Wednesday, July 23, 2014

Everything can be a bomb

This last week, pranksters replaced the US flag on top the Brooklyn Bridge with a white-flag. Nobody knows who or why. Many in the press have linked this to terrorism, pointing out that it could've been a bomb. Not only local New York newspapers have said this, but also CNN.

Such irrational fears demonstrate how deeply we've fallen for police-state fears, where every action is perceived as a potential terrorist threat.

It could've been a bomb, of course. But what could also have been a bomb is a van full of C4 explosives driven across the bridge. There are no checkpoints at either end inspecting vehicles with bomb sniffing dogs. What also could've been a bomb is a ship full of fertilizer that, when ignited, would act as a small nuke. The point is that everything can be a bomb. Instead of using this as justification for an ever increasing police-state, we just need to accept this and live with the danger -- because this danger is, in the end, tiny. A thousand 9/11 events would still not equal cancer, for example.

I mention this because the former 9/11 commission released a new report yesterday stoking the fears of cyber-terrorism, calling for an increase in the cyber-police-state. This is nonsense. If government wants to fix cybersecurity, their first effort should focus on fixing their own computers rather than violating our rights. Enable SSL on all government computers, disable SQL string pasting, and get rid of all default/backdoor passwords.

Government is trying to ratchet up the fear of cyber-terror. It's not that their scenarios aren't possible, it's that they use this fear to drive the police-state. In exactly the same way we shouldn't have bomb sniffing dogs checking every car before it crosses the Brooklyn Bridge, we should not have the current proposals for cybersecurity that violate rights.




Tuesday, July 22, 2014

Um, talks are frequently canceled at hacker cons

Talks are frequently canceled at hacker conventions. It's the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

I point this out because of this stories like this one hyping the canceled Tor talk at BlackHat. It's titled says the talk was "Suddenly Canceled". The adverb "suddenly" is clearly an attempt to hype the story, since there is no way to slowly cancel a talk.

The researchers are academics at Carnegie-Mellon University (CMU). There are good reasons why CMU might have to cancel the talk. The leading theory is that it might violate prohibitions against experiments on unwilling human subjects. There also may be violations of wiretap laws. In other words, the most plausible reasons why CMU might cancel the talk have nothing to do with trying to suppress research.

Suppressing research, because somebody powerful doesn't want it to be published, is the only reason cancelations are important. It's why the Boston MTA talk was canceled, because they didn't want it revealed how to hack transit cards. It's why the Michael Lynn talk was (almost) canceled, because Cisco didn't want things revealed.  It's why I (almost) had a talk canceled, because TippingPoint convinced the FBI to come by my offices to threaten me (I gave the talk because I don't take threats well). These are all newsworthy things.

The reporting on the Tor cancelation talk, however, is just hype, trying to imply something nefarious when there is no evidence.


Monday, July 21, 2014

More fun with #TSA

That's Julian in the center waving at me to stop taking pictures.
That's Michael faced away on his right
Coming back through JFK, my bag was stopped in the x-ray. The examiner shouted "bag checked", and sat and waited. And waited. Nobody came. Finally, he shunted it aside to the special bag check area. Where it sat, and sat.

There was as TSA agent standing around doing nothing, except flirting with a cute passenger standing right next to me bag. Finally, I pointed out that my bag needed to be checked, at which point he talked to the x-ray examiner, pulled it out, and checked it (I had a spray can of foot powder I bought because omg I wore my workout shoes that stink to the convention).

So, of course, I asked to see his badge, which was turned away from me, and to talk to his manager. He refused to even tell me his name, but he did get the supervisor, who confirmed his name was "Michael Vails". The manager was quite rude, looking at me in disbelief as I pointed out the guy was standing around flirting with girls instead of checking my bag. He wouldn't let me see his badge either, but claimed his name was "Julian something". I forget the something because I'm not good with names and forgot it by the time I was able to jot down notes.

So, I stood out of the way of traffic and started taking pictures. At this point, Julian came up to me and threatened me with arrest. I pointed out I'd read the TSA rules, which say it's legal (here). He said he knew the rules too, and that it wasn't illegal.

Unfortunately, I couldn't press the point, because I was at 1% battery, and had an electronic checking, needing a charged phone to get on the plane. Otherwise, I woulda popped out live video then and there. So I sat down and charged for a while.

I went back shortly after 3pm. I say a bunch of non-TSA non-police "security" people. I asked them about it, and they said that the actual police guy was just around the corner -- the only guy authorized to arrest me and carry a gun.

I was "streaming" to UStream at this point (http://www.ustream.tv/channel/erratarob) -- or so I thought. You guys missed the conversation. I was very polite, saying sir, ma'am (as appropriate), please, thank you, and "have a nice day".

I found the cop, and talked to him. He confirmed that he'd read the TSA guidelines and knew it was legal. He further confirmed that when they called for an arrest, it'd be him, and no, he wouldn't arrest me. I shook his hand and left.

I headed back to the TSA to take UStream video, and after checking it, realized I hadn't been streaming. So I took new video, this time getting it right, but it's quite boring. Unfortunately, the 3pm shift change happened, and there were new TSA agents, and the new ones didn't care that I was filming.

Anyway, that's today's adventures going through TSA. By the way, always remember when pissing off the TSA: be polite, calm, nice, and make sure you aren't standing in the way impeding traffic.



This was an awesome tweet somebody sent me:



The case involved a guy going through security charged with all sorts of things. It shows how the police can charge me with things no matter what I do. Luckily, the jury found this guy innocent, but there's a good chance an otherwise identical case might find somebody guilty.



Update: Some people on twitter asked "what's the goal" of this, or "what I'm trying to point out". The answer is "violation of rights". We have the right to hold the police accountable. When they threaten us to stop taking pictures, if we are afraid to take pictures, then we live in a police-state. Whipping out your cell phone and filming the TSA is something all passengers should do every time the TSA displeases them for any reason -- as long as they are doing so in a non-disruptive manner out of the way of traffic.

Also, remember to always have phone charged before going through TSA :).

Friday, July 18, 2014

Omg Hotel Pennsylvania sucks

Customer service is a tradeoff you get with price, thus I'm not terribly offended by things such as that recent terrible Comcast support call. If you don't want shitty service/product, then pay more. Often simply paying 10% more yields something vastly better.

The only problem is finding those "deals".

I'm at the HopeX conference, so to make life easier, I decided to stay at the venue, the Hotel Pennsylvania. Since it's a late booking, the price was $199 a night for an "upgraded" room. The room was horrible. It was tiny, the walls in the bathroom were crumbling as the damp seeped into the concrete, the furniture was scraped and dented, and the room's one tiny window looked out onto other rooms only 20 feet away. I could bear all that -- but the "non-smoking" room stank of smoke to the point that I couldn't fall asleep. So at 1:30am I gave up and checked out.

I went two (short) blocks down to the Hotel Affinia, which cases $224 for a room that's twice the size and "upscale": everything is nice new and pretty, and this non-smoking room doesn't smell a bit like smoke. It doesn't even smell like the deodorants hotels use to try to mask the smoke. The lady at the desk confirmed that they get a lot of customers from the Hotel Pennsylvania, like this one customer who entered their room to find a rat eating discarded food housekeeping hadn't cleaned up.

So I write this not because OMGWTF is the Hotel Pennsylvania bad, but OMGWTF why didn't anybody tell me??!!???.

Behind the Hotel Pennsylvania checkin desk is a six-screen multi-monitor setup running WinXP displaying live content, with a warning message that the firewall/AV is disabled. I was soooo tempted to not checkout and stay up all night hacking the network instead, because goatse.

Tuesday, July 15, 2014

EFF lies about NetNeutrality

The EFF has completely and thoroughly repudiated JP Barlow's "Declaration of Independence of Cyberspace", such as in this tweet:




This tweet is lie. Congress can't "kill Net Neutrality" because Net Neutrality doesn't currently exist. Net Neutrality proponents don't want to maintain the status quo, but radically change the Internet, converting it from the private network it is now into a public utility, regulated by the government.

What the left-wing populists tell you about Net Neutrality is a lie. Corporations aren't doing the evil things they claim. There is no technical idea behind it like "end-to-end". Net Neutrality is just the political belief that corporations are inherently evil and that the government must run the Internet.

Internet "fast lanes" are not a bad thing. They already exist, and the Internet can't function without them. Sniff your home traffic and then traceroute every IP address your system communicates with. You'll find that 90% of you home traffic goes to a server in your local city. That's because most websites use a fast lane to the "content delivery network" ("CDN") like Akamai, or a private CDN by Google, Apple, or Facebook. No company with a major web presence can compete unless they, too, pay for a fast lane.

Such fast lanes are the way the Internet has to work. We imagine that I can setup my own website at home and the entire world can access it (in an end-to-end fashion), but Internet backbone simply cannot handle the traffic. Netflix alone requires thousands of times more bandwidth than the Internet backbone can provide without using fast lanes. That's the difference between "broadcast" television where a million people can watch the same stream, and "unicast" video where everyone watches their own custom stream.

This dispute between Comcast and Netflix is not what they claim. Netflix already pays for a fast lane by putting servers in every city, because it wouldn't work otherwise. The only question is how, within each city, the traffic streams from Netflix's servers to Comcast's network.

And even then that's still not the key question. Netflix now pays Comcast for a faster lane, putting their servers directly on the Comcast network. Yet, during peak hours (8pm to 10pm), the system still slows down dramatically to under 3-mbps (where I live). That's because Comcast's urban network still can't handle the bandwidth. For Netflix to truly work, either Comcast will have to put more fiber in the ground to spread the streams around, or Netflix will have to spread their servers around the city.

Either way, it's Netflix's customers that should have to pay for the upgrade. Comcast's network works fine for the 90% of customers who don't stream lots of Netflix videos. It's only Netflix customers who have the problem. Forcing Comcast to upgrade their network to support Netflix means forcing the majority of low-bandwidth customers to subsidize the high-bandwidth customers. This is inherently unfair. I'm a Netflix binge watcher, and I appreciate that my viewing has been subsidized, but I still find it unfair. The only fair solution is for Netflix's customers to pay for Comcast's build-out.

Net Neutrality proponents claim that American broadband is the slowest and most expensive in the world. Of course it is. American cities are spread out. Our commute distances are twice that of European cities. The greater the suburban sprawl, the more expensive the Internet service. My city has less than 10% the population density of Paris, of course Comcast broadband is going to cost more here. American's pay a lot more to commute to work, they should pay a lot more for broadband.

Comcast is a monopoly in my city. Only Comcast provides more than 6-mbps for home service (my service is 75-mbps). However, the fault is government regulators. They won't allow another company to come in and lay a fiber optic network unless that company agrees to lay fiber everywhere -- even the poor areas of town. That's why Google could afford to put fiber in places like Kansas City, because the city council agreed that Google only had to lay fiber in neighborhoods that would pay for the service. The answer to Comcast monopoly practices is less regulation, not more. If you want companies to provide high-speed broadband to poor neighborhoods to solve the digital divide, then it's something you should pay for, rather than forcing Comcast's potential competitors into paying for it. Companies don't operate at a loss -- when you force them to, they simply choose to not operate at all.


Net Neutrality is just left-wing populism run amok, playing on your fears in order to convert the private Internet into a government-regulated public utility like water, gas, and electricity. This won't "save" the Internet as they promise, but kill all innovation. Of course, if you are a left-winger, this is something you'll want, and nothing I can say can convince you otherwise. But it's something that libertarians and right-wingers will oppose.

Monday, July 14, 2014

JTRIG weekend projects

The Intercept has released a page of JTRIG tools and techniques. I thought I'd comment on them.

Largely, this is a long list of small projects. Few of these projects require more than a couple lines of code, or would take an average hacker more than a weekend to accomplish.

For example, there is CHANGELING, which says "Ability to spoof any email address and send email under that identity". That's the sort of thing you'd ask as an interview question for a cybersec company. You'd expect the candidate to produce this in 20 minutes.

Some sound like big projects, but they are in fact just leveraging existing large open-source projects. A tiny amount of scripting on top of a project like OpenBTS would deliver big, scary results, such as fuzzing GSM.

I point this out because people have the misapprehension that the intelligence services have advanced "cyber-weapons". That's not true. Instead, what's going on is like Rambo stuck in a jungle with only a knife, who can fashion anything into a weapon, from twigs to rocks. That's what you see going on here: given the existing base of open-source (and closed-source) code, cyber-warriors fashion new tools with a little bit of added code.

Rather than being scared of their "advanced" cyber-weapons, what we should be scared about is their "access" and their "brute-force".

Intelligence services have access to things we don't. An example is MUSTANG's "access to the location of GSM cell towers". That information isn't public, and is the sort of thing that intelligence services would have. This allows them to have better location tracking tools than the public -- not because they have better technology but because they have better access.

Intelligence services can spend bajillions of dollars on things. An excellent example is XKEYSCORE, which is a rather primitive packet-sniffer as its base, but spread throughout the world on a thousand systems. They tap undersea fiber-optic cables, and insert monitors into ISPs in target countries. They spend hundreds of millions of dollars on this. If you live in Iraq, it's unlikely you can do anything on the Internet without getting monitored by this system.


Upcoming speaking schedule

I've an unusually dense talk schedule over the next month. Please ask questions at end of talk. Also ambush me afterward and ask more questions.


HopeX:
Sunday July 20, 2:00pm, Olson room
Technology walkthrough of XKeyScore and how to jam it


PasswordsCon 2014:
Wednesday August 6, 12:10pm Track 1
Overview of password hashes in network protocols


DEF CON 22:
Saturday August 9, 10:00am, Track 3
Masscan


DEF CON 22:
Friday August 8, 2:00pm, Track 2
Panel. I'm being this for several years, I still don't know what it is



Wednesday, July 09, 2014

NSA: walk a mile in their shoes

While this is mostly a technical blog, our most popular posts deal with cyber-rights, supporting Snowden, Weev, and Swartz. Yet sometimes I appear to defend the NSA. People ask me why, so I thought I’d write up a response.

Most American schools force students to read the book To Kill a Mockingbird. It’s a great book for many reasons. Most people think it’s about racism, but it’s not – it’s about bigotry. Racism is just one of the forms of bigotry found in the book. The full message, repeated several times, is that we should get along with others by trying to understand their point of view.

Our society is improving with regards to racism, but other forms of bigotry are alive and well. Webster’s defines bigotry as: “obstinate and unreasoning attachment of one's own belief and opinions, with narrow-minded intolerance of beliefs opposed to them”. Our society praises such bigotry. Tolerance and understanding of other opinions is condemned.

People like Glenn Greenwald, Jacob Appelbaum, and others in the ‘activist’ movement are extreme bigots. There is good reason to oppose the NSA and its leaders who have egregiously mislead the public. Yet, this is still not justification for bigotry.

It’s so bad that Snowden himself said in a recent interview:

“People have unfairly demonized the NSA to a point that’s too extreme. These are good people trying to do hard work for good reasons.”

I’ve worked with the NSA in the past. I’m an expert in the technology the NSA uses, as demonstrated in my XKeyScore posts. Thus, I know enough that the bigotry is plain to me. Hence, I write blogposts trying to explain the opposite point of view – something that if we truly believed in the message of To Kill a Mockingbird we’d all embrace. Of course, nobody learned that message, they only learned that “racism is bad m’kay?”.

That I get so much hate, being called an “NSA-lover”, confirms to me that I’m on the right track. People don’t debate the specific claims I make (such as how Jacob Appelbaum faked the “NSA tracking Tor users” story). Instead, they criticize me for standing up and defending the NSA, using language matching almost exactly those who criticized Atticus Finch for defending a black man.


Let me be clear: the government’s spying is unconstitutional, citizens have the duty to oppose it. Like Snowden, I would have leaked that Verizon order gathering all metadata. I’d even agree that incendiary terms like “police-state” are a fair description. James Clapper and Keith Alexander have been caught misleading the public. Despite all this, the NSA is not full of evil people. Demonizing the NSA makes you look like a bigot, making you lose credibility among people who matter. Sure, you’ll whip up your followers to a frenzy, but you’ll have no influence in Washington DC. If you want to change what’s going on in the government, then you’ll have to start understanding things from their perspective, walking a mile in their shoes.



Consider this tweet in response to this post:

The first time in To Kill a Mockingbird that Atticus tells Scout to try to understand somebody else's point of view is in regards to her teacher -- a person of authority.

In pre-WWII Germany, few defended the obvious bigotry against Jews because they had power. That's the point of Mein Kampf, claiming that that it was the Jews who ran the press, international finance, the major political parties, and so forth.

Bigotry against the powerful is still bigotry.




I think many think that racism/bigotry is bad because it harms the target. Thus, they don't care if it harms the NSA. I believe the opposite -- that my bigotry harms me. The problem is being obstinate and unreasonable. I may be wrong about the NSA, maybe some or all of their actions are actually valid -- I'll never find out if I persist in bigotry.



Also, of course, there's Ender's Game, which also taught the importance of understanding your enemy -- in order to destroy them.