My BIS/Wassenaar comment
This is my comment I submitted to the BIS on their Wassenaar rules:----
Hi.
I created the first “intrusion prevention system”, as well as many tools and much cybersecurity research over the last 20 years. I would not have done so had these rules been in place. The cost and dangers would have been too high. If you do not roll back the existing language, I will be forced to do something else.
After two months, reading your FAQ, consulting with lawyers and export experts, the cybersecurity industry still hasn’t figured out precisely what your rules mean. The language is so open-ended that it appears to control everything. My latest project is a simple “DNS server”, a piece of software wholly unrelated to cybersecurity. Yet, since hackers exploit “DNS” for malware command-and-control, it appears to be covered by your rules. It’s specifically designed for both the distribution and control of malware. This isn’t my intent, it’s just a consequence of how “DNS” works. I haven’t decided whether to make this tool open-source yet, so therefore traveling to foreign countries with the code on my laptop appears to be a felony violation of export controls.
Of course you don’t intend Continue reading
Software and the bogeyman
This post about the July 8 glitches (United, NYSE, WSJ failed) keeps popping up in my Twitter timeline. It's complete nonsense.What's being argued here is that these glitches were due to some sort of "moral weakness", like laziness, politics, or stupidity. It's a facile and appealing argument, so scoundrels make it often -- to great applause from the audience. But it's not true.
Legacy
Layers and legacies exist because working systems are precious. More than half of big software projects are abandoned, because getting new things to work is a hard task. We place so much value on legacy, working old systems, because the new replacements usually fail.
An example of this is the failed BIND10 project. BIND, the Berkeley Internet Name Daemon, is the oldest and most popular DNS server. It is the de facto reference standard for how DNS works, more so than the actual RFCs. Version 9 of the project is 15 years old. Therefore, the consortium that maintains it funded development for version 10. They completed the project, then effectively abandoned it, as it was worse in almost every way than the previous version.
The reason legacy works well is the enormous regression testing Continue reading
More ProxyHam stuff
Somebody asked how my solution in the last post differed from the "ProxyGambit" solution. They missed my point. Just because I change the tires on the car doesn't mean I get credit for inventing or building the car. The same thing with this ProxyHam nonsense: nobody is "building a solution". Instead, we are all just using existing products the way they are intended. We are all just choosing a different mix of components.People get all excited when they see a bare Raspberry Pi board, but the reality is that there's nothing interesting going on here, no more than lifting the hood/bonnet on your car. This is photograph from ProxyGambit:
What ProxyGambit is doing here is using cellular data on the far end rather stealing WiFi from Starbucks or the local library. Their solution looks fancy, but you can do the same thing with off-the-shelf devices for a lot cheaper. Here is the same solution with off-the-shelf products:
This is just a TL-WR703N ($26) router with a 3G USB dongle. You can get these dongles cheap off eBay used, or new for around $17. Combined, they are cheaper than a Raspberry PI. If you want to customize this, Continue reading
How to build your own ProxyHam
"ProxyHam" created controversy because the talk was supposedly suppressed by the US government. In this post, I'll describe how you can build your own, with off-the-shelf devices, without any code.First, head on over to NewEgg. For a total of $290.96, buy two locoM9 repeaters (for $125.49 each), and two WiFi routers, like the TL-WR700N for $19.99 each.
Grab your first WiFi device. Configure it in "client" mode, connecting it to the "Starbucks" SSID. In this mode, you can then connect your laptop via Ethernet to this device, and you'll have access to the Internet via your WiFi device to Starbucks. In other words, it acts as a WiFi dongle, but one that you attach via Ethernet instead of USB.
Now grab your two locoM9 devices and configure them for "transparent bridging". In this mode, whatever Ethernet packets that are received on one end get sent over the air to the other end. Connect each localM9 via the TL-WR700N via the supplied Ethernet cable.
Now grab the second WiFi device and configure it as a normal WiFi router.
Now, assuming you aim the localM9's correct toward each other with reasonable line-of-sight, you've got a "ProxyHam".
The reason Continue reading
ProxyHam conspiracy is nonsense
This DEF CON conspiracy theory is about a canceled talk about "ProxyHam", which has been canceled under mysterious circumstances. It's nonsense.The talk was hype to begin with. You can buy a 900 MHz bridge from Ubquiti for $125 (or MicroTik device for $129) and attach it to a Raspberry Pi. How you'd do this is obvious. It's a good DEF CON talk, because it's the application that important, but the technical principles here are extremely basic.
If you look careful at the pic in the Wired story on ProxyHam, it appears they are indeed just using the Ubuiti device. Here is the pic from Wired:
And here is the pic from Ubquiti's website:
I don't know why the talk was canceled. One likely reason is that the stories (such as the one on Wired) sensationalized the thing, so maybe their employer got cold feet. Or maybe the FBI got scared and really did give them an NSL, though that's incredibly implausible.
Anyway, if DEF CON wants a talk on how to hook up a Raspberry Pi to a UbiQuiTi NanoStation LOCOM9 in order bridge WiFi, I'll happily give that talk. It's just basic TCP/IP configuration, and if you Continue reading
Some notes when ordering Google’s Project Fi
I just ordered my "Project Fi" phone. You probably should, too. Here are some notes (especially near the bottom on getting a new phone number).Project Fi is Google's MVNO. An "MVNO" is a virtual mobile phone company -- they don't have any of their own network backbone or cell towers, but just rent them from the real mobile phone companies (like AT&T or T-Mobile). Most mobile phone companies are actually MVNOs, because building a physical network is expensive.
What makes Google's MVNO interesting:
- Straightforward pricing. It's $20 a month for unlimited calling/texting, plus $10 per gigabyte of data used during the month. It includes tethering.
- No roaming charges, in 120 countries. I can fly to Japan, Australia, and France, and still use email, Google maps, texting -- for no extra charge.
The pricing is similar to other phone companies, a little less or a little more depending on exactly what you want. For around 3 gigs a month, Project Fi is cheaper than AT&T, but for 30 gigs, it's more expensive.
There are more and more MVNOs providing easy international roaming (like Ultra.me), and your own phone company is increasingly solving the problem. T-Mobile, for example, Continue reading
There are more and more MVNOs providing easy international roaming (like Ultra.me), and your own phone company is increasingly solving the problem. T-Mobile, for example, Continue reading
CyberUL is a dumb idea
Peiter “mudge” Zatko is leaving Google, asked by the White House to create a sort of a cyber “Underwriter Laboratories” (UL) for the government. UL is the organization that certifies electrical devices, so that they don’t short out and zap you to death. But here’s the thing: a CyberUL is a dumb idea. It’s the Vogon approach to the problem. It imagines that security comes from a moral weakness that could be solved by getting “serious” about the problem.It’s not the hacking problem
According to data-breach reports, 95% of all attacks are simple things, like phishing, SQL injection, and bad passwords – nothing related to software quality. The other 5% is because victims are using old, unpatched software. When exploits are used, it’s overwhelmingly for software that has remained unpatched for a year.
In other words, CyberUL addresses less than 0.1% of real-world attacks.
It’s not the same quality problem
UL is about accidental failures in electronics. CyberUL would be about intentional attacks against software. These are unrelated issues. Stopping accidental failures is a solved problem in many fields. Stopping attacks is something nobody has solved in any field.
In other words, the UL model of accidents is Continue reading
How would you use Lua scripting in a DNS server?
I'm currently putting Lua into a DNS server, and I'm trying to figure out how people would use it.A typical application would be load-balancing. How I would do this is to create a background Lua thread that frequently (many times a second) queried an external resource to discover current server utilitzation, then rewrote the RRset for that server to put the least utilized server first. This would technically change the zone, but wouldn't be handled as such (i.e. wouldn't trigger serial number changes, wouldn't trigger notification of slave zones).
Such a thread could be used for zone backends. Right now, DNS servers support complex backends like SQL servers and LDAP servers. Instead of making the server code complex, this could easily be done with a Lua thread, that regularly scans an SQL/LDAP server for changes and updates the zone in memory with the changes.
Both these examples are updating static information. One possible alternative is to execute a Lua script on each and every DNS query, such as adding a resource record to a zone that would look like this:
*.foo.example.com. TXT $LUA:my_script
Every query would cause the script to be executed. There are some Continue reading
Because dossiers
Here's the thing about computers -- even your laptop can support "big-data" applications. There are only 300-million people in the united states. At 1-kilobyte per person, that's still only 300-gigabytes -- which fits on my laptop hard-drive.Building dossiers is becoming a thing in the hacking underground. Every time they break into a retail chain, hospital, insurance company, or government agency, they correlate everything back to the same dossier, based on such things as social security numbers, credit card numbers, email addresses, and even IP addresses. Beyond hacked secrets, public sources of information are likewise scanned in order to add to the dossier. Tools such as Maltego make it surprisingly easy to combine your own private information with public sources in order to build such dossiers.
When even the small hacking groups are focused on this effort, you can bet the big guys like China and Russia are even more interested in this.
This is one explanation behind the OPM hack. The hackers may have had something specific in mind, such as getting the personal information from SF86 forms where those seeking clearance are forced to disclose their various addictions and perversions. It may be used to blackmail people -- Continue reading
Should I panic because Lastpass was hacked?
Maybe, maybe not. Lastpass uses 100000 iterations in its PBKDF2 algorithm. If you chose a long, non-dictionary password, nobody can crack it. Conversely, if you haven't, then yes, you need to change it.I benchmarked this on my computer using "oclHashcat". It's not an exact match with the Lastpass algorithm, but it's close enough to show the performance.
As you can see, my machine is getting 2577 (two and a half thousand) random password guesses per second. This may sound like a lot, but it's not not, because cracking passwords is exponentially difficult.
Consider normal hashes, not the stronger ones used by Lastpass. My desktop can crack 1 billion of those per second. Consider that a password can be built from UPPER and lower case letters, numbers, and punctuation marks -- or about 64 variations per character.
In this case, a 5 letter password has 1 billion combinations, so a fast computer can guess it in a second. Adding one letter, with it's 64 different possibilities, makes this 64 times harder, meaning it'll take a minute. Another letter (7), and it becomes an hour. Another letter (to 8), and it becomes several days. Another letter (9), and it becomes a Continue reading
How to code: lesson 27
I was reading some code on the Internet today and came across this:
The thing to notice is the hang & symbols in front of the variables, instead of just making things line up. It's a stylistic quirk of the author of this code. It's a good lesson on what not to do.
There is only one important style rule and it is this: make your code look like everyone else's. The question isn't whether it's good or bad, only that it's unusual. Yes, this quick is relatively insignificant, but I point it out is that you should not be tempted, even on the smallest of things.
You see this with the evolution of programmers. In the beginning, their code is quirky as hell. Over time, as they they are exposed to more and more source by others, they start to see how these quirks are irritating, and stop doing them in their own code. The style becomes blander and blander -- but at the same time, the greatness of their construction of the code starts to shine.
When you start writing great code, you'll eventually have to break this rule and do something big and strange. For example, I Continue reading
How we really know the Sunday Times story is bogus
Stories sourced entirely from "anonymous senior government officials" are propaganda, not journalism. The identities of the sources are hidden not to protect them from speaking out against the government, since they are in fact delivering exactly the message the government wants to get out. Instead, their identities are kept secret so that their message cannot be challenged.It's not just me claiming this. Every journalistic organization criticizes the practice. Every set of journalistic ethics guidelines calls this unethical.
Yet, somehow it keeps happening. The latest example is the The Sunday Times, Britains largest newspaper, reporting government officials critical of Snowden. We know the story is bogus, because it quotes solely government official spouting the party line. Moreover, even if that weren't the case, it's obvious propaganda, arguing one side of the story, and not even attempting to get the other point of view from Russia, China, or Snowden himself. Snowden is often quoted in newspapers, he can't be that hard to get a hold of. Not contacting Snowden for his side is also a violation of journalistic ethics.
I point this out because there are lots of good criticisms of the story, for example, pointing out that the correct term Continue reading
Intel has 4 processor lines
Just a quick note: Intel has four different processor lines -- or four different "microarchitectures". All Intel processors support the x86 instruction set externally, but have very different microarchitectures internally.To start with is their mainstream processor in desktops, notebooks, servers, and supercomputers. This accounts for the bulk of their business, and what we think of as an "Intel processor". The latest version of this microarchitecture is "Broadwell". Previous versions have been Haswell, Ivy Bridge, Sandy Bridge. It's sold as the Xeon, Core i7/i5/i3, Pentium, Celeron, etc.
Then there is the low power processor to compete against ARM in cellphone devices known as the "Atom". There are have been two radically different versions of this processor. The older version of the microarchitecture from 2008 was known as "Bonnel", and it kinda sucked (dual-issue, but in-order). The newer version of the microarchitecture, "Silvermont", is out-of-order, and is much better. Atom processors are just as power efficient as ARM processors. Indeed, many phones use them without people really being aware of the difference. I point this out because there is a widespread misconception that ARM processors are more power efficient than Intel processors. Note that all these processors are 64-bit internally, though Continue reading
What’s the state of iPhone PIN guessing
I think even some experts have gotten this wrong, so I want to ask everyone: what's the current state-of-the-art for trying to crack Apple PIN codes?This is how I think it works currently (in iOS 8).
To start with, there is a special "crypto-chip" inside the iPhone that holds your secrets (like a TPM or ARM TrustZone). I think originally it was ARM's TrustZone, but now that Apple designs its own chips, that they've customized it. I think they needed to add stuff to make Touch ID work.
All the data (on the internal flash drive) is encrypted with a random AES key that nobody, not even the NSA, can crack. This random AES key is stored on the crypto-chip. Thus, if your phone is stolen, the robbers cannot steal the data from it -- as long as your phone is locked properly.
To unlock your phone, you type in a 4 digit passcode. This passcode gets sent to the crypto-chip, which verifies the code, then gives you the AES key needed to decrypt the flash drive. This is all invisible, of course, but that's what's going on underneath the scenes. Since the NSA can't crack the AES key Continue reading
Uh, the only reform of domestic surveillance is dismantling it
A lot of smart people are cheering the reforms of domestic surveillance in the USA "FREEDOM" Act. Examples include Timothy Lee, EFF, Julian Sanchez, and Amie Stepanovich. I don't understand why. Domestic surveillance is a violation of our rights. The only acceptable reform is getting rid of it. Anything less is the moral equivalent of forcing muggers to not wear ski masks -- it doesn't actually address the core problem (mugging, in this case).
Bulk collection still happens, and searches still happen. The only thing the act does is move ownership of the metadata databases from the NSA to the phone companies. In no way does the bill reform the idea that, on the pretext of terrorism, law enforcement can still rummage through the records, looking for everyone "two hops" away from a terrorist.
We all know the Patriot Act is used primarily to prosecute the War on Drugs rather than the War on Terror. I see nothing in FREEDOM act that reforms this. We all know the government cloaks its abuses under the secrecy of national security -- and while I see lots in the act that tries to make things more transparent, the act still Continue reading
Understanding TSA Math
At the end of every year, the TSA blogs about the weapons and explosives it prevented from getting on board airplanes. They are trying to brag about all the dangers they've stopped. But the opposite is true, when you do the math, you realize that they are stopping no dangers at all. The TSA stops less than half the bombs that get on board airplanes -- yet airplanes are not falling out of the sky due to the bombs that do get on board. Thus, mathematically, bombs aren't a danger. It therefore doesn't matter if the TSA stops bombs or not.
We know the TSA stops less than 50% of bad stuff from various sources. The first is the government's own tests, such as that described in a recent story where the TSA failed a shockingly 95% of the time.
Another is a statistic reported by the TSA where the number of firearms they stop every year is rapidly increasing. This does not match any other trend in society, such as the number of people carrying firearms. The only reason for such rapid growth is that the TSA gets better every year at detection. That means, historically, the TSA is Continue reading
Ulbricht’s judge punished him for political dissent; you should find this outrageous
Silk Road operator Ross Ulbricht was sentenced to life in prison without parole. Maybe this is a fair sentence for selling $200 million in illegal drugs. Or, since all the lawyers I talk to think it's excessive (worse than what even the prosecutors asked for), maybe it's within the normal range of excess in the War on Drugs. I'm not a lawyer, so I can't judge this.But, I'm interested in the comments the judge made justifying her hard sentence. According to Andy Greenberg at WIRED, the judge said:
“The stated purpose [of the Silk Road] was to be beyond the law. In the world you created over time, democracy didn’t exist. ... Silk Road’s birth and presence asserted that its…creator was better than the laws of this country. This is deeply troubling, terribly misguided, and very dangerous.”This is silly on the face of it. The stated purpose of all crime is to "be beyond the law". I mean, when I go above the speed limit in my BMW, my stated purpose is to go beyond the legal limit. I'm not sure I understand the logic here.
I'm being disingenuous, of course, because I do understand. What the Continue reading
Some notes about Wassenaar
So #wassenaar has infected your timeline for the past several days. I thought I'd explain what the big deal is.What's a Wassenaar?
It's a town in Europe where in 1996 a total of 41 nations agreed to an arms control treaty. The name of the agreement, the Wassenaar Arrangement, comes from the town. The US, Europe, and Russia are part of the agreement. Africa, Middle East, and China are not.
The primary goal of the arrangement is anti-proliferation, stopping uranium enrichment and chemical weapons precursors. Another goal is to control conventional weapons, keeping them out of the hands of regimes that would use them against their own people, or to invade their neighbors.
Historically in cybersec, we've complained that Wassenaar classifies crypto as a munition. This allows the NSA to eavesdrop and decrypt messages in those countries. This does little to stop dictators from getting their hands on strong crypto, but does a lot to prevent dissidents in those countries from encrypting their messages. Perhaps more importantly, it requires us to jump through a lot of bureaucratic hoops to export computer products, because encryption is built-in to virtually everything.
Why has this become important recently?
Last year, Wassenaar Continue reading
EFF and intrusion software regulation
To its credit, the EFF is better than a lot of other privacy groups like the ACLU or Privacy International. It at least acknowledges that regulating "evil" software can have unintended consequences on "good" software, that preventing corrupt governments from buying software also means blocking their dissidents from buying software to protect themselves. An example is this piece from several years ago that says:"First and foremost, we want to make sure we do not leave activists with fewer tools than they already have. Parliament must be mindful of legislation just based on types of technology because broadly written regulations could have a net negative effect on the availability of many general-purpose technologies and could easily harm very people that the regulations are trying to protect."But that does not stop the EFF from proposing such regulations.
In that same piece, the EFF first proposes rules for transparency. This will not stop the bad companies, but will be a burden on the legitimate companies that have no interesting in dealing with corrupt governments anyway. Most of this stuff is sold by small companies, like FinFisher, who focus on the "corrupt regime" market. They would not be embarrassed by transparency -- Continue reading
This is how we get ants
Today's Wassenaar proposal to limit 0days -- and thereby virtually all cybersecurity products -- is partly the result of lobbying by the ACLU and EFF. The principle technologist of the ACLU called 0day sellers "merchants of death". The EFF called for 0day sales to governments to be the center of any policy debate on cybersecurity.
Yet, they deny responsibility for Wassenaar -- because the regulations go too far, and appear to restrict virtually all cybersecurity software and any free-speech on the topic. These groups now back off and claim they never called for 0day restrictions in the first place.
For example, when the EFF said "exploit sales should be key point in cybersecurity debate", nowhere in the article does it explicitly call for a ban on exploit sales. Their focus was on limiting the actions of the NSA in buying exploits, not so much those who would sell the exploits.
This is true, but only technically. There's no conceivable situation where the US Government would unilaterally disarm itself of cyberweapons while allowing everyone else to purchase them. It's also not conceivable that when you've put that much work into calling 0days evil and unethical, that a reasonable Continue reading