User talk:Ho8a

Welcome!

 * }

January 2011
Welcome to Wikipedia. Although everyone is welcome to contribute constructively to the encyclopedia, your addition of one or more external links to the page Padding oracle attack has been reverted. Your edit here was reverted by an automated bot that attempts to remove links which are discouraged per our external links guideline from Wikipedia. The external link you added or changed is on my list of links to remove and probably shouldn't be included in Wikipedia. I removed the following link(s): http://www.youtube.com/ampliasecurity#p/u/0/2jvmT5lmIIM. If the external link you inserted or changed was to a media file (e.g. a sound or video file) on an external server, then note that linking to such files may be subject to Wikipedia's copyright policy and therefore probably should not be linked to. Please consider using our upload facility to upload a suitable media file. If you were trying to insert an external link that does comply with our policies and guidelines, then please accept my creator's apologies and feel free to undo the bot's revert. However, if the link does not comply with our policies and guidelines, but your edit included other, constructive, changes to the article, feel free to make those changes again without re-adding the link. Please read Wikipedia's external links guideline for more information, and consult my list of frequently-reverted sites. For more information about me, see my FAQ page. Thanks! --XLinkBot (talk) 22:56, 5 January 2011 (UTC)

October 2011
Hello. I suspect from the contributions that you've made to Pass the hash that you are connected to Amplia Security. If so, kindly take note of Wikipedia's policy regarding conflict of interest. Thank you. Socrates2008 ( Talk ) 11:58, 19 October 2011 (UTC)


 * Hi Socrates2008!,
 * I'm sorry, I've read the 'using talk pages' page but I'm not sure if this is the right way to answer your comments on my Talk page. I hope it is.
 * Basically I wanted to tell you I'm Hernan Ochoa, I'm the author of the Pass-The-Hash Toolkit, and I'm also the author of Windows Credentials Editor (WCE). As the author of the pass-the-hash technique on windows and also the technique to dump credentials from lsass's memory (This statement is backed up by many presentations and papers I published over the years. I believe it is public knowledge), I believed I could talk about them; I never tried to hide anything as my username in wikipedia is basically my name (ho8a, ho = hernan ochoa and 8a = reads Ochoa in Spanish).
 * I'm not sure why you did not remove the reference to the 'Pass-the-Hash toolkit', but you did remove the references to WCE, I wrote both tools and authored all techniques used by them, so I didn't think crediting my authorship was a conflict of interest; People are credited for their work all over wikipedia. WCE is specially relevant right now, more even than the 'pass-the-hash toolkit' because .. well... it works and the PTH doesn't anymore, and also WCE implements new techniques I created related to pass-the-hash (eg:to find and decrypt credentials, different from the techniques I created before), allowing the technique to work on Windows Vista/7/2008.
 * The previous description of the technique was not correct; and it also included a lot of references to Metasploit, and I'm not sure why those were accepted and not marked as a promotion (especially when Metasploit has nothing to do with the technique, they just implemented the same modified SMB stack already published by Paul Ashton in 1997 and implemented by many many other tools before them).
 * In Summary, I believe my references to WCE are valid and relevant; if people try to use the 'pass-the-hash toolkit' it will simply not work; WCE is the tool of choice now; and in terms of the history of the technique, the reference to the 'pass-the-hash toolkit' is also relevant because it marked a change in the practice and the introduction of new techniques previously unknown.
 * I also think the references to Metasploit should stay; I'm only saying that the reference to WCE should also be there. It's not self-promotion, it's the truth :), it's what happened :). I did not just write a 'new tool' that implemented a technique, I created and published for the first time the techniques.. that's the difference to me..I did the same thing again with WCE and pass-the-hash on Windows Vista/7/2008 (and also with pass-the-ticket for kerberos, although that's for another article).


 * I just included three references about WCE, because these were references to the tool (which is revelant I think, as it is the ONLY tool that is able to obtain the hashes from memory without using code injection using the techniques I authored); and the other references were links to presentations I did that included a LOT of information describing how the technique works, full of windows internals, someone could even take that information and duplicate my implementation. They also included insight on how to use the technique during a penetration test, and also talked about zombie logon sessions and other things are VERY useful for penetration testers when using the pass-the-hash technique). I was just trying to add useful information; yes I wrote that information, but that's simply because I authored the techniques described.


 * Let me know what you think.
 * Thank you! Ho8a (talk) 14:28, 19 October 2011 (UTC)


 * Thanks for your reply, which I have moved back here to keep the discussion in one place. Yes, I surmised as much, which is why I have called this out for you.  Wikipedia unfortunately takes a very dim view of contributions by someone who is closely connected to the subject of an article.  The primary reason for this is that it introduces bias.   I am familiar with your toolset and the exploit, and understand that you are very knowledgeable in this area.  However I have also noticed that a number of your edits have been self-published, promotional or autobiographic.  Consequently you will see that I have edited a number of these out already.
 * My recommendation is that you take a look at WP:Suggestions for COI compliance, which should give you some ideas how you could contribute to the article without breaking WP policies and guidlines. I'd be happy to assist on a best efforts basis via the article's talk page. Socrates2008 ( Talk ) 20:54, 19 October 2011 (UTC)


 * Hi Socrates2008! I understand your concern, but could you tell me what was the info I added to the article you think was biased? It would really help me. I authored the techniques, I wrote the tools, I published the tools, I published information on how the tools/technique work, etc.; I truly don't see where I'm being biased. What are the things I wrote you think are not accurate? To be fair, off the top of my head, I think the only thing you removed were my references to WCE, so I imagine you think me mentioning that tool (but not the pass-the-hash toolkit, which I also authored) was biased, is this correct? if it is, why?? WCE is part of the same story, all the tools are free, etc.
 * I've read Conflict of interest and I'm convinced mentioning WCE (and my other contributions) were complaint with the "Citing oneself" section. I think at least, my tool WCE should be mentioned; otherwise the information on the entry is not complete and outdated; users reading the entry may try to go and fetch the pass-the-hash toolkit and they will discover it no longer works. So, are you ok with me adding a reference to WCE? or do you still think it is not appropriate? Thank you! Ho8a (talk) 21:31, 19 October 2011 (UTC)
 * I didn't say that anything you added was inaccurate - it really boils down to issues of neutrality, weighting and advocacy, and these problems were readily apparent in the article before you outed yourself. For example, the number of links you create to your website, mentioning your tools almost exclusively (other people also offer tools to do hash and password harvesting), the promotional language used and the autobiographical notes are examples of this.  Please note that I'm trying to help you - it would be a shame if another editor came along who did not appreciate the consequences of this technique, and requested the article be deleted because it looked like an advertisement.  If your work is truly noteworthy and published (I think it is), then WP's view is that people will notice it, and will be able to write about it objectively, citing published sources, and that would result in a more balanced and neutral article.  Of course you are a subject matter expert here, but to use an analogy, you need to be on the coaching bench in this case (i.e. the talk page), not in the game itself (i.e. the article). Socrates2008 ( Talk ) 22:13, 19 October 2011 (UTC)
 * I don't believe my original article had issues of neutrality, weighting and advocacy at all. Again, I authored the technique and the tools. All other tools out there came after I published a paper explaining the technique AND the tools with full source code freely available (and still they don't do the same thing nor all the things pass-the-hash toolkit did, and WCE does). So why shouldn't my tools which implement the techniques I authored be mentioned?
 * I can see you're trying to do the right thing and have good intentions; but truly I feel very sad because I don't understand why you feel I cannot add at least one reference to WCE and to the techniques I created in the same way I did with the pass-the-hash toolkit (WCE implements new techniques, and no other tools implements those techniques). I have published source code, the presentations I did contain lots of detail with regards to how the techniques work, lots of internal information, they are not commercial ads they contain lots of useful and technical information, I'm contributing to the community, I'm the only one releasing information and new techniques all the time about this and I don't know why you feel crediting me for my work is bad or biased, or not neutral, especially when we are talking about something I created. Like you mention, anyone else can edit the entry and add what they want, that doesn't mean I have to do it, and that doesn't mean since no one else has done it, I should not be able to add things that are true, accurate, I created, and are relevant. No one else took time to make this entry better, I did. I have also given credit where credit is due, for example, to Paul Ashton. My sensation is that you know what I wrote is accurate, and that I did the things mentioned in the article, but since I wrote those things, even when they are true, they cannot be there; but if someone else comes and writes the same things, just because it is someone else, in that case it would be ok. So I don't understand.. I respect your opinion but I disagree; I contributed and I feel I'm being punished for that. Anyway, thank you for taking the time to answer me. Ho8a (talk) 22:53, 19 October 2011 (UTC)
 * As I mentioned before, even though you may not have done so intentionally, there was a clear pattern to your edit history that indicated the very sort of issues that WP's conflict of interest policy seeks to address. This framework has been developed over a long time by the community here, so those are the "rules" that you will need to abide by for this particular article.   Once again, your opinion is respected, but you are very much encouraged to express these on the article's talk page, not in the article itself.  Please note that further attempts to edit the main article will lead to you being blocked by an administrator (which would be a "punishment"), however I'm hoping that it will not come to that.  So please work with the community, not against it to make this article better.  Socrates2008 ( Talk ) 07:37, 20 October 2011 (UTC)


 * PS1: A few things that you can do to help:
 * Find published works, notably from other people, that explain PtH as this will help other editors to verify the article content and establish its neutrality.
 * Suggest any changes and additions to the article on its talk page
 * PS2: IE9 flags the links to WCE as malicious content, which is why I initially removed it. Socrates2008 ( Talk ) 08:12, 20 October 2011 (UTC)
 * You are making this so difficult! You yourself added the links to PTH! I don't understand this at all! this makes no sense! and I don't understand why you edited out my mitigations! the current mitigations are incorrect! you are confusing pass-the-hash with dump credentials from memory which I also authored, but these are two different techniques! pass-the-hash != dumping credentials from memory
 * And pass-the-hash IS NOT THE SAME as credentials forwarding! SMBRELAY has nothing to do with pass-the-hash!
 * I'm adding links about WCE authored by other people.
 * You removed my link to WCE because IE9 ????? says it is malicious content? you said you know me and my tools, and still you remove my link to my tool because of IE9? Ho8a (talk) 11:01, 20 October 2011 (UTC)
 * I made it my business to find out about your tools after I got hacked by them recently - my very first edit to this article when IE9 flagged your link as malicious pre-dated that event. My initial objective when I subsequently returned to this article was to address the obvious issue of COI, so I edited out most of your self-promotional links and raised the issue with you.  Now if you want to participate, you'll find me on the article's talk page, but I have nothing further to add here. Socrates2008 ( Talk ) 11:36, 20 October 2011 (UTC)
 * Well, flagging a link as 'malicious' because IE9 says so, and not knowing my tool is not my fault. The rest of the world does know it. And I did everything you wanted, I added links and everything to the talk page of the article and still you flagged me as having COI? please!... and the information you are adding is incorrect, please reconsider.Ho8a (talk) 11:40, 20 October 2011 (UTC)

Mitigations
The mitigations described are not accurate. Pass-the-hash refers only to the fact of using NTLM hashes to authenticate. The mitigations you describe appear to be referring to users dumping from memory NTLM hashes; but that's a different technique, that's not 'passing the hash'. SMBRELAY has nothing to do with pass-the-hash.