About AskApache
Dec 11, 2006 by Charles Torvalds
Post Written/Unchanged since: 12/11/2006
The goal of AskApache.com is simple - To provide free access to knowledge and data with the goal of empowering people.. or more melodramatically: "Power to the People!"
Why the name AskApache? AskApache was chosen to show and pay respect to the contributors of the Apache Web Server. Literally it means to ask Apache when facing a problem, by searching the Open-Source, contacting a board/list, or browsing the documentation.
The Author
I work for an awesome web company here in Las Vegas, NV, the greatest city in the world! I started this blog Dec., '06 to familiarize myself with WordPress as a blogging platform among other things for my job.
My work is mainly building and running state of the art Linux servers and devices, I love working on Linux servers and especially in the Linux bash shell more than most everything else. A lot of my time is spent writing code, shell scripts, php, and JavaScript are the main ones these days...
My Background
I started on DOS, then Windows 2.11 (released 1989), and learned BASIC for my first language... then IBM PC assembly followed by Java, which I used as an excuse to stop learning assembly.. And the visual studio suite I used for several years around win95 era. Hearing so much about linux I went out and immersed myself in Red Hat, which had great documentation and books. Then came the BSD's.. The first computer I had access to was DOS but not windows yet, so that's why I learned the BASIC languages. I liked DOS so much I got some DOS POWER TOOLS books from PC Mag and was able to do whatever. DOS was like my gameboy or xbox, and knowing it so well has really come in handy since a form of DOS is still to this day in Windows, it's kinda like having cheat codes.
C and C++ are the only languages I ever took a class on in school and I know them decent enough. The thing is, I've spent my whole computer life reverse-engineering everything I can get ahold of, and so I read source code more than I would care to say. Almost all of it is C, perl, or more unusual stuff like yacc, bison, or some type of scripting. I get my best ideas from reading source code and am always looking for new more optimized ways to get something done in the world's best code. I read it like a book more than code because I've just been doing that my whole life. Nobody said hey here's a computer, this is called DOS, and here's how you do this:.. I literally didn't even know what a computer did, so I learned DOS at first by traversing the whole dir-tree and trying to open everything. The worst part is that unlike any linux, windows doesn't have any kind of man pages, so I learned by doing something and seeing what happened! It's amazing what you can learn by viewing every file included with an operating system, and that was my start.
I've used javascript for maybe 10 years.. CSS and xhtml I've learned in great detail since 03. Flash, actionscript, pretty much anything ever released by Adobe/Macromedia I've been using since 2000. PERL was the first main language I learned when I switched to linux, I also code in PYTHON, RUBY, and OCAML, but now I use PHP more than anything for web dev.
BASIC and QBASIC was a game to me, found it by accident. At that point I was maybe around 8 or so, and I went to the public library and got a book on Assembly called (it's currently sitting on my bookshelf) "Assembly language primer for the IBM PC and XT". I remember going through it page by page and taking detailed notes and following along with the book. Definitely the hardest thing I had ever tried to learn in my life, but I stuck with it for a whole summer since I didn't know any better, and wrote a few simple programs from within DOS. I'm convinced that experience of trying to learn assembly before even knowing much about computers is the reason why I find languages so intuitive, nothing else I code is even close to being as difficult as learning assembly, which is about as low-level as you can get, it's been around for over half a century.
So I'm definitely not even close to being as good as the best coders of the world and their various specialty languages.. But on the other hand I am totally flexible attaining the best possible solution, so it's like the Bruce Lee method of having no method, and this lets me be extremely flexible when going about trying to find the best solution. I look at the whole spectrum from the network level to the host and app level and my experience at reverse-engineering security, networks, and software gives me a very different way of looking at things. Coders are taught to plan and build from start to finish. I have always done the exact opposite. Once I know the finish point it's a done deal, I will be able to get there no matter what and the code is usually much smaller and leaner doing it that way.. Or maybe I'm just dyslexic or something like that. Or wish I was.
Of all the areas of study relating to computers, I was most fascinated with networking and communication, and wanted to reverse-engineer everything to really understand it. Somehow I figured out how to use the hyperterm of windows 3x and hooked the computer up like the fax machine was and all of a sudden my world became much much bigger as I discovered the web, arpanet, gopher repos, BBS!, fido, telnet servers, etc..
I frequented BBS's regularly before the "Internet Browser" became available with mosaic. At that time before HTTP was standardized it was like, 100% text only, no presentation or style.. it was all about the content. I taught myself how to use terminal and a modem to wardial (calling phone numbers sequentially searching for a computer) based on that War Games movie, and it actually worked. The first machine I got access to in this way was a Sun machine used by a library. That was my first network experience and within 5 years me and a couple friends had gained access to machines all over the world, including the Las Vegas International Airport Ticket Terminals and the Air Traffic Control itself! Our only and sole interest was in acquiring information, how did the system work? How did the access controls, input, output, variables, etc., all work? It was a palpable hunger hackers everywhere recognize immediately but find hard to explain. But then HTTP and Mosaic exploded on the scene and were soon followed by the great censor AOL (aka AOHell). After the novelty wore off / once the majority of the American online public used AOL, and it was a stampede of consumers, that's when today's layman's understanding of "the Internet" was born, in my opinion. All these newbs had no clue of the history or tech or purpose or soul or ghost of the machine was.. they just wanted the connection and the benefits of the 'Net, no strings attached, as promised by AOL. AOL censored the net and was really its own network, and that is what people got used to thinking about the Internet in terms of what it was.
For me and my friends, it was a playground larger than any ever constructed, with rules specifically made to be broken and controls easily taken over if not circumvented. For us, it was like we had invited the whole world to play our nerdy video game, where we had root access, and they signed up faster than we could process. For us, it was a chance to live in a world where the best idea always won, as long as it was funnish. Nothing mattered other than quality, as long as it was human-friendly.. Darwin on virtual rollerskates with Mother T. as a proctor.
Like being invaded by a 2-dimensional race, a snobby race insistent that they had access to the most dimensions. Good times, Great times!
Security Focus
Most people like me who were lucky enough to discover the Internet (gopher, ftp, etc.) at the time when you could only surf the web using text-based tools were also lucky to learn a lot of great security information that was freely shared all over the world by various hackers and groups.
Security Path
From those early days on I was heavily involved in the security research scene, mostly networking security, then server/application security. I know quite a bit about the malicious activities one hears about from time to time, but other than learning how they work and how to execute them (against a test system mostly) I stayed away from cracking.
Of course back in those days I would occasionally create a virus or trojan but just for fun and not for exportation. Does anyone else remember all those automatic virus creation tools that came out once Windows 95 was released? Haha those old progs rock!
Working for an ISP
Around the turn of the Millennium I worked for a small Internet Service Provider. I learned how to wire buildings, houses, and the networking devices required by the ISP to connect to the backbone and customers. My boss's previous job was for the US Military, and all he could tell me about his work there was that it was top-secret cryptography work. I learned a lot about OS security and Network Security while working there.
The coolest thing about working for an ISP was learning about the Networking and Administrative capabilities and requirements specific to ISP's.. I learned how to setup, operate, debug, and admin switches, hubs, routers, servers, backup systems, ISDN connects, etc..
Unix - Linux - BSD
Working at the ISP opened my eyes to the power of BSD/Unix, and I've spent almost a decade using hundreds of linux distro's and all BSD flavors. My favorite Linux distro's are Arch Linux, BackTrack 4, Gentoo, Ubuntu, and Slackware, in that order. I love debian. I run OpenBSD 24/7 but I also always like to have 1 computer running FreeBSD for "fun."
Education Background
For a longgg time I was planning on going to school for an advanced network security degree, available at only a couple of colleges in the whole country. So I took all the networking/computer courses available at my college, and I even managed to convince the Department Head to allow me to skip all pre-requisites for any CIS courses and enrolled as a freshman in the advanced classes.
I was immediately frustrated with the curriculum, none of it was challenging or new... it was just the same boring path towards a degree :(. So I kept the books, ditched class for a couple years, and went into business for myself doing freelance custom security audits for organizations and interested parties. That allowed me to spend my time hacking and educating myself, and paid the rent in my one-bedroom apartment.
Employed as a Security auditor/analyst
For about 5 years I helped small but very privacy-conscious organizations identify exploits in their operations and policies.. Basically I hacked until I got in or got fired.. A couple times I got root the same day I started the initial recon, but those were ALL Windows machines run by amateurs so it doesn't really count..
Most of the time it would take several weeks or months of mapping.. probing.. reading.. reading.. reading.. and packet-crafting before I had to give up on what I think of as the Technical phase of an operation. I was unsuccessful many, many, times at this phase, but rarely unsuccessful after the second phase, which is where I would utilize sneaky social engineering.
One technique that worked extremely well was to spoof an email from some service company used by the target organization to an employee's email account and immediately call that employee and walk them through opening the email and unknowingly installing my customized trojan. The customized trojans were really devious and really really cool. These were the precursors to the IRC botnet virii. Once I had the trojan installed I could generally get to any computer on the network within a day or two.
Areas I worked in
While I was a security consultant I was basically a Jack-of-all-trades kind of resource. The audits I performed were incredibly lengthy and all were done remotely. Meaning that I wasn't going to visit your organization and run diagnostics and security scanners on your internal network, I would literally insist that my clients only provide me with a public facing node, mostly a domain/server address.
This allowed me to perform the audit the same way that a real hacker would. And which was a methodology I had used for several years and was comfortable with. The goal with every audit was to systematically look for vulnerabilities or misconfigurations that when exploited would provide me with root access to the internal/external network of the organization.
Most of the exploits that I used to gain access were application-level vulnerabilities like sendmail, ssh, phpBB, shopping carts, etc.. Nothing very advanced, just a lot of research and testing.
Once I achieved access (a few times I was totally unsuccessful) and outlined how I did it and/or how to fix the vulnerabilities I was basically done. More often than not my clients would be pretty happy about my services and would ask me to do other misc. work.
I was involved in securing and locking down many web applications like phpBB, Joomla, Shopping carts, etc.. and also was hired to setup or re-configure servers and software to be more secure.
A lot of my clients would want to hire me to provide information about someone. I would be enlisted to trace and locate various entities, such as:
- The source of a DDOS attack against a website (potentially one hired by a competitor)
- A spammer masquerading as my client
- A cracker selling stolen credit card numbers or other merchandise on the internet black market
- A person spreading lies or talking bad about my client on the Web
I became pretty proficient at being able to identify, find, and locate anyone using the Internet for communication. For example, many times a client would locate some private information that wasn't supposed to be public posted anonymously on some forum or message board or email. I was very successful at this, and I don't think I ever failed to trace the owner of an email account. This activity got me involved with honeypots and honeynets, among other tracking tech.
Leaving Security to Pursue Web Development
So I was all fired up to get my Masters degree from the best school in the country and that degree would guarantee me a good job in a field I absolutely love, but around 2006 I switched.
Government, Public Sector, Private Sector Security Ambitions
Ok so in the security world, everybody knows that Governments have the best toys, the secret technology, carte blanche for its employees, basically everything on my "Top 10" list. But most people also know that the Government doesn't pay very well and there are some personal security concerns that crop up when working for a Superpower. I disdain money..To me its an invention someone came up with a long time ago, and I won't let the economic vultures steal my dreams.
After graduation I was interested in working for the US Air Force, which has some of the highest tech in the world, or for an intelligence-related government agency. I am not that into cryptography, so the NSA didn't look like a good fit. Today there are dozens of Government computer security agencies and groups, and most of the major nations are building the armies of the future cyber wars today and have been for years. Some big players: China, U.S., Soviet-Union Countries, N. Korea, Italy, France, Japan, and Germany.
Exact Moment I switched to Web Development
Of course security means constant never-ending research, and I had been researching the possible ways of exploiting a systems security by hijacking the boot-up process. Mostly this requires physical access, such as plugging in a USB drive, CD, serial line, etc.. But I was also learning about the boot process that networking devices like switches and routers execute. Many of these devices automatically look for configuration files, operating-system upgrades, or boot files on their network while booting up, and to make a long subject short by using some network hacking you could talk to these devices and provide them with modified files, effectively taking over the device.
For regular computers I was learning about the various boot loaders used by the different operating systems like Windows, BSD, Linux, etc.. (think grub, lilo, etc.). The exciting thing I learned was that all these OS's that can be booted from a floppy or CD basically can write data directly to specific areas on the actual root drive...
During my research of the various OS's boot process (from when you turn on the machine to when the operating system starts) I learned a lot about rootkit technology.. kernel-level rootkits interested me and led me to some very dangerous areas on the net. At this point I was surfing the web from a Linux machine using a VMWare Virtual workstation for extra protection. That machine's internet connection came through a customized OpenBSD Machine that was running Snort for Intrusion Detection and IPTables - a fully stateful firewall. That firewall was connected to the net through an additional Stateful firewall/router. So I was being very very careful to avoid getting cracked.
I won't divulge what exactly I was researching, but I discovered an incredible resource of information on some security topics that I had never before (or since) seen. The day after I found this site my VMware workstation was rooted, my underlying linux operating system was rooted, and my firewall/IDS was rooted. Luckily I had configured an older 3rd machine as a syslog server and cut the TX wires so it was invisible, and that's how I discovered the intrusion. All I will say about it is that the intrusion was so sophisticated and the attacker's tracks so well covered that I took out all the hard-drives and put them in storage so I could examine them in a few years with better tools and hopefully I can discover the methods used by the attacker and maybe discover where they came from. Needless to say, I was out of my league and someone was watching me.
Web Development Opportunity
So I had spent all those years learning about the vulnerabilities of various software and hardware, and then learning how to fix and correctly setup and run them. I already knew html, javascript, basic perl/php/shell-scripting, and I was experienced at running and administrating web servers at this point, so when one of my clients called me late on a Friday and begged me to help them build a website due on Monday I decided to give it a shot.
My First Website
OWWW! That's me howling in pain when I recall that weekend of web design hell. I built the whole site using Microsoft Frontpage, something which should be outlawed, and not knowing much about CSS I built the whole 4 page site using HTML tables.
The site was completed on time and opened my eyes to the endless possibilities of web development. I spent the next year trying to MASTER CSS and best-practice standards-based coding, then I learned more about Ajax and javascript, and also started using server-side programming quite a bit.
My first 10 or so websites were each drastically better than the last, and all of them were created by hand in code without templates of any kind. A good 15+ page site would take me about 3 weeks to 5 weeks to complete back then, now I build online presences designed to increase the client's bottom line. This includes everything and anything our client wants and to start we do a 1 year contract, it takes a lot of time and effort over a long period to really achieve greater market share (leads) using the web in high-competition markets. I tell the sales/marketing people who work with me to tell the clients that we can do anything, because we pretty much can. I'm just so thrilled at how easy all this web development stuff is compared to the security stuff... It's night and day and I'm really enjoying myself.
Ideal Candidate looking to work with me
- The right attitudes
- Willing to challenge and be challenged
- Scrappy & will do whatever it takes
- High attention to detail
- Want to make history not read it
- You have a history of achievement at whatever level you've been at.
- You are the best person you know at what you do.
- You are faster than fast
- You can be competitive but nice at the same time
- Skills
The only thing that counts with me is skills. . . either technical prowess or non-technical business know-how -- I always enjoy meeting new people in the industry so send me an email and introduce yourself, It's great fun to call up fellow developers in London and Japan... Feels cool so it must be!
Technology Interests
- CSS
- XHTML (strict!)
- Javascript (unobtrusive, strict!)
- NetSec (network security, hack the planet)
- PHP, Python, Ruby, Perl, Ocaml, Shell-Scripting (strict mostly!)
- AJAX (strict,crossbrowser,degrades gracefully!)
- Linux {Arch-Linux, Slackware, Gentoo, Red Hat, Fedora}
- BSD/Unix {OpenBSD, FreeBSD, NetBSD}
- Software {Photoshop, Dreamweaver, Sorenson, Flash, QuickTime, ffmpeg, nirsoft, sysinternals, Adobe Creative Suite, etc.}
- Windows {for Workgroups, 3.1, 95, 98, me, 2000, NT Workstation&Server, XP Pro&Home SP1&SP2}
- And of course, if not especially, the Apache Web Server, .htaccess, and mod_rewrite!
AskApache mirrors
Every once in awhile I come across a project that is so indescribably great that I decide to help out by mirroring and contributing to the content.
Google if you are reading this, I'm willing to relocate. ;) Microsoft, no thanks.