0

Um, talks are frequently canceled at hacker cons

Talks are frequently canceled at hacker conventions. It's the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

0

More fun with #TSA

That's Julian in the center waving at me to stop taking pictures. That's Michael faced away on his right

Coming back through JFK, my bag was stopped in the x-ray. The examiner shouted "bag checked", and sat and waited. And waited. Nobody came. Finally, he shunted it aside to the special bag check area. Where it sat, and sat.

There was as TSA agent standing around doing nothing, except flirting with a cute passenger standing right next to me bag. Finally, I pointed out that my bag needed to be checked, at which point he talked to the x-ray examiner, pulled it out, and checked it (I had a spray can of foot powder I bought because omg I wore my workout shoes that stink to the convention).

So, of course, I asked to see his badge, which was turned away from me, and to talk to his manager. He refused to even tell me his name, but he did get the supervisor, who confirmed his name was "Michael Vails". The manager was quite rude, looking at me in disbelief as I pointed out the guy was standing around flirting with girls instead of checking my bag. He wouldn't let Continue reading

0

Omg Hotel Pennsylvania sucks

Customer service is a tradeoff you get with price, thus I'm not terribly offended by things such as that recent terrible Comcast support call. If you don't want shitty service/product, then pay more. Often simply paying 10% more yields something vastly better.

The only problem is finding those "deals".

I'm at the HopeX conference, so to make life easier, I decided to stay at the venue, the Hotel Pennsylvania. Since it's a late booking, the price was $199 a night for an "upgraded" room. The room was horrible. It was tiny, the walls in the bathroom were crumbling as the damp seeped into the concrete, the furniture was scraped and dented, and the room's one tiny window looked out onto other rooms only 20 feet away. I could bear all that -- but the "non-smoking" room stank of smoke to the point that I couldn't fall asleep. So at 1:30am I gave up and checked out.

I went two (short) blocks down to the Hotel Affinia, which cases $224 for a room that's twice the size and "upscale": everything is nice new and pretty, and this non-smoking room doesn't smell a bit like smoke. It doesn't even smell like the Continue reading

0

EFF lies about NetNeutrality

The EFF has completely and thoroughly repudiated JP Barlow's "Declaration of Independence of Cyberspace", such as in this tweet:

TAKE ACTION: Congress is trying sneak through a dangerous amendment that will kill Net Neutrality. Call right now: https://t.co/lmObQjG49N
— EFF (@EFF) July 15, 2014

This tweet is lie. Congress can't "kill Net Neutrality" because Net Neutrality doesn't currently exist. Net Neutrality proponents don't want to maintain the status quo, but radically change the Internet, converting it from the private network it is now into a public utility, regulated by the government.

What the left-wing populists tell you about Net Neutrality is a lie. Corporations aren't doing the evil things they claim. There is no technical idea behind it like "end-to-end". Net Neutrality is just the political belief that corporations are inherently evil and that the government must run the Internet.

Internet "fast lanes" are not a bad thing. They already exist, and the Internet can't function without them. Sniff your home traffic and then traceroute every IP address your system communicates with. You'll find that 90% of you home traffic goes to a server in your local city. That's because most websites use a fast lane to the Continue reading

0

JTRIG weekend projects

The Intercept has released a page of JTRIG tools and techniques. I thought I'd comment on them.

Largely, this is a long list of small projects. Few of these projects require more than a couple lines of code, or would take an average hacker more than a weekend to accomplish.

For example, there is CHANGELING, which says "Ability to spoof any email address and send email under that identity". That's the sort of thing you'd ask as an interview question for a cybersec company. You'd expect the candidate to produce this in 20 minutes.

Some sound like big projects, but they are in fact just leveraging existing large open-source projects. A tiny amount of scripting on top of a project like OpenBTS would deliver big, scary results, such as fuzzing GSM.

I point this out because people have the misapprehension that the intelligence services have advanced "cyber-weapons". That's not true. Instead, what's going on is like Rambo stuck in a jungle with only a knife, who can fashion anything into a weapon, from twigs to rocks. That's what you see going on here: given the existing base of open-source (and closed-source) code, cyber-warriors fashion new tools with a little bit Continue reading

0

Upcoming speaking schedule

0

NSA: walk a mile in their shoes

While this is mostly a technical blog, our most popular posts deal with cyber-rights, supporting Snowden, Weev, and Swartz. Yet sometimes I appear to defend the NSA. People ask me why, so I thought I’d write up a response.

Most American schools force students to read the book To Kill a Mockingbird. It’s a great book for many reasons. Most people think it’s about racism, but it’s not – it’s about bigotry. Racism is just one of the forms of bigotry found in the book. The full message, repeated several times, is that we should get along with others by trying to understand their point of view.

Our society is improving with regards to racism, but other forms of bigotry are alive and well. Webster’s defines bigotry as: “obstinate and unreasoning attachment of one's own belief and opinions, with narrow-minded intolerance of beliefs opposed to them”. Our society praises such bigotry. Tolerance and understanding of other opinions is condemned.

People like Glenn Greenwald, Jacob Appelbaum, and others in the ‘activist’ movement are extreme bigots. There is good reason to oppose the NSA and its leaders who have egregiously mislead the public. Yet, this is still not justification for Continue reading

0

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examine what I think are some of the powerful security capabilities of the VMware NSX platform and the implications to the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).

Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.

What are we trying to accomplish?

We want to be able to secure all traffic in the data center without compromise to performance (user experience) or introducing unmanageable complexity. Most notably the proliferation of East-West traffic; we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.

Trust Zones of Insecurity

Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the Continue reading

0

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examine what I think are some of the powerful security capabilities of the VMware NSX platform and the implications to the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).

Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.

What are we trying to accomplish?

We want to be able to secure all traffic in the data center without compromise to performance (user experience) or introducing unmanageable complexity. Most notably the proliferation of East-West traffic; we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.

Trust Zones of Insecurity

Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the Continue reading

0

An introduction to Zero Trust virtualization-centric security

This post will be the first in a series that examine what I think are some of the powerful security capabilities of the VMware NSX platform and the implications to the data center network architecture. In this post we’ll look at the concepts of Zero Trust (as opposed to Trust Zones), and virtualization-centric grouping (as opposed to network-centric grouping).

Note: Zero Trust as a guiding principle to enterprise wide security is inspired by Forrester’s “Zero Trust Network Architecture”.

What are we trying to accomplish?

We want to be able to secure all traffic in the data center without compromise to performance (user experience) or introducing unmanageable complexity. Most notably the proliferation of East-West traffic; we want to secure traffic between any two VMs, or between any VM and physical host, with the best possible security controls and visibility – per flow, per packet, stateful inspection with policy actions, and detailed logging – in a way that’s both economical to obtain and practical to deploy.

Trust Zones of Insecurity

Until now, it hasn’t been possible (much less economically feasible or even practical) to directly connect every virtual machine to its own port on a firewall. Because of this, the Continue reading

0

“Fun” with RFC4620 Section 6.4 and discovering IPv4 information over IPv6

As part of a request at work to figure out IPv4 addresses of devices on a network where broadcast pings don’t work, and no administrative access to the switches/routers, I took a look at solving this with IPv6. We know that you can ping6 the all-nodes multicast address, and get DUP! replies from IPv6 enabled hosts on that LAN segment. These will typically be link-local addresses, from which you can determine a MAC address. How to resolve that MAC address on a client host and not the router/switch, I was thinking reverse ARP or something, but support for that wasn’t present in my Ubuntu 13.10 kernel on the main machine I was working with. I started looking around for other options using IPv6 and found RFC4620, Section 6.4.

The gist of it is that you send an ICMPv6 Type 139 packet to an IPv6 address, asking if it has any IPv4 addresses configured either on that interface the target address is on, or any interfaces on the machine itself. And this is why this is disabled by default on hosts, and *IF* you insist on filtering ICMP6 Types, definitely make certain this is one of them. It works Continue reading

0

Healthy Paranoia Show 15: The Dudes of REN-ISAC

It’s the latest dudilicious episode of Healthy Paranoia! This time we’ll be covering the topic of information sharing and analysis centers (ISAC), specifically in the research and educational networking sector, aka REN-ISAC. Joining Mrs. Y on this adventure into the land of dudeness is Wes Young, REN-ISAC Principal Security Engineer and Architect (El Duderino), Keith […]

Author information

The post Healthy Paranoia Show 15: The Dudes of REN-ISAC appeared first on Packet Pushers Podcast and was written by Mrs. Y.

0

Network Security and the N00b Meter

This morning I read an article in which the writer thought that wireless security was too inconvenient and difficult, so he simply disabled it, leaving his network wide open. He was tired of his complex password being too hard for guests to use and made the comparison that they didn’t have to use these kinds […]

Author information

The post Network Security and the N00b Meter appeared first on Packet Pushers Podcast and was written by Mrs. Y.

0

Snowden Media Douchebaggery

Recently the New York Times posted an article stating that while Edward Snowden was at the NSA, he learned to be a hacker by taking a CEH course and getting the certification. But the certification, listed on a résumé that Mr. Snowden later prepared, would also have given him some of the skills he needed […]

Author information

The post Snowden Media Douchebaggery appeared first on Packet Pushers Podcast and was written by Mrs. Y.

0

Cisco ASA Virtualization with Mixed-Mode Security Contexts

The Cisco ASA firewall has supported multiple security contexts since version 7 was released in 2005. This feature allows you to configure multiple independent logical firewalls in the same ASA hardware.  When version 8.5(1) released in July 2011, support was added for mixed mode firewalls in which both routed and transparent contexts can reside on […]

Author information

The post Cisco ASA Virtualization with Mixed-Mode Security Contexts appeared first on Packet Pushers Podcast and was written by Eyvonne Sharp.

0

Healthy Paranoia Show 14: Digital Forensics and Incident Response with Andrew Case

Get ready for another nerdilicious episode of Healthy Paranoia featuring Andrew Case, digital forensics researcher and a core developer for the Volatility Framework. Liam Randall joins Mrs. Y. as they discuss topics such as: The difference between forensics and incident response. Malware analysis vs. reverse engineering. Why you should treat a compromised system like a […]

Author information

The post Healthy Paranoia Show 14: Digital Forensics and Incident Response with Andrew Case appeared first on Packet Pushers Podcast and was written by Mrs. Y.

0

Are Forensics Tools the New IDS?

For the past few years, many people have been suggesting that the days of IDS (intrusion detection system) are numbered. When IDS was first launched, it was seen as an answer to a lot of network security problems: deep packet inspection with constant monitoring and alerts. However, one of the biggest problems with IDS is […]

Author information

0

Centec V330: My Kind of OpenFlow Switch

This is my third and probably last installment of an ongoing story about our quest for OpenFlow 1.0 capable switches with a specific requirement - the capability to modify L3 destination addresses. The background of why Sakura Internet needs such switches for the purpose of DDoS attack mitigation is explained in my first article, along with […]

Author information

The post Centec V330: My Kind of OpenFlow Switch appeared first on Packet Pushers Podcast and was written by Tamihiro Yuzawa.

0

Thinking About SDN Packet Processing: You’re the One Talking to a Fish

Barbie films (yes, I really am talking about Barbie in a network blog post) are a big hit with my kids, and surprisingly with me too. I’ll possibly regret telling the world that, but anyway, there’s an exchange in one film* that always make me laugh. It goes like this. Human (Australian accent): “You’re bonkers!” […]

Author information

The post Thinking About SDN Packet Processing: You’re the One Talking to a Fish appeared first on Packet Pushers Podcast and was written Continue reading

0

Fun With Unmanaged Switches + Port Security

I’ve just passed a year of my job working at a smallish non-profit, and one part that I really am enjoying is passing on knowledge to the front-line staff. This week, there was an interesting case, and I had to explain to my colleagues what was happening and why. So, I did a little demo, and […]

Author information

The post Fun With Unmanaged Switches + Port Security appeared first on Packet Pushers Podcast and was written by Matthew Mengel.