Archive

Category Archives for "Security"

Technology Short Take #64

Welcome to Technology Short Take #64. Normally, I try to publish Short Takes on Friday, but this past Friday was April Fools’ Day. Given the propensity for “real” information to get lost among all the pranks, I decided to push this article back to today. Unlike most of what is published around April Fools’ Day, hopefully everything here is helpful, informative, and useful!

Networking

Some notes on Ubuntu Bash on Windows 10

So the latest news is that you can run Ubuntu and bash on Windows 10. In other words, from the bash command-line, you execute apt-get to get/run any Ubuntu binary -- the same binary that runs on Linux. How do it work?

I don't know yet, but browsing around on the Internet suggests that it's a kernel driver in Windows that emulates Linux system calls.

Remember, the operating system is two parts: the kernel and user-space. The interaction between them is ~300 system-calls. Most of these are pretty straight-forward, such as opening a file, reading from the file, and closing the file.

To make a system call, you put the integer number in eax/rax register, fill in the other registers as needed, then calling the SYSENTER instruction.

Each process maintains a table of what the system calls do. In fact, a hacker/debugging/reversing technique is to edit that table in order to hook system calls, do some hackery things, then call the original system call.

That means Microsoft can write a driver, that runs in the kernel, that replaces the system calls for a process, from Windows ones to Linux ones. This driver then needs to emulate the Linux functionality. Continue reading

tl;dr of LambdaConf drama

Short: SJWs dont like person's politics, try to shutdown small programming con due to person being speaker. (from @jcase).

LongerLambdaConf (a tiny conference for LISP-like programming languages) accepted a speaker with objectionable political views, who under a pseudonym spouted Nazi-like propaganda. "Social justice" activists complained. The conference refused to un-invite the speaker, since his talk content was purely technical, not political. Also, because free-speech. Activists then leaned on sponsors, many of whom withdrew their support of the conference. Free-speech activists took up a collection, and replaced the lost money, so that the conference could continue.

Much longer:

LambaConf is just a tiny conference put on by a small number of people. It exists because, in the last few years, there has been a resurgent interest in "functional languages".

The speaker in question is Curtis Yarvin. He has weird views, like wanting to establish a monarchy. Last year, he was censored from a similar conference "Strangeloop" for a similar reason: a technical, non-political talk censored because people couldn't tolerate his politics. The current talk seems to be similar to last one, about his "Urbit" project.

LambdaConf, in the spirit of diversity, stripped the authors names when Continue reading

Automating Security Group and Policy Creation with NSX REST API

As we’ve seen in many of the prior posts, VMware NSX is a powerful platform decoupling networking services from physical infrastructure. NSX effectively enables logical networking and security within a virtualized environment; this brings many of the same benefits we’re familiar with gaining from server virtualization such as flexibility, faster provisioning, better utilization of hardware, cost savings, decreased downtime, etc. One of the major benefits of the software approach that NSX brings is the ability to automate easily via REST API. In this post, we’ll take a look at a simple yet realistic use case focused around security where automation can help.  Continue reading

Docker Machine, OpenStack, and SSH Keys

I wanted to provide readers a quick “heads up” about some unexpected behavior regarding Docker Machine and OpenStack. It’s not a huge deal, but it could catch someone off-guard if they aren’t aware of what’s happening.

This post builds on the earlier post I published on using Docker Machine with OpenStack; specifically, the section about using Docker Machine’s native OpenStack driver to provision instances on an OpenStack cloud. As a quick recap, recall that you can provision instances on an OpenStack cloud (and have Docker Engine installed and configured on those instances) with a command like this:

docker-machine create -d openstack 
--openstack-flavor-id 3 
--openstack-image-name "Ubuntu 14.04.3 LTS x64" 
--openstack-net-name lab-net-5 
--openstack-floatingip-pool ext-net-5 
--openstack-sec-groups docker,basic-services
instance-name

(Note that I didn’t include all of the optional parameters; refer to either my earlier blog post or the Docker Machine OpenStack driver reference for more details).

One of the optional parameters for Docker Machine’s OpenStack driver is the --openstack-keypair-name parameter, which allows you to specify the name of an existing keypair to use with instances created by Docker Machine. If you omit this parameter, as I have above, then Docker Machine will auto-generate a new SSH Continue reading

Sometimes techy details matter

How terrorists use encryption is going to become central to the Cryptowars 2.0 debate. Both sides are going to cite the case of Reda Hame described in this NYTimes article. On one hand, it shows that terrorists do indeed use encryption. On the other hand, the terrorists used TrueCrypt, which can't be stopped, no matter how many "backdoor" laws the police-state tries to pass.

The problem with the NYTimes article is that the technical details are garbled. (Update: at the bottom, I correct them). Normally, that's not a problem, because we experts can fill in the details using basic assumptions. But the technique ISIS used is bizarre, using TrueCrypt containers uploaded to a file-sharing site. This is a horrible way to pass messages -- assumptions we make trying to fill in the blanks are likely flawed.

Moreover, there is good reason to distrust the NYTimes article. Small details conflict with a similar article in the French newspaper Le Monde from January 6. Both articles are based on the same confession by Reda Hame from last August.

For example, in discussing a training accident with a grenade, the NYTimes article says "Mr. Hame did not throw it far Continue reading

How to detect TrueCrypt blobs being passed around

So, challenge accepted:

tl;dr: The NSA should be able to go back through it's rolling 90 day backlog of Internet metadata and find all other terrorist cells using this method.

From what we can piece together from the NYTimes article, it appears that ISIS is passing around TrueCrypt container files as a way of messaging. This is really weird. It has the has the property of security through obscurity, which is that it has the nice property of evading detection for a while because we'd never consider that ISIS would do such a strange thing. But it has the bad property that once discovered, it now becomes easier to track. With the keys found on the USB drive, we can now start decrypting things that were a mystery before.

We are going off of very little information at the moment, but let's imagine some fictional things.

First, we need to figure out what is meant by a file or hosting site in Turkey. Such hosting sites are all over the place, as you can find with a Continue reading

Some other comments on the ISIS dead-drop system

So, by the time I finished this, this New York Times article has more details. Apparently, it really is just TrueCrypt. What's still missing is how the messages are created. Presumably, it's just notepad. It's also missing the protocol used. It is HTTP/FTP file upload? Or do they log on via SMB? Or is it a service like DropBox?

Anyway, I think my way is better for sending messages that I describe below:


Old post:

CNN is reporting on how the Euro-ISIS terrorists are using encryption. The details are garbled, because neither the terrorists, the police, or the reporters understand what's going on. @thegrugq tries to untangle this nonsense in his post, but I have a different theory. It's pure guesswork, trying to create something that is plausibly useful that somehow fits the garbled story.

I assume what's really going is this.

The terrorist is given a USB drive with the TrueCrypt software and an encrypted partition/file. The first thing the terrorist does is put the USB drive into a computer, run the TrueCrypt program, then mount the file/partition, entering a password. In other words, all you see on the USB drive is the directory "TrueCrypt", and a large Continue reading

Comments on the FBI success in hacking Farook’s iPhone

Left-wing groups like the ACLU and the EFF have put out "official" responses to the news the FBI cracked Farook's phone without help from the Apple. I thought I'd give a response from a libertarian/technologist angle.

First, thank you FBI for diligently trying to protect us from terrorism. No matter how much I oppose you on the "crypto backdoors" policy question, and the constitutional questions brought up in this court case, I still expect you to keep trying to protect us.

Likewise, thank you FBI for continuing to be open to alternative means to crack the phone. I suppose you could've wrangled things to ignore people coming forward with new information, in order to pursue the precedent, in the longer term policy battle. I disagree with the many people in my Twitter timeline who believe this was some sort of FBI plot -- I believe it's probably just what the FBI says it is: they first had no other solution, then they did.

Though, I do wonder if the FBI's lawyers told them they would likely lose the appeal, thus setting a bad precedent, thus incentivizing the FBI to start looking for an alternative to get out of the case. Continue reading

Prophylactic Network Security

Trojan Defender

This week’s comedy gold was listening to a conversation emanating from a nearby inhabitant of our corporate cube accomodations, where one of my colleagues, Bob, was explaining to another coworker, George, the reasoning behind the decision to deploy firewalls to a particular new location.

Roughly summarized, the argument was this:

George, deploying a firewall is like having sex.

(No; I confess I had not anticipated ever typing that particular sentence, and I hope I never have to type it again.)

When you want to have sex, you decide whether you want a baby, and thus you choose whether or not to use contraception. If you don’t use contraception, while there’s no guarantee that a baby will arrive, there’s a real good chance that it will, so don’t be surprised if it does. Contraception isn’t perfect, but it at least reduces the likelihood of having a baby.

I confess I was laughing hard as I listened to the explanation because it’s an inspired analogy. However, buried somewhere in my subconscious was an Australian voice saying something like All these security products are a waste of money. It’s cheaper to save the money you would have spent, deal with a breach Continue reading

How the media really created Trump

This NYTimes op-ed claims to diagnose the press's failings with regard to Trump, but in its first sentence demonstrates how little press understands the problem. The problem isn't with Trump, but with the press.

The reason for Trump is that the press has discarded its principle of "objectivity". Reasonable people disagree. The failing of the press is that they misrepresent one side, the Republicans, as being unreasonable. You see that in the op-ed above, where the very first sentence decries the "Republican Party’s toxic manipulation of racial resentments". In fact, both parties are equally reasonable, or unreasonable as the case may be, with regards to race.

The article suggests the press should have done more to debunk Trump in the"form of fact checks and robust examination of policy proposals". But the press doesn't do that for Democrats, so why should a Republican candidate they don't like get singled out? No amount of attacking Trump sticks because the press is blatantly unfair.

Hillary clearly is complicit in the "Benghazi" affair, because she led the charge to inject weapons into Libya to take down Ghadaffi, then ignored Chris Steven's efforts to clean up the mess. Hillary's use of her own Continue reading

I’m skeptical of NAND mirroring

Many have proposed "NAND mirroring" as the solution to the FBI's troubles in recovering data from the San Bernadino shooter's iPhone. Experts don't see any problem with this approach, but that doesn't mean experts know it will work, either. There are problems.

The problem is that iPhone's erase the flash after 10 guesses. The solution is to therefore create a backup, or "mirror", of the flash chips. When they get erased, just restore from backup, and try again.

The flaw with this approach is that it's time consuming. After every 10 failed attempts, the chips need to be removed the phone, reflashed, and reinserted back into the phone. Then the phone needs to be rebooted.

For a 4-digit passcode, this process will need to be repeated a thousand times.This is doable in a couples of days. For a 6-digit passcode that is standard on iOS 9, this needs to be repeated 100,000 times, which will take many months of nonstop effort 24-hours a day. Presumably, you can make this more efficient by pipelining the process, using multiple sets of flash chips, so that a new fresh set can be swapped in within a few seconds, but it still takes Continue reading

Rethinking BGP path validation (part 2)

This is the second post in the two part series on BGP path validation over on the LinkedIn Engineering blog.

We left off last time after having described the eight operational requirements that must be met for any system that reduces our reliance on transitive trust in relation to the AS Path. As a reminder, AS, or Autonomous Systems, is a set of routers which all follow a standard set of policies. A typical AS is run by a single organization, such as a company or an ISP. Now, let’s see how this kind of system might work in practice.

LinkedInTwitterGoogle+FacebookPinterest

The post Rethinking BGP path validation (part 2) appeared first on 'net work.

Should We Stop Encryption? Can We?

It’s not like they’re asking for a back door for every device.
If the world goes dark through encryption, we’ll be back to the wild west!
After all, if it were your daughter who had been killed in a terrorist attack, you’d want the government to get to that information, too.

While sitting on a panel this last week, I heard all three reactions to the Apple versus FBI case. But none of these reactions ring true to me. security-net

Let’s take the first one: no, they’re not asking for a back door for every device. Under the time tested balance between privacy and government power, the specific point is that people have a reasonable expectation of privacy until they come under suspicion of wrongdoing. However, it’s very difficult to trust that, in the current environment, that such power, once granted, won’t be broadened to every case, all the time. The division between privacy and justice before the law was supposed to be at the point of suspicion. That wall, however, has already been breached, so the argument now moves to “what information should the government be able to trawl through in order to find crimes?” They are asking for Continue reading

1 147 148 149 150 151 178