
Category Archives for "Security"

I gave $10 to every presidential candidate

What happens when your candidate drops out of the 2016 presidential race? What do they do with the roughly million names of donors they've collected?

I've decided that somebody needs to answer this question, so I've donated $10 to each of the roughly 25 current presidential candidates (yes, even the hateful ones like Trump and Lessig). By donating money, I've put myself on the list of suckers who they can tap again for more donations. After the election next year, we'll be able to figure out how each candidate has used (or misused) the email addresses I gave them.

For most candidates, the first two pieces of information they ask of you are #1 your email address and #2 your zip code. They need the zip code so that when there is a local rally in your area, they can contact you to get you to turn out. But as a side effect, it means being able to extract favors from local politicians.

Therefore, to do this right, I'd have to make a donation from every congressional/senate district in the country. I suspect one use of this information is when one Representative goes to another and says "If you Continue reading

Zerodium’s million dollar iOS9 bounty

Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red herring.

It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.

The bigger money is in the intelligence market for 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).

Every time Apple comes out with a new version (like iOS9), they Continue reading

Some notes on NSA’s 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.


Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, Continue reading

There are two sides to every story

In today's "clock" controversy, the clock didn't look like these:


Instead, this is the picture of the device (from the police department):



It's in a "pencil case", not a briefcase. You can compare the size to the plug on the right.

They didn't think it was a bomb, but a "hoax bomb". If they thought it might be a real bomb, they would've evacuated the school. Texas has specific laws making it illegal to create a hoax bomb -- it is for breaking this "hoax bomb" law that the kid was arrested.

This changes the tenor of the discussion. It wasn't that they were so stupid that they thought it was a bomb, it was that they were so fascist that they believed it was intentionally a hoax.

They questioned him, and arrested him because his answers were "passive aggressive". This is wrong on so many levels it's hard to know where to begin. Of course, if the kid's innocent his answers are going to be passive aggressive, because it's just a clock!!!

It was the English teacher who turned him in. Probably for using a preposition at the end of a sentence. The engineering teacher thought it was a good project.

It's actually Continue reading

Maybe with less hate

I wanted to point out the President's rather great tweet in response to Ahmed Mohamed's totally-not-a-bomb:


The reason this tweet is great is that it points out the great stupidity of the teachers/police, but by bringing Ahmed up rather than bringing them down. It brings all America up. Though the school/police did something wrong, the President isn't attacking them with hate.

The teachers/police were almost certainly racist, of course, but they don't see themselves that way. Attacking them with hate is therefore unlikely to fix anything. It's not going to change their behavior, because they think they did nothing wrong -- they'll just get more defensive. It's not going to change the behavior of others, because everyone (often wrongly) believes they are part of the solution and not part of the problem.

Issues like Ahmed's deserve attention, but remember that reasonable people will disagree. Some believe the bigger issue is the racism. Others believe that the bigger issue is the post 9/11 culture of ignorance and suspicion, where Continue reading

How to hack my Tesla

This post is just for my own notes. I'm buying a new car (arrives in October) and I need to gather up notes on how to hack it.

To start with is the generic car hacking information. One good source I found is the Car Hacker's Handbook, which has a good explanation of the basics.

Another good start is the various papers produced by Charlie Miller and Chris Valasek, such as their early work and their latest Jeep hack. [1] [2]

Specifically to my car, a Tesla, there is this site that documents all the undocumented bits about the car, such as listing the 56 CPUs found in the car.

Specifically, there is the work by Kevin Mahaffey and Marc Rogers covering their Tesla hacking. I hate them, because they've already done some of the obvious things I would've tried first, such as popping up an X Window on the display.

Anyway, this post is for my own benefit, so when I lose my notes, I can find them again by googling. Maybe other people in a similar situation might find it a bit useful, too.

Leverage Micro-Segmentation to Build a Zero Trust Network

Applications are a vital component of your business…but are your applications and data safe?  Have you considered implementing a Zero Trust model at your organization to protect your vital resources?  Join this hour-long webcast on Tuesday, September 29, 2015 at 11:00 AM PST / 2:00 PM EST to find out how to leverage micro-segmentation to build a true Zero Trust data center network.

Join our guest speaker, John Kindervag, VP and Principal Analyst at Forrester Research, as he discusses the results of the August 2015 commissioned research study, “Leverage Micro-segmentation To Build A Zero Trust Network”, conducted on behalf of VMware. Kindervag will cover Forrester’s three key findings from the study:

  • Security gaps and disconnects are the unfortunate norm across Enterprises today.
  • Network virtualization helps to reduce risk and supports a higher-level security strategy.
  • Micro-segmentation provided through network virtualization paves the way for implementing a Zero Trust model.

Protecting your data doesn’t have to be difficult! Reserve your spot for this webcast today.

Micro-Segmentation and Security at Tribune Media

And to learn more about how other leading organizations are using micro-segmentation to build a Zero Trust Model, watch the video below from David Giambruno, CIO of Continue reading

Information wants to be protected: Security as a mindset

I was teaching a class last week and mentioned something about privacy to the students. One of them shot back, “you’re paranoid.” And again, at a meeting with some folks about missionaries, and how best to protect them when trouble comes to their door, I was again declared paranoid. In fact, I’ve been told I’m paranoid after presentations by complete strangers who were sitting in the audience.

Okay, so I’m paranoid. I admit it.

But what is there to be paranoid about? We’ve supposedly gotten to the point where no-one cares about privacy, where encryption is pointless because everyone can see everything anyway, and all the rest. Everyone except me, that is—I’ve not “gotten over it,” nor do I think I ever will. In fact, I don’t think any engineer should “get over it,” in terms of privacy and security. Even if you think it’s not a big deal in your own life, engineers should learn to treat other people’s information with the utmost care.

In moving from the person to the digital representation of the person, we often forget it’s someone’s life we’re actually playing with. I think it’s time for engineers to take security—and privacy—personally. It’s time Continue reading

What’s that drama?

The infosec community is known for its drama on places like Twitter. People missing the pieces can't figure out what happened. So I thought I'd write up the latest drama.

It starts with "Wesley McGrew" (@McGrewSecurity), an assistant professor at Mississippi State. He's been a frequent source of infosec drama for years now. Since I, myself, don't shy away from drama, I can't say that he's necessarily at fault, I'm just pointing out that he's been involved in several Big Infosec Drama Blowups.

Then there is "Adrian Crenshaw" (@irongeeek_adc) (aka. "Irongeek") who maintains a website http://irongeek.com, which hosts a lot of infosec videos. He'll work with conferences to make sure talks get recorded and uploaded to his site. A lot of smaller cons host their video there. If you frequently watch infosec videos, then you know the site.


I think this specific drama started back in April, when Irongeek made this April Fool's joke:
https://twitter.com/McGrewSecurity/status/583250910387789824

Many, most especially McGrew, criticized Irongeek for this, claiming it was an "unfunny slap to women in security".

I don't know when it happened, but Irongeek punished McGrew by blocking students from McGrew's university, Mississippi State. This was noticed last week.

https://twitter. Continue reading