Episode 416 — SSH Tunneling, Independent Games, Updating Multiple Blogs At Once, and Password Protecting Applications

In this extensive episode Matt shows us how to setup SSH tunneling to securely transmit HTTP traffic and more while on the go. Shannon checks out some student entries to the 2009 Independent Games Festival, including City Rain, Glitch, Froggle, Blazar, and Akrasia. Darren puts together a PHP script that, in conjunction with Ping.fm, allows you to update multiple blogs at once including your own hosted WordPress. Plus this weeks LAN Party, revamped Trivia and viewer questions.
[ MP4 | XviD | WMV ]

Show Notes

Chris Gerling joins us at the top of the show via skype from a SANS conference where he is currently getting schooled in forensics.

Matt is obsessed with Clicky Keyboards. I’m a fan of the Model M and the PC-XT’s 83 Key Keyboard.

Our next LAN Party game will be Quake 3 on Saturday, January 10 at q3.hak5.wpengine.com. Check out all the details at our brand spankin’ new Hak5 LAN Site (with leetness by Squarespace)

Darren mentions Post_Break‘s article on Mubix’s Room362 site about ways to detect nearby Jasagers.

Setup an SSH SOCKS proxy!

For episode 416 of HAK5, I showed how easy it really is to tunnel all kinds of traffic from HTTP, FTP, and more over a secure SSH Socks proxy.

Some of you may be thinking to yourself… “HOLY CRAP WHAT ARE THESE TERMS?!” And I’m here to assure you that it’s going to be OK! Really it is.

What you’ll need

  • An SSH server to act as your proxy.
    Simple enough really! If you’re using windows I highly recommend freeSSHd. If you’re on a mac check out this page for instructions on how to enable remote logon. Linux users, you should know how to do this. 😉
  • An SSH client on the computer you’re using.
    Mac and *nix machines have SSH built right in at the command line. Windows users can do like I did in the episode and download plink (available here). There are other people out there that will recommend Cygwin, but for this purpose, it’s really overkill.

How proxies work

In a nutshell, what you’re doing with a proxy is setting up a middle-person (no not a pineapple, but close) between you and the internet. Using the proxy, your browser hands off web page requests to the proxy server, which handles the request and fetches the page for you from the internet. The web site actually thinks the request is coming from the proxy server, not your computer, which is a good way to obscure your originating IP address.

Additionally, the connection between your computer and the proxy happens over SSH, an encrypted protocol. This prevents wifi sniffers from seeing what you’re doing online.

Start your SSH tunnel

So you’ve got your ssh server setup at your house or workplace. Great! To connect to it we’re going to setup a local proxy server on your client that you’ll be browsing the internet from, which will then “tunnel” web traffic from your local machine to the remote server over SSH. The command to run on your linux / mac client in a terminal window is :

ssh -ND 9999 [email protected]

For Windows it’s as simple as browsing to the directory you saved plink to and running

plink.exe -N -D 9999 [email protected]

Of course, you’re going to replace the you with your username on your SSH server and example.com with your server domain name or IP address. What that command does is accept requests from your local machine on port 9999 and hands that request off to your server at example.com for processing.

When you execute either of those commands, you’ll be prompted for your password. After you authenticate, nothing will happen. The -N tells ssh not to open an interactive prompt, so it will just hang there, waiting. That’s exactly what you want.

Set Firefox to use SOCKS proxy

Once your proxy’s up and running, configure Firefox to use it. From Firefox’s Tools menu, choose Options, and from the Advanced section choose the Network tab. Next to “Configure how Firefox connects to the Internet” hit the “Settings” button and enter the SOCKS information, which is the server name (localhost) and the port you used (in the example above, 9999.)

Save those settings and hit up a web page. When it loads, visit http://www.ipchicken.com to see if it’s using your remote ssh server to tunnel traffic. If you are, GOLDEN!

If you feel there’s something I’ve missed, hit me up here (http://www.mattlestock.com)

PS: Remember that you’ll need to open your firewall a bit by cracking open port 9999 on your local machine and port 22 on your server for SSH.


Congrats to VickiWong who correctly answered last week’s trivia. Answer: Stiletto as it is not a submarine launched ballistic missile like the other two. We would have accepted the fact that Polaris and Trident are US ICBMs while Stiletto is a USSR ICBM.

Update multiple blogs with Ping.fm and custom URLs

I don’t know about you guys but keeping up with all the latest blogs, social networks, and micro messaging services is a lot of work! And I don’t know how many times I’ve neglected my blog(s) because I was simply too lazy to login and update, login and update, login and update.

In my segment this week I’ll be showing you how to use ping.fm‘s Custom URL feature to update blogs by email. Ping.fm is great for updating multiple status services like Twitter and Identica, but I’m just concerned with blogs.

I personally use three blogging services; Posterous, Tumblr, and WordPress hosted on my own domain, DarrenKitchen.net.

The first two are easy to update with a Ping.fm Custom URL since they feature rich posting via email. WordPress on the other hand is a bit lacking. Sure WordPress has a built in post via email feature but it’s severely lacking. To alleviate this I recommend installing the WordPress Postie plugin. This little guy is awesome, with features like roles, authorized addresses, photo and file upload, signature removal and custom CSS just to name a few.

Once installed and configured all we need to do is edit some the sample PHP code, upload it to our web server, rename the file to something obscure, and add the URL to Ping.fm as a custom URL.



2009 Independent Games Festival Student Entries

The Independent Games Festival is an annual festival awarding students and independent developers $50,000 in prizes. This year, IGF will happen March 23-27 in San Francisco.

In my segment, I test out a few student entries that were free for download.

The first one was City Rain, which is sort of like Sim City in a way. You play the mayor of a new town, and have to make quick choices as to what kind and where new buildings will go. Buildings quickly fall out of the sky and you have to make your decisions quickly.

I also tried out Froggle. In Froggle, you play a, well… froggle. You’re incredibly long tongue is used to eat flies and fling yourself over cartoony environments. I really liked the shading and humor aspect of this game.

The third game was Blazar, which really brings me back to the old school arcade games! You control a ship which has the ability to destroy asteroids or bounce them away. Your goal is to grow a black hole from tiny to huge.

The last game I demo’ed was Glitch. Glitch is a first person shooter that exists in a large cube arena. The environment is constantly moving and the enemies are made out of little cubes themselves. This game was fun!!

The last game which I didn’t demo but mentioned was Akrasia. I liked Akrasia because of it’s educational touch. This is the description from the IGF website:

Akrasia is a single-player game that challenges game conventions and is intended to make the player think and reflect. It is based on the abstract concept of addiction, which is expressed metaphorically throughout the game.

The game is set in a maze that represents the mind. The maze has two states – a normal and a psychedelic state. To enter the game, the player collects a pill-shaped object and thus enters the game as “addict”. From “chasing the dragon” to working through “cold turkey”, this game models the essential dimensions of the addiction gestalt as identified by its creators.



We answer view question about password protecting applications and feature a program called Empathy

Until next week we welcome your feedback and remind you to Trust your Technolust


  • Søren Klintrup

    I totally get your love for the old model M keyboards, I still have my old 1985 model – signed by QA and everything.

    As motherboards start being shipped without PS/2 ports I am running out of places to use this keyboard though – a nice way to get the best of both worlds is to go to http://pckeyboards.stores.yahoo.net/ and get a brand new Model M from unicomp, who bought the original patent from lexmark.

    They make the keyboards as USB now and the buckling spring types is an exact match to the classic keyboard in look and feel (unless you get the black version .. which is black ofcourse).

    They are a bit pricey – but totally worth it, and they carry almost every international keyboard layout as well, bought one a couple of years back for work :-).


  • Scorpion

    Was darren on something as he seemed different lol. good idea about those symbols for the triva but i wouldn’t of made them THAT big. Good ep like normal i might use ssh soon (at the moment VPN is working ok at this time).

  • Th3BigGuy

    Chris and then going to come back to the real world and realize that SANS forensics is sssssoooo basic. Open source is cool but its all about the good forensic software…Get mubix back and maybe he can give you some real info on incident response and forensics.

    BTW…you can get rid of anti-virus 2009 over the wire without having to make that trip…I believe you guys had mentioned some info about crossloop last year and I have been loving what crossloop can do for my friends and family. I had a simular issue with a friend getting that virus and doing some forensic/malware analysis work I found the code and cleaned it without having to re-install.

    Can we get back to some true form haking and away from the kiddie hacking. What is up lately with the kids play segments. It would be better if you went back to one episode a month and did some hardcore hacking/forensic/net sec. I love you guys but lets get a little more hardcore.

  • Ingo

    Yeah standard Xbox 360 pad uses USB connection.

    You can also hook wireless Xbox 360 pad to USB, but that requires: Wireless pad (obviously) and “special” USB receaver.

  • lomolover

    Darren, Matt, Shannon, Chris

    Thanks for such a good podcast, well, the whole 4th season, I haven’t gone back further (yet). I had given up a couple of years ago on hooking up my BB to a laptop, but Darren proved me wrong. And then Matt brought SSH for the masses, and it works. So I can use it in my daily commute, through my BB. So far, I think I am now protecting myself against pineapples, but I’ll keep my eyes open. I need to reverse my fon, and install Jasager, to watch it in action. So much to do.

    And yes, Logmein has been with me for two years now, and my parents, back in Spain love it, because support only gets physical once a year!

    Cheers and Merry Xstmas


  • Beely

    Great show and thanks for spreading the info on protecting data while using free WiFi connections! For the SSH Tunneling option — Try out SWITCHPROXY add-on for Firefox (available at http://mozmonkey.com) — great time saver in changing between tunnel and non-tunnel (or free WiFi access and home.)


  • louboutin men shoes

    Vivier’s work is familiar to Louboutin because
    it is Vivier who designed the stiletto heel that fascinated Louboutin on a signal at
    the Avenue Daumesnil museum. Well by the middle of 2007 “the fringe” made an appearance, blunt, pixie or Kate style
    -named after Kate Moss and spread like fire in the public figures’
    world. Christian Louboutin is also well-known for producing boots that go over the

  • check here

    Excellent site in this article! Additionally your internet site a lot up rapid! What coordinator do you think you’re the application of? Should i get those affiliate marketing backlink to your host? My partner and i want my website . check herejam-packed as rapidly when your own house lol

  • cheap giuseppe zanotti shoes

    Teenage boys who like sports will love a pair of custom Jordan sneakers as a gift this
    holiday season. The work settings for personal and home care aides are
    in the homes of employers. Sporting an almost even assortment of high top and low top sneakers
    in numerous looks.

  • online fifa 15 hack

    Great post. I was checking constantly this blog and I am impressed!
    Extremely useful info specially the last part 🙂 I care
    for such information a lot. I was seeking this certain information for a very long time.

    Thank you and good luck.

  • http://Companyteeshirts.org

    Simply want to say your article is as surprising.
    The clarity in your post is simply nice and i could assume you’re an expert on this subject.
    Well with your permission let me to grab your feed to keep up to date with forthcoming post.

    Thanks a million and please continue the enjoyable work.

  • prada bags outlet

    Hermes Scarf May perhaps people today may possibly think slightly.

    Within 2 years, Miuccia won two fashion awards awards, in 1993 she received an international reward from the Council of
    Fashion Designers of America, and then in 1995 she also won the “Designer of the Year” Award.
    All these brands are made more affordable at Tuesdaymorning.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>