Wurfel-Waffles
Just a super geeky guy who composes music in spare times.

Age 41, Male

Software Developer

TUM

Canada

Joined on 2/9/12


Wurfel-Waffles's News

Posted by Wurfel-Waffles - April 1st, 2012


Screw it Silencefreedom, if you don't want to make your codes public then I will put mine. The idea of procedural render came from demoscene and artscene. Game programming actually applies this in open world genre.

However, instead of writing a long ass code page based on POV ray, I'd rather put some simpler ones up for reference.

EDIT: Also, fuck April fool. If you can't read the codes then it's your own problem simple.

Ascii generator http://pastebin.com/dZtxKx4k (Python)

POVray mock up http://pastebin.com/LEbS408v (C)

Procedural renderer http://pastebin.com/NuXuFhk4 (C)

http://pastebin.com/W5eJQLvz (C#)

http://pastebin.com/iXDuuCQL (C++)

P.S. I will update soon.


Posted by Wurfel-Waffles - March 29th, 2012


For what? Well, there is a meet on this Sunday. Unofficial one for graduates. But officially for the Anonymous Helpers. (nothing to do with Anon!)

Technical University of Munich, or TUM as we used to say, is a German version of American MIT or Canadian Waterloo. For every geek and nerd, getting in there is a huge dream. You need all types of fees only to get a freshman's entry.
_____________

Some could not make it. Simply scholarships weren't enough even for geniuses. So we established a club. The Anonymous Helpers, in 1999.

I was dang young back then. 1999 = 18 years old. At the start we had like 5 members but by the end of the 1st month we got like 47 or 50 something!

Our goals: To help poor students to get into the university, get them food/drink/clothes and living support. We asked no return except more members to help out. We help students with homework and classwork. Help the disability with props. And a lot of parties...

We did all kind of money raising. Donations - charities. Bakery sales. Cheap food sales. Cloth and jewelries sales. All homemade. Fixing computer/devices for donations. Hacking contest for charity (1/5 of the members are from Chaos Computer Club). All kinds of weird contest. Art & photography sales. Music for disability. I'm the most active musician in the club. Played as bassist and fiddler at a local goth metal band. Later we formed a black metal band that only do charity for the Anonymous Helpers.

We never got onto the news until last 2009. Why? We are the closest club in the whole Munich, ever. No banner, no logo. We are all backgrounds, belief, no belief, cultures and nationality. All activities are self-made, which mean no officially group approving every time someone wanted to throw a party for charity!

P.S. In the end of my graduate we got like over 130 different logos and slogans! Still can't find the exactly founder but fingers pointed at me a lot. Not me...
_____________

From here I actually met Silencefreedom and a couple of other friends that later become my colleagues in work and comrades in military.

The group is still active. April the 1st, is our anniversary day. LOL. I have no idea who made this day (rumours it was from a prank day of the CCC members put on us). Fact that we formed our group on The 10th, not 1st!! I go to it regularly every year. So as almost everyone from all over the Earth.

Pic below is TUM famous building. ;)

Return to my university


Posted by Wurfel-Waffles - March 24th, 2012


Another cheap good toy... wait... I mean computer! http://www.raspberrypi.org/

ARM11 CPU for Linux! $25 only!!!

Teh Pirate Bay used this for their Server DRONES http://arstechnica.com/tech-policy/news/2012/03/pirate-bay-plans-to-build-aerial-server-drones-with-35-linux-computer.ars

It can run Quake~~!!! http://www.youtube.com/watch?v=e_mDuJuvZjI

Wanna be a hacker? Pick one bro and dump ya Windows http://www.theregister.co.uk/2011/11/28/raspberry_pi/

More hacks!!! http://raspberrypihacks.com/

Mines are gonna arrive at Munich on 1st of April!!


Posted by Wurfel-Waffles - March 22nd, 2012


Banking Trojan - Hidden Transformers

What is a Trojan Horse?

Perhaps many of you who visit my posts have read and known the origin(s) of the legendary and perhaps-true tale on the Fall of Trojan city?

From Wikipedia:"In the canonical version, after a fruitless 10-year siege, the Greeks constructed a huge wooden horse, and hid a select force of men inside. The Greeks pretended to sail away, and the Trojans pulled the horse into their city as a victory trophy. That night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greeks entered and destroyed the city of Troy, decisively ending the war."

Wait, what does computer science have anything to do with this old tale? Put this way: It's a metaphor to any situation that has come to mean any trick or stratagem that causes a target to invite a foe into a securely protected bastion or space. An embedded malware inside a looking-safe piece of software. Facts are it's a piece of shit.

Why does banking have anything to do with this?

Come on! What does your financial or even life-time properties have nothing to do with the little looking-harmless malwa... I mean program? =P

Its jobs are to record, keylog, capture private info that is related to your banking details and cause as much mayhem as possible to your systems. Here is the shittier thing: sophisticated banking malware infects all types of OS equally, so don't ever think Linux, BSD or OS X are safe havens for you, forever.

So is this Trojan comparable to a transformer?

Nope. Well, much worse than a comical 'transformer', also not like those transformers in the electric socket, duh!

'Why is it like that' is a magical phrase or question. A Trojan horse, unlike a traditional worm or virus, does not replicate itself. However, its defensive goals are to stay hidden and 'ninja' with... the Anti-Virus (AV) system as much as possible. Kill the guards, get the lambs. By 'ninja', I really mean with mayhem making and toying.

As a senior sec researcher myself although cyber virologist is my main field but I have encountered and even have the hands on source codes of one of the most powerful trojans ever. I tend to write my own version, think of it as a vaccine, for personal research.

What is the difference between a traditional trojan and a banking trojan?

The difference? You get nastier mayhem and more impressive ways to get infected by a banking trojan than by its original siblings.

Anatomy of a Banking Trojan:

1. Outer Contents - Purposes of the fake program such as anti-virus, malware cleaner, instant message, etc... up to illegal executable as keygen, cracktro, patch, ripper.

2. Inner Contents -

- Sensors - Port scanner, pinger, netcat (or similar), socat (or similar), procedural MD5/hash cracker, packet sniffer.

- Infections - HTML injector, JavaScript, PHP, Perl, SQL, ActionScript (take this mandog!)... drive-by download. Most famous attack ever, probably not really used in banking but for stealing emails: Operation Aurora by the Chinese via Google system and SQL drive-by attacks.

3. Where to?

- To system files and make various versions of itself - this is not replica, since it's prescripted not self-act. Usually stay at Assembly and register keys.

- To RAM, fuck yeah. I have successfully found a way to inject temporary macros into RAM to cause AV goes nuts. Perfect as hell.

- To BIOS.

- To your most precious place... private browser, email, user info? Download straight to the user of the trojans.

Now the worst part, Mayhem!

What could it cause? CPU high usage, RAM overload - stack-overflow, buffer overflow, unthinkable of unlimited way of message boxes, BSoD (classic!), Kernel panic (wait there Linux jerks!), random playing music, download more trojans, block your internet and... make you part of the botnet for future infections.

Most used and dangerous trojans:

Zeus kits - capable of p2p and bandwidth infection; Zeus holds the position of top banking exploit/trojan kit ever. Originally Russian-made, it was licensed for over $3000 per month to scammers, spammers and phishers. But now it has been made freely available. Open source really has its dark side...

Blackhole Exploit Kit - Made in Russia. Licensed for over $1000 but now has been made freely available. Holds the position of top most mayhem causing and second position of most dangerous banking trojan.

Koobface - Not really a banking trojan in general, however it spreads on Facebook systems. Creators arrested. Still in use.

SpyEye - license for $2300 on darknets. use dorks and queries powers to find vulnerable sites to inject itself. My harmless dork bots were written based on it. I'm not copycat at all, in fact I just used the concepts to take advantage on Google/Bing dorks. Like I said, for personal research.

Torpig, Crimeware, Clampi, URLZone...

Prevention?

No porn shit, especially xxx domains, avoid illegal contents at all costs. No shit like 'hacker' tools by Anonymous or Lulzsec, use at your own risk.

Why no helping me remove it?

I'm heartless bro. I tend to be pro-mayhem maker rather than a nice little tech guy try to help others. I only helped you by writing this post, publicly.

Good day. Another white paper, may be?


Posted by Wurfel-Waffles - March 19th, 2012


So I change my plan for future career. Contracts of my current job end soon, earliest probably this April. No more freezing and server crash headaches. No more insomnia.

I like this new career. It fits me perfectly. What's more happier to work for the government?

I'm not gonna stay in Iqaluit soon. There are 2 possible places for me to go since I have citizenship in both, United States or Germany. Either government agency or private intelligence. Doesn't matter.
___________

My second choice probably is private military. Stuff similar to Academi. I apply for ArmorGroup or probably Lupo Security (thanks to silencefreedom for the info). Former KSK 2nd Platoon member. Involved in Afghanistan.

Time to do some useful and serious matters.


Posted by Wurfel-Waffles - March 16th, 2012


I have been whining how bad was about the world around me for the last few posts. It's enough, for now. I may do Wireless Defence and Phishing later.

My music is open source.

You may think this is crazy. Or someone already has this idea already (OpenSourceMusic.com). I don't know what I'm doing. No one will care.

Well: This is fantastic. The operator of that site does not know the meaning of 'Open Source'; it's a fucking shame they used this holy phrase without knowing the meaning. I know exactly what I should do and people will care. Thing is, I'm not looking for exposure either.

Why are we doing this?

Recently silencefreedom just quit his memberships in BMI and ASCAP to protest on the ACTA/SOPA supports of those musical organizations. One night he came up on our midnight lounge of IRC and tell me: why doesn't music can be applied to freely sources just like software? Why are we having to chain to these rubbish laws? You can't win an army of pirates. Why not do something that help both sides: them and us?

Both of us, were once warez distributors and crackers. In fact I took part in cracking SecuROM while silencefreedom did Ubisoft DRM and iLok before we abandon the warez path. I understand the pains of both vendor/producer and customer.

We decide to turn words in to action: Our first Open Source Album - Genesis. (source notations and module files will be up within a few hrs, I have hard time with SF's MOD files)

You can: freely share, rip and copy unlimited time. Use in both commercial and non-commercial.

Best part and the reasons of Open Source: You can modify, sample, remix and remake. Just inform/PM either of us first. We stick to hard Open Source here.

What is Open Source?

There is quite a different ideas and facts between free and open source. Software has been using them for pretty long time, think about UNIX and Linux. GIMP instead of PS. Blender? Libre Office? Audacity? LMMS? Buzz? And tons of other tracker?

For source here you can think it has the same or similar meaning as root, core, basic, raw and genesis. In programming, an open source software is either a free or paid software that has its source code available for others to modify, view and update. Paid open source software such as ActiveState (Python, C, Perl...) and MySQL (ironically, MySQL becomes the most targeted lang by injection in the SQL family, ever!)

How does this 'Open Source' thingy relate to music?

In software, you must compile the source codes to able to use the packed/translated version of raw codes into machine codes.

In music, you need to render the notations, samples and pre-rendered arrangements into melodies of a track; in order to share the rendered audio file universally without the need for specified program to run.

There are far many free-to-use music than truly Open Source music. There are only a handful of truly Open Source music I have ever encountered.

Demoscene and warezscene are the only 2 official place for free and open source music to 'freely' distribute. We want that boundary to be broken and widen the reality.

Rules of Open Source:

We are with hard OS license here. You can modify, rip... whatever you can think of to do with our works, but you may need to credit or at least to inform us first.

We are going to do a few soft OS license albums later on. Which mean 100% anonymous, for us. Not little exposure. Nope!

Final words:

Silencefreedom is on his glorious way to become a film composer and conductor. He has 2 years left in Berklee. That bastard may do another master. In fact he actually did addition scores and arrangement for the latest sword-n-sandal 'Immortal'.

Me? I'm still a miserable system administrator who is a classic stalker, aka. enemy of any site I visited. I enjoy composing music too. My life may change later when I end my contracts with Husky Energy 2 years later. Where to next? I'm thinking of 3 paths:

- Penetrating tester -- cryptology-related. Good place for me since I'm a regular lurker. No mercy on bugs and sec holes.

- Self-employment programmer/software developer. I can travel and work, at the same time. Telecommuting solves the problem.

- Freelancer -- in both music and computer science. Freelancing in music composition, performance and producing. IT research, FUD, dark IT business tactic, grey data-mining, black intelligence, grey programming, black-box testing. I like my grey fedora better than the old white cap. Although I do like to have a black helmet on sometime, in my life.

Well, we both have the same wishes and ideology: To pursue our goals of transparent intellect properties, to have the freedom to read, write and execute intellect properties without chaining by laws, rubbish laws. We shall not betray the manifestos of freedom intellectual property.

chmod ugo=rwx ~/music

All user privileges are accessible. 777, bitches! Fuck ACTA.


Posted by Wurfel-Waffles - March 11th, 2012


If you are an IT enthusiast and mainstream-security maniac then you probably keep hearing news media boast nonstop about this and that security hole that has/hasn't been patched, Anon versus FBI, nonsense DDoS, defacement, MS vs Linux vs Apple, C vs Java for a secure lang and tons of retarded news that isn't much help.

The most stand-out topic is: which website or country has the best security system?

Recently, McAfee look-good lists of most secure country is pretty irrelevant. Yet I see many people believe it immediately.

Found 2 bugs on Finnish Sewer Control's SCADA servers yesterday that let me gain access to administration, easily. What is the password of the main admin user? Abc123-. Rooted in less than an hour with slight bruteforcing.

Another bug (generic SQL) on Bank of Finland site a week ago. Critical.

Paypal Canada's login data leak. Patched.

Israel Central Bank's website, 13 bugs ranged from XSS to traversal. Some patched, some not yet.

Eurasia login page, DOM XSS. Patched.
_________

I think whoever thought their whatever site is secure should stay humble and shut up about how secure you are. The more you rant about your own server the happier the attackers are, such as I was.

Be vigilant. Open wills. Be united. And shut your mouth about your security's proud. McAfee was getting paid to lie then I guess?

I think your site is not secure. Oops. I could mean anysite including Newgrounds, right now.


Posted by Wurfel-Waffles - March 9th, 2012


How the fuck does web ad work, Wolfos?

Yeah, I have heard enough people on the General forum whine and cry about ads popping up on their screens and sound ads. We all agree that advertisement helps to keep this site up and running. But why do some of you get the sound ads and some don't? This seems to be bothering everyone. So let me walk you through this myth just like Adam busted stuff in Mythbusters.

Now we get people defending the way the ads help Newgrounds make money. Sure! But absolutely none of you questioned how-the-fuck do those ads know which person to pop-up at the right place and right time? More professionally and straight way to say this is: How do the web ads track/stalk us in the shadow?

I love Newgrounds but I hate the Internet users, esp trolls like you, Wolfos. Wolfos please drop your bullcrap dream and I don't think you are good at trolling either. Think of this as a provocative post directed to your shits.

Oh wonder how many dollars does Newgrounds make from ads only per day, Wolfos?

1) Can't be a good guy...

Hell, I was thinking to prove it to people in an ethical way. But it can't be. In fact I can't prove how ads track users on Newgrounds site without re-demonstrating the way ad-bots work.

So most of my tools belong to the grey area. Google Search Engine, Firebug, Mozilla Web-dev Console and a few Perl/Python/PHP scripts. For the scripts just PM me.

I use my own account as a guinea pig for this demonstration.

2) Clickme I'm sounding & looking awesome!

I map out ads-bot automology with a research based upon the perspective areas that I can see clearly. However, it doesn't mean it is 100% accurate since my source is only based on a handful of famous ads-bots such as Google Analytics, AdSense and Bing spider. Yeah, you can 'assume' that most bots work these ways.

Appearance of an ads-bot:

= Ad's contents:

\\ Images, flash, audio, external URLs, texts, embedded scripts, etc.

Skeleton of an ads-bot:

= Data miners:

\\ Custom search engine setting - FYI you can custom what you want to search on the net (Ps. I'm talking 'bout G-Hack...)
\\ IP spoof > your ISP > region such as country or city.
\\ Session spoof > what are u doing currently? And more bonus shit. (check next section)
\\ Social engine search > looking for user's auto-logged in of social sites such as Facebook, Twitter, Digg, Reddit, etc... > what do you like?
\\ Cookie spoof > Probably for stuff above. This is an Easter Egg, check next section.

= Dark scripting:
\\ XST - Cross site tracking (IP/session/cookie spoof)
\\ MIM-XSS - Man-in-Middle Cross Site Scripting. Newgrounds is the 1st middle man. You are both target and 2nd MIM!
\\ DOM-XSS - Document Object Model XSS
\\ SQLi - Structured Query Language Injection
\\ Indirect/Direct Path Traversal
\\ MIM DoS/DDoS - Man-in-Middle (Distributed) Denial of Service. You are the temporary bot in the real time gigantic botnet. Happy dossing.

(Everything above is auto-scripted)

= Where to?

\\ Storage servers
\\ Ads-hosts' client servers (eh?)
\\ Government-linked servers (Based on tracking Bing spider, 20% of the backtracked links have crossed '.gov .mil' hosting servers. Check next section for demos)
\\ Bulletproof hosts
\\ Nothing-to-do-with-current hosts (found a bunch of .cn, .ru, .pl, .se domains that have nothing to do with actual game-ads server that located in US/Canada.)

3) I am lying.

Hell, people hate conspiracy-fags. Bunch of liars. However could what they said be true?

Act like an ads-bot:

So let's assume I'm an ads-bot that is searching for Waffle-lovers and my clients want me to advertise their top-class waffle prods. I want to search for a few basic things: target's favorite food, target's age/gender/culture-background(s) and target's real-time 'tag(s)'. Tag here, I mean 'keywords, cache and target's common/general activities'.

So how do I do these? I must have been scripted by some coder right? I'm an AI, of course.

How do I get the targets in the most efficient way with the most simplified algorithms? Hierarchies.

Here is a pseudo script of the hierarchies of a Waffle-lover hunt (don't compile this, it's made for only & only Waffle!):

find.any.target(target(null))

if target.food = true

switch(food) {

id(waffles|waffle|wafer|wafflel) = id(null) + remember(id(true))

id(db(food.any.waffleRelated(null))) = remember(id(true))

id(db(food.any(null))) = tempo.remember(id(loop))

}

else if target related.food = true

switch(related.food) {

id(related.food(waffles|waffle|wafer|wafflel)) = id(null) + remember(id(loop))

id(db(related.food.any.waffleRelated(null))) = remember(id(loop))

id(db(related.food.any(null))) = tempo.remember(id(loop))

}

else = false

This is how a transparent ad-bot works. If the id-variables appear to be true, contents will appear and some of you might get the Waffle songs too... MUAWAHAHA! ^.^

If loop, which means = semi-false, then I'll do another sweep. If false, I get the fuck out there...

Apply to region and background searches too.

e.g: target.region(country(city(ISP(loop.all)))) > target.background(culture(gender(age(loop.all)))) > target.food(input.what.iTyped.above.here)

Harvey Two-Faces:

No-tech is enough... by 'referencing'(stealing) other spider/crawler's DB... XD

Stuff like auto dork-search (inurl, filetype, site, "waffle" OR "waffles", ) (google, bing, yahoo, baidu, dogpile...), user-agent spoof, what-is-my-ip-address, stat-my-site, robtex, WebCrawler, pipl, people123, etc... combine with clever work-around scripts to counter NG's anti-crawler and All Your Base Are Belong To Us! =P

April Fool: This guy Marty's flash looks normal but http://www.newgrounds.com/lit/marty/intro.swf this is what this guy actually put on! (.swf exposed|non-inurl search but filetype)

Anyway, I'm not supposed to find user's stuff on dumping ground RIGHT? I thought they are private unless user share them!!!! /dump/ was disallowed! http://www.newgrounds.com/robots.txt

Also the rest of *Disallowed* dir are crawl-able too. No matter "/" or not. I used PHP script to crawl.

In the FAQ, it says "The only other people who have access to them are those who are given the URL for a particular file"

Eh?

Auto-generate/harvest header/usr-agent and auto-proxy-harvest scripts are no problem now. Of course my IP... or proxy IPs are everywhere on NG logs already.

Here is a cookie that id me:

NG_GG_username=Wurfel-Waffles; __utma=158261541.1059185036.1326839903.1331327578.1331329547.107; __utmz=158261541.1331329950.107.76.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=site%3Anewgrounds.com%20filetype%3Aswf; ng_adcode_country_id=3; vmkldu5I8m=50ed79279dda604b; vmk1du5l8m=f0de362eada46981; ng_user0=a%3A1%3A%7Bs%3A7%3A%22default%22%3Ba%3A0%3A%7B%7D%7D; __utmc=158261541; NGBBS_timestamp=1331321863; NGBBS_last_visit=1331321863; __utmb=158261541.4.10.1331329547

Yes, I did use Google dork site:newgrounds.com filetype:swf ... thing is, ads-bot got it too.

Here is when I logged out. Interestingly how Newgrounds store my current session and IP. Also, log anyshit I do that related to Newgrounds.com.

NG_GG_username=Wurfel-Waffles; __utma=158261541.1059185036.1326839903.1331327578.1331329547.107; __utmz=158261541.1331331239.107.78.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=site%3Anewgrounds.com%20document.cookie; ng_adcode_country_id=3; ng_user0=a%3A1%3A%7Bs%3A7%3A%22default%22%3Ba%3A0%3A%7B%7D%7D; __utmc=158261541; NGBBS_timestamp=1331321863; NGBBS_last_visit=1331321863; __utmb=158261541.7.10.1331329547

yeah, I did search for document.cookie and found stuff below.

Bots got it too...

Site admin's real time management is the only obstacle for ad-bot to deal with.

Easter Egg: Newgrounds Tank's ASCII art. Look awesome!

Why's so serious?

If ads-bot has access to general universal database, so why can't it have access to site vulnerabilities? Sites like PacketStormSecuritty.org | XSSed.com | OffensiveSecurity DB | etc... are great gold mines for auto-bots.

NG has an old forum/BBS database that is accessible by all types of crawlers n bots. Vulnerabilities found. Some have direct paths to the current site. This is a silver mine... and hey I did not use Web Archive!

There are tons of way to hide JavaScript DoS algorithms. Tons of way to hide a JS vul scanner.

To be continued...

Counter:

Cookie filtering, JS disable/filtering, proxy, user-agent/header generator... in the end it all sums up to hiding your real-life info.

To be concluded...
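
What the `__utma` and `__utmz` values in the first cookie above give away, together with the "cookie filtering" counter, as an added example (not one of the author's scripts). It assumes the classic Google Analytics ga.js cookie layout; the function names are made up for this illustration.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Cookie header quoted in the post (wrap-induced spaces removed; the opaque
# vmk* values, ng_user0 and the forum timestamps are left out for brevity).
COOKIE = (
    "NG_GG_username=Wurfel-Waffles; "
    "__utma=158261541.1059185036.1326839903.1331327578.1331329547.107; "
    "__utmz=158261541.1331329950.107.76.utmcsr=google|utmccn=(organic)|"
    "utmcmd=organic|utmctr=site%3Anewgrounds.com%20filetype%3Aswf; "
    "ng_adcode_country_id=3; "
    "__utmb=158261541.4.10.1331329547"
)


def parse_cookie_header(header):
    """Split a Cookie header into {name: value}; values may contain '='."""
    jar = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def _utc(ts):
    """Unix seconds -> ISO 8601 UTC string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def decode_utma(value):
    """__utma: domain hash, visitor id, first/previous/current visit, sessions."""
    _, visitor, first, prev, cur, sessions = value.split(".")
    return {
        "visitor_id": visitor,          # stable pseudonymous id for this browser
        "first_visit": _utc(first),
        "previous_visit": _utc(prev),
        "current_visit": _utc(cur),
        "session_count": int(sessions),
    }


def decode_utmz(value):
    """__utmz: domain hash, set time, session no., campaign no., then k=v|k=v."""
    # maxsplit=4 keeps dots inside the campaign data (e.g. "newgrounds.com").
    _, ts, session_no, campaign_no, campaign = value.split(".", 4)
    out = {
        "set_at": _utc(ts),
        "session_no": int(session_no),
        "campaign_no": int(campaign_no),
    }
    for field in campaign.split("|"):
        key, _, val = field.partition("=")
        out[key] = unquote(val)         # utmctr holds the search terms typed
    return out


def filter_tracking(header, prefixes=("__utm",)):
    """Cookie filtering: rebuild the header without the analytics cookies."""
    jar = parse_cookie_header(header)
    return "; ".join(
        f"{name}={value}"
        for name, value in jar.items()
        if not name.startswith(prefixes)
    )


if __name__ == "__main__":
    jar = parse_cookie_header(COOKIE)
    print("visitor :", decode_utma(jar["__utma"]))
    print("referral:", decode_utmz(jar["__utmz"]))
    print("filtered:", filter_tracking(COOKIE))
```
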


Posted by Wurfel-Waffles - March 8th, 2012


Gosh, 3 of our server hubs crashed yesterday. SCADA is a bad mix with Microsoft IIS. I saved the data and most of the logs by avoiding cold reboot.

One of the oil well's control station got malfunctioned and repetitively sending mass amounts of crash log to one of our server. It was a fucking chain reaction when IIS servers refused to counter overrode data. Human error when setting up the servers. Turned out to be a catastrophe.

And NOW, I have to sit here and write a bunch of fucking observational reports and analysis papers that probably will end up more than 2 dozens of page (I'm on pg. 14...) because the lead sysadmin is on his fucking break! Goddamn it, I saved the day and now I have to do these??

Hell, it isn't even my shift now. I didn't sleep yet for 1 and a half day. 5th cup of coffee so far. I'm fucking tired and decide to take a break to release some of my stress out.

So my stress releaser ends up to be 4Chan, NG forums and Slashdot...
_____________

Edit: Another day as a miserable system administrator...
_____________

Edit: I don't wanna die here. Page 29 now. I think I can't feel my fingers anymore. And I don't know why the fuck do I keep complaining this shit.
_____________

DONE! NO MORE STUFF TO DO. I GET OUT OF HERE JOE. YOU MF!


Posted by Wurfel-Waffles - March 7th, 2012


Back, you fucker. I'm not that dumb to not to realize you use 1337 words to replace my psswd. How is like to feel be paid back?

Oh yeah. Nice try. Now I paid you $0. It's even!

next time put a stronger password.