Q&A For Dummies: For Govts/LEs/Police/Solicitors/CXOs

Post date: Nov 16, 2011 3:06:14 PM

Hi dudes,

I am going to write about it for law enforcement, police and dummies who want to challenge us. It is the only way to "educate" them well on how to respect research, security, hacking and education as well as one's capability.

Q: VXRL is a registered group?

A: Yes, of course, please check it with HK Police Force!

Q: VXRL is a hacking and research group? Hacking means criminal!

A: If you take the word "hacking" to mean criminal activities, let me clarify it again. Hacking is all about thinking out shortcuts in a creative way, modifying functions in ways which may not be expected by the original designers, and having fun. Ethical people and teams like us will show Proof-of-Concept bypassing/attack techniques to the public/professionals/vendors so as to educate them to fix or avoid them; attackers will manipulate those vulnerabilities to do bad things, and they never hold seminars before an attack.

For example, Blackhat (www.blackhat.com) is the well-known security and hacking conference; DoD and FBI have supported their event and their staff joined their training as well, do you know that, dummies? If you don't know about attack and offense, how do you know the ways to defend and investigate? ;-)

Reference: http://whatishacking.org/

I hope you should not put an equal sign between "Hacking/Hacker" and "Attacker/Criminal/Illegal".

Q: What did and will VXRL do?

A: We have provided free or not free training/seminar/workshop to the following institutions:

1. Hong Kong Police Force and other police from various countries

2. IT Audit course for MSc Information System and Operation Management programme in HKUST

3. Internet Infrastructure Security for BSc Computing in HK Polytechnic University

4. IT audit course for BBA students in HKUST

5. Present at HTCIA Asia Pacific Conference (http://2011.htcia.org.hk) and Clean PC Day in both HK and Macau

6. Present and publish research in Blackhat USA 2010, DEFCON 18 and DEFCON 19, HITCON 2010 and 2011, AVTokyo 2011, IEEE Malware 2011

7. We published Facebook forensics paper, APT case studies, Webapp Security Fengshui, CTF write-up, etc.

8. We have reported various incidents to Worldbank (leaking server credentials), Media Firm (thousands of job applicants' information are leaked), A Kowloon Primary School (leaking thousands of student personal records) and a PR firm (which is attacked), etc.

9. Provide Penetration Test Kungfu training in HKPC and ISSummit conference as well as ISACA (HK Chapter).

10. Numerous media exposure including Police Report, RTHK, Cable TV, TVB, Apple Daily, Ming Pao, Next Media, etc.

We will continue our education for the public and professionals, and our reports/work have been appreciated by many organizations including the US government.

Q: Will VXRL leak my company/project secret if I have found my staff is a researcher in VXRL?

A: Some of our researchers work as police, FBI, MI6 or in law enforcement, who cares? Any interview/media/publication/conference speaking is none of your company's business (i.e. I also feel doubtful whether you could have such a team on research to deal with future criminals with advanced security/attack tricks ;-)); all concepts, research and work are initiated by the researchers themselves. Their personal job content/secrets have nothing to do with VXRL publications. As certified security professionals, we all know what could be shared or not.

By the way, they are doing it voluntarily in their spare time; VXRL doesn't care about, or feel interested in, your company, dead or alive. We are an international group, do you think we will sacrifice our reputation because of your company/organization? :)

Q: Can my company be proud of having a staff in VXRL?

A: You should support him/her and be proud of having a professional/researcher who could contribute his/her spare time on advancing security and hacking research.

Q: I don't want my staff to show up in interviews and conferences, it may cause conflicts to my team.

A: Yes, you are the one in charge of it and I can't control your thought, and it could be understandable if you have no background about our aim; however, if you read through my words and still keep it, I feel regretful that your stupidity simply shows you don't understand and try to accept the spirit of security research, hacking, education as well as respect your staff's expertise.

Q: VXRL guys are certified professionals?

A: I am quite sure our held certifications, experience as well as techniques are far more practical and better than you expect. Certified XXX does not mean he/she is skillful, however, as a certified security professional, we will comply with ethics.

Finally, I hope this Q&A is readily fit to you, dummies.

A quote for dummies:

"I only respect guys/gals with intelligence and reasoning instead of what the fucking rank or dump of money you hold."

"You could keep your money but hide your stupidity from us."

"You learn from incidence, we learn from the globe."

- Darkfloyd, Founder and Security Researcher of VXRL.