Samsung Galaxy Phones Factory Reset Persistent Local Information Disclosure

A couple years back, I handed my Samsung Galaxy S1 down to a friend. When she got it she browsed the file system out of curiosity and noticed that it had retained private information; both from applications, as well as content I generated (e.g. pictures). While she promised to do a write-up of all the information left behind, she never did (flake!). This is obviously a problem for those who reset their phone thinking it is truly wiped clean, and then hand it off to a friend, sell it, or trade it in for credit.

The other day, a relative and I both upgraded our phones: he went from a Galaxy S2 to an S5, and I from a Galaxy S3 to an S5. So I figured why not check both out to see if they did the same. Cliff notes: The Samsung Galaxy S2 (model SGH-T989) ‘factory reset’ leaves a lot of personal information behind, while the Samsung Galaxy S3 (model SGH-T999) does not. It certainly does not delete your content.

Here is what I found left behind on the Galaxy S2. Directories for installed applications that were not deleted, or not deleted entirely:
\CamScanner
\foursquare
\gameloft
\Intsig
\Lazylist
\telenav
\data\flixster
\convertpad

Files:
\telenav70\sdlogs\4\22\2014042208.txt
\telenav70\sdlogs\5\23\2014052320.txt
\Photo Editor\2014-03-30 19.11.22.jpg
(personal picture)
\lookout\log.txt
\Intsig\CamScanner\.log\log-2013-12-25_21-59-09.log
\DCIM\Camera
(55 personal pictures)
\contactBackup\contacts.csv
\contactBackup\contacts.pdf
(both contain a full list of contacts: name and phone #. This is from an app that backed up contact info)
\Android\data\com.zynga.words\cache\FBImages
(three images, FB avatar pics of players)
\Android\data\com.facebook.katana\cache\.facebook_-372648771.jpg
(private image from FB)
\tmp_fsquare.jpg
\tmp_fsq
(a PNG thumbnail of avatar selected for the app)
tmp_fsquare

The Galaxy S3 (model SGH-T999) that I used pretty heavily was much better after factory reset. I found the following left behind:

\Phone\Application\SMemo
(didn’t use this app despite installing it. The files suggest private info may be available after reset)

All pictures, contact info, and information from applications are gone. So from the Galaxy S1 to the Galaxy S3, Samsung finally figured out the ‘Factory Wipe’.
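The check I would run before handing a phone to anyone is a residue audit of the external storage after the reset, rather than trusting the ‘wipe’ message. The script below is an added example, not code from the original post: it assumes the phone’s SD card or emulated external storage has been mounted read-only on a workstation at some path, walks it, and reports every leftover file grouped by the kind of data it likely holds (photos, contact exports, documents, logs). The category table and the sample directory tree are constructed for illustration, using the paths the post lists for the S2, and the hidden-file handling matters because the Facebook cache image above sits behind a leading dot.

```python
"""Audit a mounted phone storage volume for files left behind after a factory
reset. Added example, not part of the original post. Assumes the phone's
external storage is mounted on the analyst's machine at `root`; the
categories and the sample tree are constructed for illustration."""
import os
import tempfile
from collections import defaultdict

# Extensions that are almost always user content or app-generated data.
# Constructed mapping based on the kinds of files described in the post.
CATEGORIES = {
    "photo": {".jpg", ".jpeg", ".png", ".gif"},
    "contacts": {".csv", ".vcf"},
    "document": {".pdf", ".txt", ".doc"},
    "log": {".log"},
}


def classify(filename):
    """Return the category for a file name, or 'other' if nothing matches.
    os.path.splitext treats a single leading dot as part of the base name,
    so '.facebook_-372648771.jpg' still classifies as a photo."""
    ext = os.path.splitext(filename)[1].lower()
    for name, exts in CATEGORIES.items():
        if ext in exts:
            return name
    return "other"


def audit_residue(root):
    """Walk `root` and return {category: sorted list of paths relative to root}.
    Dotfiles and dot-directories are not skipped: app caches hide images that
    way, which is exactly the residue a naive listing misses."""
    found = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            found[classify(fn)].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def is_clean(report):
    """True when the audit found no files at all, in any category."""
    return not any(report.values())


def build_sample_tree(base):
    """Create a constructed layout resembling what the post found on the S2.
    File contents are placeholders; only the paths matter for the audit."""
    files = [
        "DCIM/Camera/IMG_0001.jpg",
        "contactBackup/contacts.csv",
        "contactBackup/contacts.pdf",
        "telenav70/sdlogs/4/22/2014042208.txt",
        "Android/data/com.facebook.katana/cache/.facebook_-372648771.jpg",
        "Intsig/CamScanner/.log/log-2013-12-25_21-59-09.log",
    ]
    for rel in files:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"constructed placeholder content")
    return files


def demo_report():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_residue(tmp)


if __name__ == "__main__":
    # Against a real device you would call audit_residue("/mnt/sdcard") or
    # wherever the volume is mounted (path is an assumption).
    report = demo_report()
    for category, paths in sorted(report.items()):
        print(f"{category} ({len(paths)}):")
        for p in paths:
            print("  ", p)
    print("clean" if is_clean(report) else "NOT clean: personal data remains")
```

Run it against the mount point of the card and treat anything under `photo` or `contacts` as a hard stop; a non-empty `log` bucket is worth reading too, since app logs like the navigation and scanner logs above can record locations and document names.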


Why I Love and Hate Presenting at Security Cons

Hate

I am not really a public speaker. I am nervous when I speak, even on topics I am very familiar with. Part of that is because I hold myself to a high standard for accuracy and ‘no bullshit’ given my history of calling others out on it. Just like I was right to do it to them, anyone in the audience is right to do it to me. My most recent talk has a ‘rule’ at the start that questions can wait until the end, but if I make a mistake speak up immediately. If you are right, I will correct it, apologize, and give you credit for holding me to such standards. If you are wrong, I will mock you. Seems fair! I hate dealing with AV, I don’t like dealing with cons and logistics and setup. This is partially due to past incidents where I am a registered speaker on the schedule, and have to spend 15 minutes convincing the staff I am actually a speaker and have been attending that con for a decade just to get a badge (e.g. BlackHat). Every con does a different setup, where you aren’t sure if the speaker laptop will be ‘extending the monitor’ or ‘duplicating the monitor’. This matters for those of us using ‘presenter view’ in PowerPoint. I must have my speaker notes available in most talks as I tend to include dates, numbers, and details that I can’t otherwise remember.

Love

I also love presenting, because when I opt to do so, it is fairly interesting research or perspective. My talks are not technical, they won’t help you exploit a kernel or bypass memory protection. Instead, they are more in line with a historical and unique perspective in some cases (e.g. Anonymous, Cyberwar), or specialized to something I have focused on for two decades (vulnerability databases and related matters like statistics). I fully understand that some of my topics are not for everyone. Hell, they aren’t for most of the industry as far as a talk. While they likely use a vulnerability database, they certainly aren’t interested in the minutiae that goes with it. That doesn’t really matter to me. I’d rather have 20 people truly interested in the talk listening, rather than a ‘standing room only’ situation despite half the room not knowing the material past the first slide. For those handfuls of people out there, I know my presentations are improving on the common body of knowledge.

Hate, with a Twist

My most recent presentation, 112 years of vulnerabilities, has led me to develop a new kind of hate of presenting. The first time I gave the talk was in 2013 at BSidesDE. After that, I gave it twice more; once at a community college as a favor to a friend, and at a small boutique conference at a business school of a college. In doing the talk there, the conference organizer and a professor offered to try to get a copy of the ‘Repaired Security Bugs in Multics’ from 1973. What seemed like an impossible-to-find book ended up being a 7-page paper. But she managed to get a copy via inter-library request as a professor. With that simple gesture, the vulnerabilities in Multics I had cataloged jumped from 10 to 16. Thanks A.M.!

Six months later I get to spend some of my little free time going through more historic papers and find another dealing with Multics. Not only do I find more context around material in that presentation, I find that it is actually a lot more detailed and fascinating. The incident I describe actually happened twice, once in 1979 as I outline, and years before in 1974 with different results. The time spent digging into that came shortly after giving the talk to a security company on the east coast by request. Shortly after giving the talk, which extended to two hours with additional detail, Q&A, and a mix of discussion with them, I was approached about the electro-mechanical rotor cipher machines discussed. We got to talking for half an hour where he gave me pointers and information to later research. Before I left that day, he gave me two books on military cryptanalysis from 1956 that were previously classified. Yep, just laying on his shelf, he had two tomes of incredible knowledge that might help me in cataloging the history of vulnerabilities. I’ve only had an hour or two to go through them so far. While I determined the first book had no usable information, the second is a treasure trove. A single appendix of that book appears to have information that will double the vulnerability entries I have on such machines and the compromise of their crypto systems. Thanks J.M.!

Every time I find such information, it makes me regret giving the talk. While the talks were given to show perspective and it was clear the history was incomplete, I hate that my audiences didn’t get all of the information. Doesn’t matter that I didn’t have the information originally, I feel that I should have taken more time to research all of this better. I’m both afraid and excited that every time I give this talk, someone else will come forward with a wealth of new knowledge. It is an absolute delight for the vulnerability historian in me, but an absolute dread for someone who can’t stand delivering less than a complete talk.

Moving Forward

Since the first time I delivered the talk, I have had several people tell me I should write a book on the vulnerability history I outline. There is certainly an abundance of material there, and boiling it down to a 45 minute talk has caused me to deliver the talk at a faster pace each time. Part of me wants to write such a book, and release it as a free e-book to the community. It would be fun doing so. On the other hand, it would also take months of dedicated research to finish a true preliminary overview of such history and time is a valuable commodity to say the least.

So to my previous attendees, I apologize. I certainly hope you enjoyed the talk, but I really hope you understand that this is work in progress. Work that I have been doing for a long time, and will continue to do. At some point, if I come up with a more complete work, I hope to be able to share all of it with you in some fashion.

You have a new security initiative? Great, here’s some advice…

I am getting frustrated with the never-ending stream of ‘new’ security initiatives being announced. Doesn’t matter if they are community driven, compliance-based, or ‘industry standards’. For twenty years, we’ve heard it over and over, yet things just aren’t changing.

Most of these initiatives flop. Some may make it months or even years, limping along with virtually no support. Even projects with hundreds of people involved or supporting represent such a tiny fraction on the InfoSec industry, let alone the general IT industry, to say nothing of the rest of the world. In a few cases, the ‘new’ idea might even make a slight improvement for 0.000001% of the world. At best…

Largely though, they are worthless. People sometimes even spend more time banging on the initiative war-drum than the end result. Worse, for every one announced that does any real and lasting good, another hundred end up wasting time and going nowhere.

So you want to announce a new initiative to save the world? Great! How about instead, skip the initiative name, the policy, the name, the graphics, and the rest of the things that take time from actually doing something. Don’t talk about the project day in and day out. Just do good.

If you really feel that a structured movement with lofty ambitions and a brand are required, then do good first. Show the world you are serious and capable. Announce your new initiative on the back of a big ‘win’ or change. That will demonstrate you have the drive and dedication. Come out of the gate on the back of something concrete, not fluffy bullet points that are indistinguishable from any for-profit security company or charlatan.

Yes, everyone knows you want to ‘help’ and ‘protect’ and ‘improve’ and ‘secure’. The exact same thing everyone else in the industry says, both good and bad. And like many of them, your new initiative may not deliver either.

Crossing the line on ‘appropriate’ response to a breach…

You have likely seen the news that eBay was compromised and disclosed on Wednesday the 21st, resulting in as many as 145 million customers being affected. eBay was quick to state that the criminals did not gain access to financial information, trying to allay customer concerns. Despite that, there are many aspects of the aftermath that concern people. Andy Greenberg at Wired and Madeline Bennett at The Inquirer are just two of many to write articles on “how not to handle a security breach”.

It didn’t take long for several US Attorneys General and one official in the UK to start or express interest in a formal investigation. I think it is warranted given the slow response from eBay and given that there are no details about the incident available from the company. It took them several days to finally add a banner to their site warning users to change their password.


What is disturbing is that four days later, I have not received an email from eBay warning me of this breach, while still receiving notices of random auctions ending that I am not watching. Getting notice of a breach via the news for several days, and not from the company, is bad form. In a comment made to BBC on Friday, the 23rd, eBay said:

EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
“The site is busy, but our secure password reset tool is working,” a spokesman said.

This caught my eye today as I read it just hours after seeing a Tweet from Kenn White in which he shows how ‘secure’ the password reset feature is:


Between the lack of response, slow action to get a visible password reset warning, not mandating that users change passwords, and not understanding what good password security is, I think it is time for the FTC to step in. Companies must be held accountable for the security of their customers.

Update #1: I received my breach notification letter and request to change password an hour ago, almost eight hours after posting this blog, four days after it hit the news.

Update #2: @miaubiz points out that the actual breach happened between late February and early March, leading to questions on why it took them so long to disclose.

Surprise! Guinea pigs… (the end of an era)

Almost 7 years ago (August 18, 2007), I returned from a business trip to find a guinea pig in my living room. My significant other at the time, Kay, had wanted to rescue a guinea pig or three. We had talked about it and I was willing, but wanted to talk about it more. She figured why wait. So upon returning home… surprise! Guinea pig. This turned into a steady stream of adoptions that led me to have a herd. This is an important distinction in the guinea pig world. One or two pigs can bond with their human if given a lot of attention. They will happily sit in their human’s lap and look forward to it every night. When you have more than two though, especially a lot more, they will revert to their more natural herd mentality. This is considered to be healthier by many people, but is not favorable to many owners. Why? Because pigs are prey animals, and you are perceived as a threat to them. You don’t get to bond with them and they do not enjoy being picked up. But, if healthier for the pigs, that is important so we had a herd. A few years later, Kay and I split and I decided to take the pigs. While they were her idea, it was clear that I was a better and more consistent provider for them. Even when given the opportunity to come over and help with cage cleaning, or even keep me company while I did it, she rarely showed. Eventually, she became a completely absentee parent, leaving me to care for the pigs. The following is a list of the guinea pigs adopted, in the order that they moved on. While I cared for all of them equally and to the best of my ability, two of the nine were ‘mine’ in some fashion.

The first was ‘Snickers’, aka A156576, a female Abyssinian adopted from the Boulder Valley Humane Society. One of my hesitations on adopting was that I had not taken the time to read up on them, but Kay had. Our first pig ended up not being the typical adoption. Only four years old, she had serious hair loss and complications due to a life of poor nutrition. Snickers reminded us that guinea pigs are frequently not cared for properly. I wrote a brief summary of her adoption and what was going through my head at the time. While she was not with us long, she opened the gates for more adoptions.

‘Pringle’, originally named Cerra (aka A253868), was a female American shorthair adopted from the Larimer Humane Society on March 9, 2008. Estimated to be around 4 years old, she was picked up and found to be extremely skinny (660 grams). She was surrendered to the shelter with no history other than “good with kids”. Based on her weight and appetite the first night, we’d guess she was not given hay or veggies very often. Once home, she took to most veggies instantly and slept by the hay bowl half of the night. By the next day she was energetic, standing on her rear feet wheeking happily for veggies and sleeping all over the cage. Better, she was already up to 730 grams. Her first vet appointment confirmed that she had mammary tumors which were removed successfully during surgery with a very fast recovery. After the surgery, she proved she was the perfect pig in temperament and demonstrated how pigs can recover from the worst of environments. Pringle passed on April 15, 2009 due to masses on several internal organs. She was also experiencing very minor weight loss and potentially had neurological issues (serious spasms when she slept sometimes). She went peacefully in her sleep, head on a pillow.

JuineaPig, originally Ginny aka A419947, was a female Abyssinian adopted from the Denver Dumb Friends League on December 29, 2007. When we went in, she was described as “problematic” and it took over 30 minutes for the staff to catch her because “she bites”. Given up for adoption for “recently starting to bite”, despite being almost two years old, once securely held she seemed to do fine. Due to her behavior, the DDFL had decided to pull her adoption information down and were going to declare her unsuitable for adoption. Once we gave the rundown of our current herd and ability to properly take care of her, they agreed that we could provide a good home for her. In the months after adoption, the only time she would bite is if she felt directly threatened, and even then, only warning nips. It was immediately clear that her previous owners had not given her any veggies as it took several months to get her to eat a wide variety. Since adoption, she was nothing but a sweet pig and clearly not a biter. JuineaPig passed on May 20, 2009 due to many internal complications including cancerous tumor, kidney issues, bladder stone, GI obstruction, and more. Her last two days were not very happy, but she fought as best she could.


Figlet, originally Willow aka A762196, was a female Abyssinian (likely with a Peruvian mix) adopted from the Humane Society of the Pike’s Peak Region on June 20, 2008. Originally down there to adopt another ‘female’, we found two large males with health problems. Despite correcting the shelter on the gender of the pigs, they didn’t appear to care or update the web page days later. Figlet was in a large cage by herself (good), but with half of it covered in water-soaked litter and no water in her bottle. Almost unable to hold her, we managed to get her in the carrier and bring her to the pig mansion. She integrated into the herd within hours (after quarantine) and did great. Clearly younger than advertised, Figlet was the most energetic and spastic pig we had. Even six months after adoption, she was almost impossible to hold for more than a few seconds as she tried to escape and find her own footing. Fearless doesn’t begin to describe her. Figlet passed on Oct 15, 2009 due to complications during surgery to remove a mass causing hyperthyroidism, a rare condition in guinea pigs. A full write-up of diagnosing and treating her was created to share information about this rare condition in pigs. Figlet was ‘my’ pig and I spent a lot of time trying to figure out what was wrong, and went to great lengths to try to help her live a happy life. Losing her convinced me that I was not going to rescue any more pigs myself; rather, I would continue to support shelters and rescues.

Nugget, originally Nibbles, was a female American shorthair adopted from the Denver Dumb Friends League on November 2, 2007. They believed her to be about four years old but we suspected she was a bit younger. She was our first shorthair guinea pig with a great personality and strong love for hay and veggies. The DDFL said she was “surrendered because the previous owners couldn’t afford to maintain her” which is sad, as a pig is relatively cheap to house and feed. Nugget was hands-down the most mellow guinea pig and frequently ended up being a vet buddy when one of the other pigs needed to see the doc. Nugget passed on Oct 31, 2010 from natural causes. She was a senior piggy and lived a glorious three years with me. While I can accept that logically she had already moved on and was not aware of her surroundings or had any real mental faculty, the last 45 minutes of her life were spent in my lap at 3AM having spasms. That is very hard to deal with.


Zesty, unnamed (aka A089150), was a female Abyssinian adopted from the Denver Municipal Animal Shelter (DAS) by Kay on September 7, 2007, one of three guinea pigs brought in that were apparently found near an auto repair shop, left to fend for themselves. The only female of the bunch, she was described by the staff as an ‘escape artist’ and estimated to be approximately one year old. We feared she was pregnant due to being housed with the two males she was found with, which was another reminder that despite the good intentions of shelters, guinea pigs simply aren’t well known. We soon learned that she was indeed an escape artist but fortunately not pregnant. She became the queen of the herd, and was certainly the most feisty guinea pig we had. Zesty passed on June 3, 2012 from natural causes. Based on her life history, she lived a long time all things considered.

Biscuit was a female Abyssinian adopted the same day as Zesty to provide companionship to the feisty beast. Oh, and she was ridiculously cute and mangled. Our third guinea pig at the time and first baby, adopted at only 5 weeks old, Biscuit knew no fear since she grew up in a happy home full of daily vegetable platters, endless hay, and a huge play pen to run around in. She was definitely the most tranquil pig, and knew absolutely no hardship in her life like the rest had. Biscuit passed on September 28, 2012. Sweetest of the herd, she lived a wonderful life.


Waffle was a female Abyssinian personal adoption taken in on November 16, 2007. She was ‘my’ second pig, adopted selfishly. Part of me regrets that we got her from a pet store, but I wanted one guinea pig that we knew the absolute history on and who should have no health problems as compared to the hit-or-miss you get with shelter rescues. Despite that desire, she lived her life with some respiratory issues. It never affected her, but hearing her ‘hoot’ as if congested was a constant reminder of her being in the herd. Ultimately, she lived over 6 years and her frequent breathing issues had nothing to do with her passing. Waffle was the most distinct color we had seen, a great blend of white, grey, and black, giving a ‘peppered’ appearance. Her black feet were also quite distinct and made her stand out in the herd (and a pain to trim the black nails as we couldn’t see the quick). Approximately five weeks old when adopted, she seemed to live for fresh hay more than anything else. When she wasn’t bouncing around her home she would lay in one of the hay lofts for easy access to her precious hay. Waffle reached end of life on May 9, 2014 (today) due to an intestinal tumor.

At this point, it left me with a single pig (Tater) that had grown up in a herd and knew nothing else. When Biscuit passed, Tater did not handle it well. That loss moved us from three pigs to two, which is decidedly not a herd. After three weeks, Tater finally settled down and accepted the situation and fell back into a happy routine with Waffle. With Waffle’s passing today, I fear for the worst; that Tater will realize Waffle is gone (she hasn’t as of writing this blog) and freak out. Today, she has gotten a series of extra veggies, a cob of corn, and fresh hay. I have checked on her periodically to ensure she is doing alright. In the morning, I will be taking her to Cavy Care, the only all-guinea pig rescue in Colorado. I have visited the sanctuary several times over the years and love what they do. They treat their guinea pigs exceptionally well and screen adoptions to ensure it will work. Unlike pet stores who will sell pigs to anyone, even if it is not ideal for the animal, Cavy Care will make sure the would-be owners understand what they are getting into. Tater will be given a new friend, also a senior female piggy, to live with. While it isn’t the herd, she will have companionship like she has had for the last two years. As a now senior pig, it is hard to tell when she will move on. In the last few months, she has lost over 100 grams which is considerable for a pig, and a sign that health issues are happening. I hate to take a pig to a rescue that is already over-burdened, but they understand my choice, and Tater will come with a donation and all of my supplies to help the shelter. So more about Tater…

Tater is a female Peruvian Abyssinian Silky (longhair) personal adoption taken in on April 11, 2008. The runt of a five-pig litter, she was taken from a family that had pigs living in poor conditions and mostly neglected as they “didn’t have time for them any more”. If left in those conditions, she certainly would have been housed with mom, dad, and any brothers in her litter leading to a very early pregnancy. Said to be four weeks old, we believe she was much closer to two weeks old when we got her. It only took her a few days to become extremely lively, eat any veggie she was given, and develop a great personality. She integrated faster than any other pig had, likely due to being around many other pigs early on. She received hair cuts every couple of months as her coat was too long and bulky, dragging the cage and getting mucked up. While she whines during the trimming, she becomes considerably more energetic and seems much happier afterwards.


For the last four to five years, I have been the only provider for my pigs. While Kay started the adoption spree, they lived a majority of their lives under my care. In that time I learned a lot about them. Everything from behavior quirks, to proper care, to treating odd conditions. I drove hours to ensure they received the best care possible. Every week for five years, I bought $20 – $40 of vegetables for them, special ordered Timothy Gold hay, and gave them a steady stream of chewable houses and items to keep them stimulated. I cleaned their cages every week when the herd was big, using bleach and vinegar to scrub down the ‘trays’, washed their bedding, rotated their hay, and more. I adjusted my lifestyle and social availability to guarantee they got their vegetables about the same time every night. When traveling, they had in-home sitting most of the time, or twice-daily visits if not. When the air conditioning went out, I made sure someone was here to fix it within hours, as pigs can overheat easily. The temperature in my place very rarely crossed 76 degrees for their benefit. Every month or three, they got weighed to better determine they were healthy, as significant weight change is one of two ways to diagnose problems (the other being behavioral changes). I learned of common pig problems like cysts and little growths that can be removed, as well as common problems with senior female piggies like tumors, ovarian cysts, and unknown masses. When someone in a herd wheeks, I can identify it generally as it reflects on their emotional state. I have had to separate Zesty from the herd from going on a three-hour dominance mounting spree, ‘terrorizing’ the other pigs in her way. I have almost gotten kicked out of pet stores when I overheard a sales person spewing bullshit about guinea pigs. I have sighed casually and spouted back more disturbing facts than “you know some people eat guinea pigs?” to assholes trying to shock me (they were a lot more shocked than I was). Yes, I have read more books about guinea pigs than you have, about their history and indigenous lifestyle.

This is an end of an era in my life. Not having a huge guinea pig mansion in my living room, a few feet from where I spend a considerable amount of my life. Not hearing the happy wheeking, the frenzied wheeking as a pig tries to mount another, and the general chatter of guinea pigs day in and day out. Quarantining a newly adopted pig for 30 days before integrating into the herd. Bathing a guinea pig in some cases, no easy feat. No more setting up a play pen in the living room so they could run full speed, at least while they were young. No more watching Zesty jump over the guinea pig fence, and then laughing as Nugget observed Zesty and followed suit. I remember having to buy a new set of fences that were much taller to thwart the escape artists. Biscuit running in circles in the living room, entirely too fast for my camera to capture. The many nights I would take Figlet out of the cage and put her on the kitchen counter as I prepared veggies, giving her first shot to enjoy them without contest. The elaborate veggie platters I would make for the herd. Buying wheat grass for them to enjoy, because that was like crack to them. Cutting Tater’s hair, leaving a little sprout on her forehead because it amused me.

Despite the emotional turmoil in taking care of these critters, they were definitely worth it. If you have a bad day, you can look in the habitat and see the adorable guinea pig living their life. They have their own drama and dynamics, but ultimately it gives you perspective on your own drama. Picking up a guinea pig and getting nothing but an abject reaction reminds you they keep it real.


You keep using that word… (a note on “bullying”)

As a tech editor who apparently hit the glass ceiling, perhaps my only value to the industry is reminding people what words mean. Usually that is done for the author before something is published but it is clear the industry could gain some value this time. With the terms “bully” and “bullying” being thrown around more liberally recently, it is important to remember what it really means. Like most words in the English language, that answer varies greatly. Not only with historical changes, but with social changes as words are used, reused, and co-opted. Let’s start with what Google tells us!

According to stopbullying.gov, the definition is:

Bullying is unwanted, aggressive behavior among school aged children that involves a real or perceived power imbalance. The behavior is repeated, or has the potential to be repeated, over time. Bullying includes actions such as making threats, spreading rumors, attacking someone physically or verbally, and excluding someone from a group on purpose.

Some readers are certainly homing in on this definition while glossing over an important qualifier. We are not “school-aged children” despite often acting like it on Twitter. This definition is custom-written to be suitable to kids in school that face bullies. Next up, Wikipedia defines it as:

Bullying is the use of force, threat, or coercion to abuse, intimidate, or aggressively impose domination over others. The behavior is often repeated and habitual. One essential prerequisite is the perception, by the bully or by others, of an imbalance of social or physical power.

Those same readers may now be homing in on this definition based on the last line, but it is important to note that is a two-way street. If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd. I think if you drop that last line and focus on the first two lines the definition is pretty good, especially given the next choice. According to the dictionary:

  • 1 (archaic): sweetheart or a fine chap
  • 2a : a blustering browbeating person; especially one habitually cruel to others who are weaker
  • 2b : pimp
  • 3 : a hired ruffian
  • bully verb
  • : to frighten, hurt, or threaten (a smaller or weaker person)
  • : to act like a bully toward (someone) to cause (someone) to do something by making threats or insults or by using force
  • transitive verb
  • 1 : to treat abusively
  • 2 : to affect by means of force or coercion

We can certainly agree that the archaic definition isn’t what anyone means when using the term. Similarly, a pimp or hired ruffian is probably just as archaic and not intended. Focusing on the rest you have a variety of definitions that range from “treat abusively” to the more dominant ones that include the purpose of the activity. The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who is now equating the term “bullying” with anything less than a malicious, sustained campaign of hatefulness intended to coerce or threaten is engaging in the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.

Someone stating their opinion is just that. Calling someone a name or insulting them over appearance or action makes them an ass, nothing more. They aren’t trying to coerce you, they aren’t trying to force you to do something, and they aren’t threatening you. In this country they are simply exercising their First Amendment rights. As such, you have the right not to listen to them. If someone on Twitter is saying something you don’t like, stop following them. If they are including you in the messages, block them. Add their Twitter ID to a filter so it helps ensure you don’t read anything to, from, or about them. Remember, it is a push medium that you opt into. By using the service, by following people, by subscribing to lists, or by searching for specific words, you are specifically choosing to read it.

Cliff notes for the rest of you. Simple name calling or stating opinion on Twitter is not bullying, even if it is mean and you don’t like it. Those using the term in such a fashion are the real bullies here; they are capitalizing on a social stigma and social movement to brand what has been our way of life for hundreds of years as some new form of persecution. You are trying to use social pressure to coerce us into changing our behavior. Worse, by equating simple insults and jabs with bullying, you make it harder for those who have truly been bullied to be believed. Sorry, I won’t cave in to bullies, something your crowd keeps telling us to do, ironically enough.

To finish this post, I want to answer a question put forth by someone crying “bully”:

Can my daughter take criticism? Yes but not publicly. You got to have a pretty tough skin to be able to take criticism publicly. Most of us don’t have that tough skin. I think that’s good because that usually goes hand in hand with compassion. If I had to choose only one thing missing in this InfoSec community, it would be compassion. The nonconstructive criticism is so public and so vicious that you end up missing that one nice person who is trying to offer the constructive criticism that could really make a difference. And that’s sad. That person who is trying to help gets lumped in with the naysayers, and no one benefits. Is this really the InfoSec community you want?

Yes! That is exactly what I want the industry to be. More importantly, that is exactly the type of industry our society needs. There are two aspects to this, and one of them is so entirely simple, but seems to be missed time after time.

First, the InfoSec industry has two fundamental sides: those who break things (attack), and those who fix things (defend). The entire attack (a.k.a. red-teaming, tiger teaming, vulnerability assessment, or offense) side of it is itself built on the act of tearing others down. When you perform a penetration test, you are showing how the programmers and/or IT staff have failed in some way. In some cases, you are taking years of their work and shitting all over it in a PDF or by PowerPoint with pretty colors. That million lines of code to perform incredibly complex actions to make a seamless experience for their paying customers? You tell them it is Swiss cheese, that it shouldn’t be on a production network, and that they must go back and make it better while flippantly giving them the oh-so-helpful remediation instructions of “sanitize user input”. You get paid, handsomely even, to do just that day in and day out. Did you develop software that makes that process easier? Then you are facilitating colleagues so they can more easily tear down the work of other people. This is a simple fact and how our industry operates. You are offering what you think to be constructive criticism. The developers and admins receiving the report do not think it is constructive. You are a “naysayer” and yet both sides ultimately benefit. The notion that “no one benefits” is absurd.

Second, the more emotional answer. Our industry, and society at large, need more people that are not afraid to speak their mind, tell the truth, and demand better from everyone. That is how things get fixed, and that is how we improve as a society. Your friend being a douche-nozzle? Do you think they intend to act that way? No, so you tell them in whatever terms are needed so they stop acting like one. Your customer running insecure software that would allow little Bobby Tables to expose all of their client data? You tell them so they can fix it. Your report can soften the blow a bit, but ultimately you are telling them they have failed in a spectacular fashion. This isn’t some circle-jerk hug fest. This is an industry largely based on critique, which is a vehicle to improve.

When your day job is based on leveling criticism at other people, it is your responsibility to be able to take criticism. If you release software to the world, you are a vendor so to speak. Someone reporting a vulnerability in your software is not them “picking on you”. That is them making a sincere effort to help you improve your software, just as you are trying to help your customers (or students) improve. If you don’t understand how these are fundamentally the same, then you don’t belong in this industry. That is not a threat, force, or coercion. That is a fact.

(Courtesy of memegenerator.net)

What the Harlem Globetrotters Really Teach Kids

A couple weeks ago, friends and I attended a Harlem Globetrotters game. It started out as a joke over football about underdog teams, when my friend Amanda reminded me of the poor Washington Generals. If that name rings a bell but you can’t quite place it, they are the go-to team that plays the Harlem Globetrotters. From their web page: “The Washington Generals are the most well known and recognized opponents of the World Famous Harlem Globetrotters.” The header graphic even shows a chalkboard and their amazing number of losses, with a single win. We figured it would be fun to attend a Globetrotters game and root for the Generals.

This began the descent into the ego and madness that is the Harlem Globetrotters. As a kid, you only remember black basketball players doing tricks, spinning balls, doing fancy dunks, and always winning. Yes, I used “black” as an adjective. Show me a “white” Globetrotter. This exclusion actually carries forward to present day. There are still no white Harlem Globetrotters, despite white people living in Harlem. In 2014, they still proudly boast about their ninth black female Globetrotter taking the court several times throughout the game, turning her into a feature. But no whites. We’ll get back to that in a bit.

The Generals’ web site ‘Player Opportunities’ page has an important reminder, and why we showed up to root for them. “The Generals serve an important role in the Globetrotters tours and realize the final score does not always define winners.” That is awesome, and really sums up what kids sports should be about. While I don’t think every player in a league deserves a trophy, I think that kids should be reminded that effort matters, even if they didn’t win.

But now, we have to back up again. I went to order the tickets for the three of us and noticed something. The Harlem Globetrotters were playing! Err, OK, I got that. But who were they playing? It wasn’t listed. I checked the Harlem Globetrotter page hoping their line-up would have it. Nope. I Tweeted to them asking who they were playing, asking that they bring the Generals. To this day, the assholes never answered. That level of disrespect is very telling about the organization. So I did what any logical fan would do, I called the ticket-seller and asked. I spoke with a nice young lady who checked her information and was surprised to find she couldn’t answer my question. She took down my information and said she would get to the bottom of it by calling the Globetrotter organization to find out. Hours later she called back and reported that the Globetrotters would be facing the “World All Stars”. Hrm, never heard of them, so I Googled their name. I don’t see anything on the front page indicating that is a viable option. Tack on the word “basketball” and they only show up as the 5th result, in a loss to the Globetrotters. What kind of shitty game is this where the opponents aren’t even mentioned anywhere? Where I can’t easily find out they are playing their almost 100-year rival?

The All Stars don’t have a web site. I can’t order a jersey to wear to support them. Other than “lost to the Globetrotters”, they are nothing. What the shit is that?!

So we did what any fan would do. We ordered and wore our Washington Generals clothing to the game, and we made signs to support the All Stars. To be effective, we had to make sure they would see us, so we got court-side seats.

Granted, being the cheapskate I am, there was one row of people before us. But at a Globetrotter game, that is actually a layer of protection from being dragged onto the court and embarrassed by them. From courtside, we were in a position to support our team.

Wow, they didn’t look thrilled to be here. The game started out all about the Globetrotters. They did their warm up, their comedy banter, got introduced one-by-one. When it came time for the All Stars to come in, they barely got their name mentioned. Both teams warmed up to get ready for the game. Just before the game started, Big Easy, with a microphone pinned to his jersey so the entire stadium could hear him, taunted the All Stars. The only taunt I remember was him pointing out that one of the five All Stars on the court was white, mocking him for it, and ending by laughing at him. The other nine players on the court were black. Do I need to remind anyone of the definition of racism and that it goes every direction?

The game proceeded, now with ‘fan voted rules’ that were put into effect each quarter. This included a “trick shot challenge” and a “special jersey double point” benefit. So on top of the four point rings (yes, these games have four-point shots), the player wearing the red jersey could do a four-point shot and gain eight points for it. The All Stars tried several times but only made one of them. As best I recall, that was one more than the ‘talented’ Globetrotters. Speaking of, the world famous Globetrotters have a second career as brick layers if it comes down to it. Those dumbasses threw up more bricks and missed more dunks than I have seen in my life. Yes, they missed set-up dunks where the other team wasn’t defending. Absolutely pathetic.

Halftime rolls around and the Globetrotter mascot, Globie, comes out. He did his little dance routine and entertained the crowd.

As he left the court, he pointed at Amanda’s and my Generals’ attire and shook his head. For a brief moment I thought he might take a diving leap and try to tackle us. He seemed pretty pissed we were there supporting the opposite team. That said, during the “trick shot challenge” quarter, the coach of the All Stars noticed us and pointed to us twice, smiling. At least someone recognized our efforts and appreciated some support from the crowd.

During the game, we also got to witness a variety of things that ranged from “what…” to “oh jesus avert your eyes”. It started with an All Star going to make a slam dunk, only to find the Globetrotters stripped him of his shorts and jersey in the process, leaving him in his underwear to scream out loud and run in a panicked manner toward the locker room. The Globetrotters followed this up with their “slow-mo replay” gag that not only had them reaching between an All Star’s legs and sexually assaulting him, but doing it repeatedly in slow motion. But that was absolutely nothing compared to the half-time show.

I honestly could not watch a majority of the show because of social “norms”. Seriously. They had four local dance troupes doing their dance routines to music. Each wave was full of underage girls wearing revealing skin-tight outfits, doing sexually suggestive dances. Some of their moves and gestures I have seen in strip clubs. I feared that if I watched them like any other person, someone might think me a sexual deviant in all the wrong ways. That was the most uncomfortable 20 minutes I have suffered in years. Back to basketball…

While the All Stars did their share of missing shots, like the Globetrotters, I started to take notice of the scoreboard more often in hopes they would catch up. That is when I noticed that the rigged game is more rigged than I realized. Sure, we know they are told to lose the game and that is expected. The ego-filled Globetrotters have to win, except that one time where the Generals beat them (and we’d love to know the story behind that!). Yes, the Generals’ sweatshirt I wear proudly displays their motto, “Over 12,000 losses since 1926!” Remember the four-point shots, and the bonus with the red jersey due to the special per-quarter rule announced shortly before? At least one time when the All Stars scored an eight-point shot, they were only credited with four. Because the Globetrotters were throwing up so many bricks, and missing so many set-up dunks, the score-man had to further help throw the game.

What does that leave us with?

The Harlem Globetrotters holding the bag. Kids show up and have a fun time. In reality, they leave with a long list of subtle messages driven into their head. That racism is OK because it is humorous. That the underdog can’t win, and that the name-brand will cheat in multiple ways to win. That being a female in this sport is a ‘rare thing’ and makes you a two-minute highlight during the game. That physically and sexually assaulting the opposing team is humor, not a bad thing. Is that really what our kids should be learning growing up? I don’t think so. If anyone else did this on the school playground, they might face being expelled.

That is why I proudly show up and support the opponents. I even retained the services of a local artist to make sure my signs were high-quality, because I care. Washington Generals or All Stars, doesn’t matter. They need our support to help them win their second game in almost one hundred years. I encourage you to attend your next Globetrotter game, wave signs, and proudly support the other team.

On the origins of the term ‘Hacktivism’…

This blog is not about debating the definition of Hacktivism; I will leave that to the academics and self-described hacktivists. This article is to clear up confusion on the origin of the term, and point out that Wikipedia’s handling of factual information is sketchy. Further, it will point out that the Cult of the Dead Cow (cDc) happily went along with the notion that they coined the term, when they did not. Even when it was clear that their own dates and stories didn’t line up, that didn’t dissuade them from keeping up appearances.

The Wikipedia entry on Hacktivism currently states that the term was coined by cDc:

The term was coined in 1996 by a Cult of the Dead Cow member known as “Omega”.[2] However, similar to its root word hack, hacktivism is an ambiguous term (computer hacking is tied to several meanings).

There is no other reference to the source of this term today. If you look back at the page on prior dates, that isn’t the case. On May 17, 2013 we see:

The term itself was coined by techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang published in InfoNation in 1995.

This line was added by ‘Orb Weaver’ on July 23, 2009 with this edit. It was deleted by ‘Pkinnaird’ on May 20, 2013 with this edit. The notes for the edit say:

(Removed references to destructive activities since they are well described in cyberterrorism article. Clarified that the word ‘hacktivism’ is contentious and removed most discussion of hacktivists as cyberterrorists since that is a separate notion.)

This looks like an innocent edit, removing a long list of ‘hacktivism’ incidents and changing it to a few short examples. However, in doing so, this effectively killed any reference to a prior source of the word. In short, this edit is very irresponsible. I would cite you the purpose of Wikipedia and something along the lines of “factual”, but curiously enough that is not part of the mission statement. While you may quickly associate “develop educational content” as being factual, that is simply not the case. Look at the battle in the US over schools teaching evolution versus creationism. No matter which you believe in, the other safely becomes “developing educational content” as a valid argument.

The line about Omega of Cult of the Dead Cow was added on November 22, 2011 with this edit and a change message of “Term coined in 1994 by “Omega” of the Cult of the Dead Cow Hacker collective.” At the bottom of the page, the first reference is “Hacktivism and How It Got Here”, a Wired piece by Michelle Delio from July 14, 2004. Note that Delio is not known for quality journalism and was let go from Wired due to serious issues surrounding her sketchy sources and fabrications. From Delio’s article:

But no one called technology-enabled political activism “hacktivism” until 1998, when cDc members Omega, Reid Fleming and Ruffin were chatting online and were, Ruffin said, “bouncing some wacky ideas around about hacking and political liberation, mostly in the context of working with Chinese hackers post-Tiananmen Square.”
“The next morning Omega sent an e-mail to the cDc listserv and included for the first time the word hacktivism in the post,” Ruffin said. “Like most cDc inventions, it was used seriously and ironically at the same time — and when I saw it my head almost exploded.”

Interesting that Delio says it was coined by cDc in 1998, citing cDc member Oxblood Ruffin in her 2004 article, yet Wikipedia said 1994. In a different interview with Elinor Mills from 2012, Ruffin was quoted as saying it originated in 1996. The Wikipedia page has cited this source for most of the page’s history, but has changed years to mention 1994, 1996, and 1998. In most cases, Ruffin’s story is the same about the term originating in an email between cDc members, but he apparently has never provided a copy of this email to journalists or made it public. It is clear that Ruffin is not a reliable source on this and is likely doing it to subvert the media, a stated objective of cDc.

An Earlier Origin

As mentioned above, Wikipedia once attributed the term differently:

The term itself was coined by techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang published in InfoNation in 1995.

A couple years ago I tried to reach out to Jason Sack to confirm this. My early attempts at reaching him did not work due to finding one email address that he no longer used. Last year, Space Rogue reached out via a different email address and got a response. We both asked Sack if he could dig up the original article and send a copy. Since he only had a copy in print, it took a while to find it, scan it in, and send it to us. But he did. As suspected, and as the original sourcing in Wikipedia says, he uses the term ‘hacktivist’ in 1995 under the pen name ‘Jason Logan’. A year or three before cDc supposedly did. Courtesy of Jason, the cover of the InfoNation magazine along with scans of the article are available as a more definitive reference (click thumbnails below for full size). As the author of this blog, I cannot update Wikipedia to correct the errors in it due to a conflict of interest. Someone else out there will have to do it.

(Scans: InfoNation cover and article pages, November 1995)

CNN, the TSA, and the ‘Theatre’ of Terrorism

News flash from CNN a few minutes ago:

Terrorists may try to hide explosives in toothpaste or cosmetics tubes, U.S. warns airlines flying into Russia.

A law enforcement source said the warning is based on new information and added that there is no known threat to the United States.

Wait a minute! For ten years now, Americans have had to limit toothpaste and other toiletries in their carry-on bags. Why exactly did we have to do that? If there is “no known threat to the United States” today, then why isn’t this silly restriction lifted? The original cause of this restriction was a hypothetical scenario from a consultant or academic I bet, not known cases of this being used. Even now, if we banned all toiletries including toothpaste, it would be trivial to sneak a significant amount of gel onto a plane.

Further, are they really saying that terrorists would be flying into Russia, via the U.S.? Come on, geopolitics 101 says that is absurd when there is more than a fair share of terrorists already living in proximity to Russia that would not require air travel.

Not only do we live under silly policies that enforce the illusion of anti-terrorism, but we are constantly reminded of how absurd they are. Yet, we still can’t manage to get rid of them and use tactics that have a long track record of actually working.