Tuesday, November 16, 2010

Move Complete

My blog move has been completed! In the future I'll write up notes about the process and share the Python code I used to do the migration.

Tuesday, November 2, 2010

Thursday, October 28, 2010

Adobe: Productive Media Tools

Adobe should incorporate some of the security buzz into their marketing:




Adobe media tools increase productivity, giving you 0-day turnaround.




The SEO opportunities are endless.

Tuesday, October 26, 2010

Advanced Evasion Techniques: A Long-Winded Explanation of the Threat

Recently a company called Stonesoft launched a website called http://www.antievasion.com/ with videos warning us about the threat of Advanced Evasion Techniques that can float right through your network security and attack systems you thought were protected. The videos on their site are worth watching, if for no other reason than that they approach self-parody.


Their concern lies mostly in Intrusion Detection/Prevention System (IDS/IPS) software and appliances. These devices observe traffic passing through looking for behavior indicative of an attack in a fashion conceptually similar to antivirus/antimalware. IDS systems merely “observe and report” while IPS systems intervene, trying to cut connections or otherwise stop the attack. The limitation of these types of systems is that they’re primarily signature-based; they are looking for a specific set of indicators to determine that something is an attack. They cannot say with certainty that anything is safe.


Compare this to police mugshots. You can use them to identify known bad guys but you can’t use them to identify unknown bad guys or bad guys with convincing disguises. Modern IDS/IPS (and antivirus) are smarter. They’re better at recognizing fake beards, hats, and changes of clothes. These kinds of attack disguises have often been referred to as “IDS/IPS evasion techniques” and they’re almost as old as IDS/IPS technology itself. As is always the case on the Internet, the good guys cause the bad guys to evolve and vice versa. IDS/IPS technology gets better, IDS/IPS evasion techniques get better.


These “disguises” involve changing the properties of the transmission in ways that are still valid (enough) but violate the IDS/IPS product’s assumptions about how the data should be transmitted. For example, some IDS/IPS products can only look at one packet at a time. If you break the attack transmission into small enough pieces, the IDS/IPS won’t be able to see the signature. For IDS/IPS products that are a little smarter, transmitting the pieces in the wrong order might fool them. There are lots of permutations at various levels.


To build an analogy, IDS/IPS systems are like TSA personnel. They scan through your luggage looking for things that might be dangerous. They can’t possibly know every possible threat, and a disguised threat, like one hidden in your underpants, can potentially get through the screening process (in all fairness, the underwear bomber didn’t go through TSA screeners, he might have got caught, but that demonstrates a point about security: you attack through a channel with weaker defenses).


TSA screeners could be incredibly effective against a known threat. If we knew attackers were going to carry a weapon onboard a plane in a red stuffed unicorn, TSA personnel would have a clear thing to search for. If the weapon were moved to something else, maybe it would be found, maybe not. In the same vein, when a new vulnerability is discovered, providing a good signature for your IPS could provide adequate detection until a patch becomes available. That is, unless an attacker decides to put a moustache on it.


So what are Advanced Evasion Techniques? Simply put they are IDS/IPS evasion techniques that are applied at more levels of the network stack. Where previous techniques might manipulate the transmission at the IP and TCP/UDP levels, advanced techniques might also manipulate the application layer. It’s an evolution on the attackers’ part that many vendors didn’t anticipate but it’s not really breaking new ground.


What does this mean to your network? Hopefully, nothing. The conditions for a successful attack are that a service has to be exploitable and the attacker has to get the attack past the IPS and… it has to get past the firewall. The inability of your IPS to stop an attack is moot if the target is not vulnerable or if there is no path from attacker to target. If either of those cases holds you can be pretty confident. The “The Principles of AntiEvasion” video seems to presume that your IPS is the only thing protecting your unpatched services. If you’re relying on your IPS in that fashion then you probably are at risk. If your firewall is configured sanely and your patches and configuration are solid, that video is mostly just FUD.


To tie this up I’ll return to the “human screener” analogy. An IPS is like a person looking at people entering and leaving a building, trying to guess at motive. The building itself is like a firewall: it limits points of entry with walls and locked doors. Relying on your IPS to protect you is like foregoing walls and trying to guard a valuable resource in the middle of an open field with only a handful of guards.
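The three sensor behaviours described in this post (one packet at a time, arrival order, reassembly by sequence number) can be compared side by side. This is an added Python example, not code from the original post; the signature string, sequence numbers and traffic are constructed, and the overlap policy is an assumption.

```python
# Added example: why splitting or reordering a transmission defeats simple
# signature matching, and what reassembly buys the sensor. All data is constructed.

SIGNATURE = b"EVIL-MARKER"   # constructed stand-in for an IDS signature
ISN = 1000                   # constructed initial sequence number


def split_stream(data, size, isn=ISN):
    """Cut a byte stream into (sequence_number, payload) segments."""
    return [(isn + i, data[i:i + size]) for i in range(0, len(data), size)]


def per_packet_match(segments):
    """Sensor 1: inspects each segment on its own."""
    return any(SIGNATURE in payload for _seq, payload in segments)


def arrival_order_match(segments):
    """Sensor 2: joins payloads in the order they arrived."""
    return SIGNATURE in b"".join(payload for _seq, payload in segments)


def reassemble(segments, isn=ISN):
    """Sensor 3: rebuild the stream by sequence number, as the receiver does.

    Assumed policy: on overlap the first byte seen wins, and reassembly stops
    at the first gap. Real hosts differ on overlaps, so a sensor has to apply
    the same policy as the host it protects.
    """
    seen = {}
    for seq, payload in segments:
        start = (seq - isn) & 0xFFFFFFFF      # offset of this segment in the stream
        for i, byte in enumerate(payload):
            seen.setdefault(start + i, byte)
    out = bytearray()
    while len(out) in seen:                   # stop at the first missing byte
        out.append(seen[len(out)])
    return bytes(out)


def stream_match(segments, isn=ISN):
    """Signature match against the reassembled stream."""
    return SIGNATURE in reassemble(segments, isn)


REQUEST = b"GET /?q=EVIL-MARKER HTTP/1.0\r\n\r\n"   # constructed traffic
WHOLE = split_stream(REQUEST, len(REQUEST))         # one segment
SPLIT = split_stream(REQUEST, 4)                    # small pieces, in order
REORDERED = list(reversed(SPLIT))                   # same pieces, wrong order

if __name__ == "__main__":
    print("case       per-packet  arrival-order  reassembled")
    for name, segs in (("whole", WHOLE), ("split", SPLIT), ("reordered", REORDERED)):
        print(f"{name:<10} {per_packet_match(segs)!s:<11} "
              f"{arrival_order_match(segs)!s:<14} {stream_match(segs)}")
```

Only the sensor that reassembles by sequence number sees the signature in all three cases, and it loses sight of it again as soon as a segment is missing from what it captured.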

Tuesday, October 5, 2010

On Saturday we adopted our second cat: Sam. Please forgive the mediocre photo. I was thoroughly impressed by the Silicon Valley humane society. Their facilities were excellent and I felt that the staff were genuinely interested in helping us find the right cat. If you’re thinking of adopting and you’re in the area I definitely recommend them: http://hssv.org/

Friday, October 1, 2010

Tuesday, September 7, 2010

Nikon D90

I got my first DSLR and I’m having a blast with it. On my third day with the camera I managed to get some awesome shots:






I think they’re awesome, at least. I’m having fun with it.

Thursday, September 2, 2010

Got Froyo on My Incredible

This morning I found that Froyo was available for my Incredible. =D



After the update, I found that the crapware previously available in the Verizon section of the Market was “preinstalled”. D=



Granted, I haven’t tried VZ Navigator so maybe it’s super awesome. But the reason I’ve never tried it is because Maps works great and I have no need… for any of this software.

Tuesday, August 31, 2010

High-Def for the Internet

I think I missed my calling in Marketing/PR. If we want to sell people on IPv6, here’s the slogan:



IPv6: It’s High-Def for the Internet.



True to the spirit of Marketing/PR, I make no statements about the truth of my slogan.

Friday, August 27, 2010

Guerilla Feature Request

You want a feature in a piece of software but you don’t want to implement it yourself. Luckily, you have access to the repository.



Don’t bother actually working on the feature. Don’t bother putting in a feature request. Instead, add a unit test that checks for the feature and check that in. When the software starts failing unit tests the maintainers will have to decide to toss the test or fix the test by implementing the feature. This would be slightly more effective if the checkin included other tests that were actually useful.



I think this may be the apex of Test-Driven Development.

Wednesday, August 25, 2010

Thursday, July 15, 2010

Rode to Work

This time it was 19:40 in to work. I haven’t been sleeping well so I haven’t been riding. I need to get back on the horse.

Thursday, July 8, 2010

Bogus Log Generator

I wonder what the legal implications might be of a framework that makes it easy to create generators for bogus but convincing log data.




Prosecution: “Your honor, I present to the court computer logs that show that the defendant participated in online activities for which he is charged.”



Defense: “Your honor, I present to the court computer logs that are completely falsified but are completely indistinguishable in form from the logs presented by the prosecution.”




Flying Monkeys, GO!

Wednesday, June 30, 2010

Rode to Work

Actually, I’ve ridden to work about five times since I last posted about it. Totally different route now.




  • Distance: 4.4 miles

  • Moving Time: 18:09

  • Riding Music: Bassnectar - Mesmerizing the Ultra


I think the time is a personal best but I’ve only tracked it with the GPS twice now. Good riding music, but a little bland for my taste. Would be appropriate to play in a gym where they have that special selection of music that sounds upbeat but isn’t actually exciting.




  • Moving Time Home: 19:45 - stuck behind a couple slowpokes.

Tuesday, June 8, 2010

Anonymizer Universal on Android


While at Anonymizer I got to use Anonymizer Universal and I thought it was pretty sweet. It doesn’t take long with a packet sniffer on a popular public wireless access point to see that you have little protection if any without some sort of VPN. Anonymizer Universal is a commercial VPN service that protects your traffic on the local network and allows it to exit through Anonymizer. I got it working on my Android phone using a little hand-configuration. This doesn’t require the phone to be rooted/jailbroken; it’s part of the standard functionality. Note that while it works, it’s not a supported platform…

Monday, June 7, 2010

I'll Be Here All Week

Raffy: I'm quite surprised BP's networks aren't getting a "Free of charge" penetration test right about now
crunge: maybe they are
crunge: Raffy: however, if there are any security holes....
crunge: anyone?
crunge: not
crunge: getting
crunge: successfully
crunge: plugged.

Friday, June 4, 2010

No Longer With Anonymizer

I guess this is a bit late but it shouldn’t be Earth-shattering news to anyone. April 30th was my last day at Anonymizer. I had never before been in the position of leaving a job I liked but an opportunity fell into my lap that was too good to pass up. I’ve taken up a position as a security engineer at a Fortune 500 company in the Silicon Valley area that’s doing a lot of interesting things and has a lot of interesting challenges to wrestle with. As such, I had to relocate to the valley which, aside from moving away from my friends and family, was an exciting proposition.



There are a few things I’d like to say about Anonymizer. First and foremost is that they really are passionate about people’s privacy. Lots of people have said that it’s the perfect place for the government to back door to spy on us citizens. While that’s an accurate observation, at the time I left there was no back door, no special eavesdropping equipment or privileges for anyone, and no plans for those things to change. Unfortunately I can’t go into further detail without risking disclosing proprietary information. I believe in the products I used, Nyms and Anonymizer Universal, enough to continue using them to protect my privacy.



I would also like to mention that Anonymizer was a really interesting place to work. If you’re in the San Diego area and you think you know your stuff when it comes to networking, Linux, etc, it’s worth shooting them your resume.



Anyway, new beginning for me. This is the first time I’ve done security as the focus of my job rather than something orthogonal to my job. I expect I’ll have a lot more security stuff to talk about fairly soon. I was in the San Diego area for 12 years and while I liked it I’m excited to explore a new city. I expect to enjoy doing a lot of touristy stuff without having a short vacation window to explore the bay area.

Thursday, May 27, 2010

wepwn


Some months ago I wrote a couple scripts to capture the workflow of cracking WEP. Essentially you could use the scripts to scan for targets and then specify the target to attack by ESSID or BSSID.



I came into a situation where I needed to learn Python so I consolidated those scripts into a single Python script and that is wepwn. It was developed on Backtrack 4 but may work on other Linux distros without modification.



I was reluctant to release it without much testing but it’s not going to get much testing in my environment beyond what I’ve done. I’d appreciate feedback, bug reports, or patches. Enjoy.

Friday, May 21, 2010

Friday, May 7, 2010

Todo Sushi

Todo Sushi off of Carroll Canyon Rd. Tuna roll: good. Baby lobster dynamite roll: very good. Volcano roll: incredible.

Saturday, May 1, 2010

Verizon Service for Android Purchase

When I went to buy my Droid Incredible the Verizon sales rep was very friendly and helpful. One thing that was lame was that he offered to sell me an 8GB or 16GB microSD card for my phone. I refused figuring I’m better off just picking one up at Fry’s or wherever. A few minutes later he pulls out a 2GB microSD card and says that it’s free. This seems like a totally shady upsell, not telling me it came with a 2GB card up front.



On the other hand, the second day with my phone I was trying to wiggle in the USB cable and a small thin bar of plastic above the USB connector snapped. Obviously it was my fault that it broke and I need to be more careful in the future. I went back to the store to talk about it and pick up a car mount for the phone. I explained that I had broke it and that it was still functional and my real concern was that this little piece of protruding plastic would catch on stuff. The same rep who sold me the phone looked at it carefully, made a note in the system about it and said that I could call an 800 number and get a new one under their 30-day Worry-Free Guarantee. This was all before I mentioned an intent to purchase the car mount.



The shady upsell in the beginning was weak, but the follow-up service for minor damage to my phone was excellent.

Walls Get Bombed


I like graffiti so I’ve started a semi-public blog for graffiti. Check it out.

From "The Privacy Blog" Intelligence collection *from* open proxy servers


The short version: you use an open proxy someone set up and the logs of what you’ve visited are stored there. Possibly those logs are poorly protected. It’s also possible that the proxy was set up with the specific purpose of surveillance.

Friday, April 30, 2010

Drinks at Hamilton's

Had some drinks at Hamilton’s in South Park. Seemed like a pretty nice place. Even if it weren’t, I had a few beers and a lot of friends there and those things alone would have made it a good time.

Thursday, April 29, 2010

Droid Incredible - Not Seeing MP3s

Dropped a bunch of MP3s in the existing Music folder in an organization structure similar to the existing one. It’s seeing none of the files that I added. If I figure out the issue I’ll post the solution. Sending the sound output playing the songs that were there to my car stereo via bluetooth went seamlessly.



Oh, it was me being stupid. I was using Amarok to copy media to it and adjusting the naming. I failed to put .mp3 on the end of the naming template. I don’t think I should have to. After all, what if I’m copying media of different formats?

Droid Incredible

Got a Droid Incredible this morning, upgrading from a first gen iPhone. This thing is sweet. Hopefully it will still be after the honeymoon is over.



Oh yeah, except that the mail app silently errors out when connecting to my mail systems, which have certs signed by my private CA, and it won’t let me click through. People on the tubez say it won’t do self-signed either. I’ve imported my CA cert into the browser but that has not affected the mail application. And since I don’t know which CAs the mail client trusts I don’t know where I can try to get a free/cheap cert for my mail servers.

Friday, April 23, 2010

Studio Diner in Kearny Mesa. Friday night special was Sea Bass. It was excellent.

Monday, April 19, 2010

AssRace: Possible Advantage For A Rogue DHCP Server

One method for MITM attacks is to set up a rogue DHCP server. In this situation you’re in a race with the real DHCP server and you may not always (if ever) win.



I’ve been sitting on an idea for a couple weeks where under certain circumstances you could have a distinct advantage in the race. Specifically when the DHCP client is on WiFi. Before WiFi clients pull DHCP they usually have to associate with the access point which involves an exchange of packets. The idea was that you could have your rogue DHCP server listen for clients associating then immediately start spamming the client with appropriate DHCP replies. In this scenario you may be able to get your reply in before the client has even finished sending the request. The cool thing here is that if the network is encrypted but you’re wired in and the wireless just bridges to the wired network you don’t necessarily need the encryption key. You can see the association in the clear then start sending your DHCP messages on the wired network destined for the new client on the wireless network. Because that MAC address hasn’t been seen yet the switching infrastructure should just unicast flood the message everywhere so it should get to the target.



This morning I realized I’d probably never get around to actually implementing this idea, which is a shame given the snazzy name. I was looking at the RFCs for DHCP and it looks like the client picks an ID number and if your replies didn’t have that ID number then the attack probably wouldn’t work. Since you’re sending replies before you’ve seen the request you can’t know what the request is. Perhaps if you’re on the wireless network and the DHCP server is on the wired network you have a few microseconds of a head start. Perhaps you could guess the ID number the client will use somehow. Perhaps I’ve misinterpreted the RFC, I didn’t read through it closely. All that aside, maybe this will give someone else some workable ideas.
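The ID number mentioned above is the 32-bit xid field in the fixed BOOTP/DHCP header defined by RFC 2131; the client picks it and is expected to discard replies that carry a different value. The following is an added Python example, not code from the original post, that parses that header and applies the check. The MAC address, xid and IP addresses are constructed, and DHCP options other than the end marker are left out.

```python
# Added example: the BOOTP/DHCP fixed header from RFC 2131 and the client-side
# check that ties a reply to the request it answers. All values are constructed.
import struct

# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)        # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")


def build_message(op, xid, mac, yiaddr=bytes(4)):
    """Build a minimal message: fixed header, magic cookie, end option."""
    header = struct.pack(BOOTP_FMT, op, 1, len(mac), 0, xid, 0, 0,
                         bytes(4), yiaddr, bytes(4), bytes(4), mac, b"", b"")
    return header + MAGIC_COOKIE + b"\xff"


def parse_header(data):
    """Decode the fixed header into a dict; raise ValueError if malformed."""
    if len(data) < BOOTP_LEN + len(MAGIC_COOKIE):
        raise ValueError("message is truncated")
    if data[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg = dict(zip(FIELDS, struct.unpack(BOOTP_FMT, data[:BOOTP_LEN])))
    msg["chaddr"] = msg["chaddr"][:msg["hlen"]]   # strip padding after the MAC
    return msg


def rejection_reasons(request_bytes, reply_bytes):
    """Return why a client would drop this reply; an empty list means accept."""
    request = parse_header(request_bytes)
    try:
        reply = parse_header(reply_bytes)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if reply["op"] != BOOTREPLY:
        reasons.append("not a BOOTREPLY")
    if reply["xid"] != request["xid"]:
        reasons.append("xid does not match the outstanding request")
    if reply["chaddr"] != request["chaddr"]:
        reasons.append("chaddr is not this client")
    return reasons


CLIENT_MAC = bytes.fromhex("020000000001")    # constructed, locally administered
CLIENT_XID = 0x3903F326                       # constructed transaction ID
DISCOVER = build_message(BOOTREQUEST, CLIENT_XID, CLIENT_MAC)
OFFER = build_message(BOOTREPLY, CLIENT_XID, CLIENT_MAC, yiaddr=bytes([192, 0, 2, 50]))
# A reply composed before the request was seen cannot carry the client's xid.
EARLY_REPLY = build_message(BOOTREPLY, 0, CLIENT_MAC, yiaddr=bytes([192, 0, 2, 66]))

if __name__ == "__main__":
    print("offer:", rejection_reasons(DISCOVER, OFFER) or "accepted")
    print("early reply:", rejection_reasons(DISCOVER, EARLY_REPLY))
```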

Sunday, April 18, 2010

Gentoo is Dead, Long Live Debian!

A few weeks ago I decommed my old Gentoo home server, which hadn’t been patched in around three years. A week or so ago I wiped the drives as best I could since they were malfunctioning. I installed my new drives this evening: 2 80GB and 2 500GB SATA drives. They’re RAID1 together in pairs. The 80s will hold the OS and home directories, the 500s are all for media. Right now I have everything on another box with home directories on a VMWare host, media on a USB drive attached to the host, and all the services running in guests. I’m looking forward to migrating things back so I can rebuild the host as Debian 64 bit with VirtualBox.



I wrote about this before. Gentoo was great when I was in college and had plenty of time to muck about with things and get it just the way I want it. Having a full-time job I just don’t have the time.

Tuesday, March 30, 2010

From Stored XSS to DDoS, almost

The backbone of science is sharing your failed experiments so here goes.



I was a little frightened when directed to RFC 2397. Basically it says that included objects that you would reference by a URL can be provided inline in one or more forms. It looks like this:




<img src="data:image/png;base64,alkj2K09….." />




Try it. It’s kind of neat-o. The idea I had was that maybe you could provide a Java applet that way. You can already deliver an applet by reference with XSS but an applet is only supposed to be able to make connections back to the site that it was downloaded from. If you try to connect to anything else, like the target site, it generates a pop-up message that the user has to click through. If I could get the target site to provide the applet it should be able to connect back to the target site without the user being aware.



The fun idea I had was to write a Java applet implementation of the slowloris attack. The really awesome thing if this were possible is that if you find a stored XSS vulnerability in the target site you could get the legitimate users of the site to DDoS it indefinitely. Beyond that, you may be able to make SSH or other authenticated connections back for random password guessing; perhaps the results could be reported back to the attacker via DNS requests. The difficulty (if it worked) is that the target site would have to allow a pretty large stored XSS. If the stored XSS vulnerability is against a TEXT database column you’re fine. If it’s against a VARCHAR(128) and you’re trying to deliver a 1.2KB jar file it’s not going to work.



I could get the applet to work flawlessly at attacking my test web server. It would sometimes even do so without the socket connection sandbox permission dialog popping up. It wouldn’t work properly with the inline jar file though. Eventually I tried Firefox+Sun JRE on Windows and it gave me the error message I needed: unknown protocol: data or something similar.



Maybe this could still work with Flash or some funky contortions with JNLP. I, however, am done working on it.
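On the receiving side, the RFC 2397 form shown in this post is easy to recognise in stored markup: data:[<mediatype>][;base64],<data>. The following is an added Python example, not code from the original post, that parses such URIs and reports media type and decoded size so a site can reject inline objects it does not expect. The sample markup, the allowed-type list and the size limit are constructed assumptions.

```python
# Added example: parse RFC 2397 data: URIs found in submitted markup and report
# media type and decoded size. Sample markup and policy values are constructed.
import base64
import re
from urllib.parse import unquote_to_bytes

ATTR_RE = re.compile(r"""=\s*["'](data:[^"']*)["']""", re.IGNORECASE)
ALLOWED_INLINE_TYPES = {"image/png", "image/gif", "image/jpeg"}   # assumed policy
MAX_DECODED_BYTES = 1024                                          # assumed policy


def parse_data_uri(uri):
    """Return (media_type, decoded_bytes) for data:[<mediatype>][;base64],<data>."""
    if uri[:5].lower() != "data:":
        raise ValueError("not a data: URI")
    header, comma, payload = uri[5:].partition(",")
    if not comma:
        raise ValueError("no comma separating header from data")
    params = [p.strip().lower() for p in header.split(";")]
    is_base64 = len(params) > 1 and params[-1] == "base64"
    media_type = params[0] or "text/plain"           # RFC 2397 default type
    raw = unquote_to_bytes(payload)                  # data may be percent-encoded
    if is_base64:
        raw = base64.b64decode(raw, validate=True)   # binascii.Error is a ValueError
    return media_type, raw


def audit_markup(markup, allowed=ALLOWED_INLINE_TYPES, max_decoded=MAX_DECODED_BYTES):
    """List every data: URI used as an attribute value, with policy findings."""
    findings = []
    for match in ATTR_RE.finditer(markup):
        uri = match.group(1)
        entry = {"uri_chars": len(uri), "media_type": None,
                 "decoded_bytes": 0, "reasons": []}
        try:
            media_type, raw = parse_data_uri(uri)
        except ValueError as exc:
            entry["reasons"].append(f"unparseable: {exc}")
        else:
            entry["media_type"] = media_type
            entry["decoded_bytes"] = len(raw)
            if media_type not in allowed:
                entry["reasons"].append("media type not allowed inline")
            if len(raw) > max_decoded:
                entry["reasons"].append("decoded payload exceeds size limit")
        findings.append(entry)
    return findings


# Constructed sample input: a tiny image header, a 1200-byte archive-like blob
# and a percent-encoded HTML fragment.
PNG_URI = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n").decode()
JAR_URI = ("data:application/java-archive;base64,"
           + base64.b64encode(b"PK\x03\x04" + bytes(1196)).decode())
SAMPLE = (f'<img src="{PNG_URI}" />'
          f'<object data="{JAR_URI}"></object>'
          '<a href="data:text/html,%3Cb%3Ehi%3C/b%3E">x</a>')

if __name__ == "__main__":
    for finding in audit_markup(SAMPLE):
        print(finding)
```

The uri_chars value is the length the stored field has to hold, which is the number that matters for the column-size limit discussed above.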

Monday, March 29, 2010

Ohh...: Does anyone ever talk about what sort of psychological relief Walmart...



Does anyone ever talk about what sort of psychological relief Walmart brought to the individual in the small town, in terms of alleviating the burden of over-judgmental townies who ran the local Rx, hardware, grocery, etc., by offering purchasing anonymity (I mean socially; not in terms of…




Everything lost is something else gained, and vice versa. Walmart has a lot of detractors and a lot of promoters. I haven’t seen this side of the debate before.

DoSassination Market

From Wikipedia:




An assassination market is a prediction market where any party can place a bet (using anonymous electronic money, and pseudonymous remailers) on the date of death of a given individual, and collect a payoff if they “guess” the date accurately. This would incentivise assassination of individuals because the assassin, knowing when the action would take place, could profit by making an accurate bet on the time of the subject’s death. Because the payoff is for knowing the date rather than performing the action of the assassin, it is substantially more difficult to assign criminal liability for the assassination.




What if a site existed where there would be various pools for betting on when a given site’s Denial of Service attack would end. The rules would state that the betting pool site would attempt to retrieve a given site’s root page in its entirety. If it succeeded it would make 9 more attempts randomly dispersed over the next five-minute period. If all of those subsequent attempts succeeded the site would be considered “up”. If any of them failed, the test would begin again after a random delay of between 5 and 60 minutes.



To win the betting pool, Bob has to add to the pool and he has to guess when the DoS will end. The best way for him to make that guess is to extend the current DoS attack with his own and then end his on the moment of his prediction, hoping that any other ongoing attacks have also ceased. As more people participate in this flash DoS, the betting pool grows, bringing more interest to the “contest” and more people who will try their own DoS to win the pool.

Sunday, March 14, 2010

elitehackercontest.meh

Brilliant idea of the day.



I register the domain, “elitehackingcontest.org” or somesuch nonsense. I make sure the website says that the target sites are “realistically simulated Internet sites”. I then just pick random sites on the internet and point target1.elitehackingcontest.org.



I then advertise the crap out of it and let hilarity ensue.

Saturday, March 6, 2010

Alice In Wonderland

Saw “Alice In Wonderland”. Meh. Glad I didn’t pay to see it in sphincter-puckering IMAX 3D. The casting was good, the acting was good… I just felt that it wasn’t engaging.

Thursday, February 25, 2010

Properly Deploying a Private CA Cert in Ubuntu

I think the true strength of the certificate PKI is the ability to set up a CA for your organization and mint your own certs. You get the advantage of proper certificate validation without the cost of paying a third party to validate your identity (snicker).



There are copious sets of instructions on how to create your own CA but I had a very difficult time finding proper instructions on deploying the cert to clients. Most of them simply say, “post it on your web server, visit it in your browser, then click Trust.” That’s fine on your computer but what about a larger organization? Are you going to just tell all your users to do this and expect them to get it done? What about multiple browsers? That kind of solution just doesn’t scale.



In my personal environment my clients are Ubuntu Karmic. I’ve seen some kind of hackish solutions where you put the cert in /etc/ssl/certs then add softlinks or run c_rehash if you’ve read some man pages. After searching the Internet and not getting far I finally started digging through /usr/share/doc/ca-certificates and found the README.Debian file. It states that the proper way to install private CA certs is to put them in /usr/local/share/ca-certificates and ensure that the names end in .crt. Once that’s done you run update-ca-certificates and the appropriate linking is done for you. With that complete you may need to restart your various clients but it should be working for your command line web tools and graphical browsers.



I said visiting a URL in the browser and having users click through dialog boxes was unrealistic. Frankly, it’s cumbersome, but is copying the file out to each machine and running a command any better? Because I run cfengine, absolutely! My additions look something like this:




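control:

    AddInstallable = ( ... NewCACert )
...
directories:
    # 0755 rather than 0666: this directory feeds the system trust store,
    # so only root may write to it and it needs the execute bit to be usable
    /usr/local/share/ca-certificates owner=root group=root mode=0755
...
copy:
    ...
    # cfengine 2 does file copies with dest=/server= under copy:, not files:
    $(masterfiles)/CA/cacert.pem
        dest=/usr/local/share/ca-certificates/lub-dub_CA.crt
        mode=0444
        owner=root
        group=root
        inform=true
        encrypt=true
        define=NewCACert
        server=$(policyhost)
...
shellcommands:
    ...
    # NewCACert is only defined when the copy above installed or changed the cert
    NewCACert::
        "/usr/sbin/update-ca-certificates"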


The only thing missing is the fact that while my desktop systems are Ubuntu my server systems are Debian Lenny. The Karmic version of ca-certificates is 20090814 while the Lenny version is only 20070303. The update-ca-certificates script in the Lenny version doesn’t look in /usr/local/share/ca-certificates so I’ve had to add that myself.

Sunday, February 21, 2010

The Secret Life of Chaos


If you’re even remotely interested in science or mathematics, set aside an hour to watch this.

Wednesday, February 17, 2010

Mitre's 25 Most Dangerous Programming Errors


I look at those things and I fear that people will look at it as “Oh, as long as I do these n items I’m fine.” Those people convince themselves they’re safe when they’re not. If your application has error #26, or #52, or #375, it’s still broken, it’s still insecure. The attackers don’t care if your application has RFI, SQL injection, or has a backdoor account. Anything that lets them in is fine.



In my mind I criticize these kinds of lists but really I think usually the people that make those kinds of lists are earnestly trying to help people and improve the situation. I just think their approach is futile. Then I ask myself if I have a better solution and of course I don’t.



I wonder how long each of the programming errors on that list has been spoken about on the Internet as a hazard. I’m sure each one has been discussed ad nauseam on lists like this for a few years at least. Still, we have programmers who don’t care, programmers who don’t bother reading the list, programmers not aware of the list, and “programmers” who wouldn’t understand the list if it were right in front of them. There is an endless supply of new, bad, and apathetic programmers to replace any corrected by such lists.



Do lists like this make things any better?

Monday, February 15, 2010

Microwave + RFID = Plasma

It would appear that RFID chips in a microwave make plasma, and plasma melts glass microwave turntables. While I understand the latter, I was not expecting the former. The impressive thing was it kicked off at about 2.5 seconds. I wonder if it would have been “safely” destroyed in a glass jar submerged in water, this being a bank card.



Hopefully I’ve never made claims that I’m notably smarter than anyone else.

Friday, February 12, 2010

PCI

The security of a transaction-processing network varies inversely with the value the operators place in PCI.

Tuesday, February 9, 2010

Apply Directly To Brain

Mandelbrot Fractal Set Trip To e214 HD from teamfresh on Vimeo.


Apply directly to brain.

0(mfg)day

The term 0day has lost any significance in meaning. The original meaning was that a public vulnerability disclosure was made and the same day someone produces a working exploit.



Now 0day can mean a lot of things. It usually means something to the effect of “an exploit for which there is no patch available” but depending on who you ask it might mean “an exploit that’s leet because I wrote it”.



I’d like to throw some terms out here that are much more sensible than 0day. The scary thing about 0day is that there isn’t a fix for it. Perhaps in one situation it’s because no one knows about the vulnerability. Maybe the exploit was discovered being used in the wild. In any case, the fear is not that some shadowy person or organization has an exploit that they aren’t sharing; the scary thing is that there’s no fix. It is an unpatched vulnerability. If last Wednesday there was an announcement on bugtraq of a vulnerability in Flash, and today you got hacked (because it’s not Adobe’s Patch October yet) you didn’t necessarily get hacked by 0day. You got hacked by an unpatched vulnerability. Maybe the exploit was created the day of the announcement, maybe it was created days later. It doesn’t matter. You got breached because there was no fix and you didn’t disable Flash.



The term unpatched vulnerability is being used here and there on the Internet already. A term that isn’t being used but really should be is proprietary exploit. At the time of this writing a Google search for “proprietary exploit” (quotes included) returns 449 results. When people talk about 0day exploits because they want to sound cool, what they’re often thinking of are proprietary exploits. These are exploits that aren’t being shared. Maybe the vulnerability isn’t patched, maybe it’s not even publicly known. That’s really the essence of the threat with proprietary exploits: maybe people are breaching your systems using attacks your scanners can’t detect because no one even knows there’s a vulnerability. That’s why people use the term wanting to sound cool, “I’ve got 0day so you can’t keep me out.” Perhaps after some high-profile compromise (Google/Aurora) people will capture samples of the exploit code and figure out what the vulnerability is.



Anyway, the purpose of this is not to inspire fear for threats you can’t fully defend against. I’m just sick of the term 0day and the way it’s used by people who don’t know what they’re talking about. If you understand the difference, will you pick terms with less ambiguity and media baggage?

Sunday, February 7, 2010

Lock Picking Observations

In a previous comment I noted that I intended to share my observations on beginning lock picking. I’ve only really been raking so far, not per-pin picking.



First, it’s very easy to apply too much pressure to the torsion wrench. Start by applying just a little bit of pressure and slowly increase the pressure. The wrenches with the half twist will absorb some of the pressure by bending so they may be a good choice while you get a feel for the right amount of pressure. The downside is that you lose some of the sensitivity of what’s going on with the plug. While I was getting a feel for it I would vary the pressure as I was raking. Sometimes I would let up too much and give up pins I had set, sometimes I would press too hard and false set some pins. Eventually my hands learned the proper range of pressure. If you eat sushi I think the right pressure range is what you might use picking up a cut roll with chopsticks. If you don’t eat sushi, you’re missing out.



Second, the raking pressure should also be pretty light. I think of it like brushing teeth. You’re not trying to rub your gums off but you are trying to remove plaque. Raking too hard has less of a negative impact than applying too much torsion.



Third, don’t try too hard. The more you work at it the less success you have. Keep your practice lock, torsion wrench, and pick/rake at your desk. Pick them up and fiddle with them when you’re thinking or need to take a break. Just don’t focus on it. Your hands need to figure things out on their own. I found that my first half dozen or so times getting my practice lock open I was absently fiddling and had no idea what I had done to make it work. Every time I’d try to figure it out and get nowhere. When I stopped paying attention I eventually found that my hands just knew what to do.

4chan

4chan is an Internet fever dream.

Thursday, February 4, 2010

Spoofing For Charity... or Not

The media is reporting a lot about SMS charities. You send a text message to a certain number and your cell phone company bills you $10 or whatever. The company keeps a percentage or flat fee and passes the rest on to a charity. It’s a very convenient way for charities to get money. Of course it’s huge for Haiti charities.



What if you set up your own SMS “charity”? Then you get yourself a PBX system that can send text messages with whatever caller/sender number you want. You then send out texts to thousands of cell numbers with the caller/sender as your charity number. The messages you send are those that are likely to elicit a response, even if just a “WTF?”. Perhaps they say, “Where are you?” or “Who is this?” or “I just found out she’s bi” or “Mom’s dead” (thanks Aaron). People reply to ask you who you are or what you’re talking about and boom you just made $10.



Maybe if you’re nice(ish) you spoof the number of a real charity. Of course, a lot of those people would want it taken off their bill which means it would have to be taken back from the charity. This would really be the opposite of nice(ish).

Monday, February 1, 2010

Ain't No Mountain High Enough

Some of my friends know that I have clinical depression. For the most part I have it licked; I was on medication for a couple years while I learned how to deal with it. Now I occasionally go through some bad patches but they usually don’t go on for longer than a week. I’ve learned that if I just wait them out they’ll pass. I had been stuck in one for all of January which finally broke last Saturday.



Something people often don’t understand about depression is how it impedes your ability to get simple, important things done. Even when depressed if you have a gun to your head you can usually do just about anything required of you but there never really is a gun held to your head. Frankly you can probably do the laundry tomorrow when you might feel better. Today you just feel terrible.



Used to be I couldn’t get much of anything done. I couldn’t go grocery shopping, I couldn’t take care of our pets, I couldn’t get my bills paid even though I had the money. This month I could take care of the bills mostly. I could go grocery shopping because we’re pretty thoroughly resolved not to go out to eat during the week. I could take care of the pets because I’ve seen how much happier they’ve been when I’m taking care of things properly. The laundry had been piling up on the floor and the dishes piling up in the sink because I just couldn’t muster the will to take care of them. Saturday it broke, I felt great, and I knocked those things out. Overall this bad patch wasn’t as bad as they’ve been in the past but it was much longer for reasons unknown.



I was explaining the situation to a friend and he had a hard time understanding lacking the will to take care of these basic, small things. He did acknowledge that there was a reason for it but that he didn’t have the experience to wrap his head around it.



Eventually I thought of a way to explain it that I hadn’t really thought of before. If you’ve ever been exposed to a motivational speaker or anyone similar you’ve probably heard something to the effect of: If you have the will to succeed, the size of the challenge doesn’t matter. The idea here being that the challenge can be very, very large but the will to succeed will make you overcome the challenge. Here’s another version that is also true: If you lack the will to succeed, the size of the challenge doesn’t matter. In this case the challenge can be very, very small but lacking the will to succeed will make it insurmountable.



Depression robs you of your ability to try, even things you’re good at and you know you can succeed at.

Sunday, January 31, 2010

Locks... not so much

I started practicing lockpicking with a basic set of lock picks. So far I’ve really just been raking and I’ve found that the C rake works best for me. I’ll eventually work up to per-pin picking but for now I’m happy just having success raking and getting a feel for things.



I’ve been practicing on a cheap padlock I got at a grocery store. A few minutes ago I took a try at my second lock - the deadbolt on my front door. First try took about 30 seconds to figure out the space I could move the rake in. Once I started raking it took about 10 seconds. Thinking I might have gotten lucky I locked it again and it took about 5 seconds to find the working space again and then another 10 seconds to rake it open.

Tuesday, January 19, 2010

Colo Cage Hunting

I love colo cages because a lot of people think they alleviate the need for cabinets. Just put up four-post racks in your cage and you’re done. The cage gives you all the physical security you need.



I was told the phrase “the cage will keep malicious people from plugging things in”. Aside from the fact that cages can’t sense intent, I don’t think it can keep anyone from plugging things in.



I’d like to tell you a story. The story is about a hunter and his niche - hunting in colo cages. Here’s a photo:



Rawr!



That’s quite a mighty spear he has. Can it penetrate the hearty flesh of your protective colo cage? Let’s take a closer look:



Careful! U3 Poison!



Oooo… looks like U3 Poison. That’s nasty, particularly on Windows systems before Server 2008. Will it have an effect on his game? His quarry today is one of the young of his normal prey, the rackmount server. Perhaps he has a taste for veal:



Isn't it cute?



He stalks his prey into the bush of the cube prairie. Outside its normal protective cage the little one is even more vulnerable. Our hunter attacks!



He pounces!



Quite a nail-biter! Will the hunter get to eat or will the young one escape to live another day?



It's a kill!



Looks like our hunter was too fast. Would the little one have survived had he been in his cage? Seems doubtful. That spear is pretty long and could be even longer. This one was rather “field expedient”. He could possibly keep a collapsible, elastic-corded tent pole on his survival pack (netbook bag). What if the U3 poison wouldn’t work on the larger beasts? Many of those larger beasts have an unused but enabled second network interface. Many beasts will react to a new Ethernet link by asking for DHCP. Other beasts might have a FireWire orifice which bypasses their immune system.



If you tend to beasts like this, keep the hunters at bay. Put cabinets in your cage or spay/neuter them using connectors with the cables clipped off. It’s even possible to find chastity belts for yours.
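A way to find those exposures before the hunter does, as an added example that is not part of the original post: it assumes Linux hosts and reads the interface flags and link state from `/sys/class/net` and the loaded modules from `/proc/modules`. The `demo()` host is constructed so the check runs anywhere.

```python
import os
import tempfile

IFF_UP = 0x1        # interface is administratively enabled
IFF_LOOPBACK = 0x8
DMA_MODULE_PREFIXES = ("firewire_", "ohci1394")  # newer and older FireWire stacks

def _read(path):
    try:
        with open(path) as handle:
            return handle.read().strip()
    except OSError:
        return None

def idle_enabled_interfaces(sysfs_net="/sys/class/net"):
    """Interfaces that are enabled but have no link: a cable is all they need."""
    idle = []
    for name in sorted(os.listdir(sysfs_net)):
        flags = _read(os.path.join(sysfs_net, name, "flags"))
        if flags is None:
            continue  # not an interface directory
        bits = int(flags, 16)
        if bits & IFF_LOOPBACK or not bits & IFF_UP:
            continue  # loopback, or already disabled
        if _read(os.path.join(sysfs_net, name, "carrier")) == "0":
            idle.append(name)
    return idle

def firewire_modules(proc_modules="/proc/modules"):
    """Loaded kernel modules that drive a FireWire (DMA-capable) port."""
    listing = _read(proc_modules) or ""
    names = [line.split()[0] for line in listing.splitlines() if line.strip()]
    return [n for n in names if n.startswith(DMA_MODULE_PREFIXES)]

def demo():
    # Constructed host: eth0 in use, eth1 enabled but unplugged, eth2 disabled.
    sample = {"lo": ("0x9", "1"), "eth0": ("0x1003", "1"),
              "eth1": ("0x1003", "0"), "eth2": ("0x1002", "0")}
    with tempfile.TemporaryDirectory() as root:
        for name, (flags, carrier) in sample.items():
            os.makedirs(os.path.join(root, "net", name))
            for fname, value in (("flags", flags), ("carrier", carrier)):
                with open(os.path.join(root, "net", name, fname), "w") as fh:
                    fh.write(value + "\n")
        with open(os.path.join(root, "modules"), "w") as fh:
            fh.write("firewire_ohci 40960 0 - Live 0x0\ne1000e 286720 0 - Live 0x0\n")
        return (idle_enabled_interfaces(os.path.join(root, "net")),
                firewire_modules(os.path.join(root, "modules")))
```

Called with no arguments on a real host, both functions read the live system; anything they return is a candidate for disabling in the OS or blocking physically.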

Friday, January 15, 2010

Copying Windows Binaries

Maybe this is piracy, maybe it’s not. I have a tool installed on my computer and when new programs are installed it discovers them and pops up a lovely prompt asking if I will allow the executable to be copied to some computer somewhere. I haven’t looked into it deeply but it doesn’t seem to be aware of software licenses and whether the license for that binary allows for it to be redistributed. Maybe it is and maybe it’s not. It doesn’t seem like the tool is based on some kind of prior agreement between the tool author and the owners of each and every software package that it’s prompted me to allow copying their binaries. If it did, it doesn’t seem like it would need to ask me if it’s okay, except to honor my privacy. Maybe this copying falls under “Fair Use” or maybe it’s just not worth suing over. Maybe it’s piracy and I’m an accomplice.



The tool in question seems to be an inherent feature of Windows 7. It may have been in Vista, which I skipped. If I recall correctly the prompt says it’s part of Windows Defender which I believe is part of Windows security. The obvious conclusion is that it’s grabbing the file to analyze it for malware. If it is, it seems like it could just run a few different cryptographic hash functions over it and if any one of them differs, then it copies the file. I don’t think it’s doing that because I’m sure I’m not the first person to install the latest Acrobat Reader appropriate for my platform. What are they doing with them? Maybe we help them collect binaries for competitive analysis and it’s not just strictly for security.
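The hash comparison suggested above, written out as an added example; it is not Windows Defender's actual logic, which this post does not describe. The list of known records and the sample bytes are constructed, and the choice of SHA-1, SHA-256 and SHA-512 is an assumption.

```python
import hashlib
import io

ALGORITHMS = ("sha1", "sha256", "sha512")

def fingerprint(stream, chunk_size=65536):
    """Read the binary once and feed every hash function from the same chunk."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def should_submit(fp, known_records):
    """Decide whether the file itself has to be copied for analysis.

    known_records is a hypothetical list of fingerprints the service already
    holds. The copy is skipped only when one record agrees on every digest.
    """
    for record in known_records:
        agree = [record[name] == fp[name] for name in ALGORITHMS]
        if all(agree):
            return (False, "already known")
        if any(agree):
            # Same value under one function, different under another:
            # a collision or a tampered record, so the bytes are worth having.
            return (True, "digests disagree")
    return (True, "never seen")

def demo():
    # Constructed sample bytes standing in for installed executables.
    reader = b"MZ" + b"constructed sample installer" * 4096
    patched = reader.replace(b"installer", b"instaIIer", 1)
    known = [fingerprint(io.BytesIO(reader))]
    forged = dict(known[0], sha512="0" * 128)
    return [
        should_submit(fingerprint(io.BytesIO(reader)), known),
        should_submit(fingerprint(io.BytesIO(patched)), known),
        should_submit(fingerprint(io.BytesIO(reader)), [forged]),
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Only the digests have to leave the machine for the first decision; the file is copied when no stored record matches on all three.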



Maybe it isn’t enforceable or no one would dare sue Microsoft, but it seems to me like I’m violating someone’s copyright or license.

GPEN Certified

I just passed my GPEN at 94%. Wewt.

Thursday, January 14, 2010

Chinese Server

I need to get a server in China. Then if I hack something or use it as a phishing site people will just assume the big, mean, Chinese government is behind it.

Tuesday, January 12, 2010

I Have Comments Now

Sorry about that, Richard. I’ve wanted to have a comment system for a while but tumblr doesn’t have built-in support for it and I was just lazy. I had to switch templates or hack up the HTML and I really want nothing to do with HTML.

Monday, January 11, 2010

On Being a Bastard



I’ve probably been kicked out of #perl by mst. I also probably deserved it.

Most technical discussions of security are in a context with no practical constraints.



In practice you have constraints you have to work around. You have a limited budget, limited man-hours, user requirements. All of these affect the security-effort and security-usability curves.



For every security policy and tool you want to implement you have to weigh the effort and usability effects against the security it will offer, and you have to understand the needs of your users as part of that.

It Wasn't Me, It Was the Seeder Worm

The media cartels like to hold the user of an IP address liable for any file sharing done through that IP. So if someone breaks into your WiFi and runs BitTorrent it’s your fault. To some degree I believe that it’s the responsibility of the individual to secure their network, but that problem is basically intractable. At any rate, you could have DMCA invoked on you for whatever happens on your assigned IP address. I’m fairly sure the legality of this is debatable, especially looking at the response templates provided by the EFF for Tor users, but I’m a hacker not a lawyer.



Who’s liable if my server gets infected with Slammer or Conficker? It came to my system from some other system. Shouldn’t the owner of that IP be liable? I haven’t heard of any legal pursuit to that effect. It would seem that if you get infected with a worm it’s not your fault and you won’t be held liable.



To put this in perspective, if someone gains access to your network and uses it for file sharing you’re liable because you control the security of your network. If your system gets a worm and is infecting other systems on the Internet you’re not liable, even though you control the security of your server. Worms cost definite, calculable loss of revenue. File sharing may cause loss of revenue but no one’s really sure and there’s no way to know how much.



What if the next big worm surreptitiously installs a minimal BitTorrent client. It then randomly grabs one of the top 100,000 torrents from one of the top 50 torrent sites and runs it to seed? What if the next Java plugin/Flash/Acrobat/ActiveX exploit did the same? What if this seeder tool was created as a Metasploit payload?



Are you liable for file sharing because you got infected with malware?

Thursday, January 7, 2010

Avatar in sphincter-puckering IMAX 3D

Saw Avatar again, this time in IMAX 3D. If you haven’t seen Avatar and have access to see it in IMAX 3D (not just regular 3D or regular IMAX) I recommend doing that first instead of in a normal theater.



The 3D was pretty good. In scenes with a lot of action the 3D seemed to get fuzzy. When a scene had a tight depth of focus it kind of messed with me. I think my brain recognized the 3D and as my eyes searched around they couldn’t bring arbitrary objects into focus (because they were out of focus for the camera).



It was a great movie at a normal theater but the IMAX 3D definitely added a lot. That’s not to say that all movies should be in 3D… there weren’t a lot of things flying at the viewer for 3D shock effect. It was well used.



I think there’s still a lot of work to be done in 3D. The focus issue was often somewhat distracting but I’d say it was worth it.



Anyway, I realized something on this watching: the height of evolution is growing a USB port.