Courage is Temporal, or: USA's Overdeveloped Sense of Heroism

2011-11-20 20:37:44 by chort

In struggling to come to grips with what the Occupy Wall Street movement really means to society, I realized there had been a serious shift in public perception of law enforcement--at least by the white middle class*. If we think back 10 years, nearly everyone was heralding law enforcement and other first-responders as heroes, for risking their lives at the World Trade Center site. If we look at the press today, we see police, sheriff, and campus security forces being roundly criticized for widely publicized incidents of violence. Public officials appear to have been caught off-guard and their response has ranged from bipolar (Jean Quan, in Oakland) to defiant (Michael Bloomberg, New York City). What accounts for this change?

Read the rest of this story...

Notes on GPU-based Hash Computation

2011-10-29 16:03:45 by chort

In the last few weeks I've learned a lot about applying GPUs to break password hashes. I'd like to thank @ErrataRob for writing the blog post that got me started in this field. If you haven't read Rob's post, I highly recommend you do that first, because this post builds on it. Don't buy a graphics card until you've read my post though, because there are some important updates.

Read the rest of this story...

The Death of Meritocracy?

2011-10-29 00:15:49 by chort

You must be living under a rock to not know about the Occupy Together protests that are happening right now in the United States, and other countries around the world. There has been a lot of press coverage trying to come to grips with what it is that the protesters are actually upset about. One of the best pieces on protester sentiments is this one in Rolling Stone. The gist of it is that Wall Street tycoons aren't getting rich by working hard and having better ideas, they're doing it by cheating the system. While I agree with this assessment, there's more to it.

Read the rest of this story...

How Casey Anthony is like Spam

2011-07-28 23:48:35 by chort

Unless you're living under a rock, you're aware of some public outrage over the acquittal of Casey Anthony on the most serious charges against her. As is usually the case when someone widely believed to be guilty is not convicted, there are all kinds of demands for new laws, criticisms of the jurors, etc. Everyone is so concerned with trying to prevent cases from falling through the cracks that they don't stop to think about how well the system actually does work in general, particularly how rare it is that people are wrongly convicted (rare, but sadly not impossible). It strikes me that this issue is very similar to one I know a lot about.

Read the rest of this story...

Lulzsec, Lies, and the Call to Wake

2011-06-27 00:03:05 by chort

For the past 50 days LulzSec has captured the attention of the information security community, the mainstream media, and just about every other kind of media. Has anyone stopped to wonder what it is that causes the LulzSec saga to be so "sticky?"

Read the rest of this story...

Hey secure.onlineticketorders.com, your website makes me nervous

2011-06-24 16:27:04 by chort

Don't you just love those sites that try to make you feel "extra safe" by putting padlock images on everything, even the "next" button?

Read the rest of this story...

Creating Stickiness Without FUD

2011-06-11 22:22:10 by chort

I must be the last person in the world reading The Tipping Point by Malcolm Gladwell. The book is full of relatable concepts, but the one that's struck me the hardest so far is how a university professor was able to convince students to get tetanus shots.

Read the rest of this story...

Cyberwars are real, but not what you think

2011-05-26 14:08:33 by chort

It struck me today that events are in motion for unavoidable cyber-conflicts. This statement won't shock anyone, since sensationalists have been predicting "a digital Pearl Harbor" for years. I don't agree with the predictions. In fact, I don't think it's likely that any warfare-like confrontations between nation states in cyberspace will happen in the near future. Sure, there's rampant electronic espionage, but that hardly counts as warfare.

I think we're already seeing the beginning skirmishes in far more important events. We've seen protestors in various oppressed countries fighting to circumvent filtering and outright disconnection. We've seen massive DDoS attacks against draconian "Big Content" companies in retaliation for their heavy-handed treatment of their own customers. We've seen resourceful people overcome collateral damage caused by clumsy and ignorant government attempts to censor the Internet right here in the United States.

I don't see these events as anomalies or outliers. I see them as precursors. I think there's a strong undercurrent of opposition to the increasing attempts by governments and extremely large corporations to infringe on individual rights. In spite of that, it seems executives of these corporations are determined to forge ahead with rights-trampling legislation to restrict how individuals can access the Internet.

So what happens when out-of-touch elites try to enforce their will on the vast unwashed masses? That's when you get cyberwar. The people enacting new surveillance and censorship measures are forgetting that digital is the great equalizer. Any kid with a $200 laptop can take down a multi-billion dollar corporation. The more laws Big Content lobbyists have passed to make life miserable for average citizens, the more Anonymous* members they are going to create. It's difficult, although not impossible (as dramatically shown in the Middle East this year), to physically resist power. To digitally resist power is nearly effortless. Those in favor of extreme enforcement of content "rights" are picking a fight they cannot reasonably be expected to win. The only question is how long it will take them to lose.

*To be clear, I'm not now, nor do I ever plan on being a member of Anonymous.

De Facto Wars

2011-05-05 00:12:03 by chort

Recently I became involved in a debate with Jacob Appelbaum regarding the legality of US forces killing Osama bin Laden. Jacob contends that bringing bin Laden to justice is essentially a law enforcement matter and as such he is afforded a trial (making his recent death illegal). I disagree. Due to the limitations of Twitter we were not able to have a real debate. I'm going to present my side here.

Read the rest of this story...

What if We Have the RSA Token Threat Backwards

2011-04-18 22:59:03 by chort

Thus far, all the speculation I've seen regarding the RSA SecurID breach centered on speculation that if attackers could somehow discover the serial numbers of tokens in use, they could derive the seed and whittle it down to 1-factor authentication. The advice from RSA certainly lends credibility to that theory, since they're essentially telling customers to double the length of the PINs in use, exponentially increasing the difficulty of guessing that factor.

If we accept the claim (and I am not suggesting we should merely for being asked to) by RSA that the attack was sponsored by an arm of the Chinese Communist government (let's drop the diplomatic "APT" BS), then perhaps there is another threat vector we haven't considered. As we know, plenty of counterfeit gear is manufactured in China. There is also speculation that what was stolen was not the seed database itself, but the serial-to-seed mapping algorithm. Imagine if they were able to create knock-off SecurID tokens that actually worked, then pollute the supply chain through resellers, and have them end up in organizations that are later targeted for break-ins.

It's clear from past behavior that the Chinese government and/or military are willing to take the long view on industrial espionage. I'm sure they wouldn't mind waiting for this gear to infiltrate high-value organizations. Besides, imagine if they added a few "bonus" features to the tokens, such as cellular radios and microphones.

No, I don't have any inside information; this is all speculation on my part. This is just an angle I haven't heard anyone mention yet.

Integrating PF with Fail2ban 0.9

2011-03-20 20:27:04 by chort

Many security practitioners are familiar with Fail2ban, an application that scans log files for various types of suspicious failures and bans the source IP after too many attempts. Most users implement it to protect their Linux systems (via Netfilter/iptables and TCP wrappers), but it also includes methods for Sendmail and IPFW (FreeBSD and OS X).

What is notably missing from the above list is the wildly popular PF (Packet Filter). It was originally designed by Daniel Hartmeier to replace IPF in OpenBSD, but has since been adopted by FreeBSD, NetBSD, and DragonFly BSD. PF is widely embraced due to the simplicity and clarity of the syntax, and the comprehensive array of professional-grade features available.

Ironically, PF is probably better known now due to FreeBSD than the originating project, OpenBSD. It's somewhat startling that no one has yet included PF support in Fail2ban. It's also disappointing that Apple hasn't switched from IPFW to PF as their packet filtering firewall (hint hint).

In the spirit of the Open Source "submit a patch or GTFO" mentality, here's how you can use Fail2ban to insert rules into your PF firewall.

Read the rest of this story...

US Populace Doesn't Understand Satire

2011-03-07 14:00:44 by chort

I've been noticing a trend lately. The people participating in online "communities" these days are so blinded by the perceived inherent rightness of their beliefs that they are unable to see how their opinions are viewed by others.

This first struck me in an obvious way as I wasted a perfectly good night on YouTube a few weeks ago. I got sucked into The Key of Awesome. It's a YouTube channel that parodies pop music (fairly well, in my opinion). The creator often reads feedback on camera, most of which is facepalm-inducing. Most of the criticism goes along the lines of "dear so-and-so, I really love most of your videos, but the one about [my favorite artist] was totally ignorant! [my favorite artist] is awesome, and the fact that you made fun of them shows you don't understand their genius!"

What the hell is wrong with these people that they think any artist could be so perfect as to transcend criticism, or even caricature? They apparently have no concept of the difference between an opinion and a fact. Aside from that, if you can't even chuckle when someone adeptly roasts your idol, you have some real insecurity issues.

Another example of this can be seen in the Retarded Emails section of The Oatmeal comic. Apparently you can pick any arbitrary topic as the basis for your comedy and people will hate you for it, regardless of the obvious lack of seriousness.

This all makes me think: The massive push in the last 20 years to value self-esteem over any objective measure of merit has convinced each kid that their opinions are the only thing in the world that matters, utterly oblivious that every other human being in the world also has an opinion. We need to be teaching kids how to objectively evaluate themselves in the context of the world around them, or we are in for a future that makes Charlie Sheen look like a thoughtful critical-thinker.

Unauthenticated SSL Sends a Dangerous Message

2011-03-05 16:45:30 by chort

Recently I decided to write an application for Twitter to report changes in my friends and followers. As part of the process I went looking for a pre-built library of methods that I could use to interact with the Twitter API. I settled on python-twitter as an actively-developed solution that should keep up with changes to the API.

Due to Twitter's rocky past with SSL/TLS (henceforth simply SSL) support on their web interface, I decided it would be prudent to investigate whether their API used SSL. It turns out that it does, and it has a properly signed certificate. Then I looked at python-twitter to see if it had an option to connect over SSL, and was pleased to notice that it does by default. On a hunch I checked out the underlying library that python-twitter is using to make HTTP requests, and I was shocked at what I found.

Read the rest of this story...

Stop Trying to Prevent Break-ins

2011-02-20 14:55:29 by chort

Ready for a shocker? You shouldn't be spending all those resources trying to shore up your network against attacks. It sounds insane, but this is the conclusion I've reached after spending a week talking to some of the best and brightest minds in Information Security.

Read the rest of this story...

BSidesSF 2011

2011-02-19 21:07:55 by chort

I just took 3 days off from work to attend BSidesSF and the Barracuda Networks Security Wine-out, with an interlude to work the RSA Conference. The following is a rambling summary of the topics and ideas I encountered this week, along with my commentary.

Read the rest of this story...

Amazing Free Software and WWIPAS

2011-01-22 16:04:24 by chort

A few days ago I was using a free DNS monitoring utility called dnstop. I had found a few bugs while trying to build and run it on OpenBSD. I knew one of the authors was active on public mailing lists, so I e-mailed him to report the bugs. To my surprise and delight, he responded quickly and began investigating.

When he was unable to set up a test environment to mimic mine in a timely manner, he asked if he could log in to one of my systems to verify the behavior. I gave him access to a virtual machine and a day later, after several e-mail exchanges, all my reported problems were fixed and a new version of the software was available for download. Since the software itself was free, but the maintainer had gone to considerable trouble to fix my bugs in a very responsive manner, I offered him the continuing use of the shell account as payment.

A few days later I was downloading an update to TinyUmbrella and noticed a "Donate" button on the website. I thought about how much potential hassle that utility saves me and decided to donate. It only took a minute to contribute a few dollars to the project through PayPal. These two experiences prompted me to muse on the amazing value that authors of free software deliver, and what proper compensation is. This led me to create the "WWIPAS" rule. What on Earth is that? I'm so glad you asked; read on...

Read the rest of this story...