Wednesday, March 30, 2011

Filtering Doesn't Work. Education Might.

Internet filtering will not keep your children safe. Your children probably know more about computers than you; they will find or make holes in your software. Even if you whitelist, ban chat and P2P programs, block Google Image Search, and block every video and image hosting website, you'll never come close to blocking everything. If that's your strategy, you might as well just call up your ISP and cancel. Even then, you cannot monitor your children at their friends' houses, at the library, or when they grow up. Filtering can keep you from stumbling into undesired material, but it cannot stop someone from deliberately breaking out. Teach your children how to use the internet safely. Teach them to be good. Then trust them to make the right decisions. I call it parenting.

Monday, March 28, 2011

Warfare 2.0

Last year Stuxnet sabotaged the Siemens programmable logic controllers used in Iran's uranium enrichment program. This year Fukushima faces a nuclear crisis. The crisis was caused by an earthquake, but it's not hard to imagine what a well-funded attacker could do. No amount of static defense will make networks secure. The best defense is a good offense, especially in cyber warfare. State-funded attackers, criminals, and terrorists need to be hit before they hit our networks. Counter-attacks should be adapted to the target; criminal organizations or terrorist cells get less impunity than states like China or Russia. At least publicly. Anyone with a computer can play war now. But having an army of hackers isn't enough to keep you safe either—the countries of the world need to work together. We need international law to step up to the plate. If it doesn't, you can be sure things will get messy.


Inside Cyber Warfare is a good book.

Thursday, March 24, 2011

Teaching Hacking in School

Here is a video I made to show why Computer Security must be taught in school.

Monday, March 21, 2011

Smart DRM—StarCraft II

People should be paid for their work. Technology has fundamentally changed the way we use media, yet unimaginative, manipulative executives believe that monolithic copyright laws and ineffective DRM technologies will keep their antiquated business models alive. Video games are among the most pirated software: when the key verification algorithm ships inside the game, it can be reverse engineered and a key generator written straight from it. Blizzard's StarCraft II takes a better approach. You can take your StarCraft II disc and install it on any machine you want. However, in order to play you must log in with your Battle.net account, to which you have bound the StarCraft II license you purchased. The verification happens on Blizzard's servers, so the client never contains the check an attacker could reverse, and you can play from wherever you'd like without having to keep track of your key; everyone wins, at the price of needing to reach Battle.net to play. The key is adapting business models and copyright laws to the technology—not the other way around.
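To make the difference concrete, here is an added example in Python (not Blizzard's or Battle.net's code; the key format, checksum and the LicenseServer API are all hypothetical). The offline check is a pure function the client carries, so a keygen is just that function run backwards; the server-side model makes a license a row bound to an account, which no amount of reading the client can reproduce.

```python
"""Two ways to check a game license: offline key validation vs. an account-bound server check.

Added example in plain Python; it is not Blizzard's or Battle.net's code. The key
format, checksum and the LicenseServer API are all hypothetical.
"""
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no ambiguous characters


def _checksum(body):
    """Hypothetical check digit: weighted sum of symbol values, mod 10."""
    return sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body)) % 10


def offline_validate(key):
    """The check as it would ship inside a client binary: 12 body symbols + 1 check digit.

    Anything the client can compute, a reverse engineer can read out and invert.
    """
    if len(key) != 13 or not key[12].isdigit():
        return False
    body = key[:12]
    if any(c not in ALPHABET for c in body):
        return False
    return _checksum(body) == int(key[12])


def keygen():
    """A key generator: nothing more than offline_validate run backwards."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(12))
    return body + str(_checksum(body))


class LicenseServer:
    """Server-side model: a license is a row bound to an account, not a property of a string.

    The client never receives the verification logic, only an accept/reject, so there is
    nothing to reverse; forging a license means compromising the server or an account.
    """
    ITERATIONS = 50_000

    def __init__(self):
        self._accounts = {}   # account -> (salt, pbkdf2 digest)
        self._licenses = {}   # account -> set of products
        self._sessions = {}   # session token -> account

    def register(self, account, password):
        salt = secrets.token_bytes(16)
        self._accounts[account] = (salt, self._digest(password, salt))

    def attach_license(self, account, product):
        """Done once, when a purchased key is redeemed; the key itself is never needed again."""
        self._licenses.setdefault(account, set()).add(product)

    def login(self, account, password):
        """Returns a session token, or None. Constant-time compare to avoid timing leaks."""
        record = self._accounts.get(account)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._digest(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account
        return token

    def authorize(self, token, product):
        """Called when the client wants to play: is this session's account licensed for product?"""
        account = self._sessions.get(token)
        return account is not None and product in self._licenses.get(account, set())

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)


if __name__ == "__main__":
    forged = keygen()
    print("offline check accepts a generated key:", offline_validate(forged))
    server = LicenseServer()
    server.register("alice", "correct horse battery staple")
    server.attach_license("alice", "StarCraft II")
    token = server.login("alice", "correct horse battery staple")
    print("server authorizes alice for StarCraft II:", server.authorize(token, "StarCraft II"))
    print("server authorizes a forged token:", server.authorize("forged", "StarCraft II"))
```

Note that `keygen` reuses `_checksum` unchanged: the attacker does not need to understand the scheme, only to lift the routine out of the binary. Against `LicenseServer` the same attacker has nothing to lift, because the answer depends on state only the server holds.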

Wednesday, March 16, 2011

You Go, Girl!

It warms my heart to see women in computer science, like this hacker who was programming in x86 and C by age 14. It is baffling that there are so few women in computer science: its flexibility makes it a great profession whether you are career driven, a traditional stay-at-home mom, or anywhere in between. I don't know whether it's the misconception that computer science is for nerdy guys, or some biological difference in women's brains; all I know is a lot of women are missing out on computer science, and computer science is missing out on a lot of women.

Wednesday, March 9, 2011

Mac Hacker Interview

Today, thanks to Technocrat, I read an awesome interview with two of my hacking idols: Charlie Miller and Dino Dai Zovi. Read it.


Things I liked/found interesting:

  • Mac security is far from perfect
  • Google Chrome is good
  • Education is good—the good guys need to know. Bad guys tend to already know.
  • Apple needs to treat researchers better
  • Apple's security (like everyone else's) depends on how much it will protect their wallet.
  • "As for whether I have an exploit in my pocket, a gentleman doesn't discuss such things, but I'm not a gentleman, so yes." - Charlie
  • These guys are smart

Tuesday, March 8, 2011

There is Good

I wish we lived in a world where we could keep the front door unlocked. Sometimes in my obsession with the vulnerabilities of technology I become so overwhelmed by paranoia and distrust that I forget computers can be a force for good. For every advance made in security, it seems as if attackers make two advances. However, we can't let ourselves be discouraged; people are using computers for good. Perhaps we should count the number of ways that computers bless our lives. Then, armed with a spirit of optimism, continue to harden defenses, improve transparency, and educate users. It's easy to lose faith, but let's have hope that good will prevail and computers will continue to make our world a better place.

Tuesday, March 1, 2011

Colbert on HBGary v. Anonymous

This is Stephen Colbert's hilarious take on the recent events between HBGary and Anonymous. via Threatpost.

Friday, February 18, 2011

PWNIE Express

A company called Pwnie Express has released one of the coolest products I have ever seen—the Pwn Plug.

Apparently it comes preloaded with Ubuntu, Metasploit, Ettercap, and the Social-Engineer Toolkit, among other awesome tools.

Put on a maintenance shirt. Walk into an office. Plug in this bad boy under someone's desk. Game over.

Teaching Reverse Engineering

One of my favorite blogs, reverse.put.as, recently re-released an awesome reverse engineering tutorial for OS X. The tutorial is very well done, and fG! (the author) also links to an amazing .gdbinit file that makes reversing much nicer in gdb. fG! originally removed the tutorial because he (or she, I'm not sure) was concerned that some would abuse the information. He made clear in the re-release that his intent was not to abet software pirates, but to educate those with a desire to learn a very important skill.

Several of the comments indicate that not all agree with him. I think what they fail to recognize, however, is that reversing is not cracking—cracking is merely one use of reversing. Reversing is necessary in the modern world: we need it to fight malware, discover and patch vulnerabilities, give software developers the freedom of interoperability, and to encourage healthy competition.

Will some people use the knowledge for evil? To be sure; anything can be misused. But others will use it to improve the world they live in. Give people information and let them decide how to live.

Thursday, February 17, 2011

Scrambling the Cuckoo's Egg

One of the earliest computing honeypots came about when Clifford Stoll let the Hannover hacker roam through Lawrence Berkeley Laboratory's network unchecked—little did the attacker know he was being watched. Using the lab's network as a high-interaction honeynet, Stoll reverse social engineered the attackers into requesting information about the fabricated SDINET project; this provided more information about the scope and severity of the attacks. Many modern attack vectors rely on social engineering. Honeypots could be rigged with records of fake employees—each with social media accounts, email addresses, and phone numbers. Because these identities have no legitimate reason to be contacted, any traffic to them would be closely monitored so that social engineering attacks could be observed. Such honeypots would require more resources than conventional ones: automation is difficult, and in some cases, such as phone calls, humans would need to respond to attackers directly. Still, the results would be interesting.
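The monitoring half of that idea is the part that can be automated. The following is an added example (not from the original post): a small detector that indexes a constructed directory of fake employees and runs over constructed log lines in an assumed `src=... dst=...` format, raising one alert when a honeytoken identity is contacted and another when it appears as a sender, since an identity that never sends anything can only be spoofed.

```python
"""Honeytoken identities: detect social-engineering probes against fabricated employees.

Added example. The directory, the people, and the log format are all constructed
for the demo; none of the addresses or numbers belong to anyone.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeEmployee:
    """A fabricated identity that exists only to be contacted by attackers."""
    name: str
    email: str
    phone: str
    handle: str


# Hypothetical honeytoken directory (constructed; these people do not exist).
HONEYTOKENS = (
    FakeEmployee("Dana Whitfield", "dana.whitfield@example.com", "+1-555-0142", "@dwhitfield_it"),
    FakeEmployee("Marcus Lund", "marcus.lund@example.com", "+1-555-0177", "@mlund_hr"),
)

# Constructed sample events in an assumed format:
#   <timestamp> <channel> src=<party> dst=<party> [key=value ...]
SAMPLE_LOGS = """\
2011-02-17T09:12:03 smtp src=recruiter@partner.example.net dst=jane.doe@example.com subject="Q1 budget"
2011-02-17T09:14:51 smtp src=it-support@helpdesk.example.org dst=dana.whitfield@example.com subject="Password reset required"
2011-02-17T10:02:17 pbx src=+1-555-0199 dst=+1-555-0177 duration=184
2011-02-17T10:30:00 social src=@totally_legit_recruiter dst=@dwhitfield_it action=dm
2011-02-17T11:00:00 smtp src=alice@example.com dst=bob@example.com subject="lunch?"
2011-02-17T11:45:09 smtp src=dana.whitfield@example.com dst=finance@example.com subject="Urgent wire transfer"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<channel>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?P<rest>.*)$")


def build_index(employees):
    """Map every honeytoken contact detail (lower-cased) back to its fake employee."""
    index = {}
    for emp in employees:
        for token in (emp.email, emp.phone, emp.handle):
            index[token.lower()] = emp
    return index


def detect(log_text, employees=HONEYTOKENS):
    """Return one alert per event that touches a honeytoken.

    kind == "contacted":    an outside party reached a fake employee (phish, vishing, DM).
    kind == "impersonated": a fake employee appears as the sender; since it never sends
                            anything, someone is spoofing it.
    """
    index = build_index(employees)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        src, dst = m["src"].lower(), m["dst"].lower()
        if dst in index:
            alerts.append({"ts": m["ts"], "channel": m["channel"], "kind": "contacted",
                           "employee": index[dst].name, "counterpart": m["src"],
                           "detail": m["rest"].strip()})
        if src in index:
            alerts.append({"ts": m["ts"], "channel": m["channel"], "kind": "impersonated",
                           "employee": index[src].name, "counterpart": m["dst"],
                           "detail": m["rest"].strip()})
    return alerts


def campaigns(alerts):
    """Group 'contacted' alerts by outside party: who is working the fake directory, and how widely."""
    by_source = defaultdict(list)
    for a in alerts:
        if a["kind"] == "contacted":
            by_source[a["counterpart"]].append(a["employee"])
    return dict(by_source)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a["ts"], a["channel"], a["kind"], a["employee"], "<->", a["counterpart"], a["detail"])
    print(campaigns(found))
```

The value of the approach is that the false-positive rate is close to zero by construction: nobody legitimate has a reason to email, call, or message Dana Whitfield, so every hit is worth a look. The remaining human cost is exactly what the post predicts, answering the phone when the PBX alert fires.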

Saturday, February 12, 2011

A Clever Man

Today I'd just like to point out how clever I think this man is. I ran into his profile a while back when I was trying to get that same user name (logout). I tried several similar names but they appear to be reserved by Facebook—surprised they let him get away with it. Maybe he works there. Either way, a toast to the cleverness of Pushkar.

Friday, February 11, 2011

Russian Doll URL Shortening

Attackers have been hiding malicious URLs behind shortening services like TinyURL or bit.ly for some time now. Some smarter folks, however, have plugins that automatically resolve shortened URLs for them.

For a little extra oomph, what if the attacker shortened an already shortened URL? I wonder how many of these tools are prepared to unravel a chain of shortened URLs, rather than stopping after the first hop.

I haven't seen this technique yet, so hopefully I'm the inventor and everyone will call it "Russian Dolling."

p.s. On an only slightly related note, does anyone know of any services that let you edit the target URL afterwards? If so, you could create a loop in shortened URLs. That would be awesome.

UPDATE:
Diogo Mónica notified me that he has seen such attacks in the wild, and there are tools that can handle it. While not surprising in the least, I must admit I am still a little disappointed it won't be named Russian Dolling. Alas.

Diogo also pointed out that loops are possible using services such as ow.ly, such as this one. Don't use bit.ly though, because it will warn you of encapsulation. Be sure to check out Diogo's blog if you get the chance; it's awesome.

Tuesday, February 8, 2011

Grow Up

Many jumping on the Anonymous bandwagon are teenagers with too much time and too little skill. Seeking acceptance and respect from their peers, they are seduced by an alluring sense of community—a mob with no direction, no leaders, no code of ethics, and no cause. Armed with delusions of grandeur, this hive mind trolls about the internet, brandishing the banner of freedom. They fool only themselves. Ironically, the Guy Fawkes mask they wear is intended to symbolize the fight against tyranny; they also believe this mask will hide them from accountability. Notwithstanding, they are easily caught with their hands in the cookie jar.

Tuesday, February 1, 2011

Let Google do the dirty work.

Thanks to the Changelog, today I was introduced to easy_translate. This gem of a Ruby gem uses Google Translate to, well... translate. Awesome. We need to use Google to do more of our dirty work.

I am not one of the greatest spellers to ever have lived. As I was using a word processor the other day, I observed that when I don't know how to spell a word, I google it instead of using the built in spell checker. Google is far superior to any spellchecker. So if you're writing a word processor, save yourself some work and write a tool that uses google for spell checking.

Monday, January 24, 2011

Apple_Security++

Recent hires by Apple reveal an increasing emphasis on security. The rise of Mac malware and botnets, and research in mobile attacks, indicate the need for Apple to take security seriously. Genius hackers like Charlie Miller and Dino Dai Zovi have already been researching Mac vulnerabilities for some time now, and many more are on the way. Hopefully this influx will introduce more tools. Good tools are already available—IDA Pro was recently released natively for OS X—but we need more freely available tools to fuel research and open the doors to more researchers (such as poor students like myself). OS X needs tools like OllyDbg and Immunity Debugger. Paterva needs to hurry up—I can't wait any longer. It's an exciting time to be a Mac. Let the fun begin.

Thursday, January 20, 2011

Vigilante Justice

Recently the Jester (th3j35t3r) has come under increased public scrutiny as a result of his WikiLeaks attack and ensuing scuffle with Anonymous. His behavior is illegal, but legal and ethical are not always synonymous. The internet is a lawless frontier much like the Wild West: the government cannot police it, but citizens cannot simply allow themselves to be thrown to the wolves. We have the right to defend ourselves and the responsibility to defend others when the government cannot or does not. For example, Batman is a one-man vigilante; still, he is typically viewed as a hero—we find something noble and good in him. The Jester has similarly inspired others: people leave words of support on his blog; some ask how they can help; and others are thinking of more villains, such as child pornography, to target next. Vigilante justice is a complicated beast. Are the Jester's actions lawful? No. Are the Jester's actions ethical? Considering that his attacks aid law enforcement, hinder terrorist communication, protect lives, and cause no collateral damage, I would be inclined to say that they are.

Wednesday, January 19, 2011

Unfriending

For the past several months I've been whittling away at my Facebook friends, slowly removing superfluous relationships. I have since removed over 400 friends. It was difficult at first; I enjoyed appearing popular and didn't want to offend anyone. However, with a little practice it becomes easy—and almost addictive. I don't feel like vomiting every time I visit Facebook anymore: there's less clutter, and no more struggling to put names with faces, hiding nuisances from my feed, or avoiding people.

In addition, I've realized that unfriending has another very important benefit—a security one. Each friend you add introduces risk: you have bound your accounts together. If a friend's account is compromised, even with a "Friends Only" privacy policy, your information is exposed. Unfriending people you don't know well reduces your attack surface and keeps your exposed data safer.

Establish a circle of trust; just because you took a class together, attended the same school, or met at a party doesn't make you friends. Don't hesitate to ignore friend requests or remove people you don't communicate with. I've found purging my friend list to be incredibly refreshing and empowering: I spend less time on Facebook because I only see what I care about, and I can better maintain important relationships. You only have so much time and energy in this life—invest it in people that matter to you.

Wednesday, January 12, 2011

Don't Punch My Junk

The TSA is creating a world of fear and inconvenience—terrorists can go ahead and vacation while the TSA does their work for them. The TSA harasses, detains, and infringes upon the rights of innocent Americans in the name of national security, while providing only an illusion of such. They obsess over anomalies such as the underwear bomber, while failing to recognize the key threats—such as the nice targets made by long lines in front of security checkpoints. It doesn't take a genius to see that changes need to be made.

The following is a presentation given by Deviant Ollam at DojoCon 2010, in which he does an excellent job of summing up recent events while offering ideas about what we can do to fix them. (Warning: contains strong language.)



What I find especially interesting are his observations about how Israel handles terrorism; even in a country that is such a high-value target, Israel's airports are much simpler, more efficient, and safer. It's frustrating to see how security could be done, and then realize the only thing holding us back is the bureaucratic nightmare we live in. Hopefully by banding together we the people can solve this issue, and then start working on the next item in an endless list of problems we call the U.S. Government.

Saturday, January 8, 2011

Child Pornography Laws Need Work

I think regardless of personal feelings about pornography and its availability, all rational human beings can agree on at least one thing: child porn is wrong and needs to be fought. This morning I read this disturbing article about two individuals in Oregon whose child pornography convictions were overturned on the basis that there must be intent to download. Basically they were viewing child porn but did not actually have any of the data on their machines—all the porn was being hosted elsewhere—so they got off the hook.

The frightening aspect of this story is that there is nothing to stop people from viewing and supporting child porn. Obviously, if the server were somewhere in the U.S., the government could hunt its operators down and then come knocking at the door. Unfortunately we are more organized, technically advanced, and responsible (?) than certain other countries. How will we be able to combat child porn if we let people view it at their leisure simply on the basis that they aren't downloading it? We can't depend on other governments to protect children.

On one hand, it could be argued that "intention to download" protects those who innocently stumble upon child pornography. I can't claim to be especially knowledgeable in the area of child pornography, but I use the internet a lot and I have this sneaking suspicion that it's rather difficult to just happen across child porn; I would wager that even those who frequent hardcore porn sites would be hard pressed to run into it. Either way, I think it's safe to assume you wouldn't encounter it often, in which case perhaps frequency should be taken into account. How would this be measured? I don't know, but I'm sure we can figure something out—I think we can intuit pretty well when it's accidental and when it's purposefully sought after.

Of course, the truth of the matter is that by viewing child porn they have downloaded it. The file may not be found in its entirety at any one moment on their machine—but the data was there, whether in RAM or secondary storage—else they couldn't have viewed it. Assuming it was intentionally viewed, it could reasonably be construed that it was indeed intentionally downloaded. Such an argument would likely lead to a battle of semantics, with the defense attempting to define intentional downloading as explicitly telling your software to save the media to permanent storage. This introduces another issue: how does law enforcement tell the difference? Internet traffic alone may not be able to tell you. Law enforcement would need to physically go through the hard drives with forensic software.


One of my personal theories is that lawyers and hackers really are the same—just one manipulates the laws of government and the other the laws of computers. The defense lawyers hacked this one hard; the phrase "intention to download" is the defense's dream come true—the ultimate fudge factor. They will be running in circles around this phrase for years to come, and if we let them, child pornographers and pedophiles will have won a major victory. Fortunately, the article appears to indicate that an amendment to the law is on its way. Let's hope so; this type of allowance of child pornography is effectively supporting child sexual abuse, and although even a reformed version of this law won't by itself stop child pornography, at least it won't be a leap backwards.