Friday, October 17, 2014

FBI's crypto doublethink

Recently, FBI Director James Comey gave a speech at the Brookings Institute decrying crypto. It was transparently Orwellian, arguing for a police-state. In this post, I'll demonstrate why, quoting bits of the speech.

"the FBI has a sworn duty to keep every American safe from crime and terrorism"
"The people of the FBI are sworn to protect both security and liberty"

This is not true. The FBI's oath is to "defend the Constitution". Nowhere in the oath does it say "protect security" or "keep people safe".

This detail is important. Tyrants suppress civil liberties in the name of national security and public safety. This oath, taken by FBI agents, military personnel, and even the president, is designed to prevent such tyrannies.

Comey repeatedly claims that FBI agents both understand their duty and are committed to it. That Comey himself misunderstands his oath disproves both assertions. This reinforces our belief that FBI agents do not see their duty as protecting our rights, but instead see rights as an impediment in pursuit of some other duty.

Freedom is Danger

The book 1984 describes the concept of "doublethink", with political slogans as examples: "War is Peace", "Ignorance is Strength", and "Freedom is Slavery". Comey goes full doublethink:

Some have suggested there is a conflict between liberty and security. I disagree. At our best, we in law enforcement, national security, and public safety are looking for security that enhances liberty. When a city posts police officers at a dangerous playground, security has promoted liberty—the freedom to let a child play without fear.

He's wrong. Liberty and security are at odds. That's what the 4th Amendment says. We wouldn't be having this debate if they weren't at odds.

He follows up with more doublethink, claiming "we aren’t seeking a back-door", but are instead interested in "developing intercept solutions during the design phase". Intercept solutions built into phones are the very definition of a backdoor, of course.

"terror terror terror terror terror"
"child child child child child child"

Comey mentions terrorism 5 times and child exploitation 6 times. This is transparently the tactic of the totalitarian, demagoguery based on emotion rather than reason.

Fear of terrorism after 9/11 led to the Patriot Act, granting law enforcement broad new powers in the name of terrorism. Such powers have been used overwhelmingly for everything else. The most telling example is the detention of David Miranda in the UK under a law that supposedly only applied to terrorists. Miranda was carrying an encrypted copy of Snowden files -- clearly having nothing to do with terrorism. It was clearly exploitation of anti-terrorism laws for the purposes of political suppression.

Any meaningful debate doesn't start with the headline grabbing crimes, but the ordinary ones, like art theft and money laundering. Comey has to justify his draconian privacy invasion using those laws, not terrorism.

"rule of law, rule of law, rule of law, rule of law, rule of law"

Comey mentions rule-of-law five times in his speech. His intent is to demonstrate that even the FBI is subject to the law, namely review by an independent judiciary. But that isn't true.

The independent judiciary has been significantly weakened in recent years. We have secret courts, NSLs, and judges authorizing extraordinary powers because they don't understand technology. Companies like Apple and Google challenge half the court orders they receive, because judges just don't understand. There is frequent "parallel construction", where evidence from spy agencies is used against suspects, sidestepping judicial review.

What Comey really means is revealed by this statement: "I hope you know that I’m a huge believer in the rule of law. ... There should be no law-free zone in this country". This is a novel definition of "rule of law", a "rule by law enforcement", that has never been used before. It reveals what Comey really wants: a totalitarian police-state where nothing is beyond the police's powers, where the only check on power is a weak and pliant judiciary.

"that a commitment to the rule of law and civil liberties is at the core of the FBI"

No, lip service to these things is at the core of the FBI.

I know this from personal experience when FBI agents showed up at my offices and threatened me, trying to get me to cancel a talk at a cybersecurity conference. They repeated over and over how they couldn't force me to cancel my talk because I had a First Amendment right to speak -- while simultaneously telling me that if I didn't cancel my talk, they would taint my file so that I would fail background checks and thus never be able to work for the government ever again.

We saw that again when the FBI intercepted clearly labeled "attorney-client privileged" mail between Weev and his lawyer. Their excuse was that the threat of cyberterrorism trumped Weev's rights.

Then there was that scandal that saw widespread cheating on a civil-rights test. FBI agents were required to certify, unambiguously, that nobody helped them on the test. They lied. It's one more oath FBI agents seem not to care about.

If commitment to civil liberties was important to him, Comey would get his oath right. If commitment to rule-of-law was important, he'd get the definition right. Every single argument Comey makes demonstrates how little he is interested in civil liberties.

"Snowden Snowden Snowden"

Comey mentions Snowden three times, such as saying "In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications".

This is not true. No news article based on the Snowden documents claims this. No news site claims this. None of the post-Snowden activists believe this. All the people who matter know the difference between metadata and full eavesdropping, and likewise, the difficulty the FBI has in getting at that data.

This is how we know the FBI is corrupt. They ignore our concerns that government has been collecting every phone record in the United States for 7 years without public debate, but instead pretend the issue is something stupid, like the false belief they've been recording all phone calls. They knock down strawman arguments instead of addressing our real concerns.

Regulate communication service providers

In his book 1984, everyone had a big screen television mounted on the wall that was two-way. Citizens couldn't turn the TV off, because it had to be blaring government propaganda all the time. The camera was active at all times in case law enforcement needed to access it. At the time the book was written in 1934, televisions were new, and people thought two-way TVs were plausible. They weren't at that time; it was a nonsense idea.

But then the Internet happened and now two-way TVs are a real thing. And it's not just the TV that's become two-way video, but also our phones. If you believe the FBI follows the "rule of law" and that the courts provide sufficient oversight, then there's no reason to stop them going full Orwell, allowing the police to turn on your device's camera/microphone any time they have a court order in order to eavesdrop on you. After all, as Comey says, there should be no law-free zone in this country, no place law enforcement can't touch.

Comey pretends that all he seeks at the moment is a "regulatory or legislative fix to create a level playing field, so that all communication service providers are held to the same standard" -- meaning a CALEA-style backdoor allowing eavesdropping. But here's the thing: communication is no longer a service but an app. Communication is "end-to-end", between apps, often by different vendors, bypassing any "service provider". There is no way to eavesdrop on those apps without being able to secretly turn on a device's microphone remotely and listen in.

That's why we crypto-activists draw the line here, at this point. Law enforcement backdoors in crypto inevitably mean an Orwellian future.


There is a lot more wrong with James Comey's speech. What I've focused on here were the Orwellian elements. The right to individual crypto, with no government backdoors, is the most important new human right that technology has created. Without it, the future is an Orwellian dystopia. And as proof of that, I give you James Comey's speech, whose arguments are the very caricatures that Orwell lampooned in his books.

Tuesday, October 14, 2014

Some POODLE notes

Heartbleed and Shellshock allowed hacks against servers (meaning websites and such). POODLE allows hacking clients (your web browser and such). If Heartbleed/Shellshock merited a 10, then this attack is only around a 5.

It requires MitM (man-in-the-middle) to exploit. In other words, the hacker needs to be able to tap into the wires between you and the website you are browsing, which is difficult to do. This means you are probably safe from hackers at home, because hackers can't tap backbone links. But, since the NSA can tap into such links, it's probably easy for them. However, when using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitting at the table next to you.

It requires, in almost all cases, JavaScript running in the browser. That's because the attacker needs to MitM thousands of nearly identical connections that can fail. There are possibly rare cases where such connections may happen (like automated control systems), but JavaScript is nearly a requirement. That means the Twitter app on your iPhone is likely safe, as the attacker can't run JavaScript in the app. Although, a lot of apps use web GUIs underneath, if only to serve ads, so not all "apps" are safe.

It doesn't hack computers, but cracks encryption. It reveals previously encrypted data.

What the hacker will likely try to do is hack your session cookies. That means they won't get your password for your account, but they will be able to log in to your account as you. Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages. These are two examples -- they really have near complete control over your accounts. They won't be able to steal your password, however.

In theory, the attacker can do much more, but attacking cookies is the overwhelmingly most likely vector.

It's the standard protocol that is vulnerable, not anybody's code. Essentially, they got the math wrong.

Only older versions of SSL are impacted -- but everybody is backwards compatible with older versions. Thus, part of the attack is to "downgrade" both sides, forcing both the client and server to use the older version.

This attack is against SSLv3, which is 15 years old and known to be obsolete. After this version of SSL, engineers renamed it to TLS and reset the version number to 1.0, because they are jerks and want to confuse people. (Actually, the story is that Netscape created SSL, and Microsoft insisted on a name change because they hated Netscape). Thus, the next version after SSLv3 is TLSv1.0.

The solution is to disable SSLv3 (and all prior versions), and leave only TLS version 1.0 (and later versions) enabled. If either the server (the website) or the client (the browser) doesn't support SSLv3, then the hack won't work.

Disabling SSLv3 in servers is difficult, because a lot of users still use IE6, Microsoft's browser from a decade ago. When servers remove SSLv3, then users with IE6 will no longer be able to access the server. However, CloudFlare, which hosts a lot of websites, has disabled SSLv3 across their systems. Apparently they are comfortable with breaking IE6 -- which is good guidance for other people considering the same.

Disabling SSLv3 in browsers is easy. On Chrome, use the command-line flag --ssl-version-min=tls1, and on Firefox set security.tls.version.min to 1. Generally, there are virtually no servers out there that don't support TLSv1, so this shouldn't break anything.
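The version-numbering story above (SSLv3 is 3.0 on the wire, its renamed successor TLSv1.0 is 3.1) is what a defender checks after disabling SSLv3: did the server actually stop negotiating it? The following Python is an added example, not code from the original post; it parses a ServerHello record and reports the negotiated version, and the sample records are constructed, not captured traffic.

```python
"""Report which SSL/TLS version a server actually negotiated, by parsing the
ServerHello record it sent. Sample records below are constructed for the
example, not captured traffic."""
import struct

# Wire version numbers. SSLv3 is 3.0 on the wire and its renamed successor
# TLS 1.0 is 3.1, which is the numbering confusion described above.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2


def parse_server_hello(record: bytes) -> dict:
    """Parse one record carrying a ServerHello.

    Layout (SSLv3 and TLS 1.x share it):
      record:      type(1) version(2) length(2)
      handshake:   type(1) length(3)
      ServerHello: version(2) random(32) session_id_len(1) session_id(n)
                   cipher_suite(2) compression_method(1) [extensions...]
    Returns the negotiated version name, the cipher suite id, and whether
    the server fell back to SSLv3, which is what POODLE's downgrade needs.
    """
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type})")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    major, minor = hello[0], hello[1]
    session_id_len = hello[34]
    offset = 35 + session_id_len
    if len(hello) < offset + 3:
        raise ValueError("truncated ServerHello")
    cipher_suite = int.from_bytes(hello[offset:offset + 2], "big")
    return {
        "record_version": VERSION_NAMES.get((rec_major, rec_minor),
                                            f"unknown {rec_major}.{rec_minor}"),
        "negotiated": VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}"),
        "cipher_suite": cipher_suite,
        "sslv3_negotiated": (major, minor) == (3, 0),
    }


def build_server_hello(major: int, minor: int, cipher_suite: int,
                       session_id: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record for testing (sample data only)."""
    hello = bytes([major, minor]) + b"\x11" * 32           # version + fixed "random"
    hello += bytes([len(session_id)]) + session_id
    hello += cipher_suite.to_bytes(2, "big") + b"\x00"     # suite + null compression
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([CONTENT_TYPE_HANDSHAKE, major, minor])
            + len(handshake).to_bytes(2, "big") + handshake)


if __name__ == "__main__":
    # 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite of the kind POODLE targets.
    downgraded = build_server_hello(3, 0, 0x002F)   # server accepted SSLv3
    healthy = build_server_hello(3, 1, 0x002F)      # server held at TLS 1.0
    for rec in (downgraded, healthy):
        print(parse_server_hello(rec))
```

A server that has SSLv3 disabled should never produce a ServerHello with `sslv3_negotiated` set, whatever the client offered.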

The simplest explanation is, as usual for such things, on Adam Langley's blog here.

Standards are a farce

Today (October 14) is "World Standards Day", celebrating the founding of the ISO, also known as the "International Standards Organization". It's a good time to point out that people are wrong about standards.

You are reading this blog post via "Internet standards". It's important to note that through its early existence, the Internet was officially not a standard. Through the 1980s, the ISO was busy standardizing a competing set of internetworking standards.

What made the Internet different is that its standards were de facto, not de jure. In other words, the Internet standards body, the IETF, documented things that worked, not how they should work. Whenever somebody came up with a new protocol to replace an old one, and people started using it, the IETF would declare this as "something people are using". Protocols were documented so that others could interoperate with them if they wanted, but there was no claim that they should. Internet evolution in these times was driven by rogue individualism -- people rushed to invent new things without waiting for the standards body to catch up.

The ISO's approach was different. Instead of individualism, it was based on "design by committee", where committees were dominated by Big Government and Big Corporations. They standardized how protocols should work first, then implemented them second -- the opposite order from the Internet. They created something so complex that it could never be correctly implemented.

The group's name, by the way, was called "OSI" or "Open Systems Interconnect". The only reason most people have heard of this name is because of the OSI model. It's important to note that everything they know about the OSI model is wrong. What they think they know about the "Network" and "Transport" layers is what they know about IP and TCP respectively, and not what OSI designers originally intended. What they know about the Session, Transport, and Application layers is even worse: it's completely wrong, often specifying the opposite way things work in the Internet TCP/IP world. The standard "OSI Model" survives because it's a "standard" even though it's irrelevant in every way that something can be irrelevant.

However, while the model survives, almost the entire suite of OSI protocols has failed. We don't have a "connection oriented network protocol", for example. These standard protocols do exist, but in isolated places on the Internet. For example, the power grid runs a lot of stuff on port 102, the OSI standard "Transport" on top of TCP/IP. Since those things are based on ASN.1, they are full of buffer-overflows and easily hackable.

Standards are ultimately the modern form of fascism, where authoritarian people insist on subjugating everyone to a single set of rules. So, on October 14, I'm going to celebrate the demise of OSI, and the historic success of the Internet in the face of coordinated action by standards bodies to suppress it.

Sunday, October 12, 2014

Don't sign that CFAA petition

This White House petition reforming the CFAA/DMCA is foolish. Don't sign it. We all support the goal of decriminalizing research, but this isn't the way of doing it.

The problem is that "reform" means nothing. It doesn't state exactly which reforms the petitioners want. That means politicians will deliver on what they asked, reforming the DMCA/CFAA, but in the opposite direction. The mood in Washington D.C. is one of great fear of Chinese hackers and cyberterrorists. Once you start reform, these forces will take over and drive it the other way.

In other words, the petition is like somebody on a submarine saying "the air is stuffy, let's open a window and let some fresh air in". It's best to keep that window closed rather than getting drowned.

A second problem is the declaration that "safe code" is the problem. That will encourage law-makers to solve that problem with legislation requiring manufacturers to follow rules -- without needing to weaken the DMCA/CFAA. This is bad. So far, rule-based security like Common Criteria and PCI certification has proven to be an enormous burden that does little to address the problem.

Lastly, there is the problem that this is a "White House" petition. The president doesn't make laws, s/he enforces them. It's appropriate to petition the White House to publish narrower rules on how DMCA and CFAA will be prosecuted, but inappropriate to ask for a law. Instead, if you want changes to laws, the best place to start is to talk to your congressional representatives. Call them up and schedule a time to talk to them. You'll likely talk to a staffer in a local office, but this will still influence them. Signing a petition takes no effort, and politicians therefore give it no credence. Showing up at their offices, or spending time talking on a phone, takes effort, showing that you really care.

Personally, as a white-hat researcher who scans the Internet, I'm most at threat from the CFAA. Yet, I'm not going to sign that petition. I have talked to my congressional representatives. I have also signed this letter, which much more narrowly defines our goals.

Wednesday, October 08, 2014

Response to Kathy Sierra

People are asking me about this post from Kathy Sierra. It’s inaccurate, twisted, and personally insulting. That Kathy was doxxed and harassed 7 years ago is indeed an awful thing, but that doesn’t justify her own bad behavior toward others.

I always defend targets of lynch mobs, such as accused Boston Bomber Dzhokhar Tsarnaev. To the right is a picture of what appears to be Tsarnaev placing the bomb right behind 9-year-old Martin Richard, who died in the blast. I feel sick to my stomach looking at it. But here’s the thing: Tsarnaev is an American citizen, and I will vigorously defend his rights to due process. When they violated his civil rights, interrogating him for days while he hung near death in his hospital bed, begging for a lawyer, I vocally condemned this. All fruits of that interrogation need to be thrown out, even if it means Tsarnaev goes free. And I have no problem saying this to the face of Martin Richard’s parents.

Weev may be a bad human being, but he’s not as vile as a mass bomber. I likewise defend him from lynch mobs. His arbitrary conviction and imprisonment under the CFAA was a gross violation of his constitutional rights. Had his conviction stood, the precedent would have threatened all our rights.

What’s twisted about Kathy Sierra’s rhetoric is that she equates defending Weev against the lynch mob as defending Weev’s harassing behavior. That’s like claiming I defend Tsarnaev because I like bombing children. It’s an insulting accusation.

Kathy barged into a conversation last Saturday that started with the claim Weev belonged in jail for doxxing her. However, there is no evidence supporting such a conviction – that’s just more lynch mob mentality. There is a NYTimes article from 2008 quoting Weev as claiming he did it, yet Weev has long claimed he was misquoted. The situation is like Dorian Nakamoto, who denies he admitted to Newsweek that he created bitcoin.

As I pointed out on Twitter, we can’t believe Weev either way. He is notoriously unreliable. We can’t trust his denials today, but at the same time, we can’t trust his statements from 2008. As I pointed out on Twitter, Weev has claimed credit for trolls that he was at best only peripherally involved in. Yet, Kathy Sierra insultingly claims this means I somehow believe Weev.

When Sierra bombarded me with Tweets containing insulting and twisted arguments, I was wholly polite in my responses (as you can read for yourself, as they are public). Her reaction, and that of her supporters, is wholly unjustified. Nobody deserves being threatened or doxed, but Kathy certainly deserves all the other hostility that comes her way. She is a very mean person.

Wget off the leash

As we all know, to grab a website with wget, we'll use the "-r" option to "recurse" through all the links. There is also the '-H' option, which means that wget won't restrict itself to just one host. In other words, with '-r -H' together, it'll try to spider the entire Internet. So I did that to see what would happen.

Well, for a 32-bit process, what happened is that after more than a month, it ran out of memory. It maintained an ever growing list of URLs that it has to visit, which can easily run into the millions. At a hundred bytes per URL and 2 gigabytes of virtual memory, it'll run out of memory after 20 million URLs -- far short of the billions on the net. That's what you see below, where 'wget' has crashed after exhausting memory. Below that I show the command I used to launch the process, starting at as the seed with a max timeout of 5 seconds.

How much data did I download from the Internet? According to 'du', the answer is 18-gigabytes, as seen in the following screenshot:

It reached 79425 individual domains, far short of the millions it held in memory. I don't know how many files it grabbed -- there are so many that it takes hours to traverse the entire directory tree.

What sorts of domains did it visit? As you can see in the screenshot, all sorts of stuff, like "" or "". How all this stuff is reached via "", I just don't know.

Note that the point of this experiment wasn't to actually spider the net; there are far better tools for that. Also, there is a nice project on Amazon AWS called the "Common Crawl Corpus" where they crawl the Internet for you (billions of links) and then let you process it with your own EC2 instance.

Instead, the point is what hackers always do. In this case, it's answering the question "I wonder what -H does". I mean, I know what it does, but I still wonder what happens. Now I've got a nice 18G of random stuff from the Internet that is what happens.

You can get better, more rigorous data sets (like the Common Crawl stuff), but if you want a copy of this data set, hit me up at the next hacker/security con. I'll probably have it on a USB 3.0 flash drive (srsly, my flash drives are now 64gigabyte in size -- for the small ones). It'll be good for various testing projects, like building parsers for things like JPEGs or PDFs.

Six-month anniversary scan for Heartbleed

I just launched my six-month anniversary scan for Heartbleed. I'll start reporting early results tomorrow afternoon. I'm dialing the scan to run slowly and spreading it across four IP addresses (and 32k ports) in order to avoid unduly alarming people.

If you would like the results of the scan for your subnet, send your address ranges to our "abuse@" email address. We'll look up the abuse contact email for those ranges and send you what we found for that range. (This offer is good through the end of October 2014).

Here is a discussion of the options.

--conf /etc/masscan/masscan.conf
You don't see this option, but it's the default. This is where we have the 'excluderanges' configured. Because we exclude everyone who contacts us and "opts-out" of our white-hat scans, we are down to scanning only 3.5 billion hosts now, out of around 4 billion.
The "/0" means "the entire Internet". Actually, any valid IPv4 address can replace the and it'll produce the same results, such as "" to amuse your friends.

This says to scan on port 443, the default SSL port. At some point in the future, I'll scan for some other common SSL ports, including the STARTTLS ports like port 25.

This means to create a full TCP connection with the system and grab "banner" info. In this case, that means sending an SSL "hello" request and parsing the received X.509 certificate. It'll parse that certificate and dump the hostname from it.

--capture cert
This means to also capture the X.509 certificate. I don't really care for this scan, but on general principles, grabbing certificates is good for other SSL research. This happens before the heartbleed check.

This means that after the initial SSL Hello it will attempt a "Heartbleed" request. In this case, the returned information will just be a "VULN: [Heartbleed]" message for the IP address. If you want more, then "--capture heartbleed" can also be used to grab the "bleeding" information. I don't do that.

-oB heartbleed.scan
This means to save the results in a binary file called "heartbleed.scan". This is the custom masscan format that can be read using the --readscan option later to convert to XML, JSON, and other output formats. I always scan using this format, but I think I'm the only one.

--rotate-dir /var/log/masscan
You don't see it here on the command-line because it's in masscan.conf (see above), but every hour the contents of "heartbleed.scan" are rotated into this directory and a new file created. That file is timestamped with the current time.

--rotate hourly
You don't see it here, but it's in masscan.conf. This means that rotation to /var/log/masscan should happen every hour on the hour. If you start a scan at 1:55, it'll be rotated at 2:00. It renames the file with the timestamp as the prefix, like 141007-020000-heartbleed.scan, so having it aligned to an even hour makes things easier to work with. Note that "minutely" and "daily" are also supported.

--rate 80000
People don't like getting scanned too fast; it makes IDS and firewall logs unhappy. Therefore, I lower the rate to only 80,000 packets/second to reduce their strain. This consequently means the scan is going to take 13 hours to complete.

On the same principle as slowing the rate, spreading across multiple source IP addresses makes IDS/firewalls squawk less, and makes people less unhappy. We have only a small range to play with, so I'm only using 4 IP addresses. Note that masscan has its own TCP/IP stack -- it's "spoofing" these IP addresses, no machine actually exists here. If you try to ping them, you'll get no response. This is the best way to run masscan, though people still find it confusing.

--source-port 32768-65535
By default, masscan uses a randomly assigned source port. I prefer to use a range of source ports.
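Two pieces of the workflow described above are worth seeing as code: subtracting an 'excluderanges'-style opt-out list from 0.0.0.0/0 to see what is left to scan, and pulling the Heartbleed hits for a requester's address range out of the results so they can be sent to that range's abuse contact. The following Python is an added example, not the author's tooling; the exclusion list, the result lines and the result-line layout are constructed sample data, not the author's real configuration or masscan's exact output.

```python
"""Exclusion arithmetic and per-range result lookup for a whitehat scan.
The exclusion list and result lines are constructed sample data, and the
result-line layout is assumed, not masscan's exact output."""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed opt-out list in the spirit of an 'excluderanges' file:
# one CIDR per line, '#' comments allowed. Sample values only.
EXCLUDE_TEXT = """
# multicast and reserved space, never worth scanning
224.0.0.0/4
240.0.0.0/4
# a network whose admins asked to be left out
198.51.100.0/24
"""

# Constructed result lines: "open" records a responding port, "banner"
# carries what the banner check returned (here the Heartbleed verdict or the
# certificate subject). Addresses come from the documentation ranges.
RESULTS_TEXT = """
open tcp 443 203.0.113.7 1412725000
banner tcp 443 203.0.113.7 1412725000 vuln VULN: [Heartbleed]
open tcp 443 203.0.113.9 1412725010
banner tcp 443 203.0.113.9 1412725010 X509 CN=www.example.test
open tcp 443 192.0.2.44 1412725020
banner tcp 443 192.0.2.44 1412725020 vuln VULN: [Heartbleed]
"""


def parse_ranges(text: str) -> List[IPv4Net]:
    """Parse CIDR-per-line text, dropping comments, and merge adjacent blocks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def remaining_targets(excludes: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Subtract every excluded block from 0.0.0.0/0 and return the CIDRs left."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excludes:
        kept = []
        for net in remaining:
            if net.subnet_of(ex):          # block entirely excluded (or equal)
                continue
            if ex.subnet_of(net):          # carve the excluded block out
                kept.extend(net.address_exclude(ex))
            else:                          # disjoint, keep as is
                kept.append(net)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def host_count(nets: Iterable[IPv4Net]) -> int:
    """Total number of addresses covered by the given blocks."""
    return sum(n.num_addresses for n in nets)


def covers(nets: Iterable[IPv4Net], addr: str) -> bool:
    """True if addr falls inside any of the given blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def heartbleed_hits_in_range(results_text: str, requested_cidr: str) -> List[str]:
    """Return the addresses flagged 'VULN: [Heartbleed]' that fall inside
    the range a requester asked about (the opt-in offer above)."""
    wanted = ipaddress.ip_network(requested_cidr, strict=False)
    hits = []
    for line in results_text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 7 or parts[0] != "banner":
            continue
        addr = ipaddress.ip_address(parts[3])
        if "VULN: [Heartbleed]" in parts[6] and addr in wanted:
            hits.append(str(addr))
    return hits


if __name__ == "__main__":
    excludes = parse_ranges(EXCLUDE_TEXT)
    targets = remaining_targets(excludes)
    print(f"{len(targets)} CIDRs, {host_count(targets):,} hosts left to scan")
    print("hits for 203.0.113.0/24:",
          heartbleed_hits_in_range(RESULTS_TEXT, "203.0.113.0/24"))
```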

Monday, October 06, 2014

Who named "shellshock"?

Because it's terribly important to cybersec, many are debating the origin of the name "shellshock". I thought I'd write up the definitive answer.

The answer is that it came from this tweet by Andreas Lindh. That's the absolute origin of the term. Andreas made it up himself.

Also, to some extent Davi Ottenheimer deserves some credit for starting the conversation among a bunch of people with his tweet saying "it's not big until there's a logo". Lots of people posted logos at that point.

Also to some extent I deserve some credit for then pimping the "shellshock" name in my blogposts, which received a lot of attention in the early hours of the shellshock crisis. As you can see from the pageview stats below, these posts got a lot of attention. Also, most of the early news stories on "real" news websites referenced me and my posts. Those news sites got the name from me, and I got it from Andreas and nobody else.

I suspect what really helped it along is that when I scanned the Internet for the bug, I put it in everybody's webserver logs. I included a pointer to the "shellshock scan" post in the user-agent string. That pretty much made it official for every geek looking at logs, regardless of what name news stories might choose.

The reality is that nobody knows how these things happen. A lot of us were online on twitter discussing the bug, the technical details, and goofball things like what its logo should be. It's a product of mass consciousness and insanity rather than any one person. But if you had to pick somebody to blame, it's Andreas Lindh.

Understanding the HP split

HP is splitting itself into "enterprise" and "consumer" companies. Why the split? Isn't the goal of big companies to get bigger? Well, no, that's just the cynical view of companies. The actual goal is to deliver value to stockholders. Splitting delivers value in two ways. The first is that it "exposes" the underlying business. The second is that it avoids dis-economies of scale.

Conglomerates like GE (General Electric) have a problem. While some businesses do well and grow, other businesses fail and shrink. You can't buy stock in the individual components of GE's business you think are growing, you have to take all or none. GE Medical has been growing fast, but you can't invest in it individually.

Thus, big companies frequently spin out such companies, either to divest themselves of the dead weight that isn't growing, or conversely, to let a growing part of the business fly free without being held back by the deadweight. The fast growing parts of a business aren't inherently better. They tend to also be riskier, meaning that while their stock may surge, they have equal probability of going bankrupt soon.

We can see how this philosophy worked in the case of HP's previous spinoff of "Agilent", the test-and-measurement business that was the origins of HP.

Test-and-measurement is a boring product category. Thus, since the spinoff, Agilent has closely tracked the S&P 500. The HP computer business was the exciting business with growth potential, which has done better, although with more volatility. The thing to note here is that if you average the two stock prices together, then investors wanting high-risk growth stocks would've gotten a smaller return. That's why HP divested itself of Agilent -- it freed itself of the deadweight.

The second reason to split is dis-economies of scale. Larger is not better. The biggest problem is the corporate brand. What does the "HP" brand stand for? On one hand, the brand is trying to service the enterprise market, where the brand wants to stand for "boring reliability". On the other hand, the brand is trying to service the consumer market, where HP wants to compete with Apple for "cool awesomesauce". Trying to be both weakens the brand in both markets.

Thus, the real goal of the split is to free the brand. HP has a big presence in the home market with its printers and laptops. Freeing the brand means HP can start selling other consumer products, such as tablets and phones, with exciting HPness, without offending its enterprise customers. Conversely, the new "Hewlett-Packard Enterprise" can become even more stodgy and boring.

The stock jumped 6% today, because investors are betting on the future shares. When the split happens, they'll receive one share in each business to replace an existing share. Investors wanting steady growth will immediately sell the consumer share. Investors wanting high-risk/high-return stock will likewise dump the stodgy enterprise share.

CEO Meg Whitman is staying with the enterprise business. It's not that this is the better company. Instead, it's because the consumer market fighting against Apple is for younger, more energetic CEOs.

By the way, as an investor, I'd dump the consumer stock. Its printer ink business is a cash cow, but I don't think they know how to compete against Apple and achieve growth. Several years from now, they still won't be the luxury brand demanding high margins that everyone wants, but still will be the boring/cheap brand they are today.

Friday, October 03, 2014

Two Minutes of Hate: Marriott deauthing competing WiFi

Do you stand for principle -- even when it's against your interests? Would you defend the free-speech rights of Nazis, for example? The answer is generally "no", few people stand for principle. We see that in this morning's news story about Marriott jamming (actually deauthing) portable WiFi hotspots in order to force customers to use their own high-priced WiFi.

The principle I want to discuss here is "arbitrary and discriminatory enforcement". It was the principle behind the Aaron Swartz and Andrew "weev" Auernheimer cases. The CFAA is a vague law where it is impossible to distinguish between allowed and forbidden behavior. Swartz and Weev were prosecuted under the CFAA not because what they did was "unauthorized access", but because they pissed off the powerful. Prosecutors then interpreted the laws to suit their purposes.

Opt-in for upcoming Heartbleed results

On October 8, the 6-month anniversary of Heartbleed, I'm going to scan the Internet again for it. I expect to find that about 250k devices are still vulnerable. These are things like webcams, NAS boxes, forgotten VM instances, development machines, and so on -- few real "web servers" will be vulnerable.

I will, of course, exclude from my scan everyone who has asked to be excluded. My scan list is down to only 3.5 billion hosts because of all the exclusions I do. However, asking for whitehats to exclude you from their scans is not a smart security strategy. Therefore, if you are on our exclude list, I suggest you do the reverse: opt back in.

I mention this because we are going to try something new: allow people to opt-in to the results. Send us an email, and we'll send the results of our Heartbleed scan for your address range to the "abuse" address registered for that address range.

Reading the Silk Road configuration

Many of us believe it wasn't the FBI who discovered the hidden Silk Road server, but the NSA (or other intelligence organization). We believe the FBI is using "parallel construction", meaning creating a plausible story of how they found the server to satisfy the courts, but a story that isn't true.

Today, Brian Krebs released data from the defense team that seems to confirm the "parallel construction" theory. I thought I'd write up a technical discussion of what was found.

Thursday, October 02, 2014

Right-winger explains what's wrong with ComputerCop

The EFF has a good article on ComputerCop. Police departments have lashed back, saying the EFF is an "ultra-liberal organization that is not in any way credible on this". While it's true the EFF leans heavily to the left, I'm a right-winger -- and I agree with them in this case. Maybe the police will find my right-wing criticisms of ComputerCop more believable.

The basic issue is that this program isn't "protection", but is instead a "virus". It's the same software hackers use to spy on computers. It's the same software that jealous lovers secretly install on their partner's computer. Some of the copies the police give out will be used for the intended purpose (parents hacking their children's computers), but some copies will also end up in the hands of evil-doers who use it for general hacking. When investigating domestic abuse cases over the next few years, police will find their own software on the victim's computer, placed there by the abuser. I can imagine the excuse an ex-husband will have for cyber-stalking his wife: "but I got the software from the police!!".

Monitoring your child's online activities is a good thing. Hacking your child's computers is probably a bad thing. It's not the sort of activity police departments should be encouraging.

The software maker exploits the fact that rural county sheriffs are rubes with little understanding of technology. As the EFF documents show, the software is poorly written, with bugs that in fact endanger the child. The software maker doesn't care, because it knows that its customers (the police) aren't smart enough to figure this out -- not even smart enough to understand the EFF's clear explanation of the technical details.

But all of this pales in comparison to the real problem: police corruption. It's not police departments with appointed heads who are buying this program, but elected sheriffs or elected district attorneys. It's not sold as normal software with the company's name on the top, but with the elected official's name blazoned across the front. It comes with a nice promotional picture of the official in question (often hanging out with children), and often with what's essentially a political election/promotional video [1] [2] [3] on the disk. For a minimum purchase of 5000 units, the vendor sends a videographer to help make a promotional video to go along with the disk.

Rather than protecting children, this software's true purpose is police corruption, allowing elected officials to funnel money from civil asset forfeitures into election campaign materials.

As a right-winger, this disturbs me greatly. The bedrock of a civilized society rests on trust in the police, both in their competence and their integrity. What we see here is incompetence and police corruption. It's something all right-wingers should oppose.

Update: Some of my friends assumed this was my normal snark. No, I'm not joking this time. This really is police giving malware to parents so they can hack their kid's computer. This really is a clever way to use funds from civil asset forfeitures to promote themselves.