It all started with a closet full of old computers. They looked like the laptop version of the zombie apocalypse. We had this crazy notion to vulnerability scan the entire freaking Internet and publish the results for free -- because that’s the sort of thing we think up on a Tuesday -- and we were going to use a Hadoop cluster to do it. That zombie hoard of laptops became our first Hadoop cluster, and that crazy idea became our first open source project, PunkSPIDER.
Hyperion Gray is a small research and development company focused on web security, software development, distributed computing, and any combination thereof. Full disclosure: We're slightly off. We color outside the lines and put the square peg in the round hole. We like to come up with ideas and solutions that push the boundaries of the status quo. We don't just think outside the box -- we don't even *see* the box. Work with us and you'll see what we mean. :)
PunkSPIDER is our flagship open source project, so it holds a special place in our dark little hearts. It's a distributed web application vulnerability scanner and search engine unleashed on the entire Internet. It checks sites for basic vulnerabilities and provides the results to the public for free. The concept is simple: a user can go to the PunkSPIDER website and search for any url to see if it has any basic vulnerabilities (currently our scanner checks for sqli, bsqli, xss, path traversal, mail header injection, operating system command injection, and xpath injection vulnerabilities). This can be the user's own website or one they use in their day-to-day lives. Either way, they can find out whether the site is vulnerable in just a few seconds and make an informed decision on whether to trust it with their information. This is something that most Internet users aren't empowered to do, but we think they should be.
So how does it work exactly? We'll tell you! PunkSPIDER 2.0 uses a custom-written crawler (version 1.0 used Apache Nutch) to crawl for sites and then it indexes them to a Solr database, where they are queued up to be scanned (aka "fuzzed") for vulnerabilities. Not all together complicated, but there's a twist! (::gasp::) Every part of this process is distributed across a Hadoop cluster, which makes it faster and more efficient than conventional crawling and fuzzing. (Quick shout out to Apache and the Hadoop community for their awesome projects).
PunkSCAN, which is what we call the fuzzer piece of it, is able to detect vulnerabilities far faster than any existing tool on the market because we're leveraging the power of distributed computing in a whole new way. We've scanned several million hosts so far and are working on a version 3 that's going to make Formula 1 look like a street parade.
The PunkSPIDER project was first unveiled at ShmooCon 2013 and received as much positive acclaim from the community as it created controversy. Most people loved it, and we were even successfully crowd-funded on Kickstarter, but some people freaked out a little bit. Sure, at first it's scary to think that we're publishing all this vulnerability information and making it publicly available. But what's scarier than that is the fact that the Internet's Dark Side already knows which sites are weak, while the average users of the web don't. We believe in what we're trying to do here, which is to empower the average Internet user to make informed decisions about which sites they visit, and to encourage web developers to treat security like a commitment to the users of their sites, a hallmark of good design just like any other. And based on the ever-growing volume of traffic to PunkSPIDER, we like to think we're getting somewhere.
Alejandro Caceres, owner, founder of Hyperion Gray, had the honor of speaking at ShmooCon 2013, where he unveiled the PunkSPIDER project to a great crowd. They provided some great feedback on the project and even laughed at some of Alex's jokes! You can watch the video of the talk below. Wait 'til you find out what the angry Iranian man is all about...
So we were over the moon about getting a talk at ShmooCon, but then Alex got accepted to be on the Closing Plenary panel at ShmooCon 2014, moderated by Bruce Potter himself! ::swoon:: If you weren't able to make it to the con this year, you can watch the closing panel here. Let's just say it was wholly entertaining. Where else but ShmooCon can you get a scan of the entire Internet in record time, a real time screenshot of someone typing "porn" into Google, and a fiery defense of American-made nipple covers all on the same stage?? Oh, and of course there's an interesting discussion on the ethics and legalities around mass scanning the Internet.
We were selected for two talks at DEF CON 21. If you've never been to the con, you should. It. Is. Awesome. You can watch both of our talks right here!
The Massive Attacks project came about when Alejandro was surreptitiously accused of building a "cyber weapon" with PunkSPIDER and, after giggling to himself a little bit, thought, "Hey, what would a mass scale distributed cyber weapon actually look like?" So he went about creating the PunkCRACK and Mr. Injector tools. He threw his hat in the ring to speak at DEF CON 21 and, holy crap, was accepted. This talk demos these two proof-of-concept tools and discusses the theoretical repercussions of distributed cyber weapons.
This talk was based on our DARPA Cyber Fast Track (CFT) project, whiched we audaciously named Web 3.0. The project came about when a fellow developer, Teal Rogers of Trinary Software, saw Alejandro's PunkSPIDER project on KickStarter. He contacted Alejandro, they soul-gazed via Skype, and then decided to go after a DARPA CFT together. Since the program has, sadly, come to an end, we were thrilled to have been accepted to the last round of awards AND get accepted to speak at DEF CON about it.
The idea of the Web 3.0 project was to create a powerful yet beautiful, intuitive 3D view of the Internet that shows interconnections between domains while also showing which pages within a domain contain vulnerabilities. The interface is designed to give the user an experience of "flying" through 3D space as they navigate their domains of interest, just like in the movies but for real. We developed a proof of concept model for the CFT, and we're currently devising plans for the future of the Web 3.0 concept.
In addition to our open source projects and con talks, we actually do real work. Really! We are currently performers on the super cool DARPA Memex program.
In 2013 we were also performers on the DARPA Cyber Fast Track program.
We occasionally do freelance development work and any cool research projects we can get our hands on.
We're a small software development company focused on innovative research in a variety of areas. Our backgrounds are as hackers, pen testers, developers, engineers, security researchers and intel analysts. We spent some time in the infosec services world but we just aren't cut out for business suits and trade shows.
So, we decided to start Hyperion Gray as a way to develop and release our open source projects -- a tough business model, we admit, but we love it. We get to think up crazy ideas and make them happen without anyone telling us we can't, and we still get to tell our parents that we have real jobs -- with business cards and everything!
Our goal is to continue to apply disruptive research and development to solve hard problems in whatever fields interest us. We don't want to grow into a billion dollar company or anything; we're small but immensely talented and we like it that way (hey, we already told you that we're slightly off). We want to create and maintain an intellectual space where we can be free to create revolutionary solutions to complex problems, without the distractions of board meetings or stock prices. If you want to love what you do, do what you love, right?
In addition to the folks listed below, we also have a roving group of incredibly talented people whom we call upon as needed. We all wear matching rings and assemble like super heroes. It's awesome.
Alejandro (Alex) began his hacker journey at the ripe young age of 15, causing minor (read: probably not illegal) trouble on AOL. While studying Physics in college, he learned all about how distributed computing could help with massive simulations of scientific problems in heavy ion collisions, and he's been in love with distributed computing ever since. Upon entering the real world, he spent a few years working in the information security field. But late at night, when no one was looking, he would play around with distributed computing, and he began applying it to web app hacking, thus effectively combining two of his favorite things.
He originally started Hyperion Gray as a venue for releasing his open source stuff, but it picked up speed and eventually he decided to leave his day job to focus on Hyperion Gray full time. We think he made the right decision.
Amanda began her career as a geopolitical intel analyst (think pirates and terrorists and rebel groups and such), and a few years ago she incidentally fell into the world of software development. She's glad she did -- it's fun here! Her official title at Hyperion Gray is "Queen Overlord of All Things Business-y" but she is also the project manager, the accountant, the coffee and tea maker, the make-sure-you-eat-something-er, the are-you-sure-you-want-to-do-that-er and the all-around do-whatever-needs-doing-er (like building this website...). She does pretty much everything but write code, although she will probably do that too eventually.
Tomas joined our team very early on and we don't know where we would be if we hadn't (we don't like to think about it...). He has supported us on the PunkSPIDER project since the beginning and was fundamental to getting it off the ground. He is a highly skilled (understatement) Java and Python guru and is also well-versed in distrubuted computing technologies like Apache Nutch, Solr, Hbase, Hadoop and Hive.
We can't neglect to mention all of the people who have helped us along the way on our great adventure here. This includes our families who've supported us leaving our stable day jobs to do what we love, the companies who believe in us enough to team up with us, and the hacker community, which has been an integral part of Hyperion Gray from the get-go. From the developers who've contributed to our projects, to folks who've put our stuff to good use, to the people who supported us on KickStarter, to the journalists who write about us, and the tons of people who've visited our sites, blogged about us, told your friends about us or re-Tweeted us -- THANK YOU for your support! We're so glad that you've come along for the ride. We take your input and feedback to heart and we hope you stick with us as we continue to grow up.
Here are a few articles about us and our projects. If you see any more floating around the web -- or if you write one yourself -- be sure to let us know so we can add it here!
The Register, one of our personal faves, released an article shortly after our ShmooCon debut of PunkSPIDER, you can read the article here.
Here's another article in The Register about our DEF CON talk on massive attacks with distributed computing. Zombie PCs are for crimelord chumps: Fear clusters, says infosec ace.
When PunkSPIDER was released, it understandably met with some controversy. Slashdot published one of our submissions here and things got a bit heated. If you love Internet haters, this article is a great place to see angry comments attacking Hyperion Gray and Alejandro personally! Enjoy!
We got another post on Slashdot about Web 3.0. We love poking the bear just a little bit -- it's fun! DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities.
Here's a guest post on Cloudera's blog about how we leveraged Hadoop for PunkSPIDER. It offers an admittedly biased perspective on the project (uh... because we wrote it).
Here's a blog entry by the popular SecurityMonkey about PunkSPIDER.
If you are with the media and are interested in covering any of our projects or just chatting with us in general, send an email to firstname.lastname@example.org and we'll be happy to talk your ears off.
Yes, we have a blog, but no, we're not bloggers. We mainly use it to communicate about new releases, give you a backstage view of our conference talks, and occassionally muse on things of our interest. Also, having a blog is an official business requirement these days, right?