Wednesday, September 30, 2015

Jeb Bush is a cyber-weenie

Jeb Bush, one of the many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.

For example, his recent position opposing "NetNeutrality" regulations says this:
these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their services
Uh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. That we Republicans oppose NetNeutrality is not based on the belief that "charging content companies" is a good thing.

Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who do.

Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality simply because it's over-regulation. My point is that Jeb Bush doesn't realize he's been sucked into the Democrat framing, and that what he says is garbage.

A better example is Jeb's position on cybersecurity. His position is essentially that we need to create a Cyber Police State to solve the problem. He opposes the free market, wanting government to regulate business cybersecurity. He uses terms like "public-private partnerships", which are terms invented by Democrats to justify over-regulation.

One position paper talks about the CISA bill:
We are not powerless unless we choose to be. It would be a start for the President to show leadership on Capitol Hill, and to throw his weight behind the House’s effort to improve cybersecurity information-sharing between the government and the private sector — a critical impediment to cybersecurity according to experts.
Uh, what "experts"? I am a top expert. I know the other top experts. I know of no expert who believes this -- except those who have close ties to the government. Most experts oppose the CISA bill in question, as a violation of civil liberties that would have an insignificant benefit to cybersecurity.

Beyond the "sharing" features of CISA, the bill would almost certainly contain amendments that will make us weaker. Cyber-weenies in government can't tell the difference between cyber-criminals and cyber-defenders. These amendments that attempt to crack down on cyber-criminals inadvertently threaten cyber-defenders. The current law already has a minor chilling effect on cyber-defenders -- rather than fixing that problem, the proposed changes would create a huge chilling effect.

Cyber-issues are important. Instead of farming out position papers to flunkies with little knowledge of cyber, they should get competent people. For example, the controversial Derek Khanna is a policy wonk who is not a weenie on cyber issues.

Here are some off-the-cuff cybersecurity policy suggestions. While not much thought has gone into them, I claim they are vastly better than Bush's. They are based on Republican principles, as well as cybersecurity expertise.

1. Retaliate against China

In reality, most cyber attacks from China are not directed by the government. It's just that they encourage a culture that rewards people who hack America. But we do have clear evidence of the Chinese government conducting cyberwar against the United States, such as the DDoS on GitHub.

Retaliating in cyber-space itself is a bad idea, as that legitimizes cyberspace as a battleground for attacks against us. But we should retaliate in other ways, such as trade restrictions. In the near term, this will hurt the United States, too. But in the long run, China needs to fear consequences for its unrestricted hacking against us. Without consequences, China will never stop.

2. Government fix thyself

Before government tampers with the free market, they need to solve their own cyber issues first. We can't expect the government to "promote best practices in the private sector", as Bush wants, unless they first implement those best practices in the government sector.

That the OPM hack happened is inexcusable. It's not simply that OPM failed at "best practices", but that the data never should have been Internet-accessible in the first place. I point to this policy because it's radically different from Jeb Bush's. Disconnecting a department's computers from the Internet is a radical policy that doesn't happen because of internal resistance. It takes a strong leader with a competent cyber team to overcome such resistance.

Bush's solution to OPM, firing the leaders, is attractive, but incomplete. You also fire leaders who don't deliver on other demands, such as easy access to data from other departments. Sometimes these demands are incompatible. It's often the leaders above departments who are at fault, giving subordinates an impossible task. It's the sort that says "I don't care about the obstacles -- just make it happen". What you've created is an environment where the leaders choose the option that will keep them in their job the longest. That means doing the insecure thing now, to avoid getting fired now, and hoping hackers don't find out until they've moved on to some other job.

3. Get a technical cyberczar

From Bush's brother through Obama, all cyberczars have been cyber-weenies with essentially no technical knowledge. Indeed, the current cyberczar prides himself on his lack of technical knowledge, believing (falsely) that it allows him to see the bigger picture without getting bogged down in details.

In truth, he's right that most problems aren't technical in nature. A cyberczar skilled in technology, but unskilled in government, will have a lot of problems. But here's the thing: everything starts as a technical problem. Government has a culture of cyber-weenies with nobody, from the top on down, being competent to solve technical problems. Teams remain dysfunctional because their leader doesn't have sufficient technical skill to know that lacking technical skills is the problem. Change needs to start at the top, meaning establishing a minimum set of technical credentials for the cyberczar, then among those qualified choosing the best bureaucrat.

4. Support the defenders

Right now, because of government cluelessness, the defenders are under attack. CISA amendments threaten them. CFAA extensions threaten them. Export restrictions threaten them. Corrupt copyright interpretations threaten them. Civil lawsuits threaten them. The recent executive order declaring a "cyber state of emergency" threatens them. Heck, the president has arrogated to himself the power to drone strike a cyber-expert he feels may be a threat to national security.

I scan the entire Internet looking for things like Heartbleed (a famous vulnerability), and report what I find to the cybersecurity community. But I exclude military systems from such scans, because our military threatens me. This doesn't stop the Chinese, of course. Therefore, the Chinese know about such weaknesses in our military systems, but the American people don't.

This is an application of what's known as "Kerckhoffs's principle", a principle that underpins cybersecurity and promotes openness and transparency -- one opposed by cyber-weenies in government who believe in keeping everything secret, even from defenders.

Empowering defenders is almost a 2nd Amendment thing. Current government policy takes away power from the defenders, trying to give government a monopoly on cyber-defense. Good Republican policy should be the opposite, to do more to empower the people to defend themselves.


Reasonable people can disagree about policy. My point here isn't to declare the best policy. My point instead is to highlight the flaws in Jeb Bush's policy. His people have created positions that are typical government insider generalities, demonstrating no actual expertise in the subject. He declares that the next leader of this country needs to solve this problem -- while demonstrating he isn't the leader to do so.

Disclaimer: I've donated $10 to the Jeb Bush campaign, and will vote for whichever Republican candidate wins the primary over any Democrat (except Trump, of course).

Tuesday, September 29, 2015

Prez: Candidate synchronization

So last week I gave $10 to all the presidential campaigns, in order to watch their antics. One thing that's weird is that they often appear to act in unison, as if they are either copying each other, or are all playing from the same secret playbook.

The candidates must report their donations every quarter, according to FEC (Federal Elections Commission) rules. The next deadline is September 30th. Three days before that deadline, half the candidates sent out email asking for donations to meet this "critical" deadline. They don't say why it's critical, but only that it is some sort of critical deadline that must be met, which can only be done with your help. The real reason why, of course, is that this information will become public, implicitly ranking the amount of support each candidate has.

Four days before this deadline, I didn't get donation pleas mentioning it. Three days before, half the candidates mentioned it. It's as if one candidate sees such an email blast, realizes it's a great idea, and sends out a similar email blast of their own.

Two days before the deadline, three of the candidates sent out animated GIFs counting down to the deadline. (These were auto-generated with a PHP script when I read the emails, to be accurate to the then-current time, but are of course now out of date.)

All three arrived within an hour. I don't know which candidate did it first.

One theory is that they are copying each other. The teams for each candidate watch their competitors rather like I am, then whenever one candidate does something good, everyone else plays catch-up.

Another theory is that they may all be playing from the same playbook. Professional campaign people move around campaigns a lot, so they all might be copying things that other people have done in the past. It's really weird how so many candidates appear to act all in unison, even those of different parties, which really hints they'd planned on doing these things, at these specific times, long ago.

Tuesday, September 22, 2015

I gave $10 to every presidential candidate

What happens when your candidate drops out of the 2016 presidential race? What do they do with the roughly a million names of donors they've collected?

I've decided that somebody needs to answer this question, so I've donated $10 to each of the roughly 25 current presidential candidates (yes, even the hateful ones like Trump and Lessig). By donating money, I've put myself on the list of suckers who they can tap again for more donations. After the election next year, we'll be able to figure out how each candidate has used (or misused) the email addresses I gave them.

For most candidates, the first two pieces of information they ask of you are #1 your email address and #2 your zip code. They need the zip code so that when there is a local rally in your area, they can contact you to get you to turn out. But as a side effect, it means being able to extract favors from local politicians.

I suspect one use of this zip information is when one Representative goes to another and says "If you support my bill, I'll blast out a fund raising message for you to all my donors who are in your district". Therefore, to do this right, I'd have to make a donation from every congressional/senate district in the country. I'm not willing to go that far.

A donor list also adds to their influence within their respective parties. I suspect that once they drop out of the race, candidates will start pumping their email lists with pleas for donations to the party.

Interacting with the various websites tells me a lot about the candidates. Hillary's gave me the impression of one of the smartest websites. She appeared to handle all the important technical features herself on the website, rather than outsourcing everything to third parties (as you'd expect, since she's been running for president longer than the Internet has been around). Once you sign up on the website with an email address, and then decide to donate, hers was the only website that filled in your address/zip for you, so that you didn't have to type them in again.

Conversely, Bernie Sanders's website gave the impression of a bumbling old grandpa who still doesn't understand the Internet. Mike Huckabee's had its own set of problems, namely SSL errors meaning his forms weren't securely submitting credit card numbers.

Rand Paul was the only one who accepted Bitcoin, of course.

There is a wide spectrum on exactly what the website does. For many candidates, it's just a storefront. You go to the site once to donate and find out about the candidate's stance on the issues, but then you never go there again. Others are more complex, going full tilt interacting with people over the Internet. Rand Paul's website is very complex this way -- such as providing images for supporters to put on their blogs (as shown here). But then, he's really more part of a wacko libertarian movement than just a candidate.

These sites don't look like they did 8 years ago. All the websites have big fonts and images, so that their content works well on phones. Marco Rubio has this annoying "infinite scrolling" thing going on. Rick Perry has a pretty awesome video (instead of image) as the background.

The websites vary in their use of dark patterns. These are techniques on websites that encourage people to accidentally do the wrong thing, such as sign up for things they didn't intend. Most of the emails contain tracking images/links designed to detect when you've received and read your emails, to invade your privacy. Most websites do their best to invade your privacy with various tracking companies, in order to discover more about you.
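As an added example (not code from the original post), here is a small Python checker that flags the kind of read-receipt pixels and click-tracking links described above, run over a constructed sample campaign email; the domains, the mailer host and the list of token parameter names are placeholders and assumed heuristics, not taken from any real campaign.

```python
"""Flag read-receipt tracking pixels and click-tracking links in campaign
email HTML.  Added example; the sample message below is constructed, not
a real campaign mailing, and every domain in it is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query parameters that commonly carry a per-recipient identifier.
# (Assumed heuristic list, not taken from any real mailer.)
TOKEN_PARAMS = {"id", "uid", "rid", "cid", "email", "e", "token", "t"}


class _Collector(HTMLParser):
    """Gather <img> and <a> tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and "src" in a:
            self.images.append(a)
        elif tag == "a" and "href" in a:
            self.links.append(a)


def _has_recipient_token(url):
    """True if the URL's query string carries a likely per-recipient id."""
    qs = parse_qs(urlparse(url).query)
    return any(k.lower() in TOKEN_PARAMS for k in qs)


def _is_tiny(attrs):
    """1x1 (or zero-size) images are the classic read-receipt pixel."""
    try:
        w = int(attrs.get("width", "100"))
        h = int(attrs.get("height", "100"))
    except ValueError:
        return False
    return w <= 1 and h <= 1


def _same_site(host, sender_domain):
    return host == sender_domain or host.endswith("." + sender_domain)


def find_trackers(html, sender_domain):
    """Return (pixels, tracked_links): image URLs that look like read
    receipts, and hrefs that route clicks through a third-party host
    or carry a per-recipient token."""
    c = _Collector()
    c.feed(html)
    pixels = []
    for img in c.images:
        src = img["src"]
        style = (img.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if _is_tiny(img) or hidden or _has_recipient_token(src):
            pixels.append(src)
    tracked = []
    for a in c.links:
        href = a["href"]
        host = urlparse(href).hostname or ""
        off_site = bool(host) and not _same_site(host, sender_domain)
        if off_site or _has_recipient_token(href):
            tracked.append(href)
    return pixels, tracked


# Constructed sample: one honest banner, one honest link, one redirect-
# tracked "Donate" link, one 1x1 open pixel, one hidden logo "pixel".
SAMPLE_EMAIL = """<html><body>
<p>Only 3 days until the FEC deadline!</p>
<img src="https://cdn.example-campaign.test/banner.jpg" width="600" height="200">
<a href="https://example-campaign.test/issues">Where I stand</a>
<a href="https://click.mailer-example.test/r?rid=abc123&u=https://example-campaign.test/donate">Donate now</a>
<img src="https://open.mailer-example.test/o.gif?rid=abc123" width="1" height="1">
<img src="https://example-campaign.test/logo.png" style="display: none">
</body></html>"""

if __name__ == "__main__":
    px, links = find_trackers(SAMPLE_EMAIL, "example-campaign.test")
    print("tracking pixels:", px)
    print("tracked links:", links)
```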

Websites are like sausage: you don't want to see the messy tricks your beloved candidate is really doing behind the scenes.

Anyway, over the course of the coming election, I'll blog about use and misuse of email addresses. Four years from now, I'll probably write a post about how this crop of candidates has turned out.

Monday, September 21, 2015

Zerodium's million dollar iOS9 bounty

Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red herring.

It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.

The bigger money is in the intelligence market for 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).

Every time Apple comes out with a new version (like iOS9), they fix old vulns, requiring intelligence organizations to scramble to come up with new ones. Since 50% of iPhone users have updated to iOS9 in the past three days, intelligence organizations are "going dark" quickly -- unless they can get a new 0day.

One of the keywords in Zerodium's statement is "exclusive". What that means is Zerodium plans on reselling the same bug to multiple governments. I would expect such bugs to actually sell for only around $300,000. Thus, I expect that Zerodium intends to make a profit by reselling the bug, non-exclusively, to multiple governments. If they can sell it to four different countries for $300,000, they'll make a profit. On the other hand, some countries will pay more for exclusive access to a bug -- paying for the privilege of cyber-superiority.

Another keyword is "untethered", meaning the implant will be "persistent" even after the phone is turned off and on again. From what I've heard, this is the most difficult part, where in some cases they just don't have persistence. Instead, they'll rely upon the fact that people rarely let their phones run out of batteries, and the fact that if they've adequately tapped the network, it's trivial to re-exploit the phone.

Note that there are other elements to an iPhone browser kill-chain. You have to not only get an 0day in the browser, but you need a separate 0day to escape the sandbox. It'll then take further privilege escalation 0days in order to get the implant successfully installed on the phone, and to access things like the microphone in order to eavesdrop on conversations, such as the all-important Facetime.

The price for important 0days has been going up every year. It's actually quite plausible that a single intelligence organization (China or the NSA) may be willing to pay $1 million for exclusive access to such a bug. If not now, then that may happen in the next few years.

At this point, Zerodium is late to the game. The beta for iOS9 has been available to developers for a while. Chances are good that whoever is selling 0days already had them available on, well, day zero of the iOS9 launch. If not on day zero, then the day after as they tweaked their exploits for the release version.

In summary, my point is this: Zerodium phrases their bounty in terms of "jailbreaks", but I'm pretty sure the market for "intelligence 0days" is much greater. Actually using it for jailbreaks would mean it would quickly get reverse engineered, and even fixed by Apple, so I doubt they'd use it for that purpose.

Friday, September 18, 2015

Some notes on NSA's 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.

Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, and a notional one where they deal with the bureaucratic nonsense that is government. This VEP document is probably the second one.

I don't think the redactions hide anything of consequence. For example, take a look at the first redaction:

The missing words are "Offensive Capabilities", and this isn't too hard to figure out.

The next redaction refers to paragraph 49 of NSPD-54/HSPD-23. Well, EPIC got this document a while ago, and it's here (also here). Though paragraph 49 is redacted here, we can read it from the original document there.

Activists have pointed out this unhelpful part of the document:

But as the text says, these parts redacted here are simply a summary for what is detailed in the sections below. Those are mostly not redacted. So we can reconstruct the process:

a. All 0days must first be sent through this process before anything else (with exceptions).
b. Each department involved will designate a point-of-contact who ensures their organization is represented in the process.
c. This process applies only to 0days (newly discovered vulns that aren't publicly known).
d. The NSA is in charge of this process.
e. Any organization that gets an 0day gives it to the NSA, then the NSA distributes that 0day to all the member organization point-of-contacts.
f. Organizations will then evaluate the 0day, and then have their point-of-contact report what the organization believes should be done (e.g. use for cyber-offensive, or contact vendor and have them patch it).
g. The executive board made up of all organizations will decide what to do with the 0day.

The organizations involved are intelligence (NSA, CIA, etc.), military (Army, Air Force, JSOC, etc.), Departments of State, Justice, Commerce, Treasury, Energy, and of course, Homeland Security.

I'm not sure what the word "equities" means. I think it means anybody who has an "ownership interest" in an 0day. These are listed in Appendix A, but most are redacted. They show the "defensive" need and essentially nothing else.

But we know that the redacted equities are about "offensive" use of vulns, in particular, for intelligence and for military operations.

Whatever this policy states, I'm sure that in practice things are handled much differently. For 0days in SCADA/ICS equipment, for example, they go directly to the Department of Energy, and the focus will be on getting those things patched.

On the other hand, the NSA has its offensive programs. Every time Apple updates iOS with new Safari protections, they'll buy the first 0day that gets around it. I suspect there's just a standing item of "iPhone 0days" where all departments have agreed that these go to the NSA for offensive exploitation, since the particulars (other than iPhone version) never change. Indeed, the NSA has a whole class of similar bugs, bought from the 0day market, that flow through to their tools for exploitation.

Moreover, as I read the document, the NSA (at its discretion) can trump the entire process and keep things secret. For example, if somebody sold a way to factor 2048 bit numbers to the NSA for $1 billion, they'd keep that secret from everyone in the government except maybe the President. It'd be interesting to know how often this has happened.

Note that this document is phrased in terms of 0days the government just happens to come across. To some extent this is valid, where the Department of Energy and DHS come across 0days in industrial systems. But mostly what's talked about here is where the NSA buys 0days in the shady underground vulnerability market. Again, this shows a difference between the claimed process in the document, and what's really happening.


So in summary, as we reverse engineer the redacted bits, we see just what we'd expect for offensive use of 0days. As we read the document, we see just what we'd expect from bureaucracy. The missing bits aren't the redactions themselves, but what practically happens in the real world: this policy seems aspirational, what everyone agrees is the official policy, and how 0days are handled that nobody really cares about. But for the real 0days that the NSA uses, like whichever latest iPhone 0day exists, I suspect in practice there's a very different process.

Update: Kim Zetter has discussions of the "equities" process in her Stuxnet book. Where this post just reflects my experiences with the government, her book is researched talking to lots of people.

Op-ed: By the way, I disagree with most privacy/security activists. I think it's nonsense that the NSA buying 0day makes our computers less safe; I suspect quite the opposite is true. I do think the NSA has gone too far and needs to be reined in a bit, but there's nothing special about 0days in this regard.

Wednesday, September 16, 2015

There are two sides to every story

In today's "clock" controversy, the clock didn't look like these:

Instead, this is the picture of the device (from the police department):

It's in a "pencil case", not a briefcase. You can compare the size to the plug on the right.

They didn't think it was a bomb, but a "hoax bomb". If they thought it might be a real bomb, they would've evacuated the school. Texas has specific laws making it illegal to create a hoax bomb -- it is for breaking this "hoax bomb" law that the kid was arrested.

This changes the tenor of the discussion. It wasn't that they were too stupid they thought it was a bomb, it was that they were too fascist believing it was intentionally a hoax.

They questioned him, and arrested him because his answers were "passive aggressive". This is wrong on so many levels it's hard to know where to begin. Of course, if the kid's innocent his answers are going to be passive aggressive, because it's just a clock!!!

It was the English teacher who turned him in. Probably for using a preposition at the end of a sentence. The engineering teacher thought it was a good project.

It's actually a sucky project. He didn't build his own clock so much as put existing parts of a clock together into a box.

Maybe with less hate

I wanted to point out the President's rather great tweet in response to Ahmed Mohamed's totally-not-a-bomb:

The reason this tweet is great is that it points out the great stupidity of the teachers/police, but by bringing Ahmed up rather than bringing them down. It brings all America up. Though the school/police did something wrong, the President isn't attacking them with hate.

The teachers/police were almost certainly racist, of course, but they don't see themselves that way. Attacking them with hate is therefore unlikely to fix anything. It's not going to change their behavior, because they think they did nothing wrong -- they'll just get more defensive. It's not going to change the behavior of others, because everyone (often wrongly) believes they are part of the solution and not part of the problem.

Issues like Ahmed's deserve attention, but remember that reasonable people will disagree. Some believe the bigger issue is the racism. Others believe that the bigger issue is the post 9/11 culture of ignorance and suspicion, where common electronics projects are seen as bomb threats.

But in today's political discourse, anybody who disagrees is labeled unreasonable. Those who think "ignorance" was a bigger issue than "racism" are viciously attacked for not taking racism seriously enough.

Even that is not enough hate. "Social justice" activists have used this incident to attack all white people for the crime of being "privileged".

We need less hate in the discussion. If you are a white nerd who believes the problem was ignorance more than racism, your opinion matters, too.

Personally, while the racism angle is more objectionable, the ignorance issue is more easily addressed. I've tried a little with humor:

My point is this. Less anger and hate; that'll just drive people away from the lessons they could learn from this incident. Instead, more humor, and more bringing people up -- like the President's tweet.

Tuesday, September 15, 2015

How to hack my Tesla

This post is just for my own notes. I'm buying a new car (arrives in October) and I need to gather up notes on how to hack it.

To start with is the generic car hacking information. One good source I found is the Car Hacker's Handbook, which has a good explanation of the basics.

Another good start is the various papers produced by Charlie Miller and Chris Valasek, such as their early work and their latest Jeep hack. [1] [2]

Specifically to my car, a Tesla, there is this site that documents all the undocumented bits about the car, such as listing the 56 CPUs found in the car.

Specifically, there is the work by Kevin Mahaffey and Marc Rogers covering their Tesla hacking. I hate them, because they've already done some of the obvious things I would've tried first, such as popping up an X Window on the display.

Anyway, this post is for my own benefit, so when I lose my notes, I can find them again by googling. Maybe other people in a similar situation might find it a bit useful, too.