Crowdfunding Infosec

Is there one step below script kiddie?

Discuss…

1 Like

So, if the tool is real and does what it says, it would be quite useful for my kit as a professional merely due to form factor when doing covert physical entries (our tools are far more capable, but not nearly as convenient or require a lot more prep work to set them up in the field). There are a lot of tools that work really well for one protocol or one system in that form factor, but not any thusfar that have the diversity of what’s been stated.

If they can pull it off, aweseome! I hope someone makes a more serious firmware for it and then it would be come a nice piece of kit. Anything “gamifying” though isn’t as useful for actual pentesters.

As a fun thing like a Pwnagotchi though I’m all over it showing how this stuff works and pushing companies to actually make their crap use secure protocols by default

I see use of gamification as two things.

  1. “I’ve hit leet status” Making the user feel far more advanced than they actually are.

  2. “I’m not doin nothing” Curious standby doesn’t realize what they are doing because it’s not the Hollywood laptop with glowing code. May pass sniff test by rentacops.

IF it works, yes, projects like this could start an industrial revolution on hardening infrastructure but the random chaos of certain protocols opening gates/doors? Eh… I’d rather it not be THAT easily accessible.

1 Like

Looks like they’re using an Arm Cortex-M and STM32: https://github.com/Flipper-Zero/platform-ststm32 so effectively a flashable system which can double as a bad usb and hack LoRa or IoT thanks to its TI CC1101 chip. Don’t think it would be the end all system but they did get the backing to cover the bluetooth features so that’s promising.

Also looks like Samy Kamkar is backing this one and there’s a lot of potential for expansion.

So its going in my edc next to my wifiduck, pwnagotchi, sdr, and Compute Stick (preloaded with veracrypt [you can guess what the hidden volume has cough docker, zerotier, blackarch cough] and android-x86).

Now why these four (five after the flipper zero goes live) devices. They’re easily unrecognizable by most as “hacking tools”. I mean sure the sdr looks out of place but it’s easy to say; oh that’s just a tv tuner. But the value comes in plausible deniability.

I’ve heard you reference your vocation a number of times. I wondered if you’d be interested in sharing some of your knowledge in the field of cybersecurity as a class. I have an application (web based saas) which I’d like to pentest and see if it has holes.

Any off the shelf tools or techniques I could employ to give it a once over?

2 Likes

@coloneldan, run fuzzers, xss explorers, and sql injectors. Metasploit has a lot of good ones already backed in and so does kali linux.

Defence side; run a WAF in front of the application. Ensure one is using good authentication like jwt, Harden the database and anything talking to it.

Also since you have access to the source code; use something like snyk or
sonarqube.org to scan for vulnerabilities.

1 Like