Monday, January 24, 2011

Apple_Security++

Recent hires by Apple reveal an increasing emphasis on security. The rise of Mac malware, botnets, and research in mobile attacks indicate the need for Apple to take security seriously. Genius hackers like Charlie Miller and Dino Dai Zovi have already been researching Mac vulnerabilities for some time now, and many more are on the way. Hopefully this influx will introduce more tools. Good tools are already available—IDA Pro was recently released natively for OS X—but we need more freely available tools to fuel research and open the doors to more researchers (such as poor students like me). OS X needs tools like OllyDbg and Immunity Debugger. Paterva needs to hurry up—I can't wait any longer. It's an exciting time to be a Mac. Let the fun begin.

Thursday, January 20, 2011

Vigilante Justice

Recently the Jester (th3j35t3r) has come under increased public scrutiny as a result of his WikiLeaks attack and ensuing scuffle with Anonymous. His behavior is illegal, but legal and ethical are not always synonymous. The internet is a lawless frontier much like the wild west: the government cannot police it, but citizens cannot simply allow themselves to be thrown to the wolves. We have the right to defend ourselves and the responsibility to defend others when the government cannot or does not. For example, Batman is a one-man vigilante; still, he is typically viewed as a hero—we find something noble and good in him. The Jester has similarly inspired others: people leave words of support on his blog; some ask how they can help; and others are thinking of more villains, such as child pornography, to target next. Vigilante justice is a complicated beast. Are the Jester's actions lawful? No. Are the Jester's actions ethical? Considering that his attacks aid law enforcement, hinder terrorist communication, protect lives, and cause no collateral damage, I would be inclined to say that they are.

Wednesday, January 19, 2011

Unfriending

For the past several months I've been whittling away at my Facebook friends, slowly removing superfluous relationships. I have since removed over 400 friends. It was difficult at first; I enjoyed appearing popular and didn't want to offend anyone. However, with a little practice it becomes easy—and almost addictive. I don't feel like vomiting every time I visit Facebook anymore: there's less clutter, and no more struggling to put names with faces, hiding nuisances from my feed, or avoiding people.

In addition, I've realized that unfriending has another very important benefit—a security one. Each friend you add introduces risk: you have granted another account access to yours. If a friend's account is compromised, then even with a "Friends Only" privacy setting your information is exposed to whoever controls that account. Unfriending people you don't know well reduces your attack surface and keeps the data you do share safer.

Establish a circle of trust; just because you took a class together, attended the same school, or met at a party doesn't make you friends. Don't hesitate to ignore friend requests or remove people you don't communicate with. I've found purging my friend list to be incredibly refreshing and empowering: I spend less time on Facebook because I only see what I care about, and I can better maintain important relationships. You only have so much time and energy in this life—invest it in people who matter to you.

Wednesday, January 12, 2011

Don't Punch My Junk

The TSA is creating a world of fear and inconvenience—terrorists can go ahead and vacation while the TSA does their work for them. The TSA harasses, detains, and infringes upon the rights of innocent Americans in the name of national security, while providing only an illusion of such. They obsess over anomalies such as the underwear bomber, while failing to recognize the key threats—such as the nice targets made by long lines in front of security checkpoints. It doesn't take a genius to see that changes need to be made.

The following is a presentation given by Deviant Ollam at DojoCon 2010, in which he does an excellent job of summing up recent events while offering ideas about what we can do to fix them. (Warning: contains strong language.)

What I find especially interesting are his observations about how Israel handles terrorism; even in a country that is such a high-value target, Israel's airports are much simpler, more efficient, and safer. It's frustrating to see how security could be done, and then realize the only thing holding us back is the bureaucratic nightmare we live in. Hopefully by banding together we the people can solve this issue, and then start working on the next item in an endless list of problems we call the U.S. Government.

Saturday, January 8, 2011

Child Pornography Laws Need Work

I think regardless of personal feelings about pornography and its availability, all rational human beings can agree on at least one thing: child porn is wrong and needs to be fought. This morning I read this disturbing article about two individuals in Oregon convicted of child pornography offenses whose convictions were overturned on the basis that there needs to be intent to download. Basically they were viewing child porn but did not actually have any of the data on their machines—all the porn was being hosted elsewhere—so they got off the hook.

The frightening aspect of this story is that there is nothing to stop people from viewing and supporting child porn. Obviously, if the server were somewhere in the U.S., the government could hunt down its operators and come knocking at their door. Unfortunately, we are more organized, technically advanced, and responsible (?) than certain other countries. How will we be able to combat child porn if we let people view it at their leisure simply on the basis that they aren't downloading it? We can't depend on other governments to protect children.

On one hand, it could be argued that "intention to download" protects those who innocently stumble upon child pornography. I can't claim to be especially knowledgeable in the area of child pornography, but I use the internet a lot and I have this sneaking suspicion that it's rather difficult to just happen across child porn; I would wager that even those who frequent hardcore porn sites would be hard pressed to run into it. Either way, I think it's safe to assume you wouldn't encounter it often, in which case perhaps frequency should be taken into account. How would this be measured? I don't know, but I'm sure we can figure something out—I think we can intuit pretty well when it's accidental and when it's purposefully sought after.

Of course, the truth of the matter is that by viewing child porn they have downloaded it. The file may not be found in its entirety at any one moment on their machine—but the data was there, whether in RAM or in secondary storage—or else they couldn't have viewed it. Assuming it was intentionally viewed, it could reasonably be construed that it was indeed intentionally downloaded. Such an argument would likely lead to a battle of semantics, with the defense attempting to define intentional downloading as explicitly telling your software to save the media to permanent storage. This introduces another issue: how does law enforcement tell the difference? Captured internet traffic alone may not be able to tell you. Law enforcement will need to physically go through the hard drives with forensic software.
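As an added example that is not part of the original post, here is a small Python script modelled on what a forensic examiner's tooling does with a browser cache, which is where "merely viewed" images usually end up on disk without the user ever choosing to save them. It ignores file names and extensions, recognizes images by their leading bytes (magic numbers), and compares SHA-256 hashes against a list of known hashes. The cache directory, the image bytes, and the "known" hash list are all constructed for the demonstration; real tools use vetted hash sets and far more file signatures than the three shown here.

```python
"""Added example (not from the original post): a minimal cache-forensics pass.

Viewing an image in a browser means the bytes reached the machine, and most
browsers also write them to an on-disk cache under opaque names with no
extension. Forensic tools therefore do not trust names: they identify files
by their leading bytes and compare hashes against a list of known-bad
hashes. Everything below (cache layout, image bytes, hash list) is
constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# File signatures (magic bytes) for a few common image formats.
# Deliberately small; a real carver knows hundreds of types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def identify(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_cache(cache_dir, known_hashes: Set[str]) -> List[Dict]:
    """Walk a cache directory, report every image-looking file and whether
    its hash is in known_hashes. File names are never consulted."""
    findings = []
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        kind = identify(data)
        if kind is None:
            continue  # not an image by signature; skip
        digest = sha256_hex(data)
        findings.append({
            "path": str(path.relative_to(cache_dir)),
            "type": kind,
            "sha256": digest,
            "known": digest in known_hashes,
        })
    return findings


def build_demo_cache(root) -> Dict[str, str]:
    """Populate a fake browser cache: opaque names, no extensions, mixed content.
    The 'images' are benign constructed byte strings, not real pictures."""
    entries = Path(root) / "entries"
    entries.mkdir(parents=True, exist_ok=True)
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x00" * 32
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    html = b"<html><body>not an image</body></html>"
    (entries / "f_000a1b").write_bytes(jpeg)
    (entries / "f_000a1c").write_bytes(png)
    (entries / "f_000a1d").write_bytes(html)
    return {"jpeg": sha256_hex(jpeg), "png": sha256_hex(png)}


def run_demo() -> List[Dict]:
    """Build the fake cache, treat only the JPEG as 'known', and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        digests = build_demo_cache(tmp)
        known = {digests["jpeg"]}  # constructed hash list for the demo
        return scan_cache(tmp, known)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The point the script makes is the one the paragraph argues: nothing in the cache was "saved" by the user, yet the image bytes are present, identifiable, and hashable on disk, and the HTML entry is ignored because classification is by content rather than by name.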


One of my personal theories is that lawyers and hackers really are the same—just one manipulates the laws of government and the other the laws of computers. The defense lawyers hacked this one hard; the phrase "intention to download" is the defense's dream come true—the ultimate fudge factor. They will be running circles around this phrase for years to come, and if we let them, child pornographers and pedophiles will have won a major victory. Fortunately, the article appears to indicate that an amendment to the law is on its way. Let's hope so; this type of allowance of child pornography is effectively supporting child sexual abuse, and although even a reformed version of this law won't by itself stop child pornography, at least it won't be a leap backwards.