OK, here it is.

I was hired to perform a third-party penetration test for a local ISP in 1997. The term penetration test was not in common use in the private sector then (I was more familiar with the term "tiger team"), so I went with security report.

https://twitter.com/eric_conrad/status/1277346806704361472?s=20
My client offered Unix shell accounts, and my scope was to see if I could hack four FreeBSD systems from an account that anyone could sign up for.

They assigned me the account "patrick".

<5 minutes later...
I called my contact, and told him I had root on the four systems in scope, explained that what I did was *really* easy, and that someone probably beat me to the punch.

So he asked to check to see if anyone had, and my penetration test segued into a proto-incident handling gig.
Here's the entire report. I redacted the non-hostnames, etc.

I'm pretty sure this was my 2nd third-party penetration test. First was on Wall Street, for a news agency. I don't think I have a copy of that report (the results were basically the same).
I remember handing in a draft of this report, and being specially asked to use terms like "security test" and "hacker". My client seemed to recoil at whatever I called a penetration test back then (probably tiger team, but I can't remember).

https://alpinesecurity.com/blog/history-of-penetration-testing/
That's the complete report, minus the appendices (FreeBSD security advisories, etc).

I called the IDS a "promiscuous monitoring station", which is interesting. I can't remember if the term IDS was in common use then. I had hacked and extended Texas A&M's Netwatch.
The history of IDSes leaves out Netwatch, which was the first Network Intrusion Detection System I used (circa 1994).
https://www.dropbox.com/s/51xsunnk0p75y9n/netwatch.README.txt?dl=0
Here's my client's response: when I handed in my draft report (which included this section) my client said they'd simply reinstall FreeBSD on the compromised servers.

I warned them that bad things would follow

Narrator voice: bad things followed https://twitter.com/johullrich/status/1277624839562559490?s=20
After the incident went from bad to (much) worse: they told me they would swap from FreeBSD to Solaris.

Because this was clearly all FreeBSD's fault.

So I added this section to my report.

Narrator voice: they didn't listen.
...and the intrusion continued to worsen, because the hackers were pissed off and became destructive after having to repeatedly re-own their unpatched systems.

How did my client make out financially? I just checked: they IPOed in 1999

Welcome to the dot com bubble, my friends!
Forgot to attach this image a few tweets back.

Who could have possibly seen this coming?
The mid/late 90s was truly the golden age of hacking.

No DEP, no ASLR, no stack canaries, etc., etc.
Nice shout-out to Bugtraq in the "Internet Security Resources" appendix.
You can follow @eric_conrad.