Cloud services. We love them! All you need to do is hand over your email address, use the same password you have everywhere and presto: before you know it you are using yet another free service that does whatever you require. From handling your email to storing your documents, from chatting with your friends to keeping track of all the Care-Bear stuff you track online.. there is a cloud service for everything.
We are not always the customer, sometimes we are the product.
What most of us forget is that, unless you are paying for said service, you are not a customer but a product. If your free cloud service has any plans about staying in business and paying that giant hosting bill for that ‘free storage’, it had better have a business plan. Most cloud services make money by selling you ads that you click on. The people who PLACE the ads are the actual customers of the service .. YOU .. are the product. This might not be true with a paid service (another way of working for a cloud service might be to get you hooked with a free account and then make you UPGRADE into a subscription plan). So if you are using that favourite cloud service of yours, ask yourself: am I ok with being “The Product”?
Just “Who IS” the cloud ?
Behind every fancy logo or snazzy name is a company. That company can be a multi-brazillian-dollar company who buys up instant messaging clients for sixteen billion the way you buy new socks. It might also be two crummy guys sitting in their mom's basement remote controlling their servers somewhere else. You only see the flashy logo, you never read the terms of service (just click agree-agree-agree) and have no idea of who might be looking at your data. Who knows, you may have signed over the creative rights of your summer snapshots to the cloud company that turns them into a “Free online picture-slideshow”.. because you never read the terms of service. And for the sake of argument: what if there is a problem you can’t fix? Who are you gonna call … Chances are you will get to talk to the REAL Ghostbusters before you get a living person on the other end of the line at your “free cloud service”. So are you safe? Is the data yours? What happens if the bubble bursts and the service goes away?
So what if you rolled your own ?
If you make it really simple you can say that cloud services are just applications running on servers. (But they are actually spread out on servers all over the world and are optimised for coping with a LOT of simultaneous users.) But what if you don’t need that? What if it's just you and your dog using them? Then you could basically run them yourself, right? The answer is: YES. It takes some tinkering and having at least one machine that is online most of the time to make sure your “private cloud” is accessible, but aside from a little patience, a spare machine and an internet connection, that's about ALL you need.
I don’t trust cloudy skies.
This week we boldly choose “DISAGREE” on the terms of service of the cloud providers, we decide NOT to trust their free business model and we venture out on our own little geeky adventure: rolling our own private cloud. The luxury of a cloud service, but run on your own hardware, in your own home (or on YOUR webspace) with YOU in control. We will try to show you some great examples of just how much fun you can have while being your personal cloud provider. Most if not all services we will set up can be hosted on a Linux virtual machine and are accessible from any operating system (or device) that is capable of connecting to the internet.
Today on our Google Hacking week, we continue to use the Google search engine as a source for interesting information. In our previous posts we talked about finding and downloading certain kinds of files but today we are on the lookout for “juicy devices”.
The theory is quite simple: most appliances like webcams, routers, copiers and more have web interfaces. A lot of different applications and services can also be controlled by a web interface. It’s easy and convenient when you can use the browser on your computer to configure and watch your webcam or change settings on your router while on your local LAN. But what if those devices are hooked up directly to the internet?
Any device that gets connected directly to the internet is at some point scanned and indexed by Google, and if you enter the right search term you will be able to find it. The way we are looking for those devices and services today is by using the INURL operator. Some web interfaces (to your router or webcam) have a very specific way their URL looks. By searching for those specific URL patterns with the INURL operator.. you can find some very cool stuff. If people have done their homework, most of these services will be blocked by a unique login or password. But some people just use the default password … or even none at all.
Let us take you on a walk through the net with some very specific INURL Google Dorks.
- This one will get you some interesting webcams (some you can even control with your mouse). Look around and see if you can find the Giraffe Cam.
- More network cameras here. This one is in some dorm/college. You can control the zoom and the direction of the camera.
- inurl:":10000" intext:"webmin"
- Remember we talked about WEBMIN? This will give you a list of all Webmin servers connected directly to the internet. Most of them are protected by a password (we hope) .. but common usernames like ROOT and some generic passwords might get you in.
- This will get you a list of PLEX media servers where people can store music and movies to watch on any device (even across the internet). Most of them are locked down with a login/password. Some of them … are not. Happy streaming.
So you see: there are quite a few web services out there that are inadvertently open to the indexing power of Google. Some clever searching and you can find them.
We close off by going back to our camera in the student dorm. Where is this? A simple ping of the URL gives us the following IP: 22.214.171.124, and by going to Whereisthisip.net we find out that it's in Sydney, Australia. It's THAT simple.
Puzzling information together.
This might all look like fun and games, but badly secured devices are dangerous. Whether you have weirdos peeking through your accidentally-publicly-connected IP camera, or random people printing out documents on your www-connected printer.. it's never good. Using the domain name, the IP and the registration information of the domain, people can quickly find out where and even WHO you are. If you skip good security and don’t use passwords (or keep the default passwords) .. it does not bode well for you. Hackers even use the INURL search to find specific web servers/services with known vulnerabilities. All they then need to do is run some code to take advantage of the exploit .. and they are in. Hackers don’t NEED to search for your open Webmin server with the buggy (and vulnerable) version of the HTTP code .. Google did it for them.
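The same indexing mechanism looked at from the defender's side: an added example (not from the original post) that reads a handful of constructed web-server access-log lines and flags admin interfaces that search-engine crawlers have reached. It separates the hits that were answered with a 200 (content served to an anonymous crawler, so the page is indexable and no login stood in the way) from those answered with a 401/403 (a password prompt is in place, but the URL itself is still findable with an inurl search). Port 10000 for Webmin comes from the dork above; port 32400 is Plex Media Server's well-known default, which the post does not mention; the log format (a vhost:port prefix followed by Apache's combined format), the crawler User-Agent markers and all addresses are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

# Admin interfaces to watch, keyed by the TCP port they listen on.
# 10000 is Webmin (from the dork above); 32400 is Plex's well-known default
# port, an assumption not taken from the post.
ADMIN_PORTS = {10000: "Webmin", 32400: "Plex"}

# Substrings that identify search-engine crawlers in the User-Agent header
# (assumed markers; extend to taste).
CRAWLER_MARKERS = ("Googlebot", "bingbot", "DuckDuckBot", "YandexBot")

# Constructed sample log: "<vhost>:<port>" followed by Apache combined format.
# Addresses are documentation/TEST-NET ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10:10000 198.51.100.7 - - [12/Mar/2014:10:01:22 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10:10000 198.51.100.7 - - [12/Mar/2014:10:02:10 +0000] "GET /session_login.cgi HTTP/1.1" 401 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10:10000 192.0.2.44 - - [12/Mar/2014:10:03:05 +0000] "GET /session_login.cgi HTTP/1.1" 401 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10:32400 198.51.100.7 - - [12/Mar/2014:10:04:40 +0000] "GET /web/index.html HTTP/1.1" 200 8802 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10:80 192.0.2.44 - - [12/Mar/2014:10:05:12 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10:32400 192.0.2.44 - - [12/Mar/2014:10:06:01 +0000] "GET /web/index.html HTTP/1.1" 200 8802 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# One regex for the assumed line layout; named groups make the fields readable.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    kind: str        # "served_to_crawler" (200) or "probed_by_crawler" (anything else)
    service: str
    port: int
    path: str
    client: str
    timestamp: str


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(user_agent):
    return any(marker in user_agent for marker in CRAWLER_MARKERS)


def audit(log_text):
    """Flag every crawler request that reached one of the admin ports."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in ADMIN_PORTS or not is_crawler(rec["ua"]):
            continue
        # A 200 to an anonymous crawler means the page went out without a login;
        # a 401/403 means the password prompt held, but the URL is now known.
        kind = "served_to_crawler" if rec["status"] == 200 else "probed_by_crawler"
        findings.append(Finding(kind, ADMIN_PORTS[rec["port"]], rec["port"],
                                rec["path"], rec["client"], rec["ts"]))
    return findings


def exposed_services(findings):
    """Names of services that handed content to a crawler (indexable, unprotected)."""
    return sorted({f.service for f in findings if f.kind == "served_to_crawler"})


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp}  {f.kind:18} {f.service}:{f.port} {f.path} from {f.client}")
    print("served without a login:", ", ".join(exposed_services(results)) or "none")
```

Run it against your own access log (adjusting `LOG_RE` to your log format) and anything in the "served without a login" list is a candidate for a password, a firewall rule or a `noindex` response header before the next crawl comes round.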
There is no way to summarise Hacker Public Radio in just one word. It isn’t even “one” podcast but an endless slew of individual podcast episodes by many, many different hosts on a great variety of topics. All topics (mostly) center on hacking and technology … but sometimes there is just somebody on there who tells you what it's like to stay in a mental institution as she suffers from schizophrenia. Not every show has top-notch audio quality and some are a little chaotic .. But the awesome thing about HPR is that it is something DIFFERENT every day. I feel like the proverbial Forrest Gump who points at his box of chocolates and is unable to correctly prophesy the content, texture and flavour of the next piece of chocolate. “You never know what you are gonna get” is exactly what sums up Hacker Public Radio. The only guarantees (except the speed of light) are that it is going to be related to technology and it's going to be interesting.. And if not? Skip a show and listen again the next day.