Thursday, September 15, 2011

Hack This Site

What You Need for This Project
• A computer of any kind with Internet access.
• A lot of time to spend solving puzzles and doing research.

Part I: Basic Web Challenges
1. Be warned: in this project, you will be learning real criminal techniques from real criminals. Do not reveal your real name or address, or trust these people. As you will see in Part II, the creator of this site is currently in prison.
2. Open a browser and go to hackthissite.org
3. In the upper left, click on the green word register.
4. Fill out the form to create an account. Do NOT give these people your real name or any correct information, not even a real email address. I used the address sam@mailinator.com and I recommend that you use a mailinator address too.
5. After creating your account, log in. Then, on the upper left of the main page, in the challenges section, click "Basic Web."
6. You should see a page labeled Level 1 (the idiot test). There is a form asking for a password. Your job is to figure out the password. There is a Help! link at the bottom which can help you.
7. Solve as many puzzles as you can. There is a forum on the site which contains hints, tutorials, and even outright explicit instructions for solving the puzzles. The puzzles are very instructive, although not perfect. In my opinion level 8 is too frustrating—the code injection routine is too restrictive, so you don't get enough reward for coming close to the answer. But that's because the technique being used is so powerful that you could take over the whole hackthissite.org server, so they have to protect themselves.
8. When you have completed as many levels as you can, or want to, take a screen image showing how far you got.

Saving the Screen Image
9. Press the PrntScn key to copy the desktop to the clipboard.
10. On the Start menu, click Run. Enter the command mspaint and press the Enter key. Paint opens.
11. Press Ctrl+V on the keyboard to paste the image into the Paint window. Select a Save as type of JPEG. Close Paint.
12. Upload the picture to the blog here.

Part II: Jeremy Hammond's Ethics and Fate
1. At the main hackthissite.org page, in the upper left, click Realistic Missions. Look through the missions, as shown below, and think about them from an ethical point of view, not a technical point of view.
2. Open a browser and go to en.wikipedia.org/wiki/Jeremy_Hammond
3. Read what Jeremy did, and what happened to him.
4. Write a couple of paragraphs about Jeremy Hammond and his case. Make sure to address these points:
   a. Was Jeremy Hammond an Ethical Hacker? Why or why not?
   b. Was his sentencing fair? Should it have been more or less severe? Why?
5. Reply on the blog with your thoughts here.

9 comments:

  1. PART I:
    http://imageshack.us/photo/my-images/210/unled1m.jpg/

    I got as far as I could stand to at the time, but I enjoy the site and it is very interesting.

    PART II:
    What happened to Jeremy Hammond was necessary in my opinion. He had it coming to him; whether he used the credit cards or not, he still stole them. Looking at his realistic mission provided on the site, I am going to say Jeremy was not an ethical hacker whatsoever. Jeremy seems to target racist groups or just "bad" people in general. However, "bad" people have rights too and Jeremy thinks it's okay to violate their rights. I believe Jeremy's sentencing was a little much, on account of he didn't use the cards. Two years in prison is a long time. On the other hand I feel as though he needed to be punished to learn what he is doing is wrong.

  2. Part 1: Only finished level 2 so far http://i13.photobucket.com/albums/a287/Dreamstalkerwolf/School/hts02.jpg

    Part 2: What Jeremy did was wrong. Rather than notifying the target of a breach he decided to take the data for his own use. Even if HE didn't use the credit cards, there was no guarantee that someone else who saw the data didn't plan to. The original 'damages' that were asked for in sentencing seem excessive; they were demanding restitution based on something that might or might not have happened.

  3. PART 1:
    Completed all of the basic ones (up to 11). No tutorials! I recommend getting the Firebug extension along with an extension that can edit cookies. They were crucial for the last few (5 and on). 5 was pretty simple (as simple as #4) once I had Firebug, so I hope that doesn't. That was fun. 8, 9 and 11 were fun and pretty involved! I'll try the harder ones and see if I can do anything. I'll get working on part 2 as well!
    Yay!

    http://imgur.com/r2GJj

  4. http://imageshack.us/photo/my-images/148/basic7proof.jpg/

    Part 1: stopped after 7, used the hints on the forums from 3 onward

    Part 2: Jeremy was not an ethical hacker; if I took sensitive information, even without the intent to do anything negative with it, I still have stolen the information. 2 years was a reasonable sentence for what he had done. What was requested in damages was way beyond what had been caused. If I stole a junker car, drove exactly 3 miles in it and caused no definable damage to it, most people would think it unreasonable for the damages requested in damages to be what the car could have been worth off the showroom floor.

  5. The RIAA/MPAA also likes speculative damages as well (are they basing it off of hard data, or what they think it could have been worth in sales?). In my opinion any demands for monetary damages should be verifiable.

  6. http://imgur.com/F1oSb
    Stopped after Realistic 3. Couldn't figure out Realistic 4 (SQL injection is tough... and frustrating!)

    Part 2:
    I do not think Jeremy is an ethical hacker by any means. It is clear that he was motivated by noble causes, but that does not give him the right to commit crimes against the people he sees as unethical. Stealing credit cards from a website is unethical, period. With that said, if you take into consideration that no money was yet stolen and what he intended to do with the money was selfless, I think he received too strong a sentence. As Isabel said, this speculative damage nonsense made me think of the RIAA/MPAA immediately. I don't think it's fair to come to the conclusion of $2.5 million dollars, and even if it were, without the crime being committed yet I do not think it is fair to sentence him as if it were.

  7. It's official...I could never become a hacker!!
    Sadly, I only managed level 4 on Part I


    Part II

    Do I consider Jeremy Hammond an Ethical Hacker?

    No, simply because there was no consent to do so. In my opinion, what he did constitutes trespassing. To obtain over 5000 credit card numbers and supposedly donate proceeds to charity is BS. Maybe OK for Robin Hood but let's stick to reality here.

    It's almost as if I walk into someone's home without permission, then walk out with their HDTV and after being surrounded by Police...I say something like "oh I wanted to drop this off to the local Boys & Girls club."

    First off, Jeremy did not own those credit card numbers and he had no permission to hack into the site.

    Was his sentencing fair?

    I think so, and he could have received more if the case ever went to trial. I think the evidence was sufficient and he knew that by entering a plea of not guilty, they could have sentenced him to prison longer.

    I always say play by the rules and if you don't... you must face the consequences!

  8. http://loudmouthsquawkbox.blogspot.com/2011/09/blog-post.html

    I got through basic level 8, and I'll keep going in the future but for now, I'm too tired. Mind you I know NADA about SSI, and it was verrrry frustrating. (I know very little about Linux as well, but that was a lot less work to find the right command for basic level 7.) Truth be told I finally just looked up the proper command and then spent waaaay too long reading about SSI.


    As for Jeremy Hammond...I DO understand the Robin Hood Hero idea he had, but even if he intended (but never went through with) donating to charity...that money would have been stolen. A useless gesture, and a bad example to set. Even just sitting in his computer...it could have been stolen, and used. He still had them, he did not delete them.....and yes, his sentence was too harsh. I also am put off by "speculative damage". Seriously, it borders on thoughtcrime to me (except he actually had the means to complete this thought). However, I do believe he was being made an example of. Still not good reason for such harsh punishment.

  9. Jeremy, you are a cheeky little show off. Now you HAVE to show us how :P
