Twitter’s crowd-sourced blocking idea good, implementation bad…

Yesterday I saw a few mentions of Twitter’s new method for “crowd-sourcing” user blocks. The idea is that one person may have blocked dozens of trolls, and you want to do the same without having to dig through a lot of Tweets. I read about how it was implemented, sighed, and moved on. Last night, someone I respect for his technical prowess over the years said it was “well done”, and I disagreed. He said I should post a blog with my idea, so your wish is granted.


The Twitter blog that outlines the implementation says some users “need more sophisticated tools.” Sophisticated, not convoluted and annoying to implement. There is a big difference. From the blog:

To export or import a list of blocked accounts, navigate to your blocked accounts settings on twitter.com. Click on the advanced options drop-down menu and select the action you want to take.

To download a list of your blocked accounts, select the export option and confirm the accounts you want to export.

The blog doesn’t even explain the next part for some reason, and I am curious why. Could it be because the process starts looking like more hassle than benefit? The next step is to host that block list somewhere, advertise that you did so, have another user download it, then they go to twitter.com and import the list. Fast and easy, right? Of course not; that is one of the most convoluted methods of using this type of feature. Your average Twitter user, especially the huge percentage that only use it via mobile, simply will not go through this process (and cannot easily do it if they wanted to). Even sitting at my computer, having to do actions outside my Twitter client is annoying, and this has too many steps.

How about integrate the functionality instead? Every client has a way to look up a user, or interact with them.


Just about anywhere on this context menu works nicely. “Add/Inherit @AlecMuffet’s blocks…” or “Block @AlecMuffet’s blocks…” or “Share @AlecMuffet’s blocks…”. One click and a confirmation box, and I could take any of his exported blocks and make them my own. That presents a smoother, more easily crowd-sourced model, which is the intent here. If I have multiple accounts, it is three clicks as I choose which account (or all accounts) to add blocks to. Compare that 2- or 3-click method with the one Twitter came up with. Designing the “User Experience” (UX) is an art, and not many companies do it well. That is often due to the disconnect between how the developers use a product or service and how their users or customers use it.

John Thomas Draper: Setting the Record Straight

It is almost a ‘fact’ that John Draper, also known as Captain Crunch, discovered that a toy whistle in a box of cereal could be used to make free phone calls. I say ‘almost’ a fact, because so many people believe it, and so many people have written about it as if it were fact. Even recently, a magazine known for intelligent geeky facts parroted this falsehood:

Not long after Engressia shared this information with the other phreakers, John Draper discovered that a toy boatswain’s whistle that was included in boxes of Cap’n Crunch cereal in the late 1960s could blow a perfect 2600Hz tone.

Even going back to 1983, a book titled “Fighting Computer Crime” by Donn B. Parker carried the myth:

A young man just entering the U.S. Air Force to serve as a radio technician was fascinated with telephony and took courses on the subject at college and discovered the whistle that catapulted him to crime, infamy, and misfortune.

Googling around for tales of Draper and the whistle will turn up a variety of sites that say he discovered it. These include the Snopes message board, a telephone tribute site, high school papers, and other archival sites. And this isn’t limited to more obscure sites; this ‘fact’ is still repeated by mainstream media articles.

While some in the industry have had doubts or heard tale that Draper did not discover the whistle’s significant tone, it wasn’t until last year that we finally got a definitive answer and story. Phil Lapsley wrote a book titled “Exploding the Phone” that gives an exhaustive history of phone phreaking and is a must read for anyone interested in the topic. Lapsley’s research put him in touch with many players of the time, and the real story emerged:

Page 155: Several years earlier a Los Angeles phone phreak named Sid Bernay had discovered you could generate a nice, clean 2,600 Hz tone simply by covering one of the holes in the plastic toy bosun whistle that was given away as a prize in boxes of Cap’n Crunch cereal. Armed with their Cap’n Crunch whistles Fettgather and Teresi and friends would cluster around pay phones at the airport and go nuts. [..] With Draper in the club the whistle trips expanded.

Page 166: (late summer of 1970) It was on one of those conference calls that John Draper discovered a new identity for himself. [..] One day Draper and Engressia were talking about using a Cap’n Crunch whistle to make their beloved 2,600 Hz tone, Engressia recalls, when Draper suddenly said, “You know, I think I’ll just call myself Captain Crunch. That’d be a good name.” Engressia immediately liked it. “It just fit him somehow,” he remembers. “It was just a good name for him. We called him ‘Captain’ a lot.” Captain Crunch was born.

Given that most of Draper’s modern reputation is based on his ‘discovery’ of the whistle, something he has done nothing to dispel or come clean about, I feel it is important to help set the record straight. While he may be an iconic figure in lore, even if undeserved, it is important to better understand what kind of person he was during this time.

Page 245: And as a rule universally agreed upon within their group, they avoided John Draper and his friends like the plague. “I tell you,” [David] Condon says, “Draper was the kiss of death. He was asking for it, he was looking for trouble.

Page 313: All this did not sit well with Steve Jobs and the other managers at Apple, who thought the Charley Board product was a bit too risky and, besides, they disliked Draper to begin with.

In addition to being disliked, Draper had a growing criminal record that included seven counts of violating 18 USC 1343 (Fraud by Wire, when he used a blue box to Australia, New York, and other places) in 1972, violating probation later in 1972, arrested in California in 1976, and indicted on three counts of 18 USC 1343 while on probation. To this day, Draper maintains it was a conspiracy:

Page 287: To this day, Draper maintains that he was framed. [..] “Well, it turns out that he had arranged with the FBI to tap that phone,” Draper says. “he told the FBI that I was going to be making a blue box call at that phone at that date and time.” The result was that the FBI now had a blue box call on tape with Draper’s voice on it. [..] You see, the informant that the Los Angeles office of the FBI sent up didn’t arrive in the Bay Area until Tuesday, February 24. The blue box telephone calls that Draper was eventually busted for occurred four days earlier, on Friday, February 20. And on that Friday the Los Angeles informant was still in Los Angeles, enjoying sunny southern California weather or breathing smog or whatever it is that LA phone phreak informants do when they’re off duty.

But this wasn’t the end of his crime. In New Jersey in 1977 he was arrested and charged with possession of a red box, a charge which was later dropped. He was again arrested in 1977, this time in Pennsylvania, which led to him agreeing to a plea deal in 1978 to one count of possessing a device to steal telecom services. He was sentenced to 3 – 6 months in jail with credit for 1 month served. That charge and plea also meant he violated his federal probation for earlier crimes, sending him back to California to spend time in prison as well. During all of this time, two psychiatrists observed that Draper “tend[s] to pass himself off as the victim claiming that he has almost no control over all of the troubles that now beset him” and that he had “numerous paranoid delusions of being especially picked out for persecution because of his power and knowledge”. Both psychiatrists agreed that a jail would not be a good place for Draper, leading a judge to sentence him to a furlough program for one year. Finally, in 1987, he was caught forging tickets for the BART system, which led to a plea bargain resulting in a misdemeanor.

I offer all of this up, courtesy of Exploding the Phone, as a reminder that many people in InfoSec consider him a hero of sorts, and feel that his history was beneficial to the world of phreaking. In reality, it was not. He was just another phreak at the time, did not discover the Cap’n Crunch whistle, was caught during his crimes several times, and then somehow became a telecom legend. To this day, Draper still tries to use his reputation to get handouts from the industry. If you want to support him, just be sure you understand who you are supporting, and why.

Anatomy of a NYT Piece on the Sony Hack and Attribution

There is a lot of back-and-forth over who hacked Sony Pictures Entertainment. For a not-so-brief summary, here is an extensive timeline to catch you up. I am going to drill down on a single point as it is both fascinating and disgusting. Using a single article that is heavily influencing people around the world, and helping to polarize the InfoSec community on who hacked Sony, I want to show you exactly what you are quoting and reading. Why? Because people don’t seem to be reading past the headline or first couple of paragraphs. What seems like a strong, definitive piece, falls apart and begins to contradict itself entirely halfway through the article. The New York Times piece in question is titled “U.S. Said to Find North Korea Ordered Cyberattack on Sony“.

Consider what the headline says. First, it says that North Korea ordered the attack on Sony. Second, it says the U.S. has found out, meaning there is some body of evidence that led to that conclusion. Seems simple enough. But where does this come from?

American officials have concluded that North Korea was “centrally involved” …
Senior administration officials, who would not speak on the record …
Officials said it was not clear how the White House would respond.
Other administration officials said a direct confrontation with the North would provide North Korea with the kind of dispute it covets.

So how many officials are we talking about here? American officials? Senior administration officials? “Other” administration officials? Not a single one on record, which is very curious given named sources are the backbone of solid reporting. Are these officials part of the military? Law enforcement agency? Or just policy wonks that may or may not be getting briefed by someone with a clue?

The administration’s sudden urgency came after a new threat was delivered this week to desktop computers at Sony’s offices, warning that if “The Interview” was released on Dec. 25, “the world will be full of fear.”

Wait, so the Sony network is still entirely compromised weeks after it was publicly disclosed? That is an interesting angle, why haven’t we seen articles covering that? The company brought in to do forensics, are they losing this battle? Or did they mean the message was emailed to Sony employees, and the wording is confusing since the initial attack included actually replacing the desktop background on thousands of Sony desktops? Or was this a reference to the attackers posting that message on a public website (Pastebin)?

“Remember the 11th of September 2001,” it said. “We recommend you to keep yourself distant from the places at that time.”

This comes from the latest Pastebin post, since removed. I think that is the simple, logical explanation.

While intelligence officials have concluded that the cyberattack was both state-sponsored and far more destructive than any seen before on American soil, there are still differences of opinion over whether North Korea was aided by Sony insiders with knowledge of the company’s computer systems, senior administration officials said.

Wait a minute, the title is definitive, the U.S. says North Korea did it. Now even more unnamed officials say Sony insiders may have helped them? If you follow the whole “this is an act of war” nonsense, then any American Sony employee just committed treason, right? If it was a Japanese Sony employee, then Japan is in league with North Korea? I mean, we have to be careful on our rhetoric of war and blame, as these little comments can mean big things.

North Korea’s computer network has been notoriously difficult to infiltrate. But the National Security Agency began a major effort four years ago to penetrate the country’s computer operations, including its elite cyberteam, and to establish “implants” in the country’s networks that, like a radar system, would monitor the development of malware transmitted from the country.

So Newt Gingrich, Dave Aitel, and others are saying a North Korean attack on Japanese company Sony is an “act of war” against the U.S., but we openly admit that the U.S. government has been trying to penetrate North Korean computers for at least four years, and that isn’t an act of war? That doesn’t make sense. Either such intrusions are an act of war, or they aren’t. We can’t have this both ways.

It is hardly a foolproof system. Much of North Korea’s hacking is done from China. And while the attack on Sony used some commonly available cybertools, one intelligence official said, “this was of a sophistication that a year ago we would have said was beyond the North’s capabilities.”

So the definitive headline is now clouded by statements like these. We don’t know where the attacks originated, the tools were commonly available and had been seen in attacks years ago, but then the official says it is sophisticated? Not sure this ‘intelligence official’ has the same standards for the word ‘sophisticated’ as many in InfoSec.

But there is a long forensic trail involving the Sony hacking, several security researchers said. The attackers used readily available commercial tools to wipe data off Sony’s machines. They also borrowed tools and techniques that had been used in at least two previous attacks, one in Saudi Arabia two years ago — widely attributed to Iran — and another last year in South Korea aimed at banks and media companies.

Do we all know what a forensic trail is? This is a shaky list of circumstantial evidence at best. Given the use and history of the tools, making an assumption on who used it seems absurd.

But one of those servers, in Bolivia, had been used in limited cyberattacks on South Korean targets two years ago. That suggested that the same group or individuals might have been behind the Sony attack.

Again, do we not see how circumstantial this is? On one hand you claim the attackers are sophisticated, on the other you say they use a compromised computer for two years that would implicate them because of past attacks.

The Sony malware shares remarkable similarities with that used in attacks on South Korean banks and broadcasters last year. Those intrusions, which also destroyed data belonging to their victims, are believed to have been the work of a cybercriminal gang known as Dark Seoul. Some experts say they cannot rule out the possibility that the Sony attack was the work of a Dark Seoul copycat, the security researchers said.

Definitive headline, yet more doubt on who attacked Sony.

The Sony attack also borrowed a wiping tool from an attack two years ago at Saudi Aramco, the national oil company, where hackers wiped off data on 30,000 of the company’s computers, replacing it with an image of a burning American flag.

A public tool from two years ago, and this is influencing attribution? Investigators should be logical and skeptical. Actual evidence should be the guiding factor in their investigation and determining attribution.

Security experts were never able to track down those hackers, though United States officials have long said they believed the attacks emanated from Iran, using tools that are now on the black market.

So we couldn’t positively attribute the attack two years ago that used those tools, and now we want to use that tenuous link claiming it is some kind of ‘proof’ North Korea was involved? This makes no sense.

“It’s clear that they already had access to Sony’s network before the attack,” said Jaime Blasco, a researcher at AlienVault, a cybersecurity consulting firm.

I have given many a buzz-quote to the media, and I understand how they can be taken out of context. This is a great example. Blasco sounds like a total idiot, but I have a strong feeling he isn’t. What does this quote mean exactly? Getting access to Sony’s network requires an attack. Subsequent actions are part of that attack, or the fallout. Or does he mean “had access” in the context of a legitimate trusted employee? InfoSec people: be careful when giving buzz-quotes to journalists.

The cost of the assault was small: The attackers used readily available tools to steal data and then wipe it off Sony’s machines.

Once again, “readily available tools”, yet we are attributing this to a nation-state attack? Read between the lines and we have no real attribution at this point, at least not demonstrated by anyone. I doubt Mandiant is sharing their results with anyone publicly, leaving the rest of this to guess-work.

Representative Mike Rogers, the Michigan Republican who leads the House Intelligence Committee, said the hackers had “created a backdoor to Sony’s systems” that they repeatedly re-entered to send threatening messages to Sony employees.

Ya think? That is hacker 101 shit right there Mr. Rogers. Sophisticated malware to allow such access has been around for more than 30 years, and is trivial to get from thousands of web sites.

The North Koreans have half-denied involvement, but have left open the possibility that the attacks were the “righteous deed of supporters and sympathizers.”

Well played North Korea.

All in all, we have an article with a definitive title, “citing” between one and dozens of unnamed officials, who may be guessing like most of the world, giving as much “evidence” that it wasn’t necessarily North Korea, and it is whipping up a frenzy that has politicians and InfoSec professionals calling this war. I’ve said it for a week, and I must say it again. How about we wait for actual evidence: a public report outlining all of the forensics available, one that can be peer-reviewed to some capacity, before we go rattling our saber at a country that may not be involved. Sure, North Korea is wonky in their statements, implying it was them, then “half-denying” it, whatever that means (curious that no one ever links to these statements, or are these more “unnamed officials” from their government?).

Remember, North Korea is the same country that threatened the U.S. with a nuclear missile earlier this year. They like to rattle their saber at everyone, but it doesn’t mean they actually did anything. Taking their implications or half-denials as fact isn’t prudent. I am not saying North Korea wasn’t involved. I am simply saying that this speculative circle-jerk is not helping anyone, and only serves to cause headache and grief. Level-heads must prevail. If you feel the need to comment on the matter, make sure you are educated about what has happened the last 30 days, and then try to be a voice of reason in this ugly mess.

e-MDs, Inc. Solution Series 7.2.1.634 Screen Lock Failure Information Disclosure

e-MDs, Inc. Solution Series integrated electronic health record and practice management software version 7.2.1.634 contains a flaw in the screen lock functionality. When a user locks the screen, under some circumstances, the screen will display the login box but fail to obscure any of the information displayed otherwise. As I discovered on March 21, 2014 at my doctor’s office, the screen not only displayed some of my information including name, account number, date of birth, phone number, and doctor notes, it also showed the same information for a second patient.


BSidesLV, Charity, and a change of heart.

Read it all heathen! Teaser list of stuff in the charity box is included below.

As most reading this blog know, next week is the annual pilgrimage to Las Vegas to attend the ‘meta-con’. A mix of BSidesLV, BlackHat Briefings USA, DEFCON, and a number of other smaller sub-conferences, meet-ups, gatherings, and the ever present ‘hallway-con’. It is a week of chaos. Incredible opportunity always clashes with regrets, wishing you had checked out a talk, or met up with long-time friends, or run into new people you only know virtually. My first DEFCON was #2, twenty years ago, and it seems like both yesterday and a lifetime ago. I won’t go into a long analysis on how it has changed; just know it has changed drastically. Not saying for the better or worse either, because it is both.

Next week I am putting up an infamous attrition.org box-of-shit for charity at BSidesLV. I have done charity boxes at BSidesDEN in 2012 and 2014 that raised around $480 for the supported charities (usually EFF and/or HFC). Those were in addition to other charity auctions via eBay to support the Open Security Foundation, EFF, and the Concoctory.

You may notice a trend here. The last few years, I have made a big change to help support charities/NFP a lot more than I did before, including volunteering time as I can. Next week I will be working the registration desk at BSidesLV, and working as a volunteer for the Skytalks at DEFCON. Unrelated to security, I donate a fair amount of money and/or time to animal-related charities around the Denver area. I support a variety of humanitarian efforts to support research to cure ailments, fight hunger, and more.

Now, I want to do more, and I want more security professionals to do the same. As an industry, we make a ridiculous amount of money providing security services. As an industry, we fail miserably at doing so. Sure, we have our individual wins here and there chasing contracts. But as a whole? Digital security is at an all-time low. There is more computer crime, more breaches, published vulnerabilities are not dropping despite incentive not to disclose (if you even quote CVE and a ‘drop’ to me, get out of my industry), and a more fundamental lack of trust in anything related to computers. If we’re making stupid money providing inferior services while toeing a favorable line, we need to look inward and re-examine our lives. It simply isn’t ethical to reap the rewards on the back of false promises. As an industry, we need to strive to do better (and we have proven we can’t), or start to give back to more worthwhile efforts.

I encourage you to consider this seriously. Look at how you can give back to the community in more ways than you are currently doing. Figure out more causes that could benefit from your time or financial support. Break away from the corporate high-dollar conferences run by non-security companies and support the home-grown community-driven conferences. Keep that in mind and bid generously on my two auctions.


Next week at BSidesLV, on Tuesday and Wednesday, you can participate in the silent charity auction and bid on this box-of-shit. Unlike previous boxes, I have worked to ensure this one is different, more interesting, and more valuable (which is subjective, I know). First, it has a limited edition attrition.org DEFCON 22 badge in the box. Only five were made this year! One is up for auction by itself right now, and it sets the stage for the box. Next, there is a hand-knit Lazlo hat made by J. Renee Worsing that comes with care instructions. Not only was the badge made by Make It Urz, there is also an engraved Lazlo lapel pin in the box.

If you win this box, you are fully encouraged to embrace that badge. Walk around all of the conferences telling wild tales of your work with attrition.org. Spin stories about the other staff members, what you have endured, what para-military ops you have done on our behalf. This badge gives you creative license to social engineer anyone and everyone you meet. Flash that badge and you have a 0.3% chance of walking into any other party. Flash that badge at the 303 party and I will personally escort you in, even if the party isn’t open to the masses yet. Find me in a random bar, I will buy you a drink or three. ALL WEEK.

That is the tip of the iceberg! In addition to those fine items, the following is contained in the box. And yes, my wording is carefully chosen to keep you guessing, while being entirely accurate at the same time.

  • Collectible currency from 8 different countries.
  • A military challenge coin.
  • Certified piece of history circa 1989.
  • Original ‘FREE KEVIN’ bumper sticker.
  • Attrition.org bracelets.
  • A gift card. For a store, some amount more than a dollar.
  • DEFCON 21 speaker badge.
  • Lockpicks.
  • A “pocket full of fun”. Make of that what you will.
  • Cold, hard cash.
  • Stickers, items from a jail, and “sparkle power”.

All of that is in addition to the usual box-of-shit stuff that is more questionable in value. This box was designed for fun, for you to enjoy as you open it up and dig through the contents. Nikita contributed a lot of the material found in this box, so you should buy her a booze next week. Not so much for the box, more for the amount of time, effort, and anguish she puts into making DEFCON happen. It isn’t entirely the ‘Jeff show’.

Remember that your money is going to worthwhile charities that help other people. None of this money goes to me. It will go to a fund that is divided up to support EFF, HFC, and Securing Change.


Samsung Galaxy Phones Factory Reset Persistent Local Information Disclosure

A couple years back, I handed my Samsung Galaxy S1 down to a friend. When she got it she browsed the file system out of curiosity and noticed that it had retained private information; both from applications, as well as content I generated (e.g. pictures). While she promised to do a write-up of all the information left behind, she never did (flake!). This is obviously a problem for those who reset their phone thinking it is truly wiped clean, and then hand it off to a friend, sell it, or trade it in for credit.

The other day, a relative and I both upgraded our phones. Him from a Galaxy S2 to a S5, and me from a Galaxy S3 to a S5. So I figured why not check both out to see if they did the same. Cliff notes: The Samsung Galaxy S2 (model SGH-T989) ‘factory reset’ leaves a lot of personal information behind, while the Samsung Galaxy S3 (model SGH-T999) does not. The S2 reset certainly does not delete your content.

Here is what I found left behind on the Galaxy S2. Directories for installed applications that were not deleted, or not deleted entirely:
\CamScanner
\foursquare
\gameloft
\Intsig
\Lazylist
\telenav
\data\flixster
\convertpad

Files:
\telenav70\sdlogs\4\22\2014042208.txt
\telenav70\sdlogs\5\23\2014052320.txt
\Photo Editor\2014-03-30 19.11.22.jpg
(personal picture)
\lookout\log.txt
\Intsig\CamScanner\.log\log-2013-12-25_21-59-09.log
\DCIM\Camera
(55 personal pictures)
\contactBackup\contacts.csv
\contactBackup\contacts.pdf
(both contain a full list of contacts: name and phone #. This is from an app that backed up contact info)
\Android\data\com.zynga.words\cache\FBImages
(three images, FB avatar pics of players)
\Android\data\com.facebook.katana\cache\.facebook_-372648771.jpg
(private image from FB)
\tmp_fsquare.jpg
\tmp_fsq
(a PNG thumbnail of the avatar selected for the app)

The Galaxy S3 (model SGH-T999), which I used pretty heavily, was much better after factory reset. I found the following left behind:

\Phone\Application\SMemo
(didn’t use this app despite installing it. The files suggest private info may be available after reset)

All pictures, contact info, and information from applications are gone. So somewhere between the Galaxy S1 and the Galaxy S3, Samsung finally figured out the ‘Factory Wipe’.
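A check for the problem described above, written as an added example (not code from the original post): mount the handset’s storage read-only on a PC after a factory reset and walk it, reporting every surviving file grouped by the kinds of leftovers found on the S2 (personal photos, contact backups, app cache images, app logs) plus any non-standard top-level directory left by an uninstalled app. The list of standard Android folders and the sample tree are assumptions constructed for the demonstration.

```python
"""Audit a mounted phone storage tree for files a factory reset should have removed.

Added example, not code from the original post. A correct reset leaves the user
storage empty apart from standard (empty) folders, so every file reported here is
data a previous owner would not want handed on with the phone.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
LOG_EXT = {".log", ".txt"}
# Assumption: these standard Android public folders may legitimately exist (empty)
# after a reset; any other top-level directory is residue from an app.
STANDARD_DIRS = {"alarms", "android", "dcim", "download", "movies", "music",
                 "notifications", "pictures", "podcasts", "ringtones"}


def classify(rel_path: str) -> str:
    """Map a relative file path to the kind of leftover data it represents."""
    parts = rel_path.lower().replace("\\", "/").split("/")
    ext = os.path.splitext(parts[-1])[1]
    top = parts[0]
    if top in ("dcim", "pictures", "photo editor") and ext in IMAGE_EXT:
        return "personal photo"
    if top == "contactbackup" or parts[-1].startswith("contacts."):
        return "contact backup"
    if top == "android" and "cache" in parts and ext in IMAGE_EXT:
        return "app cache image"
    if ext in LOG_EXT and any("log" in p for p in parts):
        return "app log"
    return "other file"


def audit_storage(root: str) -> dict:
    """Return {category: [relative paths]} for every file under root.

    An empty dict means nothing survived, which is what a real wipe should give.
    """
    found = defaultdict(list)
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root_path).as_posix()
            found[classify(rel)].append(rel)
    return {k: sorted(v) for k, v in sorted(found.items())}


def leftover_app_dirs(root: str) -> list:
    """Top-level directories that are not standard Android folders."""
    return sorted(p.name for p in Path(root).iterdir()
                  if p.is_dir() and p.name.lower() not in STANDARD_DIRS)


def build_sample_tree() -> str:
    """Constructed sample modelled on the S2 findings above (no real data)."""
    root = tempfile.mkdtemp(prefix="reset_audit_")
    sample_files = [
        "DCIM/Camera/IMG_0001.jpg",
        "Photo Editor/2014-03-30 19.11.22.jpg",
        "contactBackup/contacts.csv",
        "telenav70/sdlogs/4/22/2014042208.txt",
        "Android/data/com.example.app/cache/FBImages/avatar.jpg",
        "tmp_fsquare.jpg",
    ]
    for rel in sample_files:
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    Path(root, "foursquare").mkdir()   # empty dir left behind by an uninstalled app
    Path(root, "Download").mkdir()     # standard folder, fine to remain
    return root


if __name__ == "__main__":
    # Point audit_storage at the real mount point to check an actual handset.
    sample = build_sample_tree()
    report = audit_storage(sample)
    for category, paths in report.items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print("  ", p)
    print("non-standard top-level dirs:", leftover_app_dirs(sample))
```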


Why I Love and Hate Presenting at Security Cons

Hate

I am not really a public speaker. I am nervous when I speak, even on topics I am very familiar with. Part of that is because I hold myself to a high standard for accuracy and ‘no bullshit’ given my history of calling others out on it. Just like I was right to do it to them, anyone in the audience is right to do it to me. My most recent talk has a ‘rule’ at the start that questions can wait until the end, but if I make a mistake, speak up immediately. If you are right, I will correct it, apologize, and give you credit for holding me to such standards. If you are wrong, I will mock you. Seems fair! I hate dealing with AV, and I don’t like dealing with cons and logistics and setup. This is partially due to past incidents where I am a registered speaker on the schedule, and have to spend 15 minutes convincing the staff I am actually a speaker and have been attending that con for a decade just to get a badge (e.g. BlackHat). Every con does a different setup, where you aren’t sure if the speaker laptop will be ‘extending the monitor’ or ‘duplicating the monitor’. This matters for those of us using ‘presenter view’ in PowerPoint. I must have my speaker notes available in most talks as I tend to include dates, numbers, and details that I can’t otherwise remember.

Love

I also love presenting, because when I opt to do so, it is fairly interesting research or perspective. My talks are not technical, they won’t help you exploit a kernel or bypass memory protection. Instead, they are more in line with a historical and unique perspective in some cases (e.g. Anonymous, Cyberwar), or specialized to something I have focused on for two decades (vulnerability databases and related matters like statistics). I fully understand that some of my topics are not for everyone. Hell, they aren’t for most of the industry as far as a talk. While they likely use a vulnerability database, they certainly aren’t interested in the minutiae that goes with it. That doesn’t really matter to me. I’d rather have 20 people truly interested in the talk listening, rather than a ‘standing room only’ situation despite half the room not knowing the material past the first slide. For those handfuls of people out there, I know my presentations are improving on the common body of knowledge.

Hate, with a Twist

My most recent presentation, 112 years of vulnerabilities, has led me to develop a new kind of hate of presenting. The first time I gave the talk was in 2013 at BSidesDE. After the talk, I gave it twice more; once at a community college as a favor to a friend, and at a small boutique conference at a business school of a college. In doing the talk there, the conference organizer and a professor offered to try to get a copy of the ‘Repaired Security Bugs in Multics’ from 1973. What seemed like an impossible-to-find book ended up being a 7 page paper. But she managed to get a copy via inter-library request as a professor. With that simple gesture, the vulnerabilities in Multics I had cataloged jumped from 10 to 16. Thanks A.M.!

Six months later I get to spend some of my little free time going through more historic papers and find another dealing with Multics. Not only do I find more context around material in that presentation, I find that it is actually a lot more detailed and fascinating. The incident I describe actually happened twice, once in 1979 as I outline, and years before in 1974 with different results. The time spent digging into that came shortly after giving the talk to a security company on the east coast by request. Shortly after giving the talk, which extended to two hours with additional detail, Q&A, and a mix of discussion with them, I was approached about the electro-mechanical rotor cipher machines discussed. We got to talking for half an hour, where he gave me pointers and information for later research. Before I left that day, he gave me two books on military cryptanalysis from 1956 that were previously classified. Yep, just lying on his shelf, he had two tomes of incredible knowledge that might help me in cataloging the history of vulnerabilities. I’ve only had an hour or two to go through them so far. While I determined the first book had no usable information, the second is a treasure trove. A single appendix of that book appears to have information that will double the vulnerability entries I have on such machines and the compromise of their crypto systems. Thanks J.M.!

Every time I find such information, it makes me regret giving the talk. While the talks were given to show perspective and it was clear the history was incomplete, I hate that my audiences didn’t get all of the information. It doesn’t matter that I didn’t have the information originally; I feel that I should have taken more time to research all of this better. I’m both afraid and excited that every time I give this talk, someone else will come forward with a wealth of new knowledge. It is an absolute delight for the vulnerability historian in me, but an absolute dread for someone who can’t stand delivering less than a complete talk.

Moving Forward

Since the first time I delivered the talk, I have had several people tell me I should write a book on the vulnerability history I outline. There is certainly an abundance of material there, and boiling it down to a 45-minute talk has caused me to deliver the talk at a faster pace each time. Part of me wants to write such a book and release it as a free e-book to the community. It would be fun doing so. On the other hand, it would also take months of dedicated research to finish a true preliminary overview of such history, and time is a valuable commodity, to say the least.

So to my previous attendees, I apologize. I certainly hope you enjoyed the talk, but I really hope you understand that this is a work in progress. Work that I have been doing for a long time, and will continue to do. At some point, if I come up with a more complete work, I hope to be able to share all of it with you in some fashion.

You have a new security initiative? Great, here’s some advice…

I am getting frustrated with the never-ending stream of ‘new’ security initiatives being announced. It doesn’t matter whether they are community driven, compliance-based, or ‘industry standards’. For twenty years, we’ve heard it over and over, yet things just aren’t changing.

Most of these initiatives flop. Some may make it months or even years, limping along with virtually no support. Even projects with hundreds of people involved or supporting them represent such a tiny fraction of the InfoSec industry, let alone the general IT industry, to say nothing of the rest of the world. In a few cases, the ‘new’ idea might even make a slight improvement for 0.000001% of the world. At best…

Largely though, they are worthless. People sometimes even spend more time banging on the initiative war-drum than on the end result. Worse, for every one announced that does any real and lasting good, another hundred end up wasting time and going nowhere.

So you want to announce a new initiative to save the world? Great! How about instead, skip the initiative name, the policy, the graphics, and the rest of the things that take time from actually doing something. Don’t talk about the project day in and day out. Just do good.

If you really feel that a structured movement with lofty ambitions and a brand are required, then do good first. Show the world you are serious and capable. Announce your new initiative on the back of a big ‘win’ or change. That will demonstrate you have the drive and dedication. Come out of the gate on the back of something concrete, not fluffy bullet points that are indistinguishable from any for-profit security company or charlatan.

Yes, everyone knows you want to ‘help’ and ‘protect’ and ‘improve’ and ‘secure’. The exact same thing everyone else in the industry says, both good and bad. And like many of them, your new initiative may not deliver either.

Crossing the line on ‘appropriate’ response to a breach…

You have likely seen the news that eBay was compromised and disclosed on Wednesday the 21st, resulting in as many as 145 million customers being affected. eBay was quick to state that the criminals did not gain access to financial information, trying to allay customer concerns. Despite that, there are many aspects of the aftermath that concern people. Andy Greenberg at Wired and Madeline Bennett at The Inquirer are just two of many to write articles on “how not to handle a security breach”.

It didn’t take long for several US Attorneys General and one official in the UK to start, or express interest in, a formal investigation. I think it is warranted given the slow response from eBay and given that no details about the incident are available from the company. It took them several days to finally add a banner to their site warning users to change their password.

[Image: ebay-banner]

What is disturbing is that four days later, I have not received an email from eBay warning me of this breach, while still receiving notices of random auctions ending that I am not watching. Getting notice of a breach via the news for several days, and not from the company, is bad form. In a comment made to the BBC on Friday, the 23rd, eBay said:

EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
“The site is busy, but our secure password reset tool is working,” a spokesman said.

This caught my eye today as I read it just hours after seeing a Tweet from Kenn White in which he shows how ‘secure’ the password reset feature is:

[Image: ebay-passwd-snafu]

Between the lack of response, slow action to get a visible password reset warning, not mandating that users change passwords, and not understanding what good password security is, I think it is time for the FTC to step in. Companies must be held accountable for the security of their customers.

Update #1: I received my breach notification letter and request to change password an hour ago, almost eight hours after posting this blog, four days after it hit the news.

Update #2: @miaubiz points out that the actual breach happened between late February and early March, leading to questions on why it took them so long to disclose.

Surprise! Guinea pigs… (the end of an era)

Almost 7 years ago (August 18, 2007), I returned from a business trip to find a guinea pig in my living room. My significant other at the time, Kay, had wanted to rescue a guinea pig or three. We had talked about it and I was willing, but wanted to talk about it more. She figured, why wait? So upon returning home… surprise! Guinea pig. This turned into a steady stream of adoptions that led me to have a herd. This is an important distinction in the guinea pig world. One or two pigs can bond with their human if given a lot of attention. They will happily sit in their human’s lap and look forward to it every night. When you have more than two though, especially a lot more, they will revert to their more natural herd mentality. This is considered to be healthier by many people, but is not favorable to many owners. Why? Because pigs are prey animals, and you are perceived as a threat to them. You don’t get to bond with them and they do not enjoy being picked up. But if it is healthier for the pigs, that is what matters, so we had a herd. A few years later, Kay and I split and I decided to take the pigs. While they were her idea, it was clear that I was a better and more consistent provider for them. Even when given the opportunity to come over and help with cage cleaning, or even keep me company while I did it, she rarely showed. Eventually, she became a completely absentee parent, leaving me to care for the pigs. The following is a list of the guinea pigs adopted, in the order that they moved on. While I cared for all of them equally and to the best of my ability, two of the nine were ‘mine’ in some fashion.

The first was ‘Snickers’, aka A156576, a female Abyssinian adopted from the Boulder Valley Humane Society. One of my hesitations about adopting was that I had not taken the time to read up on them, but Kay had. Our first pig ended up not being the typical adoption. Only four years old, she had serious hair loss and complications due to a life of poor nutrition. Snickers reminded us that guinea pigs are frequently not cared for properly. I wrote a brief summary of her adoption and what was going through my head at the time. While she was not with us long, she opened the gates for more adoptions.

‘Pringle’, originally named Cerra (aka A253868), was a female American shorthair adopted from the Larimer Humane Society on March 9, 2008. Estimated to be around 4 years old, she was picked up and found to be extremely skinny (660 grams). She was surrendered to the shelter with no history other than “good with kids”. Based on her weight and appetite the first night, we’d guess she was not given hay or veggies very often. Once home, she took to most veggies instantly and slept by the hay bowl half of the night. By the next day she was energetic, standing on her rear feet wheeking happily for veggies and sleeping all over the cage. Better, she was already up to 730 grams. Her first vet appointment confirmed that she had mammary tumors, which were removed successfully during surgery with a very fast recovery. After the surgery, she proved she was the perfect pig in temperament and demonstrated how pigs can recover from the worst of environments. Pringle passed on April 15, 2009 due to masses on several internal organs. She was also experiencing very minor weight loss and potentially had neurological issues (serious spasms when she slept sometimes). She went peacefully in her sleep, head on a pillow.

JuineaPig, originally Ginny (aka A419947), was a female Abyssinian adopted from the Denver Dumb Friends League on December 29, 2007. When we went in, she was described as “problematic” and it took over 30 minutes for the staff to catch her because “she bites”. She had been given up for adoption for “recently starting to bite”, despite being almost two years old, but once securely held she seemed to do fine. Due to her behavior, the DDFL had decided to pull her adoption information down and were going to declare her unsuitable for adoption. Once we gave the rundown of our current herd and our ability to properly take care of her, they agreed that we could provide a good home for her. In the months after adoption, the only time she would bite was if she felt directly threatened, and even then, only warning nips. It was immediately clear that her previous owners had not given her any veggies, as it took several months to get her to eat a wide variety. From adoption on, she was nothing but a sweet pig and clearly not a biter. JuineaPig passed on May 20, 2009 due to many internal complications including a cancerous tumor, kidney issues, a bladder stone, a GI obstruction, and more. Her last two days were not very happy, but she fought as best she could.

[Photo: Snickers, Pringle, and JuineaPig]

Figlet, originally Willow (aka A762196), was a female Abyssinian (likely with a Peruvian mix) adopted from the Humane Society of the Pike’s Peak Region on June 20, 2008. Originally down there to adopt another ‘female’, we found two large males with health problems. Despite our correcting the shelter on the gender of the pigs, they didn’t appear to care or update the web page days later. Figlet was in a large cage by herself (good), but with half of it covered in water-soaked litter and no water in her bottle. Almost unable to hold her, we managed to get her in the carrier and bring her to the pig mansion. She integrated into the herd within hours (after quarantine) and did great. Clearly younger than advertised, Figlet was the most energetic and spastic pig we had. Even six months after adoption, she was almost impossible to hold for more than a few seconds as she tried to escape and find her own footing. Fearless doesn’t begin to describe her. Figlet passed on Oct 15, 2009 due to complications during surgery to remove a mass causing hyperthyroidism, a rare condition in guinea pigs. A full write-up of diagnosing and treating her was created to share information about this rare condition in pigs. Figlet was ‘my’ pig, and I spent a lot of time trying to figure out what was wrong and went to great lengths to try to help her live a happy life. Losing her convinced me that I was not going to rescue any more pigs myself; rather, I would continue to support shelters and rescues.

Nugget, originally Nibbles, was a female American shorthair adopted from the Denver Dumb Friends League on November 2, 2007. They believed her to be about four years old, but we suspected she was a bit younger. She was our first shorthair guinea pig, with a great personality and a strong love for hay and veggies. The DDFL said she was “surrendered because the previous owners couldn’t afford to maintain her”, which is sad, as a pig is relatively cheap to house and feed. Nugget was hands-down the most mellow guinea pig and frequently ended up being a vet buddy when one of the other pigs needed to see the doc. Nugget passed on Oct 31, 2010 from natural causes. She was a senior piggy and lived a glorious three years with me. While I can accept that logically she had already moved on and was not aware of her surroundings or had any real mental faculty, the last 45 minutes of her life were spent in my lap at 3AM having spasms. That is very hard to deal with.

[Photo: Nugget]

Zesty, unnamed (aka A089150), was a female Abyssinian adopted from the Denver Municipal Animal Shelter (DAS) by Kay on September 7, 2007, one of three guinea pigs brought in that were apparently found near an auto repair shop, left to fend for themselves. The only female of the bunch, she was described by the staff as an ‘escape artist’ and estimated to be approximately one year old. We feared she was pregnant due to being housed with the two males she was found with, which was another reminder that despite the good intentions of shelters, guinea pigs simply aren’t well understood. We soon learned that she was indeed an escape artist, but fortunately not pregnant. She became the queen of the herd, and was certainly the most feisty guinea pig we had. Zesty passed on June 3, 2012 from natural causes. Based on her life history, she lived a long time, all things considered.

Biscuit was a female Abyssinian adopted the same day as Zesty to provide companionship to the feisty beast. Oh, and she was ridiculously cute and mangled. Our third guinea pig at the time and first baby, adopted at only 5 weeks old, Biscuit knew no fear since she grew up in a happy home full of daily vegetable platters, endless hay, and a huge play pen to run around in. She was definitely the most tranquil pig, and knew absolutely no hardship in her life like the rest had. Biscuit passed on September 28, 2012. Sweetest of the herd, she lived a wonderful life.

[Photo: Zesty and Biscuit]

Waffle was a female Abyssinian, a personal adoption taken in on November 16, 2007. She was ‘my’ second pig, adopted selfishly. Part of me regrets that we got her from a pet store, but I wanted one guinea pig whose absolute history we knew and who should have no health problems, as compared to the hit-or-miss you get with shelter rescues. Despite that desire, she lived her life with some respiratory issues. It never affected her, but hearing her ‘hoot’ as if congested was a constant reminder of her being in the herd. Ultimately, she lived over 6 years and her frequent breathing issues had nothing to do with her passing. Waffle was the most distinct color we had seen, a great blend of white, grey, and black, giving a ‘peppered’ appearance. Her black feet were also quite distinct and made her stand out in the herd (and a pain to trim the black nails, as we couldn’t see the quick). Approximately five weeks old when adopted, she seemed to live for fresh hay more than anything else. When she wasn’t bouncing around her home she would lie in one of the hay lofts for easy access to her precious hay. Waffle reached end of life on May 9, 2014 (today) due to an intestinal tumor.

At this point, it left me with a single pig (Tater) that had grown up in a herd and knew nothing else. When Biscuit passed, Tater did not handle it well. That moved us from three pigs to two, which is decidedly not a herd. After three weeks, Tater finally settled down, accepted the situation, and fell back into a happy routine with Waffle. With Waffle’s passing today, I fear the worst: that Tater will realize Waffle is gone (she hasn’t as of writing this blog) and freak out. Today, she has gotten a series of extra veggies, a cob of corn, and fresh hay. I have checked on her periodically to ensure she is doing alright. In the morning, I will be taking her to Cavy Care, the only all-guinea pig rescue in Colorado. I have visited the sanctuary several times over the years and love what they do. They treat their guinea pigs exceptionally well and screen adoptions to ensure it will work. Unlike pet stores, who will sell pigs to anyone, even if it is not ideal for the animal, Cavy Care will make sure the would-be owners understand what they are getting into. Tater will be given a new friend, also a senior female piggy, to live with. While it isn’t the herd, she will have companionship like she has had for the last two years. As a now senior pig, it is hard to tell when she will move on. In the last few months, she has lost over 100 grams, which is considerable for a pig and a sign that health issues are happening. I hate to take a pig to a rescue that is already over-burdened, but they understand my choice, and Tater will come with a donation and all of my supplies to help the shelter. So more about Tater…

Tater is a female Peruvian Abyssinian Silky (longhair), a personal adoption taken in on April 11, 2008. The runt of a five-pig litter, she was taken from a family that had pigs living in poor conditions and mostly neglected, as they “didn’t have time for them any more”. If left in those conditions, she certainly would have been housed with mom, dad, and any brothers in her litter, leading to a very early pregnancy. Said to be four weeks old, we believe she was much closer to two weeks old when we got her. It only took her a few days to become extremely lively, eat any veggie she was given, and develop a great personality. She integrated faster than any other pig had, likely due to being around many other pigs early on. She received haircuts every couple of months, as her coat was too long and bulky, dragging in the cage and getting mucked up. While she whines during the trimming, she becomes considerably more energetic and seems much happier afterwards.

[Photo: Waffle and Tater]

For the last four to five years, I have been the only provider for my pigs. While Kay started the adoption spree, they lived a majority of their lives under my care. In that time I learned a lot about them. Everything from behavior quirks, to proper care, to treating odd conditions. I drove hours to ensure they received the best care possible. Every week for five years, I bought $20 – $40 of vegetables for them, special ordered Timothy Gold hay, and gave them a steady stream of chewable houses and items to keep them stimulated. I cleaned their cages every week when the herd was big, using bleach and vinegar to scrub down the ‘trays’, washed their bedding, rotated their hay, and more. I adjusted my lifestyle and social availability to guarantee they got their vegetables at about the same time every night. When traveling, they had in-home sitting most of the time, or twice-daily visits if not. When the air conditioning went out, I made sure someone was here to fix it within hours, as pigs can overheat easily. The temperature in my place very rarely crossed 76 degrees, for their benefit. Every month or three, they got weighed to better determine they were healthy, as significant weight change is one of two ways to diagnose problems (the other being behavioral changes). I learned of common pig problems like cysts and little growths that can be removed, as well as common problems with senior female piggies like tumors, ovarian cysts, and unknown masses. When someone in a herd wheeks, I can generally identify it, as it reflects their emotional state. I have had to separate Zesty from the herd to stop her going on a three-hour dominance mounting spree, ‘terrorizing’ the other pigs in her way. I have almost gotten kicked out of pet stores when I overheard a sales person spewing bullshit about guinea pigs. I have sighed casually and spouted back more disturbing facts than “you know some people eat guinea pigs?” to assholes trying to shock me (they were a lot more shocked than I was). Yes, I have read more books about guinea pigs than you have, about their history and indigenous lifestyle.

This is the end of an era in my life. Not having a huge guinea pig mansion in my living room, a few feet from where I spend a considerable amount of my life. Not hearing the happy wheeking, the frenzied wheeking as a pig tries to mount another, and the general chatter of guinea pigs day in and day out. Quarantining a newly adopted pig for 30 days before integrating her into the herd. Bathing a guinea pig in some cases, no easy feat. No more setting up a play pen in the living room so they could run full speed, at least while they were young. No more watching Zesty jump over the guinea pig fence, and then laughing as Nugget observed Zesty and followed suit. I remember having to buy a new set of fences that were much taller to thwart the escape artists. Biscuit running in circles in the living room, entirely too fast for my camera to capture. The many nights I would take Figlet out of the cage and put her on the kitchen counter as I prepared veggies, giving her first shot to enjoy them without contest. The elaborate veggie platters I would make for the herd. Buying wheat grass for them to enjoy, because that was like crack to them. Cutting Tater’s hair, leaving a little sprout on her forehead because it amused me.

Despite the emotional turmoil in taking care of these critters, they were definitely worth it. If you have a bad day, you can look in the habitat and see the adorable guinea pigs living their lives. They have their own drama and dynamics, but ultimately it gives you perspective on your own drama. Picking up a guinea pig and getting nothing but an abject reaction reminds you they keep it real.

[Photo: the herd]