Lockpicking is one of the oldest hacker arts and one of the funnest/easiest things to do. There are great guides on the internet about how to actually pick locks, I'll link to some good ones at the end of the post. Of course, responsible lock picking is encouraged or you could end up in the slammer having your cellmate pick YOUR locks and you don't want that. Check local laws and make sure that its legal for you to possess lock picks without a license, as some states have outlawed even the possession of picks.

There are a couple ways to get some picks. You can order some off the internet, I got a pretty sweet set from Lockpicks.com for a very fair price so I recommend them. I haven't done business with any other sites, so I don't know how good they are.

How To Make Lock Picks - The funniest home videos are here

If you really wanna do the true hacker thing, you can make your own picks. I didn't realize how easy it was to do this before I ordered my picks, otherwise I would have used the method in the video. I'll probably still do that and make some more picks.

Lockpicking is fun and can be very easy (most locks) or very hard (high security locks). Its pretty interesting to know just how useless a lock is if someone with the right tools and knowledge is around... fairly scary too. Of course, don't get all paranoid. There are much easier ways of getting in your house than picking your doors.

• MIT Guide to Lockpicking (pdf)
• Greg Miller's Guide to Lockpicking
• Lockpicking Guide

The OpenLearn project provides free online courses of college level curriculum for many subjects including IT, Mathematics, Law, Education, Arts, Health and a bunch more stuff. Of interest to my readers is the IT section. There are lots of good classes on network protocols, security, electronic government, etc. Very interesting stuff here that I previously knew nothing about. Any opportunity to learn something new is an opportunity you should seize.

There is a great class over at Hacker High School that will teach you the basics of networking and security. If you're curious about how hackers do what they do and how computer security works, you should definitely check out this free course. It is provided in thirteen PDFs free for download.

Keep in mind that this really isn't meant for anyone who has security experience, but anyone that craves information like I do might be interested in reading the lessons.

This is primarily meant for high school students that want to learn more about computer security for purposes of a career in IT. Not only does it teach about hacking but it teaches about ethics as well. Its cooler to be an ethical hacker than a malicious one, kids. Then you're subverting the subverters.

A recent Ubuntu convert asked me how to block IPs in Linux. He wanted something that was compatible with the PeerGuardian format (description:xxx.xxx.xxx.xxx-yyy-yyy-yyy-yyy). I didn't know of one off the top of my head so Googled it and found linblock. This is a handy little script that parses those IP blocklists you can get at sites like Bluetack. These blocklists can keep you safe from various types of hosts on the net like ad agencies, IPs that are under investigation by the authorities, and lists created from firewall and IDS logs that indicate that they are known for portscanning or other activities.

All you have to do with this script is extract it, open a terminal and type
perl -u blocklist -c chainname
Where blocklist is the name of the text file and chainname is just a name for that chain. If you want to use more than one blocklist file, you'll have to use a different chain name for each one of them.

If you want to roll your own blacklist, you can block ip addresses or networks manually with

iptables -A INPUT -s <iprange> -j DROP

You can substitute <iprange> with a single ip, or a range of ips such as 192.168.0.1-192.168.3.254

THE go-to port scanner for most security professionals (and hackers alike), Nmap, has released a brand new version, 4.60. Tons of bugfixes and tweaks are added in this release, along with more service and OS fingerprints, the NSE HTTP library (which allows for advanced HTTP operations via scripts), and various improvements to Zenmap, the official GUI.

You can get the new version or read the changelog.

Metcalf's Law states that a network's value increases exponentially with every node attached to it. This is true, a single computer sitting in a room by itself has minimal value in the real world. This concept describes the power of the internet and it can't be disputed. However, there is an aspect that has gone overlooked. For every node connected to the network, there has to be an operator of each node. Those operators can be one of three things, neutral agents, benevolent agents or malicious agents. While the majority of users are neutral agents, there will always be malicious agents present as well. Its much like the human immune system. Red blood cells exist as the neutral agents, serving the purpose of providing necessary nutrients for the body. White blood cells are the benevolent agents, fighting off the malicious agents such as viruses and bacteria. In the context of the human body, the benevolent agents normally greatly outnumber the malicious agents present. However, in the context of the Internet and computing systems, it seems that malicious agents far outnumber the benevolent agents. Therefore, while Metcalf's law applies to the value of a network, it also applies to the overall security of the network. For every node that joins the network, the potential security of the network decreases exponentially.

How does one prevent this, or even counteract it enough to make the network a sane environment? The simplest answer would probably be that its impossible. With the ratio of malicious users to neutral users, who may have no concept of security whatsoever being so lopsided, the malicious users on the Internet have made the network a highly infected and contagious system. The desperate shortage of benevolent agents (white hat hackers, penetration testers, etc) allows the malicious agents (black hats, hacktivists, terrorists) to basically run free. Not only do they go mainly unchecked in the system, they mutate at a rapid pace by creating new methods of taking advantage of people, programs, and network systems, making treating them a very difficult task. The only hope the system has is for more people to become educated in ethical hacking and become inclined to act as the white blood cells of the Internet. Ideally, ALL non-malicious users should have at least some security training to help protect the system in some capacity. While it will probably never be that every user connected to the Internet is a security-conscious, careful individual, everyone that can do their part should. Keeping your own systems clean of virii and malware to help keep the spread minimal, being educated about scams and hoaxes, and helping educate others about the dangers of online scams and hoaxes are great places to start that don't require you to work in security or even be highly trained.

Network security can be simply described by the following equation:

Where S represents the potential security of the system, Bh represents the malicious Black Hats, Wh represents the benevolent White Hats, and N represents the neutral entities. As the ratio of White Hats to Neutral agents increases, the impact by the Black Hats is decreased and the security of the whole is increased. The problem with the nature of the equation and the Internet is that while that ratio is increasing, so is the value of Bh, making it even harder for an equilibrium to be achieved. The security of computing systems relies on the same principles as the health of a living body, the malicious agents must be outweighed by the benevolent agents. This can never happen without people like YOU voluntarily becoming the benevolent agents. Don your white hats.

OK, as I continue to tweak my blog, I'm noticing a few things that didn't work correctly. I just implemented search engine friendly URLs for the content posts and fixed some other things. If you find anything that's broken, please let me know astralsin (at) gmail (dot) com.

I know, some people think professional certifications are lame. The plain and simple truth is that if you want to be a security professional (or any type of IT professional) these days, you have to have certifications. One reason is, all your competition has certifications and it shows employers that the candidate that has certs has enough conviction to actually study for, spend the money on, and pass the tests. Other than that, PCI standards are very important to industry today and PCI requires that IT staff be certified. That being said, I found a great guide to CompTIA's Security+ certification, which has recently been recognized by the US Department of Defense (Directive 8570.1) so it does have some clout. Besides, no matter how leet you may be, you might actually learn something in the course of studying for the exam.

Given, this is the entry level security test, it really does give you a solid understanding of the ideas and principles behind the standard procedure for keeping systems as secure as they can be. While there is alot more to study to really be ready to do work like penetration testing or vulnerability assessments professionally, its a good gateway to more serious certifications like CISSP or ECCouncil's curriculum.

While you're at the Techtopia website checking out the Security+ guide, you might as well check out some of the other stuff they have. They have good guides on Ubuntu, openSuse, Ruby, MySQL, C#, PHP and a few other things.

These are like porn for hackers. Links galore to tools, news, tutorials, stuff you've never heard of, etc. These can be a great source of information.

• cybersniper Research Labs
• wiretapped

Now, we all know there are plenty of scams on the net. From the old standard Nigerian prince that needs to launder some money through you to the free 1000" TV you just won. Now, there are a couple new scams to be aware of. Both of which are fairly amusing for someone like me, who knows that there's nothing to be scared of.

The first is the African Yorkie puppy dog scam. These guys over in Africa are actually sending out emails threatening people that if they don't buy a Yorkie from them for $15k, they'll kill some Yorkies. For one, I'm a dog lover, I love animals, but Yorkies irritate me. Second, I can buy many, many Yorkies for $15k. Third, if you've been on the net as long as I have you can see this as a crap scam from a mile away. Think about it, Yorkies in Africa? What are they doing, roaming the savannah with the lions? Look people, don't fall for stupid crap like this.

The second scam is this one. It is a death threat stating that if you don't send some stupid amount of money to this person, they're gonna kill you. I'm a redneck. My response to this might be "bring it on, I'll be waiting with my shotgun". For some reason, I never get scam emails... damnit. I get left out of all the fun. Again, this is dumb. If someone wanted to kill you, they damn sure wouldn't email you about it. For one, that would give investigators WAY too much info to go on AND make it a first degree offense. No one's going to kill you if they email you about it. Calm down.

There's always someone wanting to make a buck without working for it. These lowlives that think they can push people around on the internet need to be ignored, don't play into their game.

But of course, I'm sure my readers know better. Tell your friends, though.

EDIT:: These scams have actually hit kinda close to home, I've heard of two people lately that have experienced these scams, one a peice. Read about it here. While you're at it, check out Steve Mallard's (who is mentioned in the article) technical blog, cool blog with lots of valuable information.