MoreRSS

site iconHackerNoonModify

We are an open and international community of 45,000+ contributing writers publishing stories and expertise for 4+ million curious and insightful monthly readers.
Please copy the RSS to your reader, or quickly subscribe to:

Inoreader Feedly Follow Feedbin Local Reader

Rss preview of Blog of HackerNoon

A Pentester Took Apart a Website’s Code to Prove It Was Totally Pointless

2024-12-07 01:00:16

The other day I came across a service that verified the signature of requests on the server side. It was a small online casino, which for every request checked some value sent by the user from the browser. Regardless of what you were doing in the casino: placing a bet or making a deposit, an additional parameter in each request was the value “sign”, consisting of a set of seemingly random characters. It was impossible to send a request without it - the site returned an error, and it prevented me from sending my own custom requests.

\ Had it not been for this value, I would have left the site at that moment and never thought of it again. But, against all odds, it wasn't the sense of quick profit that made me excited, but rather the research interest and challenge that the casino was giving me with its fool-proofing.

\ Regardless of the purpose the developers had in mind when they added this parameter, it seems to me that it was a waste of time. After all, the signature itself is generated on the client side, and any client-side action can be subject to reverse-engineering.

\ In this article, I will discuss how I managed to:

  1. Resolve the request signature generation algorithm
  2. Write my own extension for Burp Suite that automates all the dirty work

\ This article will teach you how to save your precious time and reject useless solutions if you are a developer who is interested in doing secure projects. And if you are a pentester, after reading this article, you can learn some useful lessons on debugging as well as programming your own extensions for the Swiss Knife of security. In short, everyone is on the plus side.

\ Let's finally get to the point.

Ariadne's thread: unraveling the signature algorithm

\ So, the service is an online casino with a set of classic games:

  • Plinko — a game where players drop a ball from the top of a peg-filled board, watching it bounce down to land in a slot with a win or lose value;
  • Tickets — players purchase lottery tickets with a set of numbers and win if their numbers match the randomly drawn numbers;
  • LiveDealers — online casino games conducted by real dealers in real-time, allowing players to watch and interact via video stream.
  • Double — a simple game where players bet on whether the next card will be higher or lower than the current card.
  • Crash — players bet and watch a multiplier increase, aiming to cash out before the multiplier crashes;
  • Nvuti — players bet on whether a number will fall below or above a certain interval;
  • Slots — casino games where players spin reels with symbols and win if certain combinations appear on the screen.

\ Interaction with the server works entirely on the basis of HTTP requests. Regardless of the game you choose, every POST request to the server must be signed - otherwise the server will generate an error. Signing requests in each of these games works on the same principle - I'll take only one game to investigate so that I don't have to do the same job twice.

\ And I'm going to take a game called Dragon Dungeon.

\ The essence of this game is to choose the doors in the castle sequentially in the role of a knight. Behind each door hides either a treasure or a dragon. If the player comes across a dragon behind a door, the game stops and he loses money. If the treasure is found - the amount of the initial bet increases and the game continues until the player takes the winnings, loses or passes all levels.

\ Before starting the game, the player must specify the amount of the bet and the number of dragons.

\ I enter the number 10 as the sum, leave one dragon and look at the request that will be sent. This can be done from the developer tools in any browser, in Chromium the Network tab is responsible for this.

\ Here you can also see that the request was sent to the /srv/api/v1/dungeon endpoint.

\ The Payload tab displays the request body itself in JSON format

\ The first two parameters are obvious - I chose them from the UI; the last one, as you might guess, is timestamp or the time that has passed since January 1, 1970, with the typical Javascript precision of milliseconds.

\ That leaves one unsolved parameter and, - and that's the signature itself. In order to understand how it is formed, I go to the Sources tab - this place contains all the resources of the service that the browser has loaded. Including Javascript, which is responsible for all the logic of the client part of the site.

\

\ It is not so easy to understand this code - it is minified. You can try to deobfuscate it all - but it is a long and tedious process that will take a lot of time (considering the amount of source code), I am not ready to do it.

\ The second and simpler option is to simply find the necessary part of the code by a keyword and use the debugger. That's what I will do, because I don't need to know how the whole site works, I just need to know how the signature is generated.

\ So, to find the part of the code that is responsible for generating the code, you can open a search through all the sources using the CTRL+SHIFT+F key combination and look for the assignment of a value to the sign key that is sent in the request.

\ Fortunately, there is only one match, which means I'm on the right track.

\ If you click on a match, you can get to the code section where the signature itself is generated. The code is obfuscated as before, so it is still difficult to read.

\ Opposite the line of code I put a breakpoint, refresh the page and make a new bid in “dragons” - now the script has stopped its work exactly at the moment of signature formation, and you can see the state of some variables.

\ The called function consists of one letter, the variables too - but no problem. You can go to the console and display the values of each of them. The situation starts to become clearer.

\ The first value I output is the value of the variable H, which is a function. You can click on it from the console and move to the place where it is declared in the code, below is the listing.

\ This is a pretty big snippet of code where I saw a clue - SHA256. This is a hashing algorithm. You can also see that two parameters are passed to the function, which hints that this may not just be SHA256, but HMAC SHA256 with a secret.

\ Probably the variables that are passed here (also output to the console):

  • string 10;1;6693a87bbd94061678473bfb;1732817300080;gRdVWfmU-YR_RCuSkWFLCUTly_GZfDx3KEM8 - directly the value to which the HMAC SHA256 operation is applied.
  • 31754cff-be0f-446f-9067-4cd827ba8707 is a static constant that acts as a secret

\ To make sure of this, I call the function and get the assumed signature

\ Now I go to the site that counts HMAC SHA256 and pass values into it.

\ And comparing it to the one that was sent in the request when I placed the bid.

\ The result is identical, which means that my guesses were correct - it really uses HMAC SHA256 with a static secret, which is passed a specially formed string with the rate, number of dragons and some other parameters, which I will tell you about further on in the course of the article.

\ The algorithm is quite simple and straightforward. But it's still not enough - if it was a goal within a work project for pentest to find vulnerabilities, I would need to learn how to send my own queries using Burp Suite.

\ And this definitely needs automation, which is what I'm going to talk about now.

Is it even necessary to write your own extension?

I have figured out the algorithm of signature generation. Now it's time to learn how to generate it automatically in order to abstract away all the unnecessary stuff when sending requests.

\ You can send requests using ZAP, Caido, Burp Suite, and other pentest tools. This article will focus on Burp Suite, as I find it to be the most user-friendly and almost perfect. Community Edition can be downloaded for free from the official site, it is enough for all experiments.

\ Out of the box Burp Suite does not know how to generate HMAC SHA256. Therefore, in order to do this, you can use extensions that complement Burp Suite's functionality.

\ Extensions are created both by community members and by the developers themselves. They are distributed either through the built-in free BApp Store, Github, or other source code repositories.

\ There are two paths you can take:

  1. Use an off-the-shelf extension from the BApp Store
  2. Write your own extension

\ Each of these paths has its pros and cons, I will show you both.

Getting to know Hackvertor

The method with a ready-made extension is the easiest. It is to download it from the BApp Store and use its features to generate a value for the sign parameter.

\ The extension I used is called Hackvertor. It allows you to use XML like syntax so that you can dynamically encode/decode, encrypt/decrypt, hash various data.

\ In order to install it, Burp requires:

  1. Go to the Extensions tab

  2. Type Hackvertor in the search

  3. Select the found extension in the list

  4. Click Install

    \

\ Once it is installed, a tab with the same name will appear in Burp. You can go to it and evaluate the capabilities of the extension and the number of available tags, each of which can be combined with each other.

\ To give an example, you can encrypt something with symmetric AES using the tag <@aes_encrypt('supersecret12356','AES/ECB/PKCS5PADDING')>MySuperSecretText<@/aes_encrypt>.

\ The secret and algorithm are in brackets, and between the tags is the text itself to be encrypted. Any tags can be used in Repeater, Intruder and other built-in Burp Suite tools.

\

\ With the help of Hackvertor extension you can describe how a signature should be generated at the tag level. I'm going to do it on the example of a real request.

Using Hackvertor in combat

So, I make a bet in Dragon Dungeon, intercept the same request I intercepted at the beginning of this article with Intercept Proxy, and stress it into Repeater to be able to edit it and resubmit it.

\ Now in place of the ae04afe621864f569022347f1d1adcaa3f11bebec2116d49c4539ae1d2c825fc value, we need to substitute the algorithm to generate HMAC SHA256 using the tags provided by Hackvertor.

\ Формула генерации у меня получилась следующая <@hmac_sha256('31754cff-be0f-446f-9067-4cd827ba8707')>10;1;6693a87bbd94061678473bfb;<@timestamp/>000;MDWpmNV9-j8tKbk-evbVLtwMsMjKwQy5YEs4<@/hmac_sha256>.

\ Consider all the parameters:

  • 10 - bet amount
  • 1 - number of dragons
  • 6693a87bbd94061678473bfb - unique user ID from MongoDB database, I saw it while analyzing the signature from the browser, but I didn't write about it then. I was able to find it by searching through the contents of the queries in Burp Suite, it comes back from the /srv/api/v1/profile/me endpoint query.

\

  • <@timestamp/>000 - timestamp generation, the last three zeros refines the time to milliseconds

  • MDWpmNV9-j8tKbk-evbVLtwMsMjKwQy5YEs4 - CSRF token, which is returned from /srv/api/v1/csrf endpoint, and substituted in each request, in X-Xsrf-Token header.

  • <@hmac_sha256('31754cff-be0f-446f-9067-4cd827ba8707')> and <@/hmac_sha256> - opening and closing tags for generating HMAC SHA256 from the substituted value with the secret as a constant 31754cff-be0f-446f-9067-4cd827ba8707.

\ Important to note: the parameters must be connected to each other via ; in strict order, - otherwise the signature will be generated incorrectly - as in this screenshot where I have swapped the rate and the number of dragons

\

\ That's where all the magic lies.

\ Now I make a correct query, where I specify the parameters in the correct order, and get information that everything was successful and the game started - this means that Hackvertor generated a signature instead of a formula, substituted it into the query, and everything works.

\

\ However, this method has a significant disadvantage - you can't get rid of manual work completely. Every time you change the rate or number of dragons in JSON, you have to change it in the signature itself to make them match.

\ Also, if you send a new request from the Proxy tab to Intruder or Repeater, you have to re-write the formula, which is very, very inconvenient when you need many tabs for different test cases.

\ This formula will also fail in other queries where other parameters are used.

\ So I decided to write my own extension to overcome these disadvantages.

Discover all the magic of Burp with your extension

Initial settings

You can write extensions for Burp Suite in Java and Python. I will use the second programming language as it is simpler and more visual. But you need to prepare yourself beforehand: first you need to download Jython Standalone from the official website, and then the path to the downloaded file in Burp Suite settings.

\

\ After that, you need to create a file with the source code itself and the extension *.py.

\ I already have a billet that defines the basic logic, here are its contents:

\ Everything is intuitively simple and straightforward:

  • getActionName - this method returns the name of the action to be performed by the extension. The extension itself adds a Session Handling Rule that can be flexibly applied to any of the requests, but more on that later. It is important to know that this name may be different from the extension's name, and that it will be selectable from the interface.
  • performAction - the logic of the rule itself, which will be applied to the selected requests, will be spelled out here

\ Both methods are declared according to the ISessionHandlingAction interface.

\ Now to the IBurpExtender interface. It declares the only necessary method registerExtenderCallbacks, which is executed immediately after loading the extension, and is needed for it to work at all.

\ This is where the basic configuration is done:

  • callbacks.setExtensionName(EXTENSION_NAME) - registers the current extension as an action to handle sessions
  • sys.stdout = callbacks.getStdout() - redirects the standard output (stdout) to the Burp Suite output window (the “Extensions” panel)
  • self.stderr = PrintWriter(callbacks.getStdout(), True) - creates a stream for outputting errors
  • self.stdout.println(EXTENSION_NAME) - prints the name of the extension in Burp Suite
  • self.callbacks = callbacks - saves the callbacks object as a self attribute. This is needed for later use of the Burp Suite API in other parts of the extension code.
  • self.helpers = callbacks.getHelpers() - also gets useful methods that will be needed as the extension runs

\ With the preliminary preparations done, that's it. Now you can load the extension and make sure that it works at all. To do this, go to the Extensions tab and click Add.

In the window that appears, specify

  • Extension type - Python, or the programming language in which the extension is written
  • Extension file - the path to the extension file itself.

\ And click Next.

\ If the source code file has been properly formatted, no errors should occur, and the Output tab will display the name of the extension. This means that everything is working fine.

A test of the pen

The extension loads and works - but all that was loaded was a wrapper without any logic, now I need the code directly to sign the request. I have already written it and it is shown in the screenshot below.

\ The way the whole extension works is that before the request is sent to the server, it will be modified by my extension.

\ I first take the request that the extension intercepted, and get the rate, and the number of dragons, from its body

json_body = json.loads(message_body)

amount_currency = json_body["amountCurrency"]
dragons = json_body["dragons"]

\ Next, I read the current Timestamp and get the CSRF token from the corresponding header

currentTime = str(time.time()).split('.')[0]+'100'

xcsrf_token = None
for header in headers:
    if header.startswith("X-Xsrf-Token"):
        xcsrf_token = header.split(":")[1].strip()

\ Next, the request itself is signed using HMAC SHA256

hmac_sign = hmac_sha256(key, message=";".join([str(amount_currency), str(dragons), user_id, currentTime, xcsrf_token]))

\ The function itself and the constants denoting the secret and the user ID were pre-declared at the top

def hmac_sha256(key, message):
    return hmac.new(
        key.encode("utf-8"), 
        message.encode("utf-8"), 
        hashlib.sha256
    ).hexdigest()

key = "434528cb-662f-484d-bda9-1f080b861392"
user_id = "zex2q6cyc4ba3gvkyex5f80m"

\ Then the values are written to the request body and converted to JSON

json_body["sign"] = hmac_sign
json_body["t"] = currentTime

message_body = json.dumps(json_body)

\ The final step is to generate a signed and modified request and send it to

httpRequest = self.helpers.buildHttpMessage(get_final_headers, message_body)
baseRequestResponse.setRequest(httpRequest)

\ That's all, the source code is written. Now you can reload the extension in Burp Suite (it should be done after each script modification), and make sure that everything works.

Testing the new rule in action

But first you need to add a new rule for processing requests. To do this, go to Settings, to the Sessions section. Here you will find all the different rules that are triggered when sending requests.

\ Click Add to add an extension that triggers on certain types of requests.

\ In the window that appears, I leave everything as it is and select Add in Rule actions

\

\ A drop-down list will appear. In it, select Invoke a Burp extension.

\ And specify for it the extension that will be called when sending requests. I have one, and it is Burp Extension.

After selecting the extension, I click OK. And I go to the Scope tab, where I specify:

  • Tools scope - Repeater (the extension should trigger when I send requests manually through Repeater)

  • URL Scope - Include all URLs (so that it works on all requests I send).

    \

It should work like in the screenshot below.

\ After clicking OK, the extension rule appeared in the general list.

\ Finally, you can test everything in action! Now you can change some query and see how the signature will dynamically update. And even though the query will fail, it will be because I chose a negative rate, not because there is something wrong with the signature (I just don't want to waste money 😀). The extension itself works and the signature is generated correctly.

\

Bringing it to perfection

Everything is great, but there are three problems:

  1. The CSRF token is taken from the header. Generally it should be disposable, but probably here it has a lifetime (or not, which is wrong). In any case, it would be more correct to make a separate request itself to get a new one and update it. 2- A predefined user ID is used. If I want to check IDOR on this service, my previous script will become invalid for another user, since the ID is hardcoded.
  2. Different queries can have different parameters. And the scheme that was described for the script initially will be valid only for Dungeon Dragons, and no other. And I would like to be able to edit and send any request.

\ To solve this, we need to add two additional requests, which can be done by the built-in Burp Suite library, instead of any third-party ones, instead of requests.

\ To do this, I've wrapped some standard logic to make the queries more convenient. Through Burp's standard methods, the interaction with queries is done in pleintext.

def makeRequest(self, method="GET", path="/", headers=None, body=None):
    first_line = method + " " + path + " HTTP/1.1"
    headers[0] = first_line

    if body is None:
        body = "{}"

    http_message = self.helpers.buildHttpMessage(headers, body)
    return self.callbacks.makeHttpRequest(self.request_host, self.request_port, True, http_message)

\ And added two functions extracting the data I need, CSRF token, and UserID.

def get_csrf_token(self, headers):
    response = self.makeRequest("GET", "/srv/api/v1/csrf", headers)
    message = self.helpers.analyzeRequest(response)

    raw_headers = str(message.getHeaders())
    match = re.search(r'XSRF-TOKEN=([a-zA-Z0-9_-]+)', raw_headers)
    return match.group(1)

def get_user_id(self, headers):
    raw_response = self.makeRequest("POST", "/srv/api/v1/profile/me", headers)
    response = self.helpers.bytesToString(raw_response)

    match = re.search(r'"_id":"([a-f0-9]{24})"', response)
    return match.group(1)

\ And by updating the token itself in the sent headers

def update_csrf(self, headers, token):
    for i, header in enumerate(headers):
        if header.startswith("X-Xsrf-Token:"):
            headers[i] = "X-Xsrf-Token: " + token
        return headers

\ The signature function looks like this. Here it is important to note that I take all the custom parameters that are sent in the request, add the standard user_id, currentTime, csrf_token to the end of them, and sign them all together using ; as a separator.

def sign_body(self, json_body, user_id, currentTime, csrf_token):
    values = []
    for key, value in json_body.items():
        if key == "sign":
            break
        values.append(str(value))

    values.extend([str(user_id), str(currentTime), str(csrf_token)])
    return hmac_sha256(hmac_secret, message=";".join(values))

\ The main floo got reduced to a few lines:

  1. CSRF token and UserID acquisition is performed
  2. Timestamp is calculated and a signature is generated based on all parameters. It is important to note here that I am using OrderedDict which generates the dictionary in a rigid sequence as it is important to preserve it while signing.
  3. The final body of the request is generated and it is sent onward
csrf_token = self.get_csrf_token(headers)
final_headers = self.update_csrf(final_headers, csrf_token)
user_id = self.get_user_id(headers)
currentTime = str(time.time()).split('.')[0]+'100'

json_body = json.loads(message_body, object_pairs_hook=OrderedDict)
sign = self.sign_body(json_body, user_id, currentTime, csrf_token)

json_body["sign"] = sign
json_body["t"] = currentTime

message_body = json.dumps(json_body)

httpRequest = self.helpers.buildHttpMessage(final_headers, message_body)
baseRequestResponse.setRequest(httpRequest)

\ A screenshot, just to be sure

\ Now, if you go to some other game where custom parameters are already 3 instead of 2, and send a request, you can see that it will be sent successfully. This means that my extension is now universal and works for all requests.

\ Example of sending a request for account replenishment

Conclusion

Extensions are an integral part of Burp Suite. Often services implement custom functionality that no one else but you will write in advance. That's why it's important not only to download ready-made extensions, but also to write your own, which is what I tried to teach you in this article.

\ That's all for now, improve yourself and don't get sick.

Link to source code of the extension: *click*.

Sankalp Kumar: Safeguarding Millions Through Cybersecurity Innovation

2024-12-07 01:00:13

\ The modern world is more interconnected than ever, with personal computers and mobile devices transforming how we communicate and interact. The Internet has seamlessly woven itself into the fabric of our daily lives, enabling experiences that once seemed impossible.

\ While this evolution of the internet has brought undeniable benefits, it has also opened the door to significant challenges. As these systems have gained popularity, the scale and sophistication of cyber threats targeting them have grown exponentially. Bad actors constantly seek vulnerabilities to exploit, posing risks to users’ sensitive data and privacy.

\ Amid this landscape, Sankalp Kumar has emerged as a pivotal figure in cybersecurity, particularly in securing communication technologies. Though much of his work happens behind the scenes, his expertise in adapting to rapidly changing technologies and evolving threats has made a profound impact.

\ Sankalp currently works as a Software Engineer in the industry, focusing on securing real-time systems that millions rely on every day. His journey in cybersecurity includes roles at major tech companies, where he designed and implemented advanced security frameworks for large-scale systems. His contributions have addressed critical challenges, such as enabling secure data transmission at lightning-fast speeds of up to 100Gbps, a feat that requires both technical ingenuity and a deep understanding of scalability.

\ Developing these cutting-edge solutions isn’t without its challenges. While automated defenses like virus detection and communication disruption are vital, they can only go so far in protecting end users. Sankalp’s expertise lies in building proactive, innovative systems that safeguard against the sophisticated threats facing modern real-time platforms.

\ His achievements have earned him a well-deserved reputation as a leading expert in cybersecurity. Beyond his technical acumen, Sankalp brings creativity and balance to his work. He is an accomplished actor and finds that performing helps him stay motivated and focused when navigating complex challenges. Additionally, he has contributed to numerous non-profit events and short films as an event manager, showcasing his versatility and commitment to collaboration.

Securing Systems at Scale

Focused on creating secure, scalable solutions, Sankalp’s work in cybersecurity addresses the unique challenges of safeguarding critical real-time systems. He emphasizes the importance of robust encryption and secure protocols while addressing potential vulnerabilities that could expose sensitive data. Leveraging his extensive background in cybersecurity and networking, he has developed strategies to combat sophisticated threats, such as zero-day vulnerabilities and advanced persistent threats. "I focus on developing secure, scalable solutions for critical systems, particularly in communication technology," Sankalp states, underlining the scope of his role in safeguarding critical infrastructures.

\ One major challenge Sankalp faces is balancing security with usability. In applications that are real-time, added latency or complexity from security features can disrupt the user experience—something unacceptable for millions of users. He also navigates the ever-evolving threat landscape, with attackers increasingly leveraging AI and machine learning to bypass defenses. “These challenges demand a proactive approach, constant learning, and leveraging cutting-edge technologies,” Sankalp notes. Global-scale systems add further complexity, requiring solutions that accommodate regulatory requirements and diverse environments.

\ To protect large-scale applications, Sankalp employs a comprehensive, scalable strategy. His “security by design” approach incorporates zero trust architecture, end-to-end encryption, and least privilege access. AI-powered threat detection, regular audits, and automated patch management ensure vulnerabilities are identified and addressed swiftly. Features like biometric authentication and single sign-on strike a balance between strong security and user-friendly design.

\ Sankalp’s commitment to continuous innovation ensures his frameworks adapt to emerging threats while maintaining reliability. Through robust incident response plans, scalable cryptography, and secure APIs, his systems provide dependable communication for millions of users worldwide.

Innovation in Internet Protocols

Sankalp has played a pivotal role in advancing security standards for internet protocols, particularly by adapting existing attack detection systems to protect HTTP/2. While HTTP/2 introduces innovative features like multiplexing and header compression, these enhancements pose new challenges for traditional security frameworks. Sankalp’s approach bridged this gap by enabling legacy systems to repurpose HTTP attack signatures for the newer protocol. “By enabling the system to use existing signatures designed for HTTP, we ensured that the newer protocol… received a similar level of robust protection,” he explains. This not only streamlined the adoption of HTTP/2 but also set a precedent for maintaining robust security without requiring entirely new detection architectures, thus establishing an industry benchmark.

\ In addition to enhancing protocol security, Sankalp excels at designing frameworks for real-time systems that demand both speed and security. To minimize latency while ensuring robust protection, he employs lightweight encryption algorithms such as ChaCha20 and AES-GCM. This allows data to be secured without introducing significant processing overhead. “Security measures are distributed across multiple layers—network, application, and endpoint—to avoid bottlenecks at any single point,” he notes, emphasizing the importance of multi-layered defenses. Non-critical operations, such as logging and analytics, are handled asynchronously, preserving system responsiveness even under heavy loads.

\ AI-driven threat detection systems further enhance the efficiency of these frameworks by identifying potential risks swiftly without impeding traffic flow. To handle sudden surges in activity, Sankalp integrates secure caching and load balancing, ensuring that both performance and encryption remain uncompromised. His methodology exemplifies how advanced security measures can coexist with high performance in real-time environments, addressing the unique demands of modern, high-traffic applications with precision and foresight.

Adapting to Emerging Cyber Threats

The cybersecurity landscape is increasingly challenged by sophisticated threats, including AI-driven attacks and the potential risks of undermining current cryptographic standards by future powerful computers. Adversaries are using machine learning to bypass defenses and create targeted phishing campaigns. “Additionally, the increasing use of IoT devices introduces vulnerabilities due to weak security standards and the sheer scale of interconnected systems,” Sankalp notes.

\ To counter these threats, Sankalp integrates AI and machine learning into threat detection systems, staying ahead of evolving attack techniques. For IoT security, Sankalp advocates for stricter standards, robust authentication, and scalable frameworks to address unique vulnerabilities. His proactive approach underscores the importance of adaptability and foresight.

\ Sankalp envisions a future where cybersecurity becomes more intelligent and adaptive, with AI and automation predicting and preventing attacks before they occur. “IoT security will become a major focus, with tighter regulations and stronger device-level protections,” he predicts. Drawing on his expertise in building resilient systems, Sankalp is committed to driving innovation and influencing industry standards to meet the demands of an evolving threat landscape. “I see myself playing a central role in shaping this future,” he states.

Building Strong Security Foundations

A robust security framework depends on several key components working in unison to provide comprehensive protection. According to Sankalp, strong identity management is foundational, with methods like multi-factor authentication and zero trust principles ensuring strict access control. “I prioritize identity management with multi-factor authentication and zero trust to control access,” he explains, emphasizing the importance of securing entry points against unauthorized users.

\ Proactive threat detection plays an equally critical role, leveraging AI and machine learning for real-time anomaly detection. This is complemented by signature-based systems to identify known threats effectively. For data protection, Sankalp highlights the use of encryption, scalable cryptographic solutions, and secure backups to safeguard against breaches or losses. “A well-defined incident response plan allows for swift containment and recovery,” he adds, noting that regular testing ensures these measures are always prepared for unexpected events. By tailoring the prioritization of these elements to a system’s specific risk profile, he ensures a security strategy that is both efficient and resilient.

Advice for Aspiring Cybersecurity Experts

Emphasizing a dual focus on technical expertise and strategic problem-solving, Sankalp highlights their importance for those entering the field of cybersecurity. He advises aspiring professionals to stay current with emerging technologies such as artificial intelligence, machine learning, and advanced encryption techniques, as these are integral to modern security systems. “Focus on mastering both technical skills and problem-solving,” he suggests, highlighting the need for a well-rounded skill set that combines deep technical knowledge with the ability to anticipate and address complex challenges.

\ Building a solid foundation in network security, threat detection, and incident response is equally crucial. Beyond technical skills, Sankalp underscores the value of a proactive mindset, urging professionals to “always anticipate potential threats and think one step ahead.” The fast-paced nature of cybersecurity demands continuous learning and adaptability, ensuring that practitioners can keep up with an ever-evolving threat landscape and emerging innovations in the field.

The HackerNoon Newsletter: The $XRP Comeback Was a Long Time Coming (12/6/2024)

2024-12-07 00:05:27

How are you, hacker?


🪐 What’s happening in tech today, December 6, 2024?


The HackerNoon Newsletter brings the HackerNoon homepage straight to your inbox. On this day, Slavery is Abolished in the United States in 1865, and we present you with these top quality stories. From Deadline Extended: 2 Weeks Left to Compete for $2,500 in the AI Writing Contest to The $XRP Comeback Was a Long Time Coming, let’s dive right in.

OpenAI Launches ChatGPT Pro: Is the $200 Monthly Subscription Worth It?


By @iamarsenibragimov [ 3 Min read ] Read More.

Author Your Own Adventure With These 5 Must-Try Free Tools


By @obyte [ 6 Min read ] Interactive fiction is an interesting way of storytelling where you, as the reader or player, get to make choices that affect how the story unfolds. Read More.

The $XRP Comeback Was a Long Time Coming


By @gleams [ 8 Min read ] Here are the four things I spotted Ripple doing right, even when every one was sleeping on the cryptocurrency. Read More.

Deadline Extended: 2 Weeks Left to Compete for $2,500 in the AI Writing Contest


By @hackernooncontests [ 3 Min read ] The AI Writing Contest deadline has been extended to December 16, 2024! Explore data collection for AI and LLM training, and compete for $2,500. Enter now! Read More.


🧑‍💻 What happened in your world this week?

It's been said that writing can help consolidate technical knowledge, establish credibility, and contribute to emerging community standards. Feeling stuck? We got you covered ⬇️⬇️⬇️


ANSWER THESE GREATEST INTERVIEW QUESTIONS OF ALL TIME


We hope you enjoy this worth of free reading material. Feel free to forward this email to a nerdy friend who'll love you for it.See you on Planet Internet! With love, The HackerNoon Team ✌️


OpenAI Launches ChatGPT Pro: Is the $200 Monthly Subscription Worth It?

2024-12-06 23:37:57

OpenAI has recently announced a new subscription plan called ChatGPT Pro, priced at $200 per month. This plan includes access to the advanced o1 model, which now supports images and has improved skills in mathematics and coding. As someone who has been following these developments closely, here are my thoughts on this new offering.

\

Exciting Updates with the o1 Model

I think it's really cool that OpenAI is making progress again. Recently, there were concerns that AI development had hit a plateau because it required much more power for even small breakthroughs. With the new o1 model, these fears are eased. The o1 model's ability to handle images and perform better in math and coding is impressive. It shows that AI is still advancing and becoming more capable.

\

Is ChatGPT Pro Worth the $200 Monthly Fee?

The price of $200 per month for ChatGPT Pro seems reasonable to me. There will definitely be people who are willing to pay this without hesitation. However, the big question is whether the service is good enough to keep subscribers. Some online reviews mention that ChatGPT Pro is about 11% better in coding compared to the standard version. But considering it's usually 10 times more expensive than the regular subscription, it might not be the best deal for everyone. For some, a cheaper alternative like Claude 3.5 might be more appealing. I'm waiting to see what the first users have to say before making a final judgment.

\

Benefits of the o1 Pro Mode

Access to the o1 pro mode is a major plus for users who work with more complex queries. I believe this will have a positive impact, especially for those in scientific fields like math, physics, chemistry, and medicine. With more powerful reasoning capabilities, the o1 pro mode can help achieve breakthroughs and solve difficult problems more efficiently.

\

o1 Model Now Available to All Paid Users

Finally, OpenAI decided to make the o1 model available to all paid users and move it out of the preview stage. I'm really excited about this change and can't wait to try it out. It's great to see OpenAI making advanced models more accessible, allowing more people to benefit from their capabilities.

\

New Features: Voice Module and Better Responses

ChatGPT Pro also offers unlimited access to the voice module and improved answers to complex questions. However, I'm not sure how many users will regularly use the unlimited voice feature. It might be useful for some, but it may not be a deciding factor for everyone.

\

Rumors of a $2,000 Monthly Subscription

There are also rumors about a $2,000 per month subscription. I can see this being a reality for professional, governmental, and scientific users. It would be something between the regular web version and API access, possibly providing access to AGI (Artificial General Intelligence) that can work on tasks for hours. This higher-tier subscription could be very valuable for those who need advanced AI capabilities for their work.

\ Conclusion

OpenAI's ChatGPT Pro offers exciting new features and improved models like o1, but the high price tag may limit its appeal to a broader audience. It will be interesting to see how users respond and whether the benefits justify the cost. For those who need advanced AI for complex tasks, ChatGPT Pro could be a great investment. However, others might prefer sticking with more affordable options until they see more feedback from early adopters.

Is Bitcoin’s Bull Market Closer to the End Than You Think?

2024-12-06 23:23:15

Analysts have come up with all sorts of data models and metrics to predict Bitcoin’s major cycles and peaks. Most of them predict lofty prices and bull markets that will last at least another year or more.

\ One metric suggests they might be wrong.

\ Let’s look at the Realized Cap HODL Waves, which splits holders into bands based on how long they’ve held their Bitcoins without moving them, then weighs each cohort by the price of those Bitcoins.

\ It’s the classic HODL waves plus a filter to weed out dead or lost Bitcoins.

Supercycle? HODL your horses

When you look at the wave for those who bought within one month or less, you see today’s peak inches closer to the long-term trendline of major market peaks.

While we have room to go higher, today’s number could be off by 20% or more. We could be a lot closer than you think.

\ Reason to panic?

\ No. Just another sign of the times.

\ 1–3 month HODLers trended down as price went up, suggesting heavy selling from this cohort (again, possibly off by 20% or more in absolute terms).

Meanwhile, last week’s drop in long-term HODLers has accelerated. “Diamond hands” and bear market stalwarts have decided “fiat” isn’t as bad as they thought.

A Caveat

As with all metrics that say “realized” or “short-term” in their title, you have to fudge the numbers to account for the Wall Street ETFs.

\ Those ETFs can buy or sell any token at any time, independent of when their clients buy or sell their funds. When Bitcoins move in and out of those funds, they don’t necessarily reflect the intent of the person buying and selling. As such, the related on-chain metric loses its significance.

\ At roughly 20% of the total volume on any given day, those ETFs account for no small portion of the on-chain activity. The problem will get worse over time.

\ While you can’t compare today’s numbers with numbers from before January 2024, you can assume this metric still catches the general direction of behaviors. Good enough for us.

No cause for concern . . . yet

Does this mean you need to sell?

\ That’s a personal decision. I’m not doing that.

\ These charts reflect a single dimension of human behavior. Markets are far more complex.

\ That said, dismiss this information at your peril. Combined with other trends and behaviors we’ve seen in recent weeks, it’s enough to get you to rethink your assumptions about banana zones and never-ending bull markets.

\ I look at other trends, behaviors, and strategic considerations in the November 27, 2024, market update of my newsletter, Crypto is Easy.

https://cryptoiseasy.beehiiv.com/p/market-update-november-27-2024?embedable=true


Mark Helfman publishes the Crypto is Easy newsletter. He is also the author of three books and a top Bitcoin writer on Medium and Hacker Noon. Learn more about him in his bio and connect with him on Tealfeed.

MEXC Bolsters Its Market Presence In Vietnam At VTIS 2024

2024-12-06 21:20:13

Seychelles, December 6, 2024 – Global leading digital asset trading platform MEXC participated in the Vietnam Tech Impact Summit (VTIS) 2024, held from December 3-4 at the Vietnam National Convention Center in Hanoi. Co-hosted by Vietnam Securities Group SSI and fintech firm FPT, the summit focused on cutting-edge sectors such as AI, Fintech, Blockchain, and Gaming, attracting industry leaders, innovative enterprises, and tech experts from around the globe.

\ During the summit, MEXC’s Vietnam team showcased its years of dedicated efforts in the local market. The MEXC booth drew a crowd of local KOLs and crypto enthusiasts eager to exchange insights and explore the latest industry trends. Una, Vietnam Country Manager of MEXC, highlighted the platform’s key strengths, including access to over 3,400 trading pairs, zero trading fees, and daily airdrops, which collectively enhance the user experience.

\ She also emphasized MEXC’s industry-leading liquidity ecosystem, supported by 30 million global users, cutting-edge technology, and top-tier liquidity providers, making it the platform of choice for both traders and project teams.

\ MEXC Vice President Tracy further elevated the platform’s presence by sharing her insights on Vietnam’s blockchain market in exclusive interviews with VTV Money and VTV1. She recognized Vietnam as a vital digital asset market in Southeast Asia, lauding its robust innovation capabilities and rapidly expanding blockchain ecosystem.

\ Tracy also addressed challenges such as market saturation and security risks, highlighting MEXC’s ability to swiftly identify high-potential projects and leverage AI-driven data analytics to help users seize opportunities in a competitive market.

\ MEXC’s unwavering commitment to the Vietnam market underscores its confidence and dedication to fostering local growth. Through its active participation in VTIS 2024, MEXC strengthened its relationships with local KOLs and users while reinforcing its position as a global leader in the crypto industry. Moving forward, MEXC aims to continue supporting innovation and development in Vietnam, collaborating with the local community to drive the adoption of digital assets and cryptocurrencies.

About MEXC

Founded in 2018, MEXC is committed to being "Your Easiest Way to Crypto". Serving over 30 million users across 170+ countries, MEXC is known for its broad selection of trending tokens, frequent airdrop opportunities, and low trading fees.

\ Our user-friendly platform is designed to support both new traders and experienced investors, offering secure and efficient access to digital assets. MEXC prioritizes simplicity and innovation, making crypto trading more accessible and rewarding.

Official WebsiteXYouTubeTikTokFacebook

:::tip This story was distributed as a release by Btcwire under HackerNoon’s Business Blogging Program. Learn more about the program here

:::

\n