How Does Society Change as Privacy Evaporates?
2013-05-17 20:41:31 by chort
I was listening to the Risky Business podcast episode on analyzing DPRK agricultural production from public satellite data. This got me musing; if anyone can learn so much about one of the most secretive areas of the world using public data, what does that say about how much could be learned in open societies?
- Comments (0)
Quasi-review: The Way of the Knife
2013-04-25 20:54:58 by chort
I'm not really good at book reviews, but this one is worth jotting a few things down.
- Comments (0)
Rights: Not Just For People You Like
2013-04-19 21:37:49 by chort
In the wake of the Boston Marathon bombing, fear-mongers are falling over themselves in an attempt to out-do each other with the most "patriotic" response. That is to say, they've been competing for who can suggest suspending the most/greatest rights in their haste to bring perpetrators to "justice" (vengeance).
To these people, no right is too dear, no consequence is too great, to stop invasive surveillance, religious/ethnic persecution, or imposition of martial law. Don't take my word for it, read what they said for yourself.
- Comments (0)
A Special Message For Tickets.com
2013-03-28 21:14:14 by chort
After spending 15 unsuccessful minutes doing battle with their website and infuriating phone menu, I sent an email to customerhelp@tickets.com in a last-ditch effort to actually be able to spend money on them.
I have to complain about the huge waste of time to walk through the annoying, automated phone menu with no hope of talking to a human. It's ridiculous for the synthetic voice to have a name, and it's patronizing for the message to claim "I found the seat you're looking for" when the only piece of information I supplied was a price. I was never given an option to select a section, side of the stadium, deck level, etc. How does your ignorant system determine that the seat it chose is one I'll enjoy sitting in? If your phone system was designed to piss people off, your product folks have done an outstanding job. If instead, they were trying to design a system that people would enjoy using and that would actually help them find what they wanted, perhaps you should actually use human beings who can listen and understand.
PS charging me an $8 "convenience fee" for using your phone menu must be one of these ironic hipster jokes I hear so much about.
- Comments (0)
Arrogant Anti-virus Doesn't Appreciate Your Choices
2013-03-15 08:00:35 by chort
I'm all for having safe defaults in security software, i.e. erring on the side of turning on protection, and leaving it up to the user to disable it if they feel it's too restrictive. Recently I had an experience with a particular anti-virus program that went well beyond this. Every time I turned my head, the program had overridden my choices.
- Comments (6)
Building YARA 1.7 on OSX
2013-03-05 21:10:11 by chort
Several people have been having issues building YARA on OSX. This is what I did to get it working on Snow Leopard with Macports. Tested working with -r 164.
$ sudo port install re2
$ svn checkout http://yara-project.googlecode.com/svn/trunk/ yara-project-read-only
$ cd yara-project-read-only
$ export LDFLAGS='-L/opt/local/lib'
$ export CPPFLAGS='-I/opt/local/include'
$ aclocal
$ automake
$ autoconf
$ ./configure --with-re2
$ ./bootstrap.sh
$ make
$ sudo make install
POW!
$ cd yara-python
$ python setup.py build
$ sudo python setup.py install
PS the first version of this blog post missed ./bootstrap.sh, which is required.
- Comments (0)
Export and Import GPG Secret Keys with OpenSSL Protection
2013-03-03 14:37:50 by chort
Sometimes I need to move GPG/PGP secret keys around, but I get very nervous about having them "in flight." Of course the passphrase protects the key, but call me paranoid. I had been encrypting with OpenSSL, then decrypting right before import, then rm -P (or shred -u) the file. Wouldn't it be nice to skip the step of having the key decrypted on disk at all? Turns out gpg can read from STDIN (and so can OpenSSL), so it's very simple.
srchost$ gpg --export-secret-key -a "user@domain" \
    | openssl aes-256-cbc -a -salt -out user.key.enc
dsthost$ openssl aes-256-cbc -d -a -in user.key.enc \
    | gpg --allow-secret-key-import --import -
gpg: secret keys imported: 1
- Comments (0)
I Think Ankit Fadia Is A Fraud
2013-02-18 10:06:06 by chort
You may have heard of Ankit Fadia at some point through the mainstream media. At first glance, his story is one of those made-for-TV scripts of a child prodigy. What you probably don't know is he's widely believed in the security industry to be a charlatan. Everyone is entitled to their own opinion of course, but I invite you to read the long list of supporting evidence that has been compiled by the folks at attrition.org. Most damning, in my mind, is the list of books Ankit Fadia "wrote" that contain blatant plagiarism. At the time of this writing, all 7 of his books reviewed by attrition.org contained plagiarism.
The message here is pretty clear: Don't use Ankit Fadia as a source for anything. The only thing he should be on TV for again is explaining why he ripped off so many people's work without giving them proper credit.
- Comments (0)
On Goals, Part 2: Call to Action
2013-02-02 14:42:42 by chort
In part 1 I outlined what I believe to be some of the fundamental, strategic problems facing Western society, and in a general sense how it applies to US businesses. In this part I'm going to relate that to specific courses of action and how anyone reading this can change their behavior to shape a better future.
- Comments (0)
On Goals, Part 1: Statement of Values
2013-02-02 13:26:46 by chort
One of the things I don't do well, that I feel is characteristic of the InfoSec discipline as a whole, is setting goals. I'm talking about relevant, worthwhile, and attainable goals. In their absence, it's easy to busy ourselves with tactical issues.
When thinking about goals, it makes sense to first define your values, so you can choose goals that align with or advance your values. One of the values I hold dearly is building a future that my offspring have the opportunity to enjoy. That means many things, but one that I think about frequently is the global economic situation and where the Western world, particularly the United States of America, fits into it. I think far too many people have allowed instant gratification to confuse tactical decisions with strategic decisions. If we're serious about giving our kids the opportunities we had, we need to make sure our nation and democratic values are strongly positioned in the global market.
If this all sounds very grand and abstract, that's because it is. Please be patient, since it's a necessary foundation for the rest of this post, which gets into very actionable and practical steps. It has everything to do with Information Security and how we live our daily lives.
- Comments (0)