I recently found a new-ish zine with similar content and current publication dates, loosely led by a principal sec eng at a FAANG, but can't recall the title. If anyone knows what I'm talking about, would love to know the pub's name.
These security zines add so much value. Smashing the stack for fun and profit is taught in CS programs, for instance. I'd love to see this style of security research culture with the personality that it has return/grow outside of Project 0 blogs.
A bit unrelated: What I discovered a couple weeks ago was this format that I remembered due to your wording. Someone started to explain exploits with infographics and I think it's kinda amazing. [1]
Especially the one for HTTP request smuggling was really helpful in making a C-staff member understand the attack vector more easily [2]
Nice to see Phrack back again. I still remember "Smashing the stack for fun and profit", the article that back in the days made me have an epiphany about C, pointers and memory in general.
It seems to be a fairly recent addition, a few months ago "Smashing the Stack for Fun and Profit" came up on HN and I was able to read that just fine. Now the corpo-firewall locks me out. It's like they want me to be productive, or something.
Same! I remember doing some very basic stuff with BASIC and SuperLogo back in the day and fairly quickly becoming disillusioned with a feeling of "is this all there is?". Then I discovered an early edition of Phrack discussing NOP slides and advanced (to me, at the time) techniques for injecting code into already running binaries. It opened my eyes to how deep the rabbit hole really goes.
I would say 2600 is more counter-culture / anti-authoritarian / political, and Phrack is more just about the technical stuff. To give a recent example, 2600 gave their support for BLM:
I directed a short film in the late 90s and we used this as an 'event' at a party (minus the floating part). We removed the glass from a light bulb to act as a remote fuse. Acetylene was perfect, as it gives this wonderful 'crack,' much better than the LPG we first tried. It was Tim's idea.
- Set up a new zine and get one free editor from every intelligence agency in the world.
- Organize a conference and have a fed do the keynote speech for you. Oh, wait...
But seriously, people are indeed "moving" but for other reasons. The community and culture is dying because it is under attack by several highly advanced actors.
Corporate power, greed and profiteering is a much more substantial cause for the devastation of the "community". It used to be that hackers hacked (read the_uT prophile for a good definition on what hacking is) and -for the most part- stayed quiet. With everyone and his dog selling out to the highest bidder and maxing out self-promotion in his character sheet, that's certainly no longer the case. This is also reflected in (current) Phrack articles and authors, they're no longer an expression of the underground but of the corporate/infosec sphere that they belong to.
The underground these days is to be found on 4chan and other related (or not) subcultures, just like the_uT wrote more than 12 years ago, but certainly not in infosec.
Hacking is big business now, Phrack is a throwback to the hobbyist days when getting a free phone call out of Ma Bell was high achievement. Now billions of dollars are at play. If you have skills, writing about them for e-cred is a lot less appealing than becoming wildly rich exploiting some stupid fintech boner.
It's a reference to General Keith Alexander and Secretary of Homeland Security Alejandro Mayorkas having infiltrated, assimilated and neutered Defcon. The latter did the last keynote speech.
As a former Defcon attendee from the 90s, what made Defcon so successful as a business IMHO was that it was run and managed by folks who were only tangentially associated with the wider hacking community. Most of us who considered ourselves "underground" would never have dreamed of commercializing a conference the way DT did. At best you'd sell t-shirts to help pay for the cost of the venue.
It was definitely not associated with the military or govt. at the time though. That really came about with the founding of Blackhat and the open wooing of the Feds.
I should also say that almost no "hacker" conference, even back then, was primarily attended by hackers. We used to joke back then that Defcon was a "retarded fashion show" (sorry for the offensive terminology). There were always more journalists, narcs, and hangers-on at cons back then than people who were actually hacking anything.
As a former Defcon (and Summercon and Pumpcon) attendee from the 90s, I think this is revisionist. "Spot the fed" was a friendly game at Defcon years before Black Hat. Was Defcon more commercial than Pumpcon? Absolutely. It was in Vegas! Pumpcon was an overgrown 2600 meeting! But Summercon in 1995 had Bob Stratton and Winn Schwartau as speakers.
The reality is simply that there aren't that many people seriously criming, and there weren't that many before. Attendance at these events has always been driven primarily from enthusiasts and spectators; you couldn't even fill a bar with the number of meaningfully active people, even in 1995.
(Obviously, this is a private-sector and America/Europe-centric observation).
Heh, if you were at both Defcon and Pumpcon then I'm sure we know each other. Summercon 95 was the height of Con chaos. But I wasn't trying to say Feds didn't attend Defcon from the beginning, they absolutely did. I was just saying that they weren't doing keynotes and certainly weren't running the con.
I understand the broad point. What I am asking for is if there are specific examples of intelligence agencies infiltrating the staffing of hacker zines, which is what the parent was suggesting.
Ahh, sorry. I do not have specifics myself. They may be hard to come by.
In my experience, and I have some that is a good parallel but is also not software / hacking related, these things happen in layers. There is a core layer, call it the actor guild, who are three letter lifers, let's say. They are insular, not having broad contact outside trusted peers.
These people won't be doing the work directly.
They will seek others who have various inclinations and or liabilities who can do that work, or even more insidiously, they know who will do the work due to those inclinations or simply being misguided. These people may be almost entirely removed from the actors guild, or if associated, it's murky. They will be directed by people who clearly are of the guild, but also are not core. There are layers of these people who actually do the work and are in contact more generally and who also lack knowledge and or may well be unaware of the real purpose behind their actions.
A good look at what was done, and frankly is still being done in various civil rights, environmental and political activist groups would hint very strongly at what I would be shocked to find is not being attempted (with some degrees of success) in these more technical circles.
Life has taken me well into territory exposed to this stuff, and is currently taking me well out of it for now. Good opportunities tend to work that way, so this is largely a matter of curiosity for me and maybe more should I return to a closer place one day.
In terms of things like activist collectives, I've seen the following:
Promotion of people inclined to favor established interests, who then influence the potential of the group toward low value actions.
Division. Basically, start shit among key players and watch the thing dissolve into uselessness meta.
Pollution. Increase group size and or decrease coherency with a combination of people and misinformation.
Dilution. Impact vital players in ways that reduce their agency and zeal to participate.
If you'd like some good dawn-of-time history about the BBS era Phrack came out of (and the people who started it) The Hacker Crackdown by Bruce Sterling is available free on Archive.org (book 101!). Fun read, probably even more so if you weren't there.
Pretty amazing to see Phrack pop up here and there. Totally cool with them doing an issue every 4-5 years.
Always nice to see that proper old skool textfile ASCII art mag format. Had copies stored on floppy disks back in the day! Gives me such an early-mid 90s vibe and demoscene vibe also.
Call me old-fashioned, but in this modern day internet where almost everything is optimized to be as distracting as possible, it's a real breath of fresh air to still be able to read premium technical content in plain text form.
I am with you on this. I truly hope the years of social media exuberance are beyond us and we return to our communities of friends in specialized microcosms.
People are ego driven but they're also profit driven. Industry and academia are paying attention to security now so that's where hackers are going. Capital eats everything.
I recall a strong strain of activism to get hacking as an interest as socially acceptable, along with opening up compsec to a wider audience, and getting gov/corps to embrace this instead of treating all hackers as criminals.
I'm sorry if it disappoints you that people 'sold out' and it might feel like something of the original 'underground' scene has been lost---I genuinely get that. But experts who put in the time deserve to be compensated and making computing more secure is something that benefits society.
Thank you for this. The Love of Complexity is Real in this field. While I encourage and support the goals of anonymity and security everywhere, everything has its design envelope.
This is an e-zine of public content. Sure, "SoMeOnE cOuLd InTeRcEpT", but why bother? Even with encrypted sockets, logs would still show your IP going to the site. What information are we trying to protect or malicious activity are we trying to stop by using SSL?
... And is it worth the unfortunate webmasters having to deal with bullshit like LetsEncrypt's root certificate expiration and all the main of keystores and PKI management so random "Very Serious People on the Internet" can say "ah, they follow The Standard on security."
Controversial statement in 2021, I'm sure, but I think a use case for simple HTML over HTTP websites still exists. Your personal page with pictures of cats and your resume probably doesn't need to be some bastion of cybersecurity.
Even with HTTPS ad injection is still very common and it's not just happening in India. Even laptops sold here in America by big reputable brands have been known to preinstall things like layered service providers that proxy deciphered ssl communications through a server in a foreign country that injects ads. https://ag.nv.gov/uploadedfiles/agnvgov/Content/News/PR/PR_D...
What an incredible link and story I hadn't heard of at all. Reading that Lenovo literally knowingly installed self-signed certs on their laptops to send encrypted traffic to ad bots is one of the more horrifying device manufacturer findings I've ever seen.
Someone might MitM the hacking 'zine's site to display a Google login prompt, and the user will obviously trust an apropos-nothing Google login prompt on a hacking 'zine's site, and so have their Google credentials stolen. /s
HTTPS creates a false sense of security as even the Chinese communist party is a certificate authority and various nation states are already caught abusing their privileges.
Complementary, not using HTTPS also speeds things up and burns less fossil fuel.
They wink at the fact that the hacker community has changed, but Phrack is also (afaik?) still run by old fogies who don't necessarily reflect "new" hacker communities. It could be that the "community" already has its own new "Phrack". One found only on live-streamed dark-web sites, or podcast, or whatever passes for a party line these days.
The world is more antagonistic to the Black Hat ethos now. Those in the West that have gotten fat off of bug bounties and infosec contracting may not have anything to do with "real hacking" now. They probably assume the hacker community will always be anglo-centric. But I'm sure Russia and China are rife with underground wares, as is probably Brazil and large swaths of Eastern Europe. Many hackers are probably inspired more by religion or nationalistic fervor than a bug bounty, yet they still need to research to perform epic feats and compromise national defenses.
Who knows what communities lie outside the domain of a 36 year old text periodical? The net is vast and infinite.
The community is English-centric, not anglo-centric. Eastern Europe is already pretty much part of the West unless you mean a different kind of Eastern Europe (Belarus, Ukraine...).
China, Russia, Brazil think of exploits and exploitation techniques as wares to keep or use as weapons. There is not much sharing or exchange of ideas.
Oh no, Russia is still a veritable bastion of sharing.
It's the one place where you can get clean, good Adobe CC shit conveniently packaged in a good old Master Collection format.
Torrent forums without the ridiculous ads and popups.
The only place I could find firmware hacks for various hardware including some brilliant mods for SFP routers and washing machines.
There still seems to be a sense of solidarity although I don't really like it since it's the old "fuck them all western shits".
Chinese net pops up every now and then. It's just hard to navigate, hence it's very much unknown to western users. But I know there's troves of cool stuff there.
It all used to be the same scene, at the advent some sceners only being there for gfx art (the cracktro and ASCII/ANSI art people, now evolved to demoscene).
Eventually, the scene started to grow, diverge and many groups specialized in only certain aspects.
For a while, 0-day exploits were traded the same way people did mp3 or disk images. (It's also where the nomenclature "0-day" stems from.) Different competing scene sites carrying different sets of file types all following the same scene standards & pyramid.
Then people started being prosecuted for bullshit more frequently, the earliest example is Mitnick being locked up for being able to whistle nuke launch codes.
Actions like these and their increase in numbers and sophistication made people require larger amounts of money in order to keep themselves and others safe from predators.
Commerce was introduced by some groups in order to pay for security, others such as the still non commercial group CORE kicked all couriers out of the scene for the same reason and refused to race with commercial "leakers". From there everything became the clusterfuck that's left today.
In other words, what you call "real blackhat scene" is nothing but a third order simulacrum of what used to be referred to as just "the scene".
See: https://en.wikipedia.org/wiki/Second-order_simulacra
This seems to me like you're talking more about your background and particular bubble rather than give any sort of "overseer" insight about a phenomenon whose various aspects and manifestations you seem painfully unaware of.
One definition of "anglo-" as a prefix is literally just a fancy (or shorter) way of saying "English-".
The Chinese, Russian, and Brazilian states see exploits mainly as weapons. As does the US state....
The question is whether a hacker culture apart from state control exists, of hackers interested in ideas for their own sake/the challenge/the lulz. Without being in those scenes or even speaking those languages, I couldn't say. (But maybe you have knowledge?)
As in above parts of these comments, threads where people wonder if the corresponding cultures in the USA have been entirely "neutered" by state and corporate involvement, the question is not irrelevant to the US or European or English-speaking worlds either.