Archive

Category Archives for "Security"

Prez: Rick Perry selling his mailing list

I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all them). This allows me to track their behavior -- or misbehavior.

Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.

Here's Ted Cruz's email, sent to my Perry account. It's actually identical to one I received on my Cruz account. (I've hidden the To: address, except for the 'rick' part).


The email headers look like:

Received: from mail3.postup.targetedvictory.com (mail3.postup.targetedvictory.com [69.56.54.35])
 by projectp (Postfix) with ESMTP id 1266C26041B
 for ; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)

Rick Perry uses the company "TargetedVictory" for his mass emailings, where Ted Cruz uses another company. This shows that Perry didn't give his address list to Cruz, but instead let Cruz use the address list.

I saved a copy of Perry's privacy policy when I made the donation. It implies that he won't give out my private information to somebody else, but nothing in the Continue reading

Prez: donation numbers

I've given $10 to every candidate to monitor what they do. As I blogged before, just before the quarterly filing deadline, I got emails from all the candidates begging for money, to impress people how much money they've gathered. Well, here are amount each candidate received last quarter:

Hillary29,921,653.91
Bernie26,216,430.38
Carson20,767,266.51
Jeb!13,384,832.06
Cruz12,218,137.71
Walker7,379,170.56
Carly6,791,308.76
Rubio5,724,784.46
Kasisch4,376,787.95
Christie4,208,984.49
Trump3,926,511.65
Rand2,509,251.63
O'Malley1,282,820.92
Huckabee1,241,737.51
Graham1,052,657.62
Lessig1,016,189.22
Webb696,972.18
Jindal579,438.39
Santorum387,985.42
Perry287,199.29
Pataki153,513.89

Of course Hillary and Bernie are at the top, since they are the only two major contenders on the Democrat side, so split the pool between them.

What's interesting is that how Scott Walker exited the race, and Jeb! scaled back his spending, because their donations dropped precipitously. Even though they got huge donations last quarter, they spent the money as fast as they could. Presidential campaigns are like venture capital that way: you spend money aggressively in order to make more money. If you are right, this Continue reading

Yes, the CNBC moderation was biased

In anger over CNBC's left-wing bias, the Republican party has suspended them from moderating future debates. Is there something to this?

Yes and no. CNBC, like most of the media, has a strong left-wing bias. On the other hand, the Republicans are quick to label legitimate criticism as examples of bias.


There is an easy way to detect improper bias. The principle of journalism is that there are two reasonable sides to any debate. One side may be wrong, of course, but both sides are reasonable. Partisan bias, however, involves arguing that one side in the debate is unreasonable. When the press calls somebody a "comic book clown", then it's bias. Merely saying they are "wrong" is not bias.

That's what happened many times during the CNBC moderated debate of Republican candidates, most egregiously when they called Trump a "comic book" version of a candidate. We all know that Trump is a demagogue, that he appeals to the ignorant masses more than intelligent people. But when you drill down on Trumps ideas, what you'll find is that he's usually merely wrong rather than irrational. For example, a couple months ago, Trump was attacked in the press for saying "the constitution Continue reading

The Threat of Telecom Sabotage

one_ping


one_ping

Earlier this week, an article in New York Times captured the world’s imagination with the prospect of secret Russian submarines possessing the ability to sabotage undersea communication cables (with perhaps Marko Ramius at the helm, pictured above).  While it is a bit of a Hollywood scenario, it is still an interesting one to consider, although, as we’ll see, perhaps an unrealistic one, despite the temptation to exaggerate the risk.

Submarine cable cuts occur with regularity and the cable repair industry has considerable experience dealing with these incidents.  However, the vast majority of these failures are the result of accidents occurring in relatively shallow water, and not due to a deliberate actor intending to maximize downtime.  There is enormous capacity and resiliency among the cables crossing the Atlantic (the subject of the New York Times article), so to even make a dent, a saboteur would need to take out numerous cables in short order.

A mass telecom sabotage event involving the severing of many submarine cables (perhaps at multiple hard-to-reach deep-water locations to complicate repairs) would be profoundly disruptive to international communications — Internet or otherwise.  For countries like the U.S. with extensive local hosting, the impact Continue reading

OMG, the machines are breeding! Mankind is doomed! DOOMED!!!

My Tesla has the same MAC address vendor code as an AR Drone. These are two otherwise unrelated companies, yet they share the same DNA. Flying drones are mating with land-based autonomous vehicles. We are merely months away from Skynet gaining self-awareness and wiping out mankind.

You can see this in the screenshot below, were we see the output of a hacking program that monitors the raw WiFi traffic. The AR Drone acts as an access-point so that your iPhone can connect to it in order to fly the drone's controls. The Tesla, on the other hand, is looking for an access-point named "Tesla Service", so that when you drive it in for service, it'll automatically connect to their office and exchange data. As you can see, both devices have the same vendor code of "90:03:B7" for Parrot SA.


Here is a picture of the AR Drone cavorting with the car. The top arrow points to the drone, the bottom arrow points to the car.


So why the relationship? Why does the Tesla look like a drone on WiFi?

The company Parrot SA started out creating kits for cars that contain WiFi, Bluetooth, and voice control. Since they were already Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 2

In Part 1, I covered traditional segmentation options. Here, I introduce VMware NSX Distributed Firewall for micro-segmentation, showing step-by-step how it can be deployed in an existing vSphere environment.

Now, I have always wanted a distributed firewall. Never understood why I had to allow any more access to my servers than was absolutely necessary. Why have we accepted just network segmentation for so long? I want to narrow down allowed ports and protocols as close to the source/destination as I can.

Which brings me to my new favorite tool – VMware NSX Distributed Firewall. Continue reading

Dumb, dumber, and cybersecurity

The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.

An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addressed none of these threats.


But it gets better.

At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:


Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.

There have been several court cases where IT administrators have been fired, where the companies later found that the fired employee is the only one with passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.

If your boss demands your password to your corporate accounts, of course you must give them your password.


But it Continue reading

Ethics of killing Hitler

The NYTimes asks us: if we could go back in time and kill Hitler as a baby, would we do it? There's actually several questions here: emotional, moral, and ethical. Consider a rephrasing of the question to focus on the emotional question: could you kill a baby, even if you knew it would grow up and become Hitler?


But it's the ethical question that comes up the most often, and it has real-world use. It's pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA's mass surveillance of Americans?

I point this out because my ethical response is "yes, and go to jail". The added "and go to jail" makes it a rare response -- lots of people are willing to kill Hitler if they don't suffer any repercussions.

For me, the hypothetical question is "If you went back in time and killed Hitler, would you go to jail for murder?". My answer is "yes". I'd still do my best to lessen the punishment. I'd hire the best lawyer to defend me. It's just that I would put judgement of my crime or heroism in the hands of others. I would pay Continue reading

Getting Started with VMware NSX Distributed Firewall – Part 1

Who saw it coming that segmentation would be a popular term in 2015?!? Gartner analyst Greg Young was almost apologetic when he kicked off the Network Segmentation Best Practices session at the last Gartner Security Summit.

As a professional with a long history in the enterprise firewall space, I know I found it odd at first. Segmentation is such a basic concept, dovetailing with how we secure networks – historically on network boundaries. Network segmentation is the basis for how we write traditional firewall rules – somehow get the traffic TO the firewall, and policy can be executed. How much more can we say about network segmentation?

But there is a problem with the reach of segmentation based on network. If traffic does not cross the firewall, you are blind. All hosts in the same network, commonly the same VLAN, can abuse each other at will. Perhaps netflow or IPS sensors are throughout your network – just to catch some of this internal network free-for-all. And the DMZ? I like to think of all these networks as blast-areas, where any one compromise could potentially take everything else on the same network down.

It’s not really network segmentation that’s all the Continue reading

Car hacking is as fake as the moonlanding

How can the flag stay up? There's
no wind on the moon!! #fake
David Pogue at the Scientific American has an article claiming that hacking cars is "nearly impossible" and "hypothetical", using the same sorts of arguments crazies use trying to prove the moon landing was faked.

Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars are proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.

Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.

The Continue reading

Biden vs Risk Analysis

What we try to do in cybersecurity is "risk analysis". Most people get this wrong.

An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.

The phrase "can't beat Hillary" makes no sense. It imagines a world were risk is binary, you either can or you can't. That's not how it work. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.

Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this are on the many betting websites, which have variously given Biden a 5% to 10% of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.

In other words, would you pay $10 for a 5% Continue reading

Ever Heard of Role-Based Access Control?

During my recent SDN workshops I encountered several networking engineers who use Nexus 1000V in their data center environment, and some of them claimed their organization decided to do so to ensure the separation of responsibilities between networking and virtualization teams.

There are many good reasons one would use Nexus 1000V, but the one above is definitely not one of them.

Read more ...

DEF CON drink-off — for science!

The DEF CON hacking conference is a mixture of techies and drinkers. I propose we exploit this for science. Specifically, we should take a look at vodka. Vodka is just ethanol and water with all taste removed by distillation and filtering. We can answer two important questions.

  1. Poorly made, cheap vodka lets too much of the (bad) flavor through. Can this be improved by running it through a filter? (Such as a cheap Brita water filter).
  2. Well-made vodka should be indistinguishable from each other. Can people really taste the difference? Or are they influenced by brands?

We need to science the shit out of these questions with a double-blind taste test. DEF CON is a perfect venue for getting a statistically relevant number of samples. We should setup a table in a high-traffic area. We'll ask passersby to taste a flight of several vodkas and to rate them.

I suggest the following as the set of vodkas to test.

1. Smirnoff, by far the market leading vodka in America, a "mid-shelf" vodka at $22 for a 1.75 liter bottle.
2. Grey Goose, the third most popular vodka in America, a "top-shelf" vodka for $58 a 1.75 liter bottle.
Continue reading

DH-1024 in Bitcoin terms

The recent paper on Diffie-Hellman "precomputation" estimates a cost of 45-million core-years. Of course, the NSA wouldn't buy so many computers to do the work, but would instead build ASICs to do the work. The most natural analogy is how Bitcoin works. Bitcoin hashes were originally computed on CPU cores, then moved to graphics co-processors, then FPGAs, then finally ASICs.

The current hashrate of Bitcoin 460,451,594,000 megahashes/second. An Intel x86 core computes about 3-megahashes/second, or 153,483,864,667 CPU cores. Divided this by 45-million core-years for precomputing 1024bit DH, and you get 3410 DH precomputations per year. Thus, we get the following result:
The ASIC power in the current Bitcoin network could do all the necessary precomputations for a Diffie-Hellman 1024 bit pair with 154 minutes worth of work. Or, the precomputation effort is roughly equal to 15 bitcoin blocks, at the current rate.
(Update: I did some math wrong, it's 154 minutes not 23 minutes)

Another way of comparing is by using the website "keylength.com", which places the equivalent effort of cracking 1024 DH with 72 to 80 bits of symmetric crypto. At the current Bitcoin rate, 72 bits of crypto comes out to 15 bitcoin blocks, Continue reading
1 159 160 161 162 163 181