Friday, February 24, 2017

A quick note about iconoclasm

I'm an iconoclast [*]. Whenever things become holy, whereby any disagreement is treated as heresy, then I disagree. There are two reasonable sides to every argument. When you vilify one of the sides in the argument, then I step in to defend them -- not that they are right, but that they are reasonable.

This makes many upset, because once a cause has become Holy, anybody disagreeing with orthodoxy (like me) is then, by definition, a horrible person. I get things like the image to the right.

(Please don't harass/contact this person -- she believes what many do, and singling her out would be mean).

For the record, I'm rabidly feminist, anti-racist, pro-LGBT, pro-civil-rights. It's just that while I care a lot, I'm not Orthodox. I likely disagree with you about the details. When you vilify those who disagree with you, I will defend them.

...which is the best troll, ever. Admitting somebody is wrong, but defending them as reasonable, seems to upset people more than just arguing the other side is right.

Tuesday, February 21, 2017

Border Digital Safety for Journalists

The CPJ, the "Committee to Protect Journalists", offers some horrible advice [*] on Digital Security, especially when crossing the border.

The most important piece of advice I can give you is this: if somebody's life depends upon it, then no simple piece of advice, no infographic, is going to help you. You have to learn about cybersecurity enough to make intelligent decisions for yourself. You have to make difficult tradeoffs yourself. Anybody giving you simple advice or infographics is a charlatan.

So I thought I'd discuss what's wrong with the following infographic:

I. Passwords, managers, and two-factor

The biggest issue is don't reuse passwords across different accounts. If you do, when hackers breach one of your accounts, they breach all of them. I use a simple password for all the accounts I don't care about, then complex unique passwords for all my important accounts. I have to write them down on a piece of paper I've got hidden at home, because sometimes I forget them.

Password managers certainly help you have multiple strong passwords across many accounts. On the other hand, it puts all your eggs in one basket, and the police can grab them from the company.

Two-factor can help, but hackers have shown they can intercept SMS messages to your phone number.

One problem you have to deal with is that going through border control, they'll ask for all your social media passwords. If you are using two-factor authentication (SMS to a phone) then it won't do them much good having the passwords. Not having your phone with you while you cross the border isn't hard. You can use a separate Google Voice phone number (free) which you disconnect from your phone before traveling across the border, and reconnect when you get back home. You can also use a cheap $3/month account (like one of the M2M/IoT SIMs) on a second phone.

II. Encrypt laptop and screen lock

Border control, law enforcement, and smart criminals can bypass the "screen lock". This is practically true for MacBooks (with their Thunderbolt ports); they've got the tools to do this with ease. This is theoretically true for Windows, though without Thunderbolt or Firewire, I don't know how to easily break out the screen lock on most of them.

The upshot is that before going through border security, power off your laptop completely.

Encrypting your laptop is excellent advice, but you are still likely to fail at this. In all likelihood, you are going to choose a weak password that can be "brute-forced" (guessed) by the police. Or, you are going to set up a "password recovery" feature where the police can get your password by subpoenaing Apple or Microsoft. Describing how to do this well requires multiple pages of text.

III. Use Signal or WhatsApp

Using Signal is good. However, they still get the metadata of who you are talking to. Also, using Signal in a foreign country makes you stand out, because only people with something to hide from the police use Signal. Using WhatsApp is better, because lots of people use WhatsApp for normal day-to-day chat. These are the sorts of subtle issues you have to think through.

IV. Secure Browser

On the phone, use Brave. It's like having Chrome with HTTPS-Anywhere and uBlock Origin built in, getting rid of privacy tracking cookies and ads. Indeed, one of the engineers of HTTPS-Anywhere is one of the principal engineers of Brave.

On a laptop, either configure the browser to forget all cookies when it exits, or use "incognito" mode a lot. Features that secure cookies aren't as important as not leaving a cookie trail to begin with. I've got Twitter, Gmail, Spotify, and other privacy-identifying apps open in Chrome, but use "incognito" mode whenever I google search for something (like "weapons grade uranium"), so that the government can't tie the search back to me.


Don't take this post as advice on what you should do.

Instead, the purpose of this post is to show the limitations of a simple infographic. While it's not precisely bad advice, if you do what it says, you (the journalist in this case) will still divulge all your sources to border control when coming into the United States.


The situations you are really confronted with are things like border control demanding access to your Facebook account before they let you into the country. How long are you willing to wait? They'll certainly try to detain you long enough until you miss your connecting flight. Whatever security you have still depends upon how much pressure they can apply. If you aren't willing to miss your connecting flight, no amount of security is going to help you.

Monday, February 20, 2017

Skillz: editing a web page

So one of the skillz you ought to have in cybersec is messing with web-pages client-side using Chrome's Developer Tools. Web-servers give you a bunch of HTML and JavaScript code which, once it reaches your browser, is yours to change and play with. You can do a lot with web-sites that they don't intend by changing that code.

Let me give you an example. It's only an example -- touching briefly on steps to give you an impression what's going on. It's not a ground up explanation of everything, which you may find off-putting. Click on the images to expand them so you can see fully what's going on.

Saturday, February 18, 2017

You don't need printer security

So there's this tweet:

What it's probably referring to is this:

This is an obviously bad idea.

Well, not so "obvious", so some people have asked me to clarify the situation. After all, without "security", couldn't a printer just be added to a botnet of IoT devices?

The answer is this:
Fixing insecurity is almost always better than adding a layer of security.
Adding security is notoriously problematic, for three reasons:

  1. Hackers are active attackers. When presented with a barrier in front of an insecurity, they'll often find ways around that barrier. It's a common problem with "web application firewalls", for example.
  2. The security software itself can become a source of vulnerabilities hackers can attack, which has happened frequently in anti-virus and intrusion prevention systems.
  3. Security features are usually snake-oil, sounding great on paper, with no details, and no independent evaluation, provided to the public.

It's the last one that's most important. HP markets features, but there's no guarantee they work. In particular, similar features in other products have proven not to work in the past.

HP describes its three special features in a brief whitepaper [*]. They aren't bad, but at the same time, they aren't particularly good. Windows already offers all these features. Indeed, as far as I know, they are just using Windows as their firmware operating system, and are just slapping an "HP" marketing name onto existing Windows functionality.

HP Sure Start: This refers to the standard feature in almost all devices these days of having a secure boot process. Windows supports this in UEFI boot. Apple's iPhones work this way, which is why the FBI needed Apple's help to break into a captured terrorist's phone. It's a feature built into most IoT hardware, though most don't enable it in software.

Whitelisting: Their description sounds like "signed firmware updates", but if that was the case, they'd call it that. Traditionally, "whitelisting" referred to a different feature, containing a list of hashes for programs that can run on the device. Either way, it's a pretty common functionality.

Run-time intrusion detection: They have numerous, conflicting descriptions on their website. It may mean scanning memory for signatures of known viruses. It may mean stack cookies. It may mean double-checking kernel modules. Windows does all these things, and it has a tiny benefit on stopping security threats.

As for traditional threats for attacks against printers, none of these really are important. What you need to secure a printer is the ability to disable services you aren't using (close ports), enable passwords and other access control, and delete files of old print jobs so hackers can't grab them from the printer. HP has features to address these security problems, but then, so do its competitors.

Lastly, printers should be behind firewalls, not only protected from the Internet, but also segmented from the corporate network, so that only those designed ports, or flows between the printer and print servers, are enabled.
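
To make that segmentation rule concrete, here is an added example (not from the original post) that audits connection records against it. The addresses, the record format, and the rule that printers never initiate connections are assumptions; the ports are the standard printing services (IPP 631, raw/JetDirect 9100, LPD 515).

```python
import ipaddress

# Assumed, constructed addressing: printers on their own VLAN, one print server.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
PRINT_SERVERS = {ipaddress.ip_address("10.10.0.5")}
# Standard printing services: IPP, raw/JetDirect, LPD.
ALLOWED_PORTS = {("tcp", 631), ("tcp", 9100), ("tcp", 515)}

# Constructed connection-initiation records: "src dst proto dport".
# Replies are assumed to be handled by a stateful firewall.
SAMPLE_FLOWS = """\
10.10.0.5 10.20.30.11 tcp 9100
10.10.0.5 10.20.30.11 tcp 631
10.10.4.77 10.20.30.11 tcp 9100
10.10.0.5 10.20.30.12 tcp 23
10.20.30.11 203.0.113.9 tcp 443
10.10.4.77 10.10.0.5 tcp 631
"""

def check_flow(src, dst, proto, dport):
    """Return None if the policy permits the flow, else the reason it does not."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_printer = src in PRINTER_NET
    to_printer = dst in PRINTER_NET
    if not (from_printer or to_printer):
        return None  # never touches the printer VLAN, out of scope
    if from_printer:
        return "printer initiated a connection"
    if src not in PRINT_SERVERS:
        return "source is not a print server"
    if (proto, dport) not in ALLOWED_PORTS:
        return "port is not a printing service"
    return None

def audit(text):
    """Return (record, reason) for every record that violates the policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        reason = check_flow(src, dst, proto.lower(), int(dport))
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION  {record:<32} {reason}")
```

Workstations reach the print server, not the printer, so the direct workstation-to-printer job is flagged even though it uses a legitimate printing port.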


The features HP describes are snake oil. If they worked well, they'd still only address a small part of the spectrum of attacks against printers. And, since there's no technical details or independent evaluation of the features, they are almost certainly lies.

If HP really cared about security, they'd make their software more secure. They'd use fuzzing tools like AFL to secure it. They'd enable ASLR and stack cookies. They'd compile C code with run-time buffer overflow checks. They'd have a bug bounty program. It's not something they can easily market, but at least it'd be real.

If you cared about printer security, then do the steps I outline above, especially firewalling printers from the traditional network. Seriously, putting a $100 firewall between a VLAN for your printers and the rest of the network is a cheap and easy way to do a vast amount of security. If you can't secure printers this way, buying snake oil features like HP describes won't help you.

Wednesday, February 01, 2017

1984 is the new Bible in the age of Trump

In the age of Trump, Orwell's book 1984 is becoming the new Bible: a religious text which few read, but which many claim supports their beliefs. A good demonstration is this CNN op-ed, in which the author describes Trump as being Orwellian, but mostly just because Trump is a Republican.

Monday, January 30, 2017

Uber was right to disable surge pricing at JFK

Yesterday, the NYC taxi union had a one-hour strike protesting Trump's "Muslim Ban", refusing to pick up passengers at the JFK airport. Uber responded by disabling surge pricing at the airport. This has widely been interpreted as a bad thing, so the hashtag "#DeleteUber" has been trending, encouraging people to delete their Uber accounts/app.

These people are wrong, obviously so.

Thursday, January 26, 2017

Is 'aqenbpuu' a bad password?

Press secretary Sean Spicer has twice tweeted a random string, leading people to suspect he's accidentally tweeted his Twitter password. One of these was 'aqenbpuu', which some have described as a "shitty password". Is it actually bad?

No. It's adequate. Not the best, perhaps, but not "shitty".