Robert Graham
Author Archives: Robert Graham
- Home → Author's archive:
Robert Graham
We should all follow Linus’s example
Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").
A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, Continue reading
The Godwin fallacy
As Wikipedia says:Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.An example is a discussion whether waving the Confederate flags was "hate speech" or "fighting words", and hence undeserving of First Amendment protections.
Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free-speech, that the Nazi's had a right to march.
Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free-speech.
I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Continue reading
Prez: Rick Perry selling his mailing list
I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all them). This allows me to track their behavior -- or misbehavior.Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.
Here's Ted Cruz's email, sent to my Perry account. It's actually identical to one I received on my Cruz account. (I've hidden the To: address, except for the 'rick' part).
The email headers look like:
Received: from mail3.postup.targetedvictory.com (mail3.postup.targetedvictory.com [69.56.54.35])
by projectp (Postfix) with ESMTP id 1266C26041B
for; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)
Rick Perry uses the company "TargetedVictory" for his mass emailings, where Ted Cruz uses another company. This shows that Perry didn't give his address list to Cruz, but instead let Cruz use the address list.
I saved a copy of Perry's privacy policy when I made the donation. It implies that he won't give out my private information to somebody else, but nothing in the Continue reading
Prez: donation numbers
I've given $10 to every candidate to monitor what they do. As I blogged before, just before the quarterly filing deadline, I got emails from all the candidates begging for money, to impress people how much money they've gathered. Well, here are amount each candidate received last quarter:| Hillary | 29,921,653.91 |
| Bernie | 26,216,430.38 |
| Carson | 20,767,266.51 |
| Jeb! | 13,384,832.06 |
| Cruz | 12,218,137.71 |
| Walker | 7,379,170.56 |
| Carly | 6,791,308.76 |
| Rubio | 5,724,784.46 |
| Kasisch | 4,376,787.95 |
| Christie | 4,208,984.49 |
| Trump | 3,926,511.65 |
| Rand | 2,509,251.63 |
| O'Malley | 1,282,820.92 |
| Huckabee | 1,241,737.51 |
| Graham | 1,052,657.62 |
| Lessig | 1,016,189.22 |
| Webb | 696,972.18 |
| Jindal | 579,438.39 |
| Santorum | 387,985.42 |
| Perry | 287,199.29 |
| Pataki | 153,513.89 |
Of course Hillary and Bernie are at the top, since they are the only two major contenders on the Democrat side, so split the pool between them.
What's interesting is that how Scott Walker exited the race, and Jeb! scaled back his spending, because their donations dropped precipitously. Even though they got huge donations last quarter, they spent the money as fast as they could. Presidential campaigns are like venture capital that way: you spend money aggressively in order to make more money. If you are right, this Continue reading
Yes, the CNBC moderation was biased
In anger over CNBC's left-wing bias, the Republican party has suspended them from moderating future debates. Is there something to this?Yes and no. CNBC, like most of the media, has a strong left-wing bias. On the other hand, the Republicans are quick to label legitimate criticism as examples of bias.
There is an easy way to detect improper bias. The principle of journalism is that there are two reasonable sides to any debate. One side may be wrong, of course, but both sides are reasonable. Partisan bias, however, involves arguing that one side in the debate is unreasonable. When the press calls somebody a "comic book clown", then it's bias. Merely saying they are "wrong" is not bias.
That's what happened many times during the CNBC moderated debate of Republican candidates, most egregiously when they called Trump a "comic book" version of a candidate. We all know that Trump is a demagogue, that he appeals to the ignorant masses more than intelligent people. But when you drill down on Trumps ideas, what you'll find is that he's usually merely wrong rather than irrational. For example, a couple months ago, Trump was attacked in the press for saying "the constitution Continue reading
OMG, the machines are breeding! Mankind is doomed! DOOMED!!!
My Tesla has the same MAC address vendor code as an AR Drone. These are two otherwise unrelated companies, yet they share the same DNA. Flying drones are mating with land-based autonomous vehicles. We are merely months away from Skynet gaining self-awareness and wiping out mankind.You can see this in the screenshot below, were we see the output of a hacking program that monitors the raw WiFi traffic. The AR Drone acts as an access-point so that your iPhone can connect to it in order to fly the drone's controls. The Tesla, on the other hand, is looking for an access-point named "Tesla Service", so that when you drive it in for service, it'll automatically connect to their office and exchange data. As you can see, both devices have the same vendor code of "90:03:B7" for Parrot SA.
Here is a picture of the AR Drone cavorting with the car. The top arrow points to the drone, the bottom arrow points to the car.
So why the relationship? Why does the Tesla look like a drone on WiFi?
The company Parrot SA started out creating kits for cars that contain WiFi, Bluetooth, and voice control. Since they were already Continue reading
Dumb, dumber, and cybersecurity
The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addressed none of these threats.
But it gets better.
At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:
Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.
There have been several court cases where IT administrators have been fired, where the companies later found that the fired employee is the only one with passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.
If your boss demands your password to your corporate accounts, of course you must give them your password.
But it Continue reading
Ethics of killing Hitler
But it's the ethical question that comes up the most often, and it has real-world use. It's pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA's mass surveillance of Americans?
I point this out because my ethical response is "yes, and go to jail". The added "and go to jail" makes it a rare response -- lots of people are willing to kill Hitler if they don't suffer any repercussions.
For me, the hypothetical question is "If you went back in time and killed Hitler, would you go to jail for murder?". My answer is "yes". I'd still do my best to lessen the punishment. I'd hire the best lawyer to defend me. It's just that I would put judgement of my crime or heroism in the hands of others. I would pay Continue reading
Car hacking is as fake as the moonlanding
 |
| How can the flag stay up? There's no wind on the moon!! #fake |
Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars are proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.
Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.
The Continue reading
Biden vs Risk Analysis
What we try to do in cybersecurity is "risk analysis". Most people get this wrong.
An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.
The phrase "can't beat Hillary" makes no sense. It imagines a world were risk is binary, you either can or you can't. That's not how it work. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.
Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this are on the many betting websites, which have variously given Biden a 5% to 10% of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.
In other words, would you pay $10 for a 5% Continue reading
DEF CON drink-off — for science!
The DEF CON hacking conference is a mixture of techies and drinkers. I propose we exploit this for science. Specifically, we should take a look at vodka. Vodka is just ethanol and water with all taste removed by distillation and filtering. We can answer two important questions.- Poorly made, cheap vodka lets too much of the (bad) flavor through. Can this be improved by running it through a filter? (Such as a cheap Brita water filter).
- Well-made vodka should be indistinguishable from each other. Can people really taste the difference? Or are they influenced by brands?
We need to science the shit out of these questions with a double-blind taste test. DEF CON is a perfect venue for getting a statistically relevant number of samples. We should setup a table in a high-traffic area. We'll ask passersby to taste a flight of several vodkas and to rate them.
I suggest the following as the set of vodkas to test.
1. Smirnoff, by far the market leading vodka in America, a "mid-shelf" vodka at $22 for a 1.75 liter bottle.
2. Grey Goose, the third most popular vodka in America, a "top-shelf" vodka for $58 a 1.75 liter bottle.
Continue reading
DH-1024 in Bitcoin terms
The recent paper on Diffie-Hellman "precomputation" estimates a cost of 45-million core-years. Of course, the NSA wouldn't buy so many computers to do the work, but would instead build ASICs to do the work. The most natural analogy is how Bitcoin works. Bitcoin hashes were originally computed on CPU cores, then moved to graphics co-processors, then FPGAs, then finally ASICs.
The current hashrate of Bitcoin 460,451,594,000 megahashes/second. An Intel x86 core computes about 3-megahashes/second, or 153,483,864,667 CPU cores. Divided this by 45-million core-years for precomputing 1024bit DH, and you get 3410 DH precomputations per year. Thus, we get the following result:
The ASIC power in the current Bitcoin network could do all the necessary precomputations for a Diffie-Hellman 1024 bit pair with 154 minutes worth of work. Or, the precomputation effort is roughly equal to 15 bitcoin blocks, at the current rate.(Update: I did some math wrong, it's 154 minutes not 23 minutes)
Another way of comparing is by using the website "keylength.com", which places the equivalent effort of cracking 1024 DH with 72 to 80 bits of symmetric crypto. At the current Bitcoin rate, 72 bits of crypto comes out to 15 bitcoin blocks, Continue reading
Infosec is good people
For all that we complain about drama in our community, we are actually good people. At a small conference yesterday, I met "Kath". She just got her degree in advertising, but has become disillusioned. Her classes in web development and app development has shown her how exploitative online advertising can be. ("PHP has made me cry" -- yes, it's made all of us cry at some point).
She's felt alone, as if it were only her who that those feelings, then she discovered the EFF, and privacy activists like Yan (@bcrypt) who have been fighting for privacy. Kath grew up in the middle of nowhere in Texas, and went to college in another middle-of-nowhere place in Texas. Being a muggle, she's never heard of infosec before -- but she got a ticket and flew to New York to attend this little infosec conference where Yan was speaking. (Well, that and also to apply for the NYU graduate program in media).
She found things she didn't expect. She found, for example, how she can contribute, using her skills in usability to make crypto and privacy better for users. She also found a community that was accepting and approachable. Advertising is a Continue reading
Jeb Bush is a cyber-weenie
Jeb Bush, one of them many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.For example, his recent position opposing "NetNeutrality" regulations says this:
these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their servicesUh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. That we Republicans oppose NetNeutrality is not based on the belief that "charging content companies" is a good thing.
Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who are.
Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality simply because it's over-regulation. My point is that Jeb Bush doesn't realized he's been sucked into the Democrat framing, and that what he says is garbage.
A better example is Jeb's position Continue reading
Prez: Candidate synchronization
So last week I gave $10 to all the presidential campaigns, in order to watch their antics. One thing that's weird is that they often appear to act in unison, as if they are either copying each other, or are all playing from the same secret playbook.The candidates must report their donations every quarter, according to FEC (Federal Elections Commission) rules. The next deadline is September 30th. Three days before that deadline, half the candidates sent out email asking for donations to meet this "critical" deadline. They don't say why it's critical, but only that's is some sort of critical deadline that must be met, which we can only do so with your help. The real reason why, of course, is that this information will become public, implicitly ranking the amount of support each candidate has.
Four days before this deadline, I didn't get donation pleas mentioning it. Three days before, half the candidates mentioned it. It's as if one candidate sees such an email blast, realizes it's a great idea, and send's out a similar email blast of their own.
Two days before the deadline, three of the candidates sent out animated GIFs counting down to the deadline. Continue reading
I gave $10 to every presidential candidate
What happens when your candidate drops out of the 2016 presidential race? What do they do with the roughly million names of donors they've collected?I've decided that somebody needs to answer this question, so I've donated $10 to each of the roughly ~25 current presidential candidates (yes, even the hateful ones like Trump and Lessig). By donating money, I've put myself on the list of suckers who they can tap again for more donations. After the election next year, we'll be able to figure out how each candidate has used (or misused) the email addresses I gave them.
For most candidates, the first two pieces of information they ask of your is #1 your email address and #2 your zip code. They need the zip code so that when there is a local rally in your area, they can contact you to get your to turn out. But as a side effect, it means being able to extract favors from local politicians.
Therefore, to do this right, I'd have to make a donation from every congressional/senate district in the country. I suspect one use of this information is when one Representative goes to another and says "If you Continue reading
Zerodium’s million dollar iOS9 bounty
Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red-herring.It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.
The bigger money is in the intelligence market or 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).
Every time Apple comes out with a new version (like iOS9), they Continue reading
Some notes on NSA’s 0day handling process
The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.
In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.
That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".
I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, Continue reading
There are two sides to every story
In today's "clock" controversy, the clock didn't look like these:
Instead, this is the picture of the device (from the police department):
It's in a "pencil case", not a briefcase. You can compare the size to the plug on the right.
They didn't think it was a bomb, but a "hoax bomb". If they thought it might be a real bomb, they would've evacuated the school. Texas has specific laws making illegal to create a hoax bomb -- it is for breaking this "hoax bomb" law that the kid was arrested.
This changes the tenor of the discussion. It wasn't that they were too stupid they thought it was a bomb, it was that they were too fascist believing it was intentionally a hoax.
These questioned him, and arrested him because his answers were "passive aggressive". This is wrong on so many levels it's hard to know where to begin. Of course, if the kid's innocent his answers are going to be passive aggressive, because it's just a clock!!!
It was the english teacher who turn him in. Probably for using a preposition at the end of a sentence. The engineering teacher thought it was a good project.
It's actually Continue reading
Maybe with less hate
I wanted to point out President's rather great tweet in response to Ahmed Mohamed's totally-not-a-bomb:Cool clock, Ahmed. Want to bring it to the White House? We should inspire more kids like you to like science. It's what makes America great.— President Obama (@POTUS) September 16, 2015The reason this tweet is great is that it points out the great stupidity of the teachers/police, but by bringing Ahmed up rather than bringing them down. It brings all America up. Though the school/police did something wrong, the President isn't attacking them with hate.
The teachers/police were almost certainly racist, of course, but they don't see themselves that way. Attacking them with hate is therefore unlikely to fix anything. It's not going to change their behavior, because they think they did nothing wrong -- they'll just get more defensive. It's not going change the behavior of others, because everyone (often wrongly) believes they are part of the solution and not part of the problem.
Issues like Ahmed's deserve attention, but remember that reasonable people will disagree. Some believe the bigger issue is the racism. Other's believe that the bigger issue is the post 9/11 culture of ignorance and suspicion, where Continue reading