Wednesday, April 26, 2017

"Fast and Furious 8: Fate of the Furious"

So "Fast and Furious 8" opened this weekend to world-wide box office totals of $500,000,000. I thought I'd write up some notes on the "hacking" in it. The tl;dr version is this: yes, while the hacking is a bit far fetched, it's actually more realistic than the car chase scenes, such as winning a race with the engine on fire while in reverse.

[SPOILERS]

Monday, April 17, 2017

Mirai, Bitcoin, and numeracy

Newsweek (the magazine famous for outing the real Satoshi Nakamoto) has a story about how a variant of the Mirai botnet is mining bitcoin. They fail to run the numbers.

The story repeats a claim by Mcafee that 2.5 million devices were infected with Mirai at some point in 2016. If they were all mining bitcoin, how much money would the hackers be earning?

Sunday, March 19, 2017

Pranksters gonna prank

So Alfa Bank (the bank whose DNS traffic link it to trump-email.com) is back in the news with this press release about how in the last month, hackers have spoofed traffic trying to make it look like there's a tie with Trump. In other words, Alfa claims these packets are trying to frame them for a tie with Trump now, and thus (by extension) it must've been a frame last October.

There is no conspiracy here: it's just merry pranksters doing pranks (as this CNN article quotes me).

Indeed, among the people pranking has been me (not the pranks mentioned by Alfa, but different pranks). I ran a scan sending packets from IP address to almost everyone one the Internet, and set the reverse lookup to "mail1.trumpemail.com".

Wednesday, March 15, 2017

Assert() in the hands of bad coders

Using assert() creates better code, as programmers double-check assumptions. But only if used correctly. Unfortunately, bad programmers tend to use them badly, making code worse than if no asserts were used at all. They are a nuanced concept that most programmers don't really understand.

We saw this recently with the crash of "Bitcoin Unlimited", a version of Bitcoin that allows more transactions. They used an assert() to check the validity of input, and when they received bad input, most of the nodes in the network crashed.

The Bitcoin Classic/Unlimited code is full of bad uses of assert. The following examples are all from the file main.cpp.

Saturday, March 11, 2017

Some confusing language in the 0day debate

As revealed in last week's CIA #Vault7 leaks, the CIA has some 0days. This has ignited the debate about whether organizations like the CIA should be disclosing these 0days so that vendors can fix them, rather than "stockpiling" them. There seems to be some confusion about language.

Thursday, March 09, 2017

FBI: what to look for in the Trump/AlfaBank connection

As CNN reports, the FBI seems to be looking into that connection between Trump and Alfa Bank. Here are some things to look for.

First, get your own copy of the logs from root name servers. I don't trust the source of the original logs. I suspect they've been edited in order to show a relationship with Alfa Bank. You've got lots of sources both inside government and in private industry that can provide a copy of these logs without a warrant. (Which sucks, you should need a warrant, but that's the current state of affairs).

Second, look at the server in question. It's probably located at 140 Akron Road, Ephrata, PA. What you are looking for are the logs of anything sent from the server during that time, specifically any e-mails.

Third, talk to Cendyn, and ask them what that server was used for during that time. Their current statement is that it was used by the Metron meeting software. In other words, they say that after they stopped using it to send marketing emails, they started using it for their meeting product. They seem a little confused, so it'd be nice to pin them down. Specifically, get logfiles indicating precisely what happened, and figure out how Metron works, what sorts of messages it will generate.

Fourth, talk to Cendyn, and ask them about customers of their Metron meeting software, namely who used it to arrange meetings with Alfa Bank or the Trump organization. My guess is that this is where you'll really get the juicy information, getting a list of what meetings happened when and who was invited.

Fifth, talk to Cendyn and get logfiles form their DNS servers to figure out who was resolving that domain name (mail1.trump-email.com) during that time period.

Sixth, ask Alfa Bank for logfiles from their DNS resolvers that would tell you which machines internally were generating those requests.

My guess is that all of this will come up empty. There's a coincidence here, but a small one. Much of the technical details have been overhyped and mean little.

Some notes on the RAND 0day report

The RAND Corporation has a research report on the 0day market [ * ]. It's pretty good. They talked to all the right people. It should be considered the seminal work on the issue. They've got the pricing about right ($1 million for full chain iPhone exploit, but closer to $100k for others). They've got the stats about right (5% chance somebody else will discover an exploit).

Yet, they've got some problems, namely phrasing the debate as activists want, rather than a neutral view of the debate.

Wednesday, March 08, 2017

A note about "false flag" operations

There's nothing in the CIA #Vault7 leaks that calls into question strong attribution, like Russia being responsible for the DNC hacks. On the other hand, it does call into question weak attribution, like North Korea being responsible for the Sony hacks.

There are really two types of attribution. Strong attribution is a preponderance of evidence that would convince an unbiased, skeptical expert. Weak attribution is flimsy evidence that confirms what people are predisposed to believe.