what it was you were able to exploit, so I understand if you can't say.

TheZaxvo (1 karma)

Remote code execution = he can take control of United's computers and do whatever he wants with it. I don't know which computer was compromised but even if it wasn't directly connected to a plane he could still probably wreak havoc with, say, plane schedules. He could cause incredible delays or rearrange/reduce the number of crew scheduled for a plane, etc. Pretty much anything that United might use a computer for, he can take control of and totally screw up.

Information leak = he can see information that he isn't allowed to see. Again, as you know, we don't have many details, but you can speculate that he could maybe see financial info or customer info or United's future strategy plans, etc.

Psifertex (1 karma)

The summaries of the bugs are good, but I wouldn't make those assumptions about what was possible. I don't really know* what else was hosted on the virtual hosts and I didn't actually try the RCE (as per the rules) so it's really hard to say what I actually could have done with that.

*Well, I know some of it from other vhosts on the same IP assuming it wasn't fronted by a reverse proxy, but I don't know /all/ of what was there so it's really hard to say. Might have been a whole lot of nothing except as a stepping stone into some random host on their network, might have been more. If I was really trying to test the security and had permission, I'd have used the RCE and pulled local password hashes to try to get credentials, checked recent logins, scanned local/nearby hosts to find out what internal IPs I now had access to, etc.

Having an initial beachhead as an attacker almost always means that you can get further into a network, but at that point, it also depends on how good their internal monitoring is as to how long you'd last.

trippysnail (3 karma)

What did you do differently from Chris Roberts to earn United's praise? Airlines are not exactly known for being friendly to hackers.

Psifertex (2 karma)

I followed the rules. :-) I'm sympathetic to him because /somebody/ needs to be looking at airplane security as well, but that's definitely NOT the place for an open bug bounty. You do not want everyone just poking randomly at airplanes in-flight.

It is interesting to note that they announced the bug bounty just a few weeks after his incident, but I don't think they were directly related. I doubt they were able to spin the bounty up that fast, I would imagine they were working on it for a while and if anything that just made them move up the timing a bit.

Specifically, check out the "Do not attempt" section:

  • Brute-force attacks
  • Code injection on live systems
  • Disruption or denial-of-service attacks
  • The compromise or testing of MileagePlus accounts that are not your own
  • Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
  • Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
  • Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
  • Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)

Related to that, here's a suggestion if you want to test mileageplus accounts: just make two new ones for yourself and then test between those.

Kidnap (3 karma)

Hey there, pretty cool you are doing this so thanks for that. I'm very interested in the bug itself especially since you say in a tweet that it wasn't "technically challenging" but I understand you can't really disclose info. I've got a couple questions if it isn't too much:

How do you feel about the Certified Ethical Hacker certification? Do you feel someone who has achieved this certification is actually ready for a job in the infosec field?

What has been your favorite squashed bug or hack that you've done (that you can talk about)?

Thanks again and I'm already following on Twitter to keep up with your work :)

Psifertex (7 karma)

I'm very rarely impressed with certifications. The SANS ones were pretty good for a while, but they have problems too (ask me some time in person about why I never got one). They've also removed the practical portion which is unfortunate.

Certifications really only have value in that they show someone cares a tiny bit enough to learn some basic skills and is maybe just good at taking tests. I'm far more impressed by someone who has done their own research, can talk intelligently about hard CTF challenges they've played or has published CVEs of value compared to someone with letters after their name.

Favorite bug? I love generic exploration technique research. Browsers in particular are fun because a researcher has so much control in the environment. Makes for fascinating defenses and evasions.

Kidnap (3 karma)

Thank you very much for taking the time to answer my questions as well as others; you probably saved me $500. Took a practice test for the CEH and it was laughable, however, I thought it may get a foot in the door at some places (I realize now those places probably wouldn't be places I'd want to work anyhow).

Hope this isn't a bother but since you mention publishing CVEs it reminds me: does having your name on multiple "walls of fame" hold any merit? Will the bug you just reported, aside from the media attention, help you land future work?

Promise no more questions...today. Thanks!

Psifertex (4 karma)

For all the places /I/ would have wanted to work for in my career, yes. Wall of fame entries or CVEs are great resume builders. There's no substitute for proof that you can do the job already than something like that.

brygiger (3 karma)

If you're probing/checking out a site, do you usually tunnel your connection through a proxy/vpn or something?

Psifertex (6 karma)

Usually not, because I don't usually poke at sites that I don't have some prior authorization for (like a bug bounty or CTF), or I'm not doing anything that is liable to cause concern.

brygiger (2 karma)

Thanks for answering, follow up: so when do you tunnel and what do you use?

Psifertex (9 karma)

I usually use a random VPS server somewhere international. If just worried about privacy I will use azure or AWS for ease of use or from saved credits. Were I to hypothetically care about possible legal concerns, it would be a foreign hosting company paid for in pre-paid credit cards. On the server itself, I usually either just use an ssh proxy or streisand.

tjshipman44 (3 karma)

Were they regular miles or were they elite qualifying miles?

IOW, did you get 100K status from the hack? If not, seems hardly worthwhile.

Psifertex (4 karma)

Sadly, not qualifying miles. I already have gold from a previous status match. It's still nothing to shake a stick at though. I can convert all my miles to almost $8000 worth of Amazon gift cards which is the absolute worst case value. If I use them for flights I could, for example, get three round the world tickets in business/first class that allow me to make six international business class legs on each ticket. That's a heck of a lot of money if you were to purchase them directly.

[Edit: fixed word, added clarity on RTW]

infonoob (3 karma)

As a CS freshman, how can I get ready for participating in CTFs? Is there a good way to make sure I know all of the prerequisite skills?

Psifertex (6 karma)

Just start playing them. Look through old challenges and practice on those. I posted links elsewhere in this thread. Scripting in Python, Ruby, or even bash is strongly recommended, and knowing C is a pretty important requirement if you want to do the binary reverse engineering / exploitation challenges.

Failsnail64 (3 karma)

Can you hack me back in time to Nazi Germany, just like a time machine?

Psifertex (4 karma)

Yes. I just need my powerglove and...

(Reference)

caulfield_h (2 karma)

Is it possible to hack a satellite or let's say ISS?

Psifertex (1 karma)

There are vulnerabilities in /everything/ running code. With the very tiny exception of some software that has been formally verified, I'm not surprised to see flaws anywhere. I'd certainly hope that the attack surface is very small for something NASA puts into space, but I have no idea about specifics.

Koala_gym (2 karma)

Where you going to go with all those miles?!

hlskn (2 karma)

What is your opinion on bug bounties? Do you think they do more good than harm?

Certainly some (e.g. Jeff Atwood) have expressed concern that bug bounties incentivise singular pecuniary gain instead of the goal of helping the community as a whole.

Psifertex (4 karma)

Bug bounties are a valuable piece of an overall security strategy. They are not remotely enough on their own for any given company, but as a part of a broader program they are very valuable. I'll have to read Jeff's argument in full, but without seeing that yet, I'd say that bounties definitely fulfill a useful spot in the security ecosystem. See Leigh Honeywell's excellent summary of how to do it right.

[Edit] Ok, coming back now that I've had a chance to read the whole article. He doesn't really say that bounties are a bad thing, just that they have drawbacks -- which I agree with. They're also a heck of a lot better than the status quo we used to have of companies being actively antagonistic to researchers who were legitimately trying to do the right thing. We /have/ to realize these flaws have value -- if you would consider hiring a penetration testing firm to find flaws for you, then you inherently agree with that. Then it's just a question of finding the right balance to incentivize people.

Most hackers want to do the right thing, but companies can make it easier or harder to encourage that. Bug bounties are generally a good way to encourage that.

I_CAPE_RUNTS (2 karma)

If you could have lunch with any person, living or dead, what would you order?

Psifertex (3 karma)

A buffalo chicken sandwich. But then I would regret it later because my mouth loves them, and my digestive system hates them.

HighExclusive (2 karma)

Frameworks - friend or foe (from a user perspective :))?

Psifertex (3 karma)

Frameworks aren't for users, they're for developers. Frameworks are a net neutral. On the one hand, a framework developer can theoretically provide better secured software (especially true in the crypto world, right?), but on the other, homogeneity helps attackers because it amplifies the value of any flaw. Of course, patching is often easier with a framework too at scale, so I call it a net neutral impact to security except in cases like crypto which you should never, ever, try to do yourself.

TheCatman11 (2 karma)

How did you get into the hacking/computer business?

Psifertex (3 karma)

Answered in a few other questions. Summary: play CTFs, do independent research, I specifically did forensics in my IT job when a server was compromised, then moved to security job.

[Edit: typo, more detail]

InTupacWeTrust (2 karma)

What do you think Anonymous use to hack with and what grade would you give them as hackers?

Psifertex (5 karma)

What do you think of hackers born in Germany? (Rhetorical question)

With such a large, diverse group it's almost impossible to make generalizations. I'm sure there are plenty of people with no skills in Anonymous, but I also wouldn't be surprised if some really good technical people are affiliated as well.

[Edit: two word fixes]

lazyasfuq (2 karma)

Hey thanks for doing this! I'm a security admin in my early 20s at a large university in the tri-state, most of my day job duties seem to be on the defensive side so I couldn't imagine lasting longer than 3 flags in a CTF. I want to learn more but doing it solo can be discouraging when you don't have a team or group to work with. When you were working at the university did you start any programs or do anything CTF related? How do you keep your CTF skills sharp while doing mundane infosec operations type stuff on the daily?

Psifertex (5 karma)

Yes, I did! I started a student club that still plays CTFs many years later. If you are at a college, try the local ACM chapter or get with a professor that teaches security topics and start a student club. I wasn't a student when we started that group, just a university staff member. That said, there is also an open team right here on reddit that is quite friendly.

Trynothingy (2 karma)

If one were to run a personal ftp and media server, how can they protect themselves from data theft or similar?

Psifertex (1 karma)

For what context? Just around the house? I'd be somewhat trusting that the NAT would protect me against most casual attacks.

If I really had to run an FTP server on the internet, I'd use vsftpd because Chris Evans is a security /wizard/ and I trust his code way more than anything.

Honestly, in the cloud day and age, the answer is rarely to run your own server anymore. If you want to run a server to experiment and learn, go for it, but if you're putting real data on it, the effort required to secure it usually isn't worth it. Most of my highly technical friends, who are more than capable of running and securing their own servers don't even bother these days. It's just not worth the effort.

aizen6 (1 karma)

Is it easy to hack into GMail accounts and get passwords, or are those people in my Computer Science class just lying?

Psifertex (2 karma)

Turn on Google 2FA (two factor authentication) and don't use the same password on gmail as you do elsewhere and your google account is likely more secure than the computers you use to access r.

lockd0wn (1 karma)

When you first submitted it, how did they react? Did they ever threaten legal action?

Psifertex (2 karma)

I was responding to their public bounty and I think a lot of other people responded as well. I just got back an automated notification that it was received, then eventually an email that it was verified, then a while later that it was fixed and they were giving me my miles. My blog post has more on the timeline.

They were quite pleasant and easy to work with, kudos to them for having the program and being so easy to work with!

Quad_H (1 karma)

can you actually find someones password? like facebook password, live password? if you can is it really difficult?

Psifertex (1 karma)

Generally, no. That said, the way that would usually happen is you'd use the same password as somewhere else that would get hacked, or you would click a phishing link and login where you thought was real but was actually fake.

kazuri85 (1 karma)

It is very very easy to get someone's 'password hash' if you know them IRL. If the website doesn't salt the hash, or take other steps, it could be very easy to 'crack' someone's password, if their password is short, or common.

Download the program 'cain & abel', you can use it to see how easy it would be to crack your own password. You can use cain & abel + wireshark to sniff your own network to see which websites you visit don't use better security.

I highly recommend this because it will show you how quickly an easy password can be cracked, and how dangerous it can be to use wifi in public.

Psifertex (1 karma)

Umm, what? Getting someone's hash requires access to the server it's stored on typically (for an online service like described above). As a user, you don't even know how your password is hashed typically so I fail to see how IRL connections even matter at that point? Unless you are talking about getting a local hash from their box. In which case just install a keystroke sniffer and get the actual password, no hash required. Same thing for online passwords -- the keystroke sniffer will pull all the passwords, but won't have access to the hashes.
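The salting point argued over in this exchange, as an added example (not code from the AMA or from either commenter): a constructed credential set stored two ways, with the two audit checks a defender would run on a leaked store. All account names, passwords and the wordlist are constructed.

```python
# Added example (not from the AMA or either commenter): why an unsalted, fast
# hash makes a leaked credential store easy to crack, and what per-user salt plus
# a slow KDF changes. All accounts and passwords below are constructed.
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample credential set; note alice and carol share a weak password.
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "password123",
    "dave": "correct horse battery staple",
}

# A small constructed "common passwords" list standing in for a real wordlist.
COMMON_PASSWORDS = ["123456", "password123", "letmein", "qwerty"]


def store_unsalted(password):
    """Weak scheme: one fast SHA-256 per password. Same input, same digest,
    so one precomputed table of common passwords covers every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=200_000):
    """Safer scheme: 16 random salt bytes per user plus PBKDF2-HMAC-SHA256.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_digests(store):
    """Audit check: number of accounts whose stored value is identical to another
    account's. Anything above zero means no (or a shared) salt is in use, and
    that recovering one password unlocks several accounts at once."""
    counts = Counter(store.values())
    return sum(n for n in counts.values() if n > 1)


def precomputed_hits(store, wordlist):
    """Audit check: which accounts fall to a table of common-password hashes that
    was computed once, with no per-user work. Against the salted store this
    returns nothing, because every stored value depends on its own salt."""
    table = {store_unsalted(w): w for w in wordlist}
    return {user for user, value in store.items() if value in table}


def audit(iterations=200_000):
    """Build both stores from USERS and return (duplicates, hits) for each."""
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p, iterations=iterations) for u, p in USERS.items()}
    return {
        "unsalted": (duplicate_digests(unsalted),
                     sorted(precomputed_hits(unsalted, COMMON_PASSWORDS))),
        "salted": (duplicate_digests(salted),
                   sorted(precomputed_hits(salted, COMMON_PASSWORDS))),
    }


if __name__ == "__main__":
    for scheme, (dupes, hits) in audit().items():
        print("%-8s shared digests: %d, accounts in precomputed table: %s"
              % (scheme, dupes, hits or "none"))
```

Run as-is the unsalted store reports two accounts sharing a digest and three accounts found in the precomputed table; the salted store reports neither, and the only way to test a guess against it is one PBKDF2 run per account.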

hmathr (1 karma)

Hey, congratulations on your findings!

Do you have any advice on how to professionally get involved into web security? I have done bug bounties, found some pretty sweet bugs, played tons of CTFs and generally am not a beginner, but have no CS related college diploma (and attending college currently is not an option, unfortunately). What is the best way to get the job in the field? I have tried applying to couple security companies, but was declined because of no real work experience, and no diploma.

Psifertex (1 karma)

Get yourself some CVEs, list the CTF's you've played in (with specific challenges you've solved) on your resume, and keep applying. Work experience is somewhat valuable only in the sense that it shows you are familiar with the professional security environment, but having real skills is more important. Keep applying, you'll find the right place. Send me a DM with a link to your resume if you want advice on it. Are you willing to move? Are you trying to look for remote work only? Those factors can impact what's available.

jdm4900 (1 karma)

So, how'd you learn to hack into a multi-million dollar company?

Psifertex (1 karma)

"Multi-million dollar company" just means they probably have way more servers and apps than they can keep up with and have a LOT of stuff they have to keep an eye out for.

The fact that United has a bug bounty at all speaks well of their internal security mechanisms. Most non-tech, non-financial, non-government-contractor companies aren't even to that point yet. They're still drowning in the flaws they KNOW they have and can't fix, let alone are ready to go looking for more.

So big companies are likely to have lots of problems, some are better able to handle it than others, and United is ahead of the curve by having a bounty.

JeffTheSpider (1 karma)

What would be some good advice for someone who wants to learn how to program?

Psifertex (3 karma)

Like learning anything in life -- just do it a lot! There are a ton of great online resources these days. Udacity, Khan Academy, many others.

Stimonk (1 karma)

What was the bug you found - are you allowed to say what it was even if very high level?

Psifertex (1 karma)

Two bugs -- a remote code execution (I could have--but didn't--run anything I wanted on the target computer and used it to start exploring the rest of their network), and an information leak -- was able to access some info I shouldn't have been able to. That one was a bit more convoluted.

NachoCastro (1 karma)

What do you think about LastPass?

Psifertex (1 karma)

I think password managers are generally a good idea. I use 1password, but other than the recent lastpass breach, it's probably a reasonable choice as well.

aqinf (1 karma)

Do you have any suggestions for starting/organizing a CTF? I'm only in high school but started a cybersecurity club with some friends, and we've done well enough in a couple CTFs that we want to try building our own (small-scale) CTF for other students, mostly just as a challenge. Any tips on problem design, infrastructure, sponsorship, etc.?

Psifertex (1 karma)

I think that's an excellent idea! There's a number of good resources for people making CTFs. First, there's the Many Maxims of Maximally Effective CTFs that Fuzyll and I wrote a while back. Then there's PPP's Suggestions for running a CTF.

For a scoreboard framework, many people have used CTFd, there's both a hosted version you can pay for which if you can get your school to cover it I'd recommend, or you can just run it yourself since it's open source.

waspwrx (1 karma)

What OS(s) do you use *nix windows?

Psifertex (2 karma)

OS X is my primary OS, but I have run Ubuntu and Windows (multiple flavors) in VMs.

dudesweetman (1 karma)

Regarding DDOS attacks. I am aware that maybe ten years ago it was something that could be done by any simple 13yo script kiddie (correct me if I'm wrong). Would you say that it has become harder or easier to create botnets for that purpose?

Do you ever think we will get rid of this shit?

Psifertex (1 karma)

Sadly, it's not really harder. A dozen computers with really good network connections can do some serious damage to all but the most protected infrastructure. The attackers on DDOS attacks haven't even bothered to get super advanced in terms of application-layer amplification yet because they haven't really needed to. If they did, it would actually be worse.

Can't get rid of it easily because securing random endpoint computers isn't easy.

ferengiprophet (1 karma)

I'm a software dev interested in switching to security, can you recommend me any good websites or books?

Psifertex (2 karma)

Start playing some of the wargame websites:

Best advice is to just start /doing/. Reading is helpful, but struggle through some problems first, then find the answer eventually if you get stuck somewhere else, but try it yourself first. Same with old CTFs, there's a ton of writeups.

Thunder_54 (1 karma)

I just want to say I think what you do is so cool. I want to become a penetration tester when I graduate.

What languages would you say are most important to a computer science student wanting to get into penetration testing? What steps can I take now to give me a better chance to stand out when it's time for me to job-hunt? How much back-end (Network) knowledge do I REALLY need?

One more edit: What did your career path look like? If you don't mind me asking

Psifertex2 karma

I should clarify that I'm not actually a penetration tester. While that's what doing this bug bounty was actually like, my work experience is mostly on the vulnerability research side of things which I enjoy a lot. The main difference is a penetration tester's job is to test the overall security of a network and find the weakest point. The weakest points are often not technically interesting (reusing passwords, people willing to pick up USB keys from the parking lot and plug into their machines, social engineering, etc).

Vulnerability researchers, on the other hand, are specifically targeted at an application. Their job is to find a brand new vulnerability in something. Most of the time I find that a lot more interesting than penetration testing, though of course there are also some really cool penetration testing examples, and the better penetration testers are more than capable of finding their own 0days to use in pentests as well, but the vast majority of the time that's overkill for their purposes.

Sutekhy1 karma

Were you at RVASec this year doing the CTF?

Psifertex1 karma

Nope. At Summercon this weekend, will be speaking at DEF CON, but sadly not playing CTF there this year. First time in a decade I'm not playing DEF CON finals. :-(

Elfclan301 karma

Is it possible to get access to a Facebook account without keyloggers or social eng.?

Psifertex1 karma

Already answered actually.

LasagnaAttack1 karma

How can I get into the type of work you're doing? Humble beginnings?

Psifertex3 karma

Reading the thread first before asking questions that have already been answered would be a good first start. :-)

B00tyWarrior1 karma

  • Any good material you suggest to help out a learning hacker?
  • What is the best (free) tool for packet sniffing?
  • Is there any way to penetrate BIOS passwords without deleting them? (basically get in and out without anyone noticing)
  • What made you a successful hacker?

PS: I am a 1st-year computer science student, currently exploring the magical world of Kali Linux; right now I am mostly focused on hacking/exploiting OSs like Windows and wireless connections.

Psifertex3 karma

  • Play CTFs (see other answers)
  • Wireshark is the de facto packet sniffer
  • Not that I know of, but if you want to do some BIOS reverse engineering, maybe.
  • I like breaking things.

Bat_turd1 karma

As a hacker, what would you recommend as a decent router for home use? (I read about the poor state of SOHO router security.)

Psifertex1 karma

Oh, wow, yeah. Home routers are awful from a security perspective. I mean, really awful.

There's nothing great, but going with a MikroTik is better than pretty much anything mainstream: http://www.mikrotik.com/

Not the cheapest or best features, but far more secure.

FutureChuck1 karma

How do I get into your line of work? I have basic programming knowledge, that's about it.

Psifertex1 karma

Read my other answers -- play CTFs.

Memeinist1 karma

What's the most black hat thing that you can say you've done?

And what got you to start with security researching?

Psifertex2 karma

Most blackhat thing I've done that I can talk about? If I /had/ done blackhat things, then I wouldn't really want to talk about them, would I?

That said...

Once when visiting Canada many years ago, I found one of the major wireless ISPs still had default credentials on their Cisco access-point manager. You could log in and re-flash thousands of access points across the entire country.

I was in an airport at the time, so I closed my laptop, got on a flight back to the States, anonymously notified them about the flaw, and haven't been back to Canada since. Wonder what the statute of limitations is there. I didn't do anything malicious, but you never know.

alexr10901 karma

Hey, thanks for doing this. I think it's really cool that you're good with IT security. I'm in the process of getting a degree in programming. I started getting into hacking and would get my IP banned from sites, and since that would be part of the learning process of hacking and there are very real consequences for messing up, I decided it wasn't worth it.

So anyway, I'm curious how you got good with security. I suppose it'll be hard to get an honest response from you without incriminating yourself. But maybe you could tell me what friends did and how they learned to use their knowledge of IT security for good. Thanks a lot.

Also, I want to ask: how do I get into the IT security field without being a black hat hacker?

Psifertex1 karma

CTFs. You can practice hacking skills in a legal environment, and the competitive aspect is a ton of fun. See my many other answers on the topic for links and where to start.

enestatli1 karma

When will hacking in real life work the same way as it does in movies?

Psifertex2 karma

When anything else in real life works like it does in the movies... ;-)

Cardsharp0071 karma

Do you need any clearance from United before poking around? Do they give you a special temporary account? I heard about the bounty program, but airline TOS always favor the airline; they can close your account without explanation for any reason (and this seems like a good reason).

Psifertex1 karma

Following the rules of the bounty seemed like a good way to stay safe, so I wasn't worried about them revoking my account. I'm sure if I violated the rules they laid out it could have caused trouble, so I was reasonably careful not to do anything dumb.

skolor1 karma

I'm sure that as a now famous airline hacker, you must have found many vulnerabilities over the years. What was your favorite?

Psifertex1 karma

lol.

I'd like to point out that it's all thanks to skolor here that I even went looking for the flaws at all. He's the friend I mentioned in some news stories who was poking at another far more interesting flaw and we were brainstorming technical ideas about that when I went off and found the two far lamer flaws that I did that got me the miles.