Monday, July 28, 2014

Cliché: open-source is secure

Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.

Firstly, there is the problem of usability. Unusable crypto isn't a valid option for most users. Most would rather just not communicate at all, or risk going to jail, rather than deal with the typical dependency hell of trying to get open-source to compile. Moreover, open-source apps are notoriously user-hostile, which is why the Linux desktop still hasn't made headway against Windows or Macintosh. The reason is that developers blame users for being stupid for not appreciating how easy their apps are, whereas Microsoft and Apple spend $billions in usability studies actually listening to users. Desktops like Ubuntu are pretty good -- but only when they exactly copy Windows/Macintosh. Ubuntu still doesn't invest in the usability studies that Microsoft/Apple do.

The second problem is deterministic builds. If I want to install an app on my iPhone or Android, the only usable way is through their app stores. This means downloading the binary, not the source. Without deterministic builds, there is no way to verify the downloaded binary matches the public source. The binary may, in fact, be compiled from different source containing a backdoor. This means a malicious company (or an FBI NSL letter) can backdoor open-source binaries as easily as closed-source binaries.
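A toy illustration of that verification gap, added here and not part of the original post: a simulated compiler that either stamps the wall-clock time into its output (non-deterministic) or uses a fixed epoch (deterministic), with an auditor who rebuilds the public source and compares hashes. The source strings and the `build`/`verify` helpers are constructed for the example.

```python
import hashlib
import time

# Constructed stand-ins for a project's public source tree and for a
# variant compiled from different source (an extra line the public never sees).
PUBLIC_SOURCE = "def send(msg): return encrypt(msg)\n"
BACKDOORED_SOURCE = PUBLIC_SOURCE + "def send(msg): leak(msg); return encrypt(msg)\n"


def build(source, deterministic, clock=time.time):
    """Simulated compiler. A non-deterministic build stamps the current
    time into the artifact (as real toolchains embed timestamps and paths);
    a deterministic build substitutes a fixed SOURCE_DATE_EPOCH-style value."""
    stamp = 0 if deterministic else int(clock())
    return f"BUILD_TIME={stamp}\n".encode() + source.encode()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def verify(published_binary, public_source, deterministic, clock=time.time):
    """What a third party can do: rebuild the public source on their own
    machine and check the result hashes to the same value as what was shipped."""
    rebuilt = build(public_source, deterministic, clock)
    return digest(rebuilt) == digest(published_binary)


def outcomes():
    """Run the four cases the post argues about and return pass/fail per case."""
    vendor_clock, auditor_clock = (lambda: 1_000), (lambda: 2_000)
    return {
        # Honest binary, non-deterministic toolchain: auditor's rebuild differs
        # only in timestamp, yet the hashes mismatch, so the check is useless.
        "honest_nondeterministic": verify(
            build(PUBLIC_SOURCE, False, vendor_clock), PUBLIC_SOURCE, False, auditor_clock),
        # Backdoored binary, non-deterministic: also mismatches, indistinguishable
        # from the honest case above.
        "backdoored_nondeterministic": verify(
            build(BACKDOORED_SOURCE, False, vendor_clock), PUBLIC_SOURCE, False, auditor_clock),
        # Deterministic builds: honest binary reproduces, backdoored one does not.
        "honest_deterministic": verify(build(PUBLIC_SOURCE, True), PUBLIC_SOURCE, True),
        "backdoored_deterministic": verify(build(BACKDOORED_SOURCE, True), PUBLIC_SOURCE, True),
    }


if __name__ == "__main__":
    for case, ok in outcomes().items():
        print(f"{case}: {'matches' if ok else 'MISMATCH'}")
```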

The third problem is code-review. People trust open-source because they can see for themselves if it has any bugs. Or, if not themselves, they have faith that others are looking at the code ("many eyes make bugs shallow"). Yet, this rarely happens. We repeatedly see bugs giving backdoor access ('vulns') that remain undetected in open-source projects for years, such as the OpenSSL Heartbleed bug. The simple fact is that people aren't looking at open-source. Those qualified to review code would rather be writing their own code. The opposite is true for closed-source, where they pay people to review code. While engineers won't review code for fame/glory, they will for money. Given two products, one open and the other closed, it's impossible to guess which has had more "eyes" looking at the source -- in many cases, it's the closed-source that has been better reviewed.

What's funny about this open-source bigotry is that it leads to very bad solutions. A lot of people I know use the libpurple open-source library and the server (run by CCC hacking club). People have reviewed the libpurple source and have found it extremely buggy, and chat apps don't pin SSL certificates, meaning any SSL encryption to the CCC server can easily be intercepted. In other words, the open-source alternative is known to be incredibly insecure, yet people still use it, because "everyone knows" that open-source is more secure than closed-source.

Wickr and SilentCircle are two secure messaging/phone apps that I use, for the simple fact that they work both on Android and iPhone, and both are easy to use. I've read their crypto algorithms, so I have some assurance that they are doing things right. SilentCircle has open-sourced part of their code, which looks horrible, so it's probable they have some 0day lurking in there somewhere, but it's really no worse than equivalent code. I do know that both companies have spent considerable resources on code review, so I know at least as many "eyes" have reviewed their code as open-source. Even if they showed me their source, I'm not going to read it all -- I've got more important things to do, like write my own source.

Thus, I see no benefit to open-source in this case. Except for Cryptocat, all the open-source messaging apps I've used have been buggy and hard to use. But, you can easily change my mind: just demonstrate an open-source app where more eyes have reviewed the code, or a project that has deterministic builds, or a project that is easier to use, or some other measurable benefit.

Of course, I write this as if the argument was about the benefits of open-source. We all know this doesn't matter. As the EFF teaches us, it's not about benefits, but which is ideologically pure; that open-source is inherently more ethical than closed-source.

Wednesday, July 23, 2014

Everything can be a bomb

This last week, pranksters replaced the US flag on top of the Brooklyn Bridge with a white flag. Nobody knows who or why. Many in the press have linked this to terrorism, pointing out that it could've been a bomb. Not only local New York newspapers have said this, but also CNN.

Such irrational fears demonstrate how deeply we've fallen for police-state fears, where every action is perceived as a potential terrorist threat.

It could've been a bomb, of course. But what could also have been a bomb is a van full of C4 explosives driven across the bridge. There are no checkpoints at either end inspecting vehicles with bomb sniffing dogs. What also could've been a bomb is a ship full of fertilizer that, when ignited, would act as a small nuke. The point is that everything can be a bomb. Instead of using this as justification for an ever increasing police-state, we just need to accept this and live with the danger -- because this danger is, in the end, tiny. A thousand 9/11 events would still not equal cancer, for example.

I mention this because the former 9/11 commission released a new report yesterday stoking the fears of cyber-terrorism, calling for an increase in the cyber-police-state. This is nonsense. If government wants to fix cybersecurity, their first effort should focus on fixing their own computers rather than violating our rights. Enable SSL on all government computers, disable SQL string pasting, and get rid of all default/backdoor passwords.

Government is trying to ratchet up the fear of cyber-terror. It's not that their scenarios aren't possible, it's that they use this fear to drive the police-state. In exactly the same way we shouldn't have bomb sniffing dogs checking every car before it crosses the Brooklyn Bridge, we should not have the current proposals for cybersecurity that violate rights.

Tuesday, July 22, 2014

Um, talks are frequently canceled at hacker cons

Talks are frequently canceled at hacker conventions. It's the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

I point this out because of stories like this one hyping the canceled Tor talk at BlackHat. Its title says the talk was "Suddenly Canceled". The adverb "suddenly" is clearly an attempt to hype the story, since there is no way to slowly cancel a talk.

The researchers are academics at Carnegie-Mellon University (CMU). There are good reasons why CMU might have to cancel the talk. The leading theory is that it might violate prohibitions against experiments on unwilling human subjects. There also may be violations of wiretap laws. In other words, the most plausible reasons why CMU might cancel the talk have nothing to do with trying to suppress research.

Suppressing research, because somebody powerful doesn't want it to be published, is the only reason cancelations are important. It's why the Boston MTA talk was canceled, because they didn't want it revealed how to hack transit cards. It's why the Michael Lynn talk was (almost) canceled, because Cisco didn't want things revealed. It's why I (almost) had a talk canceled, because TippingPoint convinced the FBI to come by my offices to threaten me (I gave the talk because I don't take threats well). These are all newsworthy things.

The reporting on the Tor talk cancelation, however, is just hype, trying to imply something nefarious when there is no evidence.

Monday, July 21, 2014

More fun with #TSA

That's Julian in the center waving at me to stop taking pictures.
That's Michael facing away on his right.

Coming back through JFK, my bag was stopped in the x-ray. The examiner shouted "bag checked", and sat and waited. And waited. Nobody came. Finally, he shunted it aside to the special bag check area. Where it sat, and sat.

There was a TSA agent standing around doing nothing, except flirting with a cute passenger standing right next to my bag. Finally, I pointed out that my bag needed to be checked, at which point he talked to the x-ray examiner, pulled it out, and checked it (I had a spray can of foot powder I bought because omg I wore my workout shoes that stink to the convention).

So, of course, I asked to see his badge, which was turned away from me, and to talk to his manager. He refused to even tell me his name, but he did get the supervisor, who confirmed his name was "Michael Vails". The manager was quite rude, looking at me in disbelief as I pointed out the guy was standing around flirting with girls instead of checking my bag. He wouldn't let me see his badge either, but claimed his name was "Julian something". I forget the something because I'm not good with names and forgot it by the time I was able to jot down notes.

So, I stood out of the way of traffic and started taking pictures. At this point, Julian came up to me and threatened me with arrest. I pointed out I'd read the TSA rules, which say it's legal (here). He said he knew the rules too, and that it wasn't illegal.

Unfortunately, I couldn't press the point, because I was at 1% battery, and had an electronic check-in, needing a charged phone to get on the plane. Otherwise, I woulda popped out live video then and there. So I sat down and charged for a while.

I went back shortly after 3pm. I saw a bunch of non-TSA non-police "security" people. I asked them about it, and they said that the actual police guy was just around the corner -- the only guy authorized to arrest me and carry a gun.

I was "streaming" to UStream at this point -- or so I thought. You guys missed the conversation. I was very polite, saying sir, ma'am (as appropriate), please, thank you, and "have a nice day".

I found the cop, and talked to him. He confirmed that he'd read the TSA guidelines and knew it was legal. He further confirmed that when they called for an arrest, it'd be him, and no, he wouldn't arrest me. I shook his hand and left.

I headed back to the TSA to take UStream video, and after checking it, realized I hadn't been streaming. So I took new video, this time getting it right, but it's quite boring. Unfortunately, the 3pm shift change happened, and there were new TSA agents, and the new ones didn't care that I was filming.

Anyway, that's today's adventures going through TSA. By the way, always remember when pissing off the TSA: be polite, calm, nice, and make sure you aren't standing in the way impeding traffic.

This was an awesome tweet somebody sent me:

The case involved a guy going through security charged with all sorts of things. It shows how the police can charge me with things no matter what I do. Luckily, the jury found this guy innocent, but there's a good chance an otherwise identical case might find somebody guilty.

Update: Some people on twitter asked "what's the goal" of this, or "what I'm trying to point out". The answer is "violation of rights". We have the right to hold the police accountable. When they threaten us to stop taking pictures, if we are afraid to take pictures, then we live in a police-state. Whipping out your cell phone and filming the TSA is something all passengers should do every time the TSA displeases them for any reason -- as long as they are doing so in a non-disruptive manner out of the way of traffic.

Also, remember to always have your phone charged before going through TSA :).

Friday, July 18, 2014

Omg Hotel Pennsylvania sucks

Customer service is a tradeoff you get with price, thus I'm not terribly offended by things such as that recent terrible Comcast support call. If you don't want shitty service/product, then pay more. Often simply paying 10% more yields something vastly better.

The only problem is finding those "deals".

I'm at the HopeX conference, so to make life easier, I decided to stay at the venue, the Hotel Pennsylvania. Since it's a late booking, the price was $199 a night for an "upgraded" room. The room was horrible. It was tiny, the walls in the bathroom were crumbling as the damp seeped into the concrete, the furniture was scraped and dented, and the room's one tiny window looked out onto other rooms only 20 feet away. I could bear all that -- but the "non-smoking" room stank of smoke to the point that I couldn't fall asleep. So at 1:30am I gave up and checked out.

I went two (short) blocks down to the Hotel Affinia, which costs $224 for a room that's twice the size and "upscale": everything is nice, new, and pretty, and this non-smoking room doesn't smell a bit like smoke. It doesn't even smell like the deodorants hotels use to try to mask the smoke. The lady at the desk confirmed that they get a lot of customers from the Hotel Pennsylvania, like this one customer who entered their room to find a rat eating discarded food housekeeping hadn't cleaned up.

So I write this not because OMGWTF the Hotel Pennsylvania is bad, but OMGWTF why didn't anybody tell me??!!???

Behind the Hotel Pennsylvania checkin desk is a six-screen multi-monitor setup running WinXP displaying live content, with a warning message that the firewall/AV is disabled. I was soooo tempted to not checkout and stay up all night hacking the network instead, because goatse.

Tuesday, July 15, 2014

EFF lies about NetNeutrality

The EFF has completely and thoroughly repudiated JP Barlow's "Declaration of Independence of Cyberspace", such as in this tweet:

This tweet is a lie. Congress can't "kill Net Neutrality" because Net Neutrality doesn't currently exist. Net Neutrality proponents don't want to maintain the status quo, but radically change the Internet, converting it from the private network it is now into a public utility, regulated by the government.

What the left-wing populists tell you about Net Neutrality is a lie. Corporations aren't doing the evil things they claim. There is no technical idea behind it like "end-to-end". Net Neutrality is just the political belief that corporations are inherently evil and that the government must run the Internet.

Internet "fast lanes" are not a bad thing. They already exist, and the Internet can't function without them. Sniff your home traffic and then traceroute every IP address your system communicates with. You'll find that 90% of your home traffic goes to a server in your local city. That's because most websites use a fast lane to a "content delivery network" ("CDN") like Akamai, or a private CDN run by Google, Apple, or Facebook. No company with a major web presence can compete unless they, too, pay for a fast lane.

Such fast lanes are the way the Internet has to work. We imagine that I can set up my own website at home and the entire world can access it (in an end-to-end fashion), but the Internet backbone simply cannot handle the traffic. Netflix alone requires thousands of times more bandwidth than the Internet backbone can provide without using fast lanes. That's the difference between "broadcast" television where a million people can watch the same stream, and "unicast" video where everyone watches their own custom stream.

This dispute between Comcast and Netflix is not what they claim. Netflix already pays for a fast lane by putting servers in every city, because it wouldn't work otherwise. The only question is how, within each city, the traffic streams from Netflix's servers to Comcast's network.

And even then that's still not the key question. Netflix now pays Comcast for a faster lane, putting their servers directly on the Comcast network. Yet, during peak hours (8pm to 10pm), the system still slows down dramatically to under 3-mbps (where I live). That's because Comcast's urban network still can't handle the bandwidth. For Netflix to truly work, either Comcast will have to put more fiber in the ground to spread the streams around, or Netflix will have to spread their servers around the city.

Either way, it's Netflix's customers that should have to pay for the upgrade. Comcast's network works fine for the 90% of customers who don't stream lots of Netflix videos. It's only Netflix customers who have the problem. Forcing Comcast to upgrade their network to support Netflix means forcing the majority of low-bandwidth customers to subsidize the high-bandwidth customers. This is inherently unfair. I'm a Netflix binge watcher, and I appreciate that my viewing has been subsidized, but I still find it unfair. The only fair solution is for Netflix's customers to pay for Comcast's build-out.

Net Neutrality proponents claim that American broadband is the slowest and most expensive in the world. Of course it is. American cities are spread out. Our commute distances are twice those of European cities. The greater the suburban sprawl, the more expensive the Internet service. My city has less than 10% the population density of Paris; of course Comcast broadband is going to cost more here. Americans pay a lot more to commute to work, so they should pay a lot more for broadband.

Comcast is a monopoly in my city. Only Comcast provides more than 6-mbps for home service (my service is 75-mbps). However, the fault is government regulators. They won't allow another company to come in and lay a fiber optic network unless that company agrees to lay fiber everywhere -- even the poor areas of town. That's why Google could afford to put fiber in places like Kansas City, because the city council agreed that Google only had to lay fiber in neighborhoods that would pay for the service. The answer to Comcast monopoly practices is less regulation, not more. If you want companies to provide high-speed broadband to poor neighborhoods to solve the digital divide, then it's something you should pay for, rather than forcing Comcast's potential competitors into paying for it. Companies don't operate at a loss -- when you force them to, they simply choose to not operate at all.

Net Neutrality is just left-wing populism run amok, playing on your fears in order to convert the private Internet into a government-regulated public utility like water, gas, and electricity. This won't "save" the Internet as they promise, but kill all innovation. Of course, if you are a left-winger, this is something you'll want, and nothing I can say can convince you otherwise. But it's something that libertarians and right-wingers will oppose.

Monday, July 14, 2014

JTRIG weekend projects

The Intercept has released a page of JTRIG tools and techniques. I thought I'd comment on them.

Largely, this is a long list of small projects. Few of these projects require more than a couple lines of code, or would take an average hacker more than a weekend to accomplish.

For example, there is CHANGELING, which says "Ability to spoof any email address and send email under that identity". That's the sort of thing you'd ask as an interview question for a cybersec company. You'd expect the candidate to produce this in 20 minutes.

Some sound like big projects, but they are in fact just leveraging existing large open-source projects. A tiny amount of scripting on top of a project like OpenBTS would deliver big, scary results, such as fuzzing GSM.

I point this out because people have the misapprehension that the intelligence services have advanced "cyber-weapons". That's not true. Instead, what's going on is like Rambo stuck in a jungle with only a knife, who can fashion anything into a weapon, from twigs to rocks. That's what you see going on here: given the existing base of open-source (and closed-source) code, cyber-warriors fashion new tools with a little bit of added code.

Rather than being scared of their "advanced" cyber-weapons, what we should be scared about is their "access" and their "brute-force".

Intelligence services have access to things we don't. An example is MUSTANG's "access to the location of GSM cell towers". That information isn't public, and is the sort of thing that intelligence services would have. This allows them to have better location tracking tools than the public -- not because they have better technology but because they have better access.

Intelligence services can spend bajillions of dollars on things. An excellent example is XKEYSCORE, which is a rather primitive packet-sniffer as its base, but spread throughout the world on a thousand systems. They tap undersea fiber-optic cables, and insert monitors into ISPs in target countries. They spend hundreds of millions of dollars on this. If you live in Iraq, it's unlikely you can do anything on the Internet without getting monitored by this system.

Upcoming speaking schedule

I've an unusually dense talk schedule over the next month. Please ask questions at the end of each talk. Also ambush me afterward and ask more questions.

Sunday July 20, 2:00pm, Olson room
Technology walkthrough of XKeyScore and how to jam it

PasswordsCon 2014:
Wednesday August 6, 12:10pm Track 1
Overview of password hashes in network protocols

Saturday August 9, 10:00am, Track 3

Friday August 8, 2:00pm, Track 2
Panel. I've been doing this for several years, and I still don't know what it is.