There are exceptions of course, like the Oracle Certified Master. For the OCM you have keep an Oracle Database environment running, two days in a row, while the examinators in the next room delete data files, disrupt the network or fill the test champer with nitrogen mustard gas. My friend and collegue Erik Sekeris actually managed to get this title alive, so I know his counter-terrorism and database skills are truely good.

Another exception to the ‘all-certs-suck’ rule is the Offensive Security Certified Professional. In case you don’t know, Offensive Security are the guys behind the linux distro ‘BackTrack’. BackTrack provides penetration testers with easy access to a comprehensive collection of security-related tools. You can only get this certification after spending some time in their lab environment followed by completing a 24-hour exam.

The lab consists of getting you familiar with the various ways to use backtrack components for a succesful attack. Most of the time there is first a thorough explanation of some software or configuration problem. Then they start to abuse this flaw manually and via scripts. Then when you grasp the concepts they will introduce a tool which does then same. And in the end they show something utterly mega kewl tool like ‘Core-Impact’. Which does the same as all your written scripts and used tools, but with the press of a single button. I really like this build up, to make sure that the users of the tools aren’t scriptkiddies. Remember,  ”A fool with a tool is still a fool”.

The other thing I really liked is that there is little support. This sounds weird, but they really give enough information. But it doesn’t mean you can apply it directly. Sometimes you are stuck for a day or two. And you just need to try harder. It is like a difficult puzzle or game. Once you grasp it it feels like you climbed the everest or solved the algorithm for prime numbers. While all you did was getting a reverse shell for the first time through exploiting a buffer overflow and send some shell code with it.

Spending a whole day hacking servers and then another day writing documentation sounded cool enough for me. So about six months ago I signed up and started preparing for this exam. Clocking in at 230 hours of my free time and exactly 1641 ‘Come to bed!?’ yells from my girlfriend. ‘The time has come,” the walrus said.

The exam was suppose to start today at 14.00 GMT. And it is 15.13 now. So why am I spending some of my precious 86,400 seconds in writing this instead of pwning a server? Well, I assumed that GMT is 1 hour behind the Central European Time. So at 15.00 is was F5, F5, F5, F5… Nothing. Was I wrong? No.. there is indeed an one hour difference. But it appears that GMT doesn’t have daylight savings.. So I needed to add an extra hour. Grmblz.. Will be back in an hour.

Update 1: (15-05 15:57) It’s in. I have gotten a list of 5 IP addresses. Behind each of those is a machine which has a file, stored either in the root’s home or the administrators desktop, which you need to get.

Update 2: (15-05 18:04) Yeah.. First one in.

Update 3: (15-05 20:32) And that’s the second.. So it is Pizza time… Quattro Formagi, what else?

Update 4:  (15-05 23:09) And I got the third one..

Update 5: (16-05 02:26) Hoooray, if my brain is still capable to do simple calculations, I now have enough points needed to pass the exam. That means it is now time to think over the solutions during my naturally recurring state of relatively suspended sensory and motor activity, characterized by total or partial unconsciousness and the inactivity of nearly all voluntary muscles

Update 6: (16-05 08:22) “Rise and shine, Mister Freeman, rise and… shine. Not that I wish… to imply that you have been sleeping on… the job. No one is more deserving of a rest, and all the effort in the world would have gone to waste until… well… let’s just say your hour has come again. The right man in the wrong place can make all the difference in the world. So wake up, Mister Freeman…wake up and… smell the ashes.”

Update 7:(16-05, 13.33) Done, now all I need to do is start on the documentation of all my steps. Which means cleaning up cli logging and editing them with comments in my leo file.

Update 8: (19-05,  11.00) Yesterday, I got the following mail for OffSec:

Dear Marinus,We are happy to inform you that you have successfully  completed your Certification Challenge, and obtained your OSCP certification.

1. The water in the hose hasn’t been in contact with the hot water since the last usage. But it is in contact with some metal valve parts. So it’s cooled down to near absolute zero.
2. It physically impossible to remove your hand before the stream of water hits some part of your body. (Or at least at that early in the morning)

Because of this I get to know every day what Mr. Joe the lab monkey feels like when pressing the wrong button and getting a high voltage shock applied directly to it’s brain. Instead of a nice banana or some other sweet monkey snack.

Now of course you could nudge the showerhead away from you. But this will result in a even angrier attack the moment the hose gets pressurized. Okay.. take it off, point it to the floor and then turn the water on. Which isn’t that much of a hassle, I agree. But I mean come on, we can have a man in spaceship twitter about his view of the Palau islands 200 miles above earth. But we cant fix this? The reason for being human is to adapt the world around you. Improving stuff (for ourselves) is where we are good at.

Now, it could be that the whole design of the shower isn’t the way it should be. First let’s look at the modern toilets. How long did it take before someone finally came up with the siphon and stopped the pleasant odor of sewers. Image how happy people were the day that they only had to smell the scent of the intestinal flora from the previous visitor, instead of the whole city. Just by adding 2 curves to a tube. Small adjustments to improve life.

Now for the shower. Why not put the tabs somewhere else then right below the sprinkles from hell. Some might complain it’s not fully Feng-Shui compliant. Plus most houses, at least the ones owned by clean people, are already fitted with showers. So replumping the whole thing for this is a silly idea. Mhhh.. you could install some qooker but that is also a quite expensive solution for such a small problem. Plus getting 100 degrees Celcius water on your skins will make you feel what the small lab rat sitting in the cage next to Mr. Joe is going trough.

But it might be even simpler. For the kitchen you can buy these really ugly cooking alarms. Most of these food preparation timers have designs like fruits, eggs or even vases. Yuck, but it again shows my point.. why spend time looking at clock when we can invent something to do it for us. Now these things operate on the simple concept that when you turn them, they get wound up. Releasing the spring with a fixed interval. How much effort would it be for shower tab makers to incorporate something like this. So the moment I turn the dial to start my artificial rain, a 2 second spring gets released. And when the time is over, there is no PING but water. And when I turn it back, to stop my hi-tech rain dance, “Click!”. Ready for the next turn. Costs would be below cents and it would al least stopped me from writing this.

The evening starting with some opening act done by two girls who introduced themselfs as ‘mmmhmhmhmhm’. I know I am getting old but none of the people around me could tell what they were saying. Probably nervous or something. (update: they were called The Secret Love Parade) And they were not bad or anything, just not what I would like to see while waiting for tAGT. It was kind of a mix between Ladytron and some high school band. Clumbsy in their performance. But still being able to grasp a difficult concept like harmony. They should keep the drummachine but add a base player to keep the flow. Also they started of with some very slow softpop. They should started with a bang. Now with each number they started increasing their aggressiveness but by then they had already lost most of the audience’s interest. A least ours, so we went to the merchandise booth. Here we bought the limited edition vinyl version of Fruit. I guess it is called limited as it wasnt pressed on 180gram vinyl.

After returning, tAGT was ready and started their set with ‘Push the envelope‘. Now that’s how you start off a live set. Lot’s of screaming, a fat baseline and fast drums to get the audience going. After that the somewhat more relaxed tunes were done. And I noticed that the songs were played a bit slower then on the album version. Much better to dance on, but because they were in a small venue/parlor/hallthingy there was not much room to do that. It was also quite funny to see the trumpet player doing the baseline with his free hand on the keyboard. Except for vocalist Mette and drummer Rasmus all the band members regularly switched instruments per number. Talk about talent.

Because tAGT only got one album, their repetoire isnt that big. So I was amazed that they played some new material including a Inner City Blues cover. No where near Marvin Gaye, but much better than the Powderfinger version. Then after two songs it was “good night” and “dankuwel“. But after a “we want more”, they came back for one encore. The Golden Age. I really don’t like those planned encores. Either play your set and do a real return. Or just pause somewhere in the middle if you need the rest.. And I can get my beer.

In 1998 I was studying information technology. One of the final things that I needed to do was to write a thesis. Mine was about ‘Rythm-based passwords’. The idea is quite simple. Instead of just sending the password characters, you also send the time between and during the keypresses, the so-called flight- and dwell-time.

Each person types a little bit different, but this difference is enough identify someone. I created a tool to test it. And after about 10 successive entries the various possibilities were unique enough. The down- and in-between times of the keypresses were stored as percentages. So someone could type it slower but still fit specified ranges. Try it yourself, just type the same word or phrase several times and at different speeds. And then ask the person nearest to you to do the same.

Now this alone isn’t enough for authentication. But the same could be said for the password. But when they are combined then you extend the authentication factor ‘something you know’ with ’something you do’. Hence, stronger authentication.

Off course when I was nearly finished with PoC’s and all kinds of tests, I spend some more time on researching: “Why the hell didn’t anybody else think of this”. Well.. somebody did. It turns out that the USA military had already discovered this in the sixties, but never used it. And before that, during the second World War, the allies discovered a way to track German telegraph operators by identifying their particular style of typing code, something known as ‘the fist of the sender‘. More on this can be read in Simon Singhs excellent The Code Book. Sigh, In the end I abandoned the whole idea and went for something completely different.

In 2001 a group of  3 students released a paper on ‘Password hardening based on keystroke dynamics‘ Mhhh.. And in 2006 a company called BioPassword was in the news for a revolutionary way to enhance passwords.. Jup. They even stated “After taking about nine samples of an 8- to 16-keystroke password, the company’s software is able to identify the “fist” of the typist.” With some searching the same announcement, albeit all from other sources, can actually be found in each subsequent year from 1986 till now.

Now I am not here to brag about the fact that I came up with that idea earlier that than the others. I just want to show that some ideas are thought up independently, because they didn’t know about the others. And that is a unfortunately a waste of precious time. Instead of thinking about it, they could have build it years ago. And I rather would have the functionality put to practical use, then to read about it way too many times. As I have yet to see keystroke dynamics, as it is called now,  anywhere except in papers, ads and the news.

So to inspire other people I will put more concepts here that kept me awake at night. And if someone want to do something with it. Great! Be my guest.

Ow.. and next to dumping ideas, I’ll post stuff about things like security, retrotechnology and media too. So there you have it..

Welcome to blog 44,324,985 on the internets…