How Does Society Change as Privacy Evaporates?

2013-05-17 20:41:31 by chort

I was listening to the Risky Business podcast episode on analyzing DPRK agricultural production from public satellite data. This got me musing: if anyone can learn so much about one of the most secretive areas of the world using public data, what does that say about how much could be learned in open societies?

Read the rest of this story...

On Goals, Part 2: Call to Action

2013-02-02 14:42:42 by chort

In part 1 I outlined what I believe to be some of the fundamental, strategic problems facing Western society, and in a general sense how it applies to US businesses. In this part I'm going to relate that to specific courses of action and how anyone reading this can change their behavior to shape a better future.

Read the rest of this story...

On Goals, Part 1: Statement of Values

2013-02-02 13:26:46 by chort

One of the things I don't do well, that I feel is characteristic of the InfoSec discipline as a whole, is setting goals. I'm talking about relevant, worthwhile, and attainable goals. In their absence, it's easy to busy ourselves with tactical issues.

When thinking about goals, it makes sense to first define your values, so you can choose goals that align with or advance your values. One of the values I hold dearly is building a future that my offspring have the opportunity to enjoy. That means many things, but one that I think about frequently is the global economic situation and where the Western world, particularly the United States of America, fits into it. I think far too many people have allowed instant gratification to confuse tactical decisions with strategic decisions. If we're serious about giving our kids the opportunities we had, we need to make sure our nation and democratic values are strongly positioned in the global market.

If this all sounds very grand and abstract, that's because it is. Please be patient, since it's a necessary foundation for the rest of this post, which gets into very actionable and practical steps. It has everything to do with Information Security and how we live our daily lives.

Read the rest of this story...

Courage is Temporal, or: USA's Overdeveloped Sense of Heroism

2011-11-20 20:37:44 by chort

In struggling to come to grips with what the Occupy Wall Street movement really means to society, I realized there had been a serious shift in public perception of law enforcement--at least by the white middle class*. If we think back 10 years, nearly everyone was heralding law enforcement and other first-responders as heroes, for risking their lives at the World Trade Center site. If we look at the press today, we see police, sheriff, and campus security forces being roundly criticized for widely publicized incidents of violence. Public officials appear to have been caught off-guard and their response has ranged from bi-polar (Jean Quan, in Oakland) to defiant (Michael Bloomberg, New York City). What accounts for this change?

Read the rest of this story...

The Death of Meritocracy?

2011-10-29 00:15:49 by chort

You must be living under a rock to not know about the Occupy Together protests that are happening right now in the United States, and other countries around the world. There has been a lot of press coverage trying to come to grips with what it is that the protesters are actually upset about. One of the best pieces on protester sentiments is this one in Rolling Stone. The gist of it is that Wall Street tycoons aren't getting rich by working hard and having better ideas, they're doing it by cheating the system. While I agree with this assessment, there's more to it.

Read the rest of this story...

Lulzsec, Lies, and the Call to Wake

2011-06-27 00:03:05 by chort

For the past 50 days LulzSec has captured the attention of the information security community, the mainstream media, and just about every other kind of media. Has anyone stopped to wonder what it is that causes the LulzSec saga to be so "sticky?"

Read the rest of this story...

De Facto Wars

2011-05-05 00:12:03 by chort

Recently I became involved in a debate with Jacob Appelbaum regarding the legality of US forces killing Osama bin Laden. Jacob contends that bringing bin Laden to justice is essentially a law enforcement matter and as such he is afforded a trial (making his recent death illegal). I disagree. Due to the limitations of Twitter we were not able to have a real debate. I'm going to present my side here.

Read the rest of this story...

What if We Have the RSA Token Threat Backwards

2011-04-18 22:59:03 by chort

Thus far, all the speculation I've seen regarding the RSA SecurID breach centered on speculation that if attackers could somehow discover the serial numbers of tokens in use, they could derive the seed and whittle it down to 1-factor authentication. The advice from RSA certainly lends credibility to that theory, since they're essentially telling customers to double the length of the PINs in use, exponentially increasing the difficulty of guessing that factor.

If we accept the claim (and I am not suggesting we should merely for being asked to) by RSA that the attack was sponsored by an arm of the Chinese Communist government (let's drop the diplomatic "APT" BS), then perhaps there is another threat vector we haven't considered. As we know, plenty of counterfeit gear is manufactured in China. There is also speculation that what was stolen was not the seed database itself, but the serial-to-seed mapping algorithm. Imagine if they were able to create knock-off SecurID tokens that actually worked, then pollute the supply chain through resellers, and have them end up in organizations that are later targeted for break-ins.

It's clear from past behavior that the Chinese government and/or military are willing to take the long view on industrial espionage. I'm sure they wouldn't mind waiting for this gear to infiltrate high-value organizations. Besides, imagine if they added a few "bonus" features to the tokens, such as cellular radios and microphones.

No, I don't have any inside information, this is all speculation on my part. This is just an angle I haven't heard anyone mention yet.

Cyveillance IP list updated

2010-01-26 11:53:28 by chort

A while back I noticed Cyveillance, Inc were aggressively spidering my site. I found quite a few other references on the web to their anti-social behavior, including links to the recording industry's heavy-handed and borderline illegal tactics. In order to block them from my network, I compiled a list of their IPs.

It's been some time since I've actively monitored my firewall and over time the list had grown stale. I'd also previously been stymied on doing more research by my inability to figure out the nuances of some RWHOIS systems. Happily I made a breakthrough this week and I've been able to update my list, which I'll share for the good of humanity. The link above has the same list.

I'll try to update the text file over time to match current reality as best I can, but this blog post will go stale. I'm only putting the IPs here for spiders to find. If you want to use the list on your firewall, download the linked version. The list is admittedly incomplete since I haven't been able to reliably query Verizon for IPs (let alone other possible providers).

Updated 2010-03-28 to add 65.213.208.128/27, which came to me via a comment. Thanks for the tip!

Blogs attract PHP scans

2010-01-24 23:54:49 by chort

I've been noticing that since I put up this blog I've been getting scans for common PHP files/site layouts. This is interesting because my main site hasn't been scanned for them at all during the same time period.

I also noticed that the majority of the spider traffic to my blog is from Baidu, in contrast with the rest of my site.

I had forgotten how fun it is to scan my webserver logs for patterns.