Tuesday, October 28, 2014

No evidence feds hacked Attkisson

Former CBS journalist Sharyl Attkisson is coming out with a book claiming the government hacked her computer in order to suppress reporting on Benghazi. None of her "evidence" is credible. Instead, it's bizarre technobabble. Maybe her book is better, but those with advance copies quoting excerpts  make it sound like the worst "ninjas are after me" conspiracy theory.

Your electronics are not possessed by demons

Technology doesn't work by magic. Each symptom has a specific cause.

Attkisson says "My television is misbehaving. It spontaneously jitters, mutes, and freeze-frames". This is not a symptom of hackers. Instead, it's a common consumer complaint caused by the fact that cables leading to homes (and inside the home) are often bad. My TV behaves like this on certain channels.

She says "I call home from my mobile phone and it rings on my end, but not at the house", implying that her phone call is being redirected elsewhere. This is a common problem with VoIP technologies. Old analog phones echoed back the ring signal, so the other side had to actually ring for you to hear it. New VoIP technologies can't do that. The ringing is therefore simulated and has nothing to do with whether it's ringing on the other end. This is a common consumer complaint with VoIP systems, and is not a symptom of hacking.

She says that her alarm triggers at odd hours in the night. Alarms work over phone lines and will trigger when power is lost on the lines (such as when an intruder cuts them). She implies that the alarm system goes over the VoIP system on the FiOS box. The FiOS box losing power or rebooting in the middle of the night can cause this. This is a symptom of hardware troubles on the FiOS box, or Verizon maintenance updating the box, not hackers.

She says that her computer made odd "Reeeeee" noises at 3:14am. That's common. For one thing, when computers crash, they'll make this sound. I woke two nights ago to my computer doing this, because the WiMax driver crashed, causing the CPU to peg at 100%, causing the computer to overheat and for the fan to whir at max speed. Other causes could be the nightly Timemachine backup system. This is a common symptom of bugs in the system, but not a symptom of hackers.

It's not that hackers can't cause these problems, it's that they usually don't. Even if hackers have thoroughly infested your electronics, these symptoms are still more likely to be caused by normal failure than by the hackers themselves. Moreover, even if a hacker caused any one of these symptoms, it's insane to think they caused them all.

Hacking is not sophisticated

There's really no such thing as a "sophisticated hack". That's a fictional trope, used by people who don't understand hacking. It's like how people who don't know crypto use phrases like "military grade encryption" -- no such thing exists, the military's encryption is usually worse than what you have on your laptop or iPhone.

Hacking is rarely sophisticated because the simplest techniques work. Once I get a virus onto your machine, even the least sophisticated one, I have full control. I can view/delete all your files, view the contents of your screen, control your mouse/keyboard, turn on your camera/microphone, and so on. Also, it's trivially easy to evade anti-virus protection. There's no need for me to do anything particularly sophisticated.

We are experts are jaded and unimpressed. Sure, we have experience with what's normal hacking, and might describe something as abnormal. But here's the thing: ever hack I've seen has had something abnormal about it. Something strange that I've never seen before doesn't make a hack "sophisticated".

Attkisson quotes an "expert" using the pseudonym "Jerry Patel" saying that the hack is "far beyond the abilities of even the best nongovernment hackers". Government hackers are no better than nongovernment ones -- they are usually a lot worse. Hackers can earn a lot more working outside government. Government hackers spend most of their time on paperwork, whereas nongovernment hackers spend most of their time hacking. Government hacker skills atrophy, while nongovernment hackers get better and better.

That's not to say government hackers are crap. Some are willing to forgo the larger paycheck for a more stable job. Some are willing to put up with the nonsense in government in order to be able to tackle interesting (and secret) problems. There are indeed very good hackers in government. It's just that it's foolish to assume that they are inherently better than nongovernmental ones. Anybody who says so, like "Jerry Patel", is not an expert.

Contradictory evidence

Attkisson quotes one expert as saying intrusions of this caliber are "far beyond the the abilities of even the best nongovernment hackers", while at the same time quoting another expert saying the "ISP address" is a smoking gun pointing to a government computer.

Both can't be true. Hiding ones IP address is the first step in any hack. You can't simultaneously believe that these are the most expert hackers ever for deleting log files, but that they make the rookie mistake of using their own IP address rather than anonymizing it through Tor or a VPN. It's almost always the other way around: everyone (except those like the Chinese who don't care) hides their IP address first, and some forget to delete the log files.

Attkisson quotes experts saying non-expert things. Patel's claims about logfiles and government hackers are false. Don Allison's claims about IP addresses being a smoking gun is false. It may be that the people she's quoting aren't experts, or that her ignorance causes her to misquote them.


Attkisson quotes an expert as identifying an "ISP address" of a government computer. That's not a term that has any meaning. He probably meant "IP address" and she's misquoting him.

Attkisson says "Suddenly data in my computer file begins wiping at hyperspeed before my very eyes. Deleted line by line in a split second". This doesn't even make sense. She claims to have videotaped it, but if this is actually a thing, it sounds like more something kids do to scare people, not what real "sophisticated" hackers do.

So far, none of the quotes I've read from the book use any technical terminology that I, as an expert, feel comfortable with.

Lack of technical details

We don't need her quoting (often unnamed) experts to support her conclusion. Instead, she could just report the technical details.

For example, instead of quoting what an expert says about the government IP address, she could simply report the IP address. If it's "75.748.86.91", then we can judge for ourselves whether it's the address of a government computer. That's important because nobody I know believes that this would be a smoking gun -- maybe if we knew more technical details she could change our minds.

Maybe that's in her book, along with pictures of the offending cable attached to the FiOS ONT, or the pictures of her screen deleting at "hyperspeed". So far, though, none of those with advanced copies have released these details.

Lastly, she's muzzled the one computer security "expert" that she named in the story so he can't reveal any technical details, or even defend himself against charges that he's a quack.


Attkisson's book isn't out yet. The source material for this post if from those with advance copies quoting her [1]][2]. But, everything quoted so far is garbled technobabble from fiction rather that hard technical facts.

Disclosure: Some might believe this post is from political bias instead of technical expertise. The opposite is true. I'm a right-winger. I believe her accusations that CBS put a left-wing slant on the news. I believe the current administration is suppressing information about the Benghazi incident. I believe journalists with details about Benghazi have been both hacked and suppressed. It's just that in her case, her technical details sounds like a paranoid conspiracy theory.

The deal with the FTDI driver scandal

The FTDI driver scandal is in the news, so I thought I'd write up some background, and show what a big deal this is.

Devices are connected to your computer using a serial port. Such devices include keyboards, mice, flash drives, printers, your iPhone, and so on. The original serial port standard called RS232 was created in 1962. It got faster over the years (75-bps to 115-kbps), but ultimately, the technology became obsolete.

In 1998, the RS232 standards was replaced by the new USB standard. Not only is USB faster (a million times so), it's more complex and smarter. The initials stand for "Universal Serial Bus", and it truly is universal. Not only does your laptop have USB ports on the outside for connecting to things like flash drives, it interconnects much of the things on the inside of your computer, such as your keyboard, Bluetooth, SD card reader, and camera.

What FTDI sells is a chip that converts between the old RS232 and the new USB. It allows old devices to be connected to modern computers. Even new devices come with RS232 instead of USB simply because it's simple and reliable.

The FTDI chip is a simple devices that goes for about $2. While there are competitors (such as Silicon Labs), FTDI is by far the most popular vendor of RS232-to-USB converters. This $2 may sound cheap, but relatively expensive for small devices which cost less than $50. That $2 is often greater than the profit margin on the entire device. Therefore, device manufacturers have a strong incentive to find cheaper alternatives.

That's where clones come in. While the FTDI sells them for $2, the raw chips cost only pennies to manufacture. Clone chips are similarly cheap to manufacture, and can be sold for a fraction of FTDI's price. On Alibaba, people are advertising "real" FTDI chips for between $0.10 and $1 apiece, with the FTDI logo on the outside and everything. They are, of course, conterfeits.

FTDI is understandably upset about this. They have to sell millions of chips to make back development and support costs, which they can't do with clones undercutting them.

FTDI's strategy was to release a driver update that intentionally disabled the clone chips. Hardware devices in a computer need software drivers to operate. Clone chips use the same drivers from FTDI. Therefore, FTDI put code in their software that attacked the clones, disabling them. The latest FTDI driver through Windows Update contains this exploit. If your computer automatically updates itself, it may have downloaded this new driver.

Every USB devices comes with a vendor identifier (VID) and a product identifier (PID). It's these two numbers that tells operating systems like Windows or Linux which driver to load. What FTDI did was reprogram these numbers to zero. This, in effect, ruined the devices. From that point on, they can no longer be recognized, either by FTDI's driver or any other. In theory, somebody could write software that reprogrammed them back to the original settings, but for the moment, they are bricked (meaning, the hardware is no more useful than a brick).

This can have a devastating effect. One place that uses RS232 heavily is industrial control systems, the sort of thing that controls the power grid. This means installing the latest Windows update on one of these computers could mean blacking out an entire city.

FTDI's actions are unprecedented. Never before has a company released a driver that deliberately damages hardware. Bad driver updates are common. Counterfeits aren't perfect clones, therefore a new driver may fail to work properly, either intentionally or unintentionally. In such cases, users can simply go back to the older, working driver. But when FTDI changes the hardware, the old drivers won't work either.. Because the VID/PIDs have been reprogrammed, the operating system can no longer figure out which drives to load for the device..

Many people have gotten upset over this, but it's a complex debate.

One might think that the evil buyers of counterfeits are getting what they deserve. After all, satellite TV providers have been known to brick counterfeit access cards. But there is a difference. Buyers of satellite cards know they are breaking the rules, whereas buyers of devices containing counterfeit chips don't. Most don't know what chips are inside a device. Indeed, many times even the manufacturers don't know the chips are counterfeit.

On the other hand, ignorance of the law is no excuse. Customers buying devices with clone chips harm FTDI whether they know it or not. They have the responsibility to buy from reputable vendors. It's not FTDI's fault that the eventual end customer chose poorly.

It rankles that FTDI would charge $2 for a chip that costs maybe $0.02 to manufacturer, but it costs money to develop such chips. It likewise costs money to maintain software drivers for over 20 operating systems, ranging from Windows to Linux to VxWorks. It can easily cost $2 million for all this work, while selling only one million chips. If companies like FTDI cannot get a return on their investment in RND, then there will be a lot less RND -- and that will hurt all of us.

One way to protect RND investment is draconian intellectual-property laws. Right now, such laws are are a cure that's worse than the disease. The alternative to bad laws is to encourage companies like FTDI to protect themselves. What FTDI did is bad, but at least nobody held a gun to anybody's head.

Counterfeits have another problem: they are dangerous. From nuclear control systems to airplane navigation systems to medical equipment, electronics are used in places where failure costs human lives. These systems are validated using the real chips. Replacing them with counterfeits can lead to human lives lost. However, counterfeit chips have been widespread for decades with no documented loss of life, so this danger is so far purely theoretical.

Separate from the counterfeit issue is the software update issue. In the last decade we've learned that software is dynamic. It must be updated on a regular basis. You can't deploy a device and expect it to run unmodified for years. That's because hackers regularly find flaws in software, even simple drivers, so they must be patched to prevent hacker intrusions. Many industries, such as medical devices and industrial control systems, are struggling with this concept, putting lives at risk due to hackers because they are unwilling to put lives at (lesser) risk when changing software. They need more trust in the software update process. However, this action by FTDI has threatened that trust.


As a typical Libertarian, I simultaneously appreciate the value of protecting RND investments while hating the current draconian government regime of intellectual property protection. Therefore, I support FTDI's actions. On the other hand, this isn't full support -- there are problems with their actions.

Update: As Jose Nazario points out, when Microsoft used Windows Update to disable pirated copies of WinXP, pirates stopped updating to fix security flaws. This resulted in hackers breaking into desktops all over the Internet, endangering the rest of us. Trust in updates is a big thing.

Saturday, October 25, 2014

Review: The Peripheral, by William Gibson

After four years, William Gibson is finally coming out with a new book, “The Peripheral”. Time to preorder now. http://www.amazon.com/gp/product/B00INIXKV2

There’s not much to review. If you like Gibson’s work, you’ll like this book. (Also, if you don't like Gibon's work, then you are wrong).

What I like about Gibson’s work is his investment in the supporting characters, which are often more interesting than the main characters. Each has a complex backstory, but more importantly, each has a story that unfolds during the book. It’s as if Gibson takes each minor character and writes a short story for them, where they grow and evolve, then combines them all into the main story. It’s a little confusing at the start, because it’s sometimes hard to identify which are the main characters, but it pays off in the end. (I experienced that in this book, among the numerous characters he introduced at the start, it was the least interesting ones that turned out to be the main characters -- it's not that they were boring, it's that they took longer to develop).

One departure from his normal work is that this book is maybe a little more autobiographical. Gibson grew up on the countryside in the south, which is part of the setting in this book. He describes it in such detail that the reader feels at home there every much as in the urban dystopic fantasy.

Another departure from his normal work is that it’s as much about a dystopic present as it is about a dystopic future. Frankly, the modern world has caught up with Gibson – we are the future he was writing about 30 years ago. He can’t very well dream of a “cyberspace” when it’s all around us right now.

He deals with the dystopic present with nuance. For example, there is an analogue to the Westboro Baptist Church. These guys are a bunch of bastards that are easy to hate, so the average fiction writer would come up with a horrible disfiguring plague to wipe them out, to give us readers satisfaction. Gibson doesn’t.

The book has a scifi trick that you don’t figure out until about a quarter of the way through the book. Most reviews of the book give this up as a spoiler. I won’t here, because I really enjoyed trying to figure it out for myself as I read the book. I therefore recommend that you don’t read other reviews.

Friday, October 17, 2014

FBI's crypto doublethink

Recently, FBI Director James Comey gave a speech at the Brookings Institute decrying crypto. It was transparently Orwellian, arguing for a police-state. In this post, I'll demonstrate why, quoting bits of the speech.

"the FBI has a sworn duty to keep every American safe from crime and terrorism"
"The people of the FBI are sworn to protect both security and liberty"

This is not true. The FBI's oath is to "defend the Constitution". Nowhere in the oath does it say "protect security" or "keep people safe".

This detail is important. Tyrants suppress civil liberties in the name of national security and public safety. This oath taken by FBI agents, military personnel, and the even the president, is designed to prevent such tyrannies.

Comey repeatedly claims that FBI agents both understand their duty and are committed to it. That Comey himself misunderstands his oath disproves both assertions. This reinforces our belief that FBI agents do not see their duty as protecting our rights, but instead see rights as an impediment in pursuit of some other duty.

Freedom is Danger

The book 1984 describes the concept of "doublethink", with political slogans as examples: "War is Peace", "Ignorance is Strength", and "Freedom is Slavery". Comey goes full doublethink:
Some have suggested there is a conflict between liberty and security. I disagree. At our best, we in law enforcement, national security, and public safety are looking for security that enhances liberty. When a city posts police officers at a dangerous playground, security has promoted liberty—the freedom to let a child play without fear.
He's wrong. Liberty and security are at odds. That's what the 4th Amendment says. We wouldn't be having this debate if they weren't at odds.

He follows up with more doublethink, claiming "we aren’t seeking a back-door", but instead are instead interested in "developing intercept solutions during the design phase". Intercept solutions built into phones is the very definition of a backdoor, of course.

"terror terror terror terror terror"
"child child child child child child"

Comey mentions terrorism 5 times and child exploitation 6 times. This is transparently the tactic of the totalitarian, demagoguery based on emotion rather than reason.

Fear of terrorism on 9/11 led to the Patriot act, granting law enforcement broad new powers in the name of terrorism. Such powers have been used overwhelming for everything else. The most telling example is the detainment of David Miranda in the UK under a law that supposedly only applied to terrorists. Miranda was carrying an encrypted copy of Snowden files -- clearly having nothing to do with terrorism. It was clearly exploitation of anti-terrorism laws for the purposes of political suppression.

Any meaningful debate doesn't start with the headline grabbing crimes, but the ordinary ones, like art theft and money laundering. Comey has to justify his draconian privacy invasion using those laws, not terrorism.

"rule of law, rule of law, rule of law, rule of law, rule of law"

Comey mentions rule-of-law five times in his speech. His intent is to demonstrate that even the FBI is subject to the law, namely review by an independent judiciary. But that isn't true.

The independent judiciary has been significantly weakened in recent years. We have secret courts, NSLs, and judges authorizing extraordinary powers because they don't understand technology. Companies like Apple and Google challenge half the court orders they receive, because judges just don't understand. There is frequent "parallel construction", where evidence from spy agencies is used against suspects, sidestepping judicial review.

What Comey really means is revealed by this statement: "I hope you know that I’m a huge believer in the rule of law. ... There should be no law-free zone in this country". This a novel definition of "rule of law", a "rule by law enforcement", that has never been used before. It reveals what Comey really wants, a totalitarian police-state where nothing is beyond the police's powers, where the only check on power is a weak and pliant judiciary.

"that a commitment to the rule of law and civil liberties is at the core of the FBI"

No, lip service to these things is at the core of the FBI.

I know this from personal experience when FBI agents showed up at my offices and threatened me, trying to get me to cancel a talk at a cybersecurity conference. They repeated over and over how they couldn't force me to cancel my talk because I had a First Amendment right to speak -- while simultaneously telling me that if I didn't cancel my talk, they would taint my file so that I would fail background checks and thus never be able to work for the government ever again.

We saw that again when the FBI intercepted clearly labeled "attorney-client privileged" mail between Weev and his lawyer. Their excuse was that the threat of cyberterrorism trumped Weev's rights.

Then there was that scandal that saw widespread cheating on a civil-rights test. FBI agents were required to certify, unambiguously, that nobody helped them on the test. They lied. It's one more oath FBI agents seem not to care about.

If commitment to civil liberties was important to him, Comey would get his oath right. If commitment to rule-of-law was important, he'd get the definition right. Every argument Comey make demonstrates how little he is interested in civil liberties.

"Snowden Snowden Snowden"

Comey mentions Snowden three times, such as saying "In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications".

This is not true. No news article based on the Snowden document claims this. No news site claims this. None of the post-Snowden activists believe this. All the people who matter know the difference between metadata and full eavesdropping, and likewise, the difficulty the FBI has in getting at that data.

This is how we know the FBI is corrupt. They ignore our concerns that government has been collecting every phone record in the United States for 7 years without public debate, but instead pretend the issue is something stupid, like the false belief they've been recording all phone calls. They knock down strawman arguments instead of addressing our real concerns.

Regulate communication service providers

In his book 1984, everyone had a big screen television mounted on the wall that was two-way. Citizens couldn't turn the TV off, because it had to be blaring government propaganda all the time. The camera was active at all time in case law enforcement needed to access it. At the time the book was written in 1934, televisions were new, and people thought two-way TVs were plausible. They weren't at that time; it was a nonsense idea.

But then the Internet happened and now two-way TVs are a real thing. And it's not just the TV that's become two-way video, but also our phones. If you believe the FBI follows the "rule of law" and that the courts provide sufficient oversight, then there's no reason to stop them going full Orwell, allowing the police to turn on your device's camera/microphone any time they have a court order in order to eavesdrop on you. After all, as Comey says, there should be no law-free zone in this country, no place law enforcement can't touch.

Comey pretends that all he seeks at the moment is a "regulatory or legislative fix to create a level playing field, so that all communication service providers are held to the same standard" -- meaning a CALEA-style backdoor allowing eavesdropping. But here's thing: communication is no longer a service but an app. Communication is "end-to-end", between apps, often by different vendors, bypassing any "service provider". There is no way to way to eavesdrop on those apps without being able to secretly turn on a device's microphone remotely and listen in.

That's why we crypto-activists draw the line here, at this point. Law enforcement backdoors in crypto inevitably means an Orwellian future.


There is a lot more wrong with James Comey's speech. What I've focused on here were the Orwellian elements. The right to individual crypto, with no government backdoors, is the most important new human right that technology has created. Without it, the future is an Orwellian dystopia. And as proof of that, I give you James Comey's speech, whose arguments are the very caricatures that Orwell lampooned in his books.

Tuesday, October 14, 2014

Some POODLE notes

Heartbleed and Shellshock allowed hacks against servers (meaning websites and such). POODLE allows hacking clients (your webbrowser and such). If Hearbleed/Shellshock merited a 10, then this attack is only around a 5.

It requires MitM (man-in-the-middle) to exploit. In other words, the hacker needs to be able to to tap into the wires between you and the website you are browsing, which is difficult to do. This means you are probably safe from hackers at home, because hackers can't tap backbone links. But, since the NSA can tap into such links, it's probably easy for them. However, when using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitting the table next to you.

It requires, in almost all cases, JavaScript running in the browser. That's because the attacker needs to MitM thousands of nearly identical connections that can fail. There are possibly rare cases where such connections may happen (like automated control systems), but JavaScript is nearly a requirement. That means your Twitter app in your iPhone is likely safe, as the attacker can't run JavaScript in the app. Although, a lot of apps use web GUIs underneath, if only to serve ads, so not all "apps" are safe.

It doesn't hack computers, but crack encryption. It reveals previously encrypted data.

What the hacker will likely try to do is hack your session cookies. That means they won't get your password for your account, but they will be able to log in as you into your account. Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages. These are two examples -- they really have near complete control over your accounts. They won't be able to steal your password, however.

In theory, the attacker can do much more, but that attacking cookies it the overwhelming most likely vector.

It's the standard protocol that is vulnerable, not anybody's code.  Essentially, they got the math wrong.

Only older versions of SSL are impacted -- but everybody is backwards compatible with older versions. Thus, part of the attack is to "downgrade" both sides, forcing both the client and server to use the older version.

This attack is against SSLv3, which is 15 years old and known to be obsolete. After this version of SSL, engineers renamed it to TLS and reset the version number to 1.0, because they are jerks and want to confuse people. (Actually, the story is that Netscape created SSL, and Microsoft insisted on a name change because they hated Netscape). Thus, the next version after SSLv3 is TLSv1.0.

The solution is to disable SSLv3 (and all prior versions), and leave only TLS version 1.0 (and later versions) enabled. If either the server (the website) or the client (the browser) doesn't support SSLv3, then the hack won't work.

Disabling SSLv3 in servers is difficult, because a lot of users still use IE6, Microsoft's browser from a decade ago. When servers remove SSLv3, then users with IE6 will no longer be able to access the server. However, CloudFlare, which hosts a lot of websites, has disabled SSLv3 across their systems. Apparently they are comfortable with breaking IE6 -- which is good guidance for other people considering the same.

Disabling SSLv3 in browsers is easy. On Chrome, use the command-line flag  --ssl-version-min=tls1, and on Firefox set security.tls.version.min to 1. Generally, there virtually no servers out there who don't support TLSv1, so this shouldn't break anything.

The simplest explanation is, as usual for such things, on Adam Langeley's blog here.

Standards are a farce

Today (October 14) is "World Standards Day", celebrating the founding of the ISO, also known as the "International Standards Organization". It's a good time to point out that people are wrong about standards.

You are reading this blog post via "Internet standards". It's important to note that through it's early existence, the Internet was officially not a standard. Through the 1980s, the ISO was busy standardizing a competing set of internetworking standards.

What made the Internet different is that it's standards were de facto not de jure. In other words, the Internet standards body, the IETF, documented things that worked, not how they should work. Whenever somebody came up with a new protocol to replace an old one, and if people started using it, then the IETF would declare this as "something people are using". Protocols were documented so that others could interoperate with them if they wanted, but there was no claim that they should. Internet evolution in these times was driven by rogue individualism -- people rushed to invent new things with waiting for the standards body to catch up.

The ISO's approach was different. Instead of individualism, it was based on "design by committee", where committees were dominated by Big Government and Big Corporations. They standardized how protocols should work first, then implemented them second -- the opposite order from the Internet. They created something so complex that it could never be correctly implemented.

The group's name, by the way, was called "OSI" or "Open Systems Interconnect". The only reason most people have heard of this name is because of the OSI model. It's important to note that everything they know about the OSI model is wrong. What they think they know about the "Network" and "Transport" layers is what they know about IP and TCP respectively, and not what OSI designers originally intended. What they know about the Session, Transport, and Application layers is even worse: it's completely wrong, often specifying the opposite way things work in the Internet TCP/IP world. The standard "OSI Model" survives because it's a "standard" even though it's irrelevant in every way that something can be irrelevant.

However, while the model survives, almost the entire suite of OSI protocols have failed. We don't have a "connection oriented network protocol", for example. These standard protocols do exist, but in isolated places on the Internet. For example, the power grid runs a lot of stuff on port 102, the OSI standard "Transport" on top of TCP/IP. Since those things are based on ASN.1, they are full of buffer-overflows and easily hackable.

Standards are ultimately the modern form of fascism, where authoritarian people insist on subjugating everyone to a single set of rules. So, on October 14, I'm going to celebrate the demise of OSI, and the historic success of the Internet in the face of coordinated action by standards bodies to suppress it.

Sunday, October 12, 2014

Don't sign that CFAA petition

This White House petition reforming the CFAA/DMCA is foolish. Don't sign it. We all support the goal of decriminalizing research, but this isn't the way of doing it.

The problem is that "reform" means nothing. It doesn't state exactly which reforms the petitioners want. That means politicians will deliver on what they asked, reforming the DMCA/CFAA, but in the opposite direction. The mood in Washington D.C. is one of great fear of Chinese hackers and cyberterorrists. Once you start reform, these forces will take over and drive it the other way.

In other words, the petition is like somebody on a submarine saying "the air is stuffy, let's open a window and let some fresh air in". It's best to keep that window closed rather than getting drowned.

A second problem is the declaration that "safe code" is the problem. That will encourage law-makers to solve that problem with legislation requiring manufacturers to follow rules -- without needing weaken the DCMA/CFAA. This is bad. So far rule-based security like Common Criteria and PCI certification have proven to be an enormous burden that does little to address the problem.

Lastly, there is the problem that this is a "White House" petition. The president doesn't make laws, s/he enforces them. It's appropriate to petition the White House to publish narrower rules on how DMCA and CFAA will be prosecuted, but inappropriate to ask for a law. Instead, if you want changes to laws, the best place to start is to talk to your congressional representatives. Call them up and schedule a time to talk to them. You'll likely talk to a staffer in a local office, but this will still influence them. Signing a petition takes no effort, and politicians therefore give it no credence. Showing up at their offices, or spending time talking on a phone, takes effort, showing that you really care.

Personally, as a white-hat researcher who scans the Internet, I'm most at threat from the CFAA. Yet, I'm not going to sign that petition. I have talked to my congressional representatives. I have also signed this letter, which much more narrowly defines our goals.

Wednesday, October 08, 2014

Response to Kathy Sierra

People are asking me about this post from Kathy Sierra. It’s inaccurate, twisted, and personally insulting. That Kathy was doxxed and harassed 7 years is indeed an awful thing, but that doesn’t justify her own bad behavior toward others.

I always defend targets of lynch mobs, such as accused Boston Bomber Dzhokhar Tsarnaev. To the right is a picture of what appears to be Tsarnaev placing the bomb right behind 9 year old boy Martin Richards who died in the blast. I feel sick to my stomach looking at it. But here’s the thing: Tsarnaev is an American citizen, and I will vigorously defend his rights to due process. When they violated his civil rights, interrogating him for days while he hung near death in his hospital bed, begging for a lawyer, I vocally condemned this. All fruits of that interrogation need to be thrown out, even if it means Tsarnaev goes free. And I have no problem saying this to the face of Martin Richard’s parents.

Weev may be a bad human being, but he’s not as vile as mass bomber. I likewise defend him from lynch mobs. His arbitrary conviction and imprisonment under the CFAA was a gross violation of his constitutional rights. Had his conviction stood, the precedent would have threatened all our rights.

What’s twisted about Kathy Sierra’s rhetoric is that she equates defending Weev against the lynch mob as defending Weev’s harassing behavior. That’s like claiming I defend Tsarnaev because I like bombing children. It’s an insulting accusation.

Kathy barged into a conversation last Saturday that started with the claim Weev belonged in jail for doxxing her. However, there is no evidence supporting such a conviction – that’s just more lynch mob mentality. There is a NYTimes article from 2008 quoting Weev as claiming he did it, yet Weev has long claimed he was misquoted. The situation is like Dorian Nakamoto, who denies he admitted to Newsweek that he created bitcoin.

As I pointed out on Twitter, we can’t believe Weev either way. He is notoriously unreliable. We can’t trust his denials today, but at the same time, we can’t trust his statements from 2008. As I pointed out on Twitter, Weev has claimed credit for trolls that he was at best only peripherally involved in. Yet, Kathy Sierra insultingly claims this means I somehow believe Weev.

When Sierra bombarded me with Tweets containing insulting and twisted arguments, I was wholly polite in my responses (as you can read for yourself, as they are public). Her reaction, and that of her supporters, is wholly unjustified. Nobody deserves being threatened or doxed, but Kathy certainly deserves all the other hostility that comes her way. She is a very mean person.

Wget off the leash

As we all know, to grab a website with wget, we'll use the "-r" option to "recurse" through all the links. There is also the '-H' option, means that wget won't restrict itself to just one host. In other words, with '-r -H' together, it'll try to spider the entire Internet. So I did that to see what would happen.

Well, for a 32-bit bit process, what happened is that after more than a month, it ran out of memory. It maintained an ever growing list of URLs that it has to visit, which can easily run in the millions. At a hundred bytes per URL and 2-gigabytes of virtual memory, it'll run out of memory after 20 million URLs -- far short of the billions on the net. That's what you see below, where 'wget' has crashed exhausting memory. Below that I show the command I used to launch the process, starting at cnn.com as the seed with a max timeout of 5 seconds.

How much data did I download from the Internet? According to 'du', the answer is 18-gigabytes, as seen in the following screenshot:

It reached 79425 individual domains, far short of the millions it held in memory. I don't know how many files it grabbed -- there's so many that it takes hours to traverse the entire directory tree.

What sorts of domains did it visit? As you can see in the screenshot, all sorts of stuff, like "www.theemporiumbarber.com.au" or "hairymenofcolor.tumblr.com". How all this stuff is reached via "cnn.com", I just don't know.

Note that the point of this experiment wasn't to actually spider the net; there are far better tools for that. Also, there is a nice project on Amazon AWS called the "Common Crawl Corpus" where they crawl the Internet for you (billions of links) and then let you process it with your own EC2 instance.

Instead, the point is what hackers always do. In this case, it's answering the question "I wonder what -H does". I mean, I know what it does, but I still wonder what happens. Now I've got a nice 18G of random stuff from the Internet that is what happens.

You can get better, more rigorous data sets (like the Common Crawl stuff), but if you want a copy of this data set, hit me up at the next hacker/security con. I'll probably have it on a USB 3.0 flash drive (srsly, my flash drives are now 64gigabyte in size -- for the small ones). It'll be good for various testing projects, like building parsers for things like JPEGs or PDFs.

Six-month anniversary scan for Heartbleed

I just launched my six-month anniversary scan for Heartbleed. I'll start reporting early results tomorrow afternoon. I'm dialing the scan to run slowly and spreading it across four IP addresses (and 32k ports) in order to avoid unduly alarming people.

If you would like the results of the scan for your subnet, send us your address ranges to our "abuse@" email address. We'll lookup the abuse contact email for those ranges and send you what we found for that range. (This offer good through the end of October 2014).

Here is a discussion of the options.

--conf /etc/masscan/masscan.conf
You don't see this option, but it's the default. This is where we have the 'excluderanges' configured. Because we exclude everyone who contacts us an "opts-out" of our white-hat scans, we are down to scanning only 3.5 billion hosts now, out of around 4 billion.
The the "/0" means "the entire Internet". Actually, any valid IPv4 address can replace the and it'll produce the same results, such as "" to amuse your friends.

This says to scan on port 443, the default SSL port. At some point in the future, I'll scan for some other common SSL ports, including the STARTTLS ports like port 25.

This means to create a full TCP connection with the system and grab "banner" info. In this case, that means sending an SSL "hello" request and to parse the received X.509 certificate. It'll parse that certificate and dump the hostname from it.

--capture cert
This means to also capture the X.509 certificate. I don't really care for this scan, but on general principles, grabbing certificates is good for other SSL research. This happens before the heartbleed check.

This means that after the initial SSL Hello that it will attempt a "Heartbleed" request. In this case, the returned information will just be a "VULN: [Heartbleed]" message for the IP address. If you want more, then "--capture heartbleed" an also be used to grab the "bleeding" information. I don't do that.

-oB heartbleed.scan
This means to save the results in a binary file called "heartbleed.scan". This is the custom masscan format that can be read using the --readscan option later to convert to XML, JSON, and other output formats. I always scan using this format, but I think I'm the only one.

--rotate-dir /var/log/masscan
You don't see it here on the command-line because it's in masscan.conf (see above), but every hour the contents of "heartbleed.scan" are rotated into this directory and a new file created. That file is timestamped with the current time.

--rotate hourly
You don't see it here, but it's in masscan.conf. This means that rotation to /var/log/masscan should happen every hour on the hour. If you start a scan at 1:55, it'll be rotated at 2:00. It renames the file with the timestamp as the prefix, like 141007-020000-heartbleed.scan, so having it aligned to an even hour makes things easier to work with. Note that "minutely" and "daily" are also supported.

--rate 80000
People don't like getting scanned to fast, it makes IDS and firewall logs unhappy. Therefore, I lower the rate to only 80,000 packets/second to reduce their strain. This consequently means the scan is going to take 13 hours to complete.

On the same principle as slowing the rate, spreading across multiple source IP address makes IDS/firewalls squawk less, and makes people less unhappy. We have only a small range to play with, so I'm only using 4 IP addresses. Note that masscan has it's own TCP/IP stack -- it's "spoofing" these IP addresess, no machine actually exists here. If you try to ping them, you'll get no response. This is the best way to run masscan, though people still find it confusing.

--source-port 32768-65535
By default, masscan uses a randomly assigned source port. I prefer to use a range of source ports.

Monday, October 06, 2014

Who named "shellshock"?

Because it's terribly important to cybersec, many are debating the origin of the name "shellshock". I thought I'd write up the definitive answer.

The answer is that it came from this tweet by Andreas Lindh. That's the absolute origin of the term. Andreas made it up himself.

Also, to some extent Davi Ottenheimer deserves some credit for starting the conversation among a bunch of people with his tweet saying "it's not big until there's a logo". Lots of people posted logos as that point.

Also to some extent I deserve some credit for then pimping the "shellshock" name in my blogposts, which received a lot of attention in the early hours of the shellshock crisis. As you can see from the pageview stats below, these posts got a lot of attention. Also, most of the early news stories on "real" news websites referenced me and my posts. Those news sites got the name from me, and I got it from Andreas and nobody else.

I suspect what really helped it along is that when I scanned the Internet for the bug, putting it in everybody's webserver logs. I included a pointer to the "shellshock scan" post in the user-agent string. That pretty much made it official for every geek looking at logs, regardless of what name news stories might choose.

The reality is that nobody knows how these things happen. A lot of us were online on twitter discussing the bug, the technical details, and goofball things like what its logo should be. It's a product of mass consciousness and insanity rather than any one person. But if you had to pick somebody to blame, it's Andreas Lindh.

Understanding the HP split

HP is splitting itself into "enterprise" and "consumer" companies. Why the split? Isn't the goal of big companies to get bigger? Well, no, that's just the cynical view of companies. The actual goal is to deliver value to stockholders. Splitting delivers value in two ways. The first is that it "exposes" the underlying business. The second is that it avoids dis-economies of scale.

Conglomerates like GE (General Electric) have a problem. While some businesses do well and grow, other businesses fail and shrink. You can't buy stock in the individual components of GE's business you think are growing, you have to take all or none. GE Medical has been growing fast, but you can't invest in it individually.

Thus, big companies frequently spin out such companies, either to divest themselves of the dead weight that isn't growing, or conversely, to let a growing part of these business to fly free without being held back by the deadweight. The fast growing parts of a business aren't inherently better. They tend to also be riskier, meaning that while their stock may surge, they have equal probability of going bankrupt soon.

We can see how this philosophy worked in the case of HP's previous spinoff of "Agilent", the test-and-measurement business that was the origins of HP.

Test-and-measurement is a boring product category. Thus, since the spinoff, Agilent has closely tracked the S&P 500. The HP computer business was the exciting business with growth potential, which has done better, although with more volatility. The thing to note here is that if you average the two stock prices together, then investors wanting high-risk growth stocks would've gotten a smaller return. That's why HP divested itself of Agilent -- it freed itself of the deadweight.

The second reason to split is dis-economies of scale. Larger is not better The biggest problem is the corporate brand. What does the "HP" brand stand for? On one hand, the brand is trying to service enterprise market where the brand is wants to stand for "boring reliability". On the other hand, the brand is trying to service the consumer market where HP wants to compete with Apple for "cool awesomesauce". Trying to be both weakens the brand in both markets.

Thus, the real goal of the split is to free the brand. HP has a big presence in the home market with its printers and laptops. Freeing the brand means HP can start selling other consumer products, such as tablets and phones, with exciting HPness, without being offending it's enterprise customers. Conversely, the new "Hewlett-Packard Enterprise" and become even more stodgy and boring.

The stock jumped 6% today, because investors are betting on the future shares. When the split happens, they'll receive one share in each business to replace an existing share. Investors wanting steady growth will immediately sell the consumer share. Investors wanting high-risk/high-return stock will likewise dump the stodgy enterprise share.

CEO Meg Whitman is staying with the enterprise business. It's not that this is the better company. Instead, it's because the consumer market fighting against Apple is for younger, more energetic CEOs.

By the way, as an investor, I'd dump the consumer stock. Its printer ink business is a cash cow, but I don't think they know how to compete against Apple and achieve growth. Several years from now, they still won't be the luxury brand demanding high margins that everyone wants, but still will be the boring/cheap brand they are today.