Archive

Category Archives for "Errata Security"

Our Lord of the Flies moment

In its war on researchers, the FBI doesn't have to imprison us. Merely opening an investigation into a researcher is enough to scare away investors and bankrupt their company, which is what happened last week with Chris Roberts. The scary thing about this process is that the FBI has all the credibility, and the researcher none -- even among other researchers. After hearing only one side of the story, the FBI's side, cybersecurity researchers quickly turned on their own, condemning Chris Roberts for endangering lives by taking control of an airplane.



As reported by Kim Zetter at Wired, though, Roberts denies the FBI's allegations. He claims his comments were taken out of context, and that on the subject of taking control of a plane, it was in fact a simulator, not a real airplane.

I don't know which side is telling the truth, of course. I'm not going to defend Chris Roberts in the face of strong evidence of his guilt. But at the same time, I demand real evidence of his guilt before I Continue reading

Those expressing moral outrage probably can’t do math

Many are discussing the FBI document where Chris Roberts ("the airplane hacker") claimed to an FBI agent that at one point, he hacked the plane's controls and caused the plane to climb sideways. The discussion hasn't elevated itself above the level of anti-vaxxers.

It's almost certain that the FBI's account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said "I hacked a plane" in order to get a search warrant, then that's what their notes will say. It's like cops who will yank the collar of a drug-sniffing dog in order to "trigger" on drugs so that they have an excuse to search the car.

Also, security researchers are notorious for being misunderstood. Whenever we make innocent statements about what we "could" do, others often interpret this either as a threat or a statement of what we already have done.

Assuming this scenario is true, that Roberts did indeed control the plane briefly, many claim that this is especially Continue reading

Revolutionaries vs. Lawyers

I am not a lawyer; I am a revolutionary. I mention this in response to Volokh posts [1, 2] on whether the First Amendment protects filming police. It doesn't -- it's an obvious stretch, and relies upon concepts like a protected "journalist" class who enjoys rights denied to the common person. Instead, the Ninth Amendment, combined with the Declaration of Independence, is what makes filming police a right.

The Ninth Amendment simply says the people have more rights than those enumerated by the Bill of Rights. There are two ways of reading this. Some lawyers take the narrow view, that this doesn't confer any additional rights, but is just a hint on how to read the Constitution. Some take a more expansive view, that there are a vast number of human rights out there, waiting to be discovered. For example, some wanted to use the Ninth Amendment to insist "abortion" was a human right in Roe v. Wade. Generally, lawyers take the narrow view, because the expansive view becomes ultimately unworkable when everything is a potential "right".

I'm not a lawyer, but a revolutionary. For me, rights come not from the Constitution, Bill of Rights, or Supreme Continue reading

NSA: ad hominem is still a fallacy

An ad hominem attack is where, instead of refuting a person's arguments, you attack their character. It's a fallacy that enlightened people avoid. I point this out because of a piece in The Intercept about how some of the NSA's defenders have financial ties to the NSA. This is a fallacy.


The first rule of NSA club is don't talk about NSA club. The intelligence community frequently publishes rules to this effect to all their employees, contractors, and anybody else under their thumb. They don't want their people talking about the NSA, even in defense. Their preferred defense is lobbying politicians privately in back rooms. They hate having things out in the public. Or, when they do want something public, they want to control the messaging (they are control freaks). They don't want their supporters muddying the waters with conflicting messaging, even if it is all positive. What they fear most is bad supporters, the type that does more harm than good. Inevitably, some defender of the NSA is going to say "ragheads must die", and that'll be the one thing attackers will cherry pick to smear the NSA's reputation.

Thus, you can tell how close somebody is to the NSA by Continue reading

Some brief technical notes on Venom

Like you, I was displeased by the lack of details on the "Venom" vulnerability, so I thought I'd write up what little I found.

The patch to the source code is here. Since the commit message references CVE-2015-3456, we know it's Venom:
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c

Looking up those terms, I find writeups, such as this one from Red Hat:
https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/

It comes down to a typical heap/stack buffer overflow (depending), where the attacker can write large amounts of data past the end of a buffer. Since this is the kernel, there are no protections like NX or ASLR. To exploit this, you'd likely need some knowledge of the host operating system.

The details look straightforward, which means a PoC should arrive by tomorrow.

This is a hypervisor privilege escalation bug. To exploit this, you'd sign up with one of the zillions of VPS providers and get a Linux instance. You'd then, likely, replace the floppy driver in the Linux kernel with a custom driver that exploits this bug. You have root access to your own kernel, of course, which you are going to escalate to root access of the hypervisor.

People suggest adding an exploit to toolkits like Continue reading

How to fix the CFAA

Someone on Twitter asked for a blogpost on how I'd fix the CFAA, the anti-hacking law. So here is my proposal.

The major problem with the law is that the term "authorized" isn't clearly defined. You non-technical people think the meaning is obvious, because you can pick up a dictionary and simply point to a definition. However, in the computer world, things are a bit more complicated.

It's like a sign on a store window saying "No shirt, no shoes, no service" -- but you walk in anyway with neither. You know your presence is unwanted, but are you actually trespassing? Is your presence not "authorized"? Or, should we demand a higher standard, such as when the store owner asks you to leave (and you refuse) that you now are trespassing/unauthorized?

What happens on the Internet is that websites routinely make public data they actually don't want people to access. Is accessing such data unauthorized? We saw that a couple of days ago, when Twitter accidentally published their quarterly results an hour early on their website. An automated script discovered this and republished Twitter's results to a wider audience, ironically using Twitter to do so. This caused $5-billion to drop off Continue reading

Ultron didn’t save the world

The movie Avengers: Age of Ultron has a message for us in cybersec: In our desire to save the world, we are likely to destroy it.

Tony Stark builds "Ultron" to save the world, to bring peace in our time. As a cybernetic creation, Ultron takes this literally, and decides the best way to bring peace is to kill all humans.

The problem, as demonstrated by the movie, isn't that there was a bug in Stark's code. The problem was the hubris of thinking that Stark could protect everyone. Inevitably, protecting everyone meant ruling everyone, bringing peace by force. It's the same hubris behind the USA's effort to bring peace to Iraq and Afghanistan.

I mention this because in the cybersecurity industry, there are many who propose to bring security through authority. They want government mandated rules on how to write code, imposed liability requirements, and so on.

This sounds reasonable. After all, nobody wants medical equipment like pacemakers to be hacked. But here's the thing. Computer-controlled devices have the potential to vastly improve health, whether it's watches monitoring your heart, pacemakers, insulin pumps, and so on. While these devices can be hacked, the practical reality is that if you want Continue reading

Review: Avengers, Age of Ultron

Today was the opening of the movie "Avengers: Age of Ultron". The best way to describe it is this. On the first date, you went and saw "The Avengers". You felt the rush of something new, and you were quite satisfied. This movie, "Age of Ultron", is the second date. You already know what to expect, but that doesn't matter, because you progress past the holding-hands stage. You didn't go all the way, but you know that's coming on the third date, with "Avengers: Infinity Wars".

Remember that this movie is part of the Marvel Avengers arc, consisting of Ironman (3 movies), Captain America (2), Thor (2), Hulk, and Avengers (2). This arc also includes two TV series, and also a (so far) unrelated Guardians of the Galaxy movie. Everything is leading to the Infinity Wars movies.

I point this out because while this movie seems like a fine standalone movie for those who have seen none or only a few of the others, the greatest enjoyment will be in seeing it within context. In particular, while Ironman 3 isn't a terribly good movie, it's worth seeing before this movie, as it Continue reading

Some notes on why crypto backdoors are unreasonable

Today, a congressional committee held hearings about 'crypto backdoors' that would allow the FBI to decrypt text messages, phone calls, and data on phones. The thing to note about this topic is that it's not anywhere close to reasonable public policy. The technical and international problems are unsolvable with anything close to the proposed policy. Even if the policy were reasonable, it's unreasonable that law enforcement should be lobbying for it.


Crypto is end-to-end


The debate hinges on a huge fallacy, that it's about regulating industry, forcing companies like Apple to include backdoors. This makes it seem like it's a small law. The truth is that crypto is end-to-end. Apple sells a generic computer we hold in our hand. As a user, I can install any software I want on it -- including software that completely defeats any backdoor that Apple would install. Examples of such software would be Signal and Silent Circle.

It seems reasonable that you could extend the law so that it covers any software provider. But that doesn't work, because software is often open-source, meaning that anybody can build their own app from it. Starting from scratch, it would take me about six months to write my Continue reading

The hollow rhetoric of nation-state threats

The government is using the threat of nation-state hackers to declare a state-of-emergency and pass draconian laws in congress. However, as the GitHub DDoS shows, the government has little interest in actually defending us.

It took 25 days to blame North Korea for the Sony hack, between the moment "Hacked by the #GOP" appeared on Sony computers and when President Obama promised retaliation in a news conference -- based on flimsy evidence of North Korea's involvement. In contrast, it's been more than 25 days since we've had conclusive proof the Chinese government was DDoSing GitHub, and our government has remained silent. China stopped the attacks after two weeks on their own volition, because GitHub defended itself, not because of anything the United States government did.

The reason for the inattention is that GitHub has no lobbyists. Sony spends several million dollars every year in lobbying, as well as hundreds of thousands in campaign contributions. When Sony gets hacked, politicians listen. In contrast, GitHub spends zero on either lobbying or contributions.

It's not that GitHub isn't important -- it's actually key infrastructure to the Internet. All computer nerds know the site. It's the largest repository of source-code on the Continue reading

Solidarity

The government's zealous War on Hackers threatens us, the good hackers who stop the bad ones. They can't tell the good witches from the bad witches. When members of our community get threatened by the system, we should probably do more to stand in solidarity with them. I mention this because many of you will be flying to SFO this coming week for the RSA Conference, which gives us an opportunity to show solidarity.

Today, a security researcher tweeted a joke while on a plane. When he landed, the FBI grabbed him and confiscated all his stuff. The tweets are here:



Chris Roberts' area of research is embedded control systems like those on planes. It's not simply that the FBI grabbed him because of a random person on a plane, but specifically because he's a security researcher. He's on the FBI's radar (so to speak) for things like this Fox News interview.

I suggest we all start joke tweeting along these lines, from the airplanes, like:

DFW->SFO. Playing with airplane wifi. I Continue reading

Masscanning for MS15-034

So Microsoft has an important web-server bug, so naturally I'd like to scan the Internet for it. I'm running the scan now, but I'm not sure it's going to give any useful results.

The bug comes from adding a header like the following to a web request:
Range: bytes=0-18446744073709551615
As you can see, it's just a standard (64-bit) integer overflow, where 18446744073709551615 equals -1.

That specific header is harmless; it appears that other variations are the ones that may cause a problem. However, it serves as a useful check to see if the server is patched. If the server is unpatched, it'll return the following error:
HTTP/1.1 416 Requested Range Not Satisfiable
From what the PoCs say, a response that looks like the following means that it is patched:
The request has an invalid header name
However, when I run the scan across the Internet, I'm getting the following sorts of responses from servers claiming to be IIS:

HTTP/1.1 200 OK
HTTP/1.1 206 Partial Content
HTTP/1.1 301 Moved Permanently
HTTP/1.1 302 Object moved
HTTP/1.1 302 Found
HTTP/1.1 302 Redirect
HTTP/1.1 401 Unauthorized
HTTP/1.1 403 Forbidden
HTTP/1.1 404 Object Not Found
Continue reading

Should billionaires have to disclose their political contributions?

The Intercept has a story about a billionaire sneaking into a Jeb Bush fundraiser. It points out:
"Bush’s campaign operation has taken steps to conceal the names of certain big-money donors. ... Bush’s Right to Rise also formed a 501(c)(4) issue advocacy wing, which, like a Super PAC, can raise and spend unlimited amounts of money — but unlike a Super PAC, never has to reveal donor names."
This leads me to ask two questions:

  1. Should billionaires be allowed to spend unlimited amounts of money promoting their politics?
  2. If they can spend unlimited amounts, should they be forced to disclose them?

If you know me, you know that I'm asking a trick question. I'm not referring to venture capitalist Ron Conway, the billionaire mentioned in the story. I'm instead referring to Pierre Omidyar, the billionaire founder of eBay who funds The Intercept, which blatantly promotes his political views, such as those on NSA surveillance. Can Omidyar spend endless amounts on The Intercept? Should he be forced to disclose how much?

This question is at the heart of the Supreme Court decision in Citizens United. It comes down to this: the Supreme Court was unable to craft rules that could tell Continue reading

Scalability of the Great Cannon

Here is a great paper on China's Great Cannon, which was used to DDoS GitHub. One question is how scalable such a system can be, or how much resources it would take for China to intercept connections and replace content.

The first question is how much bandwidth China needs to monitor. According to this website, in early 2015 that's 1.9-terabits/second (1,899,792-mbps).

The second question is how much hardware China needs to buy in order to intercept network traffic, reassemble TCP streams, and insert responses. The answer is about one $1000 desktop computer. In other words, China can deploy the Great Cannon using $200,000 worth of hardware.

This answer is a little controversial. Most people think that a mere desktop computer could not handle 10-gbps of throughput, much less do anything complicated with it like reassembling TCP streams. However, they are wrong. Intel has put an enormous amount of functionality into their hardware to solve precisely this problem. Unfortunately, modern software like Linux or Windows is a decade behind hardware advances, and cannot take advantage of this.

The first step is to bypass the operating system. This sounds a bit odd, but it's not hard to do. Continue reading

Stop making the NSA the bogeyman of privacy

Snowden is my hero, but here's the thing: the NSA is the least of our worries. Firstly, their attention is foreign, not domestic. Secondly, they are relatively uncorrupt. Our attention should be focused on the corrupt domestic law-enforcement agencies, like the ATF, DEA, and FBI.

I mention this because a lot of people seem concerned that the "cyber threat sharing" bills in congress (CISA/CISPA) will divulge private information to the NSA. This is nonsense. The issue is private information exposed to the FBI and other domestic agencies. It's the FBI, ATF, or DEA that will come break down your door and arrest you, not the NSA.

We see that recently where the DEA (Drug Enforcement Administration) has been caught slurping up international phone records going back to the 1990s. This appears as bad as the NSA phone records program that started the Snowden disclosures.

I know the FBI is corrupt because I've experienced it personally, when they threatened me in order to suppress a conference talk. We know they are corrupt in the way they hide cellphone interception devices ("stingray") from public disclosure. We know they are corrupt because their headquarters is named after J. Edgar Hoover, the notoriously corrupt Continue reading

No, 75% are not vulnerable to Heartbleed

A little-known company "Venafi" is suddenly in the news implying 75% of major systems are still vulnerable to Heartbleed. This deserves a rating of "liar liar pants on fire".

The issue isn't patches but certificates. Systems are patched, but while they were still vulnerable to Heartbleed, hackers may have stolen the certificates. Therefore, the certificates need to be replaced. Not everyone has replaced their certificates, and those that have may have done so incorrectly (reusing the same keys, not revoking the previous certificates).

Thus, what the report is saying is that 75% haven't updated their certificates correctly. Naturally, they sell a solution for that problem.

However, even this claim isn't accurate. Only a small percentage of systems were vulnerable to Heartbleed in the first place, and it's hard to say which certificates actually needed to be replaced.

That's why you have the weaselly marketing language above. It's not saying 3 out of 4 of all systems, but only those that were vulnerable to begin with (a minority). They aren't saying they are still vulnerable to Heartbleed itself, but only that they are vulnerable to breach -- due to the certificates having been stolen.

The entire report is so full of this Continue reading

The .onion address

A draft RFC for Tor's .onion address is finally being written. This is a proper thing. Like the old days of the Internet, people just did things, then documented them later. Tor's .onion addresses have been in use for quite a while (I just set up another one yesterday). It's time that we documented this for the rest of the community, to forestall problems like somebody registering .onion as a DNS TLD.

One quibble I have with the document is section 2.1, which says:

1. Users: human users are expected to recognize .onion names as having different security properties, and also being only available through software that is aware of onion addresses.

This certainly documents current usage, where Tor is a special system run separately from the rest of the Internet. However, it appears to deny a hypothetical future where Tor is more integrated.

For example, imagine a world where Chrome simply integrates Tor libraries, and whenever anybody clicks on a .onion link, it automatically activates the Tor software, establishes a circuit, and grabs the indicated page -- all without the user having to be aware of Tor. This could do much to increase the usability of the Continue reading

Pin-pointing China’s attack against GitHub

For the past week, the website "GitHub" has been under attack by China. In this post, I pin-point where the attack is coming from by doing an http-traceroute.

GitHub is a key infrastructure website for the Internet, being the largest host of open-source projects, most famously Linux. (I host my code there). It's also a popular blogging platform.

Among the zillions of projects are https://github.com/greatfire and https://github.com/cn-nytimes. These are mirrors (copies) of the websites http://greatfire.com and http://cn.nytimes.com. GreatFire provides tools for circumventing China's Internet censorship, the NYTimes contains news stories China wants censored.

China blocks the offending websites, but it cannot easily block the GitHub mirrors. Its choices are either to block or allow everything on GitHub. Since GitHub is key infrastructure for open-source, blocking GitHub is not really a viable option.

Therefore, China chose another option, to flood those specific GitHub URLs with traffic in order to pressure GitHub into removing those pages. This is a stupid policy decision, of course, since Americans are quite touchy on the subject and are unlikely to comply with such pressure. It's likely GitHub itself can resolve the issue, as there are a zillion ways to respond. If Continue reading

War on Hackers: a Clear and Present Danger

President Obama has upped his war on hackers by declaring a "state of emergency". This triggers several laws that grant him expanded powers, such as seizing the assets of those suspected of hacking, or taking control of the Internet.

On one hand, this seems reasonable. Hackers from China and Russia are indeed a threat, causing billions in economic damage every year, by stealing money and intellectual property. This declaration specifically targets these issues. Presumably, in the next few weeks, we'll see announcements from the Treasury Department seizing assets from Chinese companies known to have stolen intellectual property via hacking.

But on the other hand, it's problematic. Declarations of emergency tend to be permanent. We already operate under 30 declarations of emergencies dating back to the Korean war. Once government grabs new powers, it tends not to give them back. Also, this really isn't an "emergency", the hacking it addresses goes back a decade. It's obvious corruption of the "emergency" provisions in the law for the President to bypass congress and rule by decree.

Moreover, while tailored specifically to the threats of foreign hackers, it ultimately affects everyone everywhere. It allows the government to bypass due process and seize Continue reading

Message to Errata employees

Dear employees,

Starting next week, Errata Security will be following RSA Conference's lead and instituting a "Morality Dress Code" in order to deal with the problem of loose women on the premises.

Attire of an overly revealing or suggestive nature is not permitted. Examples of such attire may include but are not restricted to:

  • Tops displaying excessive cleavage;
  • Tank tops, halter tops, camisole tops or tube tops;
  • Miniskirts or minidresses;
  • Shorts;
  • Lycra (or other Second-Skin) bodysuits;
  • Objectionable or offensive costumes.
These guidelines are applicable to all staff, regardless of gender, and will be strictly enforced. Therefore, Dave's practice of showing up on casual Fridays in a miniskirt and push-up bra will no longer be tolerated. We have burkas on hand in varying sizes for those who fail to comply.

If you have any questions, please consult the Morality Officer for your department.

Regards,
Robert Graham
CEO, Errata Security

"Shalim" by Zivya - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Shalim.JPG#/media/File:Shalim.JPG

PS: This is satire, of course. We don't support RSA's morality code.
