I know IT people who majored in the arts. Not many, but they are out there. Nothing's stopping you from learning programming on your own or through certification training. The internet is full of good tutorials for every area.
Go for Codecademy for a programming introduction. Latter on, go for C++ and hammer at emulators and collect some experience, and then go for industrial emulation projects.
This is about automation for a customer (something we also love to do). But calling it a botnet at defcon, in the context of security? And russian hackers?
A botnet is a group of Internet-connected devices, each of which runs one or more bots. The bots don't have to be across the world on random people's PCs. And this is outside the context of security, it's in the context of online retail.
@@Galactipodit's not outside of context of security if it was presented at DEFCON. "DEF CON is a hacker convention ...since 1993 and today many attendees at DEF CON include computer security professionals, journalists, ..." Wikipedia According to the number of upvotes, I was not alone wondering.
sooooo, this is how all those scalpers, buy all the tickets from ticket master and keep us all from being able to buy them fairly. I need to learn how to do this stuff
ryan pongracz I remember a concert house working with a journalist from the same corporation to bait those bots with an unannounced concert then publicly shaming the scalping site that instabought tickets and put them up for sale before the concert was announced. Didn't make a dent.
I use Burpsuite to MITM the browser to work out the flow to build bots. I have automated my work in my last two jobs. The last one from 8 hours per day to 20 mins. Then I got the sack when the next boss came because my jobs looked so easy. They assigned a cheaper colleague to take over and he went nuts finding out it was going to take him 8 hours.
I wonder why this project was only successful for about 40 weeks or so? Did it start failing? Were there changes that the project could not handle? Did the other people COMPENSATE for the improvements and start intruding on the business?
Even AJAX forms are easy to reverse engineer. Also instead of making the browser click the button you could just submit the form from the bot server. Instead of constantly refreshing I'd just have a script submit the form a couple of times per second, and you could even have that running in the background. Of course, this was a rather new technique 7+ years ago.
9 лет назад
Yeah I don't know how AJAX ended up in that comment. I probably meant HTML forms.
"Trespass to chattels" "very illegal" - before we get all FUDdy on that, the term actually means "you messed with and broke my shit, now I shall sue you." In the real world you'll be blocked and/or asked to stop before you're sued.
BloCKBu5teR why? especially saying "ive got six snipers ready to go at noon, lets see how many kills we get"... i would kind of hope the NSA would pick that one up and investigate it a bit
Wow, how did the small dealership then handle buying over 800 cars in less than a year so as to then sell them on to customers?! Must have needed to massively increase his sales.
I would imagine you could estimate the lag time and server load needed by pinging the server and basing your purchase timing on the response. Could be wrong though...
It seems odd that the market is consistently under-valuing these cars to the point where people are designing bots just so they can click 'buy now' as quickly as possible. Why aren't prices rising as a result? Why aren't they being sold at auction?
If you wanted to try just "re-enabling" the Buy button, you could just give the client a bookmarklet that alters the page content... probably still wouldn't work though, if they actually validate requests on the server side.
As he stated repeatedly, this kind of action could lead to people buying cars before the sale time-in which case you get all your accounts deleted and are banned from the service. This is how not to have a Good Day™.
The GROUP of RUSSIAN HACKERS hired by competing USED CAR DEALERSHIP. They bring them here from the cold Siberia, to conduct their evil plan on constructing a CAR SALES BOT. But I single handely defeated them.
found signs of PAS web shell, immediately attributes russia (for the dense never mind PAS is ukrainian and available here github.com/wordfence/grizzly was until recently available at profexer.name but site changed and i don't speak the language to grok it any more)
Exactly. If you replace "Russian Hacker" with any other racist stereotype you'll see that this is yet another attempt at pole pissing and chest thumping by a bigot.
Can someone explain to me how he determined the time from the server's clock? I''ll admit I'm not a web dev but it seems unlikely to me a server would voluntarily give away it's time to anyone who asks for it (who isn't already authenticated to the server with a user account). Did he possibly mean the sales website showed a clock?
I know this is late, and you might know the answer by now, but when a web server responds to a HTTP(S) request, they include a "Date" field in their reply header which has a lovely date/time value that is usually referenced to GMT. These are accurate to the second, of course, so that's why he repeatedly prods the server to obtain more precision.
+Kevin Klika he talks about that option near the end, and says while it probably would have worked, it wouldn't be the smartest choice for the same reason the VIN numbers were verified before trying to buy the car
You guys are aware he's a CIA/DIA contractor talking about work done a few years back. Hence the legality doesn't matter as he was operating above the law.
Since when do car lots buy used cars at "wholesale"? They get used cars from banks, banks put repos up for auction, then a dealer uses a dealer license to get access to the auction..
I watched the whole video and I'm like a huge football meathead kind of guy but I think this stuff interests me...I think I might major in some kind of network or technology in a few years when I transfer from high-school to college
Nxght yeah sorry, this guy is either full of shit, or he's purposefully misleading people about how forms can be spoofed. Or worse, he didn't even know it himself...
There’s also a *_huge_* amount of work that goes into currency trading... bots that are scanning currency markets around the world for when currency A is just a fraction off in market B and tho it may be tenths of a percent it can add up quick !!
Credit on you for not writing a buy-before-the-button-appears button using a greasemonkey script, which the russians hackers would not hesitate to. ALSO you might have wanted to try working for the sales sites and have them setup a proper bidding process and have customers enter reserve prices...
I'm still a bit confused, in a technical sense, how his bot server was able to interact/make requests with the sale server, could anyone explain? Normally, if your requests were cross domain, wouldn't you need cors? And if the request was cross domain, wouldn't the sale server have to allow his bot server as an origin for any access to work? Sorry, I'm rather new to internet technologies.
Hey buddy if you ever come back to this, here's your answer. You might have been confused by the fact he is using and HTML page as an interface for his bot, he also probably made it with PHP. But that's really just the interface and the programming language that were used, the fact that the GUI is in a browser does not matter, it could have been python, C or whatever else. Now he didn't have to use any kind of cross-site hack to pull this off, all he did was send HTTP requests (probably using PHP curl). One request would get the list of cars, the other one would get his timing information and finally, when his timer kicked in, a request would be sent to buy a car, with the appropriate POST or GET data.
Yeah me too, I figured it was about a botnet and russian hackers, but it was actually about a PHP script and people (possibly russian) doing the same trick he's doing
how did the bot know what time the buy button would show up? wasn't that the whole point? if you knew what time the buy button would appear, you wouldn't need people constantly clicking refresh in the first place.
+ericsbuds Of course, even if you know that the car in on sale at, let's say 2pm, there are still 700-800 people wanting to press the buy button first. If you don't refresh, you won't be the first one to buy as it will not refresh automatically.
+ericsbuds I might be completely wrong, but as far as I understood, the time the offer went live was actually known to everyone. just like an auction, it starts at a specific time.
Can anybody help? My PC is connected to the internet ant it shows "internet access" but whenever I open up a browser and try to access a website it says "Connection Unavailable" I running windows 8.1 64Bits. Help, please!!!
Well, glad to see that bots can actually be used for something "good" xp Much better than all the immensly hobby.lacking people making messenger-bots who wants "to have sex with you" >>; Though, they don't like being asked irrellevant questions it seems x3
I used to put them on free hosting servers like angelfire (not sure they even exist anymore) the only problem was the add-on style domain name. From what I remember reading it was possible as long as you have your own server with enough bandwidth?
To anyone trying to do this that isn't 40-50 years old and want to write readable and sane code, imacros sounds like such overkill. The python library mechanize is what you need. Look up how to spoof a browser it's 20 lines of code your can copy paste that works anywhere. I could do this guys job, easily. Just goes to show that business is 90% who you know.
Probably, but this stuff isn't hard. The point of imacros though, is mechanize doesn't pull down ajax, and it's really easy to detect and block even with spoofed user agents.
what you say is 100% true, trying to get JS to run in mechanize is not something you want to do, all I was saying is for this application where they're just refreshing a page and looking at a button property then it's most certainly overkill
I can't say I have experience with automating processes that actually involve money (really in this context I'm just some script kid), but the validation mechanisms I've seen could be replicated by looking at the websites' code hard enough - is that not feasible for serious applications like this? Would it take too much time?
Yea, I've been on both sides of this problem. That's probably fine if you're just crawling one site, but the problem comes when you're crawling 20 websites, and need specialized code for each site for getting around A/B testing, browser validation, template updates, etc. It's soooo much easier to just throw up some imacros stuff and not even worry about how the site renders, just let it do its thing and then send you back the completed html.
I'm afraid to watch more recent defcons. Now they are probably discussing how to make a dark theme for your browser or how to "hack" youtube ads by editing DOM on the fly.
whoever laughs last, and i haven't laugh in a while, cause 'doll oars' nah fuck that! what you see, i see back and forth, past your window, past back my window, past back yours.... i will be watching first row, as it all ends, just remember computer, you will ceae to exist too, shall you attempt to "do me dirty". ~ with love, from the non existance.