P

Pupper

Welcome to my blog, where I reveal my deepest darkest secrets (maybe)

A Hacker's Black Friday/Cyber Monday

Black Friday has become the single largest shopping holiday in the west, even overtaking Boxing Day in Canada.

Most people go into this weekend with Amazon, Walmart, or (god forbid) physical retail shopping in mind. I prefer to kick back and lurk for online deals. Here's my list of stuff you might be interested in if you're like me.

DISCLAIMER: the hyperlinks provided all lead to the American versions of each respective site. Make sure you visit the correct store site for your country. I am also aware that this article is over a week early.

Internet Goods

Throughout the year, I get into conversations about the services I use. Often times people ask me how I manage to get them for so cheap. Well, my secret is buying everything on black friday/cyber monday.

Almost every online service that you can name has a sale around this time. These are all my personal favourite services for hackers/developers/privacy gurus:

Note: * indicates that the service also has a free tier.

  • Namecheap - Park all those domains you've been secretly thinking about getting.
  • OVH - 20-50% off 12-month VPSes. Snag a few and use them for whatever (usually comes out to 3.50€/month).
    • Pro tip: don't get scammed by lesser-known hosting providers with super cheap "deals". I've had servers completely deleted by these types of providers, and I was even ghosted by customer support.
  • VPN Services - Most run Black Friday sales. Pick your provider of choice and see if you can snag a sweet deal for a year's subscription.
  • Protonmail* - 50% off pro plans, even if you're an existing paid user. I like Protonmail for their domain email hosting.
  • 33mail* - Catchall email without your own domain. Last year they offered 50% off if you paid with bitcoin.
  • Shodan* - Lifetime individual membership for $5, down from $49. I got mine a couple years ago and still use it to this day
  • Standard Notes* - 50% off a 5-year subscription. This is the best notes app in the game (for privacy/security), if you haven't already heard.
  • Charles Proxy - 30% off licenses (normally $50). Basically a system-wide proxy for traffic analysis/fuckery.

Hardware

I should preface this section by saying that I'm a homelabber and a data hoarder. This is by no means a "build your own PC" sale index (go to /r/buildapcsales for that).

  • Hak5 - Discounts on all devices (ranging from -$10 to -$90) as well as books and other stuff you didn't want.
  • Hacker Boxes - 20-25% off cool hacker care packages.
  • Newegg - The internet's favourite source for PC parts/accessories year round.
    • Great deals for: monitors, SSDs, and CPUs/GPUs (especially AMD)
  • Tiger Direct - Basically newegg--; when it comes to sales and customer support, but they tend to have a similar inventory.
  • eBay - Find basically any computer part in existence. Every Black Friday I buy at least 1 thing from eBay, usually used/refurbished things from reputable sellers.
    • If you want a cheap laptop for your homelab, check out the ThinkPad X220/X230 and T420/T430.
  • Best Buy - I shop at BestBuy for one thing and one thing only: WD EasyStores.

Books/Resources

  • No Starch Press - The best hacker books in the game (exploitation, programming, etc.). Last year they ran a 42% discount.
  • Pragmatic Bookshelf - Books on programming, data structures, and more computer science-y topics. 40% off.
  • LibGen - Download any ebook for 100% off!

Other Stuff

Things that don't fit into the other categories, but I that still wanna recommend.

  • Stickermule - This is where I print my stickers, and they tend to have some pretty good sales.
    • Pro tip: get some stickers for your own logo/pfp/whatever. They're the new business cards, haven't ya heard?

Hopefully this information will aid you in your Black Friday endeavours. Don't forget to stay safe!

~Pupper

 
P.S. let me know if I missed anything by emailing your suggestions to blog[at]pupp3r.net

TraceLabs CTF @ BSidesTO 2019

This past weekend, my local meetup group and I attended BSides Toronto. The main event, for us at least, was the Trace Labs OSINT CTF for missing persons.

OSINT CTF? WTF?

For the uninitiated, Trace Labs is an open source intelligence (OSINT) collective who aims to use OSINT to solve real world problems. Most of their events so far revolve around solving missing persons cases. These come in the form of capture the flag (CTF) events, where teams are given 8 subjects and they compete to find the most/best info on whoever they can.

Unlike traditional CTFs where teams solve prepared challenges to get a single deterministic flag, the "flags" for these OSINT CTFs are pieces of information about the subjects. You submit your findings to a board of judges, who then assign varying point values based on the usefulness of the information.

The Event

If you read my last blog entry, you'll know that the running plan was to take the victory at BSides. Fortunately, all went according to plan and we actually won the CTF!

This was my 3rd time attending an IRL Trace Labs event. The team was myself, v01dwalk, Theodore, and 647ninja. At the last event, we didn't have 647ninja and came in 4th place, so he definitely gave us that push we needed to get to the top.

The Targets

The 8 targets for this CTF were absolute ghosts when it came to online presence. Normally, I'm accustomed to a bit of social media presence from at least 1 or 2 of the subjects. This time around, the cases were very difficult. All of them were local Toronto/GTA cases, with some being as many as 4 years old and still unsolved. This meant we had to rethink our approach.

For the first 2-3 hours, very little was found by any of the teams. We began to doubt whether we would find any information at all. The search was extended from the targets themselves to family members and any identifiable friends. We found a couple hits, but almost everything we found wouldn't lead to other findings. The same seemed to be the case for other teams, with many of the scores hitting plateaus for several hours.

At one point, we looked at a YouTube video provided in the case information of one subject. We initially glossed over the video since it didn't provide any useful information, but after revisiting the video, we noticed something about the channel: the uploader was actually a friend of the target. This obviously led to us fuzzing through the entire channel's contents, and oh was there ever some information in there.

We found out that the target was a scrap metal thief who worked for a local "company" that sold scrap metal. Much to his own detrement, his friend recorded almost everything they did and put it up on YouTube. This included them stealing copper pipes, loading them onto trucks, and random other videos of them visiting places like coffee shops.

The Findings

We pulled a license plate off the target's truck in one of the videos, which the police then used to get the address of its registered owner (did I mention the Toronto Police were involved in the CTF?). Interestingly enough, they actually sent a cruiser to the location during the CTF to see if they could find the suspect. No dice, but they said they'd let us know if/when they found him.

Conclusion

I'm glad we were able to help the cops get closer to finding someone. As frustrating as it was that most of the targets were unfindable, at least we can say we did something good. It's also pretty cool that the Toronto Police Cyber Division now knows who Microwave Gang is. Who knows... maybe we'll all be private investigators in a few years.

Also, if you want more information on Microwave Gang, check out our team page here.

~ Pupper

Hello, World!

My blog is now officially nonempty! I guess I should introduce myself...

My name's Pupper (or pupp3r or Nervous Pupper). I'm a hacker/webdev based in Toronto and I spend way too much time lurking in various corners of the internet.

By Day

I'm a university student and full stack web developer. I work full time at my job during the summer, and part time when I'm in school.

By Night

I'm a hobbyist hacker, CTF participant, conference goer, and cool project maker.

CTF-wise, my favourite events are the OSINT CTFs held by Trace Labs here in Toronto. At their last local CTF, my team and I came in 4th place after being 1st with only 25 minutes to go. The next one is at BSidesTO, but this time we plan on winning (stay tuned to see how that goes).

As for conferences, I've only been to a couple thus far. I went to DEF CON 27 this year, which got me completely hooked on hacker culture and further solidified my decision to make a career in the security field. I'll also be going to BSides and SecTor here in Toronto.

Some local hacker friends and I also run biweekly meetups here in Toronto. These tend to be the highlight of my otherwise boring week. We bring beer, hang out, show off new devices/hacks/projects, blast some 1337 tunes, and do CTFs. We're open to all skill levels and all ages, although generally you should be 18+.

Now for the "cool projects" part, you'll just have to check out the projects section of my main website.

Let's get in touch

Just kidding... I don't share my online accounts with random blog visitors. If you know me from elsewhere then you already know where to hit me up.

If you're new or you found my site on a sticker in public, shoot me an email at blog[at]pupp3r.net (especially if you're in the Toronto area). I'm always down to chat with new people, but I don't like linking all my online accounts in one place.

Anyway, thanks for checking out my blog. I don't really have an objective with this thing yet... I'll just write about whatever I find interesting.

~Pupper