
DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities

timothy posted about a year ago | from the follow-the-bouncing-ball dept.

Security 57

punk2176 writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and 'big data' to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler, the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0. A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."


57 comments

finally, enough jargon to be /. worthy (0)

turkeydance (1266624) | about a year ago | (#44532799)

that's all.

Re:finally, enough jargon to be /. worthy (0)

Anonymous Coward | about a year ago | (#44532843)

Fuck yes. 'bout time. It was getting dangerously close to finding a Kardashian story posted here, which of course is now the standard litmus test of stupidity.

Re:finally, enough jargon to be /. worthy (0)

Anonymous Coward | about a year ago | (#44532863)

Yes, if it uses 3D data visualization, and Hadoop and Big Data it must be very advanced.

Who else agrees that "I love data" is the 2013 equivalent of "highly motivated self-starter with a focus on customer-oriented results"? Should be good for an extra $50K!

#checks it out, to see a whole new understanding. (2)

MickLinux (579158) | about a year ago | (#44535333)

Aah. It requires the Unity plugin. Okay.

##imagination runs wild#
After finding and installing the plugin, AND after a heated discussion with the wife about having lost one's job over some inappropriate tweets, AND having a talk with the Department of Homeland Security about pressure cookers, AND after receiving an Amazon gift subscription paid on my own credit card, along with a note that if it doesn't suit, I can return it and the next purchase will be for bitcoins that will be used for a purchase from the Rayon Way,

Why yes, yes, I can see how this would work to help me visualize security in a whole new way.

It occurs to me... (0)

Anonymous Coward | about a year ago | (#44533031)

...that if someone burned down the building with all these hackers inside, Avast and all the other anti-virus, anti-phishing, anti-malware, etc. makers would be out of business.

Re:It occurs to me... (1)

tqk (413719) | about a year ago | (#44537611)

...that if someone burned down the building with all these hackers inside ...

It'd be easier to determine your whereabouts.

Re:finally, enough jargon to be /. worthy (1)

tqk (413719) | about a year ago | (#44537599)

that's all.

Well, I was going to pat Timothy on the back for a couple of great intros (this and the dark matter controversy), but now that you've gone and said it all ...

Uh, thanks Timothy.

Yay slashvertisement (0)

Anonymous Coward | about a year ago | (#44532805)

from yet another hatted security guy. Why, how nice.

Web 3.0 (0)

Anonymous Coward | about a year ago | (#44532849)

Do we really need another buzzword for an old idea just to trick more VCs out of cash?

Re: Web 3.0 (0)

Anonymous Coward | about a year ago | (#44532855)

Big data, deep learning, social, cloud, and web 2.0 are wearing off.

Re: Web 3.0 (1)

dnadoc (3013299) | about a year ago | (#44532883)

Enough of your disruptive crowdsourcing.

Re:Web 3.0 (1)

oodaloop (1229816) | about a year ago | (#44532857)

I know. It's fucking ridiculous to call it Web 3.0. It's clearly 2.1.

Re:Web 3.0 (0)

Anonymous Coward | about a year ago | (#44532911)

I know. It's fucking ridiculous to call it Web 3.0. It's clearly 2.1.

Call me when it hits Web 11

Re:Web 3.0 (0)

Anonymous Coward | about a year ago | (#44532931)

If they start following the firefox release model we'll be at Web 16.0 by the end of next week!

Re: Web 3.0 (2)

robmv (855035) | about a year ago | (#44532999)

Web 3.0 and uses a plugin? at least do something real web before starting new buzzwords

Sounds like Acunetix (1)

sgt scrub (869860) | about a year ago | (#44532937)

The front end is nifty but I'm not fond of buzzy names. I don't really need a pretty pretty GUI. I'm more interested in the back end. It'd be nice if there was a link or more info about it.

Re:Sounds like Acunetix (2)

punk2176 (2840475) | about a year ago | (#44533003)

Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to how we're building the web 3.0 back-end:

(1) A link to the talk at ShmooCon on PunkSPIDER which gives more info than you'd ever want to know about the back-end: http://www.hyperiongray.com/shmoocon [hyperiongray.com]
(2) If you're in a rush you can read some basic stuff about it here: http://www.hyperiongray.com/node/18 [hyperiongray.com]
(3) If you really want to get into it you can download PunkSCAN (the PunkSPIDER back-end) on bitbucket and take a look: https://bitbucket.org/punkspider/punkscan [bitbucket.org]

And last but not least, if you want to know even more feel free to contact Hyperion Gray at punkspider@hyperiongray.com or follow me (Alejandro) at @DotSlashPunk on Twitter. Oh and thanks for the feedback on the buzzy name, it's meant to be a little over the top, but we'll keep your comment in mind!

Alex

Re:Sounds like Acunetix (1)

sgt scrub (869860) | about a year ago | (#44533327)

Very nice. It sounds like you could use it to create a dynamic high risk list that could be added to content filter or intrusion protection device. I'm going to have to take a closer look now. I'll try parsing the data into rules for the IPS. If the database is too large, which I suspect it is, I'll have to find a spamhaus style way of implementing it.

"Unity web player"? (4, Informative)

mysidia (191772) | about a year ago | (#44532951)

When I visit the demo site it prompts me to install some software I never heard of, before showing the demo.

Seriously.... they make a malware visualization demo requiring me install some browser malware in order to view it?

Re:"Unity web player"? (1)

jdharm (1667825) | about a year ago | (#44532987)

I stopped there. I just know when I install that software the first thing I will see is not some pretty graphic showing the complex relationship between websites but a simple statement in flashing letters:

And that is why malware propagates. Idiot.

Re:"Unity web player"? (2)

punk2176 (2840475) | about a year ago | (#44533019)

Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/ [unity3d.com]

Re:"Unity web player"? (1)

mysidia (191772) | about a year ago | (#44533071)

Erm. Unity is a well-known 3D gaming engine, dude....

Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

So apparently there is some niche product that is a 3D engine of some sort, and I get that. But the publisher should still not be doing something that requires me to install software, to view it.

If they're posting it online, they should use a standard format such as HTML5.

Re:"Unity web player"? (0, Troll)

Anonymous Coward | about a year ago | (#44533097)

>could of

No attempt at sounding smart after writing that is going to work.

Re:"Unity web player"? (1)

tqk (413719) | about a year ago | (#44537641)

>could of

No attempt at sounding smart after writing that is going to work.

"Could've" ("could have") as "could of" just means they've picked it up from hearing it, not reading it. You should applaud their jumping back into the realm of the written word.

Re:"Unity web player"? (-1)

Anonymous Coward | about a year ago | (#44533113)

It'd probably be hard to code this in a markup language, but maybe if you ask real nice?

Re:"Unity web player"? (2)

bobstreo (1320787) | about a year ago | (#44533139)

Erm. Unity is a well-known 3D gaming engine, dude....

Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

So apparently there is some niche product that is a 3D engine of some sort, and I get that.
But the publisher should still not be doing something that requires me to install software, to view it.

If they're posting it online, they should use a standard format such as HTML5.

Nah Unity is the value subtracted interface to Gnome in the latest versions of Ubuntu

Re:"Unity web player"? (1)

gl4ss (559668) | about a year ago | (#44533151)

well, what they did was make a desktop software with available tools that has a web loader...

and publish it as a "web software" when it's just desktop sw with a launcher in all practicality. but since everything has to be web nowadays, then web it is.

Re:"Unity web player"? (0)

Anonymous Coward | about a year ago | (#44534091)

Shhhhhhhhhhhh! Fucker!
Stop giving it away!

Re:"Unity web player"? (1)

jon3k (691256) | about a year ago | (#44533291)

Don't worry there's Unity Connect now, runs on Linux.

Re:"Unity web player"? (1)

Anonymous Coward | about a year ago | (#44533089)

Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/ [unity3d.com]

Sorry, but your statement here doesn't diminish the huge cloud of irony hanging over this. User must install plugin to see visualization about malware fed often via plugins. Uhhh, yeah...reminds me of that time I was taking a security course teaching about how to never click on pop-up windows...when the course was initiated via, you guessed it, a pop-up window.

Re:"Unity web player"? (0)

Anonymous Coward | about a year ago | (#44533169)

This doesn't visualize malware... visualizes websites and vulnerabilities

Re:"Unity web player"? (3, Informative)

ThatAblaze (1723456) | about a year ago | (#44533025)

A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/ [unity3d.com]

Re:"Unity web player"? (1)

znrt (2424692) | about a year ago | (#44534347)

A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/ [unity3d.com]

pretty overwhelming records show that third party browser plugins are a major source of vulnerabilities, even more so if they are closed source and maintenance restricted to private profit organizations whose due diligence in the process simply cannot be assumed, or even have shown outright negligence. see sun, oracle, adobe, apple, microsoft ...

this is not just ironic, it must be april fool's day in some random geeky tz somewhere.

Re:"Unity web player"? (1)

ThatAblaze (1723456) | about a year ago | (#44534559)

You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs! It's time to go back to the dark ages because no one's source can be assumed to be secure unless you have the option to read it! Not that you would actually bother to go read it, any more than you would bother to go vote.. but that option simply must be there!

Re:"Unity web player"? (1)

mysidia (191772) | about a year ago | (#44534807)

You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs!

I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, the Adobe Acrobat reader plugin, the Java plugin, etc.

HTML5 with Javascript and WebGL is not the dark ages

Re:"Unity web player"? (1)

ThatAblaze (1723456) | about a year ago | (#44536659)

I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, the Adobe Acrobat reader plugin, the Java plugin, etc.

HTML5 with Javascript and WebGL is not the dark ages

So you're saying you should avoid plugins with a track record of being exploited and go ahead and use plugins from an established company that don't have such a track record? That's excellent advice.

I hate to break it to you but Unity falls into the latter category, not the former.

Re:"Unity web player"? (1)

znrt (2424692) | about a year ago | (#44537279)

i actually love this idea def-con puts out. as a former cyberpunk fan i started a proof of concept of "the matrix" myself, decades ago. didn't finish, of course. if i did it today i even might as well choose unity3d too (probably not, but it wouldn't be unreasonable). but what i certainly would not do is claim to be "educating people about dealing with vulnerabilities" while just shoving another major source of them right in their pants. epic fail.

we definitely need a fresh perspective on the way we interact in the network. we are already deep in the dark ages, or didn't you get the news about government agencies routinely spying on absolutely everyone? and as much as malware is actually a plague, general public blissful ignorance is the real problem. but opensource doesn't mean we all have to read the source before running it, or start growing beards. it simply means it is publicly auditable, which in itself has far reaching implications. assuming "company x will do good" is simply not acceptable. in part because they have proven otherwise more often than not. but nobody expects the spanish inquisition!

Re:"Unity web player"? (1)

Yvanhoe (564877) | about a year ago | (#44539205)

Actually, the unity plugin is now pre-installed in chrome under windows. I fear it will quickly become the new flash runtime.

I would not call it a malware, I do think that Google did a good job to clean it up, and that the Unity company really does need to stay clear of malware, given their business model, but I really despise the idea that we will have to indulge for yet another binary blob.

Re:"Unity web player"? (0)

Anonymous Coward | about a year ago | (#44534823)

This is hilarious indeed! So much for that project...

Neuromancer? (0)

Anonymous Coward | about a year ago | (#44533057)

Sounds a lot like what the hackers used in "Neuromancer." The Web 3.0 demo reminded me of the awesomeness in the book... would be so cool if they can really pull something like it off. Great nerdy game concept anyway.

best used while listening to The Prodigy (1)

ClassicASP (1791116) | about a year ago | (#44533109)

cool! just like in that 1995 movie "Hackers" ! http://www.youtube.com/watch?v=PZHG3pi9EDA [youtube.com]

Re:best used while listening to The Prodigy (1)

BonThomme (239873) | about a year ago | (#44535359)

Crash Override, is that you?

Easter Egg (1)

ThatAblaze (1723456) | about a year ago | (#44533121)

Most sites I type in don't work, but I found something interesting by typing in bushofficial.com

Wow (1)

93 Escort Wagon (326346) | about a year ago | (#44533123)

For some reason, I didn't think defcon would be receptive to guys shilling their new commercial products.

Screenshot anywhere? (1)

manu0601 (2221348) | about a year ago | (#44533369)

Are there screenshots of the thing anywhere, for the one that cannot or do not want to install that Unity player?

Re:Screenshot anywhere? (1)

ThatAblaze (1723456) | about a year ago | (#44533491)

Several screenshots are posted at the demo link of the trinarysoftware website.

Clever it might be, but the UI sucks big time (1)

davesag (140186) | about a year ago | (#44533447)

I mean seriously, you can't even edit the goddam URL field; hovering over nodes makes them glow (wooo) but clicking does nothing. Maybe it's an issue with the Unity plugin (yeah, Unity! seriously. FFS)

File this under "utter shite"

Re:Clever it might be, but the UI sucks big time (1)

ThatAblaze (1723456) | about a year ago | (#44533485)

Double clicking and dragging work.

Re:Clever it might be, but the UI sucks big time (2)

davesag (140186) | about a year ago | (#44533593)

Be that as it may, it's profoundly useless if you can't edit the root URL however.

Also, given the UI swiftly becomes a morass of swirling links, pinning one down to doubly click on it is next to impossible. The back end of this might be great but the UI is total shit.

Re:Clever it might be, but the UI sucks big time (0)

Anonymous Coward | about a year ago | (#44534109)

Nobody is stopping you from making a GUI in Visual Basic!!!

Re:Clever it might be, but the UI sucks big time (0)

Anonymous Coward | about a year ago | (#44534839)

Double clicking and dragging work.

Double clicking, how exactly? The damned links won't stop moving around. The interaction model is worse than amateur.

Research deeper... (0)

Anonymous Coward | about a year ago | (#44535053)

Take a look at Trinary Software's "About Us" page. Would you trust a software company that doesn't spell check their website? The name of the company in Mr. Rogers' image is spelled differently than most other references on the website. I also wouldn't call the image setting appropriate. Mr. Rogers looks as if he is in an apartment, sitting on a sofa, dressed in a t-shirt and leather jacket. While Mr. Rogers may be a fine person, very capable of producing exceptional software, the first impression from that page does not lead me to that conclusion.

black hat and def con are NOT hackers (0)

Anonymous Coward | about a year ago | (#44535225)

these sellouts are security coppers at heart....i dont care what any of you say its a lie to say otherwise....
and when you have to use 3d tech to spruce up your bullshit you might as well bend over to obuma and friends...

But, there's a good idea here. (1)

tqk (413719) | about a year ago | (#44537721)

Irrespective of all the "installing a plugin to determine security status" comments I've read so far, ...

I'd just like to say that a strip window in the bottom of my browser that spits a running commentary (a la XConsole) of what the browser's doing in the background and who it's talking to would be cool. I want what it spits out to be user selectable and configurable. Get on it. You know you want to.

Re:But, there's a good idea here. (1)

ThatAblaze (1723456) | about a year ago | (#44537821)

Get on it. You know you want to.

I do. [youtube.com]

DEFCON Presentations (0)

Anonymous Coward | about a year ago | (#44541255)

DEFCON must have been pretty weak this year.
