Trust, Safety, And The NSA

2013-09-05 21:32:11 by chort

If you have any interest in security or privacy, you've probably read the revelations today that the NSA has been actively trying to subvert commonly available and commercial crypto. If for some reason you haven't read Bruce Schneier's essays on the topic, you should do so now.

The NSA is supposed to be protecting Americans and keeping us safe from threats. One way of doing that is to surveil adversaries and get advance warning of their plans to do harm. The NSA has unparalleled ability to collect intelligence, does pioneering research into threat detection, and has vast resources to bring to bear. As a result, they see a lot more threats than anyone else, and they can see the failings of many domestic victims who are being attacked. It appears that the NSA has lost faith in the ability of domestic organizations to protect themselves, and thus feels that it is the last, best, and only chance to protect Americans.

Read the rest of this story...

Tiers of Penetration Testing Maturity

2013-08-29 21:09:08 by chort

Today Dave Aitel (presumably in response to a certain company announcing their "0day pentesting partnership") decided to dredge up an old post from Haroon Meer related to 0days and penetration testing. The basic point by Haroon was, what exactly is this testing? The conversation on Twitter brought up some good points, which prompted me to write a longer analysis of why I think most pentesting is a total waste of time.

Read the rest of this story...

Belittling Opponents Belies Reasoned Debate

2013-08-24 15:32:55 by chort

Thus far I've avoided blogging about the US domestic surveillance scandal. Most of my opinions have been advanced by others, so restating them here would serve little use. However, today an aspect of the debate struck me that I think deserves closer examination.

Read the rest of this story...

How Does Society Change as Privacy Evaporates?

2013-05-17 20:41:31 by chort

I was listening to the Risky Business podcast episode on analyzing DPRK agricultural production from public satellite data. This got me musing; if anyone can learn so much about one of the most secretive areas of the world using public data, what does that say about how much could be learned in open societies?

Read the rest of this story...

Quasi-review: The Way of the Knife

2013-04-25 20:54:58 by chort

I'm not really good at book reviews, but this one is worth jotting a few things down.

Read the rest of this story...

Rights: Not Just For People You Like

2013-04-19 21:37:49 by chort

In the wake of the Boston Marathon bombing, fear-mongers are falling over themselves in an attempt to out-do each other with the most "patriotic" response. That is to say, they've been competing for who can suggest suspending the most/greatest rights in their haste to bring perpetrators to "justice" (vengeance).

To these people, no right is too dear and no consequence too great to stand in the way of invasive surveillance, religious/ethnic persecution, or the imposition of martial law. Don't take my word for it, read what they said for yourself.

Read the rest of this story...

A Special Message For Tickets.com

2013-03-28 21:14:14 by chort

After spending 15 unsuccessful minutes doing battle with their website and infuriating phone menu, I sent an email to customerhelp@tickets.com in a last-ditch effort to actually be able to spend money with them.

I have to complain about the huge waste of time to walk through the annoying, automated phone menu with no hope of talking to a human. It's ridiculous for the synthetic voice to have a name, and it's patronizing for the message to claim "I found the seat you're looking for" when the only piece of information I supplied was a price. I was never given an option to select a section, side of the stadium, deck level, etc. How does your ignorant system determine that the seat it chose is one I'll enjoy sitting in? If your phone system was designed to piss people off, your product folks have done an outstanding job. If instead they were trying to design a system that people would enjoy using and that would actually help them find what they wanted, perhaps you should actually use human beings who can listen and understand.

PS charging me an $8 "convenience fee" for using your phone menu must be one of these ironic hipster jokes I hear so much about.

Arrogant Anti-virus Doesn't Appreciate Your Choices

2013-03-15 08:00:35 by chort

I'm all for having safe defaults in security software, i.e. erring on the side of turning on protection and leaving it up to the user to disable it if they feel it's too restrictive. Recently I had an experience with a particular anti-virus program that went well beyond this. Every time I turned my head, the program had overridden my choices.

Read the rest of this story...

Building YARA 1.7 on OSX

2013-03-05 21:10:11 by chort

Several people have been having issues building YARA on OSX. This is what I did to get it working on Snow Leopard with MacPorts. Tested working with svn revision 164 (-r 164).

$ sudo port install re2
$ svn checkout http://yara-project.googlecode.com/svn/trunk/ yara-project-read-only
$ cd yara-project-read-only
$ export LDFLAGS='-L/opt/local/lib'
$ export CPPFLAGS='-I/opt/local/include'
$ aclocal
$ automake
$ autoconf
$ ./configure --with-re2
$ ./bootstrap.sh
$ make
$ sudo make install

POW!

$ cd yara-python
$ python setup.py build
$ sudo python setup.py install

PS: the first version of this blog post missed ./bootstrap.sh, which is required.

Export and Import GPG Secret Keys with OpenSSL Protection

2013-03-03 14:37:50 by chort

Sometimes I need to move GPG/PGP secret keys around, but I get very nervous about having them "in flight." Of course the passphrase protects the key, but call me paranoid. I had been encrypting with OpenSSL, then decrypting right before import, then rm -P (or shred -u) on the file. Wouldn't it be nice to skip the step of having the key decrypted on disk at all? It turns out gpg can read from STDIN (and so can OpenSSL), so it's very simple.

srchost$ gpg --export-secret-key -a "user@domain" \
| openssl aes-256-cbc -a -salt -out user.key.enc

dsthost$ openssl aes-256-cbc -d -a -in user.key.enc \
| gpg --allow-secret-key-import --import -

gpg:    secret keys imported: 1
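Two caveats a practitioner should keep in mind with the pipeline above. First, a bare `openssl aes-256-cbc` with a passphrase derives the key with EVP_BytesToKey, a single digest pass over passphrase and salt, so the passphrase has to be strong; OpenSSL 1.1.1 and later can use PBKDF2 with a configurable iteration count instead. Second, CBC mode gives confidentiality but no integrity, so a modified ciphertext will decrypt to garbage (or a subtly altered key block) without any error from openssl; compare a digest of the armored export on both ends before importing. The following script is an added example written for this page, not the original post's commands: it wraps the same export/import pipeline in shell functions that use PBKDF2, carry a SHA-256 of the armored key alongside the ciphertext, and verify the round trip on constructed stand-in data so it can be run without gpg. The environment variable name KEYWRAP_PASS and the iteration count are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes openssl >= 1.1.1
# (for -pbkdf2 / -iter) and a passphrase in the environment variable
# KEYWRAP_PASS (hypothetical name chosen for this example).

# Encrypt stdin to stdout (base64 armored). -pbkdf2 with 200000 iterations
# replaces the single-pass EVP_BytesToKey derivation that a bare
# "openssl aes-256-cbc" uses.
wrap_key() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -a -pass env:KEYWRAP_PASS
}

# Decrypt base64-armored ciphertext from stdin to stdout; the same KDF
# parameters must be given on the destination host.
unwrap_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a -pass env:KEYWRAP_PASS
}

# CBC has no integrity protection, so carry a SHA-256 of the armored key
# next to the ciphertext and compare it on the destination before importing.
fingerprint() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# Round-trip check on constructed input: the plaintext lives only in pipes
# and shell variables, the ciphertext goes to a temp file just as
# user.key.enc would. Returns 0 when decrypt(encrypt(x)) == x and the
# digests agree, 1 otherwise.
roundtrip_check() {
    input="$1"
    encfile=$(mktemp)
    expected=$(printf '%s\n' "$input" | fingerprint)
    printf '%s\n' "$input" | wrap_key > "$encfile"
    out=$(unwrap_key < "$encfile")
    actual=$(printf '%s\n' "$out" | fingerprint)
    rm -f "$encfile"
    [ "$out" = "$input" ] && [ "$actual" = "$expected" ]
}

# Real-world usage (not executed here):
#   srchost$ gpg --export-secret-key -a "user@domain" | tee >(fingerprint) | wrap_key > user.key.enc
#   dsthost$ unwrap_key < user.key.enc | tee >(fingerprint) | gpg --import -
# (the tee/process-substitution form needs bash; in plain sh, pipe the export
# through fingerprint once and through wrap_key once.)
```

On the destination host, refuse the import if the printed digest differs from the one recorded on the source host; that is the integrity check openssl's CBC mode does not give you.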