New Colo Box

Posted on April 25th, 2007 in Security by LogicX

I’ve had a colo box with ColoPronto for over a year now. It’s been a great, inexpensive box to play on. Since I’ve been in Boston I’ve been trying to locate a reasonably priced local colo option, so I can be more ‘hands on’ with the server and upgrades. Unfortunately, for the last year my search results have been pathetic. The best I’ve been able to find is around $100/mo for 1U with 1/4 Mbit/sec (80GB/mo). That is just totally unacceptable, considering I get 500GB/mo with ColoPronto for $20/mo.

I recently received a reply to a post on WebHostingTalk where I asked for Boston colo options. Through this I learned of Prospeed.net. They offer 1U in their Cambridge, MA facility, with Level3 Communications connectivity and generous bandwidth allowances. I’ve contacted Prospeed and have begun the process of getting some space there. I ordered a Core2Duo 1U from AntOnline which arrived today, and I hope to get it live in the next few days.

What will I do with this box, you ask? Well — for starters, it will run Gentoo and vmware-server. I will then be able to run a number of VMs inside it. One of them will likely be a DekiWiki 5-User VM. I will also continue to expand my knowledge by being able to run servers and experiment with new OS choices, etc.

A broader goal — which I’ll write about in more detail later — is to offer VMs on the box to interested High School and College students who do not have the resources available to them — but would like to experiment with running a server, hosting sites, and the learning that comes with offering such services.

Update 4/24/08: I’ve been very pleased with ProSpeed.net for the time I’ve been with them now. I’ve had very little downtime, service has been good, and they didn’t even have an issue when my CC expired and they weren’t paid for 5 months; they called me up and we cleared it all up. I had a friend who was looking into colo services contact them, however, and I don’t believe they’re offering this deal at this price point anymore.

Jikto Source Code Situation

Posted on April 2nd, 2007 in Security by LogicX

I read Billy’s post concerning the release of the Jikto code, and want to share my thoughts.

Just to make sure the facts stay straight:

I was at Shmoocon, and watched Billy Hoffman’s presentation about Jikto. At one point during the presentation he was trying to show how the code worked, and switched to a window displaying the URL it was including. As this part of the demonstration showed how it can be incorporated into sites such as Google Translate, Jikto needed to be accessible to Google Translate. I was sitting near the front, caught the URL, and downloaded it.

I had put the code up on a site of mine for only a short while before Billy called me and kindly asked me to take it down, and explained the media frenzy surrounding the code, its purpose, and SPI Dynamics’ release of it. I meant no harm to Billy or SPI, and immediately took it down. My interest in the code was purely from the perspective of how it worked. I’m an Information Security Consultant with Security Management Partners in Boston, MA, and imagined being able to use his proof of concept for phishing exercises we create for clients.

We create fake websites and email employees to test their compliance with policies regarding clicking links or attachments in emails. Obviously, being able to include code which could perform reconnaissance of their internal network before we even step on site would be an excellent demonstration to clients of the severity of employees accessing unknown sites. Even more extreme is the fact that this can be included via XSS attacks, making it come from a real site such as cnn.com.

My understanding of Jikto is that it will not take down the Internet, despite the alarmist reactions; it is just an interesting proof of concept demonstrating a way to enumerate information about systems while dealing with the constraints of the security model.

Regarding RSnake’s comment, I believe Billy did actually go to great lengths to protect the code and still perform his demonstration. A testament to this is the fact that all I actually got was client-side code — I did not get the GUI control component, viewer, etc. So the piece released was incomplete, and not actually usable in its current form. I’ve not executed the code, and unless others have coded their own control/viewer component, it’s not that big a deal that a small piece of it got out.

Update: IDG articles have been released, such as InfoWorld’s; ZDNet blogged about it, as did the CNet Security Blog; and I posted on VulnerableMinds.

Shmoocon Hack or Halo - Winner!

Posted on April 1st, 2007 in Security by LogicX

I competed in the Hack or Halo competition this past week at Shmoocon 2007.

There were about 40 people competing, in two sessions of 20. I completed 9 of the 22 goals, and was declared the winner during the closing ceremony Sunday afternoon. I received an Xbox 360!

I’d have to say that the Friday night practice session was very helpful. I had my work pentesting laptop along with me for the weekend, preloaded with all my tools; the only thing I discovered to be lacking was a tool to decode steganography, so I quickly got steghide prior to Saturday night’s competition.

WPAD

Posted on April 1st, 2007 in Security by LogicX

Insecurity at its best — At Shmoocon I saw a presentation on WPAD (Web Proxy Auto-Discovery), which is essentially a means of dispensing new proxy settings to browsers: the browser asks DHCP, and then DNS, where to fetch a proxy configuration script, and applies whatever it is handed. Of course this was implemented by Microsoft with no form of security in mind; nothing authenticates the script or whoever answers the lookup. Over the next few months I intend to use WPAD at clients to dispense rogue proxy servers, and see what sensitive information can be gathered.
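To make the mechanism concrete, here is an added example of the kind of Proxy Auto-Config (PAC) script that WPAD delivers. This is illustrative code written for this page, not anything from the Shmoocon talk or from Microsoft. A WPAD-enabled browser retrieves wpad.dat from the URL in DHCP option 252, or failing that from http://wpad.<search-domain>/wpad.dat, and then calls FindProxyForURL for every request it makes; only that function is consumed by the browser, and the classify helper at the bottom exists purely so the decisions can be inspected outside a browser. The proxy address 10.0.0.5:3128 and the internal domain corp.example are assumptions.

```javascript
// Added example (not from the original post): a minimal PAC script of the
// kind WPAD hands to browsers. Nothing authenticates this file; whoever
// answers the DHCP or DNS lookup first chooses the proxy for every client.
// The proxy 10.0.0.5:3128 and the domain "corp.example" are assumptions.

var PROXY = "PROXY 10.0.0.5:3128";

// Hosts that stay direct: the local machine, bare intranet names such as
// "intranet", and anything under the assumed internal domain. Old PAC
// engines (IE's JScript) lack String.prototype.endsWith, so a regex is used.
function isLocalHost(host) {
  host = host.toLowerCase();
  return host === "localhost" ||
         host === "127.0.0.1" ||
         host.indexOf(".") === -1 ||
         /\.corp\.example$/.test(host);
}

// Called by the browser for every URL. Returning a proxy for https:// URLs
// turns them into CONNECT requests, so the proxy learns every destination
// host even when it cannot read the TLS payload.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) {
    return "DIRECT";
  }
  // The "; DIRECT" fallback is what a rogue operator wants: if the proxy
  // disappears, the browser quietly reconnects directly and nobody notices.
  return PROXY + "; DIRECT";
}

// Not PAC syntax: evaluates the script against constructed sample URLs so
// the effect can be checked offline. Extracts the host the way a browser
// would pass it (userinfo and port stripped).
function classify(urls) {
  var out = {};
  for (var i = 0; i < urls.length; i++) {
    var m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/]*@)?([^\/:?#]+)/i.exec(urls[i]);
    out[urls[i]] = m ? FindProxyForURL(urls[i], m[1]) : "DIRECT";
  }
  return out;
}

// Constructed sample requests: two stay direct, two go through the proxy.
var sample = classify([
  "http://intranet/",
  "http://mail.corp.example/owa/",
  "https://www.example.org/login",
  "http://10.1.2.3/"
]);
```

Note that the RFC 1918 address in the sample is proxied too: with no isInNet() check, a PAC like this routes intranet-by-IP traffic through the rogue proxy as well, which is exactly the sort of "sensitive information" an assessment would look for. The defensive takeaway is the mirror image: disable automatic proxy detection on managed browsers, or register a wpad record you control so an attacker cannot.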