Packetknife's Space - http://www.packetknife.com
Most recent posts at Packetknife's Space

Tue, 22 May 2012 03:27:15 -0700
Patriot Hackers, Cyber Vigilantes, and Shot Placement
http://www.packetknife.com/patriot-hackers-cyber-vigilantes-and-shot-pla-63685

This podcast serves as Part II for now.. I didn't get to everything I wanted to cover but wanted to limit it to 45m. The big miss is that I wanted to discuss how and where to pool our resources against extremism, but I'll just write about that instead.

https://minus.com/mleQThWa2/ (Playback and Download)

Cheers, -Ali

Author: Ali-Reza Anghaie (packetknife) - http://posterous.com/users/hgWbDEKqxIXBU
Fri, 11 May 2012 01:48:42 -0700
Two YouTube videos you should watch
http://www.packetknife.com/two-youtube-videos-you-should-watch

I was re-reading Acheter et vendre des exploits - part1 2007 (French) on the Zero Day market and thinking about a few tweets from earlier in the day w/ @ErrataRob.. and it reminded me of the mind-numbing number of times we as InfoSec professionals have had to explain to the "Left" hand that we were working with the "Right" hand in some or across some other Government organization.

Do yourself a favor and watch both of these videos - in their entirety. And always get everything in writing, business cards, log every call, hard copies of emails, always have an Attorney contact, etc. etc. Just do it. I don't stay vigilant enough myself.

The second video is w/ Harvey Silverglate, who wrote the excellent book "Three Felonies a Day" - worth a read BTW. That's all, Cheers, -Ali

Mon, 16 Apr 2012 07:00:00 -0700
Patriot Hackers: Stand YOUR Ground - Not Mine
http://www.packetknife.com/patriot-hackers-stand-your-ground-not-mine

As part of my participation in Wikistrat, I get to see some pretty brilliant debates on what can - can't - will - and (hopefully) won't happen across the geopolitical sphere. And while the Cyber sphere of geopolitics continues to trouble many with Fear - Uncertainty - Doubt, there is one area where the general consensus of the "Good Guys" is the same:

We do not need Cyber vigilantism to become the norm

Let me preface the rest of this by saying I do not care who The Jester, The Raptor, YamaTough, Anons, etc. are. As a matter of fact across various interactions I'm fairly sure most of these people have their hearts entirely in the right places, I probably would get along just fine in real life with them, and they are otherwise interesting characters. I also don't care if any or all of them are constructs or "condoned" operations of a given Nation-State.

My problem is what messages they send "on behalf" of their respective Nation-State or Quasi-Movement-Nation-State (e.g. Anons - Occupy) hosts AND the collateral damage they create or are even victims of.

With that out of the way, let's first touch briefly on what I consider to be the two biggest enablers of the "problem of" Cyber vigilantes:

  1. Governments have spent the past eleven years drumming up Citizen corps to treat their neighbors as suspects - breeding environments of xenophobia - and creating boutique markets of Big Brothers and Little Brothers alike.
  2. Governments have not fulfilled their obligation to make security accessible to their citizens - specifically the comfort of being able to "call the police" in this space and get a reasonable response.

Out of (1) the result has been a polarization of reactions to perceived threats - on one side you have a movement so politically correct as to be naive, framing every potential threat as basically non-existent and entirely a construct of the ~other~ side. And on that "other" side you have near-religious zealotry defining everything in absolute terms. In effect the environment cultivated in (1) exacerbated the problem across all facets of Security.

Additionally, out of (2), those people "in the middle", including many of our bravest and those most in harm's way (see: Powerful Peace), have no way to get reasonable issues addressed without risking strange retaliation and skepticism from either a/the Government tasked with protecting them or the hostile adversarial groups themselves. Indeed the actual moderates, not just extremists who proclaim themselves moderates, become perceived as enemies at both polarized ends.

Now - I'm intentionally trying to distill this into the two biggest problems - but this is hardly comprehensive. Regardless, I stand by the idea that Cyber Patriots are an inadvertent creation of, and now problem for, the host Governments.

OK, now that I've perhaps alienated everyone, let me explain my title. I fully encourage and endorse protecting what's yours on a personal and private entity level. I've been adamant that waiting for Government to solve your security problems is a losing proposition. However, this has always been in the frame of defensive security problems - not becoming the aggressor. You have to make sure you understand the line between investigating a problem passively and pursuit/action that ends tragically.

In the same way I support Gun Rights, Agorist-Voluntaryist, Libertarian, and Austrian Economics in "real" life - it all carries over to my suggested cyber postures. To use a comic book cliché - With Great Power Comes Great Responsibility (my apologies to Voltaire).

You're a better Citizen, a better hero, a better Sheepdog for your community if you know where to draw the lines in your own applications of Balanced Power.

So now I'm speaking to The Jesters and The Raptors of the World...

I know, believe me I know, what it's like to head-desk-repeat when trying to get action out of an upstream Government agency. I know how frustrating it can be to see messages of hatred and threats against your Country go unanswered in all forms of media. I know what it's like to be unfairly treated by your home country. I have sinned and been sinned against. I have felt betrayed or let down by both my country of birth (Iran) and my country of heart (USA). And I have taken up "cyber arms" myself - I'm not an innocent bystander regrettably.

I also know this - this course of action gets out of hand before you realize it, and the repercussions on a geopolitical level with the leaders of Nation-States will be well well WELL outside of your ability to control. It doesn't end with forums and individual sites. It doesn't end with doxing. It doesn't end with a zero-day market - Patriot and rogue Cyberweapons Dealers.

It ends with more barriers to Internet Freedom - it ends with slowed economic integration in the regions that need it the most - it ends by further breeding an already troubling enemy-combatant Cyber Vigilante. It ends with kinetic action. It. Ends. Badly.

Let's not replicate the sins of our Governments at our scale. Let's not aggravate the problems Governments already face. We can hack for good, share information, integrate economically, integrate through gaming, coffee house conversations, any number of other outlets for this Patriotic energy.

There is no doubt we need a balanced approach to power; I'm not a pacifist and I don't disregard the threats radicalization online and cybercrime bring. I'm just suggesting Cyber Vigilantism is not a movement we want to support by also throwing "our" Western weight behind it.

NEXT TIME: How Governments can enable the Cyber Citizenry without breeding FUD and Vigilantism

(BTW, you all can join Wikistrat on Facebook and participate in their unique experiment. And I strongly encourage you to pick up Powerful Peace and see what happens when things get out of hand - and ideas on how to rein them back in.)

Thu, 12 Apr 2012 15:20:24 -0700
Book Review: "Powerful Peace: A Navy SEAL's Lessons on Peace from a Lifetime at War"
http://www.packetknife.com/book-review-powerful-peace-a-navy-seals-lesso

Today I found out Amazon is listing Powerful Peace for pre-order and I'm happy - delighted even - to provide you my review based on a review copy provided by author J. Robert DuBois. Since Doctor Who is not in season there will be no Spoilers. ;-)

Mr. DuBois isn't a new face on the geopolitical circuit and he isn't an academic. What Mr. DuBois is - and we're all lucky for it - is an honorable, well-studied, and experienced practitioner of "Applied" Smart Power. And, not of small coincidence, a Veteran of the Navy SEALs who was in theatre before, during, and after the past decade's operations in Afghanistan and Iraq.

The body of Mr. DuBois' book is divided into Body - Mind - Heart - and Soul and each section is divided into short chapters that further open with a succinct Mission Statement of sorts and an applicable quote. This format maintains a conversational tone and provides an immediate connection to the author and his experiences. Indeed the book is written as a window - an introspective window, into Mr. DuBois' experiences and desires for The People. You're not being lectured by a journalist or academic - Mr. DuBois is inviting you to the geopolitical and physical battlefield, into the homes of enemies and friends, through the military and political processes of War, and into the minds of the many men and women that serve in the Armed Forces.

Consider the opportunity here.. you have, in effect, an ideal man to take you through the whole process and history of - there isn't a word for it even... Of an organization, a culture, a point in history of remarkable consequence - at a unique intersection of culture, technology, religion, and history. To use analogies Mr. DuBois has been the engineer, the shop blacksmith, middle management, the consultant, the diplomat, and now a Professor of Powerful Peace. You simply don't get these opportunities often - and when they come about they have the ability to resurrect a dying cause or organization.

The content itself, from my viewpoint, really attacks two broad problems pervasively:
  1. The sources of hatred among and between people
  2. The "solutions" to hatred that do not work
The second point is key here - Mr. DuBois isn't providing an academic survey - he is providing a real effectual narrative based on first-hand observations in (easily) the most conflict prone and conflicted theatre of ideological, military, and political battle since World War II.

Powerful Peace neither absolutely endorses nor absolutely condemns any course of action - he merely, and compellingly, asks the reader to consider their actions in a new light. And this is the ultimate strength of the book in my opinion - he isn't forcing the reader to "choose a side" other than that of humanity. And that type of neutrality to all views (Hawks and Pigeons alike) makes this a great - GREAT - book to build a sense of pride and urgency upon. You can simultaneously be embarrassed and Proud - entirely Proud - entirely embarrassed, but whatever feeling you want to take away - or even agonize over - Mr. DuBois leaves you with hope and an urge to action.

[ACT NOW AND YOU GET THE INFOSEC PERSPECTIVE!]

So let me tie this to the burgeoning field, like it or not, of Cyberwarfare. Powerful Peace absolutely applies in our field as well. In a series of different contexts an Information Security professional can draw out the roadmap to economic and potential physical catastrophe. In this field we won't have the benefit of hindsight; we need to get it right before it gets out of control, otherwise the consequences will be every bit as bad as a brutalized and devastated physical theatre of operations. Instead of smoldering rubble you'll have a series of ill-advised Nation-State Intranets that will further oppression, censorship, and economic isolation - and that will all in turn further provide a platform of radicalization and roots for Terrorism.

While the predominant powers of the world are ignoring the diplomatic channels or the economics of potential Cyberwarfare - while they sometimes incubate Cybercrime and Cyberespionage - there are huge swaths of the Globe that remain only superficially "connected" both economically and technically. And while "we" are all busy laying battle lines we're neglecting the ICT, education, and economics that will make the world a safer and more free place.

I hope Mr. DuBois sticks around in the writing field and provides wise mediation to the discussions that need to be had. And I hope you do him the respect of reading his first and compelling entry as an author.

Tue, 27 Mar 2012 17:30:28 -0700
The trick Richard Clarke and ZDNet just played
http://www.packetknife.com/the-trick-richard-clarke-and-zdnet-just-playe

By now a lot of you have seen this:

And, by now, at least twenty times as many C-levels and Nation-State policy influencers have seen it too.

Stop for a moment.. now.....
  • The inference being that a Nation-State - namely China (or Iran or Russia) - was ~required~ to make such hacks possible.
  • Further inferring that it will take another Nation-State - namely that country known as the DHS now - to protect you from the Chinese.
And the article further seems to indicate that the goal should be to prevent the "thousand cuts" when in reality, like all business before it, you have to manage the consequences and incidents. You. Are. Going. To. Get. Cut. It doesn't matter if you have TS/SCI falling out of your ears - the Government isn't going to save you. Contractors helping the Government aren't going to save you.

I see it every day with businesses either waiting for or hoping to use the Government as the whole of their defense and offense. This is a doomed approach. You can't afford to wait for Government to share their secrets (aside from debating the quality of those secrets) and you can't afford to wait for Government to raise some protectionist barrier to minimize your losses. -Ali

Fri, 16 Mar 2012 18:27:31 -0700
In defense of continued use of RSH
http://www.packetknife.com/in-defense-of-continued-use-of-rsh

There are numerous reasons why RSH use can be reasonably justified. This is a fairly comprehensive list of the best justifications I've heard recently:

Wed, 14 Mar 2012 21:44:56 -0700
Who fights for the users? Part II - FBI's AntiSec
http://www.packetknife.com/who-fights-for-the-users-part-ii-fbis-antisec
On Tuesday March 13th, in relation to my first installment, I tweeted:

So news and timelines are rampant with speculation that the FBI created the whole of AntiSec as a sting operation. There are a lot of curious things that come out of this:

  • All the other doxes and hacks - not all of it was staged - collateral damage? And how does some of that damage, say the financial fraud out of the STRATFOR hack, play into criminal proceedings? Or people who may have had costs accrued to replace credit cards, pay minor fees against larger fraudulent charges, etc.
  • The FBI / Scotland Yard phone call - staged? Seems more likely if they did create AntiSec. That or the operation was held tightly within a smaller group of FBI. Which also ties into..
  • They ask around - why? Just to push InfoSec professionals and OSINT armchair hobbyists off into the woods to preserve operational security? (There is a Jester tie to that.)
  • How many contracts, papers, talks, etc. have come out of AntiSec related activities? How much Congressional funding or support? The term Military-Industrial Complex - and all the political implications - comes to mind.
  • How much cover was provided to other Nation-State and Non-State Actors in the AntiSec umbrella and Anonymous as a whole as a result of such a thing?
  • The list goes on and on.. where is that alleged Bank of America information from Wikileaks? Related? The Tarnac 9 manifesto that appears in AntiSec and Occupy related events? How about the Symantec source that magically appeared after a few years? How meddlesome did this become in traditional media outlets and "investigative journalism"? I2P and Tor channels. Conspiracy feeding conspiracy? Where do FOIA requests, FBI National Security Letters - "Hand written" Warrants, etc. fall in all of this? Where does transparency begin again? Should it have ended so abruptly and so widely?

Of course this is all still speculation but it's not the kind that endears you to The People and Private sector as a whole. Is it a self-feeding sort of mechanism? Like those that already wonder if all the homegrown terrorists are being "created" by the FBI and if those people would have really crossed the line otherwise? Is the ability to cross the line when properly resourced enough of a criminal intent? Thought crime much? Heck... that leads down too many rabbit holes to plot (and a lot of boardrooms and Government offices to boot).

So proponents of an FBI AntiSec already jump up and down that it's not over yet - the FBI was just gathering all random anti-Government hackers into one place - and it's actually a better, more comprehensive way? What? Since when has that worked in traditional domestic terrorism and international terrorism? Why would it work here? Jim, Lone Wolf is Lone Wolf. I'm not sure I see a roadway to consolidation. I've been looking for various publications out of RAND for related data to consider.

On the other hand, let's say that consolidation was partially or even mostly accomplished. Did we do that - and potentially push people over the edge - instead of roping them back in some other way? Is that our new modus operandi - even the most basic outlier should be given resources and goaded into crossing a line to test their will at all times 24/7? Doesn't that say more about how we treat different people across society as a whole? Sure it's easy to say we just want all those types of people out of our hair. Except, are you that wholesome and without fault all the time? Who gets to judge? We know it's not always a Jury of Our Peers anymore - Grand Jury indictments not even included. (BTW, check out Harvey Silverglate's resources.)

I'm intentionally going to a further extreme to explore this - yes, conspiratorial. Cans of conspiracy worms get opened and they can't ever be closed. Something Government should strive to avoid - not cultivate.

Even as Clearances expand (all branches and types), and even as a Unified Cyber Command is in development, a majority of people responsible for Security will remain uncleared and in the Private sector, including outside of the US, and shouldn't be repeatedly exposed to such potential collateral damage. Again, assuming this is all true and not just a construct by Anonymous to try to outmaneuver the FBI in the Sabu aftermath.

Or - as I've said regarding certain geopolitical topics - sometimes you have to choose a side.

Some circles, that I respect greatly, think you shouldn't open your mouth if you don't have a solution. I believe transparency is a solution but I believe transparency has limits. So I end this second, unplanned, installment the same way I closed the first: I'm not offering a solution, I honestly have conflicted feelings myself, I just think it's well past time to more openly and thoroughly discuss this evolving ruleset. And I don't think wanting to discuss it should make you an Enemy of The State either - as some Twitter timelines suggest.

Mon, 12 Mar 2012 18:39:13 -0700
Oh please... @Krypt3ia's credibility is not at stake.
http://www.packetknife.com/oh-please-krypt3ias-credibility-is-not-at-sta

I tried hard not to comment on the INSCOM / Krypt3ia / Treadstone debacle but in all the pissing I think some good issues are being missed.

First, let's get this out of the way. Scot and I have worked together professionally, work together informally, he is a good friend, we co-host the Cloak & Swagger podcast. We've been accused of cuddling over stacks of jihadist forum posts. I wouldn't have posted what Scot did here but I'm not at all surprised it is posted, nor do I think the various reactions are realistic. Scot does good work and even if this turns out to be wrong - he still brought to light numerous issues that should be corrected by the effort owners.

It's not Scot's job to vet sites and how the heck are we supposed to get these things officially vetted? No clear way. And just because it's not his job doesn't mean he can't talk about it. This wasn't a Jester approach to things, he didn't DDoS the site. If it's legitimate did he perhaps hurt the contracting companies or recruitment efforts? Perhaps. Or maybe upon further review INSCOM will reconsider how this should be done and a better system will result. A few bruised egos and wallets - that's unfortunate - but not the end of existence. If it happens to you, it sucks, I get it.. keep reading.

If it's legit, why the heck did it not get linked or announced on the INSCOM website itself? There are a number of links about employment and recruiting there. It would've reduced a lot of headache for everyone involved. As it stands various LinkedIn information, a Facebook page, a few PRs, a few other sites, WHOIS information, etc. can all be pulled. Even PR on contract announcements, but it's hard to track those back to an Army verifiable site. Again, solve this problem by coordinating the announcement w/ INSCOM - linking where their existing employment information does.

"Shadow IT" does these things all the time, I've seen it a number of times, from recruiting, to bids for new "secure" offices, to fleet management - costs and processes don't fall in line and people have a deliverable. They either don't know where to go or have little to no oversight. And, often, when they do go to the right pathway - that path is entirely too difficult or expensive to maneuver. And ultimately the original person given the contract and/or task will pay the price of non-delivery. It's not right - it's reality - we have to consider that across the board (Government or Private enterprise) to reduce our exposures. It's in Government's and Private industry's best interests to hammer these procedural issues out quickly to allow a continued lower-cost sourcing approach without unnecessarily increasing risk exposure.

The risk of the site even if it was phishing really doesn't change much of the landscape. It's not entirely clear if it was panic worthy but again, even if it was entirely panic worthy, who the fsck are you supposed to panic to? Companies put out security addresses and forms, prominently displayed; why do we not have the same thing for the Government? Perhaps the various Inspector General offices would be the brokering agents while the DHS and friends work out a Cyber Command? These are large organizations, much bigger than any private enterprise, and we all (should) know how hard it can be to find the right "owner" of a project sometimes. An argument could be made, as Scot clearly has National Security on the mind, that he legitimately wanted the highest possible visibility to this immediately. He got it. Style points weren't his goal here.

Scot's human and has biases. The other day he himself RTed a Monsanto / Blackwater conspiracy story without vetting it. I've done similar before. That's not a hanging offense - not even close. Credibility doesn't get destroyed by making a mistake. Credibility is just as likely to be destroyed if you buckle to an angry mob (of one even). Scot had to take a step back and wait and see. At ~this~ point, that's the right thing to do. If he rushes to try to vet he may make a mistake and either further damage or legitimize something he isn't responsible for or unsure of. Again, at this point, when the cat is out of the proverbial bag... that's the right thing to do. He'll apologize in his own stabby way if appropriate. He is taking a risk here too - he knows that - he isn't naive.

Tone. Yeah, I've disagreed w/ Scot on his tone and approach a lot before. Disagree here too. Except I don't go to Scot's site expecting FactCheck.org and some British formality. That's not what he does and if you don't like it, chill the fsck out. He isn't the Pope and Catholics aren't changing their browsers to Biblefox over this.

No publicity is bad publicity so if this is entirely legit I bet better candidates will result out of the whole debacle. You won't want those not willing to understand realities of enterprise issues (Government level in this case). And you don't want those running haphazardly to hand over everything.

With all that said, if it were me and I was raising an eyebrow, I'd ask around... from what I understand, Scot did. And then he went forward with it. We can argue about specific tactics but it still doesn't change the realities of process noted above. There was no clear right way to be on either side of this issue. Minor changes could've prevented a whole bunch of headache. Let's work on that now instead of trying to assassinate one particular blogger.

I feel bad for ATSC, Treadstone71, MBACSI, and Scot in this case. I don't see how anybody could've done what was right by them in an environment that seems sometimes engineered against clarity and transparency. Cheers, -Ali

Sat, 10 Mar 2012 01:00:26 -0800
Who fights for the users?
http://www.packetknife.com/who-fights-for-the-users

So Google, PinkiePie, and VUPEN walk into a bar....

VUPEN turns to Google and says "U MAD BRO?"

Google *snickers* and says "Nope."

PinkiePie eats a yogurt (because he isn't old enough to drink yet) and wonders what's the big deal?

Punchline: An unseen person in a nice suit walks out with your data.

Haha! Funny, right?

----

I remember well when Dino A. Dai Zovi explained the No More Free Bugs philosophy and I agreed entirely with the premise. There were of course outlier situations which Dino himself would certainly pause to consider. However, there really was no reason not to support the general position - the No More Free Bugs effort. It really has changed the landscape by which security research is done and consumed by end-users and vendors alike. Prior to No More Free Bugs you had one monetized "market" for such research - the black market - otherwise there really wasn't a legitimate outlet.

Since then a new player has entered the fray, Government, and I'm not entirely sure I like where this is going. It has most recently been highlighted, without ever saying "Government", by the Google - TippingPoint - VUPEN dynamic around Pwn2Own and Pwnium. TippingPoint (and VUPEN) put down that six-figure rewards aren't enough for the rarest security bugs. Google presented their argument and played at a trap. PinkiePie didn't seem to get involved in controversy and just did good work (awesome).

Originally, in No More Free Bugs, a major premise was that this work was hard and cost money. "They", the vendors, are getting the work for free when it would otherwise cost them monies in staff, training, break-fix, etc. OK, that's fine - and there was even a slight interlude about No More Free Bugs not quite being the same for FOSS projects (except Chromium because, apparently, Google should be punished for that FOSS contribution). Alright (snark aside) still mostly fine.

However, when did six figures become reasonable for a bug? Well, it became precisely reasonable because there is one legal customer who has the need and resources to pay for it - Government. Sure there is a black market but No More Free Bugs wasn't meant to play on the black market. More specifically, the alternative is probably illegal and these security researchers really want - like most people in society - to stay above board in legitimate markets. I'm not talking informal economies, I'm specifically talking illegal black markets with an express nefarious purpose. Finally, in the background of all this is a "right fighting" dynamic where security researchers and vendors go back-and-forth about what is reasonable and fair. Who is "right" to hold their position. Yet nobody seems to stop and ask "Who fights for the users?"

Not long ago Christopher Soghoian talked about the risks of this evolving market turning against "us". I'm not going to delve into that geopolitical aspect here - that's for another time - but it's worth noting because the market dynamic I am worried about is directly related. How can private industry be expected to further protect assets, that the Government itself is saying are matters of National Security, if the Governments themselves are encouraging behavior which adds a hostile dynamic to the security research marketplace? Government complicity in this secret security research market is in direct competition ~against~ vendors who are trying, and in my opinion quite reasonably, to deliver better, more secure products. (Side note: Obviously we're just talking about compounding problems - 0-days aren't how the huge majority of security escapes happen.)

It would seem to me this is just a way Government still gets the back door without actually asking for and documenting a back door. They just price the bug, I mean back door, in. How is this OK?

The market is going to exist and I think No More Free Bugs is certainly the right way to go. I'm just not entirely sure that Government should be a player in that market. Yes - the bad guys are going to know what they know, Governments are going to do what they do. I just have to believe that Government inflating costs isn't in the best interest of the Government or The People. And, oh yeah, the Government is supposed to be working for The People.

I'm not offering a solution, I honestly have conflicted feelings myself, I just think it's well past time to more openly and thoroughly discuss this evolving ruleset. In the meantime I'm going to do some market research on my measly security bugs - I need new furniture.

Sun, 19 Feb 2012 01:09:00 -0800
Capturing more of a rant, trying to distill it..
http://www.packetknife.com/capturing-more-of-a-rant-trying-to-distill-it

- This is not an attack on security vulnerability researchers. The
market of "bug bounties" and paid exploits for use in security
products has been generally well developed these past seven/eight
years.

- I say generally because boutique shops like FinFisher and VUPEN
indeed pay, and then keep secret, their vulnerabilities from upstream
development shoppes unless there is another customer agreement in
place. And it's somewhat suspect if even in those cases there is not
another agreement, with a Nation-State, that trumps that concern in
the name of National Security.

- When the likes of Charlie Miller, one of the most respected and
successful vulnerability researchers (and a good guy by all accounts),
takes $50k USD payouts from the United States Government for 0-days
and then also pleads poverty - something is seriously wrong with the
perceptions of what the market can bear. Even if he wasn't entirely
serious, he defends his position by saying that if he were a billionaire
software shoppe it'd be equal game against him.

- So as an industry, security just points the finger of blame at
programmers and business people. Business and programmers say security
is too hard. And as a security professional myself I actually believe
they're right, BUT they aren't right because they've actually tried and
failed. They just happen to be right, and they haven't come any closer to
a middle ground than "we" (the collective security industry) have to
providing easier failsafe pathways to security.

- So the landscape has, at least:
-- Poor architectural choices, with protocols and systems developed as
Turing complete in the worst possible places - document formats,
network management protocols, etc.
-- Poor software engineering practices on top of potentially naively
developed programming languages. Or languages developed well before
the scope of problems was understood, with installed bases entirely
too huge to undo/address comprehensively in any reasonable timeframe.
-- An installed base of legacy systems at all levels of society that
are hard to replace, are sometimes undocumented, and increasingly
connected to the Internet.
-- Ongoing business and political drivers that favor expedient
distractions and movement over long-term strategic security.
-- (Really simplifying to save pages.)

- Then you have a World with the same old problems and dynamics.
Lesser developed economies look for the fastest, most expedient way to
expand and in turn make Faustian bargains at all levels. And as their
ICT infrastructure comes into play they find a world of easy-money
cybercrime waiting for them. They also in turn host already capable
actors of questionable ethical beliefs. The hot-beds of cybercrime,
and not spam or other junk, are indeed the economies which developed
their ICT the fastest while everything else lagged behind. It's popular
to say the US is still the biggest exporter of cybercrime, but that's
been counting installed base infections (not malice per se) and spam.
Even with current Anonymous related activities it's not even
comparable to the actual underground black market of cybercriminal
wares overseas.

- Western powers respond by more traditional means to little overall
effect. Even the biggest busts have effective lifespans of days - if
that. And politics kicks into high gear with FUD and ineffectual
grand strategies that usually involve more surveillance, more control
over the Internet, less Privacy, more hardware and software ingrained
requirements, etc. etc. that increase costs, don't get adopted by the
Nation-States acting as cybercrime safe-havens, and are usually
technically impotent anyway.

- So in the end the Western responses create two beastly bodies to
deal with: One) They actually just further burden the Western
economies and development while developing tools that are being used
elsewhere to actually further disconnect the rest of the world (RE:
Wikileaks Spy Files). And the activist response is ineffective because
as the cat's out of the bag the alternative providers, from Russia and
the Far East right now, step in to take over. And Two) They erect
barriers and strange ideas of more control and isolation over an
ecosystem that can't afford to be, and really isn't going to be
easily, fragmented.

- This fragmentation and a drive toward National Intranets again loops
back into rising costs, less information freedom, fewer educational
resources, isolationism, etc. and creates a negative feedback loop for
all participants. And it further legitimizes the efforts of already
oppressive censorship regimes. So, in effect, the West has just
dramatically improved the market for this undesirable pathway
regardless. Even if they're not directly enabling troubling regimes.

- The Actors most hurt by this continued slide are those at the lowest
end of the ICT development spectrum. They now have reduced information
resources, reduced investment from the West (sometimes in direct
response to "not enabling" cybercrime), and then less integration with
the Core. And as most people understand now, that lack of integration
is the single greatest threat to International Security today (e.g. it
breeds extremism).

- So, looping full bore back to the topic at hand, you've now got
serious five and six digit sums being paid for 0-day exploits by
*Governments*. They may be single-fire opportunities, or even if they
last a while they will be discovered and, even if you release details
and patches are generated, a large swath of systems will remain
vulnerable for years to come. And even if the cyber weapon (I hate the
nomenclature but it is what it is) is sufficiently unique not
to be readily applicable elsewhere, the techniques and tactical
processes behind it are still exploitable by another adversary. This
will, it absolutely will, cause situations where you're likely facing
your own medicine.

- And as a response to that, like cybercrime response, there is more
isolationism and protectionism. Instead of open standards systems you
end up with larger scale conspiracy and grandiose edicts.

Mon, 13 Feb 2012 15:23:00 -0800
Wait - What? @TrailOfBits
http://www.packetknife.com/wait-what-trailofbits

@chriseng - Chris Eng
I find it interesting and refreshing that @trailofbits is focusing on
*defensive* services. Breakers do make the best defenders, IMHO.

@taosecurity - Richard Bejtlich
@chriseng Cool to see @trailofbits Tho, IMHO, breakers aren't great
defenders b/c they don't appreciate how operationally tough defense
is.

@taosecurity - Richard Bejtlich
In my experience, breakers can't handle the political, legal, org,
etc. straightjackets in a biz; much tighter than rules governing
offense.

@taosecurity - Richard Bejtlich
@dguido No disrespect, but have either of you been a CSO, or run a sec
team w/operational responsibilities at a company? It's different.

----

I found this (growing) exchange somewhat bizarre.

1) Now that we've drawn the C-level line between Breakers and
Defenders... exactly what is the body of huge massive successes the
Defender CSO can stand behind? And exactly how much (and what source!)
pot was smoked to come to that delusion? Seriously, have we
"Defenders" that have run all sorts of teams to date had massive
success? Do we really truly believe we haven't had leaks out the kazoo
and incidents we responded to "perfectly" that still dribbled bits
onto the floor?

2) Have you READ what Dan, Dino, and Alexander have done? Even the
most cursory review would tell you they have PATIENCE, are POLITICALLY
AWARE, have dealt with LEGAL issues, .. to do what they've published
publicly takes a particularly insightful, well researched, hard
working, patient, agonizingly detailed, and aware person.

3) Have you written a reliable exploit that works across millions of
disparate installs, networks, languages, eras, .. fsck? Even when you
try to trace the exact steps Alexander has laid out at times, you just
fsckin' piss yourself. I repeat: Even AFTER they give you the SOLUTION
it's still non-trivial to try to reproduce and understand the steps
and do something new with it at remotely close to the same scales.

Let's say for a moment you completely disregard their collective
Defensive abilities (read the rest of the timelines). What they've
brought to the table in sheer Engineering, Motivation, and Process
capabilities should be enough to go Whoa. WHOA. Yeah, they're bringing
something new to the table.

Most importantly this is about respect in an industry which seems to
have none for itself, peers amongst us, and a tendency to "eat its
young".. w/ all the charlatans running around we sure could use a bit
more recognition when serious collaborations like this come together.
And yes, I was being a bit disrespectful above myself. And we all need
to cut it the fsck out. -Ali

Fri, 10 Feb 2012 23:11:00 -0800
Programming Note
http://www.packetknife.com/programming-note

Writing will return after a side-project matures to announcement.
Hopefully before Q1 ends. In the meantime check out the Cloak &
Swagger podcast at http://mixlr.com/packetknife or RSS and
alternative downloads at https://packetknife.minus.com/. Cheers, -Ali

Wed, 28 Dec 2011 00:24:29 -0800
A quick note about Stratfor "sources"..
http://www.packetknife.com/a-quick-note-about-stratfor-sources

Why is it people think ~everything~ has to be spelled out to be
exposed? There seems to be a large population that believes that
Stratfor's various sources, collaborators, etc. will be spelled out in
email and that will be that. That's a gross oversimplification of how
sources get exposed, their awareness, complicity or lack thereof, etc.
Agencies and organizations all over the world will not only be looking
at email addresses and names but they'll be checking their logs to see
who has been talking to these newly exposed email addresses. They'll
be doing basic OSINT to find area codes and check if there is some
correlation between suspect subversives and long-distance calls.
Harvest Skype information or nyms. etc. etc. That's not even
addressing the contents of the emails, just the bloody headers. So it
annoys me, the hypocrisy, when people FREAK OUT (rightly so) about
Blue Coats in Syria but are a-OK with Anon/Anti/Lulz perhaps
indirectly exposing Syrian activists by providing a who's-who of who
they might be passing information to on the outside. Anyhow, just a
quick rant... -Ali

Sun, 27 Nov 2011 20:05:03 -0800
#InfoSec: Homer Simpson or George Washington?
http://www.packetknife.com/infosec-homer-simpson-or-george-washington

Take your pick of great strategic thinkers: George Washington, Carl
von Clausewitz, Garry Kasparov, Lord Nelson, Napoleon Bonaparte, Sun
Tzu, Herman Kahn, etc. Now, sit them at a table and have them look
over reams of InfoSec incident responses. Assuming you’ve accomplished
this time and culture travel they’ll already be well familiar with
Homer Simpson and, if we’re lucky, they’ll compare us favorably to
Homer’s professional accomplishments.

Mmmm… more blinky lights…

I find it’s useful to consider three contemporary fields in particular
when pondering InfoSec strategies and our future: Defense, Economics,
and Healthcare. And all three fields have grasped nonlinear
preventative and swarm tactics in a way InfoSec would be wise to
consider. And, like InfoSec, all three also have their snake oil
salesmen and demons to satiate.

Recently Meredith Patterson (@maradydd) tweeted about an opinion piece
in The New York Times (1) on Healthcare:

“If high touch medicine offers additional monitoring and services, how
can it save money? Arnold Milstein, now a Stanford professor,
identified physician groups that were above average in quality but
treated patients for 15 to 20 percent less money than average.

How did they do it? By preventing emergency room visits and subsequent
hospitalizations.”

I’d argue this approach is missing almost entirely in Enterprise
Security plans. Conceptually everybody talks about preventative care
(e.g. configuration/patch management, security life-cycles) and rapid
incident response. However, we discharge the patient as soon as
possible with a new gizmo hanging somewhere and pat ourselves on the
back. Only to be revisited by misery a short time later to do the
InfoSec triage over again.

Organizations need to invest in strategic long-term care of their
assets. Every response should be pervasive and prompt a re-examination
of existing architectures, controls, training, etc. Don’t scoff, it’s
really not that difficult. Your team has likely considered every
nuance in their minds more than once. Actually addressing them isn’t
as intensive each subsequent time. And, like the study (2) The New
York Times opinion piece covered, you’re going to see a cost savings
and quality improvement across your Enterprise.

When I broach this topic I usually get a range of responses but they
all circle one issue: Nobody cares about the longterm because they
won’t be there. That’s not frequently true, it simply can’t be,
because professionals need to have an accomplished and tangible record
to move on in the first place. And usually a significant body of work
to progress your career. Such a body of comprehensive and responsible
work, as I suggest above, would produce more data and metrics. It also
gives your colleagues and team more confidence in your leadership
abilities. In the respect you have for their body of work. There is
nothing an InfoSec professional hates more than to see their hard work
squandered.

Do you want your team to look at you as a Homer Simpson or a Lord Nelson?

(1) http://opinionator.blogs.nytimes.com/2011/11/16/saving-by-the-bundle/
(2) http://content.healthaffairs.org/content/28/5/1317.abstract

Homer Simpson is awesome and is © 20th Century Fox

Mon, 21 Nov 2011 16:34:24 -0800
The Tin-foil Turban: The CIA & Hezbollah
http://www.packetknife.com/the-tin-foil-turban-the-cia-hezbollah

The news today is that Hezbollah's June claims of uncovering numerous CIA
agents in their ranks, Lebanon, Libya, Iran, Syria, etc. are being
confirmed by "unnamed" sources among some half-named sources. And this
is making plenty of news in the US today, but what of Iran? Why didn't
Iran capitalize on this more in June and since? Basically because Iran
doesn't think this was a significant victory, if a victory at all.

It would seem at least some Iranians believe the US used "idiots"
intentionally to take Hezbollah and others off of the "true"
operational pathways. This is somewhat curious to me because it really
attributes a degree of strategic forethought to the US leadership. At
the same time many of these same people have berated the US for the
levels of stupidity in not understanding the Egyptian Spring, Afghani
tribal politics, or Iraq. Had anybody in this circle been tied to say,
a captured American "hiker", then it would have been a completely
different (and victorious) story. While I read and listened to the
back-and-forth in this particular chatroom two things occurred to me:

- Iranian armchair geopoliticians have their conspiracies
diametrically opposed to one another

- The Iranian "grip" on the Internet and media is more effective than I thought

It's the latter point that was more bothersome to me. Indeed it does
appear that many people inside of Iran that were familiar with tools
like Tor actually do believe, and repeat emphatically, that various
sources of software inside of Iran include countermeasures and
poisoned versions of various anonymity and anti-censorship tools. This
had come up on one of the Tor lists fairly recently and when pressed
for sample or details, nothing came of it. I also dismissed it. Now
I'm seeing/hearing it from people that should know better and again,
when pressed, they are afraid to get involved or provide evidence. And
simultaneously they had a degree of faith in this video/voice/text
chatroom? However, this time I'm having a harder time dismissing the
initial claim entirely.

Anyhow, random rambling musings of the evening. Cheers, -Ali

Mon, 14 Nov 2011 19:58:28 -0800
Adventures in #Movember and #Racism
http://www.packetknife.com/adventures-in-movember-and-racism

Anybody who knows me also knows that I have ridiculously thick and
fast growing facial hair. I've kept it a manageable goatee for most of
my life but every November I participate in Movember events. This year
I tried a different style of facial hair known as either "The Mexican"
or "Fu Manchu".

http://lockerz.com/s/155222904

My first mention of this was online via Twitter and the response was
mild and supportive. And that ended the positive reception. In the few
days since I've lost count of how many "friends" and professionals
have commented that I look "Mexican" and I should get rid of it. More
than once I was told it's "unprofessional" and, again, "it looks
Mexican"..

So I decided to ask somebody I trust from a Fortune 100 company if
this facial hair would really be a deciding factor for a position. An
excerpt of the conversation quoted to the best of my memory a few
hours later:

Him: "Yeah, of course, it looks low-class and hoodlum."

Me: "Are you talking customer-facing or just generally?"

Him: "It doesn't matter, it wouldn't go over well with
upper-management. I just wouldn't hire the person."

Me: "Even me?"

Him: "*pause* Well, I guess not, I know you though. That's not a good
comparison."

I'm honestly more than a bit taken aback. I get dressing
professionally and being clean. I understand pretty people do better.
If this happens to a professional man for facial hair that wasn't, in
my opinion, unusual.. then what the heck do women go through?!
*boggles* -Ali

Mon, 07 Nov 2011 17:54:52 -0800
#SecBiz -- Who will be InfoSec's Pariah?
http://www.packetknife.com/secbiz-who-will-be-infosecs-pariah

More so in the past three months than I remember at any time since the
'great cryptography wars' of the 90s, InfoSec has become overrun with
Fear, Uncertainty, and Doubt (FUD). Marketing pitches have somehow
moved beyond guarantees of protection against APTs straight into
Dragon Tear Mace. We're on the verge of bottoming-out and
reconstructing our collective industry souls. The next three years
will be exciting times for our industry.

And the first major breakthrough will be finding our pariahs.

Every major movement has a pariah moment that, whether remembered or
not, changes the approach of The People radically and quickly. In
environmental activism it came from Bjorn Lomborg ("The Skeptical
Environmentalist") and in military projection/geopolitics it came from
Thomas P.M. Barnett ("The Pentagon's New Map"). You can endlessly
debate the staying power and nuances of the messages but the bottom
line is that the ~way~ people thought about problems changed
significantly w/ Lomborg and Barnett.

You may not remember it well but take a good look through Google News,
LexisNexis, and Factiva. You'll notice the same, roughly, three-year
cycle whereby a small vocal group of "thought leaders" responded that
Lomborg and Barnett were idiots, naive, or liars. Then it slowly crept
into The Economist, NY Times, WSJ, etc. And finally, while
simultaneously dismissing their contributions, people started sounding
more-and-more like Lomborg and Barnett. In Lomborg's case it went so
far as institutional character assassination later rebuked/reversed by
larger Government investigations.

I think it beneficial to concentrate on Lomborg for the moment. In
particular these three books which he wrote or edited:

The Skeptical Environmentalist (2001)
Solutions to the World's Biggest Problems (2007)
Global Crises, Global Solutions (2009)

Specifics on each book's details or proposed solutions are not the key
takeaway. The key takeaway was that Lomborg and contributing authors
proposed using resource and fiscal economics balanced against
measurable metrics of human well-being as the basis for ~all~ big
decisions.

OK, so a bunch of you are going: "I do that! This is old news! Pfft,
tell me something I don't know!"..

Yeah, you're probably right. I'd wager most of my Twitter friends
actually think similarly to this already. And have for quite some
time. However, the InfoSec Industry as a whole does not. And we need a
voice or a few voices to totally shatter the "thought leaders" of
yesterday. Of today even. Who decided who these so-called thought
leaders are? Where was this committee convened? Consider for a moment
that encryption, courtesy of Bruce Schneier, is still quite frequently
considered the end-all of security. It's been nearly two decades since
"Applied Cryptography" and even Schneier can't shake this Ghost of
Security.

Here is the good news… great news actually. Lomborg and Barnett had to
come from the proverbial left field to make their impact. Our change
is evolving internally due to a pervasive awareness of bigger issues
(e.g. environmentalism and geopolitics) by practitioners in InfoSec.
Our pariahs are already in place but not well recognized outside of
our community. (I'm going to avoid naming names, unless asked
directly, simply because it'd be unfair of me to singularly nominate
some people.)

So here is what I'm proposing..

Take the community models that have driven InfoSec's greatest changes
of the past decade. In particular a fairly new entry into the
community, PTES (Penetration Testing Execution Standard), and base an
outreach program on that model. An informal to semi-formalized
committee, peer reviewing and publishing InfoSec practice ideals on an
open Wiki. Things that can translate to Congressional Hearings, DoD
Acquisition Guidelines, Insurance Riders, Mainstream Media, etc. etc.
Explicitly not built upon an existing certification or standards
group. Not ISC, not Jericho, not SANS, nobody.. something more organic
and peer driven.

A group like this can take public perception and discussion in a
better direction than either Anti-virus or new-fangled Anti-Dragon
Tear's APT Conan Swords. A group like this can hold enough weight to
temper the FUD of a few whoring repetitive messages in the press. CNN,
Christian Science Monitor, Fox, etc. need a more balanced message? We
got it. Congress needs more reasonable perspective? We got it.

Yes? Can't this be done in a community driven, organic, and
professional way? I do indeed believe so!

So who wants to put their name in the hat as a prospective Pariah? It'll
be the most fulfilling skewering you ever get. -Ali

Mon, 07 Nov 2011 14:01:31 -0800
#BSides around Tampa/St. Pete.. #BSidesTampaBay or #BSidesBeerSides??
http://www.packetknife.com/bsides-around-tampast-pete-bsidestampabay-or

Just thinking out-loud and have not contacted the BSides people (as
required) per their very clear and helpful instructions. It came up
today because a group I've worked with was offering up conference
space and telling me stories of small-ish conferences they host w/
Busch Gardens trips on the side. And immediately #BSidesBeerSides
imprinted on my brain. However, I can think of many places better than
Busch Gardens to take speakers and attendees but having that family
friendly option is always good. Rambling, -Ali

Fri, 04 Nov 2011 22:10:37 -0700
Hrmm. Lets say #OpCartel was a bad hoax. Still.... err.. this can't be good..
http://www.packetknife.com/hrmm-lets-say-opcartel-was-a-bad-hoax-still-e

A lot of people reacted the same way when the news came out that Los
Zetas had (unknowingly?) released the Anonymous captive they had, then
actually knew they had, and Anonymous (again) called off #OpCartel.
Which might be on again.

You'd be forgiven for getting mixed up and I'm confident I still am.
Oh yeah, so a lot of people went..... Say what?! Los Zetas released
somebody alive?!

(UPDATE: Meanwhile The Grey Lady updates their coverage at
http://www.nytimes.com/2011/11/05/world/americas/in-mexico-facts-blur-as-onli...
..)

So I decided to do some digging because some discussions on IRC
indicated Los Zetas actually has released prisoners in the past and
participated in swaps. However, I can find nothing to corroborate this
in the tsunami of Los Zetas news. Quite simply, the only people being
released by Los Zetas alive seem to be the upwards of three hundred
prisoners broken out of Mexican prisons w/ the help (alleged) of Los
Zetas. In news between 2008 and mid-2011, and looking across multiple
cartels and operations across Latin America, there seems to be no
reason to believe Gulf, Sinaloa, La Familia, New Republic, Beltran
Leyva, etc. (much less Los Zetas) made a habit of releasing much of
anybody alive. There does appear to be affiliated kidnap and ransom
releases further down into South America but I'm not seeing much tied
to the numerous Mexican drug cartels.

So here is my thought now... is this a lose-lose-lose for Anonymous
regardless? Even if they release nothing and back off #OpCartel
completely the coverage of this issue has been insane.

If you go to news.google.com and select "past hour" you'll notice the
Spanish language sources alone were in the 600 - 1200 range. A majority
of that is syndicated distribution of sorts but regardless, it's a
huge amount of very loud coverage. The question becomes, when it comes
to drug cartels, is there no such thing as bad press? And as this is a
compelling storyline for many, does Los Zetas have something to gain
by continuing it in a traditional fashion w/ Anonymous?

What I'm saying is... I'm not sure Anonymous and Barrett Brown can
just walk away from #OpCartel even if they want to. They might be
done-and-done but Los Zetas sets the rules and the pace in this
engagement.

I have said elsewhere and before that organizations like Los Zetas
operate more like Nation States in African war-torn regions than
anything most are familiar with. That's my longtime perception
although I won't claim any expertise. The thing about that is though,
you don't touch Nation States unless you're one. It's part of the club
rules. You can kick and scream and moan (e.g. WikiLeaks) but you just
don't touch.

I think this story gets a lot louder before it goes away. Cheers, -Ali

Thu, 03 Nov 2011 19:01:00 -0700
#EntSec pt. II -- Accepting Exceptional Mediocrity
http://www.packetknife.com/entsec-pt-ii-accepting-exceptional-mediocrity

In the opening barrage
(https://www.infosecisland.com/blogview/17677-EntSec-Not-Business-Relevant.html),
I suggested the greatest sin of security professionals is not using
their skills to produce better product for the Enterprise. Both
internal and customer deliverable product. My second point, and the
topic of this post, was stated as "Security needs to provide product,
service, and visibility to the core business" and in retrospect that
was possibly the worst way of saying "Security needs to be a selling
point for all products and services"..

Now that we've decided we're going to engage our skill set through
side-channels to help our Enterprise deliver better product, increase
our business relevance, and integrate ourselves into the development
lifecycle we're going to ~market~ our new-found Enterprise Religion to
the outside world. Marketing and Engineering won't like this, I can
almost promise that. However, when those same exact people are
customers elsewhere they fall prey to market-speak about security like
the infamous 'Military-grade encryption' gambit. So it's time we take
back our own marketing and talk about security and privacy as we
expect our own family members and professional counterparts to
practice it.

I don't know a better way of expressing this than through hypothetical
examples...

Let's say you're Zerocks and rolling out a new multi-function
copier/printer/fax/bagel toaster. Don't be afraid to talk about how
you've integrated security into the development lifecycle. Right on
the one/two page PDF put information on where they can find out about
your privacy policy for support, your security contacts for reports
and questions, your downloads for security errata. Just like the total
page lifecycle and failure rates are stated, make sure your security
message and availability is provided. You work 24/7, monitor your
email, stay up hoping not to see your company name on Pastebin.. let
them know exactly how hard you work for their security. Everyone is
going to suffer escapes, and just like technical incident response,
it's how you communicate and make yourself available to customers that
defines how they'll react to you in the future.

Now you've moved on to Jawbohn and you've created a new-fangled
bluetooth enabled health recording device. What's the security model?
How do you wipe the device? Is your on-line portal for syncing to say,
Nyke, tested regularly for vulnerabilities? All of this needs to be
clearly documented, turned into standard work, and integrated into the
marketing and support workflows across the Enterprise.

Insist on it. Insist.

I'd go so far as saying if you're interviewing for new employment talk
about these ideas and see how receptive a new employer is to raising
the visibility of their Enterprise Security department.

If you get pushback, approach it from the same perspective that
Engineers would for an Industrial product. Have you increased fuel
efficiency? Interval between regular maintenance? Etc.

In reality you've done exactly those type of improvements through your
integrated security lifecycle and participation discussed in the prior
post. Start, with humility, to take credit for it and communicate it
pervasively. This stuff matters to customers, it really does. Now, I
know that Sony and others have seemingly gotten away with massive
escapes, but that tide has shifted. It may not have reflected in stock
prices yet, but if you wait until it does, you've waited too long. It
can be a competitive advantage now and, in particular, with the key
tech and privacy savvy influencers of families, Universities, and
classmates. Respect of a brand can carry with someone through decades.
It's my belief that if you influence through Enterprise Security that
you will attract a better breed of customer and customer loyalty. This
is a worthy selling point and worth marketing. And you still don't
have to shave or put on shoes to do it.

We need a bigger piece of the proverbial pie, we simply must have it
(1), and I hope you agree that my rambling musings can help you slowly
get a bigger cut for your Enterprise Security department.

Cheers, -Ali


(1) Daniel Geer and Peter Kuper:
http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf
