I hate to beat up on Silent Circle -- when they come for our crypto, it'll be Silent Circle testifying in the Senate defending our freedoms (that's why I give them money). However, their software is horribad.
That was displayed this week with Mark Dowd's discovery of 0day vulns in the ZRTP library used by Silent Circle and others. That Silent Circle has vulns isn't the problem; vulns happen to the best of companies. The problem is Silent Circle's response to the vulns, which has been craptastic. They've done a poor job informing customers of the problem (a traditional press release and a twitter update are needed). That they could not immediately release a fix demonstrates that their software has enormous technical debt.
Friday, June 28, 2013
Monday, June 24, 2013
NSA hacking Chinese: it's self defense
One of Edward Snowden's revelations is that the NSA has been hacking China, such as hacking into 63 computers at Tsinghua University. This is probably true, but it's self-defense. Many of the hacks coming from China over the last decade have been coming from Chinese Universities. In fact, the Chinese hackers have been brazen about it, making little attempt to hide what they are doing, where they are coming from, or where the hacked information is ending up. Tsinghua University has been a major source of hacking against the United States for over a decade.
It's indeed Tsinghua that I was obliquely referring to in this post last March, where I say:
From the top, China sets goals. It may decide that in the next 10 years it wants to become the leading supplier of turbine engines. It then figures out what it needs in order to accomplish that goal. It'll need a supply of titanium from Russia. It'll need to set up factories in Guangdong. It'll need to greatly expand its training of turbine engineers coming from technical universities.
What if you are a Chinese aeronautics professor tasked with expanding the turbine engine program at your university? How do you teach your students the latest cutting edge technology? Well, you go read papers on the subject published in the United States. You then grab the authors' email addresses. You send them e-mails saying "I enjoyed your talk at Xyz Conference. I was wondering if you had any comments on this paper I'm writing". You attach a PDF document with an exploit (written by a student in CompSci). The recipient downloads it, gets pwned, and has all their research stolen, including the latest stuff funded by Lockheed.
How can you independently verify my claims? I'm not sure. I've gotten this from casual private conversations for over a decade. That's the problem with this whole NSA thing: it's over-classified, so it's hard to distinguish rumor from fact. At least in several cases, I've interviewed people with first hand experience, so I know some of it is true. On the other hand, I don't have anything close to the entire picture.
My point is this: Tsinghua University hacks the United States. It's not unreasonable to expect for the United States to hack back.
Saturday, June 22, 2013
A Glass FAQ
There are better sources of info about Google Glass, but I thought I'd write up my own answers to frequently asked questions, since mine will often differ from others'.
Thursday, June 20, 2013
I survived Google's re-education camp
I took this picture during the indoctrination phase of picking up Google Glass. As you probably know, "Glass" is the hip/trendy new device from Google that is going to change the world, except that you can't have one. They've restricted purchases so far to developers and influential bloggers.
Wednesday, June 19, 2013
Even Microsoft has to pay for it
Microsoft has joined Google, Mozilla, and the rest by finally offering a bug bounty.
In the past, Microsoft didn't have to offer bounties. Windows was ubiquitous. Whenever something crashed, security professionals would launch the debugger, figure out what crashed, how to repeat the crash, and thus, find the vuln. Disclosing the bug to Microsoft, and getting credit for it, was an important resume builder. A lot of early cybersec pros got their first high-paying jobs based on their public disclosure of vulnerabilities.
In addition to the carrot, Microsoft had a stick. Because of its dominating position in the industry, most companies' survival depends upon goodwill from Microsoft. With its "responsible disclosure" policy, Microsoft made it clear that this goodwill would disappear if people didn't follow the policy, for example by disclosing a bug before Microsoft fixed it (even if it took them a year to fix it). This intimidation forced many security researchers to play along.
Then things changed. Starting about 10 years ago with WinXP SP2, Microsoft got real serious about defense. They went from the joke of the industry (though unfairly) to the leader in writing secure code. We professionals spend more time with our iPads, Androids, and other systems and less time with Microsoft products. We are less likely to come across bugs accidentally in daily use, and we are less likely to be intimidated into responsible disclosure.
The biggest change has been the rise of the "vuln market". Instead of pimping your vuln for fame, you can now sell it to an interested party, such as Russian organized crime, Chinese spies, or the NSA cyberwarriors. The right bug, to the right customer, at the right time, can be worth $1 million. Even crappy bugs can be worth $10,000. That means Microsoft can no longer count on people disclosing bugs to them -- they have to bid against the Russians, Chinese, and Americans.
Bug bounties from the vendors still pay lower than the "market rate", for good reason. If you sell to the Russians, you may find yourself (or a family member) getting kidnapped. If you sell to the NSA, you might find the FBI raiding your house. Also, you don't know who, precisely, to sell to, so you'll be going through a middleman, who will take a cut. Thus, the safest and surest route is to sell your bug to the vendor -- even at a fraction of the price.
Wednesday, June 12, 2013
Upcoming revelations speculations
Greenwald/Snowden claim even more explosive revelations are coming. I thought I'd write some guesses of what those revelations might be.
Factoring 1024 bit keys
I don't think the NSA can crack any RSA key through the use of quantum computers. If they could, only 10 people would know, and it wouldn't filter down to people like Snowden. Moreover, Snowden tried to get Greenwald to use PGP -- which he wouldn't have done if the NSA could crack it.
Tuesday, June 11, 2013
NSA poll: You are reading the numbers wrong
Everyone is misquoting the Pew poll as finding that 54% of Americans support surveillance. That's not what the poll asked. Instead, the poll asked "surveillance or terrorism?".
Consider instead if the poll had asked, as described in this story, whether:
Is it acceptable for the government to monitor all phone records, looking for patterns, even if those numbers have no known connection to terrorism?
Or, consider this story, and the results of a poll that would ask:
Is it acceptable for the government to use monitored phone records in the pursuit of political objectives?
Or, consider stories like this one, which points out that Americans are as likely to be killed by furniture as by terrorism. Do Americans have a rational appreciation for the risks of terrorism? Or is this something government misleads the public about, in order to justify its actions?
Oaths, conscience, and honor
When does something become so unconscionable that it's worth forswearing your oaths? Some say never, absolutely, and would suffer any evil rather than break their word. Others break their principles whenever they are slightly inconvenient.
Sunday, June 09, 2013
Libradar: Is Edward Snowden libertarian?
People are asking if Edward Snowden (the NSA leaker) is libertarian. My answer is "probably".
We libertarians have a sort of "gaydar", we can spot fellow libertarians even when they say things that are completely neutral and non-political. Back in the day, I was in the "libertarian-closet", and tried to hide my wacky feelings for limited government. I tried to talk and act like everyone else. However, other libertarians could tell my true self. I never understood how that was possible.
Now that I've gotten older, I've discovered that I've got libradar, too, and can often recognize my fellow wackos. I can't say consciously what makes me feel that Snowden is libertarian, but I get that vibe from him.
NSA is wrong, not evil
My twitter feed has gotten this one-sided view of the NSA. Soon, they’ll be claiming the NSA practices witchcraft and eats babies, because, as everyone knows, the NSA is evil. In truth, the NSA is not evil, just wrong. I point this out because there are two sides to every story. The better we understand the NSA’s point of view, the better we can fight them. Power corrupts: understanding this from their point of view will teach us how this happens.
In this post, I describe my first hand experiences dealing with the NSA, and what I understand from their point of view. I don't like the NSA, as you can tell from my other posts, but at the same time, I hate this "us vs. them" attitude that just because we oppose them, that we can impute all sorts of evil untrue attributes onto them.
Saturday, June 08, 2013
Vote for my short story!
This year's conference, DefCon 21, has a short story contest. I entered a story called Demo Demons. Go read it, and if you like it, go vote for it (story #13389). Since only about 20 people have voted so far, even one vote matters (remember, to vote, you have to first create a DefCon forums account).
The thing that's interesting about my story is that a lot of it is drawn from my experiences over the last 15 years as a "hacker" who speaks at conferences. The title, demo demons, is the phrase we speakers use to refer to the fact that our hacker demonstrations always go awry, no matter how well we practice. Conversely, I've given demos where I've inadvertently been too successful -- capturing too much information and showing it to the audience.
One of my experiences is dealing with the FBI. When they were threatening me once, while talking about "vulnerabilities", an FBI agent said "we don't know what that is, we don't have a Ph.D. in computer science". So, I put that sort of experience into the story.
There are lots of tidbits that you people may recognize. For example, the story refers to a female cryptographer who does a surprising crypto trick. That's obviously a reference to a cool trick that Nadia Heninger did. So, if you read bits and wonder if I'm referring to something, the answer is that I probably am.
My point is that even though this is my first attempt at creative writing, and it was written quickly in a week to meet the contest's deadlines, it's worthwhile reading to understand the point-of-view of the hacker culture.
By the way, I'm interested in feedback. I'd like to flesh out this story a bit more, and maybe make a series of similar stories, and publish as an ebook. So I'd appreciate comments like:
- this bit sucks, fix it
- this bit rocks, don't change it
- I'd like to know more about this bit
Friday, June 07, 2013
Reconciling PRISM claims
The thing you need to look at is my Altivore program, a bit of code I wrote back in 2000 to explain the Carnivore controversy. Like the current issue, there were irreconcilable claims about Carnivore. One set of claims is that it eavesdropped on everyone's traffic, including "Echelon" style keyword searching of emails. The second set of claims is that it was just a law enforcement tool, that it only captured the traffic of a single person that was the subject of lawful warrant.
If we can shoot them, we can cyber them
The latest Greenwald/Guardian leak is a Presidential directive covering offensive cyberwarfare. As someone with some experience in this field, I find nothing particularly interesting.
All the document says is that "cyber" is the same as "kinetic" warfare. Any rules that apply to shooting somebody also apply to hacking them. It means, for example, that the CIA or military can't go off on its own and hack a foreign country without going through the chain of command.
Those who have not read Orwell are doomed to repeat him
Journalist William Saletan writes that the government's surveillance program isn't Orwellian because the government supervises itself. But government supervising itself doesn't make something less Orwellian. If anything, it makes it more so. To quote Wikipedia, the book Nineteen Eighty-Four is about "perpetual war, omnipresent government surveillance, and public mind control -- under the control of a privileged inner party elite". As I show below, so is the NSA's surveillance of American citizens.
Wednesday, June 05, 2013
Welcome to Echelon 2.0
The NSA isn't spying on you. They don't have to. They just outsource it to businesses.
Back 20 years ago, there was a conspiracy theory going around called "ECHELON" that claimed the NSA was monitoring the content of everyone's phone calls and emails, everywhere in the world, including the United States. Echelon (probably) existed, but it wasn't technically feasible to be as extensive as claimed. It was also against the constitution: the NSA is a bunch of bastards, but they would never cross that line.
But they'll move the line. That's what today's revelation by Glenn Greenwald (@ggreenwald) at the Guardian has shown us. While the NSA cannot intercept signals within the United States, they can get a court order for most of the information from businesses, with help from the FBI and the FISA court. The court order demanded everyone's call records from Verizon. It demanded not just records of calls made to foreign countries, but those wholly within the United States as well.
Manning trial: looking up serial numbers
At the Bradley Manning trial, prosecutors identified the laptops by serial number. So I looked up the serial numbers on the vendors' websites.
Bradley Manning's laptop was a MacBook with a serial number of W8939AZ066E. I went to the Apple Care support site (https://selfsolve.apple.com/agreementWarrantyDynamic.do) and entered that information. I find that it's a mid-2009 MacBook Pro, 13-inch.
Tuesday, June 04, 2013
Manning transcripts: day one
The website https://pressfreedomfoundation.org/ hired a court reporter in order to publish transcripts of the Bradley Manning trial. The first day's transcripts are here. The majority of this transcript is the "opening arguments" -- the unfiltered arguments directly from the horses' mouths, so to speak.
Monday, June 03, 2013
Smart or Dumb: The OSX update saga
Have you ever logged into OSX and gotten a message about needing updates, although you are sure you have applied them already? How about a message saying that you need to accept certain packages like iPhoto in the update manager, but when you try you are told they have been purchased with another account and you need to log in with that one to install them? Looking at the Apple OSX support forums across a number of sites, I can tell you: don't bother answering, I know it is a rhetorical question. These errors happen to a lot of people, all the time. Eventually some other forum user will suggest some bit of command line trickery that has nothing to do with the problem, and the errors go away.
Sunday, June 02, 2013
Haswell and cybersec: it's about the crypto
This last weekend Intel formally released their “Haswell” x86 microarchitecture. I thought I’d discuss the changes that are meaningful to cybersec. The tl;dr version is this:
- New instructions double the speed of most crypto
- Transactions enabling code to use more cores
- Triple graphics speed, programmable with OpenCL
- Lower power
Thursday, May 30, 2013
BitCoin is a public ledger
BitCoin is not so much a "currency" as an "emergent phenomenon". It makes things possible that have nothing to do with money.
For example, let’s say that you have a screen-play for a movie. Before shopping it around in Hollywood, you want to prove that it’s yours, so that a greedy producer can't steal it. Using BitCoin, you can add the signature (and date) of your screen-play to the "block chain", the "public ledger" where all Bitcoin transactions are stored. Now, if producers get greedy, you can (in theory) pull out this proof in a court and sue them.
As another example, let’s say that you have a great idea for a patent, but it’s not quite ready. Well, write it up into a file, then add the file’s signature to the block chain. Years from now, if somebody beats you to the patent filing, you can prove that you had the idea ahead of time.
You don’t need to really know how this works. There’s a website called http://proofofexistence.com that takes care of this for you. Put whatever it is you want in a file, the sign the file using that site. Years from now, you can prove to somebody then that this file existed right now, today.
This is just one example of many emergent phenomenon popping up around BitCoin. It’s not just about electronic currency, it’s about a lot of weird crypto concepts.
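The "signature in the block chain" trick above is a hash commitment: you publish only a digest of the file, and later re-hash the file you kept to show the digest was already on the ledger. The following Python is an added illustration, not code from this post or from proofofexistence.com; the ToyLedger class is a constructed stand-in for the block chain and the screenplay bytes and dates are made up.

```python
import hashlib
from datetime import datetime


def file_digest(data: bytes) -> str:
    """SHA-256 of the file contents. Only this 64-hex-char digest gets
    published, so the ledger learns nothing about the screenplay itself."""
    return hashlib.sha256(data).hexdigest()


class ToyLedger:
    """Constructed stand-in for the block chain: an append-only list of
    (timestamp, digest) pairs. In Bitcoin the digest would ride inside a
    transaction and the timestamp would come from the block it landed in."""

    def __init__(self):
        self.entries = []

    def commit(self, digest: str, when: datetime) -> int:
        self.entries.append((when, digest))
        return len(self.entries) - 1          # position in the ledger

    def earliest(self, digest: str):
        """First timestamp at which this exact digest appeared, or None."""
        for when, d in self.entries:
            if d == digest:
                return when
        return None


def prove_existed_before(ledger: ToyLedger, data: bytes, claimed: datetime):
    """Re-hash the file you still hold and check that the ledger carried that
    digest before `claimed` (e.g. the date a producer says they wrote it).
    Returns the commit time on success, None otherwise."""
    when = ledger.earliest(file_digest(data))
    if when is not None and when < claimed:
        return when
    return None


# Constructed sample data for the demo.
SCREENPLAY = b"FADE IN:\nINT. SERVER ROOM - NIGHT\nA lone hacker stares at a cursor.\n"
COMMIT_TIME = datetime(2013, 5, 30)
PRODUCER_CLAIM = datetime(2014, 2, 1)


def demo() -> dict:
    ledger = ToyLedger()
    ledger.commit(file_digest(SCREENPLAY), COMMIT_TIME)   # the "sign it today" step

    # Years later: the original bytes still verify, and the commit predates the claim.
    original = prove_existed_before(ledger, SCREENPLAY, PRODUCER_CLAIM)
    # A one-word edit yields a different digest, so the altered copy proves nothing.
    altered = prove_existed_before(ledger, SCREENPLAY.replace(b"NIGHT", b"DAY"), PRODUCER_CLAIM)
    # A claim dated before the commit is not refuted by the ledger either.
    too_early = prove_existed_before(ledger, SCREENPLAY, datetime(2013, 1, 1))
    return {"original": original, "altered": altered, "too_early": too_early}


if __name__ == "__main__":
    print(demo())
```

Note that the ledger only proves the file existed by the commit date, not who wrote it; keeping the original bytes byte-for-byte identical is what makes the later re-hash match.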