Sep 15, 08
To provide free access to knowledge and data with the goal of empowering people.. or more melodramatically: “Power to the People!”
Why the name AskApache? AskApache was chosen to show and pay respect to the contributors of the Apache Web Server. Literally it means to ask Apache when facing a problem, by searching the Open-Source, contacting a board/list, or browsing the documentation.
I work for a multimedia production / brand development & marketing company here in Indianapolis, the greatest city in the world! I started this blog in Dec., ‘06 to familiarize myself with WordPress as a blogging platform among other things for my job. I help expand/create a growing company’s market-share online (and offline) by managing and building the brand and developing high-quality leads and loyal customers by building online funnels fed by SEO traffic and on/offline marketing campaigns. Other than the design and development costs for our minimum 12 month contract, we operate using a gain-share formula where we receive a percentage of the increased revenue that results from our services. This translates to fanatical attention to improving the bottom-line, and focus on long-term sustainable growth and overall success.
I started on MS-DOS, then Windows 2.11 (released 1989), and learned BASIC for my first language. I frequented BBS’s for a while before the “Internet Browser” became available.. meaning I would use term and super slow modem connection.
Most people like me who were lucky enough to discover the Internet (gopher, ftp, etc.) at the time when you could only surf the web using text-based tools were also lucky to learn a lot of great security information that was freely shared all over the world by various hackers and groups.
From those early days on I was heavily involved in the security research scene, mostly networking security, then server/application security. I know quite a bit about the malicious activities one hears about from time to time, but other than learning how they work and how to execute them (against a test system mostly) I stayed away from cracking.
Of course back in those days I would occasionally create a virus or trojan but just for fun and not for exportation. Does anyone else remember all those automatic virus creation tools that came out once Windows 95 was released? Haha those old progs rock!
Around the turn of the Millennium I worked for a small Internet Service Provider. I learned how to wire buildings, houses, and the networking devices required by the ISP to connect to the backbone and customers. My boss’s previous job was for the US Military, and all he could tell me about his work there was that it was top-secret cryptography work. I learned a lot about OS security and Network Security while working there.
The coolest thing about working for an ISP was learning about the Networking and Administrative capabilities and requirements specific to ISP’s.. I learned how to set up, operate, debug, and admin switches, hubs, routers, servers, backup systems, ISDN connects, etc..
Working at the ISP opened my eyes to the power of BSD/Unix, and I’ve spent almost a decade using hundreds of Linux distros and all BSD flavors. My favorite Linux distros are Arch Linux, BackTrack 4, Gentoo, Ubuntu, and Slackware, in that order. I love Debian. I run OpenBSD 24/7 but I also always like to have 1 computer running FreeBSD for “fun.”
For a longgg time I was planning on going to school for an advanced network security degree, available at only a couple of colleges in the whole country. So I took all the networking/computer courses available at my college, and I even managed to convince the Department Head to allow me to skip all pre-requisites for any CIS courses and enrolled as a freshman in the advanced classes.
I was immediately frustrated with the curriculum, none of it was challenging or new… it was just the same boring path towards a degree :(. So I kept the books, ditched class for a couple years, and went into business for myself doing freelance custom security audits for organizations and interested parties. That allowed me to spend my time hacking and educating myself, and paid the rent in my one-bedroom apartment.
For about 5 years I helped small but very privacy-conscious organizations identify exploits in their operations and policies.. Basically I hacked until I got in or got fired.. A couple times I got root the same day I started the initial recon, but those were ALL Windows machines run by amateurs so it doesn’t really count..
Most of the time it would take several weeks or months of mapping.. probing.. reading.. reading.. reading.. and packet-crafting before I had to give up on what I think of as the Technical phase of an operation. I was unsuccessful many, many times at this phase, but rarely unsuccessful after the second phase, which is where I would utilize sneaky social engineering.
One technique that worked extremely well was to spoof an email from some service company used by the target organization to an employee’s email account and immediately call that employee and walk them through opening the email and unknowingly installing my customized trojan. The customized trojans were really devious and really really cool. These were the precursors to the IRC botnet virii. Once I had the trojan installed I could generally get to any computer on the network within a day or two.
While I was a security consultant I was basically a Jack-of-all-trades kind of resource. The audits I performed were incredibly lengthy and all were done remotely. Meaning that I wasn’t going to visit your organization and run diagnostics and security scanners on your internal network, I would literally insist that my clients only provide me with a public facing node, mostly a domain/server address.
This allowed me to perform the audit the same way that a real hacker would, which was a methodology I had used for several years and was comfortable with. The goal with every audit was to systematically look for vulnerabilities or misconfigurations that when exploited would provide me with root access to the internal/external network of the organization.
Most of the exploits that I used to gain access were application-level vulnerabilities like sendmail, ssh, phpBB, shopping carts, etc.. Nothing very advanced, just a lot of research and testing.
Once I achieved access (a few times I was totally unsuccessful) and outlined how I did it and/or how to fix the vulnerabilities I was basically done. More often than not my clients would be pretty happy about my services and would ask me to do other misc. work.
I was involved in securing and locking down many web applications like phpBB, Joomla, Shopping carts, etc.. and also was hired to set up or re-configure servers and software to be more secure.
A lot of my clients would want to hire me to provide information about someone. I would be enlisted to trace and locate various entities, such as:
I became pretty proficient at being able to identify, find, and locate anyone using the Internet for communication. For example, many times a client would locate some private information that wasn’t supposed to be public posted anonymously on some forum or message board or email. I was very successful at this, and I don’t think I ever failed to trace the owner of an email account. This activity got me involved with honeypots and honeynets, among other tracking tech.
So I was all fired up to get my Masters degree from the best school in the country and that degree would guarantee me a good job in a field I absolutely love, but around 2006 I switched.
Ok so in the security world, everybody knows that Governments have the best toys, the secret technology, carte blanche for its employees, basically everything on my “Top 10” list. But most people also know that the Government doesn’t pay very well and there are some personal security concerns that crop up when working for a Superpower. I disdain money.. To me it’s an invention someone came up with a long time ago, and I won’t let the economic vultures steal my dreams.
After graduation I was interested in working for the US Air Force, which has some of the highest tech in the world, or for an intelligence-related government agency. I am not that into cryptography, so the NSA didn’t look like a good fit. Today there are dozens of Government computer security agencies and groups, and most of the major nations are building the armies of the future cyber wars today and have been for years. Some big players: China, U.S., Soviet-Union Countries, N. Korea, Italy, France, Japan, and Germany.
Of course security means constant never-ending research, and I had been researching the possible ways of exploiting a system’s security by hijacking the boot-up process. Mostly this requires physical access, such as plugging in a USB drive, CD, serial line, etc.. But I was also learning about the boot process that networking devices like switches and routers execute. Many of these devices automatically look for configuration files, operating-system upgrades, or boot files on their network while booting up, and to make a long subject short by using some network hacking you could talk to these devices and provide them with modified files, effectively taking over the device.
For regular computers I was learning about the various boot loaders used by the different operating systems like Windows, BSD, Linux, etc.. (think grub, lilo, etc.). The exciting thing I learned was that all these OS’s that can be booted from a floppy or CD basically can write data directly to specific areas on the actual root drive…
During my research of the various OS’s boot process (from when you turn on the machine to when the operating system starts) I learned a lot about rootkit technology.. kernel-level rootkits interested me and led me to some very dangerous areas on the net. At this point I was surfing the web from a Linux machine using a VMWare Virtual workstation for extra protection. That machine’s internet connection came through a customized OpenBSD Machine that was running Snort for Intrusion Detection and IPTables – a fully stateful firewall. That firewall was connected to the net through an additional Stateful firewall/router. So I was being very very careful to avoid getting cracked.
I won’t divulge what exactly I was researching, but I discovered an incredible resource of information on some security topics that I had never before (or since) seen. The day after I found this site my VMware workstation was rooted, my underlying Linux operating system was rooted, and my firewall/IDS was rooted. Luckily I had configured an older 3rd machine as a syslog server and cut the TX wires so it was invisible, and that’s how I discovered the intrusion. All I will say about it is that the intrusion was so sophisticated and the attacker’s tracks so well covered that I took out all the hard-drives and put them in storage so I could examine them in a few years with better tools and hopefully I can discover the methods used by the attacker and maybe discover where they came from. Needless to say, I was out of my league and someone was watching me.
So I had spent all those years learning about the vulnerabilities of various software and hardware, and then learning how to fix and correctly setup and run them. I already knew html, javascript, basic perl/php/shell-scripting, and I was experienced at running and administrating web servers at this point, so when one of my clients called me late on a Friday and begged me to help them build a website due on Monday I decided to give it a shot.
OWWW! That’s me howling in pain when I recall that weekend of web design hell. I built the whole site using Microsoft Frontpage, something which should be outlawed, and not knowing much about CSS I built the whole 4 page site using HTML tables.
The site was completed on time and opened my eyes to the endless possibilities of web development. I spent the next year trying to MASTER CSS and best-practice standards-based coding, then I learned more about Ajax and javascript, and also started using server-side programming quite a bit.
My first 10 or so websites were each drastically better than the last, and all of them were created by hand in code without templates of any kind. A good 15+ page site would take me about 3 weeks to 5 weeks to complete back then, now I build online presences designed to increase the client’s bottom line. This includes everything and anything our client wants and to start we do a 1 year contract, it takes a lot of time and effort over a long period to really achieve greater market share (leads) using the web in high-competition markets. I tell the sales/marketing people who work with me to tell the clients that we can do anything, because we pretty much can. I’m just so thrilled at how easy all this web development stuff is compared to the security stuff… It’s night and day and I’m really enjoying myself.
Every once in a while I come across a project that is so indescribably great that I decide to help out by mirroring and contributing to the content.
Google if you are reading this, I’m willing to relocate. ;) Microsoft, no thanks.
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
I LOVE the “Ideal Candidates” section…
wow.. great experiences.. and many skill..
I thoroughly enjoyed reading about your experiences presented on http://www.askapache.com/about/
Thanks.
Hanon Sinay
It's very simple - you read the protocol and write the code. -Bill Joy
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. HTTPD based on NCSA HTTPd
I love reading your about me page. Neatly arranged.