A Samsung Galaxy 8, Phantom Notifications, and @Tmobile’s Dreadful Support

This is a blog of two topics. The first, a brief technical explanation of a problem with my Samsung phone after an upgrade to Android 8.0 (Oreo) pushed by T-Mobile, the subsequent debugging, and hopefully help for anyone else experiencing the issue. The second, my horrible experience with T-Mobile Twitter-based tech support.


On April 2, T-Mobile pushed an over-the-air update for my Samsung Galaxy 8 (G8) phone. In addition to a routine Android security patch level update, it also upgraded the phone to Android version 8, code-named Oreo. Shortly after the update, I started getting what I called ‘phantom notifications’, between one and six of them every hour or less. These were audible notifications that didn’t correspond with any discernible event on the phone, sometimes in quick succession. Over the course of a week, there were a few times where an icon would appear in the notification bar for a split second, making me think it was related to a specific event, but I couldn’t figure out what. I engaged with T-Mobile on Twitter, and they offered some ideas. Here is everything I did to debug and figure this out, based on their questions and my own ideas.

  • T-Mobile: SMS App Clear Data/Cache (I suspected it may be related to SMS)
  • Me: Full power cycle
  • Me: Changed default notification to determine if the phantoms are using system notification preferences (they are)
  • T-Mobile: Verify Notification Reminder functionality = OFF
  • T-Mobile: Verify no wireless/bluetooth/NFC turned on during phantoms
  • T-Mobile: Clear cache partition on phone via Debug menu
  • Verified software versions for all functionality (‘About Device’)
  • T-Mobile: Verify all apps are updated via play store
  • T-Mobile: Verify no apps from unknown sources
  • T-Mobile: Enable Developer options (did not change anything)
  • T-Mobile: Device Maintenance showed no app crashes, no hint of a problem
  • T-Mobile / Me: Phantom notifications do NOT vibrate, while SMS is configured to (so not SMS)
  • T-Mobile: No SD card in phone
  • T-Mobile: Uninstall Samsung Health (they suspected app causing this, that app isn’t on the phone)
  • T-Mobile: Backup SMS and clear all of the messages
  • Me: DND mode suppresses the phantom notifications (observation)
  • T-Mobile: Confirm I did not download ANY new apps on Sunday (day before update), Monday (day of update), or Tue – Thur (after update)
  • T-Mobile: Confirm the last time my phone worked w/o phantom notifications was Sunday and Monday before the patch (and every day prior since buying the phone)
  • Me: twice out of hundreds of times, i have seen a ‘health monitor’ type icon appear in notifications for a split second when it happens
  • Me: One-by-one disable app notifications, wait for phantom. process of elimination = found the offending app = PROBLEM SOLVED

Naturally, it was the last app on the list I had notifications enabled for. “Weather & Clock Widget for Android” by Devexpert.NET, which worked fine on Android 7.x, started causing these phantom notifications on Android 8.0. Uninstalling and re-installing did not fix it. The only reason I had allowed notifications from this app, is it would put the current temperature in the notification bar at all times. Blocking notifications for this app didn’t allow this behavior, but also stopped the phantom notifications. No factory reset needed.


Part 2; My dreadful experience with @Tmobile tech support via Twitter DM.

First, this isn’t the first time I have Tweeted and had them reach out via DM, offering support. I don’t recall having a good experience with them before, and this time certainly takes the cake on a poor experience. I am writing this up as a warning to others who might go this route, and as feedback to T-Mobile so they better understand what it is like on the customer side, and offer some tips for improving.

Perhaps the biggest problem with T-Mobile Twitter support, is their system for interacting with customers appears to be designed to resolve issues very quickly. I can’t speak to their workload, average customer engagement time, etc. But for a case like mine? I went through 22 different people over the course of seven days. On April 8, there were nine different people that cycled through to ‘help’ me. On April 7, while working with Reggie (who happened to be the only one out of 21 that I felt was truly helpful), he said he needed to AFK for 15 minutes for break, implying that someone else would take over. By that point, I knew I had already gone through seven others, so I told him I would happily wait until he returned. This high turnover rate on support staff worked against the process entirely for my case. Each time, the new person had to try to read the thread and figure out what was going on, and they rarely skimmed the thread it seemed. When I was offered a summary of my problem by the new person, it was typically wrong or left out important bits. T-Mobile needs to better identify problems that can’t be solved in ten minutes, and keep one or a few people on the case for consistency. When a customer repeatedly asks for a specific support person to re-engage, listen to them. Here is the list of people I dealt with:

  • Apr 3 – Joel Bannister
  • Apr 3 – Harley Sumida
  • Apr 3 – Ruben Hernandez
  • Apr 3 – Dee Medina
  • Apr 3 – Zach Ricketts
  • Apr 3 – Kimmi Smith
  • Apr 3 – Victor Loya
  • Apr 7 – Reggie Reese
  • Apr 7 – Harley Sumida
  • Apr 8 – Lauren Chan
  • Apr 8 – Pete Harman
  • Apr 8 – Marva Biggar
  • Apr 8 – Sora Yi
  • Apr 8 – Marva Biggar
  • Apr 8 – Kate Tomallo
  • Apr 8 – Lauren Chan
  • Apr 8 – Meghan Parks
  • Apr 8 – Eddie Gough
  • Apr 8 – Scott Degelman
  • Apr 8 – Ray Butler
  • Apr 9 – Dee Medina
  • Apr 9 – Mike Perez
  • Apr 9 – Alex Kimbrell
  • Apr 9 – Zach Ricketts
  • Apr 10 – PoxMaphixat [1]
  • Apr 10 – Kyle Saragosa
  • Apr 10 – Scott Degelman

[1] This was the only person that didn’t appear in Twitter DMs with a real name shown by Twitter:


The next bigger problem I faced, is that T-Mobile’s documentation for their support staff is out of date. It’s as if they had never debugged an issue on a Galaxy 8, despite them selling it for half a year. During the ordeal of figuring out my problem, I ran into several times where support failed related to this:

  • Apr 3 – Document for changing SMS message sounds is outdated, not correct for G8 (you apparently can’t on this model)
  • Apr 3 – T-Mobile said to set up a notification log for debugging purposes, yet G8 removed that functionality (ridiculous)
  • Apr 7 – The location of the ‘build number’ to enter developer mode is different on the G8 than previous models
  • Apr 7 – They asked me to go to the ‘Security’ screen in options, yet on the G8 that is ‘Lock Screen and Security’
  • Apr 7 – T-Mobile diagnostic data said ‘apps from unknown sources’ was enabled, my screen said it was disabled
  • Apr 8 – They asked me to check the ‘Samsung Health’ app (there is none, apparently part of the ‘Activity Zone’ app, but that function is disabled)
  • Apr 9 – T-Mobile kept telling me a factory reset is the way to fix this, despite it not necessarily working
  • Apr 10 – T-Mobile told me a factory reset is the way to go AFTER I solved the problem (WTF?!)

After having to correct the T-Mobile support staff this many times, and figure out how to find what they were looking for, it shows an obvious gap in their support ability. As someone who wrote my fair share of technical documentation, I cannot stress how important this is.

As mentioned above, when a new support person steps in, they have to skim the thread to catch up. One person told me that they take extensive notes to alleviate that problem, but after most of the new people offering me a summary got major parts wrong, I don’t think that is the case. Even if they do take notes, I think they are not consolidated, not done in a way for easy transition of the case, and generally convoluted. This causes the support staff to repeat the same things, ask the same questions, and waste customer time.

Next, T-Mobile needs to make sure their employees understand policy. Compare:

  • Apr 3 (Vinny) – “Thanks a bunch for remaining engaged with us at T-Force today, my name is Vinny and I’ll be taking over from here, as Krystn, as she had to step away.”
  • Apr 3 (Joel) – “Thank you so much for reaching out to T-Force! My name is Joel and I will be your #MagentaExpert!”
  • Apr 3 (Ruben) – “I hope you are having an amazing day. My name is Ruben and I will be taking excellent care of you and all of your concerns/questions today.”
  • Apr 3 (Zach) – “Thanks for sticking with us here. My name is Zach, and I’ll be taking over from here.”
  • Apr 7 (Reggie) – “I do want to introduce myself, my name is Reggie and I will be your #MagentaExpert today.”
  • Apr 8 (Meghan) – “My teammate had to step out for a quick meeting but my name is Meghan and I’ll be taking over to provide you with excellent service!”
  • Apr 8 (Eddie) – “Fun fact, Since T-Force is a team and constantly changes to ensure that customers always have support 24/7 we are not supposed to share our name since it already shows on the message.”

After support staff introduced themselves by name six times, Eddie came along and said they aren’t supposed to share their name. He further points out that Twitter shows their name (in the native web interface, not in Tweetdeck BTW), and yet that isn’t the case either as seen by “PoxMaphixat” above.

While some that interact with T-Mobile may say they are really ‘nice’, to me, that isn’t the case. Their overboard attempts to portray a fun and friendly atmosphere are insulting and a waste of time. Throughout the week, I was assured that they were there to help and resolve my issue, while not reading the prior messages, not understanding the issue, and bouncing in and out of my ticket to the point it was difficult keeping up with them. The phrase they loved to over-use, “I will be your #MagentaExpert!” is a joke. Seven days to figure out my problem, and they never did, I had to. Other phrases they love to say, adding fluff and not actual support, while not reading the thread and repeating the same things over and over:

  • I absolutely want to be able to help you in any way that I can!
  • It’s great seeing you here today. I hope you are having an amazing day.
  • That is an awesome question and definitely not something I am familiar with, but we can definitely work together to look into it!
  • I honestly want the best and fastest resolution for you!
  • Thank you for taking time out of your day on this!
  • Here at T-Force, we value customers time and always want to get them the best resolution possible without wasting their time.
  • We’ve got your back! (T-Mobile needs to remove this from their playbook, it is insulting.)
  • I really appreciate you reaching out and working with T-Force today.

Overall, I need a lot less of this fluffy wording, and a lot more I didn’t quote, and more actual support. If you have to keep telling me you “have my back” and want to give me the “best resolution possible”, you are convincing me you aren’t good at your job. We expect customer support to do that already.

Apr 3 (Joel) – “If you prefer to not do that, then you always have the option to back up the device and reset the software completely.”
Apr 3 (Zach) – “Can you please tell me if you’ve completed a master reset on the device since the update?”
Apr 3 (me) – “If a ‘master rest’ means a ‘factory reset’, that may be a deal breaker.”
Apr 3 (Zach) – “Typically, if there are any bugs that come across after an update, which this one may just be, a factory reset would be the best possible solution, as inconvenient as it can be to set everything up again.”
Apr 3 (Kimmi) – “In those instances the only fix I’ve been able to locate based on user feedback is a factory reset of the device.”
Apr 3 (Kimmi) – “Unfortunately the only option we have at this time is to complete the reset.”
Apr 3 (Victor) – “The master reset would be a great way to fix the issue in case it’s just some sort of temporary issue. ”
Apr 7 (Reggie) – “By no means do I want to tell you that you absolutely must do this, but in the end I want to respect your time and I feel like at this point the Master reset might fix the issue permanently whereas what we have done has demonstrably had no effect on the issue at hand.”
Apr 7 (me) – “If a factory reset is the answer, then I walk from Tmobile and go on a social media campaign to dissuade people from using Tmobile, because that is just sloppy programming and a complete breakdown of tech / customer support.”
Apr 8 (Marva) – “I know Reggie mentioned a master reset and that seems to be the only thing we haven’t tried up until this point, is that correct?”
Apr 8 (me) – “Safe mode has not been tried, and a reset, the nuclear option, is out of the question.”
Apr 8 (Sora) – ” I know that you do not want to do a master reset … I totally follow your logic; I do want to mention that if the software update is giving this error, then a master reset does allow the software to be restored on your phone properly.”
Apr 8 (Marva) – “The next step in troubleshooting is to complete that master reset.”
Apr 8 (Kate) – “The Master Reset sounds nuclear, but truly is the faster and cleanest resolution available.”
Apr 8 (me) – “As I said earlier this week, a factory reset means I will no longer be a T-Mobile customer, and will blog about this entire mess, that T-Mobile sent faulty software and could not debug it, and now is pressuring me to go that route while ignoring my direct questions about Samsung Health buginess, that icon that shows sometimes, and my desire to explore that route. That said, do you still think a factory reset is the right option instead of pursuing valid leads that may fix this without a reset?”
Apr 8 (me) – “From there, process of elimination can tell likely tell us which app is causing them. No safe mode, no factory reset. Please add this to your CS playbook.”
Apr 8 (Eddie) – “With the awesome software that we have nowadays, a master reset is the best option since there’s a high chance the bug will be deleted, and your information will be downloaded onto your phone within less than one hour if it’s backed up”
Apr 8 (me) – “Ugh, STOP. Do not recommend a factory reset to me again. I just gave a viable option to better figure this out that will take a few hours, and you go back to factory reset, after I have REPEATEDLY said that is a nuclear option and I a) will not do it OR b) do it and no longer be a tmobile customer.”
Apr 8 (Eddie) – “I just wanted to assure you that we are going to be here for you until we get a resolution. Never wanted to tell you that you should do a master reset.”
Apr 8 (me) – “I mentioned I found a new solution to this kind of problem, to add to your play book. And you immediately recommend a factory reset despite me REPEATEDLY saying ‘no’. You understand no means no right? I am tired of being told why a master reset is the option, and I am *more* tired of Tmobile reps not reading why it is NOT necessarily the right option, why it is NOT a guarantee it will fix anything.”
Apr 9 (Alex) – “If so, have you installed them and reinstalled them? Those are the first two steps, so let me know how that goes!”
Apr 9 (me) – “Two? There were *19* people on the Tmobile side during the course of this investigation, all of who gave up and told me to factory reset.”
Apr 9 (Alex) – “Now, I know we mentioned a master reset was something we should try.”
Apr 9 (me) – “Pretty much confirmed, “Weather & Clock Widget for Android” by http://Devexpert.NET is the one causing the phantom notifications. Uninstalling and re-installing it to start.”
Apr 9 (me) – “Uninstall & Reinstall did not fix it. So there is some weird issue between the app and the Oreo update. I can get around this by disabling notifications for that app, which only makes it so I don’t get the temperature in my notification bar. With that, I have figured it out after 6 days, and without a factory reset, which half a dozen or more of your agents kept telling me to do, over and over and over…”
Apr 9 (me) – “I also explicitly said last night to STOP telling me to factory reset.”
Apr 9 (me) – “I have asked half a dozen times and every single one of you jerks ignore me. Focus on THAT problem instead of a factory reset.”
Apr 9 (me) – “With that, I have figured it out after 6 days, and without a factory reset, which half a dozen or more of your agents kept telling me to do, over and over and over…”
Apr 9 (me) – “At this point i am 99.99% sure I have this resolved, again, without a factory reset.”
Apr 10 (PoxMaphixat) – “Resetting the device and processing a warranty exchange is our last resort. Which would result in a device that is fully reset as well. This might be the thing we would need to do since we’re not able to resolve this phantom issue.”
Apr 10 (me) – “Not only have i solved the issue, I have said repeatedly NOT to recommend a factory reset to me, and you assholes keep doing it. NO MEANS NO.”
Apr 10 (Kyle) – “We can see that you’ve invested a lot of time with these issues on your phone and wanted to avoid going through the previous steps that’s you’ve already done, which is why we were looking at the master reset as a last resort … So our troubleshooting steps would basically be the master reset as well though I Samsung may have more support on what’s going on with this app.”
Apr 10 (me) – “Seriously? You suggest a master reset AGAIN when I have said over and over NOT to tell me that? I solved the phantom notification issue without a reset,”
Apr 10 (Kyle) – “I would reach out to Samsung as I completely understand your concern regarding the reset and they would be able to support the app even further. Does this make sense, Brian?”
Apr 10 (me) – “You said ‘reset’ again. How can I be any more clear here? Never, EVER, not a single time, EVER tell me to factory reset my device. Don’t even mention the word ‘reset’, let alone ‘master reset’ or ‘factory reset’. I honestly feel like there is a den of rapists and molesters working at Tmobile, who don’t understand what the word ‘NO’ means. Does this make sense, Joel / Harley / Ruben / Dee / Zach / Kimmi / Victor / Lauren / Pete / Marva / Kate / Meghan / Eddie / Scott / Ray / Mike / Alex / Zach / PoxMaphixat / Kyle?”

After this? Scott said ‘reset’ once more shortly after my last message. This is the text-book definition of the worst customer support that can be offered. A customer specifically says, over and over, not to recommend a bad support option (the factory reset). Yet, T-Mobile kept recommending it every single time. It gets to the point where it is a trigger word for me, because it clearly shows the support person didn’t read the prior messages. It means that the support staff didn’t leave a message for the next person not to bring up a factory reset. Worse? I SOLVED the technical issue, without a factory reset, and said as much. T-Mobile’s solution? Keep recommending a factory reset anyway, when it was clearly not needed. This is hands-down the worst customer service you could possibly offer, and completely insensitive to a customer. I don’t really care where the breakdown happened, other than it happened half a dozen times, but when a customer says “do not do $thing“, you should NOT do $thing. No questions, no arguments, no equivocation. Yet T-Mobile ignored that basic point, that basic understanding of the tenets of customer support. 18 separate times, reset was their answer, three times after resolving my issue.

My next advice for T-Mobile is to embrace an old classic of customer service. Over six days, interacting with 21 different support people, after repeated complaints about many of them, no manager stepped in. At least, no one identified themselves as a manager, no one exhibited any signs they were a manager, and absolutely no one made it a point to get me a resolution other than the empty “we’ve got your back” lies. Imagine going into a Taco Bell and talking with 21 employees trying to resolve a problem, that your Mexican Pizza was missing ingredients or not cooked, and that entire time no manager stepping in to ensure you got a properly prepared and cooked food item. To me, the customer, those scenarios are no different.

Finally, the bigger picture. I engaged support for one problem, the phantom notifications, which I eventually resolved myself. During the process, T-Mobile asked me questions that highlighted other problems. Despite figuring out the original, I left the engagement with two additional problems that they did not resolve. First, I asked how to disabled ‘Bixby’ completely, and they couldn’t help. Like so many other things, they didn’t understand the software, and/or their documentation wasn’t updated. I had to tell them to disable it per their instructions, it required creating a Samsung account. You actually can’t access the real settings of that malware without creating an account. That is atrocious and just bad design. Second, when we went down the road of the occasional phantom notification icon that I saw, it led us to the ‘Samsung Health’ feature within ‘Activity Zone’. On my phone, it says “tap here to get started” and tapping there does nothing. T-Mobile never helped with that, and after specifically asking them to half a dozen times, they told me to talk to Samsung.

Two more bonus observations, that came up during this ordeal. First, the T-Mobile software update downloaded over 4G, not WiFi. It used to prompt you if you wanted to wait for WiFi and this time it did not. Second, I mentioned that T-Mobile was still sending SMS notifications to me before 9 AM, and one of the support people were gung-ho saying that was not right, they would take my complaint to the top! Well, good luck there, since the last time I brought that issue up on Twitter it did go to the top, all the way to the office of the executives. Nothing ever came of it and I still get text messages from them before 9 AM. If you are going to grab that flag and head on a crusade on my behalf? Maybe consider better helping fix my original problem first.

So, T-Mobile, I have given you a wide variety of ideas for improving customer support. It is in the context of a support case you can easily reference. These ideas are very much in line with many other support services offered by similar services and companies. It’s time for you to up your game.

Advertisements

Ad-hoc Charity Type Things

Last month, I decided to an ad-hoc charity drive via Twitter. I did it figuring I might get a handful of donations between $5 and $25 dollars and would help out some animal charities. Boy was I shocked.

Right out of the gate, Steve Syfuhs donated $35 to the ASPCA for directly helping them previously. Almost at the same time, Steve Ragan donated $130 to Greenwood Wildlife Rehabilitation to help over 3,000 wildlife they get there a year. Wildlife rehab shops are vanishing around the U.S. as they don’t receive any state or federal funding, and rely entirely on donations and fundraising. Along with Ragan’s donation, ‘Priest’ (@imyourpriestt) donated $75 to the Georgia Society of for the Prevention of Cruelty to Animals.

With the ‘Steves’ quickly donating, I decided that at least three people would receive something from me in return for their generous donations. Before that Tweet could land, Doc Panda showed that he donated $50 to the Tiny Paws Pug Rescue, which is epic because Pugs are epic. By this point, I was working on expanding the rewards and decided that first place would get a box, not an envelope, and kept baiting for more donations. Then it hit, someone donated over $300 to a charity as part of this ad-hoc contest.

That donation to Cavy Care is amazing, because it is run by two people out of their house, with help from volunteers on weekends primarily. In the past, they have had as many as 150 guinea pigs that needed care for various reasons, usually because they are adopted as a pet for children, and they aren’t suitable for kids despite that notion. Guinea pigs are rarely adopted from animal shelters as they tend to be adults with unknown provenance or age. Cavy Care provides a sanctuary for these guinea pigs, and adopts them out very cautiously to ensure that the gpiggie finds a forever home. Cavy Care was pleasantly surprised at the sudden huge donation!

One Friday night, five amazing people, and $623 donated to charity in exchange for stickers originally. I think I sent out three boxes of stuff to the top three, and large envelopes to the other two. I cannot thank these people enough, and I hope that more will follow in these footsteps. InfoSec tends to draw large salaries. We all love our toys and our lifestyles, me included. But I think it is important that we stop a few times a year and look to help others that could benefit from our generosity.

(Disclaimer: Lebowski was not included. I would not ship that glorious beast.)

Before you publish your end-of-year vulnerability statistics…

TL;DR – The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017.


I’ll try to keep this fairly short and to the point, but who am I kidding? Every year for a decade or more, we see the same thing over and over: companies that do not track or aggregate vulnerabilities decide to do their own review and analysis of disclosures for the prior year. Invariably, most do it based on the publicly available CVE/NVD data, and they do it without understanding what the dataset really represents. I know, it seems simple on the surface, but the CVE dataset is not easily understood. Even if you understand the individual contents of the export, you may not understand how it was created, what shortcomings there are, what is missing, and what statistical traps you face in digesting the data. Just doing the basic parsing and automated ‘analysis’ of that data via your tool of choice (be it grep or something fancier) means very little unless you can disclaim and properly explain your results. Either way, follow along with the advice below before you publish your ‘vulnerability stats for 2017’ please!

So let’s start with the basics of CVE data analysis. Begin by grabbing the latest CVE dump, a gzipped CSV file, that represents MITRE’s CVE dataset. Note, this is different than the exports NVD offers and welcome to the first hurdle. While the base vulnerability data is 100% equivalent between the two, NVD does additional analysis and creates metadata that is useful to many organizations. NVD provides CVSS scoring and CPE data for example. The relationship between CVE and NVD is interesting if you observe it over time, where it used to be a clear ‘MITRE publishes, a day later NVD publishes’ relationship. For the last year or two, NVD will sometimes open up a CVE ID before MITRE does for various reasons. This also gave way to Bill Ladd observing and writing about how the Chinese National Vulnerability Database (CNNVD) is actually opening up CVE IDs faster than both NVD and MITRE. Consider that for a minute and understand that the relationship between these three entities is not straightforward. Then consider the relationship between many other entities in the bigger picture, and it gets even more convoluted.

See? You start by grabbing a data dump, a paragraph later you have the start of disclaimers and oddities as pertains to the larger CVE ecosystem. Next, decompress the CVE dump so you have a CSV file to work with. Now, before you eagerly start to parse this data, stop for a moment. Did you do this same analysis last year? If so, great! Do you understand what has changed in the last 18 months with regards to CVE and more specifically MITRE? If you can’t quickly and readily answer that question definitively, the kind of changes that are the first in almost 19 years for the program, reconsider if you should be commenting on this data. In case you missed it, Steve Ragan published an article about MITRE / CVE’s shortcomings in September of 2016. The article pointed out that MITRE was severely deficient in vulnerability coverage, as it has been for a decade. Unlike other articles, or my repeated blogs, Ragan’s article along with additional pressure from the industry prompted the House Energy and Commerce Committee to write a letter to MITRE asking for answers on March 30, 2017. When a certain board member brought it up on the CVE Board list, and directly told MITRE that their response should be made public, MITRE did not respond to that mail in a meaningful manner and ultimately never shared their response to Congress with the CVE Board. It is important for you to understand that MITRE operates CVE as they wish and that any notion of oversight or ‘Board’ input is only as it is convenient to them. The board has little to no real influence over many aspects of MITRE’s operation of CVE other than when they set an official vote on a given policy. Additionally, if you point out how such a vote that impacts the industry is not adopted by certain entities such as CNAs, many years down the road? They don’t want to hear about that either. It’s up to the CNAs to actually care, and fortunately some of them care very much. Oh, you know what a CNA is, and why they matter, right? Good!

OK, so you have your data dump… you better understand the state of CVE and that it is so deficient that Congress is on MITRE’s case. Now, as experienced vulnerability professionals, you know what this means! The rubber-band effect, where MITRE responds quickly and disproportionately to Congress breathing down their neck, and their response impacts the entire CVE ecosystem… and not necessarily in a good way. So welcome to the second half of 2017! Because it took roughly a year for the Congressional oversight and subsequent fallout to strongly influence MITRE. What was their response? It certainly wasn’t to use their abundant taxpayer funded money to directly improve their own processes. That isn’t how MITRE works as I far as I have seen in my career. Instead, MITRE decided to use their resources to better create / enhance what they call a “federated” CNA system.

First, spend a minute looking at the ‘federated’ term in relation to CVE, then look at the use of that term in the recently edited CNA Rules. Notice how the use of ‘federated’ in their context appears to have grown exponentially? Now check the definition of ‘federated’ [dictionary.com, The Free Dictionary, Merriam Webster]. While sufficiently vague, there is a common theme among these definitions. In so many words, “enlist others to do the work for you“. That, is quite simply, what the CNA model is. That is how the CNA model has meant to work from day one, but this has become the saving grace and the crutch of MITRE as well as the broader CVE ecosystem in the last few months. On the surface this seems like a good plan, as more organizations and even independent researchers can do their own assignments. On the downside, if they don’t follow the CNA rules, assignments can get messy and not as helpful to organizations that rely on CVE data. One thing that you may conclude is that any increase in CVE assignments this year may be due, in part, to the increase of CNAs. Of course, it may be interesting to you that at least two of these CNAs have not made a single assignment, and not disclosed any vulnerabilities in prior years either. Curious why they would be tapped to become a CNA.

OK, so you have your data dump… you know of one potential reason that there may be an increase in vulnerabilities this year over last, but you also know that it doesn’t necessarily mean there were actually more disclosures. You only know that there are more CVE IDs being assigned than prior years. Next, you have to consider the simple numbers game when it comes to vulnerability statistics. All CVE IDs are created equal, right? Of course not. MITRE has rules for abstracting when it comes to disclosures. Certain criteria will mean a single ID can cover multiple distinct vulnerabilities, and other VDBs may do it differently. It is easy to argue the merit of both approaches, so I don’t believe one is necessarily right or wrong. Instead, different abstraction rules tend to help different types of users. That said, you will typically see MITRE assign a single CVE ID to a group of vulnerabilities where a) it is the same product and b) it is the same type of vulnerability (e.g. XSS). You can see an example in CVE-2017-16881, which covers XSS vulnerabilities in six different Java files. That is how they typically abstract. Search around for a couple minutes and you will find where they break from that abstraction rule. This may be due to the requesting party filling out separate requests and MITRE not adhering to their own rules, such as CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, and CVE-2017-15571. Then you have to consider that while MITRE will largely assign a single ID to multiple scripts vulnerable to one class (e.g. CSRF, SQLi, XSS), their CNAs do not always follow these rules. You can see examples of this with IBM (CVE-2017-1632, CVE-2017-1549) and Cisco (CVE-2017-12356, CVE-2017-12358) who consistently assign in such a manner. If you think these are outliers that have minimal impact on the overall statistics you generate, reconsider that. In keeping with their abstraction policy, IBM issued two advisories [#1, #2] covering a total of nine CVE IDs for unspecified XSS issues. If MITRE had assigned per their usual abstraction rules, that would have been a single ID.

OK, so you have your data dump… and now you are aware that parsing that dump means very little. MITRE doesn’t follow their own abstraction rules and their CNAs largely follow different rules. So many hundreds, likely a thousand or more of the IDs you are about to parse, don’t mean the same thing when it comes to the number of distinct vulnerabilities. That is around 10% of the total public CVE IDs issued for 2017! OK, forgetting about that for a minute, now you need to consider what the first part of a CVE ID means. CVE-2017-1234 means what exactly? You might think that 2017 is the year the vulnerability was disclosed, and the 1234 is the unique identifier for that year. Perhaps. Or does 2017 mean the year the vulnerability was found and an ID requested? The answer is yes, to both, sometimes. This is another aspect where historically, MITRE made an effort to assign based on when the vulnerability was discovered and/or disclosed to a vendor, not when it was published. Under the old guard, that was an important aspect of CVE as that standard meant more reliable statistics. Under the new guard, basically in the last two years, that standard has disappeared. Not only do they assign a 2017 for a vulnerability discovered and disclosed to a vendor in 2016 but published in 2017, but also they assign a 2017 ID for a vulnerability discovered and disclosed in 2017. Worse? They are also now assigning 2017 IDs to issues discovered and disclosed in previous years. If you need examples, here are MITRE-assigned (as opposed to CNAs that do the same sometimes) 2017 CVE IDs for vulnerabilities disclosed prior to this year; 2016, 2015, 2014, 2013, 2011, 2010, 2008, 2004, and 2002. Notice the missing years? Some of the CNAs cover those gaps! Note that there are over 200 cases like this, and that is important when you start your stats. And we won’t even get into the problem of duplicate CVE assignments that haven’t been rejected, like the first two assignments here (both are invalid assignments and that CNA should know better).

OK, so you have your data dump… you’re ready! Let loose the scripts and analysis! While you do that, I’ll save you some time and math. As of December 24, 2017, there are 18,251 CVE identifiers. 7,436 of them are in RESERVED status, and 133 are REJECTed. As mentioned above, 238 of them have a 2017 ID but were actually disclosed prior to 2017. So a quick bit of math means 18,251 – 7,436 – 133 – 238 = 10,444 entries with 2017 CVE IDs that were disclosed in 2017. This is an important number that will be a bit larger if you parse with Jan 1, 2018 data. This should be your starting point when you look to compare aggregated disclosures, as captured by CVE, to prior years. Based on all of the above, you also now have a considerable list of disclaimers that must be included and explained along with whatever statistics you generate. Because MITRE also stopped using (1) consistent (2) formatting to (3) designate (4) distinct (5) vulnerabilities in a CVE ID, you have no way to parse this data to actually count how many vulnerabilities are present. Finally, know that Risk Based Security’s VulnDB tracked 7,815 distinct vulnerabilities in 2017 that do not have CVE coverage.

Cliff notes? The CVE dataset does not allow you to determine how many vulnerabilities were disclosed in 2017. Hopefully this information helps with your article on vulnerability statistics!

John Thomas Draper: Setting the Record Straight re: Blue Box

The tl;dr cliffnotes: John Draper was not invent the Blue Box.


In April of 2015, several years after Phil Lapsley published “Exploding the Phone” giving a detailed history of the early days of phreaking, I wrote a blog largely based on that book to clear up long-standing rumors and mistakes in a variety of publications. John Draper, despite reputation, had not been the first to discover the whistle in Cap’n Crunch cereal boxes in the late 1960s. Recently, an article by Kevin Collier stated that Draper “invented the ‘Little Blue Box,’ an electronic device to better imitate the signal. In 1971, Draper showed his design to two fans, Jobs and Wozniak, who, with Draper’s blessing, began selling an improved version.

Other articles and publications have varying takes on this, some more neutral and accurate, some even more outlandish. For example, recent articles covering John Draper’s sexual misconduct mention his history and why he is well-known. Ars Technica says that he “helped popularize the ‘Little Blue Box'” and the BBC says he “went on to create a ‘blue box’ that generated other tones“. In the case of Ars Technica, that is certainly accurate historically. In the case of BBC, the wording may be taken to some that he created it, as in he was the first to do so. Another example of wording that implies Draper was the first can be seen in a Computer World article from 2011, that says he “then built the phone phreaking tool called blue box that made free calls by making phone calls appear to be toll-free 800-number calls.” Interesting, to me at least, Wikipedia gives a general history of the device, but does not definitively say who invented it.

Perhaps worse, books about computer crime and security get it wrong, and worse than wrong. In “Cybercrime: Investigating High-Technology Computer Crime” by Robert Moore, he clearly states the blue box was “invented by John Draper“. Perhaps the worst example I have seen is in the book “Mobile Malware Attacks and Defense” by Ken Dunham in which he attributes not only the blue box to Draper, but also all of “telephone hacking” when he built it.

Like my blog two years ago, I turn back to ‘Exploding the Phone‘ by Phil Lapsley, a book that I cannot speak highly enough about. Through his extensive and exhaustive research, along with years of interviews, his history of phreaking is comprehensive and fascinating. By using a few key bits from the book, we can quickly see the real history and origin of the blue box. It also makes it crystal clear that John Draper did not invent the blue box. Like the whistle, he did it years later after friends told or showed him the basics.

From page 51, the start of a chapter titled “Blue Box”, it tells the story of a then 18-year-old named Ralph Barclay who read the November 1960 Bell System Technical Journal which contained an article titled “Signaling Systems for Control of Telephone Switching”. After reading the article, Barclay figured out that it had all of the information required to avoid using a pay phone to make a call, and that it could be done “directly”. By page 56, Lapsley describes how Barclay build his first box over a weekend, in an “unpainted metal enclosure about four inches on a side and perhaps two inches deep.” Barclay realized fairly quickly that he needed the box to do more, and as described on page 57, he built a new box because he “needed multifrequency“. “His new device was housed in a metal box, twelve by seven by three inches, that happened to be painted a lovely shade of blue. Barclay did not know it at the time, but the color of his device’s enclosure would eventually become synonymous with the device itself. The blue box had just been born.” This was in 1960 or 1961 and represents the origin of the blue box.

On page 87, Lapsley tells the story of Louis MacKenzie who also spotted the vulnerability based on the 1960 Bell Systems article. MacKenzie went to AT&T and offered to tell them how to fix the ‘blue box’ vulnerability, for a price. When AT&T declined, “MacKenzie’s attorney appeared on the CBS evening news, waving around a blue box and talking about the giant flaw in the telephone system.” By that point, advertisements for blue boxes could be found in some magazines, including the January 1964 issue of Popular Electronics. Thanks to AmericanRadioHistory.com, old issues of Popular Electronics are available including the January 1964 issue! On page 115, we can see the advertisement:

Further along in the history of phreaking, Lapsley covers John Draper’s story related to the blue box. On page 151 it sets the time frame: “Now it was 1969 and he was John Thomas Draper, a twenty-six-year-old civilian.” Page 154 tells the story of when Draper was asked by friends who had already been ‘blue boxing’ by using an electronic organ, to build them a box.

Teresi and Fettgather wanted to know if Draper could build them a multifrequency generator – an MFer, a blue box, a portable electronic gadget that would produce the same paris of tones they were making with Fettgather’s electronic organ. Draper said he could.

He returned home in a state of shock. “I had to build a blue box,” Draper recalls. And that night he did. It was a crude first effort that was difficult to use. It had seven switches: one for 2,600 Hz and six to generate the tones that made up multifrequency digits.

Draper’s first blue box was built in 1969, around eight years after Barclay had built his first unpainted ‘blue box’, and his second box that was actually “a lovely shade of blue“, giving the phreaking tool its iconic name.

Bonus:

To further set the record straight, Lapsley tells the story (p220 – 221) of Steve Wozniak, who “had his [blue box] design worked out” and “was particularly proud of a clever trick he used to keep the power consumption down so the battery would last longer” in 1972. After Wozniak had built his own blue box and refined it, he and Jobs then met John Draper for the first time. While the three traded “blue boxing techniques and circuit designs”, Draper did not show them how to do it, did not show them their first box, or introduce them to the concept.

New attrition.org stickers! [Big Update!]

2017-10-12 Update: A kind benefactor and generous soul in the industry has sent $126 to me, to cover the cost of the entire sticker batch. Pretty sure this was their way of saying “you write too much, not reading your stupid blog”. In return, I am sending them an unsolicited envelope or box of shit (their address was part of the conditions of me accepting the money). Per their wishes, I am also now giving away the next ~ 100 stickers. I had already sold 33 and sent out an additional 26 to long-time supporters and friends. So… to share someone else’s wealth; email me your address if you’d like a sticker. Just one of the new attrition stickers, and I will probably throw in some other random sticker or two. First 100 or so to mail get them. email jericho@ my domain / twitter handle. If you can’t figure that out, no sticker for you.


In the last few weeks, I randomly poked Twitter to see who wanted stickers. A day later, I sent ~ 25 people an envelope of stickers, including an original Attrition sticker I made… 5 years ago? And a lot of hot new stickers from Risk Based Security. Long time fan of Attrition, Ming Chow, received an unsolicited Box of Shit. Once he received it, he posted a great video and some pictures of the unboxing so you can experience it too! I sent envelopes to Canada, the United Kingdom, Germany, Ethiopia, Australia, and Zimbabwe even! I also sent a large envelope of random flat junk to a con organizer in India, so he had a few give-aways for the attendees. That night of “i’ll mail a few stickers out…” ended up being ~ $70, but I am sure it brought a world of joy to the recipients! Long story short… the original stickers are finally gone.

So… I figured it was time to create a new batch, a better batch. Like last time, a somewhat limited batch, of only 300 stickers. I think the original batch was maybe 1,000 stickers, but B&W, so they lasted. This batch is smaller, but color (SCIENCE)! Due to recent changes in my life, I can’t throw money at drugs, hookers, and stickers so flagrantly. As such, I will be selling off part of this batch to recoup the cost of making them. This is good for everyone, especially me, but also means that if they go fast I am more likely to do this again. My goal is not to profit on this really, just to offset the cost so that I sell some and am free to give away the rest… likely five years down the road in a rum-fueled Twitter night. If you really want a sticker, best to grab one now. The last sticker give-away was over a couple hours one night, and many replied a day later “hey wait, I want some!” This is where you Google “race condition“.

In the interest of transparency, here are the numbers. You can figure out if this is a scam or if the stickers are overpriced.

300 Stickers
126 Base Cost (USD)

0.42 per sticker
0.03 per envelope
0.49 per stamp (domestic)
1.10 per stamp (international) =
0.94 base cost to mail one sticker domestically, or 1.55 to mail one sticker internationally

Like any legitimate retailer, I get to add “shipping and handling“! Since shipping costs are above, the ‘handling’ fee is where I get my real markup or something. If I sell 150 stickers for $2 each, then I will make $113 if half are domestic and half are international. Pretty sure more will be domestic, meaning I am closer to the $126 base cost of the stickers. To make this easier on me, since I still have to write out the envelope, get stamps, and curse you while doing it all… bottom line? I will sell 150 stickers at the following price points:

$2 for one new attrition sticker (domestic)
$3 for one new attrition sticker (international)

If you want additional stickers, I will do up to three per person, but each additional sticker is $1 though (greedy mofos). I’ll make a few bucks this way, but maybe not even enough to recoup the cost of sending out the last batch of stickers, boxes, and uber-envelopes. I’ll also be more prone to create a new batch of stickers in the future if this works. No promises. If you are still reading, then you get the information you really need! If you want new stickers, pictured below, here is the price guide:

$2 for one new attrition sticker (domestic)
$3 for two new attrition stickers (domestic)
$4 for three new attrition stickers (domestic)

$3 for one new attrition sticker (international)
$4 for two new attrition stickers (international)
$5 for three new attrition stickers (international)

If you are still interested, send the money to paypalus_at_attrition_dot_org with some indication this is for ‘stickers‘ as opposed to “hot cyber 1993 style“, and include a shipping address. If you are still concerned that I might make a few bucks, consider I also donated over $10,000 USD to charity in the last four years, so fuck you. Finally, if you do purchase any, they will get mailed out fairly quick, but I won’t be in line at the post office at 8am like a savage. Since I have no way to control this via a blog and Paypal, and I am too lazy to do this via eBay, if you are too late in ordering and I have already sold the first 150, I will refund your money. I’ll also try to update this blog to indicate the status of sales. If enough of you are crazy and I come home tomorrow night to way more than 150 stickers sold, I’ll probably send them all out and just order a 2nd batch of these.

I wanted to support the Red Cross during Harvey… (but I can’t, so I need alternatives…)

File this under “blogs I didn’t expect to, or want to write tonight”.

With hurricane Harvey causing incredible damage and distress to Texas, many of us are looking for ways to help. I’d love to be down there in a boat rescuing animals or humans, bringing free bottled water (as opposed to the horrible alternative), or other forms of support. For those not able to make that commitment, we fall back to supporting charities that are on the ground helping. Tonight started out simple enough:

08-29-2017 21:43:38 Lyger: have you donated anything to any hurricane relief fund?
08-29-2017 21:44:09 jericho: not yet
08-29-2017 21:44:17 jericho: if i do, likely Red Cross
08-29-2017 21:44:38 jericho: may do ASPCA, looks like they are doing relief efforts specifically for animals
08-29-2017 21:44:50 Lyger: was wondering about both of those
08-29-2017 21:45:03 jericho: RC is kind of ‘old faithful’ in that regard
08-29-2017 21:45:03 Lyger: let me know if you do. if reasonable, i’ll match

First, know that I am not only one who donates to charity who is careful where we donate, but I have learned the hard way that not all charities are created equal. I’ve also pointed out how so many of them waste considerable money trying to solicit more donations. I’ve advocated for everyone who will listen to tap into Amazon’s excellent program for giving to charity via your own purchases. I’ve also considered this at a slightly more abstract levels, on smaller amounts, because I really believe that people in a position to help should do so. Please, before you come down on me for warning someone away from charity or Red Cross specifically, I have been very clear it is about supporting charities doing the work you support. In this case, I just wanted to find which charities are specifically helping hurricane Harvey victims, and how.

I started by showing Lyger what Red Cross looks like under Charity Navigator, which is a 501c3 that I support too. With 90% going to program expenses, that is excellent, despite a 3/4 star rating (the CN star rating is more nuanced).

However, things went downhill after that. Start by Googling for “red cross harvey” and you get somewhat expected results:

Follow the links and you get the Red Cross donation page for Harvey:

Unfortunately, this is basically “give us money” with no supporting evidence for what they are doing during Harvey specifically. On the side bar we get a video though! Ignoring the culturally insensitive message suggesting that Hispanic kids have to read a book to figure out who their mother is, we see a building with cots and displaced families, but not a single Red Cross volunteer (the person speaking is almost certainly not a volunteer, as is the person filming them). The blankets and shots are strategic showing a good mix of people, Red Cross branded blankets, and… not much else. The man they briefly interview, I personally don’t think he fully understands if the person that saved him or his family were affiliated with the Red Cross, just that he is grateful that his family was rescued.

At the end of the video, the nice lady encourages you to visit their web site (see screenshot above, that is all the info I could find), or call 1-800-RED-CROSS (800-733-2717). Ignoring the web site issue, and I didn’t pay attention to the number, I called the first number I found on their site: 1-800-HELP NOW (1-800-435-7669). Since I called the ‘Help Now’ number, it wasn’t the intended line to find out more information on how Red Cross is helping during Harvey, which is my fault. But I called, and the nice gentleman I talked to tonight was confused why I would ask about the Red Cross relief efforts (?!). Once I explained and he understood, he told me to call their ‘main line’, 1-800-733-2767 (RED-CROSS). I called that and got an interesting voicemail/routing lineup:

1. Opens with ‘call 911’ or call Houston coast guard if in life threatening situation
2. If experiencing flooding, they give advice to avoid attics, etc.
3. If calling from TX visit redcross.org/shelter or press 1
4. if calling from LA ..
5. To continue in español ..
6. Press 0 for all other inquiries
A. If you are calling about a blood donation, press 1
B. If inquiring on training and certification, press 2
C. To make a financial donation, press 3
a. For all other inquiries press 0 and you will be connected with to the next available representative, you can also visit redcross.org for more information
b. press 0
c. Options for Red Cross / Armed Forces liason
d. Disaster Assistance
e. Else, call back during regular hours

I spent the time trying to find out what the Red Cross is doing during hurricane Harvey, and I am left confused and wanting more information. Again, before you start telling me that of course they are good, wait a minute. The Red Cross took in over half a billion dollars in 2015 via “Contributions, Gifts & Grants“, and ultimately $2,726,672,619 dollars total. That is 2.7 with a B.

I am not saying the Red Cross doesn’t do amazing work, I know they do. I have done the same level of digging tonight in prior years for other disasters and been content they do good things. I have seen videos, first-hand accounts, and a wealth of information showing how they helped. What I am saying is that the Red Cross has completely failed in their social media campaign during Harvey. They are letting down the people they are helping, their countless volunteers who do wonderful work, and their supporters looking to make sure that money donated today goes to help the crisis we’re facing today.

My advice is that Red Cross continue helping during Harvey, but seriously re-evaluate their social media and fundraising efforts afterwards. Consider that my go-to charity to learn about charities, gave a pop-up about how to support during Harvey. And if you scroll down any given page, when the pop-up appears, it shows how you can help in their eyes based on data:

This is clever and helpful and I honestly wish this was a banner at the top of their site right now. That said, clicking on it is revealing in the context of the above. Consider the charities they recommend and where Red Cross places on that list. Of course, verify those other charities ranked higher are actually helping the crisis we face today, just as I tried to do with the Red Cross tonight. Please… make sure that if you donate, your money goes as far as possible. Doesn’t matter if it is $1 or $1,000, just make sure it counts. In the mean time, I am going to keep researching to find a charity I feel will deliver the most good during this incredible time of need, and look to donate tomorrow. Thank you.

20 Seconds to Comply; 17+ Years to Get It Wrong. From “Roboguard” to “Steve”!

Recently, news broke of a robot security guard lovingly nicknamed “Steve” who drowned in a fountain in the lobby of the building he was sworn to protect. The various Tweets and news articles jumped all over it, with articles anthropomorphizing Steve and headlines such as “Security guard robot ends it all by throwing itself into a watery grave“.

No surprise, but workers in the building set up a “touching” memorial for Steve on his charging plate, further anthropomorphizing him. It’s hard not to care for and feel sorry for poor Steve, who likely roamed an empty building with modern access controls and no real threat, other than a wayward janitor who lost his RFID badge.

While the Internet is enjoying and mourning poor Steve, everyone seems to forget about old ‘Roboguard’! Unfortunately, like most media outlets, even “New Scientist” doesn’t preserve links and evidence like a scientist would. These asshats don’t even clearly list a date on their articles (posted to ISN on Aug 31, 2000). Thanks to the Internet Archive, if we go back far enough we see the article but without pictures, likely because “New Scientist” didn’t want to preserve anything back then, like they don’t today. I don’t think “science” means what they think it means.

Not sure if Asimov would be laughing or rolling in his grave.

A View Into DEF CON 25 CFP…

First, this post is not sanctioned by DEF CON in any way. I am a member of the CFP team who decided to keep some rudimentary statistics on the submissions this year. I did this to give the team a feel for just how many submissions we got, how many talks we accepted, and primarily to track the way we voted. This greatly assists the powers that be (the amazing Nikita) to more quickly determine which talks are well-received. Every day that I kept up on the spreadsheet, the more ideas I had on tracking. Other team members said “you should track…”, and I typically did. So this blog is to give some insight into the entire CFP process, with a solid slant on statistics about the submissions.

First, a few basics:

  • DEF CON 25 CFP opened on February 01, 2017
  • DEF CON 25 CFP closed on May 01, 2017
  • 17 talks were submitted after closing date and were considered for various reasons
  • We received 536 submissions
  • Three of the submissions were retracted by the end of CFP
  • BlackHat received 1,007 submissions this year for comparison

Next, who are we? There were technically 31 DC CFP reviewers this year, and you can read their fun profiles now (mouse over stuff here and there, call it an Easter egg)! Ten of them are considered ‘specialty reviewers’, where they typically review talks on a very specific topic such as ‘social engineering’ or ‘legal’. These are generally topics where the submissions are either too numerous and potentially murky to figure out if they are worth accepting (social engineering), or a topic that most of InfoSec aren’t really experts on, even when some of us are the #1 armchair lawyer in InfoSec. The specialty reviewers are expected to review their topic only usually, while a few are open to review multiple topics. That means there are 21 reviewers who are expected to review ‘as many talks as you can’, understanding that we may DEFER on a given submission if we feel it is out of our wheelhouse, and remembering that this is extremely time-consuming and we all have day jobs. Some of us have night jobs, and some of us have social lives (not me).

Every year we come up short on reviewers who are truly qualified to give solid feedback on a given topic. This year DC CFP put out a call for more volunteers and we hit a bit of gold, getting several new reviewers who are quality and put in a crazy amount of time. Next year? We know there are topics we need help on, so if you are sharp, kind of special(ty), or the top of your game in a popular field… come join us. I can’t stress how important this is. Instead of just working on a talk or doing a thing, you have the ability to help influence the presentations given at a conference with some 20,000+ attendees. That is a lot of power, a lot of influence, and the potential to do a lot of good. Personally, that is why I still sacrifice the incredible time I do.

Shout outs! The only way to start this paragraph is to call out Nikita for handling almost all CFP submission related emails. Incoming submissions, replies saying “you didn’t follow directions”, second-attempts, replies saying “no really you ‘brilliant hacker’, you didn’t read our guidelines”, posting them to the CFP platform, watching for the CFP team to say “I have questions” and us largely forgetting to flag it back to her, her following-up with the submitter, repeating several times in some cases, posting their replies, looking for the CFP team to ask more questions… hopefully you get the picture. The amount of work she fields in a three-month span, just related to CFP, is insane. I say that as someone who has worked more than 80 hours a week in this industry for the last twenty years. Oh, did I mention that she also voted on 60% of the talks? While five ‘full’ reviewers voted on less talks than her.

A plea! If you didn’t see the numerous Tweets and requests to get your talks in early, I cannot emphasize how much it benefits you, more than us. When a talk comes in during the first few weeks, it gives us plenty of time to not only review and ask questions, but to give feedback in the way of suggestions. In some cases, one of the team will break away from the board and work with the submitter to improve their submission. This year, I did that once with someone who’s original two submissions garnered a single yes vote. After working with them and giving feedback on how to combine the talks and hone in on the areas of interest, the re-submission received 12 yes votes and zero no votes. In an ideal world, that would happen for every submission, but a significant number of talks are submitted the last two days.

Meaningless numbers! Because our industry loves to work with statistics that they don’t fully understand or have little meaning without serious caveat and disclaimer (PPT), let me throw out a few. For the 536 submissions we received, the CFP team voted yes 1,223 times, no 3,555 times, maybe 186 times, deferred 945 times, and abstained 54 times. Again, we defer if we feel that a topic is not one we can fairly judge based on our expertise and rely on the rest of the team to review. We abstain when there is a potential conflict of interest: if we work with the submitter, we contributed to the submission, or have a negative personal past with the submitter.

Meaningful numbers! We requested feedback from the submitter 125 times and changed our votes 61 times. Working with us to answer our questions, willingness to accept our feedback, and work with us to build a better presentation benefits everyone. As Nikita tweeted, more than 60 of the accepted talks were from first-time DEF CON speakers. Given there were ~ 110 accepted talks (and 422 rejected), that is quite a lot. It is encouraging to see this many new speakers given some of the past submissions from egotistical industry veterans that felt they deserved a speaking slot on the back of a weak submission, simply because of “do you know who I am?!”

More meaningful numbers! Of the 536 submissions, 185 (34.77%) said they would release a new tool. Only 56 (10.53%) of those submissions said they would release a new exploit, and some of those claims were questionable. It is common for people submitting to DEF CON to also submit to BlackHat and/or BSidesLV. This year, 218 (40.98%) of those submissions were also submitted to BlackHat and 65 (12.22%) of them were also submitted to BSidesLV. For various reasons, often around the ability to get to Las Vegas, some submitting to BlackHat will submit to DEF CON but say that acceptable at DEF CON is contingent upon acceptance at BlackHat. This year, 36 (6.77%) talks were submitted to us with that caveat. In a somewhat arbitrary categorization, overall I felt that 200 (37.31%) of the talks were ‘red’ (offensive), 88 (16.41%) were ‘blue’ (defensive), and 38 (7.09%) were ‘black’. By ‘black’, I mean that the topic really had little merit or benefit for red-teaming and were really in the realm of criminals.

Even more meaningful numbers! Some of the most basic stats that can be generated for your ocular pleasure. First, these are arbitrary categories that were developed as we received submissions. Nothing formal and some talks were hard to classify:

From there, I broke it down further by some topics that aren’t necessarily specific to the red or blue domain. Again, kind of arbitrary and based on seeing the submissions as they came in and note that one talk may have been flagged as more than one topic:

When building a schedule over four days and across five tracks, while considering if it is better to suggest a talk for a village or alternative venue (e.g. Skytalks), Nikita has to play Tetris of sorts based on the accepted talks, the requested time, and the schedule. This is what she had to work with:

One of the more popular questions this year after an increased awareness and public discussion around diversity in InfoSec, is the gender breakdown for submissions:

Finally, a general picture of the submissions by month. Recall what it looked like for the April breakdown above and you once again get a good idea why we would like more submissions earlier in the process:

Finally, a quick note on a common perception for InfoSec conferences and talks in general. Given the drastic rise in the number of conferences popping up, there is a saturation that demands more submissions to fill the schedules. That means that veteran speakers can typically shop their talks around or be selective in where they submit based on the venue they find appealing. That also means more new speakers are submitting which results in a wide range of topic and quality of submissions. That led me to argue this Tweet and remind people that a conference can only work with what is submitted. Personally, I feel that the overall quality of submissions to DEF CON (and a couple other conferences I review for) have gone down this year and last. That means that DEF CON ended up accepting some talks that I personally did not care for.

Bottom line? If you are researching a cool topic, submit a talk on it. Have a unique perspective or done more digging on something? Share your work. Never submitted before? Submit early and let us work with you if you need it. If a security conference is lacking, it is due to the community as much as anything else.

It’s 2016, why is rotating a video such a pain?

How many times have you quickly shot a video on your phone and not rotated it for landscape? It happens too often and we see these videos all over social media. I sometimes forget to do it as well, or portrait is more in line with what I am shooting. So, I want to quickly rotate a video 90 degrees sometimes. Should be easy, right?

I’ve asked friends and social media before, but I asked again last night and got a lot of great input. My criteria were very simple, but I did not specify platform; I want to load an MP4 video, rotate it 90 degrees, and save it. I didn’t qualify it, but my expectations are that it would not lose quality, it would keep the original MP4 format, and that the process was “one-click” (or close). While I have plenty of history using Linux, going back to CLI graphics tools to do this is not ideal for me, but I considered those options.

  • @cl suggested Windows Movie Maker – It will rotate trivially, but saves your MP4 as WMV and the quality drops noticeably.
  • @TCMBC suggested mencoder – A command line utility, part of MPlayer. So it is not trivial (download, configure, compile, figure out CLI syntax), but it does rotate. Yet, the quality drops noticeably.
  • @viss suggested ffmpeg – A command line utility and graphics library, not so trivial. It did rotate, but the quality drops noticeably.
  • @viss suggested The ‘Rotate My Video‘ web site – It is a bit slow for file upload and conversion, but very easy to use. It played the video correctly in my browser, but when I saved the video the final copy was not rotated.
  • @DeviantOllam suggested (in DM) the Rotate Video FX app for Android – I thought the UX wasn’t intuitive for starters. It did rotate the video for immediate playback, but no apparently way to save the new video back to the device. Sharing it brings up the usual Android options, but uploading the video to google drive and the video was not rotated.
  • @elkentaro suggested Apple’s QuickTime Player – Even with his reference which is outdated, there is no apparent rotation function. Even the ability to save a file is now ‘Pro’ only.
  • MegaManSec suggested ImageMagick ‘convert’ utility – this didn’t work and gave me a nice reminder of the old ‘terminal flash attacks’ from the early 90s.
  • @DeviantOllum suggested Virtual Dub but warned me that some versions handle MP4 and some don’t. Thus, I didn’t try it.
  • @Grifter801 suggested VLC but qualified it “just for viewing”.
  • @mehebner suggested Open Shot Video Player but said it is Linux only, which isn’t convenient.
  • @cl suggested iMovie but it is Mac OS X only, which isn’t convenient.
  • @cl suggested Facebook but he isn’t sure you can save after. I am fairly sure you lose quality though.

The final recommendation, and the one that worked the best for me, is Handbrake suggested by @bmirvine. The upside is I had it installed (but an old version) and am familiar with it to a degree. The best part about conversion is that the video does not lose any quality. The downside is trying to figure out the ‘Extra Option’ argument to rotate is a raging mess, as seen on this thread. I found that using “, –rotate=4” as the extra option worked for version 0.10.5.0 64-bit (latest as of this blog). The only other annoyance is that Windows won’t show a thumbnail of the newly saved video for some reason. [Update: with a newer version of the K-Lite codec pack, the thumbnails render fine.]

There are my quick testing results. I hope it helps. I’d like to give a big round of thanks to all who contributed ideas late night. Reminds me that Twitter has some value and isn’t a cesspool of insipid political tripe. =)

The Problem with Facebook…

Maybe that was a bit of a ‘clickbait’ title, since the list of problems with Facebook is epic, tragic, and depressing. So let’s go with, “tonight’s example of an ongoing problem with Facebook”.

One of my biggest gripes about the social media platform is that after all this time, they still do not give us a simple way to view posts chronologically. At some point in the past, they introduced an option to supposedly to that, but it was done via a URL argument and not a user-friendly GUI widget. I’ve used that option to view Facebook to this day, and it is still horrible. Why? Because as you think you finally get the holy grail of simplicity, it is still weighted… just less so. Meaning you are more annoyed when some crappy post pops up four times that day.

OK, so they want weighting and control to deliver the posts your friends make, as they see fit. That means you never see some posts you absolutely want to see, while seeing other posts multiple times a day. Their algorithm has nothing to do with standard weighting, and everything to do with their weird formula that no one can seem to figure out. OK, fine…

Facebook has also been on a tear about ‘honesty’ in the form of user profiles. The last few years have seen nothing but drama and turmoil as Facebook tries to enforce their ‘real name’ policy. A policy that the Chief Product Officer at Facebook apologized for, ensnared a former employee or seven, unfairly targets the LGBT community, and has caused enough headache to warrant a Wikipedia entry. Oh, of course, that the “noble and charitableMark Zuckerberg defends. So… integrity and honesty and clarity is important, right?

That sets up the easiest of questions. Why is Facebook targeting their user base, who they profit off, regardless of a real name attached? Sure, they may make a few more pennies on the dollar if a real name is attached over a pseudonym, but still profitable. For years, it let them defend their absurdly high user count on top of the obvious ploys of ignoring idle accounts and such. Now, jump to tonight, which set up a perfect example of where Facebook shows they don’t care. A rather simple example, but one that should be trivial for them to programatically notice and warn against, in a variety of methods. If a single user is posting something that may be fraudulent, contradictory, or a basic scam (e.g. how many times have you been tagged in an image for Oakley sunglasses, even in 2016), why isn’t there a warning? Even when the account isn’t compromised, the user isn’t warned. When the same image of knock-off sunglasses is posted to hundreds of ‘friends’ from a compromised account, it comes with no warning, either from the subject matter, or the break from the normal behavior (e.g. that user with 87 friends tags one photo with 87 names, when never tagging more than 2 people the last 5 years). We’re not talking AlphaGo or Microsoft Tay, we’re talking a couple decades behind them as far as computer intelligence goes. The fact that one was an amazing success while the other was an amazing failure, speaks to my point. They are cutting edge, trying to solve ‘problems’ that are are incredibly complicated. Meanwhile, Facebook can’t figure out what boils down to mid 1990’s email spam patterns, implementing the most basic of statistical filtering.

That said, I would love to see Facebook answer how the following two posts, from the same user, within 40 minutes of each other, could be posted without a warning to them AND me. Compare them posts carefully, not that there is much to go on as far as the end-user sees. At some level, this is stupidly trivial and any half-assed program should notice. No, it isn’t trivial or worth ignoring, that such articles get posted with such discrepancy. That is how we end up with stupid rumors and lies spread around as if they are fact, and fundamentally why our political climate is like it is. When you stop ignoring the details, especially the obvious contradictions, you are buying into a system that doesn’t serve you; rather, one that only exploits you.

sf-box-2

sf-box-1