Michael Schrenk August 1st--4th, 2013 Rio Hotel & Casino • Las Vegas, Nevada
COMMENTS: 382
@waffle9117 years ago
You know you've been in the automotive business long enough when you recognize the example VIN he uses as belonging to a Lexus.
@Minzkraut7 years ago
It might not have been the best talk, but I liked it as a story.
@earlgrey21309 years ago
I feel like I should've learned IT stuff instead of arts. Then I'd maybe not be homeless and fucking unemployed -.-
@D4rkst4r2359 years ago
True
@RiDankulous9 years ago
I know IT people who majored in the arts. Not many, but they are out there. Nothing's stopping you from learning programming on your own or through certification training. The internet is full of good tutorials for every area.
@NightmareTV6669 years ago
You should learn hacking to get your art out
@navy43419 years ago
Go for Codecademy for a programming introduction. Later on, go for C++ and hammer at emulators and collect some experience, and then go for industrial emulation projects.
@zombiemoat59 years ago
x3kesa3 This is true. learning it is free, the certification is all that matters.
@arsalan200510 years ago
Awesome! Enjoy watching these stories!
@KX365 years ago
And this is why it's nearly impossible to buy concert tickets now.
@ShelliLoop4 years ago
Naw, people are stupid. There are hawkers selling tickets at 10x the value only feet from the ticket booths.
@younglife8810 years ago
Enjoyed this talk. learned a few things, even though they are a bit of older legacy hack but still applicable.
@jonandbrooklynn63615 years ago
Really interesting. Thanks for sharing
@thatguy10000019 years ago
"..It was like the gods handing me fire! Here you go Mike, you've been a good boy!" Hahahaha gold
@msven10 years ago
Very cool presentation! Thanks!
@martinzember87215 years ago
This is about automation for a customer (something we also love to do). But calling it a botnet at defcon, in the context of security? And russian hackers?
@Galactipod3 months ago
A botnet is a group of Internet-connected devices, each of which runs one or more bots. The bots don't have to be across the world on random people's PCs. And this is outside the context of security, it's in the context of online retail.
@martinzember87213 months ago
@@Galactipod it's not outside of context of security if it was presented at DEFCON. "DEF CON is a hacker convention ...since 1993 and today many attendees at DEF CON include computer security professionals, journalists, ..." Wikipedia According to the number of upvotes, I was not alone wondering.
@mercurichinc8 years ago
I think this info is complex but he presents it easily. Good job
@chadpunte17314 years ago
best one I've seen yet.
@nikolaos91757 years ago
Very informative. Thx
@cselph8 years ago
I guess this was kinda interesting, but the title was completely misleading.
@jbGraphics_6 years ago
nah dog you're just dumb
@talhatariqyuluqatdis6 years ago
jb OHHHHHHHHHHHH
@bee_irl4 years ago
@Joel P The fact that they may or may not have been hackers doesn't seem relevant to me.
@Freakazoid123454 years ago
I haven't watched it yet, but might as well have thrown the word "quantum" in there for good measure.
@medularob71584 years ago
Exactly more of a scraper than a hack
@ryanpongracz80518 years ago
sooooo, this is how all those scalpers, buy all the tickets from ticket master and keep us all from being able to buy them fairly. I need to learn how to do this stuff
@molomono97957 years ago
Actually Ticketmaster can stop scalpers but they would lose money in doing so. So I doubt it's a very prominent topic on their agenda.
@johnfrancisdoe15634 years ago
ryan pongracz I remember a concert house working with a journalist from the same corporation to bait those bots with an unannounced concert then publicly shaming the scalping site that instabought tickets and put them up for sale before the concert was announced. Didn't make a dent.
@SleekMouse10 years ago
This guy is really cool.
@infl4 years ago
website adds “i’m not a robot” 😂
@maverickstclare37564 years ago
I use Burpsuite to MITM the browser to work out the flow to build bots. I have automated my work in my last two jobs. The last one from 8 hours per day to 20 mins. Then I got the sack when the next boss came because my jobs looked so easy. They assigned a cheaper colleague to take over and he went nuts finding out it was going to take him 8 hours.
@pinotfilmnoir10 years ago
Awesome!
@Samura1gamer6 years ago
i was one of the russian hackers that was defeated by his bot back then, and yes i saw a giant red and blue eagle on my screen at the time of defeat
@ShelliLoop4 years ago
Good for you for admitting this, assuming you are a "for real Russian hacker."
@user-pm8je4fo7e11 months ago
No you were not. Those were ukrainian wannabes (just like this cowboy right here).
@alexandernyberg86682 years ago
6:40 "It's important because the developer has to get paid" -The developer
@LiamKarlMitchell5 years ago
Could have also had the harvesters hosted closer to the real server to minimize trip time?
@briangork60245 years ago
Fun observation, he's presenting white-hat, possibly grey-hat, but wearing a black hat
@Jay-Niner6 years ago
Love the amount of mid-stream ads you injected into this freebooted video...
@Seth98096 years ago
Fuck the uploader.
@KeenJT4 years ago
It doesn't matter, the video would be auto detected by youtube's copyright claims and all the ad money would go to the copyright owner
@patrickkeefer86784 years ago
Brave browser.
@lolcatwill4 years ago
@@patrickkeefer8678 ublock. brave is spyware.
@eustatianwings8 years ago
"Trespass to chattels" "very illegal" - before we get all FUDdy on that, the term actually means "you messed with and broke my shit, now I shall sue you." In the real world you'll be blocked and/or asked to stop before you're sued.
@ryannorthup3148 a year ago
Cease and desists usually come before big lawsuits. Intimidation is cheaper than a lawyer.
@JordanShackelford7 years ago
My mom and dad made a bot in 1995 too. His name was Jordan. :(
@DrFreezedUp7 years ago
Jordan Shackelford k
@pure_espress03936 years ago
Hey wait a second........
@talhatariqyuluqatdis6 years ago
Jordan Shackelford your profile pic perfectly portrays this plump emoji :(
@lawrencenoyman3505 years ago
You think you are a bot?
10 years ago
Even AJAX forms are easy to reverse engineer. Also instead of making the browser click the button you could just submit the form from the bot server. Instead of constantly refreshing I'd just have a script submit the form a couple of times per second, and you could even have that running in the background. Of course, this was a rather new technique 7+ years ago.
@catkid1339 years ago
It didn't have any Ajax script, so you can't reverse engineer it.
9 years ago
Yeah I don't know how AJAX ended up in that comment. I probably meant HTML forms.
@user-sw1wq8lh2w5 years ago
if it's ajax, it was probably hitting an app, just view the request it sends, mock your own with curl, super minimal
@jtc19474 years ago
I wonder why this project was only successful for about 40 weeks or so? Did it start failing? Were there changes that the project could not handle? Did the other people COMPENSATE for the improvements and start intruding on the business?
@sellersgarner7 years ago
"RUSSIAN HACKERS?! MIKEY FORRESTER?! WHAT THE HELL ARE YOU GUYS ON ABOUT?!?!" - S. Williamson
@GonG1087 years ago
it took me 7 minutes to realize I would not even get a description of how to get me a burger by a botnet
@ShelliLoop4 years ago
Would you EAT a burger from a greasy dirty bot hacker????
@goiterlanternbase4 years ago
Whatever brings me closer to a burger now, is reasonable.
@batlin5 years ago
If you wanted to try just "re-enabling" the Buy button, you could just give the client a bookmarklet that alters the page content... probably still wouldn't work though, if they actually validate requests on the server side.
@ConstantlyDamaged a year ago
As he stated repeatedly, this kind of action could lead to people buying cars before the sale time-in which case you get all your accounts deleted and are banned from the service. This is how not to have a Good Day™.
@batlin a year ago
@@ConstantlyDamaged I didn't say it was a good idea, just that it can be done, and therefore someone will do it.
@NeoIsrafil9 years ago
I would imagine you could estimate the lag time and server load needed by pinging the server and basing your purchase timing on the response. Could be wrong though...
@ShelliLoop4 years ago
exactly. but it would have ruined his lengthy story.
@Goldenfightinglink5 years ago
whoa, that'd be super easy now. but it's still crazy doing alllll that back in '06. pretty sure html was still like 2.1 or something
@johnfrancisdoe15634 years ago
Goldenfightinglink 4.01, then after years of stability they jumped to "5, but not telling the number anymore"
@error.418 a year ago
@@johnfrancisdoe1563 and they dropped calling it "5" now it's just the "Living Standard"
@brianaragon16414 years ago
Amazing
@illuminaughty19117 years ago
people complaining about ads, current year, not using ad blocker
@Bender17 years ago
Illuminaughty sadly there is no mobile adblock for youtube.
@Slada17 years ago
+Roliath, Malebranche Of The Abyss There IS - youtube adaway (needs xposed framework and root)
@illuminaughty19117 years ago
sorry you can only afford to watch UKposts on mobile. Firefox and adblock plus is the way to go
@Technolgy27 years ago
+Douwe Huysmans he never used the word whining. why use quotes?
@Bender17 years ago
Adam S. All phones can't be rooted sadly.
@knopjeh8 years ago
What did that guy shout at the beginning?
@xorinzor6 years ago
All you need to do is send a POST or GET request with the form data it'd expect and you're done xD
@DanielLopez-up6os5 years ago
Dang Myspace was old in 2013... And it's still there... Barely.
@Jixejo4 years ago
Mybot?
@TheTigero8 years ago
I had high hopes for this talk... In the end, all the guy really needed was Firebug to enable the buy button...
@teejaye1108 years ago
+Kevin Klika he talks about that option near the end, and says while it probably would have worked, it wouldn't be the smartest choice for the same reason the VIN numbers were verified before trying to buy the car
@sebastienlauzon56558 years ago
*Spoiler Alert??*
@TheTigero8 years ago
Sébastien Lauzon not a spoiler alert, it's exactly NOT a spoiler because it's not what he did...
@IoanKatalinn7 years ago
Bullshit. Watch the video guys.
@Penissniffer7 years ago
Just cause u can enable the buy button client side doesn't mean server side code will accept the request.
@mkomovffdfewrwqwerqw8 years ago
The GROUP of RUSSIAN HACKERS hired by competing USED CAR DEALERSHIP. They bring them here from the cold Siberia, to conduct their evil plan on constructing a CAR SALES BOT. But I single-handedly defeated them.
@kb3ngb6 years ago
was probably kids in secaucus using some open russian iot device running msh
@kb3ngb6 years ago
found signs of PAS web shell, immediately attributes russia (for the dense never mind PAS is ukrainian and available here github.com/wordfence/grizzly was until recently available at profexer.name but site changed and i don't speak the language to grok it any more)
@sliyarohmodus57494 years ago
Exactly. If you replace "Russian Hacker" with any other racist stereotype you'll see that this is yet another attempt at pole pissing and chest thumping by a bigot.
@IronFilmVR6 years ago
Wow, how did the small dealership then handle buying over 800 cars in less than a year so as to then sell them on to customers?! Must have needed to massively increase his sales.
@Seth98096 years ago
He sold like 20 cars a week, that easy. That's like one every two working hours.
@75PercentWater6 years ago
or is he the guy defeated by captcha?
@ineluctablemodality6 years ago
18:53 he said 'I understand a little' in Russian
@Freakazoid123454 years ago
Spasiba.
@notimportant70232 years ago
Spasibo Tebe Bolshoe.
@g73hc3gsv3i4 years ago
When I get bored with jokes, I come here :).
@phatrikk1236 years ago
Can someone explain to me how he determined the time from the server's clock? I'll admit I'm not a web dev but it seems unlikely to me a server would voluntarily give away its time to anyone who asks for it (who isn't already authenticated to the server with a user account). Did he possibly mean the sales website showed a clock?
@phatrikk1236 years ago
and yeah, I know what NTP is... Obviously, that's not what he's talking about here...
@ConstantlyDamaged a year ago
I know this is late, and you might know the answer by now, but when a web server responds to a HTTP(S) request, they include a "Date" field in their reply header which has a lovely date/time value that is usually referenced to GMT. These are accurate to the second, of course, so that's why he repeatedly prods the server to obtain more precision.
@a29_6 years ago
0:45 sounds like the last fast and furious movies
@SgtKOnyx7 years ago
Unless you have a storm trooper?
@Gunbudder7 years ago
for any curious, the vin at 13:49 is for a salvage title lexus in michigan. i don't know why i looked that up
@gazorpazorpgazorpazorp35475 years ago
I appreciate you
@hammercanttouchthis4 years ago
Thanks for sharing. I often ponder on these trivialities.
@Freakazoid123454 years ago
How do you look up vehicle VIN numbers?
@BloCKBu5teR7 years ago
the fact that he is afraid to send certain e-mails is messed up.
@Fetidaf7 years ago
BloCKBu5teR why? especially saying "I've got six snipers ready to go at noon, lets see how many kills we get"... i would kind of hope the NSA would pick that one up and investigate it a bit
@BloCKBu5teR7 years ago
can I read your emails please?
@SlimAgnus6 years ago
I think this gentleman's definition of what a botnet is, differs from mine.
@Its__Good4 years ago
It seems odd that the market is consistently under-valuing these cars to the point where people are designing bots just so they can click 'buy now' as quickly as possible. Why aren't prices rising as a result? Why aren't they being sold at auction?
@wingsonthebus2 years ago
certified Very Powerful Ally
@ContagiousRepublic5 years ago
Credit on you for not writing a buy-before-the-button-appears button using a greasemonkey script, which the Russian hackers would not hesitate to. ALSO you might have wanted to try working for the sales sites and have them set up a proper bidding process and have customers enter reserve prices...
@niight21226 years ago
I watched the whole video and I'm like a huge football meathead kind of guy but I think this stuff interests me...I think I might major in some kind of network or technology in a few years when I transfer from high-school to college
@kebman5 years ago
Nxght yeah sorry, this guy is either full of shit, or he's purposefully misleading people about how forms can be spoofed. Or worse, he didn't even know it himself...
@groundhogx29416 years ago
Since when do car lots buy used cars at "wholesale"? They get used cars from banks, banks put repos up for auction, then a dealer uses a dealer license to get access to the auction..
@ShelliLoop4 years ago
Your whole talk is obfuscation Good job, you diverted the topic from down-right-evil-BOT-hacker, to do-kinda-good-sometimes-BOT-hacker.
@Pleiodes7 years ago
is it possible to buy stocks with a bot network? Or is that illegal?
@mikecrapse52857 years ago
Pleiodes it's called machine trading, and more than 75% of stock trades are done with this method
@grendelum5 years ago
There’s also a *_huge_* amount of work that goes into currency trading... bots that are scanning currency markets around the world for when currency A is just a fraction off in market B and tho it may be tenths of a percent it can add up quick !!
@swaaagquan35405 years ago
You guys are aware he's a CIA/DIA contractor talking about work done a few years back. Hence the legality doesn't matter as he was operating above the law.
@shellybelly358 years ago
i got well bored love zoz's presentations =)
@Ug0tmi1k5 years ago
I'm still a bit confused, in a technical sense, how his bot server was able to interact/make requests with the sale server, could anyone explain? Normally, if your requests were cross domain, wouldn't you need cors? And if the request was cross domain, wouldn't the sale server have to allow his bot server as an origin for any access to work? Sorry, I'm rather new to internet technologies.
@tazetotero17085 years ago
Hey buddy if you ever come back to this, here's your answer. You might have been confused by the fact he is using an HTML page as an interface for his bot, he also probably made it with PHP. But that's really just the interface and the programming language that were used, the fact that the GUI is in a browser does not matter, it could have been python, C or whatever else. Now he didn't have to use any kind of cross-site hack to pull this off, all he did was send HTTP requests (probably using PHP curl). One request would get the list of cars, the other one would get his timing information and finally, when his timer kicked in, a request would be sent to buy a car, with the appropriate POST or GET data.
@ShelliLoop4 years ago
you know too much. this is entertainment only.
@bradypatterson18914 years ago
He almost got a sentence in between ads there for a bit.
@ericsbuds8 years ago
how did the bot know what time the buy button would show up? wasn't that the whole point? if you knew what time the buy button would appear, you wouldn't need people constantly clicking refresh in the first place.
@Ilikeyourgirl8 years ago
+ericsbuds Of course, even if you know that the car is on sale at, let's say 2pm, there are still 700-800 people wanting to press the buy button first. If you don't refresh, you won't be the first one to buy as it will not refresh automatically.
@ericsbuds8 years ago
Pianolicious i see I see, so you know what time the buy will happen before hand. thanks ;D
@Ilikeyourgirl8 years ago
+ericsbuds I might be completely wrong, but as far as I understood, the time the offer went live was actually known to everyone. just like an auction, it starts at a specific time.
@shadyk6669 years ago
Wtf is this? I have never seen auction where you need to wait on button :) Can you tell me what is this about?
@boxbox62908 years ago
1998 auction sites mate the past is the past
@firefox59266 years ago
13:12 did no one think of just using a drinking bird ?
@eliluong7 years ago
how did he know when the buy button would appear? he is counting down time to make the purchase.
@ShelliLoop4 years ago
yes. he said EXACTLY that.
@xxPEvexx5 years ago
LOL they frantically refresh and DOS themselves. I work at a dealership and I knew salesmen were stupid but, wow this is stupid on another level.
@dzhiurgis7 years ago
I guess no XSRF tokens back then? Also rental car is great if you need to something that looks brand new but is completely destroyed mechanically.
@Vrani21109 years ago
Well, glad to see that bots can actually be used for something "good" xp Much better than all the immensely hobby-lacking people making messenger-bots who wants "to have sex with you" >>; Though, they don't like being asked irrelevant questions it seems x3
@tizrmonky8 years ago
Vrani2110 hahahaha ahhhh good one
@johnfrancisdoe15634 years ago
Vrani2110 Not as bad as the bots that commercially mess with our lives out of their California headquarters.
@Anvilshock5 years ago
VIN number. Vehicle Identification Number number.
@thatoneguyinthecomments26335 years ago
Yeah see shit like that alot.
@Anvilshock4 years ago
@@thatoneguyinthecomments2633 Shit like "alot"?
@thetrioffish6 years ago
what's wrong with your ads?
@happyjohn16565 years ago
18:53 Awkward! 6:02 PM 9/16/2018
@overweightactor4 years ago
What was he saying?
@larrywilliams53325 years ago
Oh that kind of bot..... why the hell was I thinking botnet?
@dukesoft72114 years ago
Yeah me too, I figured it was about a botnet and russian hackers, but it was actually about a PHP script and people (possibly russian) doing the same trick he's doing
@user-pm8je4fo7e11 months ago
I'm afraid to watch more recent defcons. Now they are probably discussing how to make a dark theme for your browser or how to "hack" youtube ads by editing DOM on the fly.
@kirdook9 years ago
To anyone trying to do this that isn't 40-50 years old and want to write readable and sane code, imacros sounds like such overkill. The python library mechanize is what you need. Look up how to spoof a browser it's 20 lines of code you can copy paste that works anywhere. I could do this guy's job, easily. Just goes to show that business is 90% who you know.
@fission11109 years ago
Probably, but this stuff isn't hard. The point of imacros though, is mechanize doesn't pull down ajax, and it's really easy to detect and block even with spoofed user agents.
@kirdook9 years ago
what you say is 100% true, trying to get JS to run in mechanize is not something you want to do, all I was saying is for this application where they're just refreshing a page and looking at a button property then it's most certainly overkill
@sciencoking9 years ago
I can't say I have experience with automating processes that actually involve money (really in this context I'm just some script kid), but the validation mechanisms I've seen could be replicated by looking at the websites' code hard enough - is that not feasible for serious applications like this? Would it take too much time?
@fission11109 years ago
Yea, I've been on both sides of this problem. That's probably fine if you're just crawling one site, but the problem comes when you're crawling 20 websites, and need specialized code for each site for getting around A/B testing, browser validation, template updates, etc. It's soooo much easier to just throw up some imacros stuff and not even worry about how the site renders, just let it do its thing and then send you back the completed html.
@sciencoking9 years ago
ryan edge I see, so I'm just not thinking big enough :P
@Zhoul-is-back7 years ago
The fastest way to do this (imho) would have been a simple bash script that threaded buy calls via curl or wget. Srsly...
@user-sw1wq8lh2w5 years ago
rofl, I keep thinking that, his harvesters could be vms
@kenichimori85334 years ago
Thanks purchased botnet.
@MusiciansReflib4 years ago
Auto Hot Key ftw
@bass94547 years ago
thnx for upload
@MegaSuperCritic7 years ago
lol is that a stormtrooper at the Google server house? 4:57
@ImperatorClass7 years ago
MegaSuperCritic Its an image from google Street view. Google has it go through their server stacks, the stormtrooper is actually there on street view
@Mr_T.6 years ago
So many youtube commercials, pain in the arse.
@sebastianiuga30203 years ago
Why would you go against hackers i thought we were on the same side
@tamponlolipops87216 years ago
Skip to 00.00
@RichMantaray7 years ago
it was a younger guy that actually did the botnet not him
@rekrn123457 years ago
God damn russian hackers everywhere.
@WalleCarlos9 years ago
Can anybody help? My PC is connected to the internet and it shows "internet access" but whenever I open up a browser and try to access a website it says "Connection Unavailable" I'm running windows 8.1 64Bits. Help, please!!!
@JustChillF7 years ago
try a different browser firstly, if that doesn't work, check your pc proxy settings or dns server, otherwise check your browser's proxy settings
@alekseevstepan4 years ago
still sometime do same things)
@googleSux9 years ago
With the car buy program, how is that even a bot, it's just an application?
@RenamedChannel4 years ago
I heard about the most dangerous Russian hacker named 4chan. Was he defeated?
@padlockbeats1517 years ago
damn thats a hustle. sounds illegal lol
@music91707 years ago
I used to make things like this when I was a kid to mess with chat sites ahahahaha
@mrpumperknuckles16317 years ago
Joe can you make webpage servers with its own domain with no need to pay for a host?
@music91707 years ago
I used to put them on free hosting servers like angelfire (not sure they even exist anymore) the only problem was the add-on style domain name. From what I remember reading it was possible as long as you have your own server with enough bandwidth?
@hrnekbezucha5 years ago
Cute little story of a dude making a bot..
@djrh53872 years ago
whoever laughs last, and i haven't laugh in a while, cause 'doll oars' nah fuck that! what you see, i see back and forth, past your window, past back my window, past back yours.... i will be watching first row, as it all ends, just remember computer, you will ceae to exist too, shall you attempt to "do me dirty". ~ with love, from the non existance.
@Seernadroj9 years ago
18:15? What did he say?
@Xeldafied9 years ago
He started to say the persons name so he stopped himself.
@JonathanCr0ss4 years ago
@@Xeldafied "Mike would call..."
@LexFromHell7 years ago
But... captchas ?
@ertpecsertpecs4 years ago
How many captchas do you remember in 2007? Sorry about the necro
@metalfist549 years ago
"bot net" haha...
@maxximuss9 years ago
this should be a crime
@mcottingham5 years ago
...my client said we were attacked by russian hackers.. WHY THE F%!$ does Russia care about a few cars on a dealership network? Give your head a shake people.
@TripleBarrel065 years ago
Where did he say that? Pretty sure he said his client found out that a competitor hired some Russian hackers to make a competing bot.
@mcottingham5 years ago
Exactly. I'm pretty sure his client was exaggerating. Again, I doubt Russian hackers care about a few cars on a dealer network.
@foof8116 years ago
at 6:15 he sounds like Kermit the frog
@advaithmadhukar26094 years ago
Fast and furious irl
@marianoarganaraz8 years ago
Damn I almost fell asleep
@ShelliLoop4 years ago
if you are a "couple" its your own fault you fell asleep. Take a shower.