<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-37798047</id><updated>2012-02-03T19:56:33.037-05:00</updated><category term='ethics'/><category term='jokes'/><category term='NASCAR'/><category term='tools'/><category term='phones'/><category term='Profile Spy'/><category term='news'/><category term='movies'/><category term='bugs'/><category term='MacAfee'/><category term='Toorcon'/><category term='sellout'/><category term='malware'/><category term='PayPal'/><category term='Cisco'/><category term='McAfee'/><category term='Apple'/><category term='collateral murder'/><category term='RSA'/><category term='sprint'/><category term='events with wifi'/><category term='backtrack'/><category term='cracking'/><category term='supreme court'/><category term='Mac Pro'/><category term='TV show'/><category term='spam'/><category term='cyberterrorism'/><category term='Solaris'/><category term='Terminator'/><category term='CCC'/><category term='email'/><category term='conspiracy theories'/><category term='wget'/><category term='kerb'/><category term='pundits'/><category term='CanSecWest'/><category term='detained'/><category term='drama'/><category term='global warming'/><category term='wifi'/><category term='Christmas'/><category term='Metasploit'/><category term='legal'/><category term='freakonomics'/><category term='OSX'/><category term='Laws that are bad ideas'/><category term='bluehat'/><category term='NAISG'/><category term='Street View'/><category term='beta'/><category term='patents'/><category term='xmas'/><category term='Ironport'/><category term='bad bloggers'/><category term='port scan'/><category term='intresting'/><category 
term='iPhone'/><category term='tape'/><category term='anonymous sources'/><category term='Snort'/><category term='SANs'/><category term='Ferret'/><category term='chumby'/><category term='worm'/><category term='tradeoffs'/><category term='net neutrality'/><category term='twinkles'/><category term='pentest'/><category term='crypto'/><category term='SOPA'/><category term='open-source'/><category term='anti-virus'/><category term='Occupy Wall Street'/><category term='google'/><category term='iran'/><category term='virtualization'/><category term='fuzzing'/><category term='ATHF'/><category term='technology'/><category term='Microsoft'/><category term='0day'/><category term='IDS'/><category term='ida pro'/><category term='NAC'/><category term='groupthink'/><category term='Signature List'/><category term='#BSidesATL'/><category term='reverse engineering'/><category term='Anonymous'/><category term='hacking'/><category term='George Ou'/><category term='GNU'/><category term='Oracle'/><category term='fascism'/><category term='Blackberry'/><category term='survey'/><category term='FCC'/><category term='shodan'/><category term='Facebook'/><category term='#BSidesSF'/><category term='TSA'/><category term='cookies'/><category term='employment agreement'/><category term='shout hacking'/><category term='lulzsec'/><category term='dorks'/><category term='software patents'/><category term='Ranum'/><category term='ssh'/><category term='United Nations'/><category term='Oakley'/><category term='Summercon'/><category term='comodogate'/><category term='phishing'/><category term='Comcast'/><category term='Hacker Eye View'/><category term='Ruby'/><category term='dm1z'/><category term='Guns'/><category term='sniffer'/><category term='netbook'/><category term='sucks'/><category term='virus'/><category term='ftc'/><category term='Benzene'/><category term='mobile'/><category term='GPU'/><category term='ARGs'/><category term='LookingGlass'/><category term='redacted document'/><category 
term='funny'/><category term='cyberwar'/><category term='comedy'/><category term='rights'/><category term='minigubs'/><category term='robert khan'/><category term='evasion'/><category term='Rogue'/><category term='nerd'/><category term='SQL injection'/><category term='darkreading'/><category term='hamster'/><category term='firefox'/><category term='Oreilly'/><category term='encryption'/><category term='hacktivism'/><category term='Quicktime'/><category term='Safari'/><category term='DRM'/><category term='responsible disclosure'/><category term='performance'/><category term='aws'/><category term='sniffing'/><category term='humor'/><category term='Adobe'/><category term='wikileaks'/><category term='steganography'/><category term='SMS'/><category term='SecTor'/><category term='TV'/><category term='roundup'/><category term='TwiGUARD'/><category term='WabiSabiLabi'/><category term='DLL'/><category term='openssl'/><category term='invisibility cloaks'/><category term='comodo'/><category term='cloud'/><category term='rootkit'/><category term='software assurance'/><category term='down twinkles'/><category term='vint cerf'/><category term='red flags rule'/><category term='Breaking in'/><category term='atom'/><category term='ProtoDev'/><category term='certificate'/><category term='vapid populists'/><category term='testing'/><category term='Bratz'/><category term='musings'/><category term='exploit'/><category term='white-hat'/><category term='HEV'/><category term='vista'/><category term='The end of the cyber world'/><category term='Bitlocker'/><category term='AxBan'/><category term='Blackhat'/><category term='Windows Mobile'/><category term='shows'/><category term='Twitter'/><category term='Barbie'/><category term='bilski'/><category term='CISSP'/><category term='#breakingin'/><category term='Myspace'/><category term='fbi'/><category term='Kindle Fire'/><category term='crack'/><category term='sidejacking'/><category term='crazy'/><category term='cablegate'/><category 
term='spoofing'/><category term='analogies'/><category term='amazon'/><category term='telnet'/><category term='deep inspection'/><category term='invention'/><category term='Legacy negligence'/><category term='database'/><category term='Windows 7'/><category term='internships'/><category term='ASLR'/><category term='NSA'/><category term='#BSidesLV'/><category term='SDLC'/><category term='unsafe clib'/><category term='Internet'/><category term='vulnerability disclosure'/><category term='research'/><category term='social engineering'/><category term='Silicon Snake Oil'/><category term='law'/><category term='hurricane'/><category term='politics'/><category term='Vendor of the Week'/><category term='random'/><category term='guru'/><category term='Errata'/><category term='Radio'/><category term='USRP'/><category term='wizards'/><category term='games'/><category term='careers'/><category term='hacker tool'/><category term='blog'/><category term='Symbian'/><category term='kindle'/><category term='bluetooth'/><category term='certification'/><category term='economics'/><category term='captcha'/><category term='disarmament'/><category term='Orwell'/><category term='scada'/><category term='entertainment'/><category term='intellectual property'/><category term='MMORPG'/><category term='bizzaro world'/><category term='dictionary'/><category term='seattle'/><category term='PWN2OWN'/><category term='Communications Act of 1934'/><category term='mozilla'/><category term='iPad'/><category term='password'/><category term='identity theft'/><category term='Books'/><title type='text'>Errata Security</title><subtitle type='html'>Errata Security is a high-end cyber security consulting company.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default?max-results=100'/><link rel='alternate' 
type='text/html' href='http://erratasec.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default?start-index=101&amp;max-results=100'/><author><name>David Maynor</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>464</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-37798047.post-8384950017687819827</id><published>2012-02-02T17:37:00.000-05:00</published><updated>2012-02-02T17:37:48.285-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><title type='text'>Why we have jobs in cybersec</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;I just got an email from my accountant:&lt;br /&gt;&lt;blockquote&gt;Attached, please find your 2011 Tax Organizer, which has been password protected.  The Password is the FIRST FOUR digits of the taxpayer's social security number.&lt;/blockquote&gt;&lt;br /&gt;This seems reasonable. After all, your card for ATM machines has only a 4-digit PIN number. In addition, since the LAST 4 digits are so often used, many people know them, so they chose 4 digits that somebody else wouldn't know.&lt;br /&gt;&lt;br /&gt;But of course, the problems with this are obvious to any professional.&lt;br /&gt;&lt;br /&gt;There are three reasons why 4 digits work for ATM machines, and why they don't work here.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The ATM card itself is the PRIMARY security; the PIN number is only SECONDARY.
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Guessing the PIN number is "online" (you can only guess a few numbers before the ATM machine eats your card), but PDF guessing is "offline" (you can make as many failed guesses as you want).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The third reason things are different is that stealing money from an ATM is limited to only a few hundred dollars, whereas documents from your accountant can lead to the loss of all your money.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;I can pay my neighbor's kid $20 to sit in front of a computer for a couple of hours trying all 10,000 combinations until they guess the right password. The kid might get smart and google &lt;a href="https://www.google.com/search?q=social+security+number+prefixes"&gt;social security number prefixes&lt;/a&gt; and reduce the number of attempts by quite a lot. Indeed, if he could figure out where I was born, he might reduce his search to only a few hundred attempts, because the first three digits are assigned by which state you are born in. Which is why people ask you for your &lt;i&gt;last &lt;/i&gt;4 digits rather than the &lt;i&gt;first &lt;/i&gt;4 digits, because they are so easily guessed.&lt;br /&gt;&lt;br /&gt;Or, I can download free software to do it for me. I downloaded &lt;a href="http://parallelrecovery.com/pdf-password.html"&gt;this program&lt;/a&gt; and after 2 seconds of crunching numbers, it came up with the right password:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-USDv5AnCjQU/TysMYf9uGYI/AAAAAAAAAiw/8zj0RMb0q88/s1600/crack-pdf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-USDv5AnCjQU/TysMYf9uGYI/AAAAAAAAAiw/8zj0RMb0q88/s1600/crack-pdf.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;(This image is edited, of course; my SSN does not actually start with "5967".)&lt;br /&gt;&lt;br /&gt;So, what's the right solution?
You can't send an encrypted PDF and the password in the same e-mail (as some people do), because then hackers can yet again decrypt the PDF. Instead, you have to exchange passwords "out-of-band", such as on the phone or when you visit the office. The encryption is only as strong as the password, so you have to choose a long one (more than 12 characters that are hard to guess).&lt;br /&gt;&lt;br /&gt;The REAL correct solution is for vendors to better integrate PGP or S/MIME into email systems. PDF encryption was chosen in this case because it's built-in. Likewise, generating public/private keys should be built into every e-mail system -- but it's not.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-8384950017687819827?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/8384950017687819827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=8384950017687819827' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8384950017687819827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8384950017687819827'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/02/why-we-have-jobs-in-cybersec.html' title='Why we have jobs in cybersec'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/-USDv5AnCjQU/TysMYf9uGYI/AAAAAAAAAiw/8zj0RMb0q88/s72-c/crack-pdf.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-6428427514538845354</id><published>2012-01-11T18:42:00.012-05:00</published><updated>2012-01-13T19:29:20.630-05:00</updated><title type='text'>January 18: SOPA blackout day</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-sSYLDtQ2J_8/Tw47R4K67NI/AAAAAAAAAiU/x9G9mNBLjos/s1600/blackout.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="260" src="http://4.bp.blogspot.com/-sSYLDtQ2J_8/Tw47R4K67NI/AAAAAAAAAiU/x9G9mNBLjos/s320/blackout.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;a href="http://www.huffingtonpost.com/2012/01/11/reddit-blackout-sopa-pipa-protest_n_1198740.html"&gt;Reddit&lt;/a&gt; has decided to &lt;a href="http://blog.reddit.com/2012/01/stopped-they-must-be-on-this-all.html"&gt;black out &lt;/a&gt;their site on January 18 in protest against SOPA and PROTECT IP. This blog will, too.&lt;br /&gt;&lt;br /&gt;This blog is hosted on blogspot.com, so I can't pull the plug on it. What I can do instead is simply change the &lt;b&gt;template&lt;/b&gt; so that the background is black and the foreground is also black. I've done this for the demonstration site&amp;nbsp;&lt;a href="http://sopa-protest.blogspot.com/"&gt;http://sopa-protest.blogspot.com&lt;/a&gt;.
You can see that all the articles, such as &lt;a href="http://sopa-protest.blogspot.com/2012/01/why-sopa-is-wrong.html"&gt;this one&lt;/a&gt; and &lt;a href="http://sopa-protest.blogspot.com/2012/01/example-post.html"&gt;this one&lt;/a&gt;, have the same template, and thus have the same blackout effect, so I don't need to edit the articles individually to cause the blackout. After January 18th, I'll simply change the template back again.&lt;br /&gt;&lt;br /&gt;Thus, the steps are:&lt;br /&gt;&lt;ol&gt;&lt;li&gt; SAVE the original template first!!!&lt;br /&gt;&lt;/li&gt;&lt;li&gt; Change the template ("Edit HTML") so that the text is black-on-black, so nobody can read it.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; Add the protest message to the template, such as after the &lt;tt&gt;&amp;lt;body&amp;gt;&lt;/tt&gt; tag.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; Save the new template at 8am on January 18, 2012.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; Restore your old, saved template at 8pm January 18, 2012.&lt;br /&gt;&lt;/li&gt;&lt;li&gt; This November, send donations to the competitors of those politicians who voted for SOPA.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;i&gt;(Of course, only a couple thousand people will notice the difference on our blog, most of whom oppose SOPA anyway, but the symbolic gesture is still important).&lt;/i&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;hr/&gt;&lt;b&gt;Update:&lt;/b&gt; Here is a list of other &lt;a href="http://nlb-creations.com/2012/01/13/websites-confirmed-for-the-jan-18-blackout-protesting-sopa/"&gt;websites blacking out on Jan 18&lt;/a&gt;.&lt;br /&gt;&lt;hr/&gt;&lt;b&gt;Update:&lt;/b&gt; You can easily change your Twitter picture to include a SOPA reference here: &lt;a href="http://www.blackoutsopa.org/"&gt;http://www.blackoutsopa.org/&lt;/a&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; Here is a great link &lt;a 
href="http://www.techdirt.com/articles/20120111/09293817377/as-sopapipa-becomes-toxic-frantic-congress-test-runs-dropping-dns-blocking-provisions.shtml"&gt;http://www.techdirt.com/articles/20120111/09293817377/as-sopapipa-becomes-toxic-frantic-congress-test-runs-dropping-dns-blocking-provisions.shtml&lt;/a&gt; that discusses how the problems with SOPA aren't simply the well-known "DNS blocking" issue. It's a wide range of issues that gives too much power to copyright holders, and forces websites to block content because of liability risk. &lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; BTW, it's interesting how Reddit has become the new center of geekdom. Even though this blog has been Slashdotted a few times, far more traffic has come from Reddit. I wonder if Slashdot plans to similarly black out their site in protest.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-6428427514538845354?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/6428427514538845354/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=6428427514538845354' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6428427514538845354'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6428427514538845354'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/01/january-18-sopa-blackout-day.html' title='January 18: SOPA blackout day'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-sSYLDtQ2J_8/Tw47R4K67NI/AAAAAAAAAiU/x9G9mNBLjos/s72-c/blackout.png' height='72' width='72'/><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5235236781036062259</id><published>2012-01-10T22:27:00.008-05:00</published><updated>2012-01-11T17:01:14.522-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='movies'/><title type='text'>This message will self-destruct in five seconds.</title><content type='html'>(Warning: Spoiler Alert ahead... or maybe not. I mean, it's not like there's some big Shyamalanesque plot-twist at the end of these things...)&lt;br /&gt;&lt;br /&gt;The other day a friend said, "&lt;i&gt;You have to go see &lt;a href="http://www.imdb.com/title/tt1229238/"&gt;Mission: Impossible - Ghost Protocol&lt;/a&gt;! You will love it, ya know, because you're in security&lt;/i&gt;." I'm not really the type that goes and sees every action movie, but I was sufficiently intrigued by the promise that the fourth installment of the series might be a hacker flick. Those are always good for a sobering insight into what Hollywood thinks of our industry or for a laugh. So I went... and I loved it! 
It was the gadget-filled, awesomely insane tapestry of extreme action and suspense that we all have come to love and expect from Tom Cruise.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-lijYs90S-0Y/Tw4FZRfRYJI/AAAAAAAAAiA/QKoIjjzyBVo/s1600/Mission%252BImpossible%252BGhost%252BProtocol_10.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="213" src="http://2.bp.blogspot.com/-lijYs90S-0Y/Tw4FZRfRYJI/AAAAAAAAAiA/QKoIjjzyBVo/s320/Mission%252BImpossible%252BGhost%252BProtocol_10.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;But it didn't seem to me to be a hacker flick&lt;/b&gt;. So I messaged my friend and I said, "The gadgets were by far the best in this movie. The story was the most appealing. The actors all had great chemistry. But that isn't why you said I would like it, so please explain, why did you call that a movie about infosec?" He then began recounting all of the scenes where Old Man Cruise has to rappel from something or dive off something and get something out of some ridiculously locked room. But what he of course noticed, and I had been too dazzled to see, was that the real heavy lifting in those scenes was done by the team's standard-issue hacker character (Simon Pegg). Tom has to go into the vault to get the microfiche (really, still??) but Simon is the one that gets that door open.&lt;br /&gt;&lt;br /&gt;The most interesting part though is how the hacking is done. In a cruel twist of fate and conspiracy from the highest levels, the president initiates "Ghost Protocol" and the team becomes exiled with no access to the Carnivore-like CIA network that usually makes things like breaking the encryptions Hollywood-quick.
So they're forced to kick it old-school and do a pretty nice variety of physical penetration hacks.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;MI:4&lt;/i&gt; has reminded me how effective the physical security attack really is. While today's military grade firewall may be Fort Knox at keeping people out of the tubes, there's really nothing that's going to stop a hacker if they're sitting right in front of the machine. Or if their increasingly disgruntled team leader is sitting in front of the machine with a pocket router after having scaled the sheer side of the tallest building in Dubai using only a suction cup and a fire hose. Or if the guy on the team who was never part of the plan that has to slide down an HVAC shaft into a subterranean server room that without the cooling system has become "an oven", and by the way the walkie-talkies aren't working and the bad guys just cut the satellite feed,  is sitting right in front of the machine. Or if the plucky new female agent with a grudge and something to prove floats a balloon holding a wireless connection device over a wall to get into the signal area.... Well, I guess they can't all be extreme, but it shows the excellent point that if your physical security strategy doesn't cover the 50 feet underground and the 15,000 feet of air space above it, you're doomed. 
(Don't worry the plucky female agent gets extreme redemption when she completes one of our other favorite old-school physical hacks, the 'beating someone with a &lt;a href="https://www.xkcd.com/538/"&gt;$5 hammer&lt;/a&gt;&amp;nbsp;[xkcd] until they tell you the password' technique.)&lt;br /&gt;&lt;br /&gt;Oh, and also everyone on the property should probably be assigned a dog because people are incredibly dumb.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5235236781036062259?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5235236781036062259/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5235236781036062259' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5235236781036062259'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5235236781036062259'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/01/this-message-will-self-destruct-in-five.html' title='This message will self-destruct in five seconds.'/><author><name>Marisa Fagan</name><uri>http://www.blogger.com/profile/01185065599379609480</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://bp0.blogger.com/_96sSF15CVnM/SCipA24vSDI/AAAAAAAAAA0/QJN0KuMNt84/S220/marisa+in+the+car+mirror.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-lijYs90S-0Y/Tw4FZRfRYJI/AAAAAAAAAiA/QKoIjjzyBVo/s72-c/Mission%252BImpossible%252BGhost%252BProtocol_10.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5462535185331878160</id><published>2012-01-09T17:22:00.012-05:00</published><updated>2012-01-09T22:49:21.722-05:00</updated><title type='text'>Multithreaded teaches the wrong lessons about multicore</title><content type='html'>This &lt;a href="http://packetchaser.org/index.php/opensource/achieving-10gbps-write-to-disk-performance-part-4#more-631"&gt;blog-post&lt;/a&gt; compares two open-source “packet logging” programs. These are simple programs that log network traffic directly to the disk. That blog-post finds that the multithreaded program is a lot faster than the single-threaded program, &lt;b&gt;confirming people’s prejudices that in the modern world with multicore systems, multithreaded is better&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;But the results are suspect. It finds that a TWO-threaded program is SIX times faster. That doesn’t make sense. If the issue were truly just “multithreaded vs single-threaded”, then we’d expect at most a two-fold increase, not a six-fold increase.&lt;br /&gt;&lt;br /&gt;Instead, the real problem here is the way that the application has to “wait” on either the network or the disk. One way to solve this waiting is to put the network portion on one thread, and the disk portion on another thread. That’s what &lt;a href="http://staff.washington.edu/corey/gulp/"&gt;Gulp&lt;/a&gt; does. It’s many times faster than &lt;a href="http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html"&gt;Daemonlogger&lt;/a&gt; even on computers with only a single processing core.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;But multithreaded is only one way to solve this problem. Another way would be to use asynchronous APIs, and/or larger buffers. It’s the same way that single-threaded programs have long dealt with “waiting”,
like “&lt;a href="http://www.kegel.com/c10k.html"&gt;C10K&lt;/a&gt;” web-servers that might be only single-threaded.&lt;br /&gt;&lt;br /&gt;The true reason Gulp is faster has nothing to do with its multithreaded nature, but with the way it cleverly uses Linux APIs in order to get out of the way. Network adapters want to DMA packets directly into a buffer at full speed, bypassing the CPU and operating system kernel. Disk adapters want to DMA data directly from memory at full speed, likewise bypassing the CPU and kernel. Today’s hardware can easily do this at many times 10-gbps speeds. The problem is that today’s operating system kernels get in the way. The trick to making this work is to figure out just the right operating system APIs to trick the kernel into getting out of the way. The reason Gulp is faster is that it does a better job getting out of the way than Daemonlogger, not that it’s multithreaded.&lt;br /&gt;&lt;br /&gt;More to the point, Gulp still fails at being “multicore”. Computers have been stuck at 3-GHz for the past decade; instead of getting faster, we now get multiple cores. Gulp scales to 2 cores, but not 12 cores. It’s no faster in a 12 core system than a 2 core system. (My laptop has 4 cores, my desktop has 12 cores).&lt;br /&gt;&lt;br /&gt;The problem we face today is that people think “multithreaded” means “multicore”. It doesn’t. Multithreaded means running DIFFERENT tasks on a SINGLE core, like how Gulp runs one thread for capture and one for logging to disk, making it faster than Daemonlogger even on a single core. In contrast, multicore programming means running the SAME tasks on MANY cores, so making something faster simply means adding cores. Gulp fails at this.&lt;br /&gt;&lt;br /&gt;Most software that people hail as being “multithreaded” fails at being truly “multicore”. A good example of this is the Linux kernel itself, which claims to scale to 64 cores. It does, but only for selected applications and benchmarks.
Linux fails at being truly multicore for other tasks, such as packet-sniffing. A great many multithreaded applications fail to scale well on Linux.&lt;br /&gt;&lt;br /&gt;Another example is PF_RING. It uses custom drivers to bypass the inefficiencies of the Linux kernel for 10gbps speeds, but then it uses “spinlocks” instead of “atomics” for synchronization, so it fails at being multicore. After about 4 cores, adding additional cores makes PF_RING go slower, not faster.&lt;br /&gt;&lt;br /&gt;If you want a truly scalable system, instead of going “multithreaded”, you need to cheat. Today’s packet-sniffing adapters (PF_RING, Napatech) can split incoming traffic into separate streams by hashing TCP/IP socket info. So exploit that. Buy a cheap 8-core system, use one of these adapters to create 8 streams, and buy 8 high-speed disks (like SSDs). Simply run 8 separate instances of Gulp/Daemonlogger, each bound to a core, stream, and disk. When you want to analyze the traffic logged to the disks, you’ll have to recombine the streams back into a single one, but that’s not too difficult, especially when you are using a system costing $2000 that would otherwise cost you $50,000.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;That original blog-post confirms your prejudices that multithreaded software is inherently better than single-threaded software, an important lesson for today’s multicore computers. But, when you look deeper at it, you find that the results are suspect and that it teaches entirely the wrong lessons about multithreaded software. Gulp fails at being multicore every bit as much as Daemonlogger does.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Historical note:&lt;/b&gt; &lt;b&gt;BlackICE&lt;/b&gt;, the first IPS written in 1998, was a two-threaded system, with one thread for packet-capturing (using a custom driver that looks a lot like modern PF_RING) and another thread for analysis. It had the same "producer-consumer" relationship that Gulp has.
While it was multithreaded, it wasn't truly multicore, and did not scale past two cores. I don't know for sure, but I'm told that IBM (which now sells BlackICE as "Proventia") has converted the software so that it's truly multicore.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; One tweeter took exception to my &lt;b&gt;terminology&lt;/b&gt;, since nobody else makes the distinction/comparison between "multithreaded" and "multicore" the way I do. But that's entirely the point. Multithreaded programming techniques were developed for decades for either single core systems, or systems with a small number of cores. Those techniques your textbooks teach you fail when you get to 12 cores, like I have on my desktop. Just because a program (like Gulp) is multithreaded doesn't mean it's solved the problem of running on all 12 cores (which it doesn't). Thus, just because something is "multithreaded" doesn't mean that it's truly "multicore".&lt;br /&gt;&lt;br /&gt;I forget who, but somebody (&lt;a href="http://www.azulsystems.com/events/javaone_2007/2007_LockFreeHash.pdf"&gt;Azul Systems&lt;/a&gt;) has created a hashtable using atomic operations that scales to 1000 cores doing insertions and lookups simultaneously. Now THAT is true multicore.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; The 'cheat' solution I mention above is how people run high-speed &lt;b&gt;Snort&lt;/b&gt;, a painfully single-threaded IDS. I think it's a bastard solution to the problem, but it turns out, customers are actually quite happy with it. (Which I guess is another lesson: what matters is how much customers like the pork sausage, not how it's made).&lt;br /&gt;&lt;br /&gt;So let's say you test this by using something like 'tcpreplay' at 10gbps. You'll find that the solution doesn't &lt;i&gt;appear &lt;/i&gt;to work. That's because, using tcpreplay, you take packets captured from slow networks and replay them at much higher speeds.
On slow networks, like your home 10-mbps connection, a single TCP connection can use up the entire bandwidth. When you replay at 10-gbps, a single TCP connection captured at 10mbps is being replayed at 10gbps, which causes it to be sent to a single virtualized adapter, which can't handle more than 1.25-gbps.&lt;br /&gt;&lt;br /&gt;Thus, when testing your cheated Snort solution, you now have two separate metrics: &lt;b&gt;maximum network speed&lt;/b&gt;, and &lt;b&gt;maximum TCP connection speed&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;But a truly multithreaded/multicore solution might not do any better. Packets on a TCP connection must still be processed in-order, so you can't have one core process one packet on the TCP connection while another core processes another packet. Instead, to truly speed up the single-TCP-connection problem, you'll have to have multiple cores working together on a single packet. That's a hard problem, because chances are good that synchronization overhead (even using lightweight atomics) will cost more than you gain. Thus, a cheating solution may actually perform better on this metric than the proper solution.&lt;br /&gt;&lt;br /&gt;Either way, I hope IDS/IPS evaluators like &lt;a href="http://www.nsslabs.com/"&gt;NSS &lt;/a&gt;start measuring single-TCP-connection speed along with max-network-speed.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; So how can you fix &lt;b&gt;PF_RING &lt;/b&gt;to be multicore? Well, a good lesson is how &lt;b&gt;PACKET_RX_RING &lt;/b&gt;does it. Both similarly-named solutions do roughly the same thing: create a memory mapped user-space ring-buffer for incoming packets. PF_RING does this with zero copy at 15-million packets/second bypassing the kernel; PACKET_RX_RING does this by making kernel copies at 1.5-million packets/second.&lt;br /&gt;&lt;br /&gt;Ring-buffers are easily synchronized in a producer/consumer fashion. If there is only one consumer, then no special synchronization is needed. 
If there is one producer and many consumers, then the consumers need to synchronize among themselves, but not with the producer.&lt;br /&gt;&lt;br /&gt;PACKET_RX_RING, while slow because of interference with the kernel, allows wait-free synchronization. The 12 threads trying to read packets simply do a &lt;tt&gt;__atomic_compare_and_exchange()&lt;/tt&gt; on the "current packet" pointer (which in x86 will be a &lt;tt&gt;lock cmpxchg&lt;/tt&gt; instruction). If the operation succeeds, the current thread owns the packet; if it fails, the current thread tries again OR goes to sleep. (This synchronization also implies thread scheduling, so that threads can go to sleep, causing CPU cores to go to sleep, consuming less electricity).&lt;br /&gt;&lt;br /&gt;PF_RING, while otherwise fast, does numerous "&lt;tt&gt;spinlock()&lt;/tt&gt;s". When trying to read a packet, threads will furiously spin consuming vast amounts of resources, causing the system to slow down as you add more threads.&lt;br /&gt;&lt;br /&gt;On Linux, the '&lt;tt&gt;spinlock()&lt;/tt&gt;' wait primitive is thought to be very fast, because it has the best "best-case" performance. If there is no conflict, it is just as fast as an &lt;tt&gt;atomic&lt;/tt&gt; primitive. However, when there is a lot of conflict, because you have a lot of threads, it has one of the worst "worst-case" performances, because they will be furiously spinning using up system resources.&lt;br /&gt;&lt;br /&gt;So the upshot is that PF_RING needs to get rid of all "spinlocks" and use "atomics" instead, so that 12 cores are faster than 11 cores, and so that it allows the application to schedule threads to go to sleep instead of furiously spinning. As with PACKET_RX_RING, you shouldn't need more than one atomic compare-and-swap per packet read from the interface.&lt;br /&gt;&lt;br /&gt;(Note: These comments are from playing with PF_RING last year. I used one 10gig transmit adapter and another receive adapter. 
I used the built-in sample apps off of '&lt;tt&gt;dna0&lt;/tt&gt;' that allow you to specify the number of threads. The more threads, the slower the packet receive: 1 thread did about 12-million packets/second, 12 threads did 1-million packets/second. Looking in the open-source part of the code, I saw evil spinlocks. I didn't disassemble the closed-source part of the code in order to see why the spinlocks were necessary).&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;b&gt;Update:&lt;/b&gt; Ten years ago, the x86 &lt;tt&gt;lock&lt;/tt&gt; prefix forced an uncached memory transaction, which took about 250 clock cycles on a 3-GHz Pentium 4. Today, with integrated memory controllers, it causes an L3 cache operation, which can be as low as 25 clock cycles on a 3-GHz Sandy Bridge processor.&lt;br /&gt;&lt;br /&gt;The upshot is that "atomic" operations were expensive in the era of "multithreaded" code, but have become ten times cheaper in the era of "multicore" code.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5462535185331878160?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5462535185331878160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5462535185331878160' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5462535185331878160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5462535185331878160'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/01/multithreaded-teaches-wrong-lessons.html' title='Multithreaded teaches the wrong lessons about multicore'/><author><name>Robert 
Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2474483943318433497</id><published>2012-01-05T15:23:00.029-05:00</published><updated>2012-01-05T20:12:32.471-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rights'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet'/><title type='text'>Internet is indeed a human right</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-vkPIEB8e98o/TwYGWYsEgmI/AAAAAAAAAh4/1UeOXJu3fVY/s1600/200px-Vint_Cerf_-_2010.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-vkPIEB8e98o/TwYGWYsEgmI/AAAAAAAAAh4/1UeOXJu3fVY/s200/200px-Vint_Cerf_-_2010.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Vint Cerf (former Founding Father of the Internet, and current Google lobbyist) says that the &lt;a href="http://www.nytimes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html"&gt;Internet access is not a human right&lt;/a&gt;. He is profoundly wrong.&lt;br /&gt;&lt;br /&gt;The gist of his argument is that the Internet is just technology. It’s how we use this technology (for things like speech) that is the human right, not the technology itself. That’s the wrong way to look at it. New technology adds new complications that require clarification.&lt;br /&gt;&lt;br /&gt;That's what happened with the printing press. 
Our founding fathers chose to enshrine technology in our Bill of Rights, by saying that “&lt;i&gt;Congress shall pass no law abridging the freedom of the printing press&lt;/i&gt;”. The invention of the printing press revealed new rights, new concerns nobody cared about until the printing press appeared. It's difficult trying to list these new rights without reference to the technology that enabled them. Instead of "right to publish", it's just easier to simply say "right to printing-press".&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Vint Cerf says "&lt;i&gt;It is a mistake to place any particular technology in this exalted category [human rights], since over time we will end up valuing the wrong things&lt;/i&gt;". The printing press disproves this -- even though actual printing presses are certainly becoming obsolete, the values they revealed are not.&lt;br /&gt;&lt;br /&gt;You might be tempted to apply Cerf’s argument to the printing press, and say that “freedom of speech” already covers “freedom of the printing press”, but you’d be wrong. As history has shown, it’s not always clear how to map one right onto the other. Reasons why governments restrict speech are different from the reasons why governments restrict presses. The type of restriction against speakers at crowded protests is very different from the restrictions against printed agitprop pamphlets. Governments can restrict the printing press without, technically, infringing speech.&lt;br /&gt;&lt;br /&gt;For example, government originally licensed printing presses. The reason was that the press introduced new economics. It cost a lot to set up the press for the first copy, but subsequent copies were very cheap. You could only pay back the original investment if you could sell a lot of copies. If two printers decided to print the same thing at the same time, then neither could recoup their initial investment, and both would go bankrupt. Therefore, some coordination by the government was “needed”. 
This was the situation before 1709 in England. The abuse of that system, such as government censorship, forced the laws to change (“&lt;a href="http://en.wikipedia.org/wiki/Statute_of_anne"&gt;Statute of Anne&lt;/a&gt;”).&lt;br /&gt;&lt;br /&gt;You might point out that the First Amendment actually said only “press” and not “printing press” (correct) and argue that it therefore only referred to newspapers (wrong). By “press” it meant all actions of the printing press, including printing things like Thomas Paine’s &lt;i&gt;Common Sense&lt;/i&gt; or the &lt;i&gt;Declaration of Independence&lt;/i&gt;. The First Amendment very much refers to the situation 100 years earlier when the English government controlled the printing presses.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Update:&lt;/b&gt; Eugene Volokh has a great discussion of this &lt;a href="http://www.pennumbra.com/issues/pdfs/160-2/Volokh.pdf"&gt;here&lt;/a&gt; (summarized &lt;a href="http://www.americanthinker.com/2011/12/who_is_the_press_in_the_first_amendment.html"&gt;here&lt;/a&gt;). Samuel Johnson's &lt;a href="http://johnsonsdictionaryonline.com/?page_id=7070&amp;i=1563"&gt;1755 dictionary&lt;/a&gt; makes no mention of the newspaper industry when defining "press". It wasn't until after the First Amendment was written that "press" started to be used for "newspaper industry".&lt;br /&gt;&lt;br /&gt;We have the same situation today, where today’s copyright laws are used to stifle freedom of expression. For example, #Anonymous hackers created a “mashup" &lt;a href="http://www.youtube.com/watch?v=7jsIekN4ZsA"&gt;video&lt;/a&gt; of Tom Cruise effusively praising Scientology. Scientologists exploited copyright law in order to take the video off the Internet in order to suppress legitimate criticism.&lt;br /&gt;&lt;br /&gt;A simple statement of “rights” would do much to clarify things. Today, the SOPA law (designed to protect copyright) is not unconstitutional. 
Now consider a “right” that says “&lt;b&gt;Government shall not abridge access to the Internet&lt;/b&gt;”. Suddenly, this proposed SOPA law is obviously wrong, because “abridging access to the Internet” is precisely what it does. It's not just copyright abuse, but issues from cyberwar to cyberbullying to regulation of Terms of Service to privacy: a clarification of rights is important.&lt;br /&gt;&lt;br /&gt;Or consider phrasing it as "&lt;b&gt;Government shall not abridge access to information&lt;/b&gt;". It's a minor change, removing the reference to technology. It introduces a new right, "information", that we didn't know we needed until the Internet came along (much as the printing press introduced rights we didn't know we needed). Information is every bit as important as speech. But referencing the technology is easier: it gives us this new right, as well as resolves the complications with existing rights. If Vint Cerf's followers convinced me I'm wrong, and that Internet (or cyberspace) is not a right, I would still insist that unrestricted access to information is a fundamental right that needs to be enumerated.&lt;br /&gt;&lt;br /&gt;We can measure the importance of Internet-as-right in the inverse, in proportion to the efforts repressive governments take to restrict access to the Internet. Take China, for example. Their "Great Firewall of China" blocks large parts of the Internet. They force Google to remove items from its search results, such as any mention of the &lt;a href="http://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989"&gt;Tiananmen Square uprising&lt;/a&gt;, or even references to the recent &lt;a href="http://en.wikipedia.org/wiki/Arab_spring"&gt;Arab Spring&lt;/a&gt; (in case its citizens get any wrong ideas). It's not speech being repressed here so much as access to information. 
In both repressive and free countries, we now see more attacks on Internet access than we do on speech, religion, or newspapers.&lt;br /&gt;&lt;br /&gt;Vint Cerf is correct in saying that we need no clarification to know that the Egyptian Internet cutoff (to silence protests) was evil. But he is incorrect in saying no clarification is needed. The First Amendment is not technology neutral: the 18th century version calls out the technology of the printing press, and the 21st century version should call out the technology of the Internet. Internet access is a human right, and even well-meaning governments are already infringing it, because of the lack of clarification.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-2474483943318433497?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2474483943318433497/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2474483943318433497' title='14 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2474483943318433497'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2474483943318433497'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/01/internet-is-indeed-right.html' title='Internet is indeed a human right'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/-vkPIEB8e98o/TwYGWYsEgmI/AAAAAAAAAh4/1UeOXJu3fVY/s72-c/200px-Vint_Cerf_-_2010.jpg' height='72' width='72'/><thr:total>14</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3872220574697222219</id><published>2012-01-04T13:32:00.007-05:00</published><updated>2012-01-05T20:12:53.236-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='password'/><title type='text'>Passwords: uniqueness, not complexity</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-zUNvy7SP_Cw/TwSa2AGIZZI/AAAAAAAAAhs/vu8yefyENZE/s1600/stratfor.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-zUNvy7SP_Cw/TwSa2AGIZZI/AAAAAAAAAhs/vu8yefyENZE/s1600/stratfor.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Hacktivists recently broke into the &lt;a href="http://zone-h.org/mirror/id/16416728"&gt;StratFor &lt;/a&gt;website and dumped details of 800,000 accounts, including e-mail addresses and password-hashes. Since the password-hashes were simple MD5, it meant that almost all the passwords were easily cracked. People have looked at the passwords, and found that most people chose simple ones, such as "&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;password123"&lt;/span&gt;. This has led to articles like this one (&lt;a href="http://www.msnbc.msn.com/id/45871509/ns/technology_and_science-security/"&gt;&lt;i&gt;Breach shows that even experts chose bad passwords&lt;/i&gt;&lt;/a&gt;) that claims "&lt;i&gt;Security experts recommend building long, complex, case-sensitive passwords with multiple characters"&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;Nope. That's wrong advice. 
Your password for a free or cheap StratFor account doesn't need to be complex, because there is little to lose if hackers guess it.&lt;br /&gt;&lt;br /&gt;Instead, what's important is that the password be unique. Most sites are like StratFor and have poor cybersecurity. (StratFor wasn't even close to good cybersecurity; they were horrible on almost any measure). Any information you give them, such as your password, will eventually get stolen by hackers. If you use the same password for all websites, then eventually hackers will break into one of those sites, then gain access to all your other accounts.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;There are essentially three tiers of websites. At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This one should be both very complex and wholly unrelated to any other accounts.&lt;br /&gt;&lt;br /&gt;At the second tier are important e-commerce sites, like Amazon.com, NewEgg.com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.&lt;br /&gt;&lt;br /&gt;At the third tier are the unimportant accounts, like StratFor, where it wouldn't be catastrophic if your password were lost. Again, you could choose a third, simple password, like "&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;passwd1234&lt;/span&gt;" for all these accounts. It'll probably get stolen within a year, but who really cares?&lt;br /&gt;&lt;br /&gt;Thus, you really only need three passwords, one for each tier, so it's not too much trouble. However, even then, you might consider adding uniqueness. 
For example, on the last tier, you might use the domain name as your password, like "&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;passwdStratfor1&lt;/span&gt;". When a hacker breaks in and runs an automated script to see if your password is unique, the script will fail to find a match on any other site. Sure, a hacker looking at the password individually will figure out your scheme, but in a huge hack like the 800,000 StratFor accounts, hackers are unlikely to manually check every password.&lt;br /&gt;&lt;br /&gt;In conclusion, your first password policy shouldn't be complexity, but uniqueness. When hackers break into a site like StratFor and discover your password is "&lt;span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"&gt;password1&lt;/span&gt;", you shouldn't be embarrassed. You should instead say you don't care about your free StratFor account, or that hackers break into it, and that knowing this password doesn't help break into any account you do care about.&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;Updates:&lt;br /&gt;&lt;br /&gt;Somebody also suggested Stiennon's article on Forbes &lt;a href="http://www.forbes.com/sites/richardstiennon/2011/12/28/fallout-from-the-christmas-hack-of-stratfor/"&gt;Fallout from the Christmas Hack of Stratfor&lt;/a&gt;. 
His analysis is wholly incorrect -- unless Stiennon has also tested those passwords to see if they were reused.&lt;br /&gt;&lt;br /&gt;Rob Lemos criticizes password reuse at InfoWorld: &lt;a href="http://www.infoworld.com/t/password-security/new-year-same-old-security-passwords-183161"&gt;New year, same old security passwords&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;XKCD has an evil plan at &lt;a href="https://www.xkcd.com/792/"&gt;https://www.xkcd.com/792/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Nick Selby writes about &lt;a href="http://policeledintelligence.com/2012/01/03/with-that-revealing-shirt-he-was-just-begging-to-be-hacked-blaming-the-victim-in-the-stratfor-hack/"&gt;Blaming The Victim in the STRATFOR Hack&lt;/a&gt;, how we need to stop blaming the people whose passwords were revealed, and start blaming StratFor for its incredibad cybersec.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3872220574697222219?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3872220574697222219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3872220574697222219' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3872220574697222219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3872220574697222219'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/01/passwords-uniqueness-not-complexity.html' title='Passwords: uniqueness, not complexity'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-zUNvy7SP_Cw/TwSa2AGIZZI/AAAAAAAAAhs/vu8yefyENZE/s72-c/stratfor.jpg' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5716058990099557172</id><published>2012-01-01T13:09:00.002-05:00</published><updated>2012-01-01T17:56:50.056-05:00</updated><title type='text'>Predictions for 2012</title><content type='html'>We predict there is a more than 80% chance the Mayan calendar is wrong and the world will not end. Other predictions we have are:&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Cloud&lt;/h2&gt;Cloud cloud cloud cloud cloud. Whatever products/services people come out with in the next year, they will position them as being perfect (or even necessary) for the cloud.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;SCADA/ICS&lt;/h2&gt;How many cybersec experts does it take to change a lightbulb? Yes, SCADA/ICS systems are 15 years behind in terms of security, and yes, there is usually a path that can be found from the Internet to these systems, but no, there is no huge danger looming on the horizon. There will be no massive power blackout in 2012, and nobody will die from a probably malicious attack.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Cyber-war&lt;/h2&gt;The cyber-military industrial complex still needs more funding. 
Congress will pass more laws helping them.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Hacktivism&lt;/h2&gt;#Anonymous #LulzSec #AntiSec #OhMy&lt;br /&gt;&lt;br /&gt;We'll see more lulz, but no important hacks will happen, like exposing the cyber-military industrial complex that created Stuxnet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5716058990099557172?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5716058990099557172/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5716058990099557172' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5716058990099557172'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5716058990099557172'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2012/01/predictions-for-2012.html' title='Predictions for 2012'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7765195009136534955</id><published>2011-12-22T18:15:00.000-05:00</published><updated>2011-12-22T18:15:50.538-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SOPA'/><title type='text'>Easy instructions for boycotting GoDaddy over SOPA</title><content type='html'>SOPA is a horrible internet regulation law pushed by the copyright cartels that will destroy many of the freedoms on the Internet, 
such as the TOR project that anonymizes network traffic for activists in repressive countries.&lt;br /&gt;&lt;br /&gt;Go Daddy supports SOPA. Therefore, if you care about Internet freedoms, you should probably move your accounts to another registrar. This link&amp;nbsp;&lt;a href="http://blog.jeffepstein.me/post/14629857835/a-step-by-step-guide-to-transfer-domains-out-of-godaddy"&gt;http://blog.jeffepstein.me/post/14629857835/a-step-by-step-guide-to-transfer-domains-out-of-godaddy&lt;/a&gt;&amp;nbsp;describes how to do it in a painless manner. I'm moving my Go Daddy registrations to Network Solutions, where I already have an account.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7765195009136534955?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7765195009136534955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7765195009136534955' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7765195009136534955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7765195009136534955'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/12/easy-instructions-for-boycotting.html' title='Easy instructions for boycotting GoDaddy over SOPA'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-8893091285298200297</id><published>2011-12-09T01:18:00.035-05:00</published><updated>2011-12-15T15:58:36.644-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='economics'/><category scheme='http://www.blogger.com/atom/ns#' term='freakonomics'/><title type='text'>Freakonomics vs Cybersecurity</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;I saw this go across my Twitter feed, so I thought I'd write up a quick response. The cybersecurity view of economics is not the same as the economists' view of economics. Using freaky economics like &lt;a href="http://www.amazon.com/Freakonomics-Rev-Ed-Riddles-ebook/dp/B000MAH66Y"&gt;&lt;i&gt;Freakonomics &lt;/i&gt;&lt;/a&gt;is a good way of explaining normal economics.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-X4e7AG4_N7Q/TuGmOx6z9MI/AAAAAAAAAgs/uskiBBJCUKI/s1600/DSC_7722-2_normal.JPG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-X4e7AG4_N7Q/TuGmOx6z9MI/AAAAAAAAAgs/uskiBBJCUKI/s1600/DSC_7722-2_normal.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="color: #444444; font-family: Arial, sans-serif; font-size: 8pt; line-height: 10px;"&gt;&lt;a href="https://twitter.com/#!/SpireSec" title="Pete Lindstrom"&gt;&lt;b&gt;&lt;span style="text-decoration: none;"&gt;SpireSec&lt;/span&gt;&lt;/b&gt;&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="color: #999999; font-family: Arial, sans-serif; font-size: 6.5pt; line-height: 10px;"&gt;Pete Lindstrom&lt;/span&gt;&lt;span style="color: #444444; font-family: Arial, sans-serif; font-size: 8pt; line-height: 
10px;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: 10.35pt; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span style="color: #444444; font-family: Arial, sans-serif; font-size: 8pt;"&gt;Security freakonomics talk tomorrow... what should i say? ;-)&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="line-height: 8.2pt; margin-bottom: .0001pt; margin-bottom: 0in;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: 8px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;br /&gt;The first misconception of economics cybersecurity people have is calculating where the money goes, or how much things cost. That's "business", not "economics". If you are thinking in terms of "Return on Investment" (ROI), then it's not "Economics".&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-bsUYAXGBmME/TuGsh1RLYkI/AAAAAAAAAhA/zdHz88xf9RU/s1600/neighborhood-fireworks.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="133" src="http://4.bp.blogspot.com/-bsUYAXGBmME/TuGsh1RLYkI/AAAAAAAAAhA/zdHz88xf9RU/s200/neighborhood-fireworks.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;The second, and more common use of economics (in the field of cybersecurity), is the &lt;i&gt;political &lt;/i&gt;attempt to prove that there is some sort of "externality" or "market failure" that means we get to punish Microsoft for its vulnerabilities. While the conclusion is faulty, this is a real economics concept. It describes the situation where I sell you fireworks, then you set them off, causing your neighbor's house to catch fire. The "failure" is that it's neither you (the buyer) or me (the seller) who paid the costs, but your neighbor. 
The cost of fire is an "&lt;a href="http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf"&gt;externality&lt;/a&gt;", external to the original transaction.&lt;br /&gt;&lt;br /&gt;The cybersecurity version is that when buyers buy Microsoft software, which has vulnerabilities, it's third parties who suffer. For example, a hacker might exploit a vulnerability in Windows, take control of thousands of desktops, and flood a website with traffic. That website suffers, even though it might not own any Microsoft products.&lt;br /&gt;&lt;br /&gt;While this sounds plausibly "economic", it isn't. Consider the fireworks case. One solution to the problem is to fine the seller of fireworks, or regulate which fireworks they could sell. Another solution is to fine the customer who bought the fireworks and who lit them near their neighbor's house.&lt;br /&gt;&lt;br /&gt;Or, the third solution is to punish the neighbor for having a flammable house.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Economics isn't about fairness, it's about the efficiency of results.&lt;/b&gt; It's that guy with the flammable, thatched roof that imposes costs on all his neighbors. It means the neighbors can't have a cozy fire in their fireplace during winter, they can't have BBQs in the summer, and they can't set off fireworks for celebrations. That is why local governments usually choose the third option. They regulate how houses are built, and outlaw flammable roofs, believing this is the most efficient solution.&lt;br /&gt;&lt;br /&gt;So which is the most efficient solution to Microsoft vulnerabilities? Blame Microsoft? Blame the user? Or blame the poor website victim? Or let the free market decide? 
I don't know the answer, but I know that I've never seen cybersecurity people make an "economic" answer based on efficiency; instead, I've only seen arguments based on how Microsoft is big and evil, and how it's unfair to blame innocent users.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-8G0NCuX3nUM/TuGpqGVBUgI/AAAAAAAAAg4/lCUVup7-Ogo/s1600/mankiw10.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="300" src="http://1.bp.blogspot.com/-8G0NCuX3nUM/TuGpqGVBUgI/AAAAAAAAAg4/lCUVup7-Ogo/s400/mankiw10.jpg" width="300" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;But this is just a tiny portion of economics; there is so much more. I recommend getting a college textbook on beginning economics, such as Greg Mankiw's &lt;a href="http://www.amazon.com/Principles-Economics-6th-ebook/dp/B0051U0DBA"&gt;Principles of Economics&lt;/a&gt;. Follow the link to the Amazon site, and you can read the first chapter for free, which outlines his basic 10 principles of economics.&lt;br /&gt;&lt;br /&gt;Below, I take some of those basic principles and describe them in a cybersecurity context. Think of it as a useful way to learn economics if you already know cybersecurity, or as a way of learning cybersecurity if you already know economics.&lt;br /&gt;&lt;br /&gt;The first principle from Mankiw's textbook is that &lt;b&gt;cybersecurity is a tradeoff&lt;/b&gt;. In terms of logic, it's an XOR operator, not an AND. In terms of Heinlein (sci-fi author), it's TANSTAAFL - There Ain't No Such Thing As A Free Lunch. Making the network more secure means making it worse in some other fashion, such as slower, less reliable, or less user friendly. When cybersecurity experts say dumb things, there's usually a failure to acknowledge the tradeoffs involved, that you must give up something in return for more security. 
The tradeoffs are not just between security and other things, but between two security choices. The funniest joke in cybersecurity is the pair of Wikipedia articles on &lt;a href="http://en.wikipedia.org/wiki/Defense_in_depth"&gt;Defense in Depth&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Defense_in_depth_(computing)"&gt;Defense in Depth (computing)&lt;/a&gt;. The original meaning was about trading off border security for better internal security, such as moving the troops from the border of a country to deeper inside. But no cybersecurity professional can admit to such tradeoffs, that it's OK to reduce security in some place in order to improve security somewhere else. So "defense in depth" has morphed into an argument that no matter how much security you have now, you need even more, both on the border AND in depth.&lt;br /&gt;&lt;br /&gt;The second Mankiw principle is opportunity cost, or that &lt;b&gt;the cost of something is what you give up to achieve it&lt;/b&gt;. The cost of cybersecurity isn't the money you spend, but what you gave up. Hiring another cybersecurity expert on your team means not hiring a salesperson who could sell more of your company's products/services. When you go to your boss and explain why your budget for cybersecurity needs to increase, you need to explain why the budget for marketing, sales, and R&amp;amp;D needs to decrease. During the dot-com era, companies that put up insecure websites first won the dominant market share; those that waited until their websites were secure lost. The opportunity cost of waiting until something is completely secure can mean your entire business.&lt;br /&gt;&lt;br /&gt;The third principle is that &lt;b&gt;rational people think at the margin&lt;/b&gt;. Cybersecurity people talk in absolutes, as if something is either secure or insecure. They should instead talk in relative terms of "more secure" or "less secure". 
Moreover, they need to compare the marginal benefits in security to the marginal costs. That fancy new expensive firewall still won't make you secure; the question instead is whether the marginal improvement in security is worth the price over a cheap firewall. Or, take the TSA screening requiring people to take off their shoes. Cybersecurity experts complain that this makes no difference. They are wrong; taking off the shoes at security makes people marginally safer. The only question is whether this tiny improvement in safety is worth the enormous additional cost (probably not). Part of this is realizing that security has &lt;b&gt;decreasing marginal returns&lt;/b&gt;. The reason that Microsoft can't fix all their bugs is that the more bugs they fix, the more it costs to fix more bugs. Spending a million dollars might fix 1000 vulnerabilities, but spending another million might fix only an additional 100 vulnerabilities. Spending a third million might fix only an additional 10 vulnerabilities. Spending yet another million might find and fix only one additional vulnerability.&lt;br /&gt;&lt;br /&gt;The fourth principle is that &lt;b&gt;people respond to incentives&lt;/b&gt;, perversely. A straightforward example is that of complicated password policies: the more complicated they are, the more likely a person is to write down the password on a sticky note underneath their keyboard, thus making the system less secure, not more so. The consequence of this is that &lt;b&gt;people have a fixed risk tolerance&lt;/b&gt;. When you make things safer, people behave more recklessly. If you install anti-virus on their desktop, they are more likely to run e-mail attachments. Measured one way, such as on an obstacle course, talking on a mobile phone impairs a person's ability to drive. Measured with economics, we find that while people are on the phone, they slow down and otherwise drive more safely, to accommodate the distraction. 
Drivers slow down and pay attention when it rains to compensate for the additional danger, which means they speed up and drive more recklessly when the roads dry up to compensate for the increased safety.&lt;br /&gt;&lt;br /&gt;Another principle is that &lt;b&gt;the value of security isn't infinite&lt;/b&gt;. One of the fun things freaky economists like to do is calculate what a person's life is worth. For example, let's say that you put your kid in the car to drive to the store rather than paying the neighbor to babysit for an hour for $10. Dying in a car accident is the leading cause of death for children, and those deaths are overwhelmingly near the home. If the chance of death on that trip is 1-in-a-million, and you could've spent $10 to avoid it, this means you value your kid's life at $10-million. (Well, no, not exactly; I'm glossing over the fine bits to make a point). The same is true of cybersecurity, where people treat security as being of infinite worth. That's why they can't deal with marginal benefits vs. marginal costs: the marginal benefits of increased security are always infinite, according to cybersecurity experts. Given free rein, cybersecurity experts will make the costs infinite, too. 
The only way to satisfy them completely would be to turn off the Internet.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-kgKyOfYucZY/TuHiLlNV_UI/AAAAAAAAAhQ/yeMLwc9heuY/s1600/strateg.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-kgKyOfYucZY/TuHiLlNV_UI/AAAAAAAAAhQ/yeMLwc9heuY/s200/strateg.png" width="176" /&gt;&lt;/a&gt;&lt;/div&gt;The sixth principle on Mankiw's list is that &lt;b&gt;free-markets are usually the best&lt;/b&gt;, tempered by the seventh principle that &lt;b&gt;sometimes government can improve on free-market outcomes&lt;/b&gt; (such as when there is a market failure and externalities). A &lt;b&gt;wrong &lt;/b&gt;application of this principle was President Bush's "&lt;a href="http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf"&gt;&lt;i&gt;Strategy to Secure Cyberspace&lt;/i&gt;&lt;/a&gt;" that had the fatuous statement "&lt;i&gt;federal&amp;nbsp;regulation will not become a primary&amp;nbsp;means of securing cyberspace ...&amp;nbsp;the market itself is&amp;nbsp;expected to provide the major impetus to&amp;nbsp;improve cybersecurity&lt;/i&gt;".&amp;nbsp;This is wrong because the free-market will never "secure cyberspace". Instead, the free-market is what determines how valuable cybersecurity is in the first place, identifying the truth that people don't want the tradeoffs needed to make the Internet more secure. I once gave a talk where I asked "Raise your hand if cybersecurity is your highest priority" (everyone: yes), then "Raise your hand if you use wifi" (everyone: yes), then "Raise your hand if you think your wifi is secure" (everyone: no). In other words, people claimed to want security, but even though wifi wasn't secure, they used it anyway. 
That's because people lie; they claim security has infinite importance, but behave as if it's a tradeoff. The free-market captures this true value; government regulation doesn't. When government starts regulating cybersecurity, we'll start complaining about it in much the same way we complain about the TSA and the Patriot Act (which make what many consider unacceptable tradeoffs for small marginal improvements in security). In many cases, the cost of "compliance", proving to the government that you are secure, is starting to outweigh the costs of the actual security.&lt;br /&gt;&lt;br /&gt;I could spend days talking about the freakiness of economics and cybersecurity, but this gives you a taste.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;I get more comments via Twitter than on the comments page. A particularly cogent one is:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;a href="https://twitter.com/#!/WeldPond"&gt;WeldPond&lt;/a&gt; (Chris Wysopal): &lt;a href="https://twitter.com/#!/ErrataRob"&gt;@ErrataRob&lt;/a&gt; Al Qaeda was able to harm up the US economy w/excess security spending abroad and at home. Could anonymous do same for cyber?&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-8893091285298200297?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/8893091285298200297/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=8893091285298200297' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8893091285298200297'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8893091285298200297'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/12/freakonomics-vs-cybersecurity.html' title='Freakonomics vs Cybersecurity'/><author><name>Robert 
Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-X4e7AG4_N7Q/TuGmOx6z9MI/AAAAAAAAAgs/uskiBBJCUKI/s72-c/DSC_7722-2_normal.JPG' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3196802453919740016</id><published>2011-11-15T21:01:00.009-05:00</published><updated>2011-11-15T21:59:55.407-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iPad'/><category scheme='http://www.blogger.com/atom/ns#' term='Kindle Fire'/><category scheme='http://www.blogger.com/atom/ns#' term='Christmas'/><title type='text'>Quick review of the Kindle Fire</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-yWd_NDApEnk/TsMYO5IUghI/AAAAAAAAAgY/k139lgeRSUg/s1600/photo+%25282%2529.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/-yWd_NDApEnk/TsMYO5IUghI/AAAAAAAAAgY/k139lgeRSUg/s320/photo+%25282%2529.JPG" width="239" /&gt;&lt;/a&gt;&lt;/div&gt;The &lt;a href="http://www.amazon.com/Kindle-Color-Multi-touch-Display-Wi-Fi/dp/B0051VVOB2"&gt;Kindle Fire&lt;/a&gt; is a $200 device, compared to $80 for the cheap black-and-white Kindle, or compared to $500 for the iPad.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The reason you want it more than the standard "eInk" based Kindle is that it can play videos, run apps, and show books in color (like comic books). 
The downside is that it weighs twice as much as the standard Kindle, lasts only 10 hours on battery (vs 30 days for the standard Kindle), and only works with WiFi (no mobile phone connection).&lt;br /&gt;&lt;br /&gt;It's a 7 inch screen (14.6 ounces) compared to the iPad's 10 inch screen (21.3 ounces). This makes the Fire better for traveling than the iPad. But, since I travel with my iPhone and MacBook Air, I really don't need another device to watch video. What I need is something that won't run out of batteries. For that reason, I'm going to travel with the eInk Kindle Touch (7 ounces), not the Kindle Fire. (In addition, the Kindle Touch has a mobile phone connection that can be used in emergencies when no WiFi is available, unlike the Fire).&lt;br /&gt;&lt;br /&gt;There are plenty of annoyances with the device. Some content ("&lt;a href="http://www.amazon.com/Watchmen-ebook/dp/B005CRQ2IU"&gt;Watchmen&lt;/a&gt;" and "&lt;a href="http://www.amazon.com/The-Economist-US-Edition/dp/B0027VSU9S"&gt;The Economist&lt;/a&gt;") is shrunk and can't easily be expanded (&lt;i&gt;Watchmen&lt;/i&gt; not at all, &lt;i&gt;The Economist&lt;/i&gt; with zoom-and-pan for every page). The same thing happens to web-pages: the iPad and standard Kindle have been around long enough for people to format content for them, but they treat the Kindle Fire as a full-sized desktop screen, and not the 7 inch screen that it really has.&lt;br /&gt;&lt;br /&gt;The web-browsing goes through Amazon's cloud for "acceleration". Instead of browsing the web directly, you go through Amazon's servers, which strip out all the stuff that slows down web browsing. In practice, I don't think this works so well. Yes, some web pages are "snappier", but at the same time, some things behave oddly. 
I'd have to spend more time at it, but I think my experience on the iPad is better.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;But for all such annoyances, it works much like the iPad.&lt;/b&gt; As his biography points out, Steve Jobs was really angry at how much Android (which runs the Kindle) copied most of what makes the iPhone/iPad cool. It even does a couple things better, such as cloud integration. Your books, magazines, music, videos, and apps have two selections, those in the Cloud, and those on the Device (demonstrated in the picture above), and downloading from one to the other is simply the touch of a button.&lt;br /&gt;&lt;br /&gt;Here's the verdict: it's not as polished as the iPad. Your 2-year-old or grandparent can't pick it up and immediately start using it, like she can with the iPad. But that probably doesn't matter, since 99% of the time is spent with the content (reading, watching, playing) rather than with the device software. You have to ask yourself if an extra $300 is worth the difference in usability/polish for the small amount of time between watching videos, reading books, or playing games. It probably is important for the very young or very old, or the very geeky, but probably not so important for everyone else.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Sure, the recipient is going to be disappointed you didn't pony up the extra bucks for an iPad, but otherwise, the Kindle Fire is going to make a great gift for Xmas.&lt;/b&gt; I think they will spend more time using it in the coming year than almost any other present you could give them.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;i&gt;I'm &lt;b&gt;not&lt;/b&gt; part of Amazon's affiliate program. Following the links on this page to Amazon's site gives no benefit to me (which you can verify with View Source and check out the links). I thought I'd point this out since Amazon's evil affiliate program leads to so much spam. 
These are my honest opinions.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;Here is a &lt;a href="http://www.thedaily.com/page/2011/11/15/111511-tech-gearreview-kindlefire-1-2/"&gt;Kindle Fire review from The Daily&lt;/a&gt;. It agrees with the points I made. But whereas it stresses "it doesn't do anything exceptional well", the real point to remember is that it does everything &lt;i&gt;adequately&lt;/i&gt; well. And, that's only during the 1% of the time you aren't watching a movie or reading a book, at which point, the experience is roughly the same.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3196802453919740016?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3196802453919740016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3196802453919740016' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3196802453919740016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3196802453919740016'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/11/quick-review-of-kindle-fire.html' title='Quick review of the Kindle Fire'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-yWd_NDApEnk/TsMYO5IUghI/AAAAAAAAAgY/k139lgeRSUg/s72-c/photo+%25282%2529.JPG' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-4528949926062657651</id><published>2011-10-24T21:39:00.022-05:00</published><updated>2011-11-03T15:04:45.684-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><title type='text'>Cloud Computing is a Commodity, not a Utility</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://upload.wikimedia.org/wikipedia/en/9/9f/Delta_pylon_near_Madrid.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://upload.wikimedia.org/wikipedia/en/9/9f/Delta_pylon_near_Madrid.JPG" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;A computing pioneer named &lt;a href="http://en.wikipedia.org/wiki/John_McCarthy_(computer_scientist)"&gt;John McCarthy&lt;/a&gt; (creator of the LISP language) died recently. Some are giving him credit for coming up with the idea of &lt;a href="http://en.wikipedia.org/wiki/Cloud_computing"&gt;cloud computing&lt;/a&gt; in 1961, when he described "&lt;a href="http://en.wikipedia.org/wiki/Time-sharing"&gt;time-sharing&lt;/a&gt;" (the sharing of a mainframe computer) as becoming a "public utility" like electricity or water. Nothing could be further from the truth. Today's cloud computing is the opposite of the "&lt;a href="http://en.wikipedia.org/wiki/Utility_computing"&gt;utility computing&lt;/a&gt;" that he imagined. 
This is as absurd as saying the original Star Trek TV show, with a voice activated computer, somehow invented Siri, Apple's new voice response system for the iPhone.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The archetype of cloud computing is &lt;a href="http://en.wikipedia.org/wiki/Amazon_ec2"&gt;Amazon EC2&lt;/a&gt;, a network of thousands of machines that can do anything from run supercomputer simulations to serve web pages. But cloud computing is more than EC2. It's a whole range of things, from Google apps, to Apple's iCloud storage of music, to the Amazon Kindle's storage of books. I have over 300 books on my Kindle – not actually on the device, but in my account with Amazon. When I broke my Kindle by dropping it two stories, I bought a new one, and all my books were still there. That is cloud.&lt;br /&gt;&lt;br /&gt;Sure, Amazon's EC2 sounds a lot like the time-share systems of the early 1960s, but there are important differences. The biggest difference is "how we got here". There wasn't a slow progression of huge "mainframe" computers, but a rapid change from mainframes to "personal computers" in our homes (following Moore's Law).&lt;br /&gt;&lt;br /&gt;If other utilities had progressed at the same speed as computing, then we'd all have a small fusion reactor in our homes supplying our electricity. Your iPhone can supply, through the cell network, all of the time-sharing needs of the 1960s.&lt;br /&gt;&lt;br /&gt;Yes, Amazon sells compute power, but the word you are looking for is not "utility" but "commodity". Here is the current Wikipedia definition of a &lt;a href="http://en.wikipedia.org/wiki/Public_utility"&gt;public utility&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;A public utility (usually just utility) is an organization that maintains the infrastructure for a public service (often also providing a service using that infrastructure). 
Public utilities are subject to forms of public control and regulation ranging from local community-based groups to state-wide government monopolies. Common arguments in favor of regulation include the desire to control market power, facilitate competition, promote investment or system expansion, or stabilize markets. … The term utilities can also refer to the set of services provided by these organizations consumed by the public: electricity, natural gas, water and sewage.&lt;/blockquote&gt;None of the above applies to Amazon EC2. But the following Wikipedia page on &lt;a href="http://en.wikipedia.org/wiki/Commodity"&gt;commodities&lt;/a&gt; sounds a lot like Amazon EC2:&lt;br /&gt;&lt;blockquote&gt;It is used to describe a class of goods for which there is demand, but which is supplied without qualitative differentiation across a market. A commodity has full or partial fungibility; that is, the market treats it as equivalent or nearly so no matter who produces it. Petroleum and copper are examples of such commodities.&lt;/blockquote&gt;In other words, cloud computing is a &lt;a href="http://en.wikipedia.org/wiki/Fungible"&gt;fungible&lt;/a&gt; commodity like oil and copper, not a utility like electricity or sewage.&lt;br /&gt;&lt;br /&gt;From this perspective, the recently deceased &lt;a href="http://en.wikipedia.org/wiki/Dennis_Ritchie"&gt;Dennis Ritchie&lt;/a&gt; (who developed C and co-developed Unix) deserves much more credit than John McCarthy. The reason Ritchie developed Unix was precisely to break the "utility" model of time-share computing up to that point, and to make computers into a "commodity". Today's cloud computers like Amazon EC2 run mostly Unix, and mostly code written in C. They run almost no code written in John McCarthy's LISP.&lt;br /&gt;&lt;br /&gt;The personal computing and Internet revolution is a genie that escaped the "utility" bottle. Many want to put that genie back again, and regulate the Internet and computers like utilities. 
Their arguments always sound good, but they are deceptive. It's the old phone utilities that lobby for regulations requiring new VoIP companies to provide 911/emergency services, making VoIP much more expensive. Likewise, it's law enforcement that lobbied for laws requiring mobile phones to have GPS location tracking features, again for 911/emergency calls, but which law enforcement also uses to locate criminals.&lt;br /&gt;&lt;br /&gt;Another example is "reliability". We all get frustrated when computers fail (as BlackBerry users recently &lt;a href="http://articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM:TECH"&gt;experienced&lt;/a&gt;). Regulators promise to improve reliability. But this comes at a cost. Reliability has decreasing marginal returns: costs quickly explode as government demands more reliability. Right now, bandwidth and cloud computing are free, but it means that sometimes when I try to sync my Kindle, it might fail for a few hours. Despite what the regulators promise, there is no such thing as a free lunch, and regulations will not &lt;i&gt;simultaneously&lt;/i&gt; keep costs down and reliability up.&lt;br /&gt;&lt;br /&gt;How we define the "cloud" means a lot for our future. We are putting more and more of our "stuff" in the cloud, which special interests want to regulate, control, and monitor. We will lose our freedom unless we fight to keep it. Unless we fight to keep the cloud a "commodity", it will indeed start to look like an Orwellian "utility".&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;The full quote from McCarthy speaking at the MIT Centennial in 1961:&lt;br /&gt;&lt;blockquote&gt;"If computers of the kind I have advocated become the computers of the future, then computing may someday be organized as a public utility just as the telephone system is a public utility... 
The computer utility could become the basis of a new and important industry."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-4528949926062657651?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/4528949926062657651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=4528949926062657651' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/4528949926062657651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/4528949926062657651'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/cloud-computing-is-commodity-not.html' title='Cloud Computing is a Commodity, not a Utility'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-8587466564453078579</id><published>2011-10-18T19:20:00.011-05:00</published><updated>2011-10-20T15:45:18.965-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='performance'/><category scheme='http://www.blogger.com/atom/ns#' term='iPhone'/><category scheme='http://www.blogger.com/atom/ns#' term='sprint'/><title type='text'>iPhone 4S for Sprint performance below par</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/-iQ7oofTKv_M/Tp4Y9DGIDII/AAAAAAAAAv4/1-Wt9xu4H9M/s1600/Sprint_Test.PNG"&gt;&lt;img alt="" border="0" 
id="BLOGGER_PHOTO_ID_5664992818360749186" src="http://1.bp.blogspot.com/-iQ7oofTKv_M/Tp4Y9DGIDII/AAAAAAAAAv4/1-Wt9xu4H9M/s320/Sprint_Test.PNG" style="cursor: hand; cursor: pointer; float: right; height: 320px; margin: 0 0 10px 10px; width: 214px;" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-DixfkoTKce0/Tp4Y3YzDGmI/AAAAAAAAAvs/DFCFNwR_bZs/s1600/ATT_Test.PNG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5664992721107098210" src="http://1.bp.blogspot.com/-DixfkoTKce0/Tp4Y3YzDGmI/AAAAAAAAAvs/DFCFNwR_bZs/s320/ATT_Test.PNG" style="cursor: hand; cursor: pointer; float: left; height: 320px; margin: 0 10px 10px 0; width: 214px;" /&gt;&lt;/a&gt;I'm returning my Sprint version of the iPhone 4S. The performance is far below either AT&amp;amp;T or Verizon.&lt;br /&gt;&lt;br /&gt;Everyone loves to hate AT&amp;amp;T, but here's the thing: they've invested massively in building out their network to support devices like the iPhone and Kindle. Even in places where AT&amp;amp;T famously struggles (New York City and San Francisco), I can usually get a fair data connection. In my travels, AT&amp;amp;T 3G outperforms Verizon 3G in almost every case.&lt;br /&gt;&lt;br /&gt;Sprint hasn't made that investment. At least, not here in Atlanta. Traveling around the Atlanta area at various times of the day, I find that Sprint consistently lags AT&amp;amp;T for 3G speeds. Sprint struggles to reach 1 Mbps, while AT&amp;amp;T rarely goes below 3 Mbps. At times, Sprint goes down to dialup speeds. Here are examples of back-to-back speed tests. I have a lot more samples, but these are representative of what I see.&lt;br /&gt;&lt;br /&gt;To be fair, Sprint has invested a lot in a 4G technology (based on &lt;a href="http://erratasec.blogspot.com/2009/08/cleartm-wimax.html"&gt;WiMax&lt;/a&gt;) that works much better, where 7 Mbps is common. But the iPhone doesn't support 4G technologies like WiMax. In addition, many people are finding that WiMax falls behind LTE (used by AT&amp;amp;T, Verizon, and T-Mobile).&lt;br /&gt;&lt;br /&gt;Sprint does have one advantage. Currently, it supports "unlimited" downloads, whereas Verizon offers a plan with up to 12 gigs of downloads, and AT&amp;amp;T offers at most 4 gigs of downloads. In addition, it's one of the cheaper plans, with unlimited texting and data for only $80/month.&lt;br /&gt;&lt;br /&gt;But in practice, few people use more than 2 gigs per month. I rarely do. In those cases, AT&amp;amp;T can offer cheaper and faster plans. I don't know which will be best for you, but for myself, I'm choosing an AT&amp;amp;T iPhone 4S and returning my Sprint iPhone 4S.&lt;br /&gt;&lt;br /&gt;UPDATE:&lt;br /&gt;These are the last ones taken this morning, AT&amp;amp;T at 5.07 Mbps and Sprint at 0.21 Mbps:&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-UA-4KFeWpWQ/Tp8Ukw-brlI/AAAAAAAAAwc/1BZjm9D57ZQ/s1600/ATT_Test2.PNG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5665269478109982290" src="http://4.bp.blogspot.com/-UA-4KFeWpWQ/Tp8Ukw-brlI/AAAAAAAAAwc/1BZjm9D57ZQ/s320/ATT_Test2.PNG" style="cursor: hand; cursor: pointer; height: 320px; width: 214px;" /&gt;&lt;/a&gt;&lt;a href="http://1.bp.blogspot.com/-p5qRqGf0rRg/Tp8U3skJuhI/AAAAAAAAAwo/I3eW8IMqfPU/s1600/Sprint_Test2.PNG"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5665269803343526418" src="http://1.bp.blogspot.com/-p5qRqGf0rRg/Tp8U3skJuhI/AAAAAAAAAwo/I3eW8IMqfPU/s320/Sprint_Test2.PNG" style="cursor: hand; cursor: pointer; height: 320px; width: 214px;" /&gt;&lt;/a&gt;&lt;br /&gt;Update 2:&lt;br /&gt;I returned the Sprint iPhone today and was told I was the 18th person to do so for the same reason. 
This makes me sad as I was a big fan of Sprint rolling out the first nextgen speed network.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-8587466564453078579?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/8587466564453078579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=8587466564453078579' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8587466564453078579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8587466564453078579'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/iphone-4s-for-sprint-performance-below.html' title='iPhone 4S for Sprint performance below par'/><author><name>David Maynor</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-iQ7oofTKv_M/Tp4Y9DGIDII/AAAAAAAAAv4/1-Wt9xu4H9M/s72-c/Sprint_Test.PNG' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5076159208615877008</id><published>2011-10-14T18:42:00.004-05:00</published><updated>2011-10-29T20:51:52.981-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='twinkles'/><category scheme='http://www.blogger.com/atom/ns#' term='Occupy Wall Street'/><category scheme='http://www.blogger.com/atom/ns#' term='down twinkles'/><category scheme='http://www.blogger.com/atom/ns#' term='dictionary'/><title type='text'>DefCon speakers guide to #OccupyWallStreet hand 
signals</title><content type='html'>Next year, at DefCon (the world's largest hacking conference), speakers are going to be confronted by hand signals (like 'twinkles') that were developed during the &lt;a href="http://erratasec.blogspot.com/2011/10/independent-reporting-of.html"&gt;#OccupyWallStreet&lt;/a&gt; protests. That's because much of the audience will have attended one of the many "Occupy" protests.&lt;br /&gt;&lt;br /&gt;So that speakers don't get weirded out by this, I thought I'd write up a brief guide.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-YSe8-Hvbttc/TplLUGPVVfI/AAAAAAAAAdo/qPwuauenfT8/s1600/IMG_9357.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-YSe8-Hvbttc/TplLUGPVVfI/AAAAAAAAAdo/qPwuauenfT8/s200/IMG_9357.JPG" width="152" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;TWINKLES&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This is the most common hand signal. The audience raises their arms and flutters or "twinkles" their fingers (also known as 'spirit fingers'). This means they like what you are saying. It is a silent form of clapping, so that they do not interrupt you.&lt;br /&gt;&lt;br /&gt;Down-twinkles (arms up, but fingers pointed down) indicates the reverse, displeasure at what you are saying. 
You'll get a lot of these when you talk about how good Windows security is, for example.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-rV2sOJKdems/TplLg8cwduI/AAAAAAAAAdw/wAWEhykF7Lo/s1600/IMG_9371.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-rV2sOJKdems/TplLg8cwduI/AAAAAAAAAdw/wAWEhykF7Lo/s200/IMG_9371.JPG" width="147" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;CROSSED ARMS/BLOCK&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When they hold their arms in front, crossed, it means they dislike what you are saying so much that they are about to get up and leave.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-TSVgs-XTezs/TplLmVN5GFI/AAAAAAAAAd4/_VHqFsCjdfg/s1600/IMG_9400.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-TSVgs-XTezs/TplLmVN5GFI/AAAAAAAAAd4/_VHqFsCjdfg/s200/IMG_9400.JPG" width="160" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;WRAP IT UP / GET TO THE POINT&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;There are two forms of this. One is the rolling motion, holding the arms in front and rolling them around each other. The other is holding the finger up and making a circling halo motion around the head. 
&lt;br /&gt;&lt;br /&gt;It means the audience thinks you are rambling, and wants you to get to the point.&lt;br /&gt;&lt;br /&gt;When you go beyond your allotted time, these will break out in the audience, indicating you should wrap up your speech and leave the stage for the next guy.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-eX6LfCgnd7M/TplLtXJ54II/AAAAAAAAAeA/GOzjBaV4wM8/s1600/IMG_9426.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-eX6LfCgnd7M/TplLtXJ54II/AAAAAAAAAeA/GOzjBaV4wM8/s200/IMG_9426.JPG" width="131" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;PLEASE CLARIFY&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In this signal, the audience member holds up an index finger. There are some variations, such as holding up two bent fingers, or cupping the hand into a "C".&lt;br /&gt;&lt;br /&gt;This asks you to clarify the point you just made, such as by providing more details.&lt;br /&gt;&lt;br /&gt;It's also done when they didn't hear you for some reason. For example, if there was a loud bang somewhere, the audience will hold their hands up like this, so just repeat what you just said. If they have problems hearing you in general, they will do EARS.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-7rzNftkDxBY/TplLzi6rofI/AAAAAAAAAeI/cyA8qt2Ja3w/s1600/IMG_9432.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-7rzNftkDxBY/TplLzi6rofI/AAAAAAAAAeI/cyA8qt2Ja3w/s200/IMG_9432.JPG" width="135" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;EARS&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Holding the palm or a cupped hand to the ear means they can't hear you. Pretty obvious.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-jxqLII31oVk/TplL47M6bSI/AAAAAAAAAeQ/WAe_DZGyM_k/s1600/IMG_9451.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-jxqLII31oVk/TplL47M6bSI/AAAAAAAAAeQ/WAe_DZGyM_k/s200/IMG_9451.JPG" width="165" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;DIRECT RESPONSE&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In this signal, the audience member moves their index fingers (or full palms) back and forth, with each hand going in the opposite direction from the other.&lt;br /&gt;&lt;br /&gt;This means the audience member has something to say, either to correct something you've said or to ask a clarifying question.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-_ueTr4bBAc8/TplL_ivn-LI/AAAAAAAAAeY/0sKIwcSlTZs/s1600/IMG_9465.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-_ueTr4bBAc8/TplL_ivn-LI/AAAAAAAAAeY/0sKIwcSlTZs/s200/IMG_9465.JPG" width="180" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;PROCESS POINT/OFF-TOPIC&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This is where they make a tent above their head with their fingers. 
It means you are getting off-topic.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-UA_FTCwIA24/TplMHt5M6nI/AAAAAAAAAeg/s2dLHsegAzA/s1600/IMG_9488.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/-UA_FTCwIA24/TplMHt5M6nI/AAAAAAAAAeg/s2dLHsegAzA/s200/IMG_9488.JPG" width="165" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;THUMBS UP, DOWN, TO THE SIDE&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This is how the General Assembly at the Occupy movement votes on things, with the obvious result that thumbs-up means yes, thumbs-down means no, and thumbs-to-the-side means abstain. I'm not sure why you'd see these while speaking, but I thought I'd mention them.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;Here's a video that explains some of these:&lt;br /&gt;&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/X5oTHR5f8uw" width="420"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5076159208615877008?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5076159208615877008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5076159208615877008' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5076159208615877008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5076159208615877008'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/defcon-speakers-guide-to.html' title='DefCon speakers guide to #OccupyWallStreet hand 
signals'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-YSe8-Hvbttc/TplLUGPVVfI/AAAAAAAAAdo/qPwuauenfT8/s72-c/IMG_9357.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-6214058710371021152</id><published>2011-10-11T15:33:00.005-05:00</published><updated>2011-10-11T21:56:57.815-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='port scan'/><category scheme='http://www.blogger.com/atom/ns#' term='shodan'/><title type='text'>Scanning the Internet</title><content type='html'>As part of a research project we are port scanning the entire internet. The scans will come from 216.75.60.94.&lt;br /&gt;&lt;br /&gt;EDIT: Per a comment I realized I left a lot of stuff out. Here ya go:&lt;br /&gt;I am scanning everything from 1.0.0.1 to 223.255.255.255.&lt;br /&gt;I am collecting hostname, IP address, OS type, and service version.&lt;br /&gt;As far as how long it will take, I have no idea; I am guessing somewhere around 100 days.&lt;br /&gt;&lt;br /&gt;I am aware Shodan offers this information now; however, I need to collect my own data for this project.&lt;br /&gt;&lt;br /&gt;EDIT: This isn't a big deal. Researchers like us frequently scan the IPv4 address space. At any point in time, there are a few "white-hat" researchers doing such scans (we know of one other group currently conducting a scan), and many more "black-hats" doing it. 
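As an added example (not code from the post, and not the scanner the authors used), here is how one would turn the announced range into a concrete target list and a rate budget: summarise 1.0.0.1 to 223.255.255.255 into CIDR blocks, subtract the private, loopback and link-local blocks that a public-Internet scan should skip, and compute the per-address rate needed to finish within the 100 days the post guesses. The exclusion list is my assumption; the post does not say which blocks, if any, were skipped.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# The range announced in the post.
SCAN_START = ipaddress.IPv4Address("1.0.0.1")
SCAN_END = ipaddress.IPv4Address("223.255.255.255")

# Assumed exclusions (not stated in the post): RFC 1918 private space,
# loopback and link-local. Nothing in these blocks is reachable from the
# public Internet, so scanning them only wastes time.
DEFAULT_EXCLUSIONS = [
    IPv4Net("10.0.0.0/8"),
    IPv4Net("127.0.0.0/8"),
    IPv4Net("169.254.0.0/16"),
    IPv4Net("172.16.0.0/12"),
    IPv4Net("192.168.0.0/16"),
]


def exclude_networks(nets: Iterable[IPv4Net], excluded: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Subtract every block in `excluded` from the CIDR list `nets`.

    Two CIDR blocks either nest or are disjoint, so for each pair exactly one
    case applies: the target lies inside the excluded block (drop it), the
    excluded block lies inside the target (carve a hole out of it), or they
    do not touch (keep the target as is).
    """
    result = list(nets)
    for ex in excluded:
        next_result = []
        for net in result:
            if net.subnet_of(ex):
                continue  # entirely inside the excluded block
            if ex.subnet_of(net):
                next_result.extend(net.address_exclude(ex))  # carve out the hole
            else:
                next_result.append(net)
        result = next_result
    return result


def scan_targets(start=SCAN_START, end=SCAN_END, excluded=DEFAULT_EXCLUSIONS) -> List[IPv4Net]:
    """CIDR blocks covering start..end inclusive, minus the excluded blocks."""
    covering = list(ipaddress.summarize_address_range(start, end))
    return sorted(exclude_networks(covering, excluded))


def target_count(nets: Iterable[IPv4Net]) -> int:
    """Number of individual addresses in a list of CIDR blocks."""
    return sum(n.num_addresses for n in nets)


def rate_for_deadline(count: int, days: float) -> float:
    """Addresses per second needed to cover `count` targets in `days`."""
    return count / (days * 86400)


if __name__ == "__main__":
    nets = scan_targets()
    n = target_count(nets)
    print(f"{len(nets)} CIDR blocks, {n:,} addresses")
    print(f"need {rate_for_deadline(n, 100):.0f} addresses/s to finish in 100 days")
```

With the assumed exclusions this comes to roughly 3.7 billion addresses, or about 430 addresses per second for a 100-day scan. That is a per-address figure: a scan that also fingerprints the OS and service versions, as the post describes, sends many probes per address, so the packet rate the scanner has to sustain is a multiple of it.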
The reason for this post is simply to be on record about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-6214058710371021152?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/6214058710371021152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=6214058710371021152' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6214058710371021152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6214058710371021152'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/scanning-internet.html' title='Scanning the Internet'/><author><name>David Maynor</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-4104945114867517222</id><published>2011-10-09T01:20:00.005-05:00</published><updated>2011-10-09T04:51:18.690-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nerd'/><title type='text'>How geeky am I</title><content type='html'>These days, we have both 1080p hidef television, and plotlines with hackers. That means "code" appears frequently on the screen. Of course, if you read the code, it has nothing to do with the plot. 
The producers just grabbed a fragment off the net and stuck it in there for dramatization.&lt;br /&gt;&lt;br /&gt;In the pilot episode of the remake of &lt;i&gt;&lt;a href="http://www.imdb.com/title/tt1760943/"&gt;Charlie's Angels&lt;/a&gt;&lt;/i&gt;, one of the gals cracks an electronic safe by typing in a fragment of code. Here is a picture from the video:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-oEsVwAKvmPs/TpEza_N15yI/AAAAAAAAAdk/2ks8T9yP2WQ/s1600/sudoku-code.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-oEsVwAKvmPs/TpEza_N15yI/AAAAAAAAAdk/2ks8T9yP2WQ/s1600/sudoku-code.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;To a geek like me, two things jump out. The first is that this code includes a hard-coded random number generator, &lt;span class="Apple-style-span" style="font-family: monospace; white-space: pre-wrap;"&gt;(int)(81.0*(i=1103515245*i+12345&amp;amp;0x7fffffff)/2147483648.0)&lt;/span&gt;. That's odd: why code your own instead of using the built-in random number generator known as "rand()"? (The multiplier 1103515245 and increment 12345 are the constants from the C standard's sample implementation of rand(), so hard-coding the generator gives the program the same sequence on every platform, whatever the local C library does.) That leads to the second observation: the code is deliberately obfuscated, possibly because it was an entry to the (now defunct) &lt;a href="http://www.ioccc.org/"&gt;Obfuscated C contest&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Because of the obfuscation, it was difficult to Google, but I eventually found the source at&amp;nbsp;this PasteBin link&amp;nbsp;&lt;a href="http://pastebin.com/ETeBXXGh"&gt;http://pastebin.com/ETeBXXGh&lt;/a&gt;. I copied it and listed it below. It's the only version of the code I could find. From the additional code, it appears probable that it's a generator/solver for Sudoku. I tried to run it, and didn't get any good results, because I don't know the data it expects. 
I could figure it out, but ...&lt;br /&gt;&lt;br /&gt;...now I'm bored with it. I found the code, I know it's something to do with Sudoku, that it's obfuscated, but I no longer care to find out the rest.&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;b&gt;Update:&lt;/b&gt; Bah! A malware analyst "ocean" found it &lt;a href="https://twitter.com/#!/_ocean/status/122956436635529216"&gt;https://twitter.com/#!/_ocean/status/122956436635529216&lt;/a&gt; on the IOCCC website &lt;a href="http://www.ioccc.org/2005/aidan/"&gt;http://www.ioccc.org/2005/aidan/&lt;/a&gt;. It probably took him the extra 30 seconds I wasn't willing to spend; in hindsight it's obvious.&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;b&gt;Update:&lt;/b&gt; Check out Ian Eiloart's comment at the bottom. As he points out, Hollywood is a stickler for copyright. The Obfuscated C contest explicitly states that all submissions must be in the public domain. This makes it perfect for Hollywood: you get code fragments that are both extremely geeky &lt;i&gt;and&lt;/i&gt; for which you don't have to worry about a lawyer serving you papers. Note that there is a "fair use" clause that means they don't always have to worry anyway. For example, my use of the picture from the show above is covered under "fair use", so I can use it without having to ask for permission.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;pre&gt;#include &amp;lt;stdio.h&gt;&lt;br /&gt;#include &amp;lt;stdlib.h&gt;&lt;br /&gt;&lt;br /&gt;#define N(I,l) s l]=(I?1&amp;lt;&amp;lt;I|I&amp;lt;&amp;lt;10:01776)&lt;br /&gt;#define f(a,t) for(a=0;a&amp;lt;t;a++)&lt;br /&gt;#define Su(d,o,ku) O(l/9,d) O(l%9,o) O(l%9/3+l/27*3,ku)&lt;br /&gt;#define NO ;printf("%c %s",I?I|48:46,++l%3?"":l%9?"| ":l%27?"\n":l%'Q'?z:"\n");&lt;br /&gt;#define Ba(k,a) {O||printf("!!! 
" #a " %i\n",k+1);goto l;}&lt;br /&gt;#define O(o,k) f(l,9) c[l]= *#k?0x3fe:-1;\&lt;br /&gt;  f(l,81) if(*#k){\&lt;br /&gt;    if(!(s]&amp;amp;c[o])) Ba(o,k) c[o]&amp;amp;=~(1&amp;lt;&amp;lt;(s]&gt;&gt;10));\&lt;br /&gt;  } else if((s]&gt;&gt;l0)&amp;amp;1) c[o]=c[o]+1?-2:l;\&lt;br /&gt;  if(*#k) { f(l,81) if(s]&gt;&gt;10||(s]&amp;amp;=c[o]),!s]) Ba(o,k) }\&lt;br /&gt;  else f(l,9) l[c]&amp;lt;0||s[c]]&gt;&gt;10||(N(l0,[c]),C++);&lt;br /&gt;&lt;br /&gt;struct{ int s[81],I,l,O; } S[0123];&lt;br /&gt;int I, l, l0, o, C, O=0, w=0, c[10], L; long i;&lt;br /&gt;char z[] = "\007      &amp;amp;       &amp;amp;      \n";&lt;br /&gt;&lt;br /&gt;#define s S].s[l&lt;br /&gt;&lt;br /&gt;int main(int n,char**N) {&lt;br /&gt;    S-&gt;O=0; L=n&gt;1?*N[1]-85?1:6:0; i=L&amp;amp;1?atol(N[1]):123;&lt;br /&gt;#define i (int)(81.0*(i=1103515245*i+12345&amp;amp;0x7fffffff)/2147483648.0)&lt;br /&gt;    for(l=C=0;l&amp;lt;81;) {&lt;br /&gt; I=L&amp;amp;1?0:getchar()^48; i; I=I-30?I:0;&lt;br /&gt; if(I&amp;lt;10) {&lt;br /&gt;  #define S S[O&lt;br /&gt;  if(C&amp;lt;22) z[C++]^=13; N(I,)NO&lt;br /&gt; }&lt;br /&gt;    }&lt;br /&gt;&lt;br /&gt;    for(;;) {&lt;br /&gt; l0:&lt;br /&gt;        Su(row,col,box) C=l0=0;&lt;br /&gt; f(l,81) if(!(s]&gt;&gt;10&amp;amp;&amp;amp;++l0)) {&lt;br /&gt;   o=s]&amp;amp;1022; for(I=0;~o&amp;amp;1&amp;amp;&amp;amp;(o/=2);I++); o-1||(s]|=I&amp;lt;&amp;lt;10,C++);&lt;br /&gt; } if(l0==l) {&lt;br /&gt;   if(O&amp;amp;&amp;amp;L&amp;amp;2) { O--; goto l0; } goto O; &lt;br /&gt; } for(l0=1;10&gt;l0;l0++) { Su(,,) }&lt;br /&gt;&lt;br /&gt; if(!C) {&lt;br /&gt;     l=(o=S].O)?S].I:0; I=o?S].l%9+1:(S].O=i%9+1);&lt;br /&gt;     for(;l&amp;lt;81;l++,I=S].O,o=0) if(!(s]&gt;&gt;10)) {&lt;br /&gt;  for(;;I=I%9+1,o=1) {&lt;br /&gt;      l0=0; if(o&amp;amp;&amp;amp;I==S].O) goto O;&lt;br /&gt;      if(s]&gt;&gt;I&amp;amp;1) {&lt;br /&gt;   S].l=I; S++].I=l; S]=S-1];&lt;br /&gt;   N(I,); O&gt;w&amp;amp;&amp;amp;(w=O); goto lO;&lt;br /&gt;      }&lt;br /&gt;  }&lt;br /&gt; 
    }&lt;br /&gt; }&lt;br /&gt; lO: S].O=0; goto l0; l: if(!(l0=O)) { L=0; goto O; } O--;&lt;br /&gt; s,S].I] &amp;amp;=~ (1&amp;lt;&amp;lt;S].l);&lt;br /&gt;    }&lt;br /&gt;&lt;br /&gt;    O: switch(L) {&lt;br /&gt; case 2: if(l0) {&lt;br /&gt; case 3: O=82;&lt;br /&gt;     for(S].l=l=i%81;l0||S].l-l;l=(l+1)%81)&lt;br /&gt;           O1: if(l0=0,S].O=s]&gt;&gt;10,~s]&amp;amp;1) {&lt;br /&gt;  s]=1023; S].I=l; S&amp;amp;0]=S]; w=O=0; L=2; goto lO;&lt;br /&gt;     }&lt;br /&gt;     L=0; l0=1;&lt;br /&gt; } else {&lt;br /&gt;     l=S=82].I; N(S].O,)|1; goto O1;&lt;br /&gt; }&lt;br /&gt;    }&lt;br /&gt;&lt;br /&gt;    printf("\n\n"); for(l=0;l&amp;lt;81;) {I=s]&gt;&gt;10 NO}&lt;br /&gt;    printf("\n%s (stk %i %i)\n",l0?"Done":"No way!",O,w);&lt;br /&gt;    L|=2; if(L-3||!l0) return!l0; S,82]=S]; goto O;&lt;br /&gt;}&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;If you run it, and pass the source as the input "a.out &amp;lt; foo.c", you get the following output:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;. . 1 | 1 . . | 1 7 7&lt;br /&gt;6 . 9 | 9 9 3 | 2 7 3&lt;br /&gt;4 8 4 | 6 3 9 | 2 7 1&lt;br /&gt;------+-------+------&lt;br /&gt;9 . 3 | 1 8 1 | 1 1 .&lt;br /&gt;. 1 1 | 2 8 1 | 1 . 9&lt;br /&gt;. 1 . | . 8 1 | . 1 2&lt;br /&gt;------+-------+------&lt;br /&gt;3 . . | . 1 . | . . 7&lt;br /&gt;. . 1 | 1 8 5 | 1 6 .&lt;br /&gt;1 1 1 | 2 3 8 | 1 . .&lt;br /&gt;!!! row 1&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;. . 1 | 1 . . | 1 7 7&lt;br /&gt;6 . 9 | 9 9 3 | 2 7 3&lt;br /&gt;4 8 4 | 6 3 9 | 2 7 1&lt;br /&gt;------+-------+------&lt;br /&gt;9 . 3 | 1 8 1 | 1 1 .&lt;br /&gt;. 1 1 | 2 8 1 | 1 . 9&lt;br /&gt;. 1 . | . 8 1 | . 1 2&lt;br /&gt;------+-------+------&lt;br /&gt;3 . . | . 1 . | . . 7&lt;br /&gt;. . 1 | 1 8 5 | 1 6 .&lt;br /&gt;1 1 1 | 2 3 8 | 1 . .&lt;br /&gt;&lt;br /&gt;No way! 
(stk 0 0)&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-4104945114867517222?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/4104945114867517222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=4104945114867517222' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/4104945114867517222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/4104945114867517222'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/how-geeky-am-i.html' title='How geeky am I'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-oEsVwAKvmPs/TpEza_N15yI/AAAAAAAAAdk/2ks8T9yP2WQ/s72-c/sudoku-code.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7828745148824567961</id><published>2011-10-06T16:02:00.039-05:00</published><updated>2011-11-03T17:03:04.058-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='twinkles'/><category scheme='http://www.blogger.com/atom/ns#' term='Occupy Wall Street'/><title type='text'>Independent reporting of #OccupyWallStreet</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; 
text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-b-JorYxXXlk/To4SgucYIsI/AAAAAAAAAcg/lbZLlcDRTPw/s1600/Wall-Street-1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="100" src="http://1.bp.blogspot.com/-b-JorYxXXlk/To4SgucYIsI/AAAAAAAAAcg/lbZLlcDRTPw/s200/Wall-Street-1.jpg" width="60" /&gt;&lt;/a&gt;&lt;/div&gt;I was unhappy with the poor journalistic coverage of the &lt;a href="http://en.wikipedia.org/wiki/Occupy_Wall_Street"&gt;&lt;b&gt;#OccupyWallStreet&lt;/b&gt;&lt;/a&gt; protests, so I went to Wall Street myself to see what’s going on, and report on it.&lt;br /&gt;&lt;br /&gt;It’s the quality of the coverage, not the amount that's the problem. It’s been on the nightly news every night for the past week, but there has been little “serious” reporting. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-SomgbCNwdcs/To4QZfFYa-I/AAAAAAAAAcQ/45PVChFaIqY/s1600/WTM_tony_0128.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="133" src="http://4.bp.blogspot.com/-SomgbCNwdcs/To4QZfFYa-I/AAAAAAAAAcQ/45PVChFaIqY/s200/WTM_tony_0128.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;By “serious” reporting, I mean such things as contacting the park’s owners asking for an official statement.  &lt;b&gt;The protesters are occupying &lt;a href="http://en.wikipedia.org/wiki/Zuccotti_Park"&gt;Zuccotti Park&lt;/a&gt;,&lt;/b&gt; owned by the same company (&lt;a href="http://en.wikipedia.org/wiki/Brookfield_Office_Properties"&gt;Brookfield Office Properties&lt;/a&gt; &lt;a href="http://www.nyse.com/about/listed/quickquote.html?ticker=bpo"&gt;NYSE:BPO&lt;/a&gt;) that owns the adjacent skyscraper. 
An obvious step would be to contact them asking for a statement, but I could find no journalists that had yet done so. Well, if “journalists” aren’t going to do this, I can do this myself. I sent an email to their VP of Communications. I got a response, which I &lt;a href="http://erratasec.blogspot.com/2011/10/brookfield-properties-responds-re.html"&gt;posted to my blog&lt;/a&gt;. When I posted it, I also Googled the sentences from the official statement, and found no results. I was indeed the first one “reporting” on this. Since then, others have mentioned the official statement, probably by picking it up from the &lt;a href="https://twitter.com/#!/search/%23occupywallstreet"&gt;#OccupyWallStreet&lt;/a&gt; Twitter hashtag that links to my blog. &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-JoLWqrhVfNU/To4PRr8IAqI/AAAAAAAAAcM/SNDhKxymKgs/s1600/trash+piled+up.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-JoLWqrhVfNU/To4PRr8IAqI/AAAAAAAAAcM/SNDhKxymKgs/s200/trash+piled+up.png" width="151" /&gt;&lt;/a&gt;&lt;/div&gt;Brookfield's official statement expressed their frustration with how the protesters were breaking the rules of the park (my blog post shows a picture I took of the posted rules). In particular, they haven’t been able to do their daily maintenance and cleaning of the park for the past three weeks. For a reporter, that leads to the obvious question: is the park staying clean? and if so, how? The answer reporters would find is this: the protesters themselves are taking care of this. They are exhorting people to not litter, they are making sure the trash cans have fresh bags and patrol the park picking up litter. 
They make sure the &lt;b&gt;trash bags are set out in the right place&lt;/b&gt; to be picked up  by the city’s garbage service&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-otVc6oTRfpM/To4C28ZHnWI/AAAAAAAAAb4/Gupuxtcjvog/s1600/LibertyPlaza500.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="87" src="http://2.bp.blogspot.com/-otVc6oTRfpM/To4C28ZHnWI/AAAAAAAAAb4/Gupuxtcjvog/s200/LibertyPlaza500.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;If I were a reporter, I would then follow this thread:  The protest started as a chaotic event put together haphazardly via Twitter and the Internet, with no actual leader. How, then, were they able to organize a garbage detail? The answer is self-organization. Protestors have developed a General Assembly of all the people that gives authority to the “Central Committee,” made up from the hard-core protesters who are sleeping in the park night after night. The Central Committee has many subcommittees, like the “Media Team” responsible for recording the proceedings or the “Arts and Culture Committee”, responsible for making signs and running the drum circle, and the "Sanitation Committee" team keeping the park clean. &lt;b&gt;They have organized the park into specific areas&lt;/b&gt;, dedicated to different tasks.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://youtu.be/jVygqjyS4CA" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="193" src="http://3.bp.blogspot.com/-dV9K-85M6NU/To4hr1BYaNI/AAAAAAAAAc8/Iy0WW9e0kio/s200/life-of-brian.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Let’s follow this thread even further. The protesters aren’t allowed to have a bullhorn or loudspeaker. 
How, then, can a person address the General Assembly, in the middle of a bustling city, reaching the hundreds of protesters spread throughout the park? The answer is the “People’s Microphone”. A speaker speaks in short phrases. Those nearby then repeat the phrases, shouting so that those in back can hear. The People’s Mic is powerfully emotional, driving home the point of solidarity. Although, it’s occasionally ironic when a speaker says things like &lt;b&gt;“&lt;a href="http://youtu.be/jVygqjyS4CA"&gt;we are all individuals&lt;/a&gt;”&lt;/b&gt; or “we must think for ourselves”.&lt;br /&gt;&lt;br /&gt;More than just amplifying the voice, there is a system for selecting speakers. There is a "Stack" of speakers who have expressed a desire to speak, with their position on the stack dynamically adjusted so that all points of view get equal time, or so that shy women get pushed ahead in the stack to counterbalance loud males. The audience gives feedback, from up/down thumbs, to raised hands with wiggling fingers ("&lt;a href="http://erratasec.blogspot.com/2011/10/defcon-speakers-guide-to.html"&gt;twinkles&lt;/a&gt;") to express enthusiastic support, like clapping, but without drowning out the speaker with noise.
(Apparently, this structure was inspired by the Spanish "&lt;a href="http://en.wikipedia.org/wiki/Indignados"&gt;Indignados&lt;/a&gt;" protests from back in May.)&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-8xuIyv6oVsQ/To46KIUP1gI/AAAAAAAAAdA/ZrYi5JTJKhU/s1600/livestream+general+assembly.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="180" src="http://4.bp.blogspot.com/-8xuIyv6oVsQ/To46KIUP1gI/AAAAAAAAAdA/ZrYi5JTJKhU/s320/livestream+general+assembly.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;This organization is visible on the &lt;a href="http://www.livestream.com/globalrevolution"&gt;live streaming video&lt;/a&gt;&lt;/b&gt; and other efforts the Media Team has used to exploit social media for their cause. Inspired by the New York occupation, other groups in most major cities have already started their own occupations, or plan to do so soon. In my own Atlanta, one is planned for this coming Friday. These new occupations share the same organization, e.g., the General Assembly and the People’s Microphone. When somebody writes the definitive book on this, I’m sure this organization model will become a blueprint for protests years from now.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-nTPRBbuSPzw/To4RtaUanCI/AAAAAAAAAcY/N8Brt570jNQ/s1600/6202490104_56b0fae700_o.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="132" src="http://2.bp.blogspot.com/-nTPRBbuSPzw/To4RtaUanCI/AAAAAAAAAcY/N8Brt570jNQ/s200/6202490104_56b0fae700_o.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;As time has gone on, established liberal/progressive organizations have lent their support to the occupiers.
&lt;b&gt;The crude hand-made signs from the first couple weeks are giving way to slick printed placards.&lt;/b&gt; The question is, as time goes on, will the movement be led by the hard-core who slept night after night on the cold hard ground and who have worked to create their own organization, or will it cede control to established political operatives? As we saw with the Tea Party, a grass-roots effort was quickly hijacked by skilled politicos.&lt;br /&gt;&lt;br /&gt;The point I’ve been trying to make with the last few paragraphs is that there is a “story” here. I started with the obvious task of asking the owner of the park for an official statement about the occupiers of the last three weeks, and following those threads, I saw a story emerge that is different from the standard narrative of “just-another-protest”.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-qyHyUh2buHc/To4MhDXamsI/AAAAAAAAAcE/mgyM8By4QIM/s1600/alg_occupy-wall-street-police-plaza.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="133" src="http://1.bp.blogspot.com/-qyHyUh2buHc/To4MhDXamsI/AAAAAAAAAcE/mgyM8By4QIM/s200/alg_occupy-wall-street-police-plaza.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;There are many other aspects of this that go unreported. One I find especially important is the loving nature of the protest. If you look at &lt;b&gt;photographs in the news, you see the typical angry protester&lt;/b&gt;. This is the sort of action shot newsrooms prefer, i.e., showing the emotion of the scene.&lt;br /&gt;&lt;br /&gt;But the protest isn’t angry. Quite the opposite, it is loving and accepting.
If you go up to protesters with the opposite political view and debate them, they will express their undying love for you and ask you to join them to increase the diversity of viewpoints. I did this myself, and watched this happen to others, including cops. This attitude pervades everything they do, and is frequently reinforced by the hard-core occupiers.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-ebeCuH9rbmY/To46o8xxKdI/AAAAAAAAAdE/LD6wVErQqD4/s1600/BurningMan-picture.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="133" src="http://2.bp.blogspot.com/-ebeCuH9rbmY/To46o8xxKdI/AAAAAAAAAdE/LD6wVErQqD4/s200/BurningMan-picture.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;This is the opposite of what happened during the protests against the Iraq war, the protests against the last Republican convention in New York, or the violent protests during every G8 summit. Not only is this different from most other protests, it is similar to the &lt;b&gt;hyper-tolerant “&lt;a href="http://en.wikipedia.org/wiki/Burning_man"&gt;Burning Man&lt;/a&gt;” festival&lt;/b&gt; that takes place in the Nevada desert every summer. Whether it’s Burning Man or Occupy Wall Street, there is a cultural shift somewhere here.
Now I feel compelled to go to Burning Man next year, just to track this thread down.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-GeOnNmLQCUk/To5ADWx9zGI/AAAAAAAAAdY/F5XTE1GXyNc/s1600/hitlers+banker+wall+st.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-GeOnNmLQCUk/To5ADWx9zGI/AAAAAAAAAdY/F5XTE1GXyNc/s200/hitlers+banker+wall+st.png" width="171" /&gt;&lt;/a&gt;&lt;/div&gt;In many ways, the press treats this protest the way they treated the Tea Party, completely distorting the story. Journalists ignored the mainstream of the Tea Party and instead focused on the &lt;b&gt;fringe&lt;/b&gt;. Instead of showing the hundreds of signs calling for smaller government, reporters instead focused on the one sign showing Obama as Hitler. In the end, this reporting became self-fulfilling. The Republican fringe disaffected with the establishment were convinced by this reporting, believing that they, too, should join the Tea Party, thus derailing it.&lt;br /&gt;&lt;br /&gt;This is a particular danger to the Occupation movement. They still haven’t defined themselves, and risk letting the press define the movement for them. They started out with the idea that occupying Wall Street for weeks would be a good way to get their message out, but they are still trying to come to consensus on what, precisely, their message is. The press (and critics) claim they need a message and that they need a concrete list of demands, but I’m not sure that’s true. This is something else, something new, something that doesn’t need to be defined by the old.&lt;br /&gt;&lt;br /&gt;In that way, it’s like the Internet. When the Internet appeared on the scene 20 years ago, it wasn’t like anything that predated it.
Yes, you could define it in terms of the old, as a digital library, as an electronic form of mail, or as a communications network, but none of these descriptions captures the essence of what the Internet really is.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-j_LZhsDuyTs/To47qFb7VgI/AAAAAAAAAdQ/_joqOztfncA/s1600/filter-bubble.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="158" src="http://4.bp.blogspot.com/-j_LZhsDuyTs/To47qFb7VgI/AAAAAAAAAdQ/_joqOztfncA/s200/filter-bubble.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;In particular, there is the problem with the “&lt;a href="http://www.thefilterbubble.com/ted-talk"&gt;&lt;b&gt;filter bubble&lt;/b&gt;&lt;/a&gt;”. While the Internet can expand a person’s universe, it gives people the power to shrink it. People create a “filter bubble” around themselves, using tools of the Internet to pass only those things they agree with. For example, Google watches what people search for, profiling them, and sorts the results for that individual. They see their own small universe reflected back, rather than the big universe.&lt;br /&gt;&lt;br /&gt;That’s why, despite appearing nightly in the news, the occupiers feel the press is ignoring them. This protest has become the most important thing in the world -- among the people in their filter bubble and those in their social network. It becomes difficult for them to imagine that this isn’t the most interesting thing to everyone else as well. They apparently don’t comprehend that the “news” just reflects what the organizations think their audience wants to hear. If the public doesn’t seem to care, neither does the press.&lt;br /&gt;&lt;br /&gt;There is much more to this filter bubble. An obvious problem is that people filter out opposing political views.
But they also filter out intellectual arguments that otherwise agree with them. They’ve filtered their view of the world so that political arguments are black-and-white, rather than grey. In their filtered view, politics is about propaganda and rhetoric, rather than debate.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-fLbodCxccbY/To4OWtjON2I/AAAAAAAAAcI/QRYIrR_SD7M/s1600/review-economics-krugman.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-fLbodCxccbY/To4OWtjON2I/AAAAAAAAAcI/QRYIrR_SD7M/s200/review-economics-krugman.JPG" width="151" /&gt;&lt;/a&gt;&lt;/div&gt;I interviewed the hard-core protesters, those sleeping in the park overnight. I found only propaganda. They could repeat word-perfect the propaganda about the &lt;a href="http://en.wikipedia.org/wiki/Troy_davis"&gt;execution of Troy Davis&lt;/a&gt;, but none of the details from the Wikipedia entry on the case. They could repeat the propaganda of &lt;a href="http://www.algore.com/"&gt;Al Gore&lt;/a&gt; on Global Warming, but none of the science from the &lt;a href="http://www.ipcc.ch/"&gt;UN IPCC&lt;/a&gt; that declares the scientific consensus on the issue. They could repeat the economics of &lt;a href="http://en.wikipedia.org/wiki/Michael_moore"&gt;Michael Moore&lt;/a&gt;, but not that of Paul Krugman, Nobel laureate, writer of the popular liberal/progressive blog “&lt;a href="http://krugman.blogs.nytimes.com/"&gt;Conscience of a Liberal&lt;/a&gt;” at the &lt;i&gt;New York Times&lt;/i&gt; and author of a &lt;b&gt;&lt;a href="http://www.amazon.com/Economics-Paul-Krugman/dp/0716771586"&gt;college textbook&lt;/a&gt; giving an introduction to economics&lt;/b&gt;.
For example, the protesters say “the rich get richer but the poor get poorer,” whereas Krugman says “&lt;a href="http://krugman.blogs.nytimes.com/2007/09/11/the-rich-get-richer-and-the-poor-go-nowhere/"&gt;the rich get richer but the poor go nowhere&lt;/a&gt;”. This is due to a profound disagreement about a basic economic concept and the economic data.&lt;br /&gt;&lt;br /&gt;As the protesters try to define themselves in order to come up with a coherent political platform, they are hindered by this filter bubble. These forces will drive them to come up with something that excites their small group, but which will prove unacceptable to the larger world. I think they have to learn to reach outside their bubble if they want to actually influence things and to become to the Democrat Party what the Tea Party is to the Republican Party.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-9i1eckj1UwI/To4JvEB71yI/AAAAAAAAAcA/kgaAgXdGkm4/s1600/Webcomic_xkcd_-_Wikipedian_protester.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="173" src="http://2.bp.blogspot.com/-9i1eckj1UwI/To4JvEB71yI/AAAAAAAAAcA/kgaAgXdGkm4/s320/Webcomic_xkcd_-_Wikipedian_protester.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;I get the impression that the &lt;b&gt;entire Occupy Wall Street movement needs a “&lt;a href="http://en.wikipedia.org/wiki/Wikipedia:Citation_needed"&gt;[citation needed]&lt;/a&gt;” footnote&lt;/b&gt;. Wikipedia uses this technique to allow anybody to challenge an unsupported assertion. Anybody can insert this footnote, expressing to the reader that (as yet) the assertion isn’t supported. Anybody else can find supporting evidence, and replace the [citation needed] with a footnote pointing to a reliable source.
If no citation can be found, the assertion is eventually deleted.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-IQDTB3HE6j8/To4SyW3pAiI/AAAAAAAAAck/JhLxz9DL-pg/s1600/220px-Muammar_al-Gaddafi_at_the_AU_summit.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-IQDTB3HE6j8/To4SyW3pAiI/AAAAAAAAAck/JhLxz9DL-pg/s200/220px-Muammar_al-Gaddafi_at_the_AU_summit.jpg" width="132" /&gt;&lt;/a&gt;&lt;/div&gt;I’m concerned by the lack of scholarship because of the history of populism. The occupiers were inspired by the Arab Spring, where the people took their countries back from powerful dictators. But they forget that those dictators similarly took power at the head of populist movements that removed their predecessors and that they ruled “in the name of the people”. Colonel Gaddafi didn't promote himself to General because that was presumptuous, &lt;b&gt;he was just a man of the people&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;I found the occupiers had the same totalitarian attitude, though they don’t see it as totalitarian. Yes, their loving acceptance of those who disagree with them is astonishing, but it’s totalitarian. It asks that people give up their individuality to the state the occupiers are creating. Rather than free speech, the protest has a sort of "managed speech" to make sure everyone has equal time.
There is also the flip side, that not to join the movement or to disagree with the protesters means that you are working against the interest of the people.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-rnczn0cHJc4/To48YevNzEI/AAAAAAAAAdU/rHf1PlPaTmQ/s1600/Robespierre.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-rnczn0cHJc4/To48YevNzEI/AAAAAAAAAdU/rHf1PlPaTmQ/s200/Robespierre.jpg" width="157" /&gt;&lt;/a&gt;&lt;/div&gt;We have seen this before in history, such as during the French Revolution and the &lt;a href="http://en.wikipedia.org/wiki/Reign_of_Terror"&gt;Reign of Terror&lt;/a&gt;. After they ran out of nobles, the &lt;b&gt;Committee of Public Safety&lt;/b&gt; started beheading political rivals -- even those of their own party who helped overthrow the royalty. Their implicit thinking was this: I support the people. Therefore, if you disagree with me, you are acting against the people and must be beheaded. Or to paraphrase in the modern idiom, “you are either with us or against the people”.&lt;br /&gt;&lt;br /&gt;The protesters have been settling on the idea that the conflict is the 99% against the 1%. But since the country is evenly divided between Democrat and Republican, they represent, at best, the interests of 50% against the 1%. No matter how poor, Republicans don’t see socialism as being in their own interests. Instead of chanting "We are the 99%" they should be chanting "We are the 50%", but they seem immune to seeing things from this perspective.&lt;br /&gt;&lt;br /&gt;I &lt;a href="http://erratasec.blogspot.com/2011/09/i-was-just-threatened-by.html"&gt;personally experienced this&lt;/a&gt; duality between populism and totalitarianism. I had chosen a table in an empty area away from the crowd to type up my notes.
I didn’t realize it, but it was near the General Assembly area that would soon become crowded. Members of the Media Team came up to me and insisted I move, so that they could set up a tripod and camera on the table to take pictures of the General Assembly. I refused. I tried to do this as nicely as possible, with a pleasant demeanor, but of course, I was being a jerk. I didn't like the way they insisted, but also I wanted to test them, to see what would happen when somebody didn't go along with their demands.&lt;br /&gt;&lt;br /&gt;Of the three people, one was nice. He smiled, shook my hand, and said “peace”. I’ll bet he’s been to Burning Man. But the other two were nasty. The second guy, visibly twitching in anger, made unspecified threats that I had better move. The third person tried to argue. She claimed that the protest had a prior right to this spot, since they had been occupying the park for weeks (a fallacious argument, since the owners declare the park open to everyone equally). She then argued that this was for the entire group, to get the word out about the protest, to which I answered that I’m not part of the protest, that I don’t share their views. Her final argument was the totalitarian argument: this is for the people.
She then proceeded to say that she was going to set up the tripod anyway, and that if I didn’t move, she would accidentally step on my laptop computer, because her attention would be on taking pictures and not where she was stepping.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-BghW85K4Akw/To4TX-t5sLI/AAAAAAAAAco/v7ODYAXLY-8/s1600/275px-Nolan-chart.svg.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-BghW85K4Akw/To4TX-t5sLI/AAAAAAAAAco/v7ODYAXLY-8/s200/275px-Nolan-chart.svg.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Again, I admit to being a jerk here. But I’m a &lt;a href="http://en.wikipedia.org/wiki/Nolan_chart"&gt;libertarian&lt;/a&gt;, which means I’m interested in the connection between &lt;b&gt;populism and totalitarianism, which we libertarians see as the same thing&lt;/b&gt;. I wanted to experiment with it.&lt;br /&gt;&lt;br /&gt;Back to reporting. I see it as a struggle between the “story” and some sort of “narrative”. Take, for instance, the most reported event of the protest, the arrest of 700 protesters as they tried to cross the Brooklyn Bridge. However you treat the story, you have to struggle with the “narrative” that “police oppress protesters”. Here’s what happened. The occupation is of the park on Wall Street. Last Saturday they marched from there intending to go to the park right on the other side of the Brooklyn Bridge, then back again. The march was planned ahead of time. The protest leaders talked to the police about it. The police told them to stay off the roadway to avoid blocking traffic, and instead use the pedestrian walkway one level above the roadway.
The protest leaders widely communicated this to other protesters.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-T8VZM-Y6MAo/To4UKfvS7-I/AAAAAAAAAcs/0Q27k362xZQ/s1600/yfrog.com-b8ifh.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="150" src="http://1.bp.blogspot.com/-T8VZM-Y6MAo/To4UKfvS7-I/AAAAAAAAAcs/0Q27k362xZQ/s200/yfrog.com-b8ifh.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;But at the same time, some protesters were hoping for a confrontation with the police, because mass arrests would get them on the news (I overheard two protesters discussing this). Others were passing out pamphlets on what to do when arrested and &lt;b&gt;urging people to write the phone number of the National Lawyers Guild on their arm&lt;/b&gt;. Some of those arrested were among the Central Committee, who would have been the most likely to have known they should not have been on the roadway.&lt;br /&gt;&lt;br /&gt;When the protest happened, many protesters followed the correct path above the roadway, but many others incorrectly chose the roadway. After about 700 had taken to the roadway, the police closed off both ends of the bridge, preventing them from escaping, and arrested them all. Eventually the errant protesters were given summonses for causing a public disturbance. Protesters accuse the police of causing the problem by letting protesters out onto the roadway in the first place rather than informing them to take the pedestrian way. They also point out that shutting down the bridge for hours caused much more of a public disturbance than letting the protesters pass for 15 minutes.
Regardless of any &lt;i&gt;agents provocateurs&lt;/i&gt; on both sides, though, it’s a good bet that the bulk of the 700 who got arrested were just sheep, going along with the crowd.&lt;br /&gt;&lt;br /&gt;For me, that’s the “narrative”: stupidity and ignorance on both sides cause things like this, rather than malicious intent - barring a few on both sides who want to see the problem escalate.&lt;br /&gt;&lt;br /&gt;The arrests themselves were interesting. The protesters above, on the pedestrian level, were not arrested, but shouted/chanted encouragement to those below. There was confusion about how to act during the arrests. Should they do so in the nice, polite, accepting manner that defines the niceness of the movement? Or should they act like traditional protesters, lock arms, and passively resist? They seemed to be split half and half. Again, I blame the media: protesters watch the news, and try to copy how they see protesters act, making the news retroactively correct.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-NQMUy4glRRY/To4VwOYN_6I/AAAAAAAAAcw/VnNqdrwggCM/s1600/standoff+with+cameras.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="213" src="http://2.bp.blogspot.com/-NQMUy4glRRY/To4VwOYN_6I/AAAAAAAAAcw/VnNqdrwggCM/s320/standoff+with+cameras.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;“The revolution will not be televised” is the title of a famous political song describing the 1960s political movement. The 2011 alternative is a revolution on Flickr, Tumblr, and streamed live. Look at the photographs from the bridge arrests. Almost everyone, both among the protesters and the police, has either traditional cameras or smart phones.
&lt;b&gt;You see a standoff between the police and the protesters, with each side pointing cameras at the others.&lt;/b&gt; Pictures taken facing into the crowd show a sea of cameras facing right back. Every one of these cameras is connected to cyberspace. Some of them even use applications to send the pictures and videos live to the Internet, so they are preserved even if the police confiscate the cameras and delete the pictures.&lt;br /&gt;&lt;br /&gt;The Internet is a force multiplier. There are actually only a couple hundred protesters sleeping night after night in the park. But their hard-core determination inspires a couple thousand during the day, 10,000 watching the live stream, and 100,000 participating via social media.&lt;br /&gt;&lt;br /&gt;In one &lt;a href="http://www.observer.com/2011/10/exclusive-occupy-wall-street-activist-slams-fox-news-anchor-in-un-aired-interview-video/"&gt;incident&lt;/a&gt;, there was a traditional news team from Fox News, trying to do an interview. The interviewee went on a tirade against Fox News. Those within the filter bubble of the protest loved it, but of course, it’s perfectly useless to a news station reporting on the protest. What I found interesting about this incident was the claim by the Fox News reporter that the protesters can’t get their message out without the mainstream media. But that's false. The protesters are getting the message out via the Internet just fine.
Indeed, neglect is preferable to the distortions as the media tries to pigeonhole the protest into their preferred narratives.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-LSwVSSAw11Q/To5qbG1kXkI/AAAAAAAAAdc/0XNvsCcT1AA/s1600/what+have+the+romans+done+for+us.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-LSwVSSAw11Q/To5qbG1kXkI/AAAAAAAAAdc/0XNvsCcT1AA/s200/what+have+the+romans+done+for+us.jpg" width="133" /&gt;&lt;/a&gt;&lt;/div&gt;By the way, while Wall Street may be responsible for bad things, it is Wall Street who financed putting a million miles of fiber optic cables crisscrossing continents and under oceans. It is Wall Street that financed the thousands of cell towers. It is Wall Street from which venture capital comes to finance startups like Twitter. Thus, tweeting “&lt;b&gt;Down with capitalism&lt;/b&gt;” from your iPhone for those around the world to read seems to be the most ironic thing a person can do. The live stream from the protest site, shared with 12,000 (at this moment) people across the Internet, is a testament to the Wall Street allocation of capital that these protesters fight against. [&lt;a href="http://youtu.be/ExWfh6sGyso"&gt;Obligatory Monty Python reference&lt;/a&gt;]&lt;br /&gt;&lt;br /&gt;That the protest is dominated by Internet-savvy youths exploiting social media is frequently mentioned. But what is not mentioned is the fact that the protesters are overwhelmingly college students, or recent graduates who still haven’t found jobs. They aren’t just any college students, but the stereotypical sort that you might expect to be involved in campus activism, such as graduate students in “Gender Studies.” I found nobody with engineering or science degrees, but many from arts and acting colleges.
After talking with one guy for a while about unemployment and his difficulty in finding a job after college, I found out that he was a “poet.” I’m not sure he understood that employers aren’t looking to hire poets. The only person I met that had a political science degree was one of the police officers “keeping the peace.”&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-RoSu9OTpN0k/To4WlLoqo6I/AAAAAAAAAc0/Rzf7ERFD2z0/s1600/dQqP3l.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="133" src="http://2.bp.blogspot.com/-RoSu9OTpN0k/To4WlLoqo6I/AAAAAAAAAc0/Rzf7ERFD2z0/s200/dQqP3l.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;The protesters are also predominantly white, with blacks underrepresented. On the flip side, blacks are over-represented in the police force. The protesters often compare themselves to the Civil Rights Movement, but the &lt;b&gt;photographs of the recent arrests often show black policemen arresting white protesters&lt;/b&gt;. I don’t know if this is a vindication of the Civil Rights Movement or if there is still more work to go, to get the blacks better ensconced in middle-class America to send their kids off to college with that combination of privilege and entitlement that turns them into protesters.&lt;br /&gt;&lt;br /&gt;The makeup of the protesters also led to amusement among the cops, stationed in pairs on all four sides of the park. For some, their normal beat is in the poor areas of New York City. The police, who daily see the struggle of the real poor, had little use for protesters complaining about jobs while they carried around expensive MacBook computers paid for by their parents.&lt;br /&gt;&lt;br /&gt;I mention the racial makeup for a specific reason.
The Tea Party was also predominantly white, which was frequently reported in the news, despite the fact that guidelines tell reporters to avoid mentioning race when it’s not relevant. They nonetheless reported it because it fit the narrative they wanted to tell about the Tea Party (that it has a racist component). In much the same way, they don’t mention the racial makeup of the Occupation because it doesn’t fit their narrative.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-JYO0bykwOzQ/To4Wx4w7p-I/AAAAAAAAAc4/FV9BMj9drdY/s1600/i.imgur.com-aqbdk.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="213" src="http://2.bp.blogspot.com/-JYO0bykwOzQ/To4Wx4w7p-I/AAAAAAAAAc4/FV9BMj9drdY/s320/i.imgur.com-aqbdk.jpg" width="320" /&gt;&lt;/a&gt;Every night is like a blowout bash you organized in college. After everyone has gone home or passed out, you sit on the top of the dorm with close friends, too excited to sleep, but too tired to do anything else but sit around in small groups and chat. That’s the vibe from the park at 2 a.m.: quiet hours started at 10 p.m., most everyone has left, many are now asleep over there in the sleeping areas, but many are still too excited to go to sleep themselves. &lt;b&gt;They huddle together in intimate groups around the park, discussing things&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;I think it’s the &lt;b&gt;intimacy&lt;/b&gt; and restrained excitement at night that is part of the real story here, not the hubbub during the day that the press tries to mold into their narrative of just-another-protest. What makes this different are those protesters staying night after night in the park. Yet, news reporters flock to the scene at 2 p.m., but are absent at 2 a.m.
I can’t understand why somebody like the &lt;i&gt;New York Times&lt;/i&gt; isn’t sending a reporter down there to embed themselves in the occupation, sleeping there for a week and perhaps writing a Pulitzer prize-winning story.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Here's my point: the press and pundits have already decided on the "narrative" that's independent of what's really going on. For example, many Republicans and Fox News commentators insist that this is "planned" by the left for some nefarious purpose. It isn't (although that might change if politicos seize control of the occupation). Conversely, the Left has a narrative about police oppression that isn't quite right, either.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;I see a different narrative.&lt;/b&gt; The love and acceptance of dissenting views is huge. The intimacy of the occupation overnight is amazing. The excitement from the live stream and Twitter feed is infectious. The populism hinting at totalitarianism is frightening. The occasional irony is amusing. More citations are needed.&lt;br /&gt;&lt;br /&gt;I think there is something interesting going on here. It’s not just another protest. I think it’s a more enduring addition to our culture. A decade from now, when the U.S.
invades France over a cheese dispute, protesters will “occupy” the streets using the same principles being developed now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7828745148824567961?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7828745148824567961/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7828745148824567961' title='64 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7828745148824567961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7828745148824567961'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/independent-reporting-of.html' title='Independent reporting of #OccupyWallStreet'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-b-JorYxXXlk/To4SgucYIsI/AAAAAAAAAcg/lbZLlcDRTPw/s72-c/Wall-Street-1.jpg' height='72' width='72'/><thr:total>64</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-808504753160655848</id><published>2011-10-05T16:36:00.006-05:00</published><updated>2011-10-10T18:48:33.533-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Anonymous'/><title type='text'>@Anonymous's war against the New York Stock Exchange</title><content type='html'>The hacker collective known as "Anonymous" (sic) has declared war on 
the New York Stock Exchange (NYSE), promising to "erase" it from the Internet this October 10th (in support of &lt;a href="http://erratasec.blogspot.com/2011/10/independent-reporting-of.html"&gt;#OccupyWallStreet&lt;/a&gt;). Should we be afraid of this threat?&lt;br /&gt;&lt;br /&gt;No. Hackers who can, do. Those who can't, make threats.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The most likely threat would be a massive DDoS attack, like the one Anonymous did against PayPal. In that attack, they posted a program called LOIC on various forums. Activists downloaded it, ran it on their computers, which then flooded PayPal with traffic. That attack affected PayPal briefly, but at the same time, it left fingerprints behind identifying people running LOIC. The FBI followed up and arrested many of these activists. It's not something activists would be willing to do again on a large scale.&lt;br /&gt;&lt;br /&gt;Unlike PayPal, the NYSE website is not the real NYSE. You can blow it up with explosives and you won't affect trading. Such a flood could "erase" it temporarily from the Internet, but everyone would yawn.&lt;br /&gt;&lt;br /&gt;There are more practical things that could be done, but here's the thing. If you could do it, you could make billions of dollars.&lt;br /&gt;&lt;br /&gt;For example, there are a lot of trader terminals connected more deeply with the actual trading network, which is completely disconnected from the NYSE website and the Internet. Such a system could be subverted to cause minor disruptions to trades. Even major disruptions can quickly be fixed: simply shut down the exchange, fix the problem, and bring it back up again. 9/11 disabled the NYSE, and it came back a few days later. I doubt there is a way to permanently "erase" it.&lt;br /&gt;&lt;br /&gt;But if you could do that, you could do something better. If you weren't interested in making money, the thing to do wouldn't be to DoS the stock exchange, but let them DoS themselves. 
Corrupt trades in a way that's undetected for as long as possible. The various counterparties would then be locked up in lawsuits for the next decade.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;So technically, how could a hacker get inside the network?&lt;br /&gt;&lt;br /&gt;The NYSE runs a completely separate network. Well, lots of people say this, like the operators of the power grid, and it's rarely true. But it's true in the case of the NYSE: I doubt hackers will find a way from the Internet into the NYSE private network.&lt;br /&gt;&lt;br /&gt;But, there are lots of things on the NYSE private network, such as terminals on the desks of traders among the members of the NYSE. If a hacker could get physical access to one of those terminals, he could do a lot of damage.&lt;br /&gt;&lt;br /&gt;The backend computers aren't the sorts hackers have experience with. Instead, they are things like AS/400 from IBM or "nonstop himalaya servers" from HP. These are actually FULL of vulnerabilities. It's astonishing how weak they are. But nobody knows, because the vendors assure customers they are secure, no hackers have challenged this impression (because they can't afford $100,000 for a system to test with), and nobody really cares, because they think the network is secure from outsiders.&lt;br /&gt;&lt;br /&gt;Thus, a good hacker, one who can reverse engineer and write custom shellcode, will find that the network is actually fairly open. 
But the casual script kiddies like Anonymous aren't likely to find success.&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;b&gt;Update:&lt;/b&gt; It was a non-event, reported on here:&lt;br /&gt;&lt;br/&gt; &lt;a href="http://www.chicagotribune.com/business/breaking/chi-anonymous-takes-down-nysecom-for-1-minute-20111010,0,1627656.story"&gt;http://www.chicagotribune.com/business/breaking/chi-anonymous-takes-down-nysecom-for-1-minute-20111010,0,1627656.story&lt;/a&gt;&lt;br /&gt;&lt;br/&gt; &lt;a href="http://www.forbes.com/sites/chrisbarth/2011/10/10/blink-and-you-missed-it-anonymous-attacks-nyse/"&gt;http://www.forbes.com/sites/chrisbarth/2011/10/10/blink-and-you-missed-it-anonymous-attacks-nyse/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-808504753160655848?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/808504753160655848/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=808504753160655848' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/808504753160655848'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/808504753160655848'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/anonymouss-war-against-new-york-stock.html' title='@Anonymous&apos;s war against the New York Stock Exchange'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-6566857002154810029</id><published>2011-10-04T15:17:00.015-05:00</published><updated>2011-11-16T19:25:41.783-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Occupy Wall Street'/><title type='text'>Brookfield Properties responds re: #OccupyWallStreet</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-JeS8TqXA8R4/Tot7x1BlsQI/AAAAAAAAAb0/sgB5MpFkygQ/s1600/zuccotti-park-rules.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="297" src="http://1.bp.blogspot.com/-JeS8TqXA8R4/Tot7x1BlsQI/AAAAAAAAAb0/sgB5MpFkygQ/s320/zuccotti-park-rules.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;i&gt;(For my complete report on the protest, click &lt;a href="http://erratasec.blogspot.com/2011/10/independent-reporting-of.html"&gt;here&lt;/a&gt;.)&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;The &lt;a href="http://en.wikipedia.org/wiki/Occupy_Wall_Street"&gt;#OccupyWallStreet&lt;/a&gt; protest is in fact occupying &lt;a href="http://en.wikipedia.org/wiki/Zuccotti_Park"&gt;Zuccotti Park&lt;/a&gt;, a private park owned by Brookfield Office Properties. I couldn't find an official statement from them on the protest, so I sent an e-mail to their Communications department. This is the e-mail I got in response:&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;Robert,&lt;br /&gt;Thanks for your note. 
Here is our statement:&lt;br /&gt;&lt;br /&gt;As the owner of Zuccotti Park, Brookfield Office Properties is committed to maintaining a clean and safe environment for the public to enjoy.&lt;br /&gt;&lt;br /&gt;For more than two weeks, protestors have been squatting in the park.  Brookfield recognizes people's right to peaceful protest; however, we also have an obligation to ensure that the park remains safe, clean, and accessible to everyone.&lt;br /&gt;&lt;br /&gt;Basic rules intended to keep the park safe, open, clean, and welcoming to all visitors are clearly posted.  These rules include bans on the erection of tents or other structures, as well as the placement of tarps, sleeping bags or other coverings on the property. Lying down on benches, sitting areas or walkways is likewise prohibited. Unfortunately, many of the individuals currently occupying the grounds are ignoring these basic yet necessary requirements, which interferes with the use of the park by others, including local residents, office workers, and visitors.&lt;br /&gt;&lt;br /&gt;Sanitation is a growing concern.  Normally, the park is cleaned and inspected every weeknight.  This process includes power washing, litter removal, landscaping and other maintenance as required.  
Because many of the protestors refuse to cooperate by adhering to the rules, the park has not been cleaned since Friday, September 16, and as a result, sanitary conditions have reached unacceptable levels.&lt;br /&gt;&lt;br /&gt;We continue to work with the City of New York to address these conditions and restore the park to its intended purpose.&lt;br /&gt;&lt;br /&gt;Best regards,&lt;br /&gt;Melissa&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Melissa Coley&lt;br /&gt;Vice President, Investor Relations &amp;amp; Communications&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Brookfield Global Real Estate&lt;br /&gt;Brookfield Office Properties&lt;br /&gt;Three World Financial Center&lt;br /&gt;200 Vesey Street, New York, NY 10281-1021&lt;br /&gt;T 212.417.7215, F 212.417.7272&lt;br /&gt;melissa.coley@brookfield.com&lt;br /&gt;www.brookfieldofficeproperties.com&lt;br /&gt;&lt;br /&gt;The undersigned is an associated person of a registered investment adviser.  View important disclosures and information about our e-mail policies http://www.brookfield.com/supervisedemaildisclaimer.&lt;/blockquote&gt;&lt;br /&gt;In my experience, sanitation isn't necessarily an issue. Unlike 'angry' protests that trash their venues, this one is (barring a few &lt;a href="http://erratasec.blogspot.com/2011/09/i-was-just-threatened-by.html"&gt;exceptions&lt;/a&gt;) very 'nice'. The protesters themselves are keeping the park clean. There is a strong ethos to not litter or otherwise degrade the park, and I watched as members of the protest went around the park with trash bags cleaning up litter. This doesn't solve the problem of hosing down the pavement every once in a while, but generally, the protesters are doing their own maintenance.&lt;br /&gt;&lt;br /&gt;In this, and many other ways, the protest reminds me of the Burning Man festival held in the Nevada desert every summer. 
That, too, has an enormous social norm of keeping the desert clean, to leave the area as if the massive event didn't happen.&lt;br /&gt;&lt;br /&gt;While complying with all the rules is difficult, since the purpose is to 'occupy' the park, I'm sure the protesters would accommodate Brookfield on other maintenance issues. &lt;i&gt;&lt;b&gt;Update:&lt;/b&gt; As it turns out, the protesters refused all attempts to work with Brookfield to do things like hose down the park.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Above is a picture of the rules of the park. I took this picture at night, which is why it's colored yellow from the sodium vapor street lamps. In case you have trouble reading it:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;center&gt;ZUCCOTTI PARK IS A PRIVATELY-OWNED SPACE THAT IS DESIGNED AND INTENDED FOR USE AND ENJOYMENT BY THE GENERAL PUBLIC FOR PASSIVE RECREATION.&lt;br /&gt;&lt;br /&gt;FOR THE SAFETY AND ENJOYMENT OF EVERYONE THE FOLLOWING TYPES OF BEHAVIOR ARE PROHIBITED IN ZUCCOTTI PARK.&lt;br /&gt;&lt;br /&gt;CAMPING AND/OR THE ERECTION OF TENTS OR OTHER STRUCTURES.&lt;br /&gt;&lt;br /&gt;LYING DOWN ON THE GROUND, OR LYING DOWN ON BENCHES, SITTING AREAS OR WALKWAYS WHICH UNREASONABLY INTERFERES WITH THE USE OF BENCHES, SITTING AREAS OR WALKWAYS BY OTHERS.&lt;br /&gt;&lt;br /&gt;THE PLACEMENT OF TARPS OR SLEEPING BAGS OR ANY OTHER COVERING ON THE PROPERTY.&lt;br /&gt;&lt;br /&gt;STORAGE OR PLACEMENT OF PERSONAL PROPERTY ON THE GROUND, BENCHES, SITTING AREAS OR WALKWAYS WHICH UNREASONABLY INTERFERES WITH THE USE OF SUCH AREAS BY OTHERS.&lt;br /&gt;&lt;br /&gt;THE USE OF BICYCLES, SKATEBOARDS AND ROLLER BLADES.&lt;br /&gt;&lt;br /&gt;REMOVAL OF OBJECTS FROM TRASH RECEPTACLES.&lt;/center&gt;&lt;/blockquote&gt;&lt;br /&gt;The last line is ironic: the protesters are keeping the park clean precisely by breaking the rule about removal of objects from trash receptacles. 
The protesters are removing all trash bags when they get full, replacing the full trash bag with an empty one, and placing the bag on the curb so that it can be picked up by the city.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;This was in response to my e-mail request:&lt;br /&gt;&lt;blockquote&gt;Hi! I was hoping you would be nice enough to have one of your people answer a quick question?&lt;br /&gt;&lt;br /&gt;Why do you guys have a park? I would assume you have to pay taxes on it, but receive no financial benefit. Is there a rule that you have to set aside a certain amount of space for other buildings you own nearby?&lt;br /&gt;&lt;br /&gt;Also, do you have an official statement on the protest? It seems you've been very nice, but on the other hand, it's hard to imagine that you'd be pleased with the protest if it lasts for months.&lt;br /&gt;&lt;br /&gt;Thank you for any response.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-6566857002154810029?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/6566857002154810029/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=6566857002154810029' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6566857002154810029'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6566857002154810029'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/brookfield-properties-responds-re.html' title='Brookfield Properties responds re: #OccupyWallStreet'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-JeS8TqXA8R4/Tot7x1BlsQI/AAAAAAAAAb0/sgB5MpFkygQ/s72-c/zuccotti-park-rules.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3166600231684520988</id><published>2011-10-03T12:05:00.006-05:00</published><updated>2011-10-03T19:51:51.485-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tradeoffs'/><title type='text'>October is Cybersecurity Awareness Month -- or is it?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://en.wikipedia.org/wiki/Breast_cancer" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-tCpz02A4A5k/TonsDg4XJrI/AAAAAAAAAbk/gxn5W6ZKEdI/s320/breast-cancer-ribbon.jpg" width="231" /&gt;&lt;/a&gt;&lt;/div&gt;Last year, the president &lt;a href="http://www.defense.gov/news/newsarticle.aspx?id=61115"&gt;declared October to be "Cybersecurity Awareness Month"&lt;/a&gt;. But, October has already been &lt;a href="http://www.nbcam.org/"&gt;Breast Cancer Awareness Month&lt;/a&gt; for the past 25 years.&lt;br /&gt;&lt;br /&gt;So which is it? Cybersecurity or Breast Cancer?&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The easy answer would be "both", but that's silly. Why not, then, make it "&lt;a href="http://en.wikipedia.org/wiki/October#Month-long_observances"&gt;everything&lt;/a&gt; awareness month"? Indeed, why don't we make every month Everything Awareness Month?&lt;br /&gt;&lt;br /&gt;Choosing both would teach a bad lesson. Everything we do to make cyberspace more secure comes with tradeoffs making cyberspace less useful. 
If we measured cybersecurity only by what is most secure, then we'd turn off the computer, cut the wires, and bury it. That'll keep the hackers out.&lt;br /&gt;&lt;br /&gt;Thus, cybersecurity is about choosing between tradeoffs. It recognizes that we can't endlessly ask for our budget to increase, but must work within the budget we are given. If that means forgoing anti-virus because we spent this year's money on a firewall, then so be it.&lt;br /&gt;&lt;br /&gt;That means with an "awareness month", we only have a fixed "awareness" budget. Every dollar spent promoting Cybersecurity awareness means one dollar taken away from Breast Cancer awareness.&lt;br /&gt;&lt;br /&gt;It's not just dollars, but attention span budget. Let's say you disregard my advice and increase your budget to promote both. People still have only a limited attention span, and thus, will pay half the attention to both campaigns.&lt;br /&gt;&lt;br /&gt;1 in 8 women will get &lt;a href="http://en.wikipedia.org/wiki/Breast_cancer"&gt;breast cancer&lt;/a&gt; in their lifetimes. I'm not aware of anybody dying from a cybersecurity fail. 
That makes me think breast cancer is a bit more important than cybersecurity.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3166600231684520988?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3166600231684520988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3166600231684520988' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3166600231684520988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3166600231684520988'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/october-is-cybersecurity-awareness.html' title='October is Cybersecurity Awareness Month -- or is it?'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-tCpz02A4A5k/TonsDg4XJrI/AAAAAAAAAbk/gxn5W6ZKEdI/s72-c/breast-cancer-ribbon.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3867666731410897930</id><published>2011-10-01T19:47:00.008-05:00</published><updated>2011-10-06T23:15:53.696-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Occupy Wall Street'/><title type='text'>Protesters wanted to get arrested on Brooklyn Bridge</title><content type='html'>&lt;i&gt;(For my complete report on the protest, click&amp;nbsp;&lt;a 
href="http://erratasec.blogspot.com/2011/10/independent-reporting-of.html"&gt;here&lt;/a&gt;.)&lt;/i&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;In the #OccupyWallStreet protests, there are claims that the police deliberately led protesters onto the roadway, and then arrested them for being on the road blocking traffic.&lt;br /&gt;&lt;br /&gt;I don't know; I wasn't there.&lt;br /&gt;&lt;br /&gt;But I was at a Starbucks near Zuccotti Park listening to two protesters (young white males with facial hair and pony tails) about an hour before the march. They were talking about how they were going to march to the Brooklyn Bridge, and how it was going to disrupt traffic, and how that was going to lead to arrests. They laughed at this, hoping it would happen, because "that'll finally get us on the news".&lt;br /&gt;&lt;br /&gt;I didn't get the impression that they were planning to go out on the roadway and disrupt traffic. My impression, though, was that they knew it was going to happen, probably because that's what happens when you march a few thousand protesters up to the bridge. Indeed, as the protesters later marched by the Starbucks on the way to the Brooklyn Bridge, I noticed occasional people get out onto the roadway, and cops telling them to get back onto the sidewalk.&lt;br /&gt;&lt;br /&gt;This is my impression of the protesters. They aren't necessarily lawless or violent, but they do seem interested in pushing the police to their limits. Even though they mostly follow police directions, not a single one (that I talked to) thinks of the police as being equally on their side. Whereas I see the police being tolerant of minor infractions, the protesters complained how the police were constantly harassing them over minor infractions. 
Their view is that if you aren't with them toting a placard, then you must be out to oppress them.&lt;br /&gt;&lt;br /&gt;As you can see in &lt;a href="http://www.youtube.com/watch?v=WRYJqFPVcXA"&gt;this video&lt;/a&gt;, the crowd is happy that they are getting arrested.&lt;br /&gt;&lt;br /&gt;My point is: the accusation that "it's the police's fault" that protesters were out on the roadway is pretty hard to believe.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; This &lt;a href="http://cityroom.blogs.nytimes.com/2011/10/01/police-arresting-protesters-on-brooklyn-bridge/?hp"&gt;NYTimes article&lt;/a&gt; describes the incident. It doesn't claim that the police deliberately guided them onto the roadway, but that protesters were confused about where to go.&lt;br /&gt;&lt;br /&gt;But, as I indicate above, at least some protesters knew that going onto the roadway would get them arrested.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; This link is a &lt;a href="http://www.theawl.com/2011/10/saturday-on-the-brooklyn-bridge-and-then-on-a-police-bus"&gt;first-hand account&lt;/a&gt; of somebody who happened to go for a walk with the protesters and got arrested. Before the march:&lt;br /&gt;&lt;blockquote&gt;As we loitered a young woman handed me a flier that described my legal rights and urged me to write down the number of the National Lawyers Guild on my arm.&lt;br /&gt;&lt;br /&gt;“You planning on getting arrested today?” I said.&lt;br /&gt;&lt;br /&gt;“You never know,” she said.&lt;/blockquote&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; Another &lt;a href="http://www.addictinginfo.org/2011/10/01/eyewitness-account-to-the-brooklyn-bridge-arrests/"&gt;eyewitness account&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;Looking at photographs, I find core occupiers from the Central Committee among those arrested for being on the roadway. 
These are the people who should've known what would happen, even if most other protesters didn't.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3867666731410897930?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3867666731410897930/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3867666731410897930' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3867666731410897930'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3867666731410897930'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/10/protesters-wanted-to-get-arrested-on.html' title='Protesters wanted to get arrested on Brooklyn Bridge'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-8737478540064734936</id><published>2011-09-30T16:00:00.008-05:00</published><updated>2011-10-06T23:16:21.607-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fascism'/><category scheme='http://www.blogger.com/atom/ns#' term='Occupy Wall Street'/><title type='text'>I was just threatened by #OccupyWallStreet protesters</title><content type='html'>&lt;i&gt;(For my complete report on the protest, click&amp;nbsp;&lt;a href="http://erratasec.blogspot.com/2011/10/independent-reporting-of.html"&gt;here&lt;/a&gt;.)&lt;/i&gt;&lt;br 
/&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;I was just threatened by &lt;a href="http://en.wikipedia.org/wiki/Occupy_Wall_Street"&gt;#OccupyWallStreet&lt;/a&gt; protesters. They told me that if I didn’t give up my seat, they were going to break this computer I’m typing on.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-yrlIWNjgScQ/ToZKjZa0_RI/AAAAAAAAAbg/9JidlQSvwYs/s1600/photo.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-yrlIWNjgScQ/ToZKjZa0_RI/AAAAAAAAAbg/9JidlQSvwYs/s320/photo.jpg" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;I chose a seat in the park that was far from the center of action, but apparently, the center of action moves around. The “media team” wanted to commandeer the table I was sitting at in order to set up a tripod to take pictures of an upcoming speech. Some chick carrying a camera (pictured on the right) &amp;nbsp;came up to me and demanded that I leave. When I refused, she told me that they were going to set up a tripod on the table and take pictures there anyway, and that since her focus was going to be on taking pictures, she was almost certainly going to “accidentally” step on my computer.&lt;br /&gt;&lt;br /&gt;It wasn’t just her making threats. This fascist chick was accompanied by a thug whose face was visibly twitching in anger, saying in a threatening manner “you had better leave”.&lt;br /&gt;&lt;br /&gt;The irony of populism is that it’s really the first step of fascism. Occupy Wall Street is modeled after the &lt;a href="http://en.wikipedia.org/wiki/Arab_Spring"&gt;Arab Spring&lt;/a&gt; protests that occupied central squares in cities, eventually deposing authoritarian regimes. But those regimes themselves got power by “taking back” their country for the people from the previous despots. 
Everything these dictators did was justified as being in the name of “the people".&lt;br /&gt;&lt;br /&gt;The fascist chick’s comments reflected this. Even after I made it clear that I didn’t support the protest, she insisted that I help them anyway because they were serving “everyone’s interest”. It’s not true, most “everyone” has made it clear they aren’t interested in the protesters’ brand of socialism.&lt;br /&gt;&lt;br /&gt;Likewise, she expressed the fact that since they'd been occupying the park for two weeks, they were in control of who could sit where. This is exactly how populists become fascists: principles of freedom important when out of power are lost once they gain power. It's how Castro and Che Guevara viciously suppressed dissent once they gained power in Cuba (the famous picture of Che isn't as a revolutionary in the jungle fighting the man, but was taken shortly after Che's show trials of political opponents). Now that the #OccupyWallStreet protesters control the park, they won't tolerate those who don't obey their commands.&lt;br /&gt;&lt;br /&gt;The reason I didn’t give up my seat is because in general, I respond stubbornly to intimidation. For example, last year the &lt;a href="http://erratasec.blogspot.com/2010/11/i-was-just-detained-by-tsa.html"&gt;TSA detained me&lt;/a&gt; for taking pictures in airport security, something that is perfectly legal, allowed by the TSA’s own rules, and from a larger point of view, necessary for keeping authority accountable to the public.&lt;br /&gt;&lt;br /&gt;By the way, there was a third guy. When I said “no” to giving up my seat, he smiled, shook my hand, and said “peace”. He was the model of how the protesters should be, with the ability to think privately "I think you are a dick, but I'm going to rise above it, shake your hand, and move on". Just because some of the protesters are fascists doesn’t mean they all are. Also, the others didn't carry through on their threat; they simply set up elsewhere. 
Finally, most protesters were quite happy to debate their point of view with those who disagreed with them, albeit they are painfully condescending.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;Update:&lt;/b&gt; comments over at Reddit take exception to my use of the word "fascist". Of course, I'm using that term in the casual sense, such as the way you might describe a cop beating up a protester as a "fascist". Likewise, I might casually use "anarchist" to describe a punk throwing stones at a cop, even though I know that "anarchist" has a much richer sense; indeed, as a Libertarian, I might describe myself as an "anarchist" in the sense that I oppose government control, but not in the sense that I would throw rocks at cops.&lt;br /&gt;&lt;br /&gt;But since you bring it up, there is a lot of overlap between Occupy Wall Street and fascism, such as "hostile to &lt;a href="http://en.wikipedia.org/wiki/Financial_services"&gt;finance capital&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Plutocracy"&gt;plutocracy&lt;/a&gt;, the 'power of money', and internationalist economics" (to quote the Wikipedia page on &lt;a href="http://en.wikipedia.org/wiki/Facism"&gt;Fascism&lt;/a&gt;). 
It would be wrong to claim that Occupy Wall Street is actually fascist, but where they overlap, it isn't unjust to point this out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-8737478540064734936?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/8737478540064734936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=8737478540064734936' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8737478540064734936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8737478540064734936'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/09/i-was-just-threatened-by.html' title='I was just threatened by #OccupyWallStreet protesters'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-yrlIWNjgScQ/ToZKjZa0_RI/AAAAAAAAAbg/9JidlQSvwYs/s72-c/photo.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5049387257140513778</id><published>2011-09-21T14:11:00.000-05:00</published><updated>2011-09-21T14:11:06.069-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='economics'/><title type='text'>Thinking on the margin (Economics)</title><content type='html'>&lt;b&gt;By any rational measure, the Internet is secure enough.&lt;/b&gt; 
It's obviously true. The value of the Internet, with the hackers, is far greater than not having the Internet. Credit card companies, despite all the credit card losses, make a net profit on the Internet.&lt;br /&gt;&lt;br /&gt;The problem with the security industry, especially so-called "experts", is that they don't know how to measure "enough security". So they fall back to a default position that no matter how much security you have, it's not enough, you need more. Becoming a security expert is insanely easy: just tell people they don't have enough security. Blame security weaknesses on moral weaknesses, such as laziness, greed, corruption, stupidity, and so on.&lt;br /&gt;&lt;br /&gt;But while nobody knows how to measure "enough", it turns out that it's easy. The trick is thinking on the edge, on the margin. You calculate it by whether a marginal increase in security is worth the marginal cost.&lt;br /&gt;&lt;br /&gt;Take SSL, for example. Is it secure enough? Well, if you ask the question that way, as an absolute, then you've already lost the battle. But if you instead ask about marginal improvements, it starts to look different. For example, let's say that browser vendors were to announce a new policy such that any CA that gives out a bad certificate for a major site (Google, Microsoft, etc.) will be permanently removed from the browser. The question is: are the marginal benefits of this policy worth the marginal costs? We can now have a lively debate about this, with each side bringing up benefits/costs that the other side did not consider. But it's a rational way of debating the problem, rather than debating "is SSL secure enough?".&lt;br /&gt;&lt;br /&gt;Or take DNSsec. I love it, it should've been done 10 years ago (from one perspective), but on the other hand, I think its marginal costs exceed its marginal benefits. It doesn't solve any of the most common attacks that happen today. I suppose the debate is about what happens in the future. 
Does it end up being a common point of failure (the way CAs are today), or does it enable new innovation in secure technologies for the future? I suspect a little of both.&lt;br /&gt;&lt;br /&gt;Consider the TSA. The most common wrong thing said about them is that they, or one of their techniques, don't stop terrorists. For example, people heavily criticize the taking off of shoes. The correct way to analyze this is on the margin. Is the marginal benefit of forcing passengers to take off their shoes worth the marginal cost?&lt;br /&gt;&lt;br /&gt;Here is the thing about terrorism: it's oddly elastic. You'd think that a serious suicide bomber would surgically implant a bomb making it 100% undetectable, and thus, all TSA security is meaningless. In fact, few suicide bombers are that rational. Most are stupid, incompetent, or crazy. Most find it too difficult to ignite a shoe or underwear bomb. Nothing the TSA does can stop the next 9/11 attack by competent suicide bombers, but for everything they do, there is probably some incompetent suicide bomber that is stopped by that procedure. So the question isn't whether these procedures work; they do. 
The question is whether every procedure is worth the cost; I would agree with the assessment that most aren't.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5049387257140513778?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5049387257140513778/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5049387257140513778' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5049387257140513778'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5049387257140513778'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/09/thinking-on-margin-economics.html' title='Thinking on the margin (Economics)'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3623815270751442802</id><published>2011-09-20T16:09:00.000-05:00</published><updated>2011-09-20T16:09:03.370-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='captcha'/><title type='text'>CAPTCHA hell</title><content type='html'>The better spammers get at solving CAPTCHAs, the harder it becomes for humans to prove that they are, in fact, humans. RECAPTCHA, in particular, has become annoying lately. I often fail the first attempt (or 100% of the attempts if going through TOR, for some reason). 
Here is a list of CAPTCHAs, see if you can solve them:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-RN-UKzpPofw/Tnj_n5wpECI/AAAAAAAAAa8/vBa1RZb-v70/s1600/recaptcha-01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-RN-UKzpPofw/Tnj_n5wpECI/AAAAAAAAAa8/vBa1RZb-v70/s1600/recaptcha-01.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;That's "pœna", not "poena".&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-edaupj1nJlk/Tnj_oDT51GI/AAAAAAAAAbA/Wwe6Nwbcrxc/s1600/recaptcha-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-edaupj1nJlk/Tnj_oDT51GI/AAAAAAAAAbA/Wwe6Nwbcrxc/s1600/recaptcha-02.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;It would be a mistake to think it was "Miftake"&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-CU07LKGlp5Q/Tnj_oYjjQaI/AAAAAAAAAbE/ewBLeJf93DU/s1600/recaptcha-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-CU07LKGlp5Q/Tnj_oYjjQaI/AAAAAAAAAbE/ewBLeJf93DU/s1600/recaptcha-03.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span"&gt;Is it "1300.8", or "1300.&lt;sup&gt;8&lt;/sup&gt; or "1300.&lt;/span&gt;&lt;span class="Apple-style-span" style="background-color: #f9f9f9; font-family: 'Arial Unicode MS', 'Microsoft Sans Serif', 'Free Sans', 'Gentium Plus', 'Gentium Basic', Gentium, GentiumAlt, 'DejaVu Sans', 'DejaVu Serif', 'Free Serif', 'TITUS Cyberbit Basic', 'Bitstream Cyberbit', 'Bitstream CyberBase', 'Doulos SIL', Code2000, 
Code2001; font-size: 13px; line-height: 19px;"&gt;⁸&lt;/span&gt;&lt;span class="Apple-style-span"&gt;"?&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-solDLRMSOsI/Tnj_ok6JX2I/AAAAAAAAAbI/CVz_fyicHko/s1600/recaptcha-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-solDLRMSOsI/Tnj_ok6JX2I/AAAAAAAAAbI/CVz_fyicHko/s1600/recaptcha-04.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-DWUNZHEOzl0/Tnj_o1Bpj8I/AAAAAAAAAbM/D4uHNgdU2cU/s1600/recaptcha-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-DWUNZHEOzl0/Tnj_o1Bpj8I/AAAAAAAAAbM/D4uHNgdU2cU/s1600/recaptcha-05.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-eDTJfWSWv_k/Tnj_oy0zuyI/AAAAAAAAAbQ/wNThDsnYC-Y/s1600/recaptcha-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-eDTJfWSWv_k/Tnj_oy0zuyI/AAAAAAAAAbQ/wNThDsnYC-Y/s1600/recaptcha-06.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-6W9oBWTUYIQ/Tnj_pLfnOaI/AAAAAAAAAbU/5KD6RXXND_g/s1600/recaptcha-07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" 
src="http://1.bp.blogspot.com/-6W9oBWTUYIQ/Tnj_pLfnOaI/AAAAAAAAAbU/5KD6RXXND_g/s1600/recaptcha-07.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-CKffBDsUIxY/Tnj_pAql5oI/AAAAAAAAAbY/aTehrFH5Avk/s1600/recaptcha-08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-CKffBDsUIxY/Tnj_pAql5oI/AAAAAAAAAbY/aTehrFH5Avk/s1600/recaptcha-08.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-LlIxGBVN8fg/Tnj_pt4X0FI/AAAAAAAAAbc/v0FZ68QpQH4/s1600/recaptcha-09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-LlIxGBVN8fg/Tnj_pt4X0FI/AAAAAAAAAbc/v0FZ68QpQH4/s1600/recaptcha-09.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3623815270751442802?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3623815270751442802/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3623815270751442802' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3623815270751442802'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3623815270751442802'/><link rel='alternate' 
type='text/html' href='http://erratasec.blogspot.com/2011/09/captcha-hell.html' title='CAPTCHA hell'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-RN-UKzpPofw/Tnj_n5wpECI/AAAAAAAAAa8/vBa1RZb-v70/s72-c/recaptcha-01.png' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-4489807982520510886</id><published>2011-09-08T13:57:00.000-05:00</published><updated>2011-09-08T13:57:55.250-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='responsible disclosure'/><title type='text'>Finally, a Responsible Disclosure policy</title><content type='html'>Digital Bond, who researches SCADA/ICS vulns, has published one of the most responsible vulnerability policies: &lt;a href="http://www.digitalbond.com/about-us/vulnerability-disclosure-policy/"&gt;http://www.digitalbond.com/about-us/vulnerability-disclosure-policy/&lt;/a&gt;. To summarize, it says:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;We honor client commitments.&lt;/li&gt;&lt;li&gt;Otherwise, we do whatever the heck we want with discovered vulns.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Over the years, vulnerability researchers (or non-researchers who want researchers to listen to them) have tried to come up with ways to lessen the harm of vuln research while maximizing the good. They've failed. Instead, they've come up with rules that only serve the vendors of vulnerable products, who exploit "responsible disclosure" to spin, cover up, or delay vuln disclosure. 
After having the FBI show up at our door threatening us in an attempt to prevent vuln disclosure, we've stopped being nice with vendors.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-4489807982520510886?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/4489807982520510886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=4489807982520510886' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/4489807982520510886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/4489807982520510886'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/09/finally-responsible-disclosure-policy.html' title='Finally, a Responsible Disclosure policy'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5021783555595384121</id><published>2011-08-23T15:27:00.004-05:00</published><updated>2011-08-24T00:15:05.188-05:00</updated><title type='text'>What the heck is ISO-TSAP?</title><content type='html'>This &lt;a href="http://www.langner.com/en/2011/08/20/ics-cert-on-beresford-vulns-flawed-analysis-misleading-advice/"&gt;great blog post&lt;/a&gt; criticizes this grossly incompetent &lt;a href="http://www.us-cert.gov/control_systems/pdf/ICSA-11-223-01.pdf"&gt;advisory&lt;/a&gt; by the &lt;a 
href="http://www.us-cert.gov/control_systems/ics-cert/"&gt;US DHS CERT&lt;/a&gt;. Both mention “ISO-TSAP”. What is “ISO-TSAP”?&lt;br /&gt;&lt;br /&gt;Just &lt;a href="http://www.ietf.org/rfc/rfc793.txt"&gt;TCP&lt;/a&gt;, the same protocol that carries Internet traffic.&lt;br /&gt;&lt;br /&gt;That’s what makes the &lt;a href="http://www.dhs.gov/"&gt;DHS&lt;/a&gt; advisory incompetent, because it blames TCP’s lack of encryption for the problems in the Siemens industrial controllers. But a protocol like TCP isn’t supposed to encrypt data; it’s just supposed to carry traffic between two end-points. If you want encryption (like &lt;a href="http://en.wikipedia.org/wiki/Transport_Layer_Security"&gt;SSL&lt;/a&gt;), you are supposed to layer that on top of TCP.&lt;br /&gt;&lt;br /&gt;So if ISO-TSAP is just TCP, why is it called by a different name?&lt;br /&gt;&lt;br /&gt;That answer is a bit more political. The Internet as we know it wasn’t the Internet the government designed. Instead, they designed a competing Internet known as either “&lt;a href="http://en.wikipedia.org/wiki/Open_Systems_Interconnection"&gt;OSI&lt;/a&gt;” or “ISO”.&lt;br /&gt;&lt;br /&gt;The government first created a blueprint, called the “&lt;a href="http://en.wikipedia.org/wiki/Osi_model"&gt;OSI Model&lt;/a&gt;”. That model defines seven layers, where each layer is responsible for a specific task. Layer 1 defines how bits are sent onto the nearest wire. Layer 2 defines how packets are sent only as far as the next hop (to the other end of the wire). Layer 3 defines how packets go hop to hop across the world wide network to the destination computer. &lt;a href="http://en.wikipedia.org/wiki/Osi_model#Layer_4:_Transport_Layer"&gt;Layer 4&lt;/a&gt; defines how the packets reach the destination application on that target computer, whether it be the web browser, iTunes, Skype, etc.&lt;br /&gt;&lt;br /&gt;TCP fits in layer 4, but not precisely as OSI defines it. Mostly, it’s a terminology difference. 
For example, the OSI/ISO standard might say “disconnect” the connection, but TCP/IP might say “close” the connection. The ISO-TSAP standard is mostly just a translation between this terminology, showing how code written to conform with the OSI/ISO Layer 4 standard will work when run over the TCP/IP standard.&lt;br /&gt;&lt;br /&gt;There is one important difference. TCP/IP sends data as a “stream”. Yes, even though the underlying IP sends packets, the TCP on top reassembles this back into a stream of bytes, so that applications see no boundaries between packets.&lt;br /&gt;&lt;br /&gt;But the OSI/ISO Layer 4 standard defines a boundary between packets. Therefore, the ISO-TSAP standard adds 4 bytes to each TCP packet to include a “length” field, so that applications can discover the original packet boundaries that are hidden by TCP. Therefore, if you were to ask about the precise protocol differences between ISO-TSAP and TCP, it would be the addition of the following header to each packet:&lt;br /&gt;&lt;pre&gt;        0                   1                   2                   3&lt;br /&gt;        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1&lt;br /&gt;       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;       |      vrsn     |    reserved   |          packet length        |&lt;br /&gt;       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;So this OSI stuff has been obsolete for over 20 years; why the heck is the Siemens controller still using it?&lt;br /&gt;&lt;br /&gt;Well, that’s the problem with industrial-control/SCADA systems: they are 20 years out of date. It’s the way that industry works. They expect to install a piece of equipment and have it run unchanged for decades.&lt;br /&gt;&lt;br /&gt;And that, not “lack of encryption in ISO-TSAP”, is the cause of the Siemens vulnerabilities. 
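&lt;br /&gt;&lt;br /&gt;The following is an added example, not code from this post and not from any Siemens or RFC 1006 implementation. It shows how a receiver uses the 4-byte header above to recover the packet boundaries that TCP hides: it assumes the RFC 1006 layout (version byte fixed at 3, reserved byte 0, a 16-bit big-endian length that counts the header itself); the sample stream and the MAX_PACKET_LEN cap are constructed for the example. Since the length field comes from the peer, the parser validates it against what it can hold before using it as an offset, rather than trusting it.

```python
"""TPKT (RFC 1006, ISO-TSAP over TCP) framing: an added example, not from the post."""
import struct

TPKT_HEADER_LEN = 4       # vrsn(1) + reserved(1) + packet length(2)
TPKT_VERSION = 3          # RFC 1006 fixes the version byte at 3
MAX_PACKET_LEN = 65535    # assumption for this example: largest TPKT we accept


def parse_tpkt_stream(stream, max_len=MAX_PACKET_LEN):
    """Split a reassembled TCP byte stream into TPKT payloads.

    Returns (payloads, leftover): payloads is the list of bytes that followed
    each complete header; leftover is the tail that does not yet hold a whole
    packet, which the caller keeps until the next TCP segment arrives.
    Raises ValueError for a header that cannot be valid instead of using its
    length field blindly.
    """
    payloads = []
    offset = 0
    while len(stream) - offset >= TPKT_HEADER_LEN:
        version, reserved, length = struct.unpack_from(">BBH", stream, offset)
        if version != TPKT_VERSION:
            raise ValueError("bad TPKT version %d at offset %d" % (version, offset))
        if reserved != 0:
            raise ValueError("TPKT reserved byte must be zero")
        # The length counts the header itself, so a value below 4 would
        # describe a negative-size payload: reject it rather than loop on it.
        if TPKT_HEADER_LEN > length or length > max_len:
            raise ValueError("TPKT length %d out of range" % length)
        end = offset + length
        if end > len(stream):
            break  # this packet is not fully received yet
        payloads.append(bytes(stream[offset + TPKT_HEADER_LEN:end]))
        offset = end
    return payloads, bytes(stream[offset:])


def build_tpkt(payload):
    """Prefix a payload with a TPKT header (the inverse of the parser)."""
    total = TPKT_HEADER_LEN + len(payload)
    if total > MAX_PACKET_LEN:
        raise ValueError("payload too large for a 16-bit TPKT length")
    return struct.pack(">BBH", TPKT_VERSION, 0, total) + payload


# Constructed sample: two complete packets followed by a truncated third one,
# which is how a reassembled TCP stream may hand data to the application.
SAMPLE_STREAM = (
    build_tpkt(b"hello")
    + build_tpkt(b"world!!")
    + b"\x03\x00\x00\x0a\x61\x62"   # header claims 10 bytes, only 6 arrived
)


def demo():
    """Parse the constructed stream; returns the two payloads and the leftover tail."""
    return parse_tpkt_stream(SAMPLE_STREAM)


if __name__ == "__main__":
    print(demo())
```

The truncated tail comes back as leftover so the caller can append the next TCP segment and parse again; a header whose length is below 4 or above the cap raises before it is ever used as an offset, which is the check a parser of any peer-supplied length field needs.&lt;br /&gt;&lt;br /&gt;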
The system was created using cybersecurity concepts that are 20 years old, that haven’t caught up with the radical change in cybersecurity that we’ve seen in the last 10 years.&lt;br /&gt;&lt;br /&gt;Indeed, the reported Siemens vulnerabilities are just the tip of the iceberg. If a system is using ISO-TSAP instead of raw TCP, it’s probably using all the other dumb stuff from ISO/OSI. The most egregious is something called &lt;a href="http://en.wikipedia.org/wiki/Asn.1"&gt;ASN.1&lt;/a&gt;, which is a way of abstractly defining fields in a packet. When you “concretely” define fields in a packet, the lengths tend to be fixed. For example, you might have a username field that is precisely 16 bytes long. When you “abstractly” define fields, they can be any length. A programmer might make a “safe” assumption that a username couldn’t possibly be longer than 1000 characters, and might reserve a buffer in memory of that length. But, of course, a malicious hacker can exceed that, and provide a username 2000 bytes long, overflow that buffer, and overwrite other parts of memory in such a way that allows the hacker to break into the system. Such “buffer-overflows” are significantly less common on today’s networks -- except in those places that are still behind the times using things like ASN.1.&lt;br /&gt;&lt;br /&gt;I know of at least one vendor’s implementation of &lt;a href="http://en.wikipedia.org/wiki/Inter-Control_Center_Communications_Protocol"&gt;ICCP&lt;/a&gt; (Inter Control Center Communications Protocol) that also runs on ISO-TSAP and uses ASN.1 that is full of such buffer overflows.&lt;br /&gt;&lt;br /&gt;It is this problem of being 20 years behind the times that is likely the cause of the grossly incompetent DHS advisory. It was probably written with input from the Siemens engineers who explained the problems, and the Siemens engineers are working with 20-year-old concepts. 
The DHS employees probably did little of their own analysis, and certainly, they never talked to the guy who discovered the problems.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;The grossly incompetent DHS advisory is just a reflection of the fact that the industrial-control/SCADA systems are grossly out of date. This is demonstrated by the fact that I have to roll back the clock to a time before many readers of this post were born (&lt;a href="http://www.faqs.org/rfcs/rfc1006.html"&gt;RFC 1006&lt;/a&gt;) in order to explain what the heck is going on.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5021783555595384121?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5021783555595384121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5021783555595384121' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5021783555595384121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5021783555595384121'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/08/what-heck-is-iso-tsap.html' title='What the heck is ISO-TSAP?'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1900496585812273087</id><published>2011-08-19T16:15:00.012-05:00</published><updated>2011-08-19T20:47:48.113-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='certification'/><title type='text'>Catastrophic failure for certifications of the APD</title><content type='html'>&lt;p class="p1"&gt;&lt;br /&gt;&lt;/p&gt; &lt;img src="http://1.bp.blogspot.com/-EMeDobLZFEI/Tk7WX2t1qqI/AAAAAAAAAQU/algyzp5v3DQ/s200/atlanta-police.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5642683088454920866" style="float: right; margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 10px; cursor: pointer; width: 169px; height: 200px; " /&gt;&lt;p class="p3"&gt;There was an interesting news story about the &lt;a href="http://www.cbsatlanta.com/story/15271201/atlanta-police-powers-revoked-convictions-could-be-overturned?clienttype=printable"&gt;City of Atlanta police officer certification scandal&lt;/a&gt; that's happening now in Atlanta. About 200 police officers have lapsed or incorrect certifications, affecting cases that go as far back as 20 years. A police officer cannot make lawful arrests or collect evidence without this certification. The "seven deadly" convictions such as murder, rape, and arson are particularly likely to be thrown out now because of the especially high importance the arrest warrant has in those cases. &lt;/p&gt;&lt;p class="p3"&gt;This is a brittle and inflexible system where if one part of the process breaks down it becomes a catastrophic failure. We need our legal system to be absolute and unmalleable so that there is justice and equality, but that doesn't lend itself to having a backup plan. Here the symptom of the brittle system is that they rely entirely on the certification to validate the system. 
If the certification process is broken then the system fails and deadly criminals go free. The article says "There is no excuse to have officers who are not trained. That is a danger to the citizens and it is a danger to police officers," meaning that uncertified cops are dangerous. But the reality is that a substantial number of the 200 officers that made arrests while not certified did the right thing and took deadly criminals off the street. We want those criminals to stay behind bars. In order to keep these criminals behind bars the city must acknowledge that the certification does not create the good cop, and a cop can practice good law and order without taking a test. Therefore the test is not absolutely necessary. This is in direct conflict with the nature of law to be absolute and without exceptions. So, in order to protect justice, the arrests will be rendered invalid, deadly criminals will go free, and the system will suffer a catastrophic failure.&lt;/p&gt; &lt;p class="p3"&gt;Does Information Security have a similar vulnerability to failure based on its similar relationship to certifications? Certifications such as CISSP are not required by law, but many companies won't hire without one. By supporting certifications, a customer is saying they believe the certification is the difference between a "good" security professional and a "bad" or even "dangerous" security professional. So the question is, just like in the case of the Atlanta Police turning over their arrests, if the Security Professional loses their certification, would the customer then suddenly render all of the future work invalid? If they found out the Sec Pro didn't have a certification after all, would they throw out the test and have it done over? &lt;/p&gt;&lt;p class="p3"&gt;The lapse in certification provides an opportunity for the customer to dispute the validity of the work if they don't like how it makes them look. 
On the Errata &lt;a href="http://erratasec.blogspot.com/2011/06/take-bow-everybody-security-industry.html"&gt;blog&lt;/a&gt;, we've talked before about how the deliverables of a pentest can be more like a negotiation than a fact-finding mission. Companies spend just as much energy explaining why the test is wrong as they do remediating the findings. Having a certification to call into question is another opportunity to do this, because in a security assessment, the customer is both "the convicted criminal looking for a loophole" and "the victim." &lt;/p&gt;&lt;p class="p3"&gt;If the certification is good at accurately distinguishing a competent security professional, then the Industry should do as the City of Atlanta is doing, and protect it by throwing out the work of security professionals whose status has lapsed. But, as Robert Graham wrote in an Errata &lt;a href="http://erratasec.blogspot.com/2011/07/ethical-problems-of-cissp-and-isc2.html"&gt;blog post&lt;/a&gt;, certifications like the CISSP are actually ethically dubious and certify unqualified people, so it would be better if no company supported them in the first place and security professionals were judged on the merits of their work/portfolio instead. 
This would help to minimize one path of failure in Information Security.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1900496585812273087?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1900496585812273087/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1900496585812273087' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1900496585812273087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1900496585812273087'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/08/catastrophic-failure-for-certifications.html' title='Catastrophic failure for certifications of the APD'/><author><name>Marisa Fagan</name><uri>http://www.blogger.com/profile/01185065599379609480</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://bp0.blogger.com/_96sSF15CVnM/SCipA24vSDI/AAAAAAAAAA0/QJN0KuMNt84/S220/marisa+in+the+car+mirror.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-EMeDobLZFEI/Tk7WX2t1qqI/AAAAAAAAAQU/algyzp5v3DQ/s72-c/atlanta-police.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2543958892761965694</id><published>2011-08-17T17:01:00.002-05:00</published><updated>2011-08-17T17:04:30.850-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='crack'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><title type='text'>Validity of most-common-password lists</title><content type='html'>As this tweet asks: what's 
the validity of the various lists of the most common passwords people choose, such as this one &lt;a href="http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time"&gt;http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time&lt;/a&gt;?&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-q-6plcKJCGk/Tkw6LIrzpJI/AAAAAAAAAao/J-BFBa6D-W8/s1600/tweet-most-common-passwd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-q-6plcKJCGk/Tkw6LIrzpJI/AAAAAAAAAao/J-BFBa6D-W8/s1600/tweet-most-common-passwd.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The answer is: it depends. If you dump the passwords at the average website, you'll see these as common passwords.&lt;br /&gt;&lt;br /&gt;But they may not reflect passwords chosen for important sites, like corporations or banking. The less important a site, the poorer the passwords. People will choose poorer passwords for something like Sony Playstation gaming than they would for their corporate account. This is especially true when your corporate account enforces rules for password complexity and reset.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Thus, just because the password "123456" is incredibly common doesn't mean that fact is useful to hackers trying to get valuable information.&lt;br /&gt;&lt;br /&gt;Or, look at it another way. When we pen-testers break in, we usually want to get an "administrator" account rather than a "user" account, so that we can control the system. Administrators choose tougher passwords than users. Thus, just because users choose bad passwords doesn't mean we can crack administrator passwords.&lt;br /&gt;&lt;br /&gt;There is another flaw in the statistics. Yes, "123456" might be the most common password on the Internet, but what percentage of passwords match that? Do 10% of users choose that password? 1%? 0.1%? 
Depending on the importance of a website, that number is going to be closer to 0.001% than 1%. In other words, just because you know the most common passwords doesn't mean you'll be likely to guess a person's password before the system locks you out.&lt;br /&gt;&lt;br /&gt;What these lists do tell you is the psychology behind what people choose as passwords. People choose easy patterns on the keyboard, like "123456" or "qazwsx". People choose their children's names or birthdates. People choose swear words. People choose sports teams. People choose words like "dragon" and "monkey". I have no idea why "monkey" is so popular; I just know that it is.&lt;br /&gt;&lt;br /&gt;This information can be used in password crackers. Unlike guessing a person's password on a website, which is one attempt every few seconds, cracking passwords can try billions of combinations per second. But even doing a billion tries per second, a hacker still can't guess an 8-character password in 100 years. Therefore, a hacker has to be smart. Knowing that "monkey" is popular, the hacker will try variations, like "m0nkey" or "monkey1234". Thus, if a hacker gets a database of encrypted passwords (a.k.a. hashes), he or she will be able to guess 20% of those passwords, either by trying the most common passwords, or simple variations of those passwords.&lt;br /&gt;&lt;br /&gt;This is also useful to people wanting to know how to choose passwords. Even if your password isn't in the list, it shows you how people choose passwords, and what not to do. 
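The list-plus-variations idea above, turned into a policy check, as an added example (not code from the post): a candidate is rejected if it is a list entry or a simple mangling of one, and a sample dump is scored to answer the "what percentage match" question. The password list and the dump are small constructed samples, not the 500-entry list the post links to.

```python
"""Added example (not from the post): score a candidate password the way a
cracker's wordlist-plus-rules pass would, so a policy can reject not only
"monkey" but "m0nkey" and "Monkey1234" too.  COMMON_PASSWORDS is a small
constructed sample standing in for the 500-entry list the post links to."""
import re
from typing import Iterable, Optional

# Constructed sample of list entries (the post names several of these).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "qazwsx", "dragon", "monkey",
    "letmein", "baseball", "football", "iloveyou", "abc123",
})

# Undo the leet-speak substitutions a mangling rule would have applied.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
# Leading/trailing digits and symbols, e.g. the "1234" in "monkey1234".
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")


def normalize(candidate: str) -> str:
    """Reduce a candidate to the base word a rule would have started from."""
    base = EDGE_JUNK.sub("", candidate.lower())   # "m0nkey1234" -> "m0nkey"
    base = base.translate(LEET)                    # "m0nkey"     -> "monkey"
    return EDGE_JUNK.sub("", base)


def matches_common(candidate: str) -> Optional[str]:
    """Return the list entry that would crack this candidate, or None."""
    raw = candidate.lower()
    if raw in COMMON_PASSWORDS:           # exact hit, e.g. "123456"
        return raw
    base = normalize(candidate)
    if base in COMMON_PASSWORDS:          # hit after undoing a simple rule
        return base
    return None


def weak_fraction(dump: Iterable[str]) -> float:
    """Share of a dump that list-plus-rules would recover: the post's
    'what percentage of passwords match' question, answered for a sample."""
    dump = list(dump)
    if not dump:
        return 0.0
    return sum(1 for p in dump if matches_common(p)) / len(dump)


# Constructed sample dump; nothing here is a real credential.
SAMPLE_DUMP = [
    "123456", "m0nkey", "Monkey1234", "Dragon!!", "p@ssw0rd1",
    "correct horse battery staple", "Tr0ub4dor&3", "gw3J#p9qLm",
    "qazwsx", "Falcons2011",
]

if __name__ == "__main__":
    for pw in SAMPLE_DUMP:
        print(f"{pw:30} -> {matches_common(pw)}")
    print(f"recoverable: {weak_fraction(SAMPLE_DUMP):.0%}")
```

Six of the ten constructed entries fall to the list plus two trivial rules, which is the point of the post: the rules matter more than the raw list.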
For example, maybe your sports team isn't in the list, but when you see the many sports teams that are, you learn that maybe basing your password on a sports team isn't a good idea.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-2543958892761965694?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2543958892761965694/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2543958892761965694' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2543958892761965694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2543958892761965694'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/08/validity-of-most-common-password-lists_17.html' title='Validity of most-common-password lists'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-q-6plcKJCGk/Tkw6LIrzpJI/AAAAAAAAAao/J-BFBa6D-W8/s72-c/tweet-most-common-passwd.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7817312823315568160</id><published>2011-08-10T15:03:00.002-05:00</published><updated>2011-08-10T22:29:24.397-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bluehat'/><title type='text'>Comments about the 
$200,000 BlueHat prize</title><content type='html'>Microsoft is now offering a reward for certain cybersecurity technologies, as described &lt;a href="http://www.microsoft.com/security/bluehatprize/default.aspx"&gt;here&lt;/a&gt;. It’s offering a reward of $200,000 (and a second-place reward of $50,000) for the best solution to memory corruption bugs.&lt;br /&gt;&lt;br /&gt;As expected, there are &lt;a href="http://www.subreption.com/blog/2011/08/the-blue-hat-prize-a-late-april-fools-joke.html"&gt;ravings from Linux geeks&lt;/a&gt; in response to anything Microsoft does. Those ravings are so egregious I thought I’d clarify them.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;RUN-TIME NOT COMPILE-TIME&lt;br /&gt;&lt;br /&gt;Many have made the assumption that this is a way to protect against exploitation of bugs in Microsoft’s own software. In fact, Microsoft has suggested just the opposite: they are looking for a technology that can protect against bugs in other people’s software.&lt;br /&gt;&lt;br /&gt;Right now, the leading way Chinese hackers break into the DoD is by exploiting Flash, an add-on from Adobe that lives inside browsers, including Chrome, Firefox, and Safari. Microsoft wants to stop this.&lt;br /&gt;&lt;br /&gt;The distinction is important. 
They aren’t looking for "compiler" technologies that can be added to Microsoft’s software when they create it, but "run-time" technologies that can be applied to Adobe’s software when they run it.&lt;br /&gt;&lt;br /&gt;Specifically, I think they are looking for technologies that can easily be applied, like their &lt;a href="http://blogs.technet.com/b/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx"&gt;"Enhanced Mitigation Experience Toolkit"&lt;/a&gt;, which turns on DEP, ASLR, and SEH protection for those applications that otherwise don’t have it.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;ROP+JITspray&lt;br /&gt;&lt;br /&gt;The above &lt;a href="http://www.subreption.com/blog/2011/08/the-blue-hat-prize-a-late-april-fools-joke.html"&gt;ravings&lt;/a&gt; call "return oriented programming" the same as "return-to-libc". It’s not; they are very different.&lt;br /&gt;&lt;br /&gt;In the past, the "C runtime" (libc) functions were called by pushing parameters on the stack and jumping to the function. Thus, you could fill up the stack with parameters and function "return" addresses that entered those functions.&lt;br /&gt;&lt;br /&gt;But then 64-bit happened, where parameters are passed via registers instead of the stack, and that model stopped working. But there’s another way. Instead of "returning" to the function entry point, you could "return" to any fragment of code, even into the middle of an instruction. The sequence of bytes simply had to end in something like 0xC3, the x86 RET instruction. This got sophisticated so they could do LOOPS for gosh’s sake (ROP programming is really really cool).&lt;br /&gt;&lt;br /&gt;But, with the appropriate use of ASLR, you could in theory randomize the location of code, to protect against this. But then came along JavaScript JIT in things like Adobe Flash. You could write JavaScript to write more JavaScript, that would predictably be "just-in-time" compiled into x86 code, and fill memory with this JITted code. 
That way, you could reliably "return" and find the code you are looking for at that address.&lt;br /&gt;&lt;br /&gt;When you return to JITted code, you aren’t going anywhere near libc. Of course, ROP is a lot more complicated than just JITspray, too: the point is simply that there's more to it than just return-to-libc.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;YOU AREN’T THAT SMART&lt;br /&gt;&lt;br /&gt;The above &lt;a href="http://www.subreption.com/blog/2011/08/the-blue-hat-prize-a-late-april-fools-joke.html"&gt;ravings&lt;/a&gt; point to all the ways Microsoft can screw you, and take all your ideas. They point to these sections of the rules:&lt;br /&gt;&lt;blockquote&gt;...understand and acknowledge that the Sponsor(s) may have developed or commissioned materials similar or identical to your submission and you waive any claims you may have resulting from any similarities to your entry...&lt;br /&gt;&lt;br /&gt;...By entering this Contest, you agree that use of information in our representatives' unaided memories in the development or deployment of our products or services does not create liability for us under this agreement or copyright or trade secret law...&lt;br /&gt;&lt;br /&gt;...are agreeing to license IP and patent rights in your submission to Microsoft...&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;The ravings interpret this as: "means in non-attorney-speak that Microsoft may forget about your submission and by means of cryptomnesia implement it sometime in the foreseeable future as the new DEP-in-shining-armor."&lt;br /&gt;&lt;br /&gt;What it means in non-attorney speech is this: If you submit an idea to them, you can’t charge Microsoft money for it. That’s the ONLY right you lose. You still retain full rights to charge other people money for it, retain credit for inventing it, and so on. You can still put it into the Linux kernel or Firefox, for example.&lt;br /&gt;&lt;br /&gt;The reality is that Microsoft employs some of the smartest engineers in the industry. 
Most of the submissions will overlap ideas Microsoft engineers have already thought of, either completely or partially. These ideas are either stuck because the prototypes don’t work quite as well as your submission, or more likely, because they’re mired inside the politics at Microsoft and the poor communication skills of engineers. All this legalese is trying to say is this: just because somebody submits an idea doesn’t mean we (Microsoft) lose rights over a similar idea we already came up with.&lt;br /&gt;&lt;br /&gt;Whatever idea you have isn’t going to be all that unique. It’s going to look a lot like sandboxing, a lot like randomization, a lot like patching running code, and so on. Indeed, once you walk away with your $200,000, you might discover a paper written in Russian two years ago that describes exactly what you sold to Microsoft.&lt;br /&gt;&lt;br /&gt;BTW, I mention the EMET tool above because it’s a copy (although a better one) of stuff that we did at ErrataSec. Maybe they copied our idea, maybe they independently created it. It doesn’t matter; the idea is obvious. Also, we didn’t lose anything: we could never have sold it for money, or sold it to Microsoft: while useful, it’s just not that smart of an idea.&lt;br /&gt;&lt;br /&gt;CONCLUSION&lt;br /&gt;&lt;br /&gt;I wrote this mostly because of the amusing phrase "Return-to-libc, as most of us know it" in the &lt;a href="http://www.subreption.com/blog/2011/08/the-blue-hat-prize-a-late-april-fools-joke.html"&gt;ravings&lt;/a&gt; from Linux geeks I mentioned above. It’s not just that they are technically behind the times in not understanding JITspray, but also their willful misunderstanding of the purpose of the contest and the legalese of the contest rules.&lt;br /&gt;&lt;br /&gt;If you’ve got an idea that you think you can charge Microsoft for, or charge its users, then don’t submit it. But you don’t. 
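On the EMET point above: EMET forces DEP and ASLR onto images that did not opt in themselves. As an added check (not the post's code and not Microsoft's tool), here is a parser for the PE header flags an image uses to declare those opt-ins, with the caveat a practitioner wants: DYNAMIC_BASE means nothing if the relocation table was stripped, and the NO_SEH flag is not SafeSEH. The sample images are constructed inside the block by build_min_pe().

```python
"""Added example (not Microsoft's or the post's code): read the PE header
flags an image uses to opt into the mitigations EMET forces on.  The sample
images are constructed by build_min_pe(); no real binary is needed."""
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags
DYNAMIC_BASE = 0x0040   # image may be rebased at load time (ASLR)
NX_COMPAT    = 0x0100   # image declares itself DEP-compatible
NO_SEH       = 0x0400   # image uses no structured exception handlers
# IMAGE_FILE_HEADER.Characteristics flag
RELOCS_STRIPPED = 0x0001  # no relocation table, so it cannot be rebased


def pe_mitigations(data: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header and
    report which mitigations the image opts into on its own."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # SizeOfOptionalHeader and Characteristics are the last two COFF fields
    size_opt, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if size_opt < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        # DYNAMIC_BASE is an empty promise when relocations were stripped
        "aslr": bool(dll_chars & DYNAMIC_BASE)
                and not (file_chars & RELOCS_STRIPPED),
        # SafeSEH proper lives in the Load Config directory; this flag
        # only says the image never uses SEH at all
        "no_seh": bool(dll_chars & NO_SEH),
    }


def build_min_pe(dll_chars: int, file_chars: int = 0,
                 pe32plus: bool = False) -> bytes:
    """Constructed minimal header: MZ stub, PE signature, COFF header and
    an optional header with only the fields the checker reads filled in."""
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Pass a path to check a real image; otherwise check constructed ones.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(pe_mitigations(fh.read(4096)))
    else:
        print(pe_mitigations(build_min_pe(NX_COMPAT | DYNAMIC_BASE)))
        print(pe_mitigations(build_min_pe(DYNAMIC_BASE, RELOCS_STRIPPED)))
```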
No matter how useful an idea, it’s almost certain that the $200,000 is the most you can hope to earn for it.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7817312823315568160?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7817312823315568160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7817312823315568160' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7817312823315568160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7817312823315568160'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/08/comments-about-200000-bluehat-prize.html' title='Comments about the $200,000 BlueHat prize'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3457433310616598654</id><published>2011-08-04T16:17:00.009-05:00</published><updated>2011-08-31T16:30:18.995-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sellout'/><title type='text'>We already know you are a sellout, we are just negotiating price</title><content type='html'>The &lt;a href="http://en.wikipedia.org/wiki/Nsa"&gt;NSA&lt;/a&gt; (the real spies) are going to &lt;a href="http://en.wikipedia.org/wiki/DEF_CON"&gt;DefCon&lt;/a&gt; (the world's largest hacking convention) to &lt;a 
href="http://www.deathandtaxesmag.com/127506/an-open-letter-to-defcon-hackers-dont-sell-out-to-the-nsa/"&gt;recruit hackers&lt;/a&gt;. This &lt;a href="http://www.deathandtaxesmag.com/127506/an-open-letter-to-defcon-hackers-dont-sell-out-to-the-nsa/"&gt;post urges you hackers not to sell out&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Training oneself to become a hacker and then working for the NSA is like graduating law school with an emphasis in environmental law and then working for BP.&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;Except you hackers are already sellouts&lt;/b&gt;. Hackers complain that the United States does bad things in order to ensure a smooth oil supply, but then they fly or drive to Las Vegas for DefCon. In the hacker's mind, they are not to blame for burning oil; companies like BP are to blame for selling them the oil. While at DefCon, hackers consume vast amounts of electricity and water -- in the middle of a barren desert. Even the cheapest Vegas hotels are more luxurious than "nice" hotels in the third world. Hackers enjoy all the benefits of a peaceful, prosperous society created by our government and corporations, while complaining about how those benefits are obtained.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;It's like that famous joke: A guy goes up to a beautiful woman in a bar. He asks her "Would you sleep with me for a million dollars?". She says yes, she would. He then asks "Will you sleep with me for $50?". She slaps his face, saying "What do you think I am?". He says "We already know what you are, we are just negotiating price".&lt;br /&gt;&lt;br /&gt;We already know hackers are sellouts; it's just a matter of negotiating price, finding out what hackers are willing to sacrifice their principles for.&lt;br /&gt;&lt;br /&gt;While selling out your principles on the small things, you don't understand the big things. The typical DefCon punk has a distorted view of the world that is one large conspiracy theory. 
But the world is not so black and white; it is shades of gray. You'd see that with a few classes in economics or political science, or by reading books.&lt;br /&gt;&lt;br /&gt;There are many good books. The latest one I read is &lt;i&gt;&lt;a href="http://www.amazon.com/Interrogator-Education-Glenn-L-Carle/dp/1568586736/ref=sr_1_1?ie=UTF8&amp;amp;qid=1312492948&amp;amp;sr=8-1"&gt;The Interrogator&lt;/a&gt;&lt;/i&gt;, written by a CIA interrogator of "&lt;a href="http://en.wikipedia.org/wiki/Pacha_Wazir"&gt;high value targets&lt;/a&gt;" that were subjects of "&lt;a href="http://en.wikipedia.org/wiki/Extraordinary_rendition"&gt;extraordinary rendition&lt;/a&gt;" to "&lt;a href="http://en.wikipedia.org/wiki/Black_site"&gt;black sites&lt;/a&gt;". The author, &lt;a href="http://glenncarle.com/"&gt;Glenn Carle&lt;/a&gt;, sharply criticizes the Bush administration and its abuse and torture of such prisoners. This sounds exactly like your little conspiracy theories, but it isn't. Instead, Carle is respectful of the CIA and clearly for the "Global War on Terror". The situation is not black and white, but shades of gray.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-FiZMd7ReH9M/TjsW2gWLGhI/AAAAAAAAAak/28diRxO8ECM/s1600/51w6SWju8rL._SL500_AA300_.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-FiZMd7ReH9M/TjsW2gWLGhI/AAAAAAAAAak/28diRxO8ECM/s200/51w6SWju8rL._SL500_AA300_.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Likewise, the NSA is not the rogue agency depicted in &lt;i&gt;&lt;a href="http://www.amazon.com/Enemy-State-Blu-ray-Will-Smith/dp/B000J6I0UC/ref=sr_1_2?ie=UTF8&amp;amp;qid=1312495162&amp;amp;sr=8-2"&gt;The Enemy of the State&lt;/a&gt;&lt;/i&gt;. The NSA (mostly) doesn't spy on Americans. It operates under strict control of the executive branch. 
Certainly, President Bush relaxed those controls a bit, allowing the NSA spying to leak over into our borders, which is probably unconstitutional, but it's not the evil conspiracy you imagine.&lt;br /&gt;&lt;br /&gt;The fact of the matter is that you'll compromise your principles less biking to work at the NSA than you will driving to work (gasoline or electric) at any other job.&lt;br /&gt;&lt;br /&gt;The biggest downside of working for the NSA isn't being a sellout, but working for a bureaucracy. Yes, you'll get to work on exciting projects, but most of your efforts will be the mind-numbingly dull tasks, such as filling out paperwork. Ironically, much of that paperwork will be dealing with the checks and balances to prevent you from hacking Americans.&lt;br /&gt;&lt;br /&gt;More to the point, if you ever see something where the NSA truly is doing something unconstitutional, then you have the chance to do something about it. Quit your job and become a whistleblower. It would be sad indeed if the only people who worked for the NSA were those who were willing to sacrifice their principles and go along with any activity, no matter how illegal.&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;Reddit comments: &lt;a href="http://www.reddit.com/r/netsec/comments/jyoia/hackers_working_for_the_government/"&gt;http://www.reddit.com/r/netsec/comments/jyoia/hackers_working_for_the_government/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3457433310616598654?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3457433310616598654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3457433310616598654' title='9 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/37798047/posts/default/3457433310616598654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3457433310616598654'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/08/we-already-know-you-are-sellout-we-are.html' title='We already know you are a sellout, we are just negotiating price'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-FiZMd7ReH9M/TjsW2gWLGhI/AAAAAAAAAak/28diRxO8ECM/s72-c/51w6SWju8rL._SL500_AA300_.jpg' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7667960088749352042</id><published>2011-08-03T14:21:00.002-05:00</published><updated>2011-08-04T14:48:59.979-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='white-hat'/><category scheme='http://www.blogger.com/atom/ns#' term='ethics'/><title type='text'>White-hats are on the side of law, but not order</title><content type='html'>This &lt;a href="http://seclists.org/dailydave/2011/q3/22"&gt;post&lt;/a&gt; to a "white-hat hacker" mailing list asks for &lt;a href="http://nickselby.com/articles/technology/index.htm?a=1819"&gt;volunteers&lt;/a&gt; in training law enforcement officers. The author of the post is under the misapprehension that because white-hats are on the side of law, they are on the side of law enforcement. That's not true.&lt;br /&gt;&lt;br /&gt;The issue is not "law" but "order". Police believe their job is not just to enforce the law but also to maintain order. White-hats are disruptive. 
While they are on the same side of the "law", they are on opposite sides of "order".&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;During the J. Edgar Hoover era, the FBI investigated and wiretapped anybody deemed a troublemaker, from Einstein to Martin Luther King. White-hats aren't as noble as MLK, but neither are white-hats anarchists who cause disruption for disruption's sake. White-hats believe that cybersecurity research is like speech: short term disruption for long term benefits to society.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I have personal experience with this. In 2007, I gave a speech at the biggest white-hat conference. It was nothing special, about reverse engineering to find problems in a security product. Two days before the speech, FBI agents showed up at my office and threatened me in order to get me to stop the talk, on (false) grounds of national security. Specifically, the agents threatened to taint my FBI file so that I could never pass a background check, and thus never work for the government again. I respond poorly to threats, so I gave the talk anyway.&lt;br /&gt;&lt;br /&gt;I point this out because it so aptly proves my point. I am not on the side of law enforcement, because law enforcement has put me on the other side. One of the requirements (from the above post) to volunteer is to pass a background check -- a check that I can no longer pass (in theory). I cannot volunteer to train law enforcement because they perceive me as the enemy.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Other examples are the way law enforcement goes after "grey-hat" hackers who may technically violate the law, but who are not involved in cybercrime. They are prosecuted because they cause trouble, not because they cause financial losses.&lt;br /&gt;&lt;br /&gt;A prime example of this is "weev", who was arrested for hacking into AT&amp;T and stealing identity information for early iPad owners. Except he didn't hack AT&amp;T. 
The problem was that AT&amp;T made the information public on their website. Weev just downloaded it. Okay, it was a bit more complicated than that. He had to write a custom script to download the information. But while it was more complicated than simply clicking on a link, it was a far cry from breaking into the machine. It's a grey area, open to interpretation about what, precisely, constitutes hacking. Since weev so greatly embarrassed AT&amp;T, that grey area was shifted against him. But that embarrassment served a purpose. It closed an obvious hole that could've been exploited by black-hat hackers, and it created a way of teaching about a common problem to prevent others from making that mistake in the future.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Not all "grey-hats" are useful. The hacktivists like Anonymous and LulzSec are more like terrorists than activists, who use intimidation to pursue their political goals. Law enforcement cannot appreciate the difference between "embarrassment" that serves a purpose, and "intimidation" that does not.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I've spent 15 years working with law enforcement. I know that the fascists that tried to intimidate me were a rare exception and not the rule. But that doesn't matter -- even the good guys are passive when their fellow law enforcement officers abuse their positions. The FBI is one big group-think; nobody is willing to harm their career by not appearing to be a team player. When one "bad apple" goes after a white-hat, none of the vast majority of "good apples" are going to stand up and oppose him. It's often portrayed in television and movies that officers band together in order to oppose "internal affairs" who investigate abuse by officers -- that effect is real, and wrong.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thus, despite upholding the law, we white-hats still oppose law enforcement, who often see us as the enemy. 
The person we train today in digital forensics might be the person tomorrow who serves us with a warrant to confiscate our hard drives.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;Nick has a great response here &lt;a href="http://nickselby.com/articles/technology/index.htm?a=1820"&gt;http://nickselby.com/articles/technology/index.htm?a=1820&lt;/a&gt;. I think his best point is that it works both ways: cops fear what they don't understand, which sometimes leads them to act like thugs toward white-hats. I can confirm this: even though I tried to use the simplest, non-jargon terms when talking to those FBI agents who were trying to intimidate me, I clearly intimidated them with superior knowledge. At one point, they mentioned "we don't have a Ph.D. in security like you guys".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7667960088749352042?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7667960088749352042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7667960088749352042' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7667960088749352042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7667960088749352042'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/08/white-hats-are-not-on-same-of-law-but.html' title='White-hats are on the side of law, but not order'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7472333152520681899</id><published>2011-07-27T15:50:00.005-05:00</published><updated>2011-07-29T01:39:45.946-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dm1z'/><category scheme='http://www.blogger.com/atom/ns#' term='Apple'/><title type='text'>dm1z and MacBook Air: a quick pre-review</title><content type='html'>Since this came up on Twitter, I thought I'd mention two recent purchases: the HP dm1z $400 netbook and the Apple MacBook Air $1000 thing.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;In particular, how well do they work with BackTrack Linux?&lt;br /&gt;&lt;br /&gt;Both had the same problem common with BackTrack: the boot process didn't work, because the video drivers aren't ready. The MacBook Air goes black, the dm1z goes white (well, not white, but displays random data, which is bright grey).&lt;br /&gt;&lt;br /&gt;The solution to this problem is the same. When the grub screen appears that allows you to select a boot option, you press the &amp;lt;TAB&amp;gt; key in order to edit the line. You then add "i915.modeset=0" for the MacBook Air or "radeon.modeset=0" for the dm1z.&lt;br /&gt;&lt;br /&gt;This makes the default graphics work, but without acceleration, so some video operations are slow. To fix this, you need to install the correct drivers. I haven't done this for the MacBook yet, but it works easily on the dm1z. You'll want to do it anyway on the dm1z, because you'll want to use the GPU for password cracking.&lt;br /&gt;&lt;br /&gt;The only thing that didn't appear to work on the MacBook Air was the built-in Bluetooth drivers. That's to be expected: it's the new Bluetooth 4.0 low power stuff.&lt;br /&gt;&lt;br /&gt;The dm1z is more problematic. 
The WiFi drivers don't work yet, and moreover, it won't allow you to change the built-in WiFi card (boot process stops and complains about unapproved WiFi card). It should work soon though.&lt;br /&gt;&lt;br /&gt;The most annoying thing on the dm1z is that the trackpad drivers don't work right. Proper drivers (or maybe configuration) exist somewhere, I just haven't found them yet. It means either bringing a mouse with you, or something to press the pad with for mouse clicks without causing the capacitance to move the mouse.&lt;br /&gt;&lt;br /&gt;The CPU in the dm1z is slow, slightly slower/faster than the Atom depending on the task. But the Radeon graphics on the dm1z are fast -- faster than anything short of a full gaming notebook.&lt;br /&gt;&lt;br /&gt;The CPU on the MacBook Air is fast (1.6 GHz Sandy Bridge), but it comes with built-in Intel graphics. That should be fine for basic gaming, but it's not a programmable GPU, so useless for password cracking. Graphics performance under BackTrack is slow because I haven't installed the drivers yet, but under Mac OS X, it's really fast. 
Though, that could be the SSD.&lt;br /&gt;&lt;br /&gt;But the 11-inch MacBook Air is impossibly sexy, so I don't know if any review of it matters.&lt;br /&gt;&lt;br /&gt;I'll get around to writing a more complete review on these things soon, and exactly how to get them working with BackTrack and doing typical tasks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7472333152520681899?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7472333152520681899/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7472333152520681899' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7472333152520681899'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7472333152520681899'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/dm1z-and-macbook-air-quick-pre-review.html' title='dm1z and MacBook Air: a quick pre-review'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-774957140353185654</id><published>2011-07-27T14:16:00.027-05:00</published><updated>2011-07-29T03:01:10.420-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='certification'/><category scheme='http://www.blogger.com/atom/ns#' term='CISSP'/><title type='text'>The ethical problems of the CISSP and (ISC)2</title><content 
type='html'>This &lt;a href="https://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html"&gt;article from Attrition.org and InfoSecIsland.com&lt;/a&gt; is a good discussion about the ethical problems of CISSP/(ISC)². I thought I'd add my own 2 cents, since the ethics problems with the CISSP certification are pretty grave.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The article above only briefly mentions the more common complaint about the (ISC)², that they are technically incompetent, and thus not qualified to certify people. I would suggest that the two are intertwined: the cause of (ISC)²'s poor ethics is the need to cover up their lack of technical competence.&lt;br /&gt;&lt;br /&gt;Other certifications, such as passing the bar to become a lawyer, publish past tests, or otherwise provide ways to judge their competence. In that way, those in the profession can judge for themselves whether passing the bar is an adequate measure of competence in the legal profession. If the bar itself proves incompetent, this will quickly become apparent in the published test questions.&lt;br /&gt;&lt;br /&gt;No such accountability exists for (ISC)². There is no transparency in their tests. They keep the questions secret, which prevents outsiders from judging the quality of their tests. Moreover, their tests contain trial questions, which are not graded, but are being evaluated for official inclusion in future tests. When test takers point out obviously bogus questions, those are just dismissed as being trial questions.&lt;br /&gt;&lt;br /&gt;This issue is doubly troublesome because of the role "transparency" plays in cybersecurity. &lt;b&gt;We would never trust an encryption algorithm that was not completely transparent. Yet, we are expected to trust a certification program shrouded in obscurity.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Like other professions, one of the chief concerns of professional ethics is protecting the profession. 
Whether you are a doctor, clergyman, lawyer, or journalist, you are expected to keep confidential information secret. This protects the profession: your patients won't confide their medical secrets in you if you blab about them, preventing you from being able to treat the patient. Your flock won't confess to you if you blab about it in your next sermon. Your client won't confide their legal secrets to you if you then confess them in court. Anonymous sources won't give you juicy stories if you reveal your source.&lt;br /&gt;&lt;br /&gt;Curiously, though, that item isn't among the CISSP &lt;a href="https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Code_of_Ethics/ISC2-Code-of-Ethics.pdf"&gt;ethics&lt;/a&gt;. I guess it's implied ("respect their trust"), but there is nothing as explicit as in these other professions that says "you will not divulge the secrets your client confides in you".&lt;br /&gt;&lt;br /&gt;But, there are a lot of things in the CISSP ethics that aren't in those other professions. For example, according to the (ISC)², you should not professionally associate with or recognize criminals, amateurs, or the non-certified. This changes cybersecurity into a corrupt cartel that shuns those who do not pay into the cartel. It's a lot like the licensing boards in states, where professionals have lobbied the government to enact barriers to competition, all in the name of "certification".&lt;br /&gt;&lt;br /&gt;The model for certification in our industry shouldn't be the closed, obscure processes of the corrupt and incompetent, but the open processes we see in academia. The competency of physicists is judged by the papers they write. 
Of course, if you are new to cybersecurity, you aren't going to have a track record of published papers, but you will have blog posts, or at least posts to sites like &lt;a href="http://security.stackexchange.com"&gt;http://security.stackexchange.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;An example of this is the SANS GIAC certification. I know little about it; maybe it has even worse problems than (ISC)²'s CISSP. But, I can judge it in an open source way. Take the board of directors. The &lt;a href="https://www.isc2.org/board-of-directors.aspx"&gt;(ISC)² board&lt;/a&gt; is a bunch of people I've never heard of before, but I know everyone on the &lt;a href="http://www.sans.edu/about/governance/board-of-directors"&gt;SANS board&lt;/a&gt;, not personally, but through the work they've published. Likewise, as part of certification, people publish papers on a narrow topic. My search results on cybersecurity topics are littered with GIAC papers. Finally, and most important, the professionals who carry GIAC are usually competent, whereas CISSP-certified professionals rarely are. I can't find a record of past exams, but their sample test questions display competence, whereas the sample CISSP test questions do not.&lt;br /&gt;&lt;br /&gt;To be fair, the academics on the SANS board are different from industry professionals. But here's the thing: being a corporate executive only validates your leadership (or political) skills, not your technical skills. Like law and medicine, our field has a heavy academic component. &lt;b&gt;You wouldn't put hospital administrators in charge of evaluating the skills of doctors, nor should you put managers in charge of certifying cybersec professionals.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.sans.org/security-resources/ethics.php"&gt;SANS ethics&lt;/a&gt; contain a lot less nonsense than the &lt;a href="https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Code_of_Ethics/ISC2-Code-of-Ethics.pdf"&gt;CISSP ethics&lt;/a&gt;. 
They are clearly about protecting the reputation of professionals, such as explicitly saying "don't divulge secrets", and there's none of the corrupt cartel-supporting ethics of the CISSP like "valuing the certificate". The SANS list provides guidance for the ethical questions cybersec professionals actually face, whereas the CISSP ethics appear to be written by somebody who has never experienced real-world ethical questions.&lt;br /&gt;&lt;br /&gt;Of particular interest is this one case where they disagree on ethics:&lt;br /&gt;CISSP ethics: &lt;i&gt;"Discourage unsafe practice"&lt;/i&gt; (translation: be more of a security advocate)&lt;br /&gt;SANS ethics: &lt;i&gt;"I distinguish between advocacy and engineering"&lt;/i&gt; (translation: be less of a security advocate)&lt;br /&gt;&lt;br /&gt;The CISSP ethic is wrong. You should never discourage unsafe practice. That is advocacy; it is wrong, and it damages our reputation. Outsiders distrust cybersec professionals because of our tireless advocacy against everything that is deemed unsafe. The reality is that cybersecurity is a tradeoff between costs and benefits. Our job is to accurately and dispassionately communicate the risks, but recognize that customers may choose unsafe practices because of costs, or any other reason they want to undertake the risk.&lt;br /&gt;&lt;br /&gt;Now, I don't like all the items on the SANS ethics list. The last item forbidding "discrimination" is pointless. Yes, I suppose it's a good thing, but you could also include "be nice to children" and "don't kick puppies". They don't relate to cybersec. However, this nonsense just reflects the general stupidity of political correctness rather than calling into question their technical competency.&lt;br /&gt;&lt;br /&gt;I could endlessly dump on the nonsense that is CISSP, but I leave you with one last ethical problem. Their ethics discourage "Professional recognition of or association with amateurs". The (ISC)² is clearly a bunch of amateurs. 
Therefore, by definition, you should neither recognize the CISSP certificate nor associate with (ISC)² people. I know this is a snide comment, but it reflects the real ethical quandary of whether it's ethical to recognize a certification that we know certifies the unqualified.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-774957140353185654?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/774957140353185654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=774957140353185654' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/774957140353185654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/774957140353185654'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/ethical-problems-of-cissp-and-isc2.html' title='The ethical problems of the CISSP and (ISC)2'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1372678022851657249</id><published>2011-07-22T17:15:00.005-05:00</published><updated>2011-07-29T01:40:02.111-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='analogies'/><title type='text'>It’s just an analogy, get over it</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/-ugwD6p_5jSs/Tinz_KK5yuI/AAAAAAAAAZ8/5lN_C5jS7o4/s1600/220px-William_Merritt_Chase_Keying_up.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-ugwD6p_5jSs/Tinz_KK5yuI/AAAAAAAAAZ8/5lN_C5jS7o4/s320/220px-William_Merritt_Chase_Keying_up.jpg" width="193" /&gt;&lt;/a&gt;&lt;/div&gt;We in the cybersec business explain technically difficult concepts by using analogies with things people are familiar with. For example, we say “cyber security” to convey the notion that what we do is similar to physical security (armed guards, bank vaults, keys to your front door) but in cyberspace.&lt;br /&gt;&lt;br /&gt;But these are &lt;b&gt;just&lt;/b&gt; analogies. You really can’t take them too far without looking the fool.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A great example is this article claiming that &lt;a href="http://www.itworld.com/data-centerservers/185719/us-lacks-cohesive-plan-malware-control-can-cdc-model-work"&gt;since computer viruses are a disease, the government should treat them that way with something like the CDC&lt;/a&gt;. The CDC, the “Centers for Disease Control”, is the government agency that decides what’s in the yearly flu vaccine, or prevents the next Ebola outbreak.&lt;br /&gt;&lt;br /&gt;But viruses are not really diseases. 
Extending the simple analogy doesn’t work.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-IQ7zepiBA5I/Tin0ZxFtuuI/AAAAAAAAAaA/Q_onePoktu0/s1600/ADN_animation.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-IQ7zepiBA5I/Tin0ZxFtuuI/AAAAAAAAAaA/Q_onePoktu0/s1600/ADN_animation.gif" /&gt;&lt;/a&gt;&lt;/div&gt;The analogy was first made because cyber viruses shared a few traits with real-world viruses. Real-world viruses aren’t “alive” like biological cells, but are instead just a strand of DNA (or RNA), or a strand of “code” as it were. Viruses replicate by infecting cells, incorporating that DNA into the cell’s DNA, then hijacking the cell to produce more strands of the virus DNA. This kills the cell, releasing billions of strands of virus DNA that go on to infect other cells.&lt;br /&gt;&lt;br /&gt;Cyber viruses likewise are just code that hijacks the computer to produce more copies of itself, which it sends to other computers.&lt;br /&gt;&lt;br /&gt;Or at least, they did in the past. The most dangerous modern “viruses” (a.k.a. “malware”) no longer replicate themselves. Modern networks have gotten good at detecting something that is replicating and stopping it.&lt;br /&gt;&lt;br /&gt;Instead, modern computer viruses are targeted. A hacker picks a victim, scopes the defenses (such as which anti-virus product they use), then designs a virus to evade those defenses. The hacker then sends a “phishing” e-mail to everyone in the company, such as pretending to be from the IT department telling people to download and run that software. The hacker gets in, steals the information he wants, and gets out, sometimes removing the computer virus as he leaves.&lt;br /&gt;&lt;br /&gt;According to Verizon’s latest data breach analysis, 97% of serious virus infections are of this targeted type. 
This is what happened in the “Aurora” attacks. Chinese hackers (or so Google claims) broke into Google’s network using a custom, targeted virus, and stole a lot of Google’s secrets.&lt;br /&gt;&lt;br /&gt;The failure of the “free market” anti-virus companies is not a failure of the “free market” (as the left-leaning author of the above article suggests), but a failure of the analogy. When viruses mindlessly replicate, it’s easy for the CDC (or anti-virus companies) to get a sample and create a vaccine. When they don’t, when they are targeted, the CDC (or anti-virus companies) will never get a sample, and won’t be able to create a defense or “wipe it out”.&lt;br /&gt;&lt;br /&gt;There are ways of solving the virus problem, but it means treating the technical problem, not the metaphor.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-34R0me6_YRI/Tin075JXiTI/AAAAAAAAAaE/e6auOnfnlOM/s1600/Apple-Lion.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/-34R0me6_YRI/Tin075JXiTI/AAAAAAAAAaE/e6auOnfnlOM/s200/Apple-Lion.jpg" width="180" /&gt;&lt;/a&gt;A good example is what Apple does with the iPhone and what it’s trying to do with its latest operating system, Mac OS X (Lion). You can’t download any arbitrary software on your iPhone. Instead, you can only install those applications that Apple allows you to. Apple’s competitor, Android, behaves differently, allowing users to install any software they want. The consequence is that Apple’s iPhones are largely free of hostile “viruses”, but “viruses” plague Android phones.&lt;br /&gt;&lt;br /&gt;Apple hopes to do the same with its desktop computers. Its “Lion” release of Mac OS X has an app store feature similar to the phone’s. 
You can still download arbitrary software from other sources, but you can be more assured that software downloaded from the app store isn’t a virus.&lt;br /&gt;&lt;br /&gt;But there are some people who don’t like Apple’s 1984 Orwellian future, where Apple controls everything you do. One cyber activist claims that he &lt;a href="http://dangillmor.com/2011/07/21/why-my-current-mac-is-probably-my-last/"&gt;won’t make the switch to Lion&lt;/a&gt;, and will instead switch to Linux.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-3jnUxNkHNt0/Tin1c358shI/AAAAAAAAAaI/SOMX-YNgmLA/s1600/E2_WealthOfNations.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/-3jnUxNkHNt0/Tin1c358shI/AAAAAAAAAaI/SOMX-YNgmLA/s320/E2_WealthOfNations.jpg" width="209" /&gt;&lt;/a&gt;&lt;/div&gt;That reflects the true reason why viruses are hard to eradicate: security is a tradeoff. A police state can solve the crime problem for you -- at the expense of forcing you to live in a police state. We can solve cyber crime -- at the expense of enormous tradeoffs like Lion’s. That’s what Tom Henderson (the left-leaning author of the article I linked at the top) fails to understand about the free market. The free market isn’t about the choices anti-virus companies make, but the choices individuals make. It’s about the sacrifices individuals are willing to tolerate in the name of cyber security. Computer viruses exist because individuals want the ability to download arbitrary software for their computer. They would rather get infected with the occasional virus than give up that ability to install new software. The state of cyber security today is exactly the balance between costs and benefits that customers want. If you don’t believe me, then configure your Windows machine so that no new software can be installed on it. 
This will protect you from viruses far better than any anti-virus product.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;It’s not just fools outside the computer industry that take analogies too far, but also people who should know better.  &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-FwOMNs_UKu8/Tin2Gjku0eI/AAAAAAAAAaM/WfSroHvPGtg/s1600/220px-Keith_B._Alexander_official_portrait.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-FwOMNs_UKu8/Tin2Gjku0eI/AAAAAAAAAaM/WfSroHvPGtg/s1600/220px-Keith_B._Alexander_official_portrait.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;General Keith Alexander, the head of our Cyber Command (the part of the U.S. military dedicated to “cyber”), thinks that we should have a &lt;a href="http://erratasec.blogspot.com/2010/06/cyberwar-is-fiction.html"&gt;cyber weapons arms control treaty&lt;/a&gt;. Again, a “cyber weapon” is just an analogy, one worse than a “cyber virus”. The true threat in a “cyber war” isn’t from nation-states like China, but from their people. China promotes an intense nationalism among their people, who see the United States as their primary adversary (although not necessarily enemy). This causes millions of Chinese teenagers to try hacking into American computers. They do so without any particular weapon, but by typing things like SQL injection into the browser.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Hacking isn’t about the “weapons” or tools that hackers use. It’s what goes on in their heads. 
It’s like how a single unarmed Navy SEAL is more dangerous than 10 armed soldiers of most of the world’s armies.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-yDGtvrR0LzI/TinzsurIOEI/AAAAAAAAAZ4/mIGHQ7BYgUw/s1600/Zuluattackgutt.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="199" src="http://2.bp.blogspot.com/-yDGtvrR0LzI/TinzsurIOEI/AAAAAAAAAZ4/mIGHQ7BYgUw/s320/Zuluattackgutt.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;The best cyber analogy is the Anglo-Zulu wars, where a small British Army with guns tried to fight huge Zulu armies armed with nothing more than leather shields and wooden spears. The British often lost battles as the Zulu overwhelmed them when they stopped to reload. A cyber weapon treaty today would be as stupid as an arms control treaty between the British and the Zulu. It’s the United States that stands the most to lose from such a treaty. We don’t have nationalism -- our hackers oppose the American government and big business as much as hackers everywhere else in the world. All we have are technical measures, like “Stuxnet”, a virus-type thing created by the American government to attack Iran’s nuclear program, and so far the only real example of a cyber weapon.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-ZimFHOE3LP0/Tin2VDl962I/AAAAAAAAAaQ/W14qoKd3oUM/s1600/240px-Chevrolet_Bel_Air_1957_4door_Sedan_head.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-ZimFHOE3LP0/Tin2VDl962I/AAAAAAAAAaQ/W14qoKd3oUM/s1600/240px-Chevrolet_Bel_Air_1957_4door_Sedan_head.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Yet another analogy is automobile safety. 
Government has laws ensuring the safety of automobiles, with such things as mandatory recalls if there is a safety problem. Shouldn’t the government do the same with software?&lt;br /&gt;&lt;br /&gt;The answer is “no”, the analogy doesn’t work. The safety threats to cars are things that happen by accident. The security threats to computers are things that happen on purpose, caused by sentient beings.&lt;br /&gt;&lt;br /&gt;The better analogy is the government telling manufacturers to recall cars because people can slash tires, cut brake lines, or smash windows by throwing rocks from the overpass onto the freeway.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-S73gP_mkWv0/Tin2gyoy-HI/AAAAAAAAAaU/mJ8u3wqsMV4/s1600/200px-MerryOldSanta.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-S73gP_mkWv0/Tin2gyoy-HI/AAAAAAAAAaU/mJ8u3wqsMV4/s200/200px-MerryOldSanta.jpg" width="142" /&gt;&lt;/a&gt;&lt;/div&gt;I’m frequently frustrated by the way that analogies take on a life of their own. The non-technical believe strongly in them, as children believe in Santa Claus. 
Rational thought is powerless: their eyes glaze over when I try to explain the technical details, in much the same way kids don't want to hear about the impracticalities of Santa visiting a billion children in one night.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-eyVuvYDDoug/TioARd_7hvI/AAAAAAAAAac/mD3QHoQKvkk/s1600/comment1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-eyVuvYDDoug/TioARd_7hvI/AAAAAAAAAac/mD3QHoQKvkk/s1600/comment1.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;You phrase it better than me "use analogies to make points not policy".&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://4.bp.blogspot.com/-Pm6KV98Hijs/TioEO1UreZI/AAAAAAAAAag/3Z0g3uy1_ts/s1600/comment2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-Pm6KV98Hijs/TioEO1UreZI/AAAAAAAAAag/3Z0g3uy1_ts/s1600/comment2.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Calling them "computer STDs" is a more apt analogy than "computer viruses". It better reflects what's really happening: the man who won't wear a condom "just this once" because "she looks clean" is making the same decision as the user who runs software from a phishing e-mail.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1372678022851657249?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1372678022851657249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1372678022851657249' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1372678022851657249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1372678022851657249'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/its-just-analogy-get-over-it.html' title='It’s just an analogy, get over it'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/-ugwD6p_5jSs/Tinz_KK5yuI/AAAAAAAAAZ8/5lN_C5jS7o4/s72-c/220px-William_Merritt_Chase_Keying_up.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-8696094597380906820</id><published>2011-07-22T13:43:00.007-05:00</published><updated>2011-07-29T01:40:24.360-05:00</updated><title type='text'>Those who don't know the state-of-the-art are doomed to repeat it</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-p0vnhMxmt7I/Tin_oV406tI/AAAAAAAAAaY/MTSY7IJ9X1U/s1600/466px-The_Historian.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-p0vnhMxmt7I/Tin_oV406tI/AAAAAAAAAaY/MTSY7IJ9X1U/s320/466px-The_Historian.jpg" width="248" /&gt;&lt;/a&gt;&lt;/div&gt;I was reading &lt;a href="https://www.infosecisland.com/blogview/15029-Threat-Blocking-With-Network-Inspection-System-NIS.html"&gt;this article&lt;/a&gt; about Microsoft's "Network Inspection Engine" or "NIS". It attempts to solve the problem of false-positives in IPS by using more application-level protocol analysis that keeps track of protocol state, message structure, and message context.&lt;br /&gt;&lt;br /&gt;Welcome to the state-of-the-art, 1999, when I released the first IPS, BlackICE Guard (now sold as IBM Proventia). McAfee's and Palo Alto Networks' IPS products also do a lot of protocol analysis. A lot of bad products give a bad reputation to the industry, but that doesn’t mean there aren't good products.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Even something like Snort does a good job with protocol analysis these days. I say "even" because Snort has one of the worst reputations for false-positives. 
But that's not really the fault of the internal technology so much as the open-source nature of Snort, which contains a lot of user-contributed signatures of dubious quality, and which must serve multiple interests. Most people who download free Snort want a system tuned to be "chatty" so that they can get instant visibility into what's going on across their network. [see &lt;a href="#chatty"&gt;below&lt;/a&gt;]&lt;br /&gt;&lt;br /&gt;In contrast, if you take a look at SourceFire's ".so signatures" for Snort (which are written in C code to do more advanced protocol analysis), you see a technology that looks exactly like what I did with BlackICE/Proventia. The ones I've looked at (those dealing with MS-RPC threats) look really good. Indeed, if you don't have an MS-RPC parser and something like .so signatures (e.g. TippingPoint), then you have no adequate defense against MS-RPC attacks. There's no way to tune a signature written with a regular expression so that it both blocks the attack without evasions and avoids false-positives.&lt;br /&gt;&lt;br /&gt;If you think this new "Network Inspection Engine" technology is great, then buy a box from IBM or McAfee or Palo Alto Networks or SourceFire – people who have been running that technology for much longer.&lt;br /&gt;&lt;br /&gt;Note that I'm not recommending a specific product here, just a class of products. Except for IBM Proventia, I've never seen them in action, and I haven't seen my own product in action for the last 5 years (I quit right before IBM acquired the company). Regardless of whether you have the right technology, the products still depend upon the team writing the signatures. 
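&lt;br /&gt;&lt;br /&gt;As an added example (not code from the original post, and not how any of the products named above are actually built), the following Python script contrasts the two approaches on a constructed, length-prefixed toy protocol that stands in for MS-RPC. The framing, the 32-byte AUTH limit, the "repeated byte" regex signature and the sample traffic are all invented here. The regex engine inspects each packet on its own; the protocol analyzer reassembles the stream and judges the declared field length, so it catches the overflow whether it arrives whole, fragmented across segments, or padded with bytes that never repeat, and it stays silent on benign bulk data that happens to contain a long run. The same script models the "chatty" tuning point from the footnote: the default-password event is true but shipped disabled.&lt;br /&gt;&lt;br /&gt;

```python
import re

# Constructed toy protocol standing in for a length-prefixed RPC protocol.
# It is not DCE/MS-RPC; the framing is invented for this example.
#   message = MAGIC (2 bytes) + opcode (1 byte) + body length (2 bytes, big-endian) + body
MAGIC = b"TP"
HEADER_LEN = 5
OP_AUTH, OP_DATA = 1, 2
AUTH_MAX_LEN = 32        # assumed size of the server's fixed AUTH buffer; DATA has no limit


def build_message(opcode, body):
    """Encode one toy-protocol message (used to construct the sample traffic)."""
    return MAGIC + bytes([opcode]) + len(body).to_bytes(2, "big") + body


def fits(buf, need):
    """True when buf holds at least `need` bytes."""
    return min(len(buf), need) == need


def exceeds(value, limit):
    """True when value is strictly larger than limit."""
    return max(value, limit) != limit


# A regex "signature" of the usual kind: fire on any byte repeated 200 or more
# times, the classic heuristic for buffer-overflow padding.
LONG_RUN = re.compile(rb"(.)\1{199,}", re.DOTALL)


def regex_signature_alerts(segments):
    """Stateless per-packet matching: each TCP segment is searched on its own."""
    return ["REGEX_LONG_RUN" for seg in segments if LONG_RUN.search(seg)]


class ToyProtocolAnalyzer:
    """Reassembles the stream and decodes each message before judging it."""

    DEFAULT_ENABLED = {"AUTH_OVERFLOW", "PROTOCOL_DESYNC"}
    CHATTY = {"AUTH_DEFAULT_PASSWORD"}   # true but usually unwanted, so shipped off

    def __init__(self, enabled=None):
        self.enabled = set(self.DEFAULT_ENABLED if enabled is None else enabled)
        self.buf = b""
        self.alerts = []
        self.blocked = False

    def _raise(self, name, detail):
        # Tuning happens here: a signature that is not enabled never reaches the log.
        if name in self.enabled:
            self.alerts.append((name, detail))

    def _block(self):
        # An inline IPS would reset the connection; later segments are ignored.
        self.blocked = True
        self.buf = b""

    def feed(self, segment):
        """Append one TCP segment and decode every complete message in the buffer."""
        if self.blocked:
            return
        self.buf += segment
        while fits(self.buf, HEADER_LEN):
            if self.buf[:2] != MAGIC:
                self._raise("PROTOCOL_DESYNC", self.buf[:2])
                self._block()
                return
            opcode = self.buf[2]
            length = int.from_bytes(self.buf[3:5], "big")
            # The declared length is judged before the body arrives, so an oversized
            # AUTH is caught however the attacker chooses to deliver the body.
            if opcode == OP_AUTH and exceeds(length, AUTH_MAX_LEN):
                self._raise("AUTH_OVERFLOW", length)
                self._block()
                return
            if not fits(self.buf, HEADER_LEN + length):
                return               # wait for the rest of the body
            body = self.buf[HEADER_LEN:HEADER_LEN + length]
            self.buf = self.buf[HEADER_LEN + length:]
            if opcode == OP_AUTH and body == b"public":
                self._raise("AUTH_DEFAULT_PASSWORD", body)


def compare(segments, enabled=None):
    """Run both engines over the same segments; returns (regex alerts, parser alerts)."""
    analyzer = ToyProtocolAnalyzer(enabled)
    for seg in segments:
        analyzer.feed(seg)
    return regex_signature_alerts(segments), [name for name, _ in analyzer.alerts]


# Constructed traffic samples, each a list of TCP segments.
OVERFLOW = build_message(OP_AUTH, b"A" * 300)
SCENARIOS = {
    "overflow_one_packet": [OVERFLOW],
    "overflow_fragmented": [OVERFLOW[:150], OVERFLOW[150:]],
    "overflow_no_run": [build_message(OP_AUTH, bytes(range(256)) + bytes(range(44)))],
    "benign_bulk_data": [build_message(OP_DATA, b"A" * 500)],
    "default_password": [build_message(OP_AUTH, b"public")],
}

if __name__ == "__main__":
    for name, segments in SCENARIOS.items():
        print(name, compare(segments))
    print("default_password, chatty signature enabled",
          compare(SCENARIOS["default_password"], {"AUTH_OVERFLOW", "AUTH_DEFAULT_PASSWORD"}))
```

Running it prints the alerts from both engines for each scenario: the regex fires on the benign bulk transfer and misses both the fragmented and the non-repeating overflows, while the parser flags all three overflows from the declared length alone and says nothing about the bulk data. The default-password event only appears once the operator enables that chatty signature, which is the tuning step the footnote describes.&lt;br /&gt;&lt;br /&gt;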
You can write surprisingly bad signatures with great technology.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;By the way, every year multiple master's and doctoral theses are written describing a new way of detecting hacker activity without signatures. They are invariably identical to some 30-year-old failed solution to the problem. This is the inverse problem: those who are unaware of the failures of the past tend to repeat them.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;b&gt;&lt;a href="" name="chatty"&gt;Chatty&lt;/a&gt;:&lt;/b&gt; Few really understand what a "false-positive" is. Many define it as a "false result", but the way people really use it is to mean "something I didn't want".&lt;br /&gt;&lt;br /&gt;For example, Proventia has a signature for "SNMP_Public" that triggers whenever it sees an SNMP packet with the community string (the SNMP password) "public". You should never see such packets on a well-run network. The problem is that no network is strictly "well run", and such packets appear regularly.&lt;br /&gt;&lt;br /&gt;So is "SNMP_Public" a false-positive? A better description is "chatty": it's true, but unwanted.&lt;br /&gt;&lt;br /&gt;The way we solve that is to turn it off by default when we ship the product. Some IDS/IPS products ship that way, to be silent when you connect them to a well-run network. A lot of customers don't like that, feeling that there ought to be more, so they turn on everything, then disable the chatty signatures one by one. Other products ship in chatty mode since they expect customers to go through this tuning step anyway.&lt;br /&gt;&lt;br /&gt;The point about "chatty" is that while everyone complains about IDS false-positives, they actually don't know what causes them. 
Often, it's their own decisions rather than the vendor's.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-8696094597380906820?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/8696094597380906820/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=8696094597380906820' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8696094597380906820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8696094597380906820'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/those-who-dont-know-state-of-art-are.html' title='Those who don&apos;t know the state-of-the-art are doomed to repeat it'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-p0vnhMxmt7I/Tin_oV406tI/AAAAAAAAAaY/MTSY7IJ9X1U/s72-c/466px-The_Historian.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2326434570797308087</id><published>2011-07-17T13:30:00.004-05:00</published><updated>2011-07-17T13:35:22.445-05:00</updated><title type='text'>Undersea Cable Map</title><content type='html'>Here is an awesome site for viewing the map of undersea cables: &lt;a href="http://www.cablemap.info/"&gt;http://www.cablemap.info/&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-c3PvLB_5biY/TiMPrZdlBII/AAAAAAAAAZs/TFLpEIH7RPk/s1600/cable-map-example.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="141" src="http://3.bp.blogspot.com/-c3PvLB_5biY/TiMPrZdlBII/AAAAAAAAAZs/TFLpEIH7RPk/s400/cable-map-example.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Undersea cables are interesting. In Richard Clarke's cyberthriller &lt;a href="http://www.amazon.com/Breakpoint-Richard-Clarke/dp/B001G7R7G6/ref=sr_1_4?ie=UTF8&amp;amp;qid=1310927202&amp;amp;sr=8-4"&gt;Breakpoint&lt;/a&gt;, hackers start their attacks by taking out undersea cables. Whether by bombing the landing sites, cutting the cables, or cyberattacking their routers, attacking these cables is near the top of everyone's list of cyberggedon scenarios.&lt;br /&gt;&lt;br /&gt;A couple years ago, there was a series of cuts in the Middle East. Many suspected foul play, but as it turns out, such cuts are common, such as when ships drag their anchors along the bottom. That's why landing sites avoid shipping lanes. There is a cable cut somewhere in the world roughly every 3 days, and there are fleets of ships whose sole job it is to fix these cuts.&lt;br /&gt;&lt;br /&gt;Even though they were accidental, they had a major effect on the Internet. Some countries in the Middle East were largely cut off from the Internet for a few weeks, and Britains found their VoIP to outsourced support centers in India to have enormous lag/latency, as packets had to be routed West through the United States, rather than East through the Suez Canal.&lt;br /&gt;&lt;br /&gt;The NSA has their own nuclear powered submarine. Among the uses for such a thing is to sit off the coast of Russia and eavesdrop on radio waves. But of course, the other use could be to secretly tap these cables. But these cables are getting faster at an enormous rate. 
They continue to lay new cable, and they upgrade the equipment on the ends to increase the data rates they send through the cables. Older cables (i.e., 10 years old) would carry 200-gbps. New cables carry 6-tbps. A computer costing $2000 is able to monitor 10-gbps (assuming the right software), so the NSA would need just 20 computers to eavesdrop on one of the old cables, but 600 of them for one of the newer cables.&lt;br /&gt;&lt;br /&gt;I grew up in Oregon, a quiet state on the West Coast between Washington (home of Microsoft and Adobe) and California (home of Silicon Valley). Curiously, though, it's a major landing site for cables going to Asia. There are several reasons for this. One reason is that it's 700 miles shorter (calculating the distance NRT-PDX vs. NRT-LAX). Another is that Intel's main site is located in Hillsboro, Oregon, which has created a small hi-tech mecca (Linus Torvalds lives in Oregon).&lt;br /&gt;&lt;br /&gt;The biggest reason, though, is cheap power because of all the &lt;a href="http://en.wikipedia.org/wiki/List_of_dams_in_the_Columbia_River_watershed"&gt;dams on the Columbia River&lt;/a&gt;. Whereas &lt;a href="http://www.eia.gov/cneaf/electricity/epm/table5_6_a.html"&gt;residential&lt;/a&gt; power rates are 12-cents per kilowatt-hour average in the U.S., Columbia River power is around 4-cents per kilowatt-hour -- possibly cheaper for the data centers built right next to the dams. In order to exploit this cheap power, the states of Oregon and Washington strung fiber optic cables up the river for data centers. Google, Amazon, and &lt;a href="http://www.centraloregonian.com/archives/story.aspx/12393/helping-feed-the-grid"&gt;Facebook&lt;/a&gt; have built data centers there to capitalize on the cheap power and fast connection. 
(Google won't say what it pays for electrical power, but they displace aluminum smelters that became unprofitable when power went above 3-cents per kilowatt-hour).&lt;br /&gt;&lt;br /&gt;I've created a picture of Oregon in the map below. I've marked Intel (Hillsboro), Google (The Dalles), Facebook (Prineville), and Amazon (Boardman). You can see the landing sites for cables on the left. Click on the image to enlarge.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-kCddN25N9Ps/TiMp32SJgSI/AAAAAAAAAZw/8zB2VMOQOMw/s1600/cable-map-oregon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="489" src="http://3.bp.blogspot.com/-kCddN25N9Ps/TiMp32SJgSI/AAAAAAAAAZw/8zB2VMOQOMw/s640/cable-map-oregon.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Note that the landing sites are not near ports. That's because ship anchors are the leading cause of cable cuts, so they want to locate the landing sites as far from ships as possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-2326434570797308087?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2326434570797308087/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2326434570797308087' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2326434570797308087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2326434570797308087'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/undersea-cable-map.html' title='Undersea Cable Map'/><author><name>Robert 
Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-c3PvLB_5biY/TiMPrZdlBII/AAAAAAAAAZs/TFLpEIH7RPk/s72-c/cable-map-example.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3690254145639202743</id><published>2011-07-13T13:02:00.003-05:00</published><updated>2011-07-29T01:40:54.695-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conspiracy theories'/><title type='text'>Don’t get sucked into conspiracies</title><content type='html'>&lt;a href="http://www.hackerfactor.com/"&gt;Dr. Neal Krawetz&lt;/a&gt; is the best source for image analysis (that I know of). His work is awesome. 
Recently, when I visited his blog, I noticed that he got sucked into two conspiracy theories.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-1EOhqiLAxYg/Th3ehW5RsnI/AAAAAAAAAZo/U2_lCn37b3U/s1600/behindthescenes.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-1EOhqiLAxYg/Th3ehW5RsnI/AAAAAAAAAZo/U2_lCn37b3U/s1600/behindthescenes.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;The first is a &lt;a href="http://www.hackerfactor.com/blog/index.php?/archives/430-Coming-To-You-Live.html"&gt;post on March 9&lt;/a&gt; where he mocks the “conspiracy nuts” that criticized President Obama for &lt;a href="http://www.poynter.org/latest-news/als-morning-meeting/130913/reuters-ap-photojournalists-describe-staging-of-obama-photo-staged-after-announcement-of-bin-ladens-death/"&gt;staging a photo-op&lt;/a&gt; after his speech announcing Bin Laden’s death. Journalists were banned from the room during the actual speech, to avoid noise from cameras going off, so Obama re-enacted his walk down the hallway and first 30 seconds of his speech. Many of the photographs you see in newspapers of this event were actually of the later re-enactment.&lt;br /&gt;&lt;br /&gt;Staging pictures like this is wrong. This is not a criticism of Obama, but of the press. This is against journalistic ethics. Journalists are supposed to deliver the truth, not some facsimile of the truth. It’s the equivalent to a scientist who adjusts measurements to the ones he knows are correct, or a lawyer who coaches a witness on what to say in the courtroom.&lt;br /&gt;&lt;br /&gt;The news organizations tried to get around this by correctly captioning their photographs. For example, the Associated Press captioned theirs as “President Barack Obama reads his statement to photographers after making a televised statement ...”. 
Technically, this absolves them of guilt, but in practice, newspapers that eventually print the photographs remove or change these captions. Even when correctly printed, and read, most people will not immediately understand that this was staged photography after the event, rather than the event itself.&lt;br /&gt;&lt;br /&gt;Thus, Krawetz is guilty of the partisan bickering he accused others of. Those articles made no criticism of Obama, just (correct) criticism of the press.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Krawetz made a &lt;a href="http://www.hackerfactor.com/blog/index.php?/archives/433-We-Have-A-Weiner.html"&gt;post on June 3&lt;/a&gt; that got sucked into the Anthony Weiner conspiracy theories. When the scandal broke, but before Weiner admitted guilt, extremist left-wing blogs had conspiracy theories claiming Weiner was framed. One conspiracy theory noted how the image tags (JPEG EXIF info) didn’t match other images Weiner had uploaded. &lt;a href="http://cannonfire.blogspot.com/2011/06/weiner-affair-close-to-solution-but-i.html"&gt;Another conspiracy theory&lt;/a&gt; noted that a link that normally appears on Yfrog was missing in the Weiner photo -- which would likewise be missing if hackers exploited a known security hole (since fixed) in Yfrog.&lt;br /&gt;&lt;br /&gt;Both these problems have obvious explanations.&lt;br /&gt;&lt;br /&gt;The missing EXIF image tags are caused by the fact that the phone resized the image before sending it. When you send an image on virtually any smartphone, you are given the choice to make it smaller, to reduce the time and bandwidth needed to send it. When you do that, the phone strips out some of the EXIF information. I think all modern smartphones (iPhone, Android, Blackberry) use the same &lt;a href="http://www.ijg.org/"&gt;IJG&lt;/a&gt; library, which causes this behavior. Try this for yourself: take a photo, then send the original to yourself, then send an 800x600 smaller version. Now compare the EXIF tags. 
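&lt;br /&gt;&lt;br /&gt;To make that comparison scriptable, here is an added example (mine, not code from the post or from Krawetz): a small JPEG marker walker in Python that lists the APPn header segments of a file and reports whether an Exif block (an APP1 segment beginning with the bytes Exif followed by two nulls) is present. The two inputs are constructed JPEG headers, not real phone photos: an "original" carrying JFIF and Exif segments, and a "resized" copy whose re-encoder kept JFIF but dropped the Exif segment, which is the pattern described above. Only the marker table is walked; the compressed image data after SOS is never decoded. To use it on real files, read their bytes and pass them to exif_summary.&lt;br /&gt;

```python
import struct

# JPEG marker values from the JPEG spec (ITU T.81).
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA


def segment(marker, payload):
    """Build one marker segment; the 2-byte length counts itself plus payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def walk_segments(data):
    """Return [(marker, length, payload)] for every header segment up to SOS.

    Only the marker table is walked; entropy-coded image data after SOS is
    not decoded, which is all an EXIF presence check needs.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    out = []
    i = 2
    while len(data) - i >= 4:
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xD9:          # EOI, nothing more to read
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        payload = data[i + 4:i + 2 + length]
        out.append((marker, length, payload))
        if marker == SOS:           # image data follows; stop walking
            break
        i += 2 + length
    return out


def exif_summary(data):
    """Describe the APPn segments and whether an Exif block is present."""
    apps = []
    has_exif = False
    for marker, length, payload in walk_segments(data):
        if marker in range(0xE0, 0xF0):          # APP0 .. APP15
            apps.append(("APP%d" % (marker - 0xE0), length))
            if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
                has_exif = True
    return {"apps": apps, "has_exif": has_exif}


def constructed_samples():
    """Two constructed JPEG headers (not real photos): an 'original' with
    JFIF and Exif segments, and a 'resized' copy where the re-encoder kept
    JFIF but dropped the Exif APP1 segment."""
    jfif = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    # Minimal TIFF header after the Exif tag: little-endian, IFD at offset 8, zero entries.
    exif = segment(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00\x00\x00")
    sos = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    body = b"\x00\x00" + EOI
    original = SOI + jfif + exif + sos + body
    resized = SOI + jfif + sos + body
    return original, resized


def compare(original, resized):
    """Report which APPn segments the resized copy lost relative to the original."""
    a, b = exif_summary(original), exif_summary(resized)
    kept = [name for name, _ in b["apps"]]
    return {
        "original_has_exif": a["has_exif"],
        "resized_has_exif": b["has_exif"],
        "dropped": [name for name, _ in a["apps"] if name not in kept],
    }


if __name__ == "__main__":
    o, r = constructed_samples()
    print(compare(o, r))
```

For forensic work the useful point is the negative result: an image with no Exif block is consistent with any resize-and-send path, so its absence alone is not evidence of tampering.&lt;br /&gt;&lt;br /&gt;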
As well as reproducing this effect with my phone, I found many other images on the Internet with Google that have the same EXIF information as Weiner’s photo.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-27fwhdMAUJs/TeZR7KX5LzI/AAAAAAAAC1g/zQG-Q-xtDjw/s1600/comparison-weiner-dowson-final.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/-27fwhdMAUJs/TeZR7KX5LzI/AAAAAAAAC1g/zQG-Q-xtDjw/s320/comparison-weiner-dowson-final.jpg" width="248" /&gt;&lt;/a&gt;&lt;/div&gt;I don’t know what causes the “&lt;a href="http://2.bp.blogspot.com/-27fwhdMAUJs/TeZR7KX5LzI/AAAAAAAAC1g/zQG-Q-xtDjw/s1600/comparison-weiner-dowson-final.jpg"&gt;missing URL&lt;/a&gt;” problem, but there are tons of posts to Yfrog that have the same artifact. It took me all of 10 seconds to find numerous examples of this behavior, such as this one &lt;a href="http://yfrog.com/gz1qunsj"&gt;http://yfrog.com/gz1qunsj&lt;/a&gt;. It’s so common, it’s unreasonable to believe that only hackers could cause the effect. [***]&lt;br /&gt;&lt;br /&gt;By the way, there is also this &lt;a href="http://www.dailykos.com/story/2011/05/29/980400/-Breitbarts-#TwitterHoaxHow-It-Went-Down-%28updated-wsmoking-gun%29?detail=hide"&gt;error level analysis conspiracy theory&lt;/a&gt; that is &lt;a href="http://www.dailykos.com/story/2011/05/29/980463/-Breitbart-Image-Analysis-DOES-NOT-show-evidence-of-Fraud-re:-Rep-Weiner?via=tag"&gt;thoroughly debunked&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is the hallmark of a conspiracy theory. Whenever you see a phrase like “this cannot be explained, unless there is a conspiracy”, then you know you have a conspiracy theory. Another reason things cannot be explained is that the theorists simply don’t have the experience, expertise, or interest to explain them. 
It took me all of 5 minutes to find other explanations of their evidence.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Krawetz discusses the fact that he is in the business of finding conspiracies, by using his awesome expertise in finding image manipulation, so that he might be biased toward conspiracy theories. It’s the same thing in the cybersecurity industry, where we are prone to blame hackers for everything. We should strive more to double-check our biases. When something looks too much like a conspiracy theory, we should look harder for alternate explanations of the “evidence”.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;[***] Update: When I tested this page after I posted it, the YFrog link I used suddenly had the expected contents. The reason I didn't see it is that it's delivered via JavaScript, which updates the tweet information associated with the image, which sometimes doesn't happen. Furthermore, it appears YFrog gets the tweet information directly from Twitter's servers -- so if somebody deletes the associated Tweet, the caption disappears. 
Thus, my original attempt to debunk the conspiracy theory doesn't work -- but leads to what is almost certainly the real explanation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3690254145639202743?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3690254145639202743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3690254145639202743' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3690254145639202743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3690254145639202743'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/dont-get-sucked-into-conspiracies.html' title='Don’t get sucked into conspiracies'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-1EOhqiLAxYg/Th3ehW5RsnI/AAAAAAAAAZo/U2_lCn37b3U/s72-c/behindthescenes.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1927522380385407800</id><published>2011-07-08T16:23:00.001-05:00</published><updated>2011-07-29T01:41:15.363-05:00</updated><title type='text'>Space Shuttle: good riddance</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://2.bp.blogspot.com/-K5--GnvprtE/Thd1QLr2QrI/AAAAAAAAAZg/hKMljE6Xiy0/s1600/270px-STS120LaunchHiRes.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="320" src="http://2.bp.blogspot.com/-K5--GnvprtE/Thd1QLr2QrI/AAAAAAAAAZg/hKMljE6Xiy0/s320/270px-STS120LaunchHiRes.jpg" width="208" /&gt;&lt;/a&gt;&lt;/div&gt;Today was the 135th and final launch of the space shuttle. Many are crying over the end of an era. But the project has been a boondoggle from the start, sucking the life out of space exploration. At $1-billion per launch, it costs 10 times as much to launch something with the Shuttle as with another spacecraft, which is why we buy so many launches from the Russians these days. Over its 40-year life, NASA has spent $211-billion (inflation adjusted) on a program that has no notable accomplishments.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The problem with the Shuttle has always been that it’s a &lt;i&gt;moral&lt;/i&gt; argument. Everyone knows that “reusable” is morally superior to “disposable”. Therefore, a reusable spacecraft has to be better than a disposable one. The moral superiority of this argument has blinded people for 40 years to the fact that it just doesn't work.&lt;br /&gt;&lt;br /&gt;The flaw in the program can be seen in the two Shuttle disasters, when the Challenger exploded after liftoff, and the Columbia burned up on re-entry. &lt;b&gt;The cause of both disasters was the complexity of the Shuttle.&lt;/b&gt; Disposable spacecraft are simple, and harder to mess up. A reusable space plane is horribly complex, and impossible to get right. If we’d ever achieved the thousands of launches (rather than the mere 135), we would have had many more disasters.&lt;br /&gt;&lt;br /&gt;As a risk expert, I was horrified by the finger pointing after the Columbia tragedy. 
What everyone points to as the “cause” was foam falling off the tank and hitting the heat-resistant tiles. The enormous heat during re-entry burned through the broken tiles, and destroyed the spacecraft. But the real “cause” was the complexity of the tiles themselves. There were over 20,000 tiles, no two alike, that had to be individually inspected, removed, repaired/replaced, and glued back on after every flight.&lt;br /&gt;&lt;br /&gt;The tiles alone made the Shuttle too expensive, and too risky to operate, but they're just a small part of Shuttle complexity.&lt;br /&gt;&lt;br /&gt;But worse than the tiles themselves was the blame game following the Columbia disaster. As the news reports, there were people within NASA who had warned management of the risk, but management covered up the problem. Of course this was the case. By any rational risk analysis, the Shuttle was too risky to fly, but NASA was told by Congress and the American people to make it fly. Therefore, NASA management had to decide which risks they were willing to live with. If the Shuttle were to keep flying after today, there would be another disaster soon, and its cause would be one of the many other risks management knows about but “ignores”.&lt;br /&gt;&lt;br /&gt;This is a useful lesson for cybersecurity. Today’s networks are too complex to secure. Getting hacked is as inevitable as a Shuttle blowing up. Despite this, corporations are convinced that they can solve the complexity. They believe their firewalls will not have holes hackers can get through. They believe that they can control their website code to prevent all SQL injection and cross-site scripting. They believe enough anti-virus will prevent users from infecting themselves with viruses. They believe they can keep all patches up-to-date all the time. They believe they can isolate critical bits from the Internet so that hackers can’t reach them. 
When they get hacked, they can always point backwards at the patch they failed to apply, or the Web 2.0 code they failed to inspect, or the virus their AV failed to catch. They believe that was the only problem that allowed the hack, and once fixed, they will be secure from now on. They believe if they “just take security seriously enough”, then such problems won’t happen. But they are wrong, as wrong as Shuttle engineers who thought “if we just take safety seriously enough, disasters won’t happen”.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1927522380385407800?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1927522380385407800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1927522380385407800' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1927522380385407800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1927522380385407800'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/space-shuttle-good-riddance.html' title='Space Shuttle: good riddance'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-K5--GnvprtE/Thd1QLr2QrI/AAAAAAAAAZg/hKMljE6Xiy0/s72-c/270px-STS120LaunchHiRes.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7772921650345881688</id><published>2011-07-06T13:49:00.005-05:00</published><updated>2011-07-06T17:05:28.753-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SQL injection'/><title type='text'>Chronic Threats: SQL injection</title><content type='html'>What is the reason for the recent rash of hacking? Why was LulzSec able to take on high-profile victims like Sony, the FBI, and the CIA?&lt;br /&gt;&lt;br /&gt;The answer is this: hackers aren't necessarily smart; the problem is that the victims are stupid. Hackers like LulzSec exploited "obvious" problems in the victim websites. But for all their obviousness, we (as an industry) still don't know how to fix them.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For example, take the most common problem, called "SQL injection". This problem is caused by the fact that websites treat input as "code" rather than "data". This is demonstrated by this recent &lt;a href="http://www.wooyun.org/bugs/wooyun-2010-02397"&gt;vulnerability at CNN&lt;/a&gt;&amp;nbsp;(which I got from a Tweet by Dave Aitel; it was still working last I checked). CNN set up a website that allows people to query information about colleges. 
A typical page looks like the following:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-HsWOOSMIrjM/ThSik5Z-E7I/AAAAAAAAAZY/sRF95iHBIG0/s1600/cnnmoney1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="241" src="http://2.bp.blogspot.com/-HsWOOSMIrjM/ThSik5Z-E7I/AAAAAAAAAZY/sRF95iHBIG0/s400/cnnmoney1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;What we see in this picture is the webpage that is accessed with the URL &lt;a href="http://cgi.money.cnn.com/tools/collegecost/collegecost.jsp?college_id=7966"&gt;http://cgi.money.cnn.com/tools/collegecost/collegecost.jsp?college_id=7966&lt;/a&gt;. Data for all the colleges is stored in a database. Each college is given a unique numeric identifier. In this case, the college_id of 7966 represents Oklahoma State University in CNN's database. The web application takes this number from the URL and uses it to query the database, then formats the results in a web page.&lt;br /&gt;&lt;br /&gt;The problem with CNN's website is that it doesn't treat 7966 as just data, but also as code. Hackers can replace that number with code, and CNN's database will run it. The easiest way to test this is to enter faulty code, which generates an error message. The way that most of us do that is simply to put a quote ' character at the end of the field. This allows us to test that this flaw exists, that the website will run our code, without actually running code on the database. 
An example is below:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-B2roIfdnMCY/ThSiqGOYRTI/AAAAAAAAAZc/4i3clpQZ1yk/s1600/cnnmoney2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="241" src="http://3.bp.blogspot.com/-B2roIfdnMCY/ThSiqGOYRTI/AAAAAAAAAZc/4i3clpQZ1yk/s400/cnnmoney2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;As you see, simply putting a quote ' character at the end causes the website to produce an error message as it tries to run the code. The website of the Chinese hacker who discovered this &lt;a href="http://www.wooyun.org/bugs/wooyun-2010-02397"&gt;vulnerability&lt;/a&gt;&amp;nbsp;has an even better example that runs harmless code that grabs the version number. Its URL containing the code looks like:&lt;br /&gt;&lt;blockquote&gt;http://cgi.money.cnn.com/tools/collegecost/collegecost.jsp?college_id=7966+||+utl_inaddr.get_host_name((select+banner+from+v$version+where+rownum=1))--&lt;/blockquote&gt;&lt;br /&gt;The thing about this vulnerability is that any teenager can exploit it. You would think that a guy with 10 years' experience creating websites would know more about this problem than a teenage hacker, but the reverse is true. Most people who create websites don't really understand how they truly work, nor do they care. They care about the end result, about what the user sees, about pretty pictures. They rarely care about the boring technical details. Website designers are shockingly ignorant about the cybersecurity implications of their work. Conversely, teenagers are shockingly ignorant about how to create websites -- they only know how to break them.&lt;br /&gt;&lt;br /&gt;The problem with this threat is that it's &lt;b&gt;chronic&lt;/b&gt;. Everybody in the cybersecurity community understands this problem, but nobody knows how to fix it. 
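&lt;br /&gt;&lt;br /&gt;Here is the "code versus data" distinction in runnable form, as an added example (mine, not CNN's code and not anything from the wooyun report). It uses an in-memory sqlite3 table standing in for the college database; the rows, the table name and sqlite3 itself are assumptions, since the real site ran a JSP front end against Oracle. lookup_vulnerable pastes the URL parameter into the SQL text, so the stray-quote probe described above turns into a database syntax error; lookup_parameterized binds the parameter with a placeholder, which is the one-line change that makes the same input plain data; lookup_validated additionally rejects anything that is not a number, since college_id is numeric by contract.&lt;br /&gt;

```python
import sqlite3


def make_db():
    """Constructed stand-in for the college database: two rows in an
    in-memory sqlite3 table (an assumption, not CNN's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE college (college_id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO college VALUES (?, ?)",
                   [(7966, "Oklahoma State University"), (1234, "Example College")])
    return db


def lookup_vulnerable(db, college_id):
    """The 'before': the URL parameter is concatenated into the SQL text, so
    the database parses it as code. A trailing quote breaks the statement and
    raises a syntax error, which is the probe the post describes."""
    sql = "SELECT name FROM college WHERE college_id = " + college_id
    return db.execute(sql).fetchall()


def lookup_parameterized(db, college_id):
    """The 'after': the parameter is bound through a placeholder, so whatever
    the string contains is compared as a value and never parsed as SQL."""
    sql = "SELECT name FROM college WHERE college_id = ?"
    return db.execute(sql, (college_id,)).fetchall()


def lookup_validated(db, college_id):
    """Defence in depth: college_id is numeric by contract, so reject anything
    else before it reaches the database at all, then bind it as an integer."""
    if not college_id.isdigit():
        raise ValueError("college_id must be a positive integer")
    return lookup_parameterized(db, int(college_id))


def probe(db, lookup, college_id):
    """Run one lookup and report rows, a database error, or input rejection,
    so the three handlers can be compared on the same inputs."""
    try:
        return ("rows", lookup(db, college_id))
    except sqlite3.Error as e:
        return ("db-error", type(e).__name__)
    except ValueError:
        return ("rejected", college_id)


if __name__ == "__main__":
    db = make_db()
    # The legitimate id, the quote probe from the post, and a tautology that
    # turns the WHERE clause into 'match everything' when treated as code.
    for value in ("7966", "7966'", "7966 OR 1=1"):
        for fn in (lookup_vulnerable, lookup_parameterized, lookup_validated):
            print("%-20s %-14r %s" % (fn.__name__, value, probe(db, fn, value)))
```

From the defender's side, the database error the vulnerable handler raises on a stray quote is the same signal the CNN error page gave away: such errors belong in application logs with an alert attached, not in the HTTP response.&lt;br /&gt;&lt;br /&gt;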
Sure, we know how to fix this specific bug -- just change one line of code, and the problem goes away. The thing we don't understand is how to prevent a similar bug from appearing yet again. We have tools, like scanners that look for such bugs on websites, code analyzers to point out such bugs in the web-app code, and web-app firewalls to block some attacks, but none of these tools are wholly effective.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7772921650345881688?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7772921650345881688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7772921650345881688' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7772921650345881688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7772921650345881688'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/07/chronic-threats-sql-injection.html' title='Chronic Threats: SQL injection'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-HsWOOSMIrjM/ThSik5Z-E7I/AAAAAAAAAZY/sRF95iHBIG0/s72-c/cnnmoney1.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7457144210232806279</id><published>2011-06-27T12:10:00.007-05:00</published><updated>2011-07-29T01:41:53.015-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lulzsec'/><category scheme='http://www.blogger.com/atom/ns#' term='pentest'/><category scheme='http://www.blogger.com/atom/ns#' term='musings'/><title type='text'>Take a bow everybody, the security industry really failed this time</title><content type='html'>&lt;p class="MsoNormal"&gt;I haven’t said anything about Lulzsec publicly yet, and I don’t really have a good reason for the lack of comment. I have been watching their activities with great amusement. On Saturday I saw they released a large list of router IP addresses along with usernames and passwords. The passwords looked like they were set to default values. This actually made me laugh out loud, and I had two thoughts. First and foremost, how was this allowed to happen if you are doing regular security checks? The second thought is who at the offending company will take the blame for this?&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;First off, I've heard a lot of people say that Lulzsec did security a favor by really showing the need for security. I disagree completely. I think Lulzsec has shown how ineffective the security community and marketplace really are. These were not mom-and-pop targets that got hit but instead several mega-corporations that spend more money on security than most people will make in a lifetime. The spending did not stop the compromise and posting of their sensitive data, so what good is it? &lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;Putting your security in the hands of tools will fail you every time.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;A tool is a device that helps you accomplish a goal, not a magic device that will accomplish the goal by itself. 
A hammer does not build a house for a carpenter, nor will a vuln scanner make a network secure.&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;How did all those routers end up with easy-to-guess usernames and passwords without anybody in the company noticing? I have no inside knowledge, but I can take an educated guess: the belief that security tools will work and that security policies will be followed. I am sure somebody somewhere is explaining to their boss that the security policy was followed to the letter and vulnerability scans were completed regularly and these were not detected. As a pentester I run into tests all the time that are supposed to be a “gloves off, no limits test”, and the first thing I am handed is a list of systems that are off limits. So although the networks may have been scanned, maybe the routers were excluded because they were considered “mission critical” with no attack surface, so they were excluded from vulnerability testing.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Tools like vuln scanners, IPSes, and WAFs will fail you when you need them most. I spend most of my time looking at how to get attacks past security tools, and it is pretty easy. I try to explain that to clients, but often times tools are easier to find than good people, so they go with tools.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;If you exclude anything from vulnerability testing you will fail.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;I know that there are some systems that really are important and it will be an operating problem if they go down. Ask yourself this: if that is true, why aren’t these systems the targets of more testing, so that you find the cause of your faults and not a hacker group? 
If you think that Lulzsec or any other hacker will respect your no-scan list, you are crazy. &lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;As a former network admin I know that complex networks are actually a hodgepodge of crossed fingers and jury-rigging to get them to work. Once these Frankenstein networks are working, nobody wants to touch them for fear of breaking something that may take until the wee hours of the night to fix. This is no excuse for keeping some systems off limits for testing. &lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;The second thought is who to blame. In reality I think everyone in security is to blame. I include myself in this. We don’t really prepare customers for real-world risks and often focus on things that sell, like compliance. Having worked for and with a lot of security product companies, I have observed the compromise of a security product’s ability to protect in the name of customer requests more times than I can count. We in security cater more to check writers than we do to actual security. Normally the check writers don’t want security; they want a check box filled that will have the minimal impact on operations.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;Security is the first business I have seen where the customer is not always right.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;I will admit I have changed testing strategies to appease customers. 
The wide-eyed “you are gonna do what?!?!” response to a planned test has made me worry about losing a client, so although I will ruffle my feathers and puff out my chest about the importance of the testing, in most cases I will acquiesce to please the client. This is my fault and I should not do it. &lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="font-weight: bold;" class="MsoNormal"&gt;Setting client expectations…for real.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;I have not seen a company that is actually secure. It doesn’t matter if the threat is simple password guessing or holding a Glock 21 to the head of your network admin; I can get access. Oftentimes security testing is used to verify security to a certain point, a point of tradeoffs for the company between cost, security, and feasibility of attack. While the Glock approach may not be as feasible as other attacks, it will work every time. At this point you should not be judging the feasibility of the attack but instead the determination of the attacker. As a company, ask if you really have something worth stealing, and if so, what lengths somebody would go to in order to steal it.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;This might not be the best example, but it is the first anecdote I thought of while writing this post:&lt;/p&gt;&lt;p class="MsoNormal"&gt;I once did a pentest for a company that had a WEP-encrypted wifi network. The network manager wanted to spend his budget on things other than security, so it was never upgraded. The reason: we have guys with guns at the gates, so no one can really get within range of our network to attack it. In my plan to the executives I mentioned two possibilities to carry out the “no holds barred” testing. 
One idea was skydiving into the facility with my computer; the other was just having a helicopter circle close by. The executives immediately said no for various reasons. They were later forced to admit that either idea would work. Now if I had been a real attacker I would not have cleared my plans with them first and would have been able to compromise their network and do dirty deeds ranging from theft of IP to maintaining access for a cohort off-site. I failed my client because I let their fear of success take over testing.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;I am not alone in this failure. If you show me a person that says they have never dialed back testing to please a client, I can show you a person reading a prepared statement from their marketing department. Make no mistake that often the hurdles thrown up in front of security are people worrying you will succeed, or at least make their life more difficult. And the fear of success, or just being annoyed, will often motivate clients to veto an attack vector they know will work. If this were to cause a fix I would be happy, but often if there is nothing in the report the client won’t fix anything.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Because of failures like these, the security community does not prepare clients for real attacks by determined attackers like Lulzsec. 
The clients of the security industry are systematically compromised and exposed for all to see like a cadaver during an autopsy.&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;In the end, while I see some sales guys rubbing their hands together in glee over the thought that Lulzsec will drive security spending up, I am absolutely convinced that the last thing this problem needs is more money.&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;Until there is a mindset change by the executives of these companies, no amount of security spending will keep them safe…&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;and that’s our failure as an industry. &lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7457144210232806279/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7457144210232806279' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7457144210232806279'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7457144210232806279'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/06/take-bow-everybody-security-industry.html' title='Take a bow everybody, the security industry really failed this time'/><author><name>David Maynor</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1031244157702320073</id><published>2011-06-24T05:10:00.006-05:00</published><updated>2011-07-22T17:53:01.903-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='crazy'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='musings'/><title type='text'>My own Grandpa Simpon moment: The Cloud</title><content type='html'>As the sun begins to wiggle&lt;a href="http://2.bp.blogspot.com/-OPuZ2uCcYB4/TgRjepc1iFI/AAAAAAAAAtA/MMFMAbuQwTQ/s1600/texas-storm-cloud-by-natioanal-weather-service-photographer-chris-broyles-wallpaper.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5621727613039249490" src="http://2.bp.blogspot.com/-OPuZ2uCcYB4/TgRjepc1iFI/AAAAAAAAAtA/MMFMAbuQwTQ/s320/texas-storm-cloud-by-natioanal-weather-service-photographer-chris-broyles-wallpaper.jpg" style="cursor: hand; cursor: pointer; float: left; height: 240px; margin: 0 10px 10px 0; width: 320px;" /&gt;&lt;/a&gt; its way over the horizon and the sleepy town of Atlanta begins to wake, I find myself watching a movie called The Eagle. Since the movie is only semi-interesting, I drift to catching up on news of the last day and come across this story:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://wapo.st/muTOtJ"&gt;http://wapo.st/muTOtJ&lt;/a&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Beware:&lt;/span&gt; What follows are random Dave musings and I haven’t had my Adderall today.&lt;br /&gt;&lt;br /&gt;Am I wrong in thinking this is a cloud failure? I have to admit I am not much of a cloud expert, but shared hardware for virtual instances always seemed like a bad idea because you do not know who your neighbors are. 
Your innocent widget business could be next to child porn, websites selling drugs, or even a Democrat&lt;a href="http://2.bp.blogspot.com/-P-3-jk5enys/TgRj2WnyLZI/AAAAAAAAAtI/hiVpN163clw/s1600/swat.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5621728020301753746" src="http://2.bp.blogspot.com/-P-3-jk5enys/TgRj2WnyLZI/AAAAAAAAAtI/hiVpN163clw/s320/swat.jpg" style="cursor: hand; cursor: pointer; float: left; height: 235px; margin: 0 10px 10px 0; width: 320px;" /&gt;&lt;/a&gt; politician’s website. If anybody watches cop shows like Cops or SWAT, then you know one day the residents will put enough pressure on their elected leaders to crack down on the crime in their area, and that will kick off a neighborhood sweep. The same holds true for the virtual residents of the Internet. I am sure you don’t want your business in the same virtual neighborhood as child porn, drugs, or Democrats.&lt;br /&gt;&lt;br /&gt;I think the same is true for some services in this case. How can you rely on something that could be seized at any moment for participating in criminal actions, even though it may have been a single user and not the service itself? Or worse, a service gets taken not because of what it is doing virtually but because of where it is in the real world. Imagine an FBI agent with a warrant showing up to take two or three servers and being met with racks upon racks of servers. He might decide to be thorough and take everything in the same rack as the offending server without realizing it could contain thousands of other companies’ unrelated data. I say “without realizing,” but what I really mean is “without caring”; when data collection and analysis is your business, it does not pay to err on the side of caution.&lt;br /&gt;&lt;br /&gt;Unless I am mistaken, the FBI is still in “grab everything with a power cord” mode instead of respecting virtual boundaries. 
The thoughts that keep me up are things like what will happen when the US bans Bitcoins and Rob’s development machines are seized for mining. Then, because Rob’s machines were backed up using Dropbox, Dropbox is seized as well. When that happens, the Dropbox machines are in close proximity to Thinkgeek machines, so they are taken as well. Now I am out of our development effort, having to deal with lawyers, and cannot order any ironic t-shirts to show my displeasure. T-shirts with slogans like the following:&lt;br /&gt;&lt;br /&gt;“The government banned Bitcoin, seized a lot of cloud services’ computers, and all I got is the shaft because I can no longer afford t-shirts” –proposed Thinkgeek t-shirt for 2012&lt;br /&gt;&lt;br /&gt;Keep in mind I don’t even know if the above scenario is possible; I am just using it as a hypothetical scenario.&lt;br /&gt;&lt;br /&gt;If this happened to Instapaper, how long till it happens to Pastebin or Dropbox or even a large-scale Amazon EC2 implementation like Netflix?&lt;br /&gt;&lt;br /&gt;I am starting to feel like an old man yelling about loud music when it comes to the cloud. Every time I see something new like the Apple iCloud I cringe. I don’t want to, but I know I will end up using it.&lt;br /&gt;&lt;br /&gt;It will get hacked. Information will be leaked. People will forget. It will get hacked. Information will be leaked. People will forget. It will get h…and this will repeat until a new technology replaces the cloud. 
And then it will start all over again…&lt;br /&gt;&lt;br /&gt;Take my musings with&lt;a href="http://1.bp.blogspot.com/-cHppdPBvtzM/TgRlNNz2NnI/AAAAAAAAAtQ/8DaccnQGZww/s1600/dave_cloud.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" id="BLOGGER_PHOTO_ID_5621729512585049714" src="http://1.bp.blogspot.com/-cHppdPBvtzM/TgRlNNz2NnI/AAAAAAAAAtQ/8DaccnQGZww/s320/dave_cloud.jpg" style="cursor: hand; cursor: pointer; float: left; height: 240px; margin: 0 10px 10px 0; width: 320px;" /&gt;&lt;/a&gt; a grain of salt, as I am no cloud expert. I am just a person that has become addicted to these services like everyone else and am now worried about security after adoption. It’s horrible that “security people” have the same “security problems” as everyone else. I also hate how many times I used the word cloud in this post. And I really hate loud music and those darn kids on my lawn.</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1031244157702320073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1031244157702320073' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1031244157702320073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1031244157702320073'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/06/my-own-grandpa-simpon-moment-cloud.html' title='My own Grandpa Simpon moment: The Cloud'/><author><name>David Maynor</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16'
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-OPuZ2uCcYB4/TgRjepc1iFI/AAAAAAAAAtA/MMFMAbuQwTQ/s72-c/texas-storm-cloud-by-natioanal-weather-service-photographer-chris-broyles-wallpaper.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2295797687853234436</id><published>2011-06-23T11:43:00.004-05:00</published><updated>2011-06-23T11:45:54.550-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><title type='text'>What does cyberwar look like?</title><content type='html'>&lt;p class="MsoNormal"&gt;What do pundits think cyberwar will look like? In preparation for the new Transformers movie I just watched the first and the second one again. There are several scenes where air strikes on artillery are called in on an area and the scene switches to inside an AWACS with officers uttering phrases like “Deploy strike package bravo.” &lt;/p&gt;  &lt;p class="MsoNormal"&gt; &lt;/p&gt;  &lt;p class="MsoNormal"&gt;I fear that this is what many pundits will think of when they think of cyberwarfare: a group of crew-cut soldiers somewhere waiting for a red phone to ring and being given the order “Deploy strike package ping of death!”&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-mZnFjXpNvpE/TgNtS4tCbTI/AAAAAAAAAs4/OMZ-zfFoQAQ/s1600/E-3-Sentry-AWACS-59.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 195px;" src="http://3.bp.blogspot.com/-mZnFjXpNvpE/TgNtS4tCbTI/AAAAAAAAAs4/OMZ-zfFoQAQ/s320/E-3-Sentry-AWACS-59.jpg" alt="" id="BLOGGER_PHOTO_ID_5621456931114872114" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;"Don't worry fellas, the MS03-026 hurt is on the way!"</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2295797687853234436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2295797687853234436' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2295797687853234436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2295797687853234436'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/06/what-does-cyberwar-look-like.html' title='What does cyberwar look like?'/><author><name>David Maynor</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-mZnFjXpNvpE/TgNtS4tCbTI/AAAAAAAAAs4/OMZ-zfFoQAQ/s72-c/E-3-Sentry-AWACS-59.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-571614309948988606</id><published>2011-06-22T15:55:00.016-05:00</published><updated>2011-07-29T02:40:37.712-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='cracking'/><category scheme='http://www.blogger.com/atom/ns#' term='GPU'/><title type='text'>Password cracking, mining, and GPUs</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-I-YGgVZW5YY/TgJKEaGWFFI/AAAAAAAAAXM/7DPYa6zeurE/s1600/radeon+hd+6950.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em;
margin-left: 1em;"&gt;&lt;img border="0" height="234" src="http://3.bp.blogspot.com/-I-YGgVZW5YY/TgJKEaGWFFI/AAAAAAAAAXM/7DPYa6zeurE/s320/radeon+hd+6950.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;People imagine that sophisticated hacking requires sophisticated computers. The truth is that almost everything a hacker does can be done with a cheap notebook computer, or even a mobile phone.&lt;br /&gt;&lt;br /&gt;The major exception is &lt;i&gt;password cracking&lt;/i&gt;, and related crypto tasks like &lt;i&gt;bitcoin mining&lt;/i&gt; and &lt;i&gt;certificate forgery&lt;/i&gt;. In these cases, a minor investment in hardware can be warranted.&lt;br /&gt;&lt;br /&gt;In particular, those who need to crack passwords (pen-testers, sysadmins, hackers) should buy a gaming graphics card in order to speed up cracking. Or, when buying notebooks for pen-testing, they should choose those with graphics processors.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;What’s a GPU&lt;/h2&gt;&lt;br /&gt;Computers, as we know them, used to contain a single processor, called the &lt;i&gt;central processing unit&lt;/i&gt; or &lt;i&gt;CPU&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;Now they contain a second processor, called the &lt;i&gt;graphics processing unit&lt;/i&gt; or &lt;i&gt;GPU&lt;/i&gt;. As the name implies, GPUs are intended for graphics, which means games and video.&lt;br /&gt;&lt;br /&gt;But GPUs aren’t just for graphics; they are good for any highly &lt;i&gt;repetitive&lt;/i&gt; task. Typical GPU applications include video transcoding, statistical modeling, physics simulations, medical imaging, financial modeling, and &lt;i&gt;cryptography&lt;/i&gt;. Password cracking is just one form of cryptography.&lt;br /&gt;&lt;br /&gt;It’s important to keep in mind that graphics processors are no more powerful than central processors. Trying to run non-repetitive tasks on the graphics processor results in a speed &lt;i&gt;decrease&lt;/i&gt;. 
Foolish hackers regularly attempt this, and are regularly disappointed. Instead, graphics processors are optimized for calculations that are highly repetitive, whereas normal processors are optimized for the majority of code that isn’t very repetitive.&lt;br /&gt;&lt;br /&gt;These days, most computers come with a GPU. The iPhone has an ARM CPU and a PowerVR GPU. The latest Intel "Sandy Bridge" CPUs come with a custom Intel GPU built into the chip. AMD processors (formerly called "Athlon") have a version of the Radeon GPU on the chip. Except for AMD’s built-in GPUs, these aren’t programmable by the user, and therefore can’t be used for anything other than graphics (although Intel keeps promising to make their GPU more programmable). Even AMD’s built-in GPU is slow relative to add-on GPUs.&lt;br /&gt;&lt;br /&gt;Instead, when this post mentions GPUs, it refers to the gaming cards with the fastest GPUs. Such cards can easily accelerate password cracking by 20 times. Using such cards, people are putting 8 GPUs in a system, accelerating password cracking by 160 times. That means a password that would otherwise take 6 months to crack can now be cracked in a day -- assuming you are willing to spend $3000 on graphics cards.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Radeons are better than GeForce&lt;/h2&gt;&lt;br /&gt;There are only two manufacturers of high-end gaming cards: nVidia with their GeForce cards, and AMD with their Radeon cards. Both sell a wide range of cards, from the very cheap (but slow) to the very expensive (but fast). Prices typically range from around $100 for the cheaper ones to $800 for the most expensive, with the best price-performance ratio around the $250 mark (two $250 cards will likely be faster than a single $700 card).&lt;br /&gt;&lt;br /&gt;For gaming, Radeons and GeForces have roughly the same performance, with the fastest GeForce cards being the slight favorite. 
For supercomputer applications, like weather modeling or physics simulations, the GeForce cards are the clear favorite. However, for crypto, it’s the Radeon cards that come out on top. &lt;b&gt;For equivalently priced cards, a Radeon card will be over twice as fast as a GeForce card when cracking passwords.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;There are a few reasons for this. Radeons have more theoretical power, but suffer from a "VLIW" instruction set that makes it hard to realize that power in practice. Password cracking is VLIW friendly, though, and can tap into that power. In addition, Radeons have specific integer instructions like "bitalign" (aka "rotate") and "BFI_INT" ("bitselect") that speed up popular crypto operations.&lt;br /&gt;&lt;br /&gt;Thus, a cheap model of the Radeon like the &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16814121363&amp;amp;cm_re=5770-_-14-121-363-_-Product"&gt;HD 5770&lt;/a&gt; costing $109 will outperform an expensive GeForce model like the &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16814121436&amp;amp;cm_re=GTX590-_-14-121-436-_-Product"&gt;GTX 590&lt;/a&gt; costing $749. The most expensive Radeon model, the &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16814125370&amp;amp;cm_re=hd_6990-_-14-125-370-_-Product"&gt;HD 6990&lt;/a&gt; costing $739, will be over three times as fast at cracking passwords.&lt;br /&gt;&lt;br /&gt;The consequence is that if you want to crack WiFi WPA2 passwords, Windows NTLM passwords, Unix salted MD5 hashes, or Bitcoin hashes, then you should probably invest in one of these GPUs. Even a cheap $100 card can increase speed over your desktop processor by 20 times. 
Ideally, you should buy a Radeon card for this rather than a GeForce card.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Moore’s Law&lt;/h2&gt;&lt;br /&gt;&lt;a href="http://upload.wikimedia.org/wikipedia/commons/0/00/Transistor_Count_and_Moore's_Law_-_2011.svg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="179" src="http://upload.wikimedia.org/wikipedia/commons/0/00/Transistor_Count_and_Moore's_Law_-_2011.svg" width="200" /&gt;&lt;/a&gt;&lt;br /&gt;The above discussion applies to June 2011. Next year, CPUs and GPUs will be twice as fast.&lt;br /&gt;&lt;br /&gt;But it’s the &lt;i&gt;relative&lt;/i&gt; performance that matters. Next year’s $250 graphics card will likely outperform next year’s CPU by 20 times. Unless AMD or nVidia makes radical changes to their chip architectures, the next generation of the Radeon will still likely outperform the next generation of GeForce cards.&lt;br /&gt;&lt;br /&gt;Therefore, when you finally get around to buying that graphics card for password cracking, you’ll have to look on the web for password cracking benchmarks to see which card is currently giving the best price/performance ratio.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Notebook GPUs&lt;/h2&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-7Y14gKT9uyQ/TgJK2OcsLMI/AAAAAAAAAXQ/Nuf_RTVfxkg/s1600/Dell-Alienware-M18x-18.4-Inch-Gaming-Laptop.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="290" src="http://4.bp.blogspot.com/-7Y14gKT9uyQ/TgJK2OcsLMI/AAAAAAAAAXQ/Nuf_RTVfxkg/s320/Dell-Alienware-M18x-18.4-Inch-Gaming-Laptop.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;The above discussion has been about desktop computers that consume a lot of electricity. Pen-testers often don’t have that luxury -- they often only have a notebook (running something like BackTrack Linux). In that case, they want to buy a "mobile" version of the Radeon or GeForce chips. They can’t buy such chips as add-ons, but instead have to choose a notebook that has their desired chip.&lt;br /&gt;&lt;br /&gt;According to recent benchmarks, mobile Radeons are still faster than GeForces, but it’s highly variable. Notebook GPUs have an enormous range, as battery life is traded for gaming speed. Thus, one notebook with a power-hungry GeForce may be a better choice than another notebook with a battery-conserving Radeon. You’ll have to look at benchmarks, or theoretical numbers (based on clock speeds and core counts), to figure out which is best for your needs.&lt;br /&gt;&lt;br /&gt;Also note that there are three classes of laptops: the normal laptops, the low-end netbooks, and the high-end gaming laptops. Historically, only the high-end gaming laptops contained graphics processors, but now graphics processors are appearing throughout a wider range.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;High-end gaming laptops are the best choice for password cracking power. The biggest ones have graphics processors that rival desktop cards. You can buy an Alienware M18x with a Radeon mobile GPU that is faster than all but the fastest desktop GPU. It’s also 18 inches across, weighs 8 pounds, lasts only a few minutes on battery, and costs $2400.&lt;br /&gt;&lt;br /&gt;GPUs are becoming more popular in average notebook computers. Asus makes some nice, average-sized laptops with GeForce GPUs for a good price. Of particular note are the current MacBook Pros (15 inch or 17 inch), which come with a good Radeon GPU. The GPU is far slower than desktop GPUs, but of course, it doesn’t drain the battery and doesn’t jack up the price. 
My MacBook Air has a GeForce GT320M that triples password cracking speed over the built-in processor (benchmarks below).&lt;br /&gt;&lt;br /&gt;Curiously, GPUs are becoming popular for cheap "netbook" computers. That’s because the low-power central processors do not handle video well. Therefore, manufacturers are including low-power GPUs for video. Some Intel netbooks have Intel graphics, which can’t (yet) be programmed for password cracking. Some contain nVidia’s ION graphics, which is hardly faster at cracking passwords than the Atom CPU. The best choice these days is the new AMD netbooks with the C-30, C-50, and E-350 processors, which combine an x86 CPU with a Radeon GPU on the same low-power chip. A &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16834230014"&gt;$280 Asus Eee PC 1015B&lt;/a&gt; or a &lt;a href="http://www.shopping.hp.com/webapp/series/category/notebooks/dm1z_series/3/computer_store"&gt;$430 HP dm1z&lt;/a&gt; are the best netbooks for pen-testers at the moment.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;What about FirePro, Quadro, and Tesla?&lt;/h2&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-6LIyncsawAg/TgJMWegvJxI/AAAAAAAAAXU/ymZgdmbQlTA/s1600/Tesla_M2050_M2070_3qtr_low.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="243" src="http://2.bp.blogspot.com/-6LIyncsawAg/TgJMWegvJxI/AAAAAAAAAXU/ymZgdmbQlTA/s320/Tesla_M2050_M2070_3qtr_low.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Both AMD and nVidia make more expensive cards for high-end customers. These are actually the &lt;i&gt;identical&lt;/i&gt; chips in the gaming cards, but sold for 10 times the price. They would be a foolish choice for password cracking.&lt;br /&gt;&lt;br /&gt;There is a reason for the higher price. 
The companies put features into the chips for high-end customers, then disable those features for gamers. Thus, if you are a graphics artist using software to draw the next 3D movie, the version with the high-end features enabled is probably worth the price. But these features mean nothing to password cracking. Indeed, the high-end chips are slightly worse at password cracking: because high-end customers care about reliability, they run the chips at speeds slightly slower (and cooler) than for gamers.&lt;br /&gt;&lt;br /&gt;The more expensive version of the Radeon card is called "FirePro". The more expensive version of the GeForce card is called "Quadro".&lt;br /&gt;&lt;br /&gt;But, there is a third high-end version of the GeForce card called "Tesla". This is just like the "Quadro" card (all high-end features enabled) -- but it’s missing the &lt;i&gt;output&lt;/i&gt; port. You can’t connect a monitor to it. Its purpose is just GPU processing, like geological simulations to help find oil, or financial models to figure out the best stock price. Because they are missing the "display" portion, they use slightly less electrical power. People building supercomputers out of GPUs tend to choose the Tesla cards. If you rent "cloud computing" time using GPUs, they will probably be Tesla cards. I find this all a bit foolish -- GeForce or Radeon cards would be far more cost effective.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;GPUs vs. FPGA vs. 
ASIC&lt;/h2&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-gtp3JAduvUk/TgJMv42q2WI/AAAAAAAAAXY/CC7m32cqDuw/s1600/SC4_sm.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-gtp3JAduvUk/TgJMv42q2WI/AAAAAAAAAXY/CC7m32cqDuw/s1600/SC4_sm.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Rather than doing password cracking in software, it should be possible to do it faster, cheaper, and with less electrical power using &lt;i&gt;hardware&lt;/i&gt; like FPGAs or ASICs.&lt;br /&gt;&lt;br /&gt;While this works in theory, it doesn’t work so well in practice. CPUs and GPUs are so cheap because their manufacturers sell them in enormous quantity. You could design your own chip that is 100 times faster than a cheap GPU, but it would cost you 200 times as much, per chip.&lt;br /&gt;&lt;br /&gt;Some people do great things with hardware, such as &lt;a href="http://www.picocomputing.com/"&gt;Pico Computing&lt;/a&gt;, but most of the time, it’s just easier to write software for a mainstream chip and then let Moore’s Law make the chips go faster every year.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Building the ideal password cracking rig&lt;/h2&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-IEWl9KCMnQ0/TgJTJVdstRI/AAAAAAAAAXc/cGOR1nTYegs/s1600/bitcoin-mining-rig1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="213" src="http://2.bp.blogspot.com/-IEWl9KCMnQ0/TgJTJVdstRI/AAAAAAAAAXc/cGOR1nTYegs/s320/bitcoin-mining-rig1.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Let’s say that you want to build the fastest computer (for cracking) for the cheapest price. 
Such a system will be driven by the cost of the graphics cards.&lt;br /&gt;&lt;br /&gt;A relatively cheap, and simple, solution would be to buy three or four Radeon HD 6990 (as of June 2011) cards and stick them into a homebuilt computer. You’ll need a bigger power supply, a motherboard that supports four PCIe slots (spaced correctly for cards that are two slots wide), and a slightly bigger case, but all of these are relatively common. Other than that, you only need a standard CPU, memory, and boot drive -- the cheaper the better (the less you spend on these, the more you can spend on more graphics cards).&lt;br /&gt;&lt;br /&gt;This solution is probably best for pen-testers. Our time costs money. It doesn’t take long to assemble.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-80dE3jpLim8/TgJUUh9HCqI/AAAAAAAAAXg/j6kBoeHKOQs/s1600/bitcoin-rig-234x300.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-80dE3jpLim8/TgJUUh9HCqI/AAAAAAAAAXg/j6kBoeHKOQs/s1600/bitcoin-rig-234x300.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;But for hobbyists who enjoy messing around with hardware, the economics are a bit different. They might want to get fancy, for example, building a custom case using &lt;a href="http://cablesaurus.com/"&gt;PCIe extender cables&lt;/a&gt; or even a &lt;a href="http://www.amfeltec.com/products/x4pcie-splitter4.php"&gt;PCIe splitter&lt;/a&gt; to fit 32 cards in a system. You only need PCIe 1x speed for password cracking, not the full PCIe 16x speed that’s used for gaming.&lt;br /&gt;&lt;br /&gt;Regardless of the system you build, you probably need to worry about cooling. Such systems are going to produce a lot of heat. Moreover, you need to worry about where your cool air comes from, and where the hot air is going. 
It’s going to be an annoyance whether you are in a data center, in a lab, or installing it at home.&lt;br /&gt;&lt;br /&gt;All this cooling will cause a lot of noise (unless you are in a data center). Hobbyists buy expensive components that cut down on the noise, like water cooling systems. I stick my computer in a closet that happens to have an air conditioning duct. In labs or at home, you may find yourself playing with ducts to get the cooling right and the noise reduced.&lt;br /&gt;&lt;br /&gt;Windows, using commercial software like that from Elcomsoft, takes the least effort to set up and run, but Linux using free software gives you more control over what’s going on. For example, some people (such as Bitcoin miners) have reported that Windows can’t recognize more than 4 cards, whereas Linux has no problem. There is also the issue of systems only being able to use cards connected to monitors -- which requires either that a monitor be plugged into each card, or that a "&lt;a href="http://forums.bit-tech.net/showthread.php?t=167450"&gt;dummy plug&lt;/a&gt;" be used to make the card think there is a monitor installed.&lt;br /&gt;&lt;br /&gt;But, the thing to keep in mind is &lt;i&gt;decreasing marginal returns&lt;/i&gt;. Buying a $250 Radeon card will increase cracking speeds by 20 times. Buying a second $250 Radeon card will only double the previous card’s speed. A single desktop with four Radeon HD 6990s for $3000 will increase cracking speed by 160 times. 
Buying a second such system, for another $3000, will only double your cracking speed after that.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Overclocking&lt;/h2&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-p6RGpMr2CgU/TgJU0gBMUnI/AAAAAAAAAXo/BMoNyIjO2Us/s1600/ati-overdrive.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="307" src="http://4.bp.blogspot.com/-p6RGpMr2CgU/TgJU0gBMUnI/AAAAAAAAAXo/BMoNyIjO2Us/s320/ati-overdrive.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;Hobbyists spend a lot of time trying to overclock their systems. If they work hard enough at it, they can get an extra 20% performance increase.&lt;br /&gt;&lt;br /&gt;The trick for password cracking is to increase the speed of the GPU, but at the same time, &lt;i&gt;decrease&lt;/i&gt; the speed of memory. Unlike graphics, GPU cracking doesn’t use the memory. By lowering the memory speed, you lower power consumption, and lower the amount of heat generated. That power/heat budget can then be used to increase the speed of the GPU calculations.&lt;br /&gt;&lt;br /&gt;Radeons come with an overclocking application on Windows, but it doesn’t allow you to change much. This utility will only let you overclock by 10%, and won’t let you underclock the memory.&lt;br /&gt;&lt;br /&gt;A graphics card vendor named MSI has its own Radeon overclocking utility "Afterburner" that you can use for all Radeon cards, not just those sold by MSI: &lt;a href="http://event.msi.com/vga/afterburner/download.htm"&gt;http://event.msi.com/vga/afterburner/download.htm&lt;/a&gt;. This will allow you to overclock the chip more, as well as underclock the memory.&lt;br /&gt;&lt;br /&gt;If you are overclocking the card, it may cause your system to crash. 
If that happens, you may need to increase the voltage sent to the card.&lt;br /&gt;&lt;br /&gt;If overclocking, and if you have increased voltage, your card will produce a lot more heat. You’ll probably have to adjust the fan speed to compensate, to lower temperatures back down to reasonable levels. You probably do not want to run your card above 80 degrees Celsius. On the other hand, fans aren’t designed to run at high speed for extended periods -- the more you jack up fan speed, the more likely it is for the fan to fail. If your card is running below 68 degrees Celsius, you might want to consider lowering the fan speed.&lt;br /&gt;&lt;br /&gt;Overclocking, higher voltage, and higher temperatures will decrease the lifetime of the graphics chip before it fails. You probably don’t care: two years from now, when your overclocking madness causes the chip to fail, you’ll be upgrading to the latest GPU anyway.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;The economics of cracking&lt;/h2&gt;&lt;br /&gt;Putting a single $250 Radeon card in your desktop for password cracking makes sense. Building multiple cracking rigs for massive number crunching probably doesn’t. The reason is that password cracking is an exponential effort.&lt;br /&gt;&lt;br /&gt;Consider passwords chosen from an alphabet of UPPER and lower case, numbers, and $ymbols. That’s roughly 100 different characters. That means every character we add to a password increases the difficulty of cracking by 100 times.&lt;br /&gt;&lt;br /&gt;Let’s say you can crack all 8 character passwords within a day. It would then take you 100 days to crack a 9 character password and 27 years to crack a 10 character password. 
We can graph this effort on the following picture:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-7MwMdlW5nc8/TgKUqjs3ipI/AAAAAAAAAX8/80Fr4_RI85A/s1600/chart_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-7MwMdlW5nc8/TgKUqjs3ipI/AAAAAAAAAX8/80Fr4_RI85A/s1600/chart_1.png" /&gt;&lt;/a&gt;&lt;/div&gt;As you can see, it's a bit nonsensical. Below 9 characters, it's nearly zero effort to crack passwords. Above 9 characters, the line shoots almost straight upwards. Only around 9 characters do we see a line that isn't nearly-zero or nearly-infinite.&lt;br /&gt;&lt;br /&gt;That means there are three classes of passwords: those we can crack easily with a desktop computer (8 characters or fewer), those we cannot crack at all (10 characters or more), and those we can crack more of if we purchase more expensive computers (9 character passwords).&lt;br /&gt;&lt;br /&gt;There are &lt;i&gt;decreasing marginal returns&lt;/i&gt; to buying GPUs. Buying a single card increases cracking speed by 20 times. Buying a second GPU will only &lt;i&gt;additionally&lt;/i&gt; increase speed by 2 times.&lt;br /&gt;&lt;br /&gt;Buying a $3000 rig can increase cracking speed by 160 times. Buying a second $3000 rig will only increase cracking speed by an additional 2 times. All people have to do is add another character to the length of their password, increasing its complexity by 100 times, and defeating your investment.&lt;br /&gt;&lt;br /&gt;On the other hand, there is the fact that your competitors have the same idea in mind. Let’s say that you go in and pen-test a company that hired a different pentesting firm last year. That other firm found passwords and cracked all the weak ones. You find the same password list. 
If you crack fewer passwords, you look like a poorer pentester than the previous firm. If you can crack a few more, you look like a better pentester.&lt;br /&gt;&lt;br /&gt;The same is true of hackers. You can assume the target company has already fixed all its weak passwords -- but where "weakness" is defined as "crackable by one GPU". If you come in with two GPUs, you’ll find a few more passwords.&lt;br /&gt;&lt;br /&gt;This is of particular interest to Bitcoin miners, where it’s essentially a race against other miners to find the latest hash. Whereas twice the computing power does not equal twice the number of passwords cracked, twice the power does mean twice the earning power for Bitcoins.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Bitcoin mining benchmarks&lt;/h2&gt;&lt;br /&gt;Password cracking and Bitcoin mining are essentially the same thing. You can therefore leverage their work in figuring out what hardware you want for cracking.&lt;br /&gt;&lt;br /&gt;A good reference is the list of hardware at &lt;a href="https://en.bitcoin.it/wiki/Mining_hardware_comparison"&gt;https://en.bitcoin.it/wiki/Mining_hardware_comparison&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I’ve selected a few of the numbers from the link above, as well as benchmarked my own computers.&lt;br /&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;MH/s&lt;/th&gt;&lt;th&gt;Hardware&lt;/th&gt;&lt;th&gt;Notes&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;0.2&lt;/td&gt;&lt;td&gt;ARM Cortex-A8&lt;/td&gt;&lt;td&gt;CPU in my iPhone&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;0.6&lt;/td&gt;&lt;td&gt;ARM Cortex-A9 dual&lt;/td&gt;&lt;td&gt;CPU in my iPad&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;1.1&lt;/td&gt;&lt;td&gt;Intel Atom N270&lt;/td&gt;&lt;td&gt;My pen-testing netbook CPU&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;1.8&lt;/td&gt;&lt;td&gt;nVidia ION&lt;/td&gt;&lt;td&gt;A common netbook GPU for Atom CPUs&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td 
align="right"&gt;2.5&lt;/td&gt;&lt;td&gt;Core 2 Duo 2.13 GHz&lt;/td&gt;&lt;td&gt;My MacBook Air CPU&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;6.1&lt;/td&gt;&lt;td&gt;nVidia GT 320M&lt;/td&gt;&lt;td&gt;My MacBook Air GPU&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;6.2&lt;/td&gt;&lt;td&gt;AMD C-30&lt;/td&gt;&lt;td&gt;Asus &lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16834230014"&gt;$280&lt;/a&gt; netbook with GPU/CPU combo&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;11.0&lt;/td&gt;&lt;td&gt;AMD E-350&lt;/td&gt;&lt;td&gt;HP dm1z &lt;a href="http://www.shopping.hp.com/webapp/series/category/notebooks/dm1z_series/3/computer_store"&gt;$450&lt;/a&gt; netbook with GPU/CPU combo&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;17.0&lt;/td&gt;&lt;td&gt;Radeon HD 6490M&lt;/td&gt;&lt;td&gt;2011 MacBook Pro&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;19.2&lt;/td&gt;&lt;td&gt;Core i7 980x&lt;/td&gt;&lt;td&gt;My desktop, 6-core 3.3 GHz, hyperthreaded, top-of-the-line CPU&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;21.0&lt;/td&gt;&lt;td&gt;PS3&lt;/td&gt;&lt;td&gt;Playstation 3 using the Cell GPU&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;100.0&lt;/td&gt;&lt;td&gt;Tesla M2050&lt;/td&gt;&lt;td&gt;Amazon EC2 cloud computer w/ Tesla card&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;300.0&lt;/td&gt;&lt;td&gt;Radeon HD 5830&lt;/td&gt;&lt;td&gt;$109 card popular with miners -- if you can find one&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;314.0&lt;/td&gt;&lt;td&gt;Radeon HD 6950&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16814102921&amp;amp;cm_re=6950-_-14-102-921-_-Product"&gt;$240 @Newegg&lt;/a&gt; and probably what you should buy&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td align="right"&gt;358.0&lt;/td&gt;&lt;td&gt;Radeon HD 6970&lt;/td&gt;&lt;td&gt;My desktop's graphics card, cost $330&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td 
align="right"&gt;800.0&lt;/td&gt;&lt;td&gt;Radeon HD 6990&lt;/td&gt;&lt;td&gt;Fastest single card, overclocked, roughly $740, with two GPUs&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-TqzfIpkbkN0/TgKWiujIXLI/AAAAAAAAAYA/GsMp7Xkc3EI/s1600/chart_1+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-TqzfIpkbkN0/TgKWiujIXLI/AAAAAAAAAYA/GsMp7Xkc3EI/s1600/chart_1+%25281%2529.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;SSE&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;SSE is the name for GPU-like instructions that are part of the CPU. They operate on 4 numbers at a time, and therefore, are 4 times faster than normal instructions for repetitive tasks.&lt;br /&gt;&lt;br /&gt;Modern processors, like the Intel Atom, Core2, and Core i3/i5/i7, as well as AMD Athlon/Phenom/etc. processors, all can execute two SSE integer instructions per clock cycle. That means pretty much that you just need to look at MHz in order to figure out which processor will crack passwords faster.&lt;br /&gt;&lt;br /&gt;This also applies to Intel’s energy efficient Atom processor. While the Atom is notorious for being slower on most tasks, it’s just as fast, per-core and per-MHz, as the other processors. Thus, a 1.6 GHz Atom will perform the same as a 1.6 GHz Core2 or 1.6 GHz AMD processor at password cracking -- but at about half the power. 
In addition, the GeForce-based ION graphics chip designed to go with the Atom hardly accelerates password cracking.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;MacBook Air&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-v3Z1d_STUeI/TgJVo99G1uI/AAAAAAAAAXs/D-gfRSVIN2c/s1600/131583-mbair_large.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="82" src="http://3.bp.blogspot.com/-v3Z1d_STUeI/TgJVo99G1uI/AAAAAAAAAXs/D-gfRSVIN2c/s200/131583-mbair_large.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Whereas I use netbooks for pen-testing, I use a MacBook Air for everything else (programming, writing blog posts). I’m not a fan of Apple’s operating system; I usually run Windows or Linux on it.&lt;br /&gt;&lt;br /&gt;My MacBook is faster at password cracking than the older netbooks, but is quite a bit behind the latest Radeon-based netbooks. My next pen-testing netbook is likely going to be the HP dm1z. &lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;HP dm1z&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-N4Tg_tDtLz8/TgJV3ZsnrkI/AAAAAAAAAXw/T9CIKfO7c-Q/s1600/hp_paviliondm1_sm.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="153" src="http://1.bp.blogspot.com/-N4Tg_tDtLz8/TgJV3ZsnrkI/AAAAAAAAAXw/T9CIKfO7c-Q/s200/hp_paviliondm1_sm.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;At $429, this is expensive for a "netbook", but it has 4 features that make it stand out.&lt;br /&gt;&lt;br /&gt;1. It has the GPU/CPU combo from AMD. Not only is its CPU faster (dual core), but its GPU is a lot faster.&lt;br /&gt;2. It comes with 3-gigs of RAM, expandable to 8-gigs. Most "netbooks" come with 1-gig, expandable to 2-gigs.&lt;br /&gt;3. 
It comes with Gigabit Ethernet, whereas other "netbooks" come with only 100 Mbps Ethernet.&lt;br /&gt;4. HP claims 9.5 hour battery life, which is at the top end of the range for "netbooks".&lt;br /&gt;&lt;br /&gt;Thus, while I’m tempted by its cheaper cousin the $279 Asus, I’ve ordered the dm1z to take to DefCon. I’ll be blogging successes/failures with it in a few days.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;MacBook Pro&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-iO-KMxryEI0/TgJWKV2rKJI/AAAAAAAAAX0/R31Z7rpg54U/s1600/macbook_pro_2011_13_ports.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="150" src="http://2.bp.blogspot.com/-iO-KMxryEI0/TgJWKV2rKJI/AAAAAAAAAX0/R31Z7rpg54U/s200/macbook_pro_2011_13_ports.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;The 15-inch MacBook Pro is probably going to be the notebook of choice for a lot of hackers, and probably has the best password cracking speed of anything short of a specialized gaming notebook.&lt;br /&gt;&lt;br /&gt;Currently, there are some quirks with Mac OS X bitcoin mining software, compared to Windows or Linux. It should be getting as much as twice the benchmarks posted above.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Radeon HD 6950&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;If you do password cracking, you should get one, maybe two, of these cards and stick them in your existing desktop computer. They give the greatest bang-for-the-buck right now. An older Radeon HD 5830 is probably better bang-for-the-buck at half the price, but all the Bitcoin miners have snapped them up, so you can’t find any.&lt;br /&gt;&lt;br /&gt;The 6950 is slightly slower than the 6970, but at 66% of the price. The fastest single card, the 6990, combines two 6950 GPU chips on a single card but at three times the price. 
&lt;br /&gt;&lt;br /&gt;Six months from now (June 2011) the situation will have changed, but in all probability, a $250 card will still provide the best bang for the buck.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Tesla&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-6LIyncsawAg/TgJMWegvJxI/AAAAAAAAAXU/ymZgdmbQlTA/s1600/Tesla_M2050_M2070_3qtr_low.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="151" src="http://2.bp.blogspot.com/-6LIyncsawAg/TgJMWegvJxI/AAAAAAAAAXU/ymZgdmbQlTA/s200/Tesla_M2050_M2070_3qtr_low.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;As the benchmarks show, the Tesla card is 10 times the price, but 1/3 the performance, of a Radeon HD 6950 card. That’s a 30x price-performance difference.&lt;br /&gt;&lt;br /&gt;The economics don’t get any better using a Tesla in Amazon’s EC2 instances. You can currently make money mining bitcoins using Radeon cards, but you’d lose a lot of money trying to mine bitcoins on Amazon.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h2&gt;&lt;br /&gt;&lt;/h2&gt;&lt;h2&gt;Password cracking vs. power consumption&lt;/h2&gt;The section above focused on capital costs, comparing graphics cards by their price performance. If you only run them occasionally to crack passwords, this is the most meaningful comparison. However, if you run them 24 hours a day, 365 days a year, then you’ll be more concerned by how much electricity they use. &lt;br /&gt;&lt;br /&gt;A high-performance graphics card uses around 200 watts by itself (not counting the rest of the computer). The average price for electricity in the United States is 11 cents per kilowatt-hour. Therefore, running that card for a year will cost &lt;b&gt;$192.72&lt;/b&gt;.  Of course, you need a system to stick that into. 
You might consider something like a computer based on an Intel Atom processor that only consumes 10 watts by itself. Modern processors, like a low-powered Nehalem, are also good at running at lower power. But, most desktops run at around 100 watts of power while doing password cracking.&lt;br /&gt;&lt;br /&gt;Usually, the card that wins on price/performance also wins at electrical power usage. The Radeon HD 6950 mentioned above turns out to be at the top in terms of passwords cracked per watt.  &lt;br /&gt;&lt;br /&gt;But there are other things to consider. Some states, notably California, punish people who use too much electricity. In some cities, using more than 400 kilowatt-hours per month kicks you up to the next bracket, where electricity could cost 20 cents, 30 cents, or even more per kilowatt-hour. You may find it cheaper buying a generator than buying electricity from the grid.&lt;br /&gt;&lt;br /&gt;Or, being that it’s California, you can get a heavily subsidized solar power generating unit for pretty cheap. You can hook it up to power your computer while the sun shines, and either turn off your computer at night or run it from the grid.  Some places now have “smart grids” that monitor electricity on a minute-by-minute basis rather than a monthly basis, and will charge you different amounts depending on the time of day. The price for electricity at night can be half of what it is during the peak hours of the day. You might configure your computer to run cracking software only at night, and to go to sleep during the day.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;Industrial electricity costs less than residential. A lot of cities have “hacker collectives” where people get together and rent industrial space, for typical non-criminal hacker activities like building robots or taking apart iPhones. 
They can supply the cheaper industrial rates for electricity for your password cracking or bitcoin mining needs.&lt;br /&gt;&lt;br /&gt;Or you can move to a cheaper state. Here is a good reference for &lt;a href="http://www.eia.gov/cneaf/electricity/epm/table5_6_a.html"&gt;electricity prices&lt;/a&gt; by state.   &lt;br /&gt;&lt;h2&gt;&lt;br /&gt;&lt;/h2&gt;&lt;h2&gt;What you crack&lt;/h2&gt;I thought I’d list the common things that hackers find themselves needing to crack. It’s not really relevant to GPUs, but I thought I’d mention it for completeness.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Bitcoin mining:&lt;/b&gt;  A fixed number of new bitcoins are generated per day, and it’s a race to find the matching hash before anybody else does. The winner gets the bitcoins. It uses SHA256, which is exactly like SHA256 passwords.  There is a lot of free Bitcoin mining software on the Bitcoin forums.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-zyEeflBiqvg/TgJWiBIkGvI/AAAAAAAAAX4/vyLlHtKRR8k/s1600/ewsa.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="188" src="http://2.bp.blogspot.com/-zyEeflBiqvg/TgJWiBIkGvI/AAAAAAAAAX4/vyLlHtKRR8k/s320/ewsa.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;WPA passwords:&amp;nbsp;&lt;/b&gt;Home users, and many businesses, use WPA, which is protected by only a simple password. In order to make it more difficult, the WPA standard requires a minimum of 8 characters, and rather than protect it by hashing the password once, it re-hashes it 4000 times -- making the computational difficulty around that of a 10-character password.  
Ten letters in a password is probably beyond the ability for "brute-force" cracking, which tries all combinations, unless you make certain assumptions, such as assuming the person used only lower-case and numbers (which is a valid assumption for most passwords). Most cracking is therefore done using a dictionary of known passwords, followed by "mutations" (such as adding a 4-digit number onto the end).  Because the password is "salted" with the SSID, you can’t use rainbow tables to get the hash.  There is a lot of good software for doing this. I’ve used the free software "pyrit" and the commercial package from "Elcomsoft" in the past. The graph above of relative WPA cracking speeds is for the Elcomsoft package using last year's cards.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;NTLM challenge-response:&lt;/b&gt;  Windows passwords aren’t "salted", which means it’s easier to crack them with Rainbow tables than to brute-force them.  However, you often see "challenge-response" exchanges on the wire. These require cracking in order to break. You see these with Windows-specific protocols like SMB and MS-RPC. In addition, you’ll see these as an optional authentication on other protocols, such as LEAP authentication for WiFi, or NTLMv2 inside e-mail and HTTP headers.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Salted passwords on a hacked server:&lt;/b&gt;  When a hacker (or pen-tester) breaks into a server, they will grab the password file or database.  Stupid sysadmins either have the passwords in cleartext (no cracking needed) or in simple MD5 hashes (cracked with Rainbow tables). Smart sysadmins "salt" the passwords, which requires cracking.  Software: &lt;a href="http://hashcat.net/oclhashcat/"&gt;oclHashcat&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Documents:&lt;/b&gt;  PDF, ZIP, RAR, and Word/Excel files are often encrypted. Such files might contain secrets useful for a hacker. Reportedly, Wikileaks had to decrypt an encrypted ZIP file containing the famous "Collateral Murder" video from Iraq.  
Cracking password-protected documents is the most common feature of commercial software, since home users and businesses need it when they forget their password. There are lots of companies that sell GPU accelerated software for this, such as Elcomsoft.  &lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;Buying a $250 GPU that increases password cracking speed 20 times is a no-brainer. Buying a notebook computer with a GPU is probably a wise idea for pen-testers.&lt;br /&gt;&lt;br /&gt;But passwords are a little strange. They grow exponentially in complexity, which means you get decreasing marginal returns from buying more hardware. Thus, while buying a graphics card (or maybe two) is cost effective, massive investments in hardware are unlikely to crack that many additional passwords. &lt;br /&gt;&lt;br /&gt;Of course, if you are Bitcoin mining, then the more GPUs the better. Even after recent wild fluctuations in bitcoin prices, it’s still profitable at the moment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-571614309948988606?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/571614309948988606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=571614309948988606' title='21 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/571614309948988606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/571614309948988606'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/06/password-cracking-mining-and-gpus.html' title='Password cracking, mining, and GPUs'/><author><name>Robert 
Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-I-YGgVZW5YY/TgJKEaGWFFI/AAAAAAAAAXM/7DPYa6zeurE/s72-c/radeon+hd+6950.jpg' height='72' width='72'/><thr:total>21</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7838275608279350554</id><published>2011-06-01T14:10:00.030-05:00</published><updated>2011-06-02T13:24:35.823-05:00</updated><title type='text'>A Weiner Schnitzel</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-3G0ImOuybTw/TeaNXi-UELI/AAAAAAAAAW0/GZkgpkSCFNk/s1600/Anthonyweiner.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-3G0ImOuybTw/TeaNXi-UELI/AAAAAAAAAW0/GZkgpkSCFNk/s200/Anthonyweiner.jpg" width="163" /&gt;&lt;/a&gt;&lt;/div&gt;Congressional member and famous &lt;a href="http://www.thedailybeast.com/blogs-and-stories/2011-05-31/anthony-weiner-twitter-hack-and-his-playboy-past?cid=bsa:relatedstories2:3"&gt;womanizer&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Anthony_Weiner"&gt;Anthony Weiner&lt;/a&gt; was caught sexting a picture of his penis to a coed via Twitter. He claims it was a prankster who did it, by hacking his account. Indeed, the guy who broke the story, @PatriotUSA76, has also been Twitter-stalking the congressman for the last month.  What’s the likely truth?&lt;br /&gt;&lt;br /&gt;It’s impossible to say. 
Celebrities famous for their womanizing are frequently caught &lt;a href="http://www.nydailynews.com/sports/football/2010/10/09/2010-10-09_sunday_morning_qb_nfl_needs_to_suspend_brett_favre_if_they_can_prove_inappropria.html?r=sports"&gt;sexting&lt;/a&gt; pictures. At the same time, hackers frequently break into celebrity accounts and cause mischief. The back-story (the womanizing, the stalking) supports either conclusion equally.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The people who know are Twitter&lt;/b&gt; (and the FBI, if they can convince Twitter to divulge the data). If the sexted tweets had the same IP address and application ID as his normal tweets, then it’s likely the congressman is guilty. If they are different, then the congressman is likely the victim of a prank.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://biggovernment.com/publius/2011/05/28/weinergate-congressman-claims-facebook-hacked-as-lewd-photo-hits-twitter/"&gt;website that broke the story&lt;/a&gt; stressed the fact that the congressman’s account is “verified”, implying that this verifies that all tweets come from him and not from a hacker. This is an incorrect interpretation. What Twitter “verifies” is that it was congressman Weiner who created the account. Anybody can lie, and pretend to be a celebrity -- the verification process verifies that the account actually belongs to the celebrity in question. But it says nothing about whether a hacker has broken into the account and spoofed tweets.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If it was a hack, how would that work? Well, that depends upon exactly what was hacked. It could have been his “password”, his “account”, his “connection”, his “computer”, or Twitter’s “servers”. I describe how each might be hacked below:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Hacking the password&lt;/h2&gt;&lt;br /&gt;The most common hack is simply stealing a person’s password. The hacker does something like sending a convincing e-mail to the person asking for the password. 
Those who are unskilled with computers, or simply unwary, can easily be tricked into divulging their password.&lt;br /&gt;&lt;br /&gt;With the password, the hacker can then log on just like the victim, at the same time, from another computer. Twitter can easily detect this in their logs, because the offending tweet will come from a different Internet address.&lt;br /&gt;&lt;br /&gt;On the other hand, when hackers do this, they typically change the old password, locking the owner out of his own account. In order to get the account back, the owner has to call Twitter, prove to them that he owns the account, and have them reset the password.&lt;br /&gt;&lt;br /&gt;In the Weiner case, the password wasn’t reset, suggesting the hacker didn’t have the password.&lt;br /&gt;&lt;br /&gt;If this was the problem, Weiner can fix it by simply changing his password.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Hacking the account&lt;/h2&gt;&lt;br /&gt;Twitter allows other applications to access your Twitter account. It uses a technique whereby the application gets access, but does not use your password. 
When this happens, the account holder is given a prompt like the one pictured below:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-ieBUPNjJg2E/TZnCGU8DAWI/AAAAAAAAAV4/Nagd4a3NmjE/s1600/profilespy2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="292" src="http://3.bp.blogspot.com/-ieBUPNjJg2E/TZnCGU8DAWI/AAAAAAAAAV4/Nagd4a3NmjE/s320/profilespy2.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Hackers trick people into granting access to their account using the same tricks they use to get passwords disclosed; this catches the wary who would otherwise not disclose their password.&lt;br /&gt;&lt;br /&gt;If this happened, Twitter would see that the offending tweet came from a different Internet address, and that it had been authenticated through this mechanism.&lt;br /&gt;&lt;br /&gt;Weiner can fix this by going into his “profile”, listing everything that he has “authorized” to have access to his account, and “deauthorizing” everything.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Hacking the connection&lt;/h2&gt;&lt;br /&gt;A common WiFi hacking trick these days is hijacking somebody’s Twitter connection.  A hacker can sit next to their victim at Starbucks, or the airport. When they log onto Twitter, the hacker invisibly shares that session.&lt;br /&gt;&lt;br /&gt;The hacker doesn’t discover the password, nor can the hacker change the password. But, the hacker can post tweets.&lt;br /&gt;&lt;br /&gt;Several celebrities have fallen victim to this technique recently.&lt;br /&gt;&lt;br /&gt;When this happens, Twitter will see that the offending tweet comes from the same Internet address (that of the WiFi hotspot) as the normal tweets. 
However, they will probably appear to come from a different application, such as a different browser version.&lt;br /&gt;&lt;br /&gt;A truly malicious hacker could attempt to replicate the connection entirely, and make the evidence (in Twitter’s logs) identical, but that would take extra effort a hacker is unlikely to bother with.&lt;br /&gt;&lt;br /&gt;But, if the hacker and the victim both used MacBooks, which tend to have little variation from laptop to laptop, there is a greater likelihood that the application versions are the same by accident.&lt;br /&gt;&lt;br /&gt;Weiner can prevent this from happening again by going into his Twitter profile and turning on “SSL” encryption. He would also have to pay attention, and not proceed with a login if there were any SSL errors (most people proceed anyway, allowing hackers to hijack their connections).&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Hacking the computer&lt;/h2&gt;&lt;br /&gt;Hackers spend a lot of time breaking into desktops and laptops, usually by “drive by exploits”. They either trick you into running a “virus” program, or they take advantage of a bug in the software (the browser, or Adobe Flash and Acrobat) to plant a virus on your machine. They can then remotely control that virus.&lt;br /&gt;&lt;br /&gt;The problem with “drive by exploits” is that the hacker doesn’t know who he’s broken into. What hackers usually do is just include the computer in a “botnet” that remotely controls thousands of machines to send spam. They don’t care who owns the computer, nor do they (typically) do things like send tweets.&lt;br /&gt;&lt;br /&gt;However, hackers frequently install “keyloggers” as part of their viruses. Keyloggers can capture the password as a user types it in, which could then be used as described above.&lt;br /&gt;&lt;br /&gt;A hacker who controls a computer can do anything that the owner can do, including moving the mouse, clicking on the web browser, and typing in a tweet. 
To Twitter, it would appear identical to the real user, because as far as anybody can tell, it is the real user in control of his machine. However, in this case, the offending tweet happened at roughly the same time as other tweets from the congressman: it is likely he would have noticed the mouse moving and things happening at that time.&lt;br /&gt;&lt;br /&gt;The solution to this threat is to make sure the browser and the Adobe Flash and Acrobat Reader applications automatically update to the latest versions. In addition, if using Windows, I would recommend upgrading to the latest version (Windows 7) and using any browser other than Internet Explorer.&lt;br /&gt;&lt;br /&gt;By the way, something that also happens is simply that people leave their computers unattended. Somebody else in the office could have walked up to the computer, noticed an open Twitter connection, and pranked the congressman. At my old office, we would call this "baggy pantsing" somebody. You should always set your computer to go to screensaver/login after a few minutes, and when you get up from your computer, hit &amp;lt;command-l&amp;gt;, which pops up the login screen to resume the session.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Hacking the server&lt;/h2&gt;&lt;br /&gt;It’s also possible that Twitter’s servers themselves were hacked. Similar things have happened recently, such as the famous cases of the Sony PlayStation and Gawker servers being hacked. In this case, all the evidence of the tweet could be whatever the hacker wanted it to be.&lt;br /&gt;&lt;br /&gt;However, it’s unlikely that a hacker who had successfully hacked his way in would be satisfied with forging a single tweet. 
It is more likely that the hacker would have downloaded the entire database of passwords and e-mail accounts, and used those for spam and further hacking.&lt;br /&gt;&lt;br /&gt;A similar scenario is that the hacker broke into somebody else's servers. The congressman may have used the same password for his Gawker or PlayStation account (assuming he had one), which would allow the hackers who stole those passwords to get into his Twitter account.&lt;br /&gt;&lt;br /&gt;The best way to protect against this threat is, for important accounts, to never reuse passwords. The password you use for Twitter should be used for nothing other than Twitter. The password you use for your e-mail should be used for nothing other than that one e-mail account.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;It is impossible for us to conclude that the Congressman did, or did not, send the tweets. But Twitter has the evidence. The FBI is unlikely to open a case for this, because the financial impact is less than $15,000, so they aren’t going to get the evidence out of Twitter.&lt;br /&gt;&lt;br /&gt;Assuming it was a hack, I would guess the most likely scenario is that the hacker got his password somehow. My second guess would be that the hacker hijacked his connection.&lt;br /&gt;&lt;br /&gt;The fact that the account was “verified” as belonging to Congressman Weiner has nothing to do with whether it was hacked.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;h2&gt;Other evidence&lt;/h2&gt;&lt;br /&gt;There are a lot of funny things in this case. For example, the congressman has said that he can't confirm the picture is &lt;i&gt;not&lt;/i&gt; of him: maybe it is, maybe it isn't. The coed says she's never had an inappropriate conversation with the congressman. 
The most obvious question would be "...but has she had &lt;i&gt;any&lt;/i&gt; conversation with him" (and the answer is "yes", they exchanged tweets, but nothing salacious, just about his appearance on a TV show in that area).&lt;br /&gt;&lt;br /&gt;This sort of stuff looks bad for the congressman, but here's the thing: hacker attacks are usually &lt;i&gt;à propos&lt;/i&gt;. If a hacker broke into his computer, found pictures of him, and a conversation with a coed, the most logical prank would be to sext the picture to the coed.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;h2&gt;Law Enforcement&lt;/h2&gt;&lt;br /&gt;CNN asks (but does not answer): why hasn't Weiner gotten the FBI involved?&lt;br /&gt;&lt;br /&gt;One answer, of course, is that if he's guilty, he can't. Lies like "it wasn't me, but a hacker" and "the photo isn't of me" would be felony obstruction of justice. He knows this, and would keep far away from the FBI.&lt;br /&gt;&lt;br /&gt;Another plausible answer is that he's guilty of something else, such as having an affair. This sort of thing would come out in an FBI investigation. This theory could explain why he refuses to deny the photo is of him -- yes, he could be hacked, but on the other hand, that photo is really of him sent to another woman, and he can't lie about it because of the obstruction of justice problem mentioned above. Remember that Scooter Libby was found guilty of obstruction of justice in the Valerie Plame affair, even though he was innocent of the crime for which he was accused.&lt;br /&gt;&lt;br /&gt;Yet another reason is that he's innocent, and understands the difference between his computer being hacked, and his personal Twitter account. He has consistently described the incident as a "prank" and an "account hack"; he's never described it as a "computer" hack. He worked on a recent cybersecurity bill, so he might understand the difference. When a congressman's computer gets hacked, that's important enough for the FBI to look into. 
When a personal Twitter account gets hacked because somebody chose a guessable password, that really isn't worthwhile investigating.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;h2&gt;Is the image a hoax?&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-brQwWM-nQM8/TecfCUxe_nI/AAAAAAAAAW4/r885yM1plLM/s1600/5m3lu.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="150" src="http://4.bp.blogspot.com/-brQwWM-nQM8/TecfCUxe_nI/AAAAAAAAAW4/r885yM1plLM/s200/5m3lu.jpg" width="200" /&gt;&lt;/a&gt;&lt;br /&gt;The DailyKos claims they have proof that the photograph itself, and the content on BigGovernment.com, is a &lt;a href="http://www.dailykos.com/story/2011/05/30/980495/-CNN-Spreads-Latest-Breitbart-Smear"&gt;hoax&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;That's nonsense. Weiner admits that the event happened.&lt;br /&gt;&lt;br /&gt;Second of all, it's a typical conspiracy theory that asks questions, but provides no answers, implying that the only explanation is a conspiracy. For example, it points out that while the hidden EXIF information in the photograph shows it came from Weiner's Blackberry Bold mobile phone, the phone doesn't take pictures of the size posted to YFrog, 800x600. There's a reason for that: when you transfer a picture off a Blackberry, you are given the option to send the full size image, or a smaller size, such as 800x600. While the EXIF info doesn't match a full size photograph, it corresponds exactly to the shrunk size that people typically use to transfer from their phones. 
The point is: it's the sort of detail conspiracy theorists want to believe in, but not one rational people would consider.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-wkfwcrFnwHM/Tecg7nH9d4I/AAAAAAAAAW8/uR4-fnQoeRw/s1600/2211721_enhanced.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="150" src="http://1.bp.blogspot.com/-wkfwcrFnwHM/Tecg7nH9d4I/AAAAAAAAAW8/uR4-fnQoeRw/s200/2211721_enhanced.jpeg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Thirdly, if you wanted to investigate the authenticity of the photo, such as whether things were photoshopped to look bigger, there are lots of good ways of doing it. Dr. Neal Krawetz has a blog, &lt;a href="http://www.hackerfactor.com/blog/"&gt;http://www.hackerfactor.com/blog/&lt;/a&gt; where he does this sort of analysis. It's fascinating. To the right, I show an example of this called "&lt;a href="http://errorlevelanalysis.com/permalink/2211721/"&gt;error level analysis&lt;/a&gt;". If this image had been photoshopped, we'd see the manipulated parts stand out from the random data. However, if this image had been resized, or resaved at a different compression level, the error level analysis would be completely destroyed, so the lack of results we see here doesn't prove it wasn't photoshopped. Since sites like Yfrog reprocess pictures, the fact that it's been resaved, destroying the error level information, isn't surprising.&lt;br /&gt;&lt;br /&gt;Another useful tool is &lt;a href="http://www.impulseadventure.com/photo/jpeg-snoop.html"&gt;JPEGsnoop&lt;/a&gt;. It can possibly fingerprint which software saved the image last, such as which camera took the picture, or which Photoshop version was used to manipulate the picture. 
Unfortunately, it has the fingerprint of the &lt;a href="http://www.ijg.org/"&gt;IJG&lt;/a&gt; software -- the most popular JPEG compression code, used in lots of products. The iPhone uses that library, and produces that signature when saving files. Looking around on the web, so does the Blackberry (which is identified in the EXIF data). It's a good program to compare the raw JPEG information with other 800x600 sized photos taken from Blackberries.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;h2&gt;Updates&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;Update: If I had to bet money, I'd probably bet on "guilty" rather than "pranked". But I wouldn't give better odds than 50%/50%.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-7838275608279350554?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7838275608279350554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7838275608279350554' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7838275608279350554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7838275608279350554'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/06/u.html' title='A Weiner Schnitzel'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/-3G0ImOuybTw/TeaNXi-UELI/AAAAAAAAAW0/GZkgpkSCFNk/s72-c/Anthonyweiner.jpg' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5775566680473203725</id><published>2011-05-23T21:25:00.000-05:00</published><updated>2011-05-23T21:25:22.177-05:00</updated><title type='text'>I got a bitcoin!</title><content type='html'>&lt;i&gt;I mean to write a more comprehensive Bitcoin (a type of cyber currency) post in the future, but in the meanwhile, there's this...&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I got my first bitcoin. It was sent to my address "1PfkVx7SfWHqvLDmQUtXPPJeFFYpyj7ZhZ".&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-FdUbqo8NZcM/TdsWN5KUzLI/AAAAAAAAAWo/_0J4YQ8X1mQ/s1600/bitcoin-first.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-FdUbqo8NZcM/TdsWN5KUzLI/AAAAAAAAAWo/_0J4YQ8X1mQ/s1600/bitcoin-first.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;I did this by running a "mining" application on my desktop.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-ggMvK9-hBbY/TdsWRqBbWxI/AAAAAAAAAWs/7Hgl4dKEd7c/s1600/bitcoin-mining.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-ggMvK9-hBbY/TdsWRqBbWxI/AAAAAAAAAWs/7Hgl4dKEd7c/s1600/bitcoin-mining.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;This idea of "mining" is one of the philosophically interesting bits. Bitcoin is a currency, with exchange rates (currently $7 per coin). Instead of giving out coins for free, it gives out coins for some meaningless crypto work. 
Since my hardware is more efficient at crypto than the average person's, I can make a slight (very slight) profit running mining software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5775566680473203725?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5775566680473203725/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5775566680473203725' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5775566680473203725'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5775566680473203725'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/05/i-got-bitcoin.html' title='I got a bitcoin!'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-FdUbqo8NZcM/TdsWN5KUzLI/AAAAAAAAAWo/_0J4YQ8X1mQ/s72-c/bitcoin-first.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1644510187703384487</id><published>2011-05-23T21:16:00.001-05:00</published><updated>2011-05-24T13:11:47.684-05:00</updated><title type='text'>Amazon Cloud Music Player</title><content type='html'>The main reason I don't buy songs or many videos from iTunes is because I have to store them and back them up locally. Amazon is now offering to store such things in the "cloud" for me. 
Today, they have a special $0.99 offer for Lady Gaga's latest album. I can download the MP3s directly to my computer, play them on any device (including the iPod) -- but if my hard drive crashes, they are still in Amazon's cloud.&lt;br /&gt;&lt;br /&gt;In this way, it's a music version of the Kindle, where all the books are stored in the cloud. Even if my Kindle is destroyed, I can still get a replacement device, and re-download all my purchased books. In much the same way, I could buy a new iPod, and download everything on my Amazon cloud account any time I want.&lt;br /&gt;&lt;br /&gt;So here is a screenshot. I'm listening to my purchase, via the web-based player, as I write this.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-XKXHyt3-_es/TdsUie0hZ-I/AAAAAAAAAWk/SJ7TqLo4ZyY/s1600/cloud-player.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="556" src="http://3.bp.blogspot.com/-XKXHyt3-_es/TdsUie0hZ-I/AAAAAAAAAWk/SJ7TqLo4ZyY/s640/cloud-player.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I'll download these later to my iPod and see how that works.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;How much does the Cloud Drive cost?&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;My music is placed on my Cloud Drive. I didn't know I had something called a "Cloud Drive". What the heck is that?&lt;br /&gt;&lt;br /&gt;Apparently, it's a new service by Amazon. It gives you 5 gigabytes of free storage for things you upload to it. In addition, things you buy from Amazon do not count toward that limit. I suppose everyone who has an account with Amazon now has a "Cloud Drive".&lt;br /&gt;&lt;br /&gt;I'm a bit worried that Amazon was doing the typical slimy business practice of giving you a new service without you realizing it, then charging you for it. But, apparently not. The service is free. 
In addition, with my Lady Gaga purchase, I got a free "one year trial" of the 20-gig version. After a year, it will automatically revert back to the 5-gig -- it will not automatically start charging me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1644510187703384487?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1644510187703384487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1644510187703384487' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1644510187703384487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1644510187703384487'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/05/amazon-cloud-music-player.html' title='Amazon Cloud Music Player'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-XKXHyt3-_es/TdsUie0hZ-I/AAAAAAAAAWk/SJ7TqLo4ZyY/s72-c/cloud-player.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-9157240220848564084</id><published>2011-05-23T21:05:00.000-05:00</published><updated>2011-05-23T21:05:19.952-05:00</updated><title type='text'>The iPad revolution</title><content type='html'>At a local eatery, instead of ordering lunch at the counter, I was confronted with an iPad ordering system. 
What you see in this picture is an iPad behind a credit-card reader, next to a device that prints receipts, next to a bin of numbers to put on the table so they know where to deliver the food.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-Rp9-Cq5bX6A/TdsRzZWNjFI/AAAAAAAAAWg/z4jDAVeeXq4/s1600/ipad-lunch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="480" src="http://1.bp.blogspot.com/-Rp9-Cq5bX6A/TdsRzZWNjFI/AAAAAAAAAWg/z4jDAVeeXq4/s640/ipad-lunch.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;The iPad is an astonishing device. Nobody really &lt;i&gt;needs&lt;/i&gt; an iPad for anything – yet, they keep showing up. Anybody making a touchscreen device has to ask themselves now: why don't we instead just write an app for the iPad?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-9157240220848564084?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/9157240220848564084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=9157240220848564084' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/9157240220848564084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/9157240220848564084'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/05/ipad-revolution.html' title='The iPad revolution'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-Rp9-Cq5bX6A/TdsRzZWNjFI/AAAAAAAAAWg/z4jDAVeeXq4/s72-c/ipad-lunch.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2390843167752933937</id><published>2011-04-21T18:00:00.001-05:00</published><updated>2011-05-10T15:00:04.423-05:00</updated><title type='text'>Why cybersecurity tests fail</title><content type='html'>The Christian Science Monitor, a newspaper, recently had an online quiz to test how well you know cybersecurity. This is a good demonstration of the sorts of problems all such tests (like the CISSP certification test) have.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The first question asks what term William Gibson coined in “Neuromancer”.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-fpEPnaPSkbc/TbC2xtDqTRI/AAAAAAAAAWU/FpdsA2p7TKA/s1600/fail-question1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="203" src="http://3.bp.blogspot.com/-fpEPnaPSkbc/TbC2xtDqTRI/AAAAAAAAAWU/FpdsA2p7TKA/s640/fail-question1.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;The correct answer is “none of the above”.&lt;br /&gt;&lt;br /&gt;This is a sort of trick question. While &lt;i&gt;Neuromancer&lt;/i&gt; is credited with popularizing the term &lt;i&gt;cyberspace&lt;/i&gt;, Gibson “coined” the term in an earlier work.&lt;br /&gt;&lt;br /&gt;But the answer given in the test isn’t correct, either. The term “Internet” was coined in the 1970s. 
By the time the “Internet Protocol” (the basis for today’s Internet) was specified in RFC791 (three years before Neuromancer), the term “Internet” was already in widespread use.&lt;br /&gt;&lt;br /&gt;The cop-out from test designers is that when given a bad set of choices, you are supposed to choose the “best” one. Clearly the “best” answer is “cyberspace”, not “Internet”. At least, it’s clear to me, since I was on the Internet before Neuromancer was published.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Question #8 is probably the most amusing, because it demonstrates a lack of knowledge of the English language rather than cybersecurity:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-YmxMy1i6wGI/TbC3A9FXpFI/AAAAAAAAAWY/lb_FS-Sq6f0/s1600/fail-question3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="243" src="http://1.bp.blogspot.com/-YmxMy1i6wGI/TbC3A9FXpFI/AAAAAAAAAWY/lb_FS-Sq6f0/s640/fail-question3.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;If you parse the English language, the question asks "Who invaded Georgia?", not "Who cyber-attacked Georgia?". We don’t know who was responsible for the cyber-attacks against Georgia, but we do know that Russia invaded Georgia with ground troops.&lt;br /&gt;&lt;br /&gt;There is also confusion as to what “its” means: does it mean the invasion was preceded by attacks on Georgia’s computers, or on Russia’s computers?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The reason I point this out is not to beat up on the Christian Science Monitor, but to use this as an analogy. Certification tests (like the CISSP) are hardly better. They are written by generalists who know a little about everything, but aren't experts in any one thing. 
They make themselves immune to criticism (the first rule of the CISSP is that you will not criticize the CISSP), so it’s hard to debate those questions openly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-2390843167752933937?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2390843167752933937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2390843167752933937' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2390843167752933937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2390843167752933937'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/why-cybersecurity-tests-fail.html' title='Why cybersecurity tests fail'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-fpEPnaPSkbc/TbC2xtDqTRI/AAAAAAAAAWU/FpdsA2p7TKA/s72-c/fail-question1.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-5342456571117741471</id><published>2011-04-21T14:53:00.000-05:00</published><updated>2011-04-21T14:53:41.566-05:00</updated><title type='text'>Microsoft's "Coordinated Vulnerability Disclosure"</title><content type='html'>Microsoft has been finding vulns in other people's products since forever. 
That's because for those of us "skilled in the art", it's impossible not to. Remember: when software crashes for you, you simply restart it. When it crashes for us, we trap it in a debugger, and use tools like &lt;a href="http://channel9.msdn.com/blogs/pdcnews/bang-exploitable-security-analyzer"&gt;!exploitable&lt;/a&gt; in order to see if it's exploitable.&lt;br /&gt;&lt;br /&gt;Until now, Microsoft's response to such bugs has been ad-hoc. I'll bet that they've simply ignored the majority of such bugs. It takes a fair amount of work to take a bug that's "probably exploitable" and prove that it's "reproducibly exploitable". Security engineers should do it to keep in practice, but it's costly.&lt;br /&gt;&lt;br /&gt;But now Microsoft has created an &lt;a href="http://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx"&gt;official disclosure policy&lt;/a&gt; for their engineers. Now, when they find a bug in somebody else's product, their engineers know what policy to follow.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;"Responsible"&lt;/h2&gt;&lt;br /&gt;Microsoft should be praised for not using the phrase "responsible disclosure". The words "vulnerability disclosure" describe a fact; "responsible" describes an opinion. In a room of 10 cybersecurity experts, you'll get 15 opinions on what is "responsible" for disclosing a vulnerability. (And few would agree with my opinion that no disclosure is irresponsible, and that each of the different ways a bug is disclosed has a different set of tradeoffs).&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;The Golden Rule&lt;/h2&gt;&lt;br /&gt;Microsoft's policy of how they disclose bugs to others mirrors their policy of how they would like others to disclose bugs in Microsoft's products.
This is the "coordinated" bit in their disclosure -- where "coordinated" gives the upper hand to the affected vendor rather than the vuln discoverer.&lt;br /&gt;&lt;br /&gt;Most controversial is the idea "under no circumstances will Microsoft release details of an unpatched vulnerability unless evidence of public attacks exists". This gives the vendor the ("irresponsible") ability to bury bugs by never patching them. Microsoft has buried bugs on occasion by doing this.&lt;br /&gt;&lt;br /&gt;In contrast, Mozilla and Chrome have policies that say if they fail to patch a bug within a certain timeframe, then it's OK for the discoverer to disclose it. Knowing how vendors react, I prefer this policy.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;I'm looking for a fight&lt;/h2&gt;&lt;br /&gt;Here's what I want to see: Microsoft report a bug to Mozilla or Chrome that they bury. Which policy wins? Does Microsoft follow their policy and never publicly disclose the bug? Or do they switch and follow the Chrome/Mozilla policy and report anyway?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-5342456571117741471?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/5342456571117741471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=5342456571117741471' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5342456571117741471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/5342456571117741471'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/microsofts-coordinated-vulnerability.html' title='Microsoft&apos;s &quot;Coordinated Vulnerability 
Disclosure&quot;'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-8216804812970152271</id><published>2011-04-14T14:13:00.001-05:00</published><updated>2011-04-14T14:48:04.183-05:00</updated><title type='text'>Email disclaimers are not pointless</title><content type='html'>These articles from &lt;i&gt;&lt;a href="http://gizmodo.com/#!5791161/disclaimers-in-email-signatures-are-not-just-annoying-but-legally-meaningless"&gt;Gizmodo&lt;/a&gt;&lt;/i&gt; and &lt;i&gt;&lt;a href="http://www.economist.com/node/18529895"&gt;The Economist&lt;/a&gt;&lt;/i&gt; articles claim that the disclaimers lawyers put on the bottom of emails are pointless. The Economist says:&lt;br /&gt;&lt;blockquote&gt;Lawyers and experts on internet policy say no court case has ever turned on the presence or absence of such an automatic e-mail footer in America, the most litigious of rich countries. &lt;/blockquote&gt;&lt;br /&gt;That's not strictly true. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Legal fights are like a chess match. In much the same way that a chess game doesn't turn on a single piece, a legal fight rarely turns on a single item. Instead, both sides struggle to get the better position. Most cases are settled out of court, and the better your position, the less you pay (or the more you receive).&lt;br /&gt;&lt;br /&gt;A lot of what lawyers do appears absurd from our point of view, but it's all about position. For example, I used to work for a company called ISS where an employee (&lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Michael_Lynn"&gt;Mike Lynn&lt;/a&gt;) published trade secrets at a conference. 
These secrets were quickly picked up and mirrored on websites throughout the Internet. ISS sent out &lt;a href="http://www.infowarrior.org/users/rforno/lynn-cisco.pdf"&gt;cease-and-desist&lt;/a&gt; letters to those sites, telling them to take down the content. This was absurd -- it was like trying to take pee out of the pool -- but it served a purpose. It demonstrated that ISS was willing to go to absurd lengths to protect its trade secrets, putting it in a stronger position the &lt;i&gt;next&lt;/i&gt; time a trade secret case happens. Companies that do not protect their trade secrets are in a weak position if their employees steal the secrets.&lt;br /&gt;&lt;br /&gt;Misdirected and forwarded emails are a common problem among law firms, such as in the &lt;a href="http://www.abajournal.com/news/article/law_firm_leverages_oops_e-mail_sent_to_opponent/"&gt;Arcadis case&lt;/a&gt;. Arcadis was suing former employees who had left to start their own company. The lawyers for the employees accidentally sent secret documents to their former email addresses @arcadis.com. Apparently, this was due to the "autocomplete" feature of email programs that automatically fill in known email addresses.&lt;br /&gt;&lt;br /&gt;The consequences were horrible -- for Arcadis. Even though it was the mistake of the lawyers on the other side, it was the recipient of those misdirected emails who suffered. The misdirected emails were forwarded to the in-house counsel, who then forwarded them to the law firm prosecuting the suit. This was improper -- the court ruled that Arcadis had to dismiss their law firm from the case, remove their general counsel from further involvement, and start the lawsuit all over again. And pay $40,000 to the former employees.&lt;br /&gt;&lt;br /&gt;Did the case hinge on the fact that there was a notice on the bottom? Hard to say -- but it certainly put them in a stronger position.&lt;br /&gt;&lt;br /&gt;Such notices serve other purposes.
For example, let's say that the opposing side serves you with a subpoena for all your emails. Those that are "attorney-client privileged" are exempt from the subpoena. Marking them as such makes them easier to find on your email system and strip out before handing the email over.&lt;br /&gt;&lt;br /&gt;I'm sure lawyers can tell me many more reasons for these notices. The point is: even though they make no sense to us, and do not impact us, it doesn't mean they aren't important to lawyers. They are &lt;b&gt;toothless but not pointless&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;So, what should we do about these notices? Well, my policy is to ignore them.&lt;br /&gt;&lt;br /&gt;My position cannot get better by reading these notices -- but it can get a lot worse. I should get advice from my lawyer and not from these notices that imply all behavior "may be illegal". If I make a mistake, and go to court, they will try to claim that I should've known by reading the notice. It's better that I not have read the notice at all.&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;small&gt;&lt;i&gt;Legal notice: I am not a lawyer, therefore, this is not legal advice, and you should not follow it. On the other hand, if you misinterpreted this as advice and followed it, then you wouldn't be reading this notice anyway. 
My brain hurts.&lt;/i&gt;&lt;/small&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-8216804812970152271?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/8216804812970152271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=8216804812970152271' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8216804812970152271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/8216804812970152271'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/email-disclaimers-are-not-pointless.html' title='Email disclaimers are not pointless'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2026838639631408187</id><published>2011-04-12T03:18:00.005-05:00</published><updated>2011-04-12T05:46:52.239-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='groupthink'/><title type='text'>So what's wrong with optimism?</title><content type='html'>In a response to my post "Transactive Memory Systems" , Rob Graham was uncharacteristically gracious when he called my theory "optimistic." 
He goes on to disagree with me and describes the cybersecurity industry as full of false memes, the echo chamber, and groupthink.&lt;div&gt;&lt;br /&gt;&lt;span class="Apple-style-span"&gt;&lt;h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; color: rgb(51, 51, 51); font-family: Georgia, Times, serif; line-height: 18px; "&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt;Being &lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: normal; "&gt;&lt;b&gt;Optimistic&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;&lt;/span&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;So what's wrong with being optimistic? By definition these criticisms imply that the industry believes in ideas that are untrue. But not all generally agreed upon ideas are inaccurate. Most of the ideas are believed by the person first saying it, and can be backed up by their own research. I believe that the majority of the ideas discussed in the community have merit, and it's practical to be optimistic. When Rob says, &lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Georgia, Times, serif; font-size: 14px; line-height: 18px; "&gt;"The market doesn't care about cybersecurity"&lt;/span&gt; it is merely a different kind of groupthink. Remember that in groupthink there is only one correct answer, and that the self-appointed 'mind guards' are the ones who have it. If the symptoms of groupthink are protecting the group, rejecting alternatives, and silencing opposition, then optimistic belief in the likelihood of accurate ideas is the ultimate rejection of groupthink. Said differently, I believe in the abilities of the best and brightest scientists of our industry because there is a reasonable likelihood that they are correct. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; color: rgb(51, 51, 51); font-family: Georgia, Times, serif; line-height: 18px; "&gt;&lt;span class="Apple-style-span"&gt;Transactive Memory&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;To answer Rob's criticisms of the transactive memory of the security community, I didn't say that transactive memory was a good thing, just an efficient way of making decisions. Its success or failure is based upon being able to communicate the skills each person has to each other. In this I think we are very successful. It doesn't claim that the ideas of the community are True, but merely describes people's motivation for believing them. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Rob said that the three components of transactive memory were not consistent with his experience of the security community. &lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Georgia, Times, serif; font-size: 14px; line-height: 18px; "&gt;&lt;b&gt;&lt;/b&gt;&lt;blockquote&gt;&lt;b&gt;"Specialization&lt;/b&gt;: People don't actually specialize. Certainly, there are people that talk a lot about something, but that doesn't make them specialists."&lt;/blockquote&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;In the first post, I make the point that for the purposes of "metamemory," the person who speaks about a single topic frequently is labeled by the community as a specialist, not by the person themselves or any board of certification. This is a result of our human nature to simplify things to a level we can process.
&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Georgia, Times, serif; font-size: 14px; line-height: 18px; "&gt;&lt;b&gt;&lt;/b&gt;&lt;blockquote&gt;&lt;b&gt;"Coordination&lt;/b&gt;: Marisa points to conferences as an example of "transactive memory", but the reverse is true. It is the ability to act without a lot of formal meetings that is the hallmark of this "transactive" model."&lt;/blockquote&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;The theory doesn't say that there is not a time where people get to know each other's strengths. In fact the benefits of teamwork with transactive memory depend on this period of learning about each other. &lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Georgia, Times, serif; font-size: 14px; line-height: 18px; "&gt;&lt;b&gt;&lt;/b&gt;&lt;blockquote&gt;&lt;b&gt;"Credibility&lt;/b&gt; is totally misplaced. People get credibility in our industry by pimping themselves. Vendors market themselves. Market analysts (like Gartner) also market themselves. People with little ability nonetheless get "certifications". Hackers, using tools built by their betters, are able to gain notoriety despite being little more than "script kiddies". There are those with technical ability (e.g. Schneier) that really deserve respect, but they are in the minority."&lt;/blockquote&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;Credibility is the crux of our debate. Who should we believe? I submit that we have to believe *someone.* As an industry, the fact is we're only as good as our "experts." People like Schneier and Rob are good representatives of people who make good experts, but lousy community members. They rarely ever believe the ideas of their fellow experts. They constantly have to double check. This is inefficient and doesn't work for the broader community. But I agree that we need a better way to sort out the experts from the marketing whizzes. 
Or a better understanding of the implications for being wrong about our ideas. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; color: rgb(51, 51, 51); font-family: Georgia, Times, serif; line-height: 18px; "&gt;&lt;span class="Apple-style-span"&gt;Conclusion&lt;/span&gt;&lt;/h2&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Saying the community just suffers groupthink is problematic because it necessitates that the commonly held beliefs of the security community are more often wrong than right, when in reality they are more often right than wrong. I don't have a source for this observation, but if the top scientific minds in our field can't even get their theories right more than half the time, we have bigger problems on our hands than who believes them and for what reason. Call me optimistic, but I've met a lot of smart people in my time in the community, and if they say they've got conclusions, I believe them. I believe them not because I am pressured by mind control or subliminal catch phrases, but because it is the healthy human reaction to respect the ideas of experts in a field I am not an expert in. (Because really, what choice do I have?) In the same vein of optimism, I believe it is my duty to produce excellent research in the field I may be an expert in, so that those left in a similar predicament of inexperience can trust my expertise. This arrangement is infinitely more efficient than having to learn *everything* on your own, and often is the reason we have seen such successful collaborations across organizations in the security community. 
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-2026838639631408187?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2026838639631408187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2026838639631408187' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2026838639631408187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2026838639631408187'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/so-whats-wrong-with-optimism.html' title='So what&apos;s wrong with optimism?'/><author><name>Marisa Fagan</name><uri>http://www.blogger.com/profile/01185065599379609480</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://bp0.blogger.com/_96sSF15CVnM/SCipA24vSDI/AAAAAAAAAA0/QJN0KuMNt84/S220/marisa+in+the+car+mirror.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1016425102574749532</id><published>2011-04-12T02:16:00.003-05:00</published><updated>2011-04-12T04:24:47.739-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='groupthink'/><title type='text'>No, it really is "groupthink"</title><content type='html'>In an optimistic description of the cybersecurity industry, Marisa Fagan likens it to a "&lt;a href="http://erratasec.blogspot.com/2011/04/transactive-memory-systems-answer-to.html"&gt;transactive memory system&lt;/a&gt;".&lt;br /&gt;&lt;br /&gt;I disagree. I believe it's memetics. And an echo chamber. 
And worst of all, groupthink.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h2&gt;Memes&lt;/h2&gt;&lt;br /&gt;Memetics describes how ideas infect people's minds, like a virus. Once the community has been infected by an idea, it becomes "consensus" even though it's not based on any rational fact.&lt;br /&gt;&lt;br /&gt;A good example was the Comodo hack, where the CEO claimed that the only possible explanation was that it was a state-sponsored attack (by the Iranian state). Almost every news story I read about the incident echoed that claim, and every discussion I saw by "experts" assumed that was the truth. That's because it fired up our imaginations, and neatly fit with the story that we already believed, that the Iranian government had an army of hackers, and they were intent on eavesdropping on activists by breaking SSL.&lt;br /&gt;&lt;br /&gt;Luckily, the hacker came forward with compelling evidence (i.e. the private RSA key), which has caused this meme to disappear. But had that not happened, the community consensus would still be that this was a state-sponsored attack.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Echo Chamber&lt;/h2&gt;&lt;br /&gt;Our community is out of touch with the rest of the world. We believe that "security" is something inherently important, although few in the "real" world would agree with us.&lt;br /&gt;&lt;br /&gt;An example of this is a post by Jeremiah Grossman claiming that &lt;a href="https://blog.whitehatsec.com/security-as-a-differentiator/"&gt;security is a differentiator&lt;/a&gt;, that companies should spend more money making their products secure, because customers want more security in products and will buy those products that do the best security. Except it isn't true. The market doesn't care about cybersecurity.
Moreover, the market doesn't have the ability to tell which products have the best security: if you spend a lot on security, your competitors will claim to be just as good, and nobody can tell the difference.&lt;br /&gt;&lt;br /&gt;This is an example of the "echo chamber": we all tell each other that security is important, we say things like "you can never have too much security", and we pat each other on the back for saying such wise things. But none of it's true.&lt;br /&gt;&lt;br /&gt;I had a conversation with somebody that was complaining that we'd have good cybersecurity regulation in this country if it weren't for all the special interests getting in the way. I pointed out "but cybersecurity is itself a special interest". The guy paused for a second trying to grasp the new concept, then responded "no, it's not, we want what's best for the country". &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Groupthink&lt;/h2&gt;&lt;br /&gt;I keep meaning to post more on this, but in the meantime, read the Wikipedia article on "&lt;a href="http://en.wikipedia.org/wiki/Groupthink"&gt;groupthink&lt;/a&gt;". In particular, pay attention to the signs of groupthink:&lt;br /&gt;&lt;blockquote&gt;1. Illusions of invulnerability creating excessive optimism and encouraging risk taking.&lt;br /&gt;2. Rationalizing warnings that might challenge the group's assumptions.&lt;br /&gt;3. Unquestioned belief in the morality of the group, causing members to ignore the consequences of their actions.&lt;br /&gt;4. Stereotyping those who are opposed to the group as weak, evil, biased, spiteful, impotent, or stupid.&lt;br /&gt;5. Direct pressure to conform placed on any member who questions the group, couched in terms of "disloyalty".&lt;br /&gt;6. Self-censorship of ideas that deviate from the apparent group consensus.&lt;br /&gt;7. Illusions of unanimity among group members, silence is viewed as agreement.&lt;br /&gt;8.
Mind guards -- self-appointed members who shield the group from dissenting information.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;These 8 points describe much of the debate in our community. For example, in response to criticism, I've heard groupthinky phrases like "lead, follow, or get out of the way". At conferences, I've heard about the importance of "furthering the conversation" and "reaching consensus". This isn't robust thinking -- it's groupthink.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;As for a "transactive" model&lt;/h2&gt;&lt;br /&gt;This "transactive" model of Marisa's doesn't fit my experience well.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Specialization&lt;/b&gt;: People don't actually specialize. Certainly, there are people that talk a lot about something, but that doesn't make them specialists. A good example was Gartner and IPS. Gartner became the acknowledged specialist market analysts in the field, despite knowing little about it and being demonstrably wrong.&lt;br /&gt;&lt;br /&gt;A specific Gartner analyst really hates me because he feels I ambushed him. A big customer invited Gartner and intrusion-detection experts to debate Gartner's claims that IDS was dead. Gartner claimed that no IDS could run faster than 500-mbps. I asked the customer's own engineers how fast they were running my IDS, and they said 800-mbps, thus disproving Gartner's claims.&lt;br /&gt;&lt;br /&gt;The fact that IDS is still alive and kicking is also testament to the fact that Gartner was wrong.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Coordination&lt;/b&gt;: Marisa points to conferences as an example of "transactive memory", but the reverse is true. It is the ability to act without a lot of formal meetings that is the hallmark of this "transactive" model.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Credibility&lt;/b&gt; is totally misplaced. People get credibility in our industry by pimping themselves. Vendors market themselves. Market analysts (like Gartner) also market themselves.
People with little ability nonetheless get "certifications". Hackers, using tools built by their betters, are able to gain notoriety despite being little more than "script kiddies". There are those with technical ability (e.g. Schneier) that really deserve respect, but they are in the minority.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;If you read back through this blog, you'll figure out our true mission statement: to attack groupthink, the echo chamber, and memes. If "everybody knows" something, we at Errata Security are going to try to disagree.&lt;br /&gt;&lt;br /&gt;Now Marisa has an interesting new perspective on things, and I hope she fleshes it out, but I think she'll end up being wrong: it really is memes, echo chamber, and groupthink.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1016425102574749532?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1016425102574749532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1016425102574749532' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1016425102574749532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1016425102574749532'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/no-it-really-is-groupthink.html' title='No, it really is &quot;groupthink&quot;'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1454456778339315592</id><published>2011-04-09T03:24:00.006-05:00</published><updated>2011-04-12T02:16:43.133-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='groupthink'/><title type='text'>Transactive Memory Systems: an answer to "groupthink"</title><content type='html'>In the Information Security community, when pervasive ideas are generally agreed upon, inevitably someone cries "groupthink" (often on this blog!). The criticism is that we have let our opinions be formed by the pressures of the community and not by critical thinking. For example, that "strong passwords increase security" or that "SQL Injection vulnerabilities are preventable." A good sign that the community is dictating the opinions is when the topic requires a special level of expertise to grok. Topics like these breed a desire to reach consensus without the individual members of the group exposing themselves as unknowledgeable or foolish. The problem with the term groupthink is that it is a &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Groupthink"&gt;pejorative&lt;/a&gt; term that implies the generally agreed upon idea is wrong, regardless of how the group came to that conclusion.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;I propose a different explanation for why communities find uniform consensus across such a large group of people. It's efficient. Thanks to the web, the Information Security community shares one large body of knowledge. Using blogs, Twitter, and online journals, we read the expert opinions of security professionals on hundreds of topics a week. This body of knowledge is a &lt;a href="http://www.wjh.harvard.edu/%7Ewegner/pdfs/Wegner%20Computer%20Network%20Model%201995.pdf"&gt;Transactive Memory System&lt;/a&gt;.
The basic difference between Transactive Memory and groupthink is the generally agreed upon idea is not individually analyzed critically because of the inherent credibility of the person communicating it, not because of group pressure to look smart. &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Transactive_memory"&gt;Transactive Memory Theory&lt;/a&gt; states that there is the knowledge of the individual in the group, as well as their "&lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Metamemory"&gt;metamemory&lt;/a&gt;" of what topics they, and everyone else in the group, knows. The metamemory allows the group to be smarter and more efficient than the individual. (This is not to be confused with Collective Intelligence, which is better explained by a TNG episode with &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Borg_%28Star_Trek%29"&gt;Borg&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;The key to successful Transactive Memory relies on &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Transactive_memory#cite_ref-3"&gt;three&lt;/a&gt; components: specialization, coordination, and credibility. Using the Information Security community as an example, we can see how the so-called "thought leaders" in the community fit all three categories.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Specialization&lt;/span&gt; may not be something a thought leader pursues intentionally, but there are certain people in the community who are experts in specific topics. If you speak about Cloud, or SIEM, or DNS long enough, people start to identify you as the go-to-guy on that topic.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Coordination&lt;/span&gt; is enabled in large part by the Internet. It's what allows a community of thousands to behave like a "group." Another key coordination activity is the conference circuit. Across the world, conferences bring not only the ideas we agree upon, but also the speakers we know. 
Coordination is the process of learning who knows what in the group, and allows for the &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Transactive_memory#cite_note-wegner86-2"&gt;division&lt;/a&gt; of topics based on people's strengths. This implies that it may not actually be the intentions of the thought leader that relegate them to one topic of expertise, but rather the community that finds it easier to know them for only one thing, requiring less complex metamemory.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Credibility&lt;/span&gt; is the most subjective component. Credibility is the extent to which the group actually believes the thought leader's ideas are correct. This is the critical component for efficiency. Initially the group does not believe the thought leader's credibility is very high. This produces low efficiency for the exchange of ideas because everything must be analyzed more stringently by a larger number of people. The longer the group coordinates, the higher the credibility of the member assigned the topic, and the more people who do not need to repeat the research and can take their word for it.&lt;br /&gt;&lt;br /&gt;In our industry, there will always be a higher level of skepticism than in most, but in order to be efficient and make progress in the science of IT we must be able to divide the topics. I'm sure you'll find that this is human nature, and we're not all experts on everything. Some people who code are not knowledgeable in penetration testing; people who are experts in forensics may not know a thing about visualization. And yet there are many cases where we're asked to give comment on these subjects that we are not experts in. When saying "I don't know!"
isn't an option, it's natural to fall back to the Transactive Memory of the community and call upon someone who does.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In conclusion, we have generally agreed upon ideas not because we suffer from groupthink but because &lt;b&gt;we're in a technical field where it is efficient to trust the specialization of others&lt;/b&gt; in the community to communicate their knowledge, while we ourselves focus on our strengths in areas not being effectively covered.&lt;br /&gt;&lt;br /&gt;[Edit: Rob Graham's response: "No really,&lt;a href="http://erratasec.blogspot.com/2011/04/no-it-really-is-groupthink.html"&gt; it's groupthink&lt;/a&gt;."]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1454456778339315592?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1454456778339315592/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1454456778339315592' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1454456778339315592'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1454456778339315592'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/transactive-memory-systems-answer-to.html' title='Transactive Memory Systems: an answer to &quot;groupthink&quot;'/><author><name>Marisa Fagan</name><uri>http://www.blogger.com/profile/01185065599379609480</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://bp0.blogger.com/_96sSF15CVnM/SCipA24vSDI/AAAAAAAAAA0/QJN0KuMNt84/S220/marisa+in+the+car+mirror.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-3211340706190465910</id><published>2011-04-06T17:06:00.006-05:00</published><updated>2011-04-07T00:14:15.045-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Breaking in'/><category scheme='http://www.blogger.com/atom/ns#' term='#breakingin'/><category scheme='http://www.blogger.com/atom/ns#' term='TV'/><title type='text'>A pre-review of 'breaking_in'</title><content type='html'>&lt;i&gt;UPDATE: no, a smash-n-grab is not a pentest&lt;/i&gt;&lt;br /&gt;&lt;hr/&gt;Tonight, Fox debuts a comedy called "breaking_in", about a small pen-test company. I haven't seen the show, but I'm the CEO of a small pen-test company (i.e. Christian Slater's character), so I thought I'd create a "pre review" of the show. (Also, one of our exploits, FedEx-ing an iPhone to a company, was already dramatized in the show "Leverage" -- we got a nice thank-you note from the producers -- this gives me license to pre-comment.)&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-WsIxiQkq5qQ/TZzmVDiQqQI/AAAAAAAAAWQ/SiJetPFixy4/s1600/breakingin.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="125" src="http://1.bp.blogspot.com/-WsIxiQkq5qQ/TZzmVDiQqQI/AAAAAAAAAWQ/SiJetPFixy4/s320/breakingin.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h2&gt;Physical vs. Cyber&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;The most important difference with reality is that pen-testing is almost always a computer thing. Companies hire us to hack into their computers. In the show, it appears they focus on physical penetration. 
A hacker might disable the alarm system, but the other characters rappel down ropes from the skylight during the night. That's logical: what pen-testers really do is sit at a computer all day long staring intently at the screen. And what we are really doing is writing the proposal and budget before the test, and compiling the results in a report for the customer, rather than doing the penetrating. There is no way to dramatize this for TV.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Ethics&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;I did want to discuss ethics. We pen-testers share the same abilities as hackers -- does that not imply we share the same ethics? Wouldn't exploring this ethical issue make a good story? The answer is a greater suspicion of unethical behavior leads to greater emphasis on good ethics.&amp;nbsp;We fire employees not only for ethical violations, but also any appearance of ethical violations. At my last company, we fired an employee for running an unauthorized port scan at home, not because we thought he was trying to hack somebody, but simply because some might interpret it as trying to hack somebody.&lt;br /&gt;&lt;br /&gt;Another side to ethics is the fact that pen-testers are generally highly paid. We gouge our customers (we are worth every penny). There is no temptation to screw that up by crossing a line. Sure, we frequently get our hands on hundreds of millions of dollars during pen-tests, but there is no temptation. The risks involved in actually trying to pocket that money are too high compared to the income we get anyway.&lt;br /&gt;&lt;br /&gt;According to the previews of &lt;tt&gt;breaking_in&lt;/tt&gt;, the CEO of that company blackmails an underpaid hacker to work for him. I've seen others that are similarly unethical, but if such a CEO is willing to cross the line in that case, he will probably keep crossing lines and taking chances, until he either goes bankrupt or gets put in jail. 
A good example of this is in Kevin Poulsen's book "Kingpin": several times Max Butler tried to go straight, but his ethics were so poor that he kept crossing lines, and kept getting caught.&lt;br /&gt;&lt;br /&gt;The upshot is that any established pen-testing company is likely to be far more ethical than average, not less ethical.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Weirdos&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;The characters in the show are a bit odd. That's about right -- everyone I know who does pen-tests is a little weird. Though, it tends to be the boring sort of weird, like not bathing, rather than exciting weird, like driving a HumVee. Though, there was this one bank in San Francisco whose chief security expert wore goth clothing to work, and the occasional cross dressing (his wife helped him pick out the clothes).&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Chicks&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;The show has a love interest, of course.&lt;br /&gt;&lt;br /&gt;As you might expect, females are rare in the testosterone fueled community of hacking, but they aren't nonexistent. 
There are some really talented females at the top of our profession.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;i&gt;I might be live blogging the show tonight, maybe just inanely twittering it @ErrataRob&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-3211340706190465910?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/3211340706190465910/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=3211340706190465910' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3211340706190465910'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/3211340706190465910'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/pre-review-of-breakingin.html' title='A pre-review of &apos;breaking_in&apos;'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-WsIxiQkq5qQ/TZzmVDiQqQI/AAAAAAAAAWQ/SiJetPFixy4/s72-c/breakingin.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2247675027517411153</id><published>2011-04-06T13:29:00.022-05:00</published><updated>2011-04-08T17:52:03.140-05:00</updated><title type='text'>Government Didn’t Create the Internet</title><content type='html'>People often say that the government created the Internet. 
This is not true.&lt;br /&gt;&lt;br /&gt;The Internet is a trillion dollars of &lt;a href="http://en.wikipedia.org/wiki/Fiber_optics"&gt;fiber optic&lt;/a&gt; cables laid in the ground and under our oceans. Fiber optic technology was developed by corporations, such as Corning Glass Works, not the government. The trillion dollars in capital that was used to pay for laying cable came from Wall Street, not the government.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;The one thing you might be able to credit the government with is &lt;i&gt;standards&lt;/i&gt;. The early days of computing were a hodge-podge of networking standards. Only computers from the same vendor could talk to each other -- indeed, often only the same model of computers. The situation was like the railroad network in the pre Civil-War South: each state’s rail network had different gauge tracks, different widths, different turn radiuses, different slopes. As cargo was shipped across the South, it needed to be offloaded from one rail network and loaded onto another, several times. After the Civil War, the U.S. 
government decreed a common railroad standard for the entire country so that it could move troops quickly to anywhere in the country to suppress insurrections.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-BhQwhVpkbws/TZywBKRQIaI/AAAAAAAAAWM/d8BkImogSmE/s1600/iso_logo.gif" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-BhQwhVpkbws/TZywBKRQIaI/AAAAAAAAAWM/d8BkImogSmE/s1600/iso_logo.gif" /&gt;&lt;/a&gt;&lt;/div&gt;In much the same way, around 1980, governments around the world, working with &lt;a href="http://www.iso.org"&gt;international standards organizations&lt;/a&gt;, created the "&lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/Open_Systems_Interconnection"&gt;OSI&lt;/a&gt;&lt;/i&gt;" or "&lt;i&gt;Open Systems Interconnect&lt;/i&gt;" group. The purpose of OSI was to create a single standard for all networks, to create a world wide "internetwork" that all computers could be connected to. By 1990, developed countries (US, Europe, Japan) had laws called &lt;i&gt;"&lt;a href="http://en.wikipedia.org/wiki/GOSIP"&gt;GOSIP&lt;/a&gt;"&lt;/i&gt; or “Government OSI Profile” that required all computers purchased by the government must support the OSI network standard. All large corporations, such as IBM and HP, supported this standard with their computers.&lt;br /&gt;&lt;br /&gt;What’s important about the Internet is that the OSI standard failed. It’s not the standard of today’s Internet. The government backed the wrong horse, so to speak. Instead, &lt;b&gt;today’s Internet is based on TCP/IP -- a networking standard the government tried to kill off&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;Back around 1980, there were many networking standards. One early effort to interconnect computers was known as &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/Bitnet"&gt;BITNET&lt;/a&gt;&lt;/i&gt;. 
Most big universities had IBM mainframes. BITNET allowed those mainframes to be interconnected, so that people could exchange data and email. Another early effort was &lt;i&gt;&lt;tt&gt;uucp&lt;/tt&gt;&lt;/i&gt;, that exchanged email over dialup lines (and other network connections, including TCP/IP and BITNET connections). DEC (Digital Equipment Corp.) was a hub for a lot of this &lt;i&gt;&lt;tt&gt;uucp&lt;/tt&gt;&lt;/i&gt; traffic. Much of this funding came from private sources, not the government. If there was a world wide network in that day, it was &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/X.25"&gt;X.25&lt;/a&gt;&lt;/i&gt;, a networking standard supported by the telephone companies and used by big corporations.&lt;br /&gt;&lt;br /&gt;The government was also involved. It was the height of the Cold War and the era of the “Star Wars” missile defense system. The Department of Defense (DoD) was throwing money at anything that might have military application.&lt;br /&gt;&lt;br /&gt;When government agencies funded a research project, it would be a collaboration among researchers at different universities. The DoD wanted them to be able to talk to each other. Since the most popular computer system among their researchers was &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/Berkeley_Software_Distribution"&gt;BSD Unix&lt;/a&gt;&lt;/i&gt;, the &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/United_States_Department_of_Defense"&gt;DoD&lt;/a&gt;&lt;/i&gt; paid a consulting firm (&lt;a href="http://en.wikipedia.org/wiki/BBN_Technologies"&gt;BBN&lt;/a&gt;) to add two networking standards to BSD Unix: Xerox XNS (one of many commercial network standards) and TCP/IP (one of many research network standards).&lt;br /&gt;&lt;br /&gt;TCP/IP quickly grew to become the most popular research network standard. Unlike commercial standards (like Xerox’s XNS), no single entity controlled TCP/IP. Universities were free to redefine the standards at will. 
And that’s what they did.&lt;br /&gt;&lt;br /&gt;During the 1980s, this was &lt;i&gt;the&lt;/i&gt; question of TCP/IP: nobody really controlled standards. Those who might have controlled standards declared the nascent TCP/IP internetwork an "&lt;i&gt;official &lt;a href="http://www.wired.com/wired/archive/3.10/ietf.html"&gt;anarchy&lt;/a&gt;&lt;/i&gt;". Those who preferred company controlled standards (from Xerox or IBM), or government standards (like OSI), looked down upon TCP/IP, declaring it would never work. How could standards exist without somebody putting their official stamp of approval on it?&lt;br /&gt;&lt;br /&gt;But, it did work. &lt;span style="font-style: italic;"&gt;De facto&lt;/span&gt; standards developed by acclamation, not proclamation. It worked thusly: two (or more) independent groups developed a way for computers to interoperate on a task (such as exchange email), then they would document what they did so that anybody else could interoperate with them. You were free to interoperate with them, or create a different way of solving the problem. When it became obvious that most everyone was using the standard that worked the best, then and only then was it declared as something like an “official standard”. In fact, much of TCP/IP is inspired by corporations. They paid to get something working, and then documented it so that others could interoperate, which then became Internet standards.&lt;br /&gt;&lt;br /&gt;This was in sharp contrast to OSI. The way that OSI worked is that everyone would get together and spend years going to meetings, fighting for what they wanted in the official standard.&lt;br /&gt;&lt;br /&gt;Eventually something would be created that tried to satisfy everyone, and a standard would be published. At this point, people would try to implement it. I say "try" because it didn’t actually work. 
Such standards were so bloated with features that they could never be fully implemented, and were full of problems that you would only find while trying to implement the standard. As a consequence, different people trying to implement the OSI standards could never really get their stuff to interoperate with each other.&lt;br /&gt;&lt;br /&gt;So both sides thought the other side wouldn’t work. Those working on TCP/IP standards felt that official standards process would never produce something that worked, and the official standards bodies believed that nothing would work without an official stamp of approval. Even while Netscape was going IPO, setting off the dot-com revolution, government (and big corporations sucking from the government teat) believed that OSI was the long term, and that the TCP/IP Internet was just a temporary research project.&lt;br /&gt;&lt;br /&gt;So who gets credit for creating the Internet? Government? The military? Big corporations? Universities?&lt;br /&gt;&lt;br /&gt;The answer is "all the above". The Internet is the product of a free society, everyone working together, and sometimes working at odds with each other. It's a triumph of an "official anarchy".&lt;br /&gt;&lt;br /&gt;Government threw money at many networks, including the TCP/IP Internet. TCP/IP was influenced by many things, among them the government. But what government most gave TCP/IP was its benign neglect as it spent its guidance, vision, leadership, and energy on developing the OSI network. This history is important. If you believe &lt;a href="http://en.wikipedia.org/wiki/Al_Gore_and_information_technology"&gt;those who say that it's government's unique vision that created the Internet&lt;/a&gt;, then you would naturally believe that the government should continue with their successful strategy of regulating and controlling the Internet. 
If you believe, as I do, that it’s the product of "official anarchy", then you would agree that government should continue keeping its hands off the Internet.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;i&gt;(You might be wondering if this is an attack on &lt;a href="http://en.wikipedia.org/wiki/Network_neutrality"&gt;NetNeutrality&lt;/a&gt; -- of course it is -- but I wrote the original draft of this 10 years ago, long before NetNeutrality was discussed. It's funny -- back in the 1980s, our chief fear was that a corporate monopoly [then: AT&amp;amp;T, today:Google] would successfully lobby the government to tell us how to route packets.)&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-2247675027517411153?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/2247675027517411153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=2247675027517411153' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2247675027517411153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/2247675027517411153'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/government-didnt-create-internet.html' title='Government Didn’t Create the Internet'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/-BhQwhVpkbws/TZywBKRQIaI/AAAAAAAAAWM/d8BkImogSmE/s72-c/iso_logo.gif' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1603799995354058559</id><published>2011-04-04T16:14:00.000-05:00</published><updated>2011-04-04T16:14:28.167-05:00</updated><title type='text'>How to protect yourself from future "Epsilon" breach</title><content type='html'>Your e-mail address was only exposed if (1) you gave it to the company and (2) you selected “Please send me e-mail notifications”.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;I’ve done business with many of the companies involved (TiVo, Citibank, AmEx, BestBuy, Disney, Fred Meyer, Fry’s, Hilton Honors, Kroger, Marriott Rewards, Visa, Walgreens), but only TiVo sent me e-mail. That’s because I lie when they ask me for an e-mail address most of the time (when my e-mail address isn’t necessary) -- and when the e-mail address is necessary, I make sure I click the box saying that I don’t want marketing spam. TiVo recently started sending me marketing spam -- apparently, it decided to forget my preference.&lt;br /&gt;&lt;br /&gt;But even then, it wasn’t the correct address. I have three addresses: a public facing address that everyone knows (robert_david_graham@yahoo.com), a private address I give to friends and family, and an e-commerce address that I only give out to companies. Therefore, if I receive PayPal phishing messages, I know they are incorrect, because they are sent to my public address. (I’ve never gotten phishing e-mail on my e-commerce e-mail).&lt;br /&gt;&lt;br /&gt;You don’t have to give out private information if you don’t want to. I recently went to Japan to my brother’s wedding. I checked in at the same time as my parents. We were handed forms to fill out, with things like name, address, phone number, e-mail address, and so forth. I filled in my name and handed my form back. 
My parents looked at me as if that was some unforgivable sin -- they had filled out the form completely, including e-mail. But it’s not a sin, or antisocial. THEY are the ones being antisocial, because THEY will spam you if you give them your e-mail address. They say they won’t, but of course, they will.&lt;br /&gt;&lt;br /&gt;Usually, when I hand them empty forms, they ask why I don’t fill them out. The conversation goes like this:&lt;br /&gt;Them: why didn’t you fill it out?&lt;br /&gt;Me: I don’t want spam and junk e-mail.&lt;br /&gt;Them: We would never do that.&lt;br /&gt;Me: Okay. Do you have a privacy policy that promises you won’t?&lt;br /&gt;Them: What? I’ll have to check with my manager. (some moments later). Yes, here it is.&lt;br /&gt;Me: (eyes scan down the page) It says here that you “won’t use the information, except for products and offers we or our partners think you might be interested in”. That means spam and junk mail.&lt;br /&gt;Them: We would never do that.&lt;br /&gt;Me: Do you have a privacy policy that promises you won’t?&lt;br /&gt;&lt;br /&gt;If they continue to insist, I ask “can I lie?” -- and then provide them the (incorrect) information they ask for. It’s an ethical thing: I could’ve lied to begin with, and saved us both a lot of time. But I feel better when they know I’m lying.&lt;br /&gt;&lt;br /&gt;It’s odd -- employees don’t really care. They are focused on getting the form filled in, not that it’s correct. The AT&amp;amp;T store employee knew I was lying, but sold me the phone anyway. I get a monthly SMS from AT&amp;amp;T complaining that my address is incorrect, warning me that I should call them and tell them my correct address. This has been going on for 3 years now.&lt;br /&gt;&lt;br /&gt;My solution to the Epsilon breach is simply to create a new private e-mail account for e-commerce. 
I’ll either change the address for the few accounts I care about (like NewEgg and Amazon), cancel the other accounts, and then monitor that account for spam resulting from the Epsilon breach. My public e-mail and private personal e-mail accounts will remain unaffected.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37798047-1603799995354058559?l=erratasec.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1603799995354058559/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1603799995354058559' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1603799995354058559'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1603799995354058559'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/how-to-protect-yourself-from-future.html' title='How to protect yourself from future &quot;Epsilon&quot; breach'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-6686992593731591511</id><published>2011-04-04T12:54:00.007-05:00</published><updated>2011-04-07T00:14:46.112-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Profile Spy'/><category scheme='http://www.blogger.com/atom/ns#' term='Twitter'/><title type='text'>Anatomy of a Twitter worm ("Profile 
Spy")</title><content type='html'>I woke up this morning and among the tweets I saw this:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-y1gWGgM4yvs/TZn7NYVjaMI/AAAAAAAAAWA/L9Burd-xkxA/s1600/profilespy1b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-y1gWGgM4yvs/TZn7NYVjaMI/AAAAAAAAAWA/L9Burd-xkxA/s1600/profilespy1b.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;i&gt;(Name has been pixelated to protect the guilty)&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This looks like a worm/scam (some news &lt;a href="http://www.huffingtonpost.com/2011/04/04/twitter-profile-spy-worm-_n_844382.html"&gt;here&lt;/a&gt;), so I thought I'd write up a technical explanation.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Like most cybersecurity researchers, I like worms. So, I switched to another browser ("Iron" version of Chrome from SRware) and my honeypot account "&lt;a href="https://twitter.com/#!/ErrataVictim"&gt;@ErrataVictim&lt;/a&gt;". 
I logged in, and then followed that link.&lt;br /&gt;&lt;br /&gt;Clicking on the link pops up this page from Twitter:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-ieBUPNjJg2E/TZnCGU8DAWI/AAAAAAAAAV4/Nagd4a3NmjE/s1600/profilespy2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="365" src="http://3.bp.blogspot.com/-ieBUPNjJg2E/TZnCGU8DAWI/AAAAAAAAAV4/Nagd4a3NmjE/s400/profilespy2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;Worms usually ask for passwords, but people become suspicious about giving out passwords.&amp;nbsp;This worm uses a different strategy. It pretends to be a legitimate Twitter application, and uses the same method to ask for permissions as any other application. This is the same sort of authorization you would need to give to your Twitter application on the iPhone. This is the sort of authorization you would need to give to any third party Twitter application -- like one that told you how many people checked out your profile (which actually isn't possible -- Twitter doesn't give that info to app developers, and probably doesn't track it).&lt;br /&gt;&lt;br /&gt;It's hard to give people advice what to do in this situation. You can't simply say "Never allow applications to connect to your account", because that would prevent legitimate twitter applications from having access to your account.&lt;br /&gt;&lt;br /&gt;The best advice I could give you is that whenever you see something of the form "this is cool check it out" -- and it asks you to install something, give a password, or grant authorization, then it's probably malware. 
You should always verify it with the sender (or with Google) before continuing.&lt;br /&gt;&lt;br /&gt;When I allow access, I get this:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-S6w0B6wtK0I/TZm0yIgDMjI/AAAAAAAAAVg/Rw4nS40OnTA/s1600/profilespy3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="308" src="http://2.bp.blogspot.com/-S6w0B6wtK0I/TZm0yIgDMjI/AAAAAAAAAVg/Rw4nS40OnTA/s400/profilespy3.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Going back to my victim account, I saw that it had indeed gotten "hacked". This is why the hacker created this worm/scam: he will profit from all the advertising you'll see following those links.&lt;br /&gt;&lt;br /&gt;There might be further malware in those links designed to compromise your machine or accounts, like clickjacking exploits. I followed the first one, and it's a typical scam that asks you to fill out endless surveys and promises you'll win a prize at the end -- but there is no end to the popups you have to go through. At least, I've never reached the end when trying to see how deep they go.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-6NwplmFaGts/TZoENIB2w7I/AAAAAAAAAWE/euUTapdCFUY/s1600/profilespy7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="362" src="http://2.bp.blogspot.com/-6NwplmFaGts/TZoENIB2w7I/AAAAAAAAAWE/euUTapdCFUY/s400/profilespy7.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Following this link leads to the next form. 
Obviously, you wouldn't want to fill this out.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-2uRJ0IlYsAU/TZoEoifDBiI/AAAAAAAAAWI/Tf722iHen4A/s1600/profilespy8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://2.bp.blogspot.com/-2uRJ0IlYsAU/TZoEoifDBiI/AAAAAAAAAWI/Tf722iHen4A/s400/profilespy8.png" width="266" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;I continued following this for a while, and it continued to provide endless "surveys" on care insurance, medical, long distance phone, and so on. I didn't follow them too deep -- I assume there is no end to them.&lt;br /&gt;&lt;br /&gt;I confirmed that my account was "hacked" because immediately after this, I saw these two tweets magically appear as if I'd tweeted them:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-0Pq0z_z5How/TZm6zOWDCxI/AAAAAAAAAV0/Sln2e1qDWRc/s1600/profilespy4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://3.bp.blogspot.com/-0Pq0z_z5How/TZm6zOWDCxI/AAAAAAAAAV0/Sln2e1qDWRc/s400/profilespy4.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;It is easy to recover your account if this happens to you. 
Go to your "Profile", then "Edit your profile", then select "Connections", &amp;nbsp;then revoke its access, as shown below:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-K04-vLpepZ0/TZm2r3ZZ-GI/AAAAAAAAAVo/H7SIVdsS81s/s1600/profilespy5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="258" src="http://1.bp.blogspot.com/-K04-vLpepZ0/TZm2r3ZZ-GI/AAAAAAAAAVo/H7SIVdsS81s/s400/profilespy5.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Then, in order to make sure that nobody else falls victim to this (or hide your guilt), remove the tweets the worm put there. Select &amp;nbsp;"Profile" again. This shows a timeline with just your tweets. Hover over the tweet with your mouse, and you'll see a "Delete" option. Click that, and the tweet goes away:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-7m-zuNffbDM/TZm5XWrmuCI/AAAAAAAAAVs/YQJS1T_yaIQ/s1600/profilespy6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://1.bp.blogspot.com/-7m-zuNffbDM/TZm5XWrmuCI/AAAAAAAAAVs/YQJS1T_yaIQ/s400/profilespy6.png" width="360" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;This won't completely get rid of the tweet. The default browser application, and many other applications, download and cache the tweets as they are tweeted. Thus, if somebody opens their browser and logs onto twitter, they won't see your deleted tweet. But, if somebody sees a "75 new tweets" and clicks on it, they will still see your tweet, because it's already been downloaded and cached in your browser. 
Therefore, even when you delete it, most of your active followers will still see it.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;h2&gt;How does the scam work?&lt;/h2&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The first step is to set up an account with advertisers that you will forward people to.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The second step is to get a "burner" host. First, grab an anonymous credit card (aka. "gift card") from a store, then use it to create an account at a hosting site. In this case, the hacker chose &lt;a href="http://www.liquidweb.com/"&gt;liquidweb&lt;/a&gt;, which allows you to set up a cloud server in minutes.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Then write a Twitter script that will use Twitter's OAuth feature to do two things. The first is to log onto the victim's account and send the spam message via a tweet. The second is to forward the user to the advertiser.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The third step is to launch the worm by spamming the tweet. This involves creating accounts, "following" people, then sending them tweets with the link. 
Eventually, a popular person with a lot of followers will fall for it, and the worm will take on a life of its own.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The ow.ly link points to "www.twitterprofilespy.info". I did a traceroute to that address and got this info:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;pre&gt;&lt;small&gt;1     1 ms     2 ms     1 ms  23.23.23.1&lt;br /&gt;  2    23 ms    28 ms     9 ms  c-71-204-8-1.hsd1.ga.comcast.net [71.204.8.1]&lt;br /&gt;  3    10 ms    10 ms     9 ms  xe-10-1-0-0-sur01.n4atlanta.ga.atlanta.comcast.net [68.85.68.57]&lt;br /&gt;  4    15 ms    16 ms    18 ms  xe-6-1-3-0-ar01.D1stonemtn.ga.atlanta.comcast.net [68.85.108.250]&lt;br /&gt;  5    67 ms   136 ms    95 ms  ae-2-0-ar01.b0atlanta.ga.atlanta.comcast.net [68.85.109.241]&lt;br /&gt;  6    19 ms    15 ms    15 ms  pos-3-7-0-0-cr01.atlanta.ga.ibone.comcast.net [68.86.93.205]&lt;br /&gt;  7    17 ms    16 ms    16 ms  TenGigabitethernet4-1.ar1.ATL2.gblx.net [146.82.35.121]&lt;br /&gt;  8    48 ms    67 ms    47 ms  64.209.88.186&lt;br /&gt;  9    50 ms    54 ms    50 ms  lw-dc2-core3-te9-1.rtr.liquidweb.com [209.59.157.224]&lt;br /&gt; 10    52 ms    52 ms    67 ms  lw-core6.rtr.liquidweb.com [209.59.157.109]&lt;br /&gt; 11    54 ms    55 ms    56 ms  lw-dc3-dist10-po6.rtr.liquidweb.com [69.167.128.167]&lt;br /&gt; 12    53 ms    54 ms    52 ms  host.fookyea.com [67.227.204.5]&lt;/small&gt;&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The whois lookup for "twitterprofilespy.info" returned this:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: 
left;"&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;pre&gt;&lt;pre&gt;Domain Name:TWITTERPROFILESPY.INFO&lt;br /&gt;Created On:02-Apr-2011 04:34:09 UTC&lt;br /&gt;Last Updated On:03-Apr-2011 15:56:34 UTC&lt;br /&gt;Expiration Date:02-Apr-2012 04:34:09 UTC&lt;br /&gt;Sponsoring Registrar:eNom, Inc. (R126-LRMS)&lt;br /&gt;Status:CLIENT TRANSFER PROHIBITED&lt;br /&gt;Status:TRANSFER PROHIBITED&lt;br /&gt;Registrant ID:551ff52cd302f3e3&lt;br /&gt;Registrant Name:WhoisGuard  Protected&lt;br /&gt;Registrant Organization:WhoisGuard&lt;br /&gt;Registrant Street1:8939 S. Sepulveda Blvd. #110 - 732&lt;br /&gt;Registrant Street2:&lt;br /&gt;Registrant Street3:&lt;br /&gt;Registrant City:Westchester&lt;br /&gt;Registrant State/Province:CA&lt;br /&gt;Registrant Postal Code:90045&lt;br /&gt;Registrant Country:US&lt;br /&gt;Registrant Phone:+1.6613102107&lt;br /&gt;Registrant Phone Ext.:&lt;br /&gt;Registrant FAX:&lt;br /&gt;Registrant FAX Ext.:&lt;br /&gt;Registrant Email:683c9af5c7fe45bda8510a5327cc212a.protect@whoisguard.com&lt;/pre&gt;&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I suspect "fookyea.com" might also identify the hacker. The whois info from GoDaddy shows this:&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;Registrant:&lt;br /&gt;Unknown Unknown&lt;br /&gt;123 Lay Ave&lt;br /&gt;New York, New York 10001&lt;br /&gt;United States&lt;br /&gt;&lt;br /&gt;Registered through: GoDaddy.com, Inc. 
(http://www.godaddy.com)&lt;br /&gt;Domain Name: FOOKYEA.COM&lt;br /&gt;Created on: 13-Feb-09&lt;br /&gt;Expires on: 13-Feb-12&lt;br /&gt;Last Updated on: 14-Feb-11&lt;br /&gt;&lt;br /&gt;Administrative Contact:&lt;br /&gt;Unknown, Unknown gamingcheats@gmail.com&lt;br /&gt;123 Lay Ave&lt;br /&gt;New York, New York 10001&lt;br /&gt;United States&lt;br /&gt;+1.2121234567&lt;br /&gt;...&lt;br /&gt;&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;It would take more effort than I'm willing to spend, and maybe warrants, to track this down any further.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;Update: Graham Cluley from Sophos also has a post almost identical to mine:&amp;nbsp;&lt;a href="http://nakedsecurity.sophos.com/2011/04/04/profile-spy-rogue-application-spreads-virally-on-twitter/"&gt;http://nakedsecurity.sophos.com/2011/04/04/profile-spy-rogue-application-spreads-virally-on-twitter/&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/6686992593731591511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=6686992593731591511' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6686992593731591511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/6686992593731591511'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/04/anatomy-of-twitter-worm-profile-spy.html' title='Anatomy of a Twitter worm (&quot;Profile Spy&quot;)'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-y1gWGgM4yvs/TZn7NYVjaMI/AAAAAAAAAWA/L9Burd-xkxA/s72-c/profilespy1b.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-7020477670458149942</id><published>2011-03-30T00:14:00.016-05:00</published><updated>2011-03-30T21:14:44.616-05:00</updated><title type='text'>Well, that's it for Bit.ly (SCRATCH THAT: MAYBE NOT)</title><content type='html'>&lt;h2&gt;&lt;i&gt;Bit.ly support quickly responded and fixed the issue. I've included their response&amp;nbsp;&lt;a href="http://www.blogger.com/post-edit.g?blogID=37798047&amp;amp;postID=7020477670458149942#response"&gt;below&lt;/a&gt;.&lt;/i&gt;&lt;/h2&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Bit.ly is giving people the finger rather than forwarding them to this blog. 
Here is an example picture when visiting&amp;nbsp;&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif; font-size: 15px; line-height: 19px;"&gt;&lt;a class="twitter-timeline-link" data-expanded-url="http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html/" href="http://bit.ly/h7aFJc" rel="nofollow" style="color: #0084b4; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;" target="_blank" title="http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html/"&gt;http://bit.ly/h7aFJc&lt;/a&gt;&lt;/span&gt;&amp;nbsp;(click to enlarge):&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-hQx3vC0wZrw/TZK55IIjEYI/AAAAAAAAAVE/A4PCGweXOKU/s1600/bitly.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="609" src="http://3.bp.blogspot.com/-hQx3vC0wZrw/TZK55IIjEYI/AAAAAAAAAVE/A4PCGweXOKU/s640/bitly.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;The link used to work just fine. For some reason, bit.ly decided to start blocking it with this page rather than forwarding.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;I can't "fix" this as they suggest. I posted the link on Twitter, which has further been retweeted and independently tweeted (which has further been retweeted). 
There is no way to go back and fix those thousands of tweets.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Here is a picture from Blogger's stats. As you can see, it's doing this with several links:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-mFb8h1zdhOc/TZK7MgJN_EI/AAAAAAAAAVI/xuoqdY8OioI/s1600/bitly2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-mFb8h1zdhOc/TZK7MgJN_EI/AAAAAAAAAVI/xuoqdY8OioI/s1600/bitly2.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;I suspect the problem comes from deeper links. This post (&lt;span class="Apple-style-span" style="color: #444444; font-family: Arial, 'Helvetica Neue', sans-serif; font-size: 15px; line-height: 19px;"&gt;&lt;a class="twitter-timeline-link" data-expanded-url="http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html/" href="http://bit.ly/h7aFJc" rel="nofollow" style="color: #0084b4; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-decoration: none;" target="_blank" title="http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html/"&gt;http://bit.ly/h7aFJc&lt;/a&gt;)&amp;nbsp;&lt;/span&gt;has two links to it:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;a href="http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html"&gt;http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;and&lt;/div&gt;&lt;div class="separator" 
style="clear: both; text-align: left;"&gt;&lt;a href="http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html#more"&gt;http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html#more&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;Blogger allows you to show just the introductory paragraph on the home page with a link to "More..." to see the rest of the story. In the above case, someone else shortened the #more version of the page and posted to Twitter. I'm guessing this is what has made bit.ly upset.&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;However, I use this feature a lot on my posts. Consequently, I can no longer use bit.ly. What should I switch to? How about "goo.gl"?&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;h2&gt;&lt;a href="http://www.blogger.com/post-edit.g?blogID=37798047&amp;amp;postID=7020477670458149942#response" name="response"&gt;BIT.LY RESPONDS AND FIXES THE PROBLEM&lt;/a&gt;&lt;/h2&gt;&lt;tt&gt;You were reported for spamming. Your post is totally attacking something you never reached out to us about. If you would have reached out first vs posting a rant on your blog, maybe we would have let you know directly. &lt;br /&gt;&lt;br /&gt;I have now unblocked your blog. &lt;b&gt;Next time this happens, let us know&lt;/b&gt; vs running a garbage post on your blog with no facts behind it. Oh, and you might want to consider who you share links with, someone you shared your blog post with was the one that reported you.&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;&lt;br /&gt;I got this as a response to my e-mail. 
He (RexDixon) also posted comments below in the blog post.&lt;br /&gt;&lt;br /&gt;This is the rudest response I've gotten, but it's totally justified, since I was rude first with this post. I should probably have waited for a response to support@ before blogging. I quite like the response.&lt;br /&gt;&lt;br /&gt;Bit.ly: Could you clarify what you mean by "share links with"? I don't share links with anybody. I don't include any advertising (which you can verify by going to the site). The content is 100% my own, plus anything that Blogger puts there.&lt;br /&gt;&lt;br /&gt;I did link to pastebin files. Those files are the top "trending" files on pastebin. And the trend is due to my Tweets and blog post. But it's not spam, it's legitimate. Is it pastebin that reported those posts as spam?&lt;br /&gt;&lt;br /&gt;I link to the pastes put there by "ComodoHacker" in the graphic below from the "Trending Pastes" at&amp;nbsp;&lt;a href="http://pastebin.com/trends"&gt;http://pastebin.com/trends&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-lAUASmUMFTc/TZNUpUJ5cFI/AAAAAAAAAVQ/MfM3wfXUgc4/s1600/pastebintrends.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-lAUASmUMFTc/TZNUpUJ5cFI/AAAAAAAAAVQ/MfM3wfXUgc4/s1600/pastebintrends.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/7020477670458149942/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=7020477670458149942' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7020477670458149942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/7020477670458149942'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/03/well-thats-it-for-bitly.html' title='Well, that&apos;s it for Bit.ly (SCRATCH THAT: MAYBE NOT)'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-hQx3vC0wZrw/TZK55IIjEYI/AAAAAAAAAVE/A4PCGweXOKU/s72-c/bitly.png' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-1649896754592876390</id><published>2011-03-29T16:28:00.002-05:00</published><updated>2011-04-06T18:45:21.301-05:00</updated><title type='text'>"Cyber" and "hacker": I’m taking them back</title><content type='html'>I use the word "&lt;i&gt;cybersecurity&lt;/i&gt;" on the Twitter partly because it annoys people for being tragically un-hip. &lt;br /&gt;&lt;br /&gt;But mostly I use it because it’s the word that most people will understand. If I go on CNN and talk about &lt;i&gt;[IT-, information-, computer-, network-, system-]&lt;/i&gt;security, the audience won’t understand me as well as "cyber".&lt;br /&gt;&lt;br /&gt;The advantage of "cyber" is precisely its imprecision and lack of definition. My audience doesn't really want to know what the word means -- they simply want me to mean the same thing as everyone else who says "cyber" on CNN. 
It’s the transitive property of language. If "&lt;tt&gt;a=1&lt;/tt&gt;", and "&lt;tt&gt;a=b&lt;/tt&gt;", then "&lt;tt&gt;b=1&lt;/tt&gt;" -- you don’t need to understand "&lt;tt&gt;a&lt;/tt&gt;" or "&lt;tt&gt;b&lt;/tt&gt;" to understand the equation.&lt;br /&gt;&lt;br /&gt;Experts often use the "correct" words incorrectly anyway. They use "&lt;i&gt;information security&lt;/i&gt;" when they mean "&lt;i&gt;computer security&lt;/i&gt;". Or they say "&lt;i&gt;network security&lt;/i&gt;" when they mean "&lt;i&gt;system security&lt;/i&gt;". Either these words mean something nuanced and specific, or they are no better than "&lt;i&gt;cybersecurity&lt;/i&gt;".&lt;br /&gt;&lt;br /&gt;Technical people have the hubris to believe they own language, and that words mean what technical people want them to mean. That’s fine for words like "&lt;i&gt;pi&lt;/i&gt;", but it doesn’t work for higher concepts. A good example is &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Eric_S._Raymond"&gt;ESR&lt;/a&gt;'s definition of "&lt;a href="http://www.catb.org/jargon/html/H/hacker.html"&gt;hacker&lt;/a&gt;" in his hacker dictionary. He insists that it means some sort of computer enthusiast, technical expert, or problem solver -- and that it should not have any "&lt;i&gt;cybercriminal&lt;/i&gt;" connotation.&lt;br /&gt;&lt;br /&gt;But he’s wrong. A dictionary doesn’t tell people how they SHOULD use words. Instead, a dictionary reflects how people DO use words.&lt;br /&gt;&lt;br /&gt;Consider the American Heritage entry on "&lt;i&gt;&lt;a href="http://dictionary.reference.com/browse/nuclear"&gt;nuclear&lt;/a&gt;&lt;/i&gt;". It notes that among the many pronunciations of this word is "&lt;i&gt;nukular&lt;/i&gt;", like how George Bush (and many other Presidents) has pronounced it. It goes on to say this pronunciation "occurs with some frequency among highly educated speakers, including scientists, professors, and government officials, it is disapproved of by many". 
The dictionary isn’t telling you the "correct" pronunciation -- just what pronunciations are common.&lt;br /&gt;&lt;br /&gt;It’s funny watching journalists cover "&lt;i&gt;hackers&lt;/i&gt;" for the first time. After they release their first story, they get deluged with &lt;a href="http://www.blogger.com/comment.g?blogID=37798047&amp;postID=4234247731716261138"&gt;comments&lt;/a&gt; telling them they used the word wrong (and offensively), that they should use "crackers" instead, and refer them to &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Eric_S._Raymond"&gt;ESR&lt;/a&gt;'s "dictionary". The journalists dutifully comply, and use "crackers" for a couple stories before they realize it’s stupid, and go back to using "hackers".&lt;br /&gt;&lt;br /&gt;So, I’m using these words not necessarily how the digerati want them to be used, but how everybody else uses them. I'm taking them back. I think I have the gravitas to pull it off. I’m a cybersecurity expert -- I invented network Intrusion Prevention Systems (BlackICE Guard IPS aka. IBM Proventia IPS). I’m also a cyber-&lt;i&gt;in&lt;/i&gt;security expert: I reverse engineer binary code, write exploits, and pen-test systems. 
&lt;br /&gt;&lt;br /&gt;So when you see me on the inter-tubes using these un-cool terms, this is the reason why.</content><link rel='replies' type='application/atom+xml' href='http://erratasec.blogspot.com/feeds/1649896754592876390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37798047&amp;postID=1649896754592876390' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1649896754592876390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37798047/posts/default/1649896754592876390'/><link rel='alternate' type='text/html' href='http://erratasec.blogspot.com/2011/03/cybersecurity-and-hacker-im-taking-them.html' title='&quot;Cyber&quot; and &quot;hacker&quot;: I’m taking them back'/><author><name>Robert Graham</name><uri>http://www.blogger.com/profile/09879238874208877740</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://4.bp.blogspot.com/_TJ2XNCjin0s/Sxn5QN4EbyI/AAAAAAAAAK4/MNL1by-0Mr4/S220/robertgraham.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37798047.post-2602280330293651520</id><published>2011-03-28T18:50:00.028-05:00</published><updated>2011-04-07T14:23:26.538-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='comodogate'/><category scheme='http://www.blogger.com/atom/ns#' term='comodo'/><category scheme='http://www.blogger.com/atom/ns#' term='openssl'/><category scheme='http://www.blogger.com/atom/ns#' term='certificate'/><title type='text'>Verifying the Comodo Hacker's key</title><content type='html'>In order to prove his identity, the person 
claiming to have hacked Comodo published the private key of his forged certificates. I've verified that the key is valid. This post describes how.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;Note that even the "Certificate Authority" who signs a key does not know the private key. When somebody requests a certificate, they only send the "hash" to the certificate authority. Therefore, nobody, not even Comodo, should know the private key. There are ways the private key may have been lost. For example, another hacker may have broken in, or it may have been given to a friend, or it may have been left behind on a system. But, beyond a reasonable doubt, this proves the identity of the hacker.&lt;br /&gt;&lt;br /&gt;Verification is simple: we just encrypt some
