August 30, 2009

Understanding The Basics of System Exploitation


There is no concept more central to blackhat SEO than system exploitation. A lot of this cannot be taught. However, I’m still going to attempt to explain the basics of why this is important, the goals of exploitation (aside from money), and perhaps a basic idea or two on how to look for your loopholes. That’s right, folks. This entry is the essence of shady.


And yes, it bears a bit of a resemblance to a previous entry we had on finding search engine rules, but I really wanted to expand on that entry more.



Why is System Exploitation so Important Online?

The quick answer to this is that the internet is a system made up of millions of smaller systems. To understand how these interact, or better yet, to control how certain aspects interact, is to gain the ability to control it. Obviously, no one person can control the entire thing, but one man can greatly influence little corners of it. From the largest search engine, to the tiniest social news site, the entire internet interacts.



How to Test the Bounds of Any Quantity-Based System

There’s a pretty basic method to test the boundaries of almost any system. Take any variable you want to test, and run it to the extreme. For example, there’s a reason most blackhats worth the keyboard they type on can whitehat with the best of ‘em. Any problem in a blackhat site, due to the sheer volume (speed, links, pages, etc.), is amplified 100-fold. So any issue you have becomes ridiculously apparent.



The same concept can be cross-applied to any section of the internet. For example, I broke the captcha to a popular social bookmarking service. When I broke it, I generated some 400 accounts off the bat through various IPs. Note that this is MANY more accounts than needed for my goal. I wrote a quick-rig CuRL script to add a URL with shuffling descriptions and titles. It did not take long to notice that it took very little time for my site to get banned from their setup. Ok. So fresh domain, fresh accounts, fresh IPs, and then drop down the speed/quantity. Rinse, lather, and repeat, until you’re either successful, or if you never are, examine the possibility they’re nailing the IPs as being proxies. By starting out at an extreme (not so extreme as to alert people to your intentions), it’s much easier to determine what you can, and can’t do within the system.
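Seen from the site's side, the run described above is a burst of freshly created accounts all submitting the same domain, which is the kind of pattern that gets a domain banned quickly. The following is an added example, not code from the original post; the record layout, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (epoch_seconds, account, account_age_days, ip, url)
SUBMISSIONS = [(1000 + 90 * i, f"new{i}", 0, f"198.51.100.{i + 1}",
                f"http://spam.example/page?ref={i}") for i in range(6)]
SUBMISSIONS += [
    (1200, "alice", 400, "203.0.113.5", "http://news.example/story"),
    (5000, "bob", 1, "203.0.113.9", "http://blog.example/post"),
    (9000, "new0", 0, "198.51.100.1", "http://blog.example/other"),
]

def coordinated_domains(subs, window=3600, min_accounts=4, max_age_days=2):
    """Return {domain: peak number of distinct fresh accounts in one window}."""
    by_domain = defaultdict(list)
    for ts, account, age_days, _ip, url in subs:
        if age_days <= max_age_days:      # only newly created accounts count
            by_domain[urlsplit(url).hostname].append((ts, account))
    flagged = {}
    for domain, events in by_domain.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({a for _, a in events[start:end + 1]}))
        if peak >= min_accounts:
            flagged[domain] = peak
    return flagged

if __name__ == "__main__":
    print(coordinated_domains(SUBMISSIONS))
```

Grouping is done on the submitted hostname, so the source IP and the text of each submission play no part in the count.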



Testing Non Quantity-Based Bounds within a System

If the internet were only a quantity-based system, we’d all be wealthy by now. And while 99% of it is reducible to just that, that remaining 1% is a bitch. People often give the internet too much credit for being *POOF* magical. Remember when testing a system that there is only so much information a website has to work with when evaluating us (excluding quantity-based limits as said above). Now, the downside is that this is a lot of friggin information. I’ll list some of the stuff that they have access to, to try and make this point clear. But I’m not going to list it all, so don’t nag me about it. This list only contains what they get access to as soon as the page loads, and information that is completely unavoidable to give them.



IP Address

Physical Location (Country/City)

Is your country/proxy’s country natural for that site’s traffic?

Previous Actions on that IP

Various Cookies

Time Delay Between Page Loads

Browser

Referrer (Not to be overlooked)

Ability to Process Javascript

Any accounts/associated creation dates on that site





In addition to this, there’s a variety of more specific ones. Whether or not you’re using a proxy for example. Whether your “browser” calls images. All of these things factor in, and must be controlled. You want to fit in with the norm as much as possible. For this, pay special attention to the rates at which things happen on the site. Pageloads, votes, anything like that.
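For a site operator, several of the signals listed above can be read straight out of an access log: whether a client ever fetches images or stylesheets, whether page JavaScript ran, whether a referrer is sent, and how regular the gaps between page loads are. The following is an added example, not code from the original post; the `/js-beacon` endpoint, the thresholds and the log records are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

ASSET_EXT = (".png", ".jpg", ".gif", ".css", ".js")
BEACON = "/js-beacon"   # hypothetical endpoint requested only by page JavaScript

# Constructed sample: (client_ip, epoch_seconds, path, referrer)
LOG = [
    ("203.0.113.7", 0, "/", ""),
    ("203.0.113.7", 0, "/style.css", "/"),
    ("203.0.113.7", 1, "/js-beacon", "/"),
    ("203.0.113.7", 37, "/story/1", "/"),
    ("203.0.113.7", 37, "/img/a.png", "/story/1"),
    ("203.0.113.7", 95, "/story/2", "/story/1"),
    ("203.0.113.7", 140, "/vote", "/story/2"),
] + [("198.51.100.20", 5 * i, "/submit", "") for i in range(5)]

def session_signals(log):
    """Return {client_ip: [names of automation signals that fired]}."""
    by_client = defaultdict(list)
    for ip, ts, path, ref in log:
        by_client[ip].append((ts, path, ref))
    report = {}
    for ip, hits in by_client.items():
        hits.sort()
        pages = [h for h in hits
                 if not h[1].endswith(ASSET_EXT) and h[1] != BEACON]
        reasons = []
        if not any(h[1].endswith(ASSET_EXT) for h in hits):
            reasons.append("no_assets")        # never loaded images/CSS/JS
        if not any(h[1] == BEACON for h in hits):
            reasons.append("no_javascript")    # page script never ran
        if len(pages) > 1 and all(ref == "" for _, _, ref in pages[1:]):
            reasons.append("no_referrer")      # follow-up pages lack a referrer
        gaps = [b[0] - a[0] for a, b in zip(pages, pages[1:])]
        if len(gaps) >= 3 and pstdev(gaps) < 0.1 * mean(gaps):
            reasons.append("regular_timing")   # near-constant delay between loads
        report[ip] = reasons
    return report

if __name__ == "__main__":
    for client, reasons in session_signals(LOG).items():
        print(client, reasons)
```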



Non-Boundary Based Exploitation

This is where we start to run into sketchy ground that I must be careful about. I’m not going to teach you how to hack here, kids. Jail is no fun for you, and loses me a potential RSS subscriber. Nobody wins. But think about it this way. Up until this point, everything I’ve covered is teaching you how to play within the bounds of the rules. A good non-boundary-based exploitation will leave the bounds altogether.

Just look at it like this: If I were a coder, how would I have done XYZ (try and get as close to how the target performed XYZ as you can), and then sit there for a bit and punch holes in your own idea. I find that thinking of it as if you’re the one creating the system removes a lot of the mystery that we tend to see around others’ code, and leads to a deeper understanding of the code itself.



What is the Goal of a Successful Run at Exploitation?

Ultimately, they all have the same goal. To not be detected. If what you’re doing was not detected in any way, then you have a reusable tactic in your arsenal of hacks. Don’t abuse it. For example, if someone could (and I would bet a LOT of money someone can) run something up the front page of Digg, they would not do so with “Buy Viagra”. They would find things that debatably could have gotten up on its own under the proper circumstances. If someone figures out what they did, it will be fixed, and then it’s worthless. That’s right. You need quality spam. Which, of course, begs the question of whether it is still spam then... oh well. That’s for a different entry.



I’m sure I’ll take some crap for this entry. But whatever. It’s a reality of blackhat today. Deal.

-XMCP
