Customer Service; Why I am mad before we start talking…

Back in the early ’90s, as part of my interest in phone systems and BBSs, friends and I looked at creating our own voice mail system. Back in the day, voice mail was still a developing technology. It wasn’t just about calling a number and leaving a message if no one answered. Hackers and phreaks used voice mail for diverting (via their outdial features), trading information (hijacking legit voice mail), and setting up their own hacker voice mail systems with menus that led to current phone hacking information. These systems could understand DTMF and had fairly simple, if not deep, menu systems.

Jump to today with elaborate phone support systems that tie into databases, transfer calls across continents within seconds, and offer a variety of features. From 1993 to 2013, that gives 20 years of advancement and innovation. When a current support system has issues, it pisses me off. I get that today’s systems are more advanced, but we were already doing some of that functionality as a hobby 20 years ago. Largely, the issue is the standard Quality Assurance (QA) issue; the company does not test the system from the customer perspective.

To illustrate this, and to explain why I am frequently pissed off beyond words by the time the nice support representative says “hello”, I will use CenturyLink tech support (800-247-7285) as an example. While there are variations between support lines, this one is indicative of the problems that routinely set me off.

The Call

Welcome to Centurylink… For English please stay on the line… [Spanish]… pause

What happened to giving native speakers a ‘1’ to bypass this? Don’t make me wait for a secondary language message.

I have your phone number as… (identify my #) … one moment while I retrieve your account

The first time I enter my phone number. From here, the system accesses my account and has all of my information. They provide my phone service, long distance, and Internet connection.

Next, I am given options and select ‘Internet Repair’.

I have your account information… please hold while I evaluate your service… there doesn’t appear to be any open repair tickets. If you can’t connect to the Internet, press 1.

Next, it gives me an option to perform some automated tests via the voice prompt system, or I can choose a representative, which I do.

Please enter your phone number where you can be reached.

The second time I have to enter my phone number. I am glad systems ask for a call-back number in case of disconnection, but the phone company knows my number.

You can quickly chat online from a computer with a representative by using

I just selected “Internet Repair”, and the first advice they give me is a web site I can’t access because I have no Internet service.

Your account information is confidential and protected by law. Advise our agent if you prefer we don’t use it to market the products OR repair service. This has no effect on the service or offers we’ll provide.

What does this mean exactly? That if I don’t want them to “market the products” to me, then I also don’t get my service repaired? Yet, it has no effect on the service they will provide? This level of double-speak is infuriating.

While on hold waiting for a representative…

There is no limit to what you can do with high-speed internet from Century Link. Imagine an Internet up to 40 megabytes, now they can be yours…

Seriously? Not only am I calling because my service isn’t working, you taunt me with this? For the last 10 years, I have had 7mb service with a whopping 0.8mb upload speed. Every six months, I call and ask if they can offer faster. When CenturyLink put up billboards advertising up to 40mb two miles from my place, they still did not offer it. Years later, when a friend that lives 100 yards from me can get it, I still can’t. I have asked for a business connection and offered to pay more, still nothing.

After several minutes and the repeated frustrations above, you finally come on the line. You introduce yourself, then promptly ask me for my name, phone number (third time), billing address, and last four of my social security number.

That is why I am always mad when I speak to you.

My Penguin Encounter

Yesterday, I went to the Denver Zoo to attend one of the new Animal Adventures. For 90 minutes, we got a guided tour of the Bird World exhibit, as well as behind the scenes access to the kitchen, and private time with a penguin (the real reason to go). We sat down in the visitation room, and shortly after, Mattie (Matty?) walked in! She is a 5 year old penguin, and the only one the zoo staff considers suitable for in-person viewings like this, because she was raised from a chick by zoo staff. The other penguins they consider safe, but slightly unpredictable, so they don’t allow them for visitation.

Mattie the penguin

Penguins are clearly a threat to security, and they get checked for weapons frequently. OK, not really. Stupid humans like to throw shiny coins into zoo exhibits with water (e.g. penguins, seals), and don’t consider that the animals are curious or may mistake it for food. The zoo staff keeps this metal detector wand on hand to periodically check the penguins for coins in their stomach. If the penguins can’t pass the coin naturally, they have to be taken for surgery.

penguin and metal detector

Penguins are very curious creatures. Mattie did laps around the room investigating everything and everyone. It is pretty easy to get her attention with the right noises, or colorful objects like the wristbands we wore. She enjoys being scratched under her chin, and despite the menacing beak, does not bite hard at all. By this point, I was seriously considering my odds for picking her up and bolting for the exit.

me and a penguin

A larger gallery of images is available on

My kind of reality TV…

Reality TV has become a staple for U.S. television. We all know that a majority of the shows are complete trash, and yet millions tune in religiously to watch them. In some cases, it is no different than watching a car wreck or a scene of utter amazement. Almost everyone who watches TV has at least one reality show they watch, even if it is a guilty pleasure. I certainly have a few.

Survivor used to be an entertaining show, but went downhill over the years as their attempts to inject a fresh angle were poorly executed and simply not creative. Hell’s Kitchen is entertaining, but primarily because Gordon Ramsay delivers a level of verbal abuse that would make some drill sergeants nod in respect. COPS has become routine, but I still enjoy it when a dumbass shows the textbook way to get tased. Ninja Warrior (Japan more than US) is entertaining, as it demonstrates a level of physical ability that few will ever know. I watch these shows because of the entertainment value, but also as background noise while working. They simply aren’t engaging enough on their own to warrant full attention.

There are two reality shows that stand out to me, as they went in a different direction. Instead of throwing people into a scripted and absurd situation before calling it ‘reality’ (e.g. Big Brother, Jersey Shore), some shows throw people into a very different situation for our entertainment, and education.


From Wikipedia:

Solitary is a reality show on the Fox Reality Channel whose contestants were kept in round-the-clock solitary confinement for a number of weeks with the goal of being the last contestant remaining in solitary…

And that is the beauty of this show. For most competitions determining elimination, contestants were competing against themselves. Confined in their rooms, with only a robotic voice giving direction at times, they would keep doing a given task that got more difficult until they could take no more. At that point, they would hit a buzzer to indicate they were done. Each time they hit the buzzer, they had no knowledge of the other contestants so they never knew if they were the first to buzz out. As such, each contestant gave it their all. In addition to the eliminations via contests, some physical, some mental, they were participating in a larger contest every minute. When the pressure of being alone after having their identity stripped (they were only referred to as a number by the computer voice) was too much, they could buzz out of the entire contest.

No social game, just a test of self-determination to see the extent a person can persevere.

The Colony

From Wikipedia:

The Colony is a reality television series that is produced by the Discovery Channel. The program follows a group of people who must survive in a simulated post-apocalyptic environment.

Season 1 is set in a post-apocalyptic Los Angeles, with 10 people living in an abandoned warehouse. While food and water are a daily struggle for them, the group is well-stacked for creativity and ability: handyman, carpenter, machinist, computer scientists, and more. By the end of the show they have solar power, lighting, a shower, working radio (transmitter and receiver), and a lot more in the way of living. The group is put through many tests, often in the form of raiders, or other survivors begging for food and water to test the group’s unity. After surviving for almost sixty days, and losing one group member to an unknown incident, they are given a chance of escape and take it. The simulation is pretty well done and gives a rough idea of what life might be like. It shows how each person copes, how the group bonds as well as fights, over the smallest things. Commentary from an engineer, psychologist, and disaster consultant gives insight as to what they are building, their mental state, and what options they have given the landscape.

Some of my gripes about season 1 are addressed early in season 2. Instead of attackers that push, shove, and menace, the colonists in season 2 are instantly pepper sprayed by the first large band of marauders. This forces them to use precious supplies like milk to neutralize the stinging. Season 2 also carries more dead weight; not everyone has life training in a discipline that has immediate use. A 22-year-old model and a 70-year-old man are in the group, giving a better spectrum of who may survive. Set on the edge of the bayou, this colony simulates a viral outbreak where every encounter with marauders must be done with masks and the threat of exposure. If possibly exposed during the struggles, they must self-quarantine for 12 hours, and are only allowed to rejoin the colony if there are no signs of infection (e.g. fever, vomiting). In each case, while simulated, it gives a good glimpse into what a lack of society looks like. It shows how our minds work and how we can quickly descend into the types of people we looked down upon weeks earlier.

Know of any other reality shows along these lines? Let me know!

Local File Inclusion vs Arbitrary File Access

[This was originally published on the OSVDB blog.]

Notes for this blog have been lingering for over three years now. In the daily grind to aggregate vulnerabilities, the time to write about them gets put on the back burner frequently. Rest assured, this is not a new issue by any means.

Back in the day, we had traversal attacks that allowed an attacker to ‘traverse’ outside an intended directory to access a file or directory that was not intended. The most basic example of this known to most is a web application traversal attack such as:


Making this request would direct the script to traverse outside the web server document root (DOCROOT) to access the system password file (/etc/passwd). For years, these attacks were simply known as “directory traversal” attacks. For limited traversals, CVSSv2 scoring would be 5.0 and look like (AV:N/AC:L/Au:N/C:P/I:N/A:N). If the application is running with full privileges and could access any file on the system, it would score a 7.8 and look like (AV:N/AC:L/Au:N/C:C/I:N/A:N). Note that such an attack only allows an attacker to read the contents of the file, not write to it or execute it as a script. To help distinguish this, such attacks are usually qualified to “traversal arbitrary file access”.

Local File Inclusion (LFI) attacks go back to around 2003 and often exhibit the same trait as directory traversal attacks, as outlined above. Like the traversal, the attack typically involves a relative (e.g. ../../) or absolute path (e.g. &file=/path/to/file) to call a specific file on the system. The difference is in how the application handles the request. Instead of displaying the contents of the file like above, it will include the file as if it is an executable script. This means that arbitrary code, but limited to what is already on the file system, will be executed with the same privileges as the web application and/or web server. Using a combination of real-world common issues, this can be leveraged into full arbitrary remote code execution. For example, if you can access an incoming directory via FTP to write your own .php file, the local file inclusion vulnerability can be used to call that custom code and execute it.

Visually, these two vulnerabilities may look identical:


Despite appearances, these are two very different attacks. If the first is a traversal arbitrary file access issue, the contents of shell.php will be displayed. If the second is a traversal local file inclusion, the contents of shell.php will be processed as PHP code and executed.
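The distinction above is about what the application does with the path, but the defensive check is the same for both: a file parameter must never be allowed to reach anything outside the intended directory, whether it arrives as a relative traversal, an absolute path, or an encoded variant. The following is an added example in Python (not code from the original post, and not a PHP library call), showing a containment check a file-serving handler could apply, plus the allowlist design that an include()-style handler should prefer so that no user-supplied path exists at all. The document root and the page names are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed document root for this example (a hypothetical path, not one
# taken from the page).
DOCROOT = "/var/www/html"


def decode_fully(value, rounds=3):
    """URL-decode until the value stops changing, so layered encodings such as
    %252e%252e%252f do not slip past a single-pass check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(root, requested):
    """Return the absolute filesystem path for `requested`, or None if the
    request would reach anything outside `root`.

    Rejects relative traversal ('../../etc/passwd'), absolute paths
    ('/etc/passwd'), encoded variants, and NUL bytes. The containment test is
    done on normalised absolute paths, so 'images/../../x' is judged by where
    it ends up, not by whether the string happens to contain '..'.
    """
    requested = decode_fully(requested)
    if "\x00" in requested:            # NUL truncation trick
        return None
    # Design choice: treat backslashes as separators too, since some stacks do.
    requested = requested.replace("\\", "/")
    if os.path.isabs(requested):       # join() would silently discard the root
        return None
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, requested))
    try:
        contained = os.path.commonpath([root_abs, candidate]) == root_abs
    except ValueError:                 # e.g. different drives on Windows
        contained = False
    return candidate if contained else None


# Allowlist for include()-style handlers: the user picks a key, never a path.
# Constructed entries for the example.
PAGES = {
    "home": "pages/home.php",
    "contact": "pages/contact.php",
}


def select_include(root, page_key):
    """Map a page key to a fixed, pre-approved file under `root`. With no
    user-controlled path, neither traversal nor absolute paths apply, which is
    the safer design for code that is going to include() the result."""
    relative = PAGES.get(page_key)
    if relative is None:
        return None
    return resolve_under_root(root, relative)


def check_requests(root=DOCROOT):
    """Run the PoC shapes discussed on the page plus a benign request through
    the check and report which are accepted (constructed inputs)."""
    samples = [
        "index.php",                            # benign
        "images/../index.php",                  # normalises back inside root
        "../../../../etc/passwd",               # relative traversal
        "/etc/passwd",                          # absolute path
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",        # URL-encoded traversal
        "..%252f..%252fetc%252fpasswd",          # double-encoded traversal
        "index.php%00.jpg",                     # NUL truncation
    ]
    return {s: resolve_under_root(root, s) is not None for s in samples}


if __name__ == "__main__":
    for request, accepted in check_requests().items():
        print("%-40s %s" % (request, "accepted" if accepted else "rejected"))
    print("include 'home' ->", select_include(DOCROOT, "home"))
    print("include '../../etc/passwd' ->", select_include(DOCROOT, "../../etc/passwd"))
```

Only the first two samples are accepted; the rest resolve outside the root (or contain a NUL) and come back as None. The point of comparing realpath() results rather than scanning for "../" is that the check survives encoding tricks and odd-but-harmless paths alike.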

Even with this simple concept, more and more researchers are unable to make this distinction. Arbitrary file access and local file inclusion are not only getting blended together, but traversals that allow for file manipulation (e.g. append, delete, overwrite) or even file enumeration (e.g. determine existence of file only) are also getting lumped in.


Specto Local File Inclusion by H4ckCity Security Team gives a PoC of:

This is clearly not a local file inclusion as the file being included is the standard text file containing password information. Instead, they show an absolute path file disclosure.

OneFileCMS v.1.1.5 Local File Inclusion Vulnerability by mr.pr0n gives a PoC of:

Again, calling a text file, this time via a standard directory traversal. If this is really a LFI, then the PoC does not show it.

Pollen CMS 0.6 File Disclosure by MizoZ gives a PoC of:

First, this is a bit suspicious as the parameter ‘image’ implies it will handle images such as JPG or PNG. Second, the [LFI] string doesn’t show if it is an absolute path or traversal. How could the researcher find it without knowing this? Third, and most important, their disclaimer:

The script only verifies the existence of the given file.

Sorry, not even close to a LFI.

Mobile Devices and Exploit Vector Absurdity

[This was originally published on the OSVDB blog.]

The last few days have seen several vulnerabilities disclosed that include serious gaps in logic with regard to exploitation vectors. What is being called “remote” is not. What is being called “critical” is not. Here are a few examples to highlight the problem. We beg of you, please be rational when explaining vulnerabilities and exploit chaining. The biggest culprit in all of this is the “need for a user to install a malicious app” to then allow a vulnerability to be exploited. Think about it.

Number One

We start with an H-Online article titled “Critical vulnerability in Blackberry 10 OS”. First word, critical. In the world of vulnerabilities, critical means a CVSSv2 score of 10.0 which essentially allows for remote code execution without user interaction. Consider that standard and widely accepted designation, and read the article’s summary of what is required to exploit this vulnerability:

As well as needing Protect enabled, the user must still install a malicious app, which then compromises a Protect-component so that it can intercept a password reset. This password reset requires the user, or someone who knows the BlackBerry ID and password, to go to the web site of BlackBerry Protect and request the password. If the attacker manages that, then the Protect component, compromised by the earlier malicious app, can let the attacker know the new password for the device. If he has physical access to the device, he can now log on successfully as the actual user. Otherwise, the attacker can only access Wi-Fi file sharing if the actual user has activated it.

The only thing missing from this exploit chain are the proverbial chicken sacrifices at midnight on a full blue moon. Want to get the same result much easier? Find your victim and say “Wow, that is a slick new phone, can I see it?” Nine out of ten times, they unlock the phone and hand it to you. Less work, same result.

Number Two

There were a few disclosures out of Japan’s JVN system, run by JPCERT. Two examples, both the same fundamental vulnerability, are summarized below:

#1 – CVE-2013-3643 (NVD Entry) – JVN 99813183 / JVNDB-2013-000056
#2 – CVE-2013-3642 (NVD Entry) – JVN 79301570 / JVNDB-2013-000055

#1 – The Galapagos Browser application for Android does not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application.

Despite all these references, users are left with either incorrect or very misleading information. First, CVE says “an attacker” instead of qualifying it as a local attacker. I only call them out because they are historically more precise than this. Second, NVD calls this a “context-dependent” attacker via the CVSSv2 score (AV:N/AC:M/Au:N/C:P/I:N/A:N), saying it can be exploited over the network with moderate user interaction. NVD also says this affects confidentiality ‘partially’. JVN goes so far as to say it can be exploited “over the Internet using packets” with “anonymous or no authentication”.

The Reality

The reality of these vulnerabilities is that they are not remote. Not in any form under any circumstances that the vulnerability world accepts. For some reason, VDBs are starting to blur the lines of exploit traits when it comes to mobile devices. The thought process seems to be that if the user installs a malicious application, then the subsequent local vulnerability becomes ‘remote’. This is absurd. Just because that may be the most probable exploit vector and chaining, does not change the fact that getting a user to install a malicious application is a separate distinct vulnerability that cannot have any scoring weight or impact applied to the vulnerability in question. If you can get a phone user to install a malicious application, you can do a lot more than steal ‘partial’ information from the one vulnerable application.

Let me put it to you in terms that are easier to understand. If you have a Windows local privilege escalation vulnerability, it is local. Using the above logic, if I say that by tricking a user into installing a malicious application it can then be exploited remotely, what would you say? If you have a Linux Kernel local DoS, it too can become remote or context-dependent, if the root user installs a malicious application. You can already spin almost any of these local vulnerabilities into remote by saying “remote, authentication required” and assuming it can be done via RDP or SSH. To do so though, devalues the entire purpose of vulnerability classification.
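The traversal scores quoted earlier (5.0 and 7.8) and the NVD score for the browser bug above are all CVSSv2 base scores, and the whole argument here is about what the Access Vector metric is worth. The following is an added example, not code from the original post: a small CVSSv2 base-score calculator using the weights and equations from the CVSS v2.0 guide, run over the vectors the page quotes. It also scores two constructed vectors for comparison: the all-Complete network vector that defines the “critical” 10.0, and the browser bug re-scored as AV:L with every other metric left as NVD had it (that re-scoring is my assumption, not NVD’s).

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSSv2 base-metric weights and equations, as published in the CVSS v2.0 guide.
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}  # Confidentiality/Integrity/Availability


def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:N/C:P/I:N/A:N)' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    for required in ("AV", "AC", "Au", "C", "I", "A"):
        if required not in metrics:
            raise ValueError("vector is missing metric " + required)
    return metrics


def cvss2_base_score(vector):
    """Compute the CVSSv2 base score (0.0 to 10.0) for a vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                        * (1 - IMPACT_WEIGHT[m["I"]])
                        * (1 - IMPACT_WEIGHT[m["A"]]))
    exploitability = 20 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * AU_WEIGHT[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # The guide rounds to one decimal place, half up.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def score_table():
    """Scores for the vectors quoted on the page plus two constructed
    comparison vectors (see the labels)."""
    vectors = {
        "limited traversal (page)": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
        "full-privilege traversal (page)": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
        "NVD score for the browser bug (page)": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
        "same bug scored as local (constructed)": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
        "critical reference point (constructed)": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    }
    return {label: cvss2_base_score(v) for label, v in vectors.items()}


if __name__ == "__main__":
    for label, score in score_table().items():
        print("%-42s %4.1f" % (label, score))
```

Running it reproduces the page’s 5.0 and 7.8, gives 4.3 for the NVD vector, and drops to 1.9 once the Access Vector is changed to Local. That gap is the practical cost of the mislabeling the post complains about: a “remote, partial confidentiality” entry sorts far higher in anyone’s triage queue than the local issue it actually is.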

Any doubts? Consider that CVE treats the exact same situation as the mobile browser vulnerabilities above as a local issue in Windows, even when a “crafted application” is required (see IDs below). The only difference is if the local user writes the application (Windows), or gets the user to install the application (Mobile). Either way, that is a local issue.


Why Squirrels…

Lazlo

I get that question frequently, for obvious reasons. Not only is the mascot a demented angry squirrel named Lazlo, but I seemingly have a serious fixation on squirrels if you read my Twitter stream. For over two years, I have been feeding squirrels that made their way up to my balcony, some that come from a block away across a large parking lot. As a break from work, I will go to Denver’s City Park and feed the squirrels there. While part of my obsession of squirrels is sincere, part of it is for show because it is fun.

The core of the squirrel fandom comes from reading about and observing them. While some people see them as pests, in reality they are a great animal that exhibits traits our society could use more of. Sure, some of their traits are amusing and suggest they aren’t bright animals. For example, it is sometimes reported as ‘fact’ that squirrels forget where they bury half of their nuts. For every ‘fact’ such as this, you can find research that will contradict it in both directions. Quite simply, there are too many factors at play to really gauge this (e.g. other squirrels finding a stash, re-caching, wet conditions letting smell find a cache and dry conditions forcing them to use memory, etc). There is still debate if squirrels use their memory, smell, or a combination of both to remember where their caches are. Regardless of the answer to that question, in reality, squirrels demonstrate great intelligence in many ways; enough to keep people glued to YouTube watching their cleverness.

Turning to relative experts on squirrels, we see examples that set them apart. As summarized in this NYTimes article:

In their book “Squirrels: The Animal Answer Guide,” Richard W. Thorington Jr. and Katie Ferrell of the Smithsonian Institution described the safe-pedestrian approach of a gray squirrel eager to traverse a busy avenue near the White House. The squirrel waited on the grass near a crosswalk until people began to cross the street, said the authors, “and then it crossed the street behind them.”
Reporting in the journal Animal Behaviour, the Steele team showed that when squirrels are certain that they are being watched, they will actively seek to deceive the would-be thieves. They’ll dig a hole, pretend to push an acorn in, and then cover it over, all the while keeping the prized seed hidden in their mouth. “Deceptive caching involves some pretty serious decision making,” Dr. Steele said. “It meets the criteria of tactical deception, which previously was thought to only occur in primates.”

Squirrels don’t only learn from us humans, they have demonstrated that they even learn from each other. You call it crime, they call it survival! Still think squirrels are stupid? Consider that squirrels masturbate to avoid sexually transmitted diseases. This is the tip of the iceberg! Even casual behavior can have unexpected consequences. Some 30,000 years ago, squirrels buried fruit seeds in the Siberian permafrost, that were only recently found and regenerated into flowering plants, described as “the most ancient plant material to have been brought back to life”.

Finally, in the theme of cleverness, consider what a squirrel can figure out to get to a safe and renewable food supply:

For some reason, humans will frequently consider squirrels a pest while feeding and watching boring birds. Sure, they are colorful, but yawn! In fact, some people will go to great lengths to try to keep squirrels out of the bird food. Despite that, squirrels are dedicated and tenacious, which can also provide amusement for us because we know they will move on to another food source if needed:

Like many animals, including humans, squirrels can be extremely fierce and protective if their young are threatened, or even when predators try to descend on their fallen comrade.

In summary, squirrels are cute, fun to watch, have great tails, and are intelligent little creatures. They exhibit many great traits like cleverness and have been around as long as, if not longer than, us humans. Honestly, what’s not to like?

Would you like to know more?

Finally, if you don’t accept my reasons or like squirrels, here is some advice for you!

lazlopissed - wordpress

Until then, I guess squirrels are my spirit animal.

A Personal Challenge

A personal challenge, as in, the kind where I challenge myself. Last year, I got my friend Tamba a birthday gift of entry into the Tough Mudder Colorado. Since I was not in appropriate shape, I signed up as a spectator and ended up photographing the event. Two nights before the event, Tamba broke his ankle. Undeterred, he iced it on the drive up, wrapped it, and ran the race. After seeing that, I figured I should challenge myself.

This year, I got him the same present and signed up myself to participate. If you aren’t familiar with the Tough Mudder, or similar events, it is designed to test your endurance and physical ability. It isn’t enough to run the course, which is 11 – 12 miles in Colorado. You face 20 or more obstacles, some of them quite brutal (challenging, let’s say).

This morning we got out of Denver on time but ran into a slight problem. During our philosophical discussion of post-apocalyptic planning and survival options, we missed our exit. Before we realized it, we had overshot by some 25 miles (the next exit happened to be many miles from the last). Our 1:20P start time was looking grim. By the time we turned around, parked, took the shuttle, checked in, and dropped our bags, we joined the final starting group of the day at 2:00P. This was a concern to me because the Mudder has a ‘cut off’ time (4:30P this year) where you may get sent down the mountain a much quicker way, out of the event. This meant I had to do about 5 miles of uphill, from 7,400 feet to a summit of 9,600 feet, in 2.5 hours. Given my asthma, that didn’t look feasible. Having been sick the entire week with a bad cough and serious congestion, that didn’t bode well either. This also meant that I started the race on about 350 calories, as we didn’t have time to get a bit more food in Avon, CO as planned. Doh! Clearly not my ideal circumstances for running the Mudder, but I didn’t have any other option.

This year’s course:


Of the 11 miles, I ended up doing about 9.5 of them. At the top of obstacle 6 (The Gauntlet), because it was right at 4:30, we barely made the cutoff (or were minutes late). Instead of cutting us off, we got moved directly into the downhill part of that obstacle, going over huge snow/ice ‘ramps’. These were rough as the ice was jagged and cutting many hands trying to slide down them. Upon reaching water station 3, I was dizzy and light-headed, and it didn’t go away with rest and water. Over ten minutes later, it was clearing up a tad but not going away completely. I sent Tamba up a brutal half mile+ uphill while I cut over to where water station 4 is (but it wasn’t really there). This gave me another 20 minutes to recover so I could continue the course. While we were only at ~ 9,000 feet, the lack of oxygen was affecting me and I am sure it was mild altitude sickness as well as dehydration. By the time Tamba got around that loop, I was ready to go on. From water station 5 to obstacle 15 was the final uphill push of the course, or so I thought. I slowly made it up that one, but didn’t have the energy for the very last uphill between obstacle 17 and 18. From just past 17, I took the access road down to obstacle 19 before finishing the course.

Ultimately, the lack of food as well as the amount of uphill (more than last year) sapped me completely. My legs were a constant dull pain by halfway through the course, and my back had a sharp pain from mile 2. Usually a solid hike does not hit my back at all, even in similar trail conditions. While I didn’t quite do the full course and had to skip some obstacles, we were on the course for over 4.5 hours.

Starting at 2P, we were able to catch up to the other 2 people running from Tamba’s gym (Amy and Lecia) who started at 1:20P as planned. Despite my very slow pace on the uphill, we ultimately passed some people and finished about an hour before the final person. While recovering, we also watched as an 80-year-old man crossed the finish. That is hardcore. Team Up Gym:


An exhausted, hungry, bruised, and sick me:


The one upside to all this? Post-Mudder dinner! This was the first time I was able to eat a plate of Nachos without Tamba yelling at me about fat and calories. The other thing? Biggest plate of nachos I’ve seen in my life, from Dillon DAM Brewery (note the fork for size reference):


Security, Ethics, and University

[This was originally published on the OSVDB blog.]

In the U.S., you are expected to know and live by certain ethical standards related to school. You are taught early on that plagiarism is bad, for example. You are taught that school experiments should be done in a safe manner, that does not harm people or animals. Beyond this, most colleges and universities maintain a Code of Conduct or a Code of Ethics that applies to both students and faculty. In the security industry, integrity is critical. Part of having integrity is behaving ethically in everything you do. This is important because if a researcher or consultant is questionable or unethical in one part of their life, there is no guarantee they won’t be when performing services for a client.

In the last week, we have seen two incidents that call into question if university students understand this at all. The first was a PhD student from a university in the U.S. who was not pleased we wouldn’t share our entire database with him. While we try our best to support academic research, we do not feel any academic project requires our entire data set. Further, many of the research projects he and his colleagues are working on are funded by the U.S. government, who may have contract language that means all data gets handed over to them, including ours. Instead of accepting our decision, he said he could just scrape our site and take all of our data anyway. I reminded him that not only does it violate our license, but it violates his university code of conduct and jeopardizes any government funding.

The second instance is outlined in more detail below since a group of three students posted multiple advisories yesterday, that call into question their sense of ethics. Note that the idea of “responsible” disclosure is a term that was strongly pushed by Scott Culp and Microsoft. His article on the topic has since been removed it seems. The term “responsible” disclosure is biased from the start, implying that anyone who doesn’t play by their rules is “irresponsible”. Instead, a better term of “coordinated disclosure” has been used since. Of course, the time frames involved in coordinated disclosure are still heavily debated and likely will never be agreed on. The time given to a vendor for them to patch a flaw cannot be a fixed length. A small content management system with an XSS vulnerability can often be patched in a day or week, where an overflow in a library of an operating system may take months due to testing for compatibility and regression. If the vulnerability is in a device that is difficult (or basically impossible) to upgrade, such as SCADA or non-connected devices (e.g. a pacemaker), then extra caution or thought should be given before disclosing it. While no fixed time can be agreed on, most people in the industry know when a researcher did not give a vendor enough time, or when a vendor seems to be taking too long. It isn’t science; it is a combination of gut and personal experience.

Yesterday’s disclosure of interest is by three students from the European University of Madrid who analyzed IP video cameras as part of their final project of “Security and Information Technology Master”. From their post:

In total, we analyzed 9 different camera brands and we have found 14 vulnerabilities.

Note that all the analysis we have done has been from cameras found through Google dorks and Shodan, so we have not needed to purchase any of them for our tests. Everything we needed was online.

First, the obvious. Rather than purchasing their own hardware, they used Google and Shodan to find these IP cameras deployed by consumers and businesses. Devices that did not belong to them, they did not have permission to test, and ran the risk of disabling with their testing. If one of the cameras monitored security for a business and became disabled, it further posed a risk to the company as it created a further gap in their physical security.

Second, given these devices are deployed all over the world, and are traditionally difficult or annoying to upgrade, you might expect the researchers to give the vendors adequate time to verify the vulnerabilities and create a fix. How much time did the vendors get?

  • Airlive: 6 days
  • Axis: 16 days
  • Brickcom: 11 days
  • Grandstream: 11 days for 1 vuln, 0 days for 2 vulns
  • Samsung: 0 days
  • Sony: 17 days
  • TP-LINK: 11 days

Shortly after posting their advisory, others on the Full Disclosure mail list challenged them too. For the vendors who received 16 and 17 days, many researchers would consider over two weeks to be adequate. However, for the two vendors that got less than 24 hours warning before disclosure, that is not considered coordinated by anyone.

Every researcher can handle disclosure how they see fit. Some have not considered the implications of uncoordinated disclosure, often in a hurry to get their advisory out for name recognition or the thrill. Others who have been doing this a long time find themselves jaded after dealing with one too many vendors who were uncooperative, stalled for more than 1000 days, or threatened a lawsuit. In this case, they are students at a university and likely not veterans of the industry. Whatever their own beliefs, one has to wonder if they violated a code of conduct, and what their professor will say.

A Directionless Panel Paid Off…

Recently at BSidesDenver 2013, I moderated a panel called ‘Everything is Pwned’. Or at least, that is what I posited. I had loose guidelines to qualify that, and one panelist called me out for not being as specific as I should have been on them. He also called me out because I didn’t have a direction and I wasn’t following a narrative. However, that was for good reason.

While I believe in what I posited, I don’t think it is specifically a new idea, and it doesn’t solve anything. My direction was establishing and agreeing on the fact that everything worth owning is owned, or will be. After some debate over that premise including several points dancing around the issue, Nickerson eventually responded “so what?” and that is where the panel turned around and found direction.

Johnson mentioned the companies he consults for fly under the radar, and believe they are safe through a combination of moderate to good security, along with “attackers not being interested in them”. I don’t doubt that the companies believe that, but otherwise I don’t think that is true at all. There are a metric butt-load of automated scanners and malware that are out there attacking everything all day long. This rogue software doesn’t see “Company X”, instead they see “a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.” Add to that the bad guys that are interested in you. The dreaded “APT1” isn’t just about the big guys, they want other computers to proxy through, other computers that may have a trust relationship they can exploit, or information that may be of some value. Meanwhile, lower end attackers are looking for web servers to deface, servers to host phishing pages, and a wide variety of other shady or criminal activity. I don’t think those companies are flying under the radar; I think they too are owned, and just don’t realize it.

Before the panel, I believed everything is owned. I didn’t know what it meant or the full implications, other than the security industry has failed us. If so many resources have been compromised, and we can’t uproot an embedded attacker even after reinstalling entire networks, what hope do we have? I was already thinking in the direction Nickerson took us on the panel, but he found the words and pushed me over the hill in my own thinking.

So what if everything is owned? Nickerson argued that ultimately, it doesn’t put the company out of business. If it posed a real risk, they would designate resources to fix it. Even after all these breaches, all these lost credit cards, stock dips, and more, the number of companies that actually go out of business is negligible. Corman reiterated that point when he reminded everyone that a credit card number is of virtually no value on the street, is easily replaceable, bears no liability for the end consumer, and will continue to be that way moving forward.

With the number of breaches and signs of compromise out there, I still believe everything worth owning, is. After the panel and further thinking, I think Nickerson and Corman make good points. If a common target of a breach is credit card data, which is easily replaced and has almost no financial impact on the company or consumer, why does it matter? Hundreds of big companies with incredible security budgets have been popped; it isn’t about reputation any more. If Google and Microsoft can’t keep their networks safe, why would we expect a smaller company with a fraction of the budget and expertise to?

Ultimately, that is about where the panel ended. Operate under the assumption that your network is compromised. Quit spending so much money trying to defend everything; that is like trying to put a fence around a national park. Focus on trouble areas, or those of the greatest concern, or that mean the most impact if something goes wrong. Quit thinking of your network as a castle, when the attacker has mortars and missiles. If you are losing the war, and losing most battles, at least try to protect your most valuable assets as best you can.


So you want to present…

I’ve been attending InfoSec conferences since DEF CON 2, in 1994. Add up all the conferences I have been to, and all the presentations I have seen (in person or on video later); quite a few to be sure. In the last year, I have been part of several CFP teams, where we review proposed presentation submissions for possible inclusion in a conference. This includes small conferences like BSides, regional conferences like RVAsec, and the longest running hacker conference, DEF CON. Having a perspective that includes the submission process, as well as talks at a wide variety of conferences, gives me good insight into the process. After attending or listening to too many bad talks, I eventually took a few notes for an article giving advice on the topic. Due to time constraints, like many other article ideas, it sat idle for several years.

Earlier this year at THOTCON in Chicago, I saw a very boiled down version of an 8 hour workshop James Arlen (aka @Myrcurial) gives. It is titled “Communication 4 Hackers” and covers a wide range of presentation tips ranging from creating slides to addressing the audience. After the con, I told several people it should be required attendance for anyone in our industry.

Jack Daniel recently posted a blog about the BSides “Proving Grounds” track, in which more experienced speakers mentor newcomers who are new to public speaking. Note that it doesn’t necessarily mean the people are new to the industry; they just haven’t taken the time to give public presentations. After a recent call from Banshee saying three more Proving Grounds speakers needed mentors, I volunteered.

There are a lot of forms of bias in our industry when it comes to talks. Some people think that the popular name will bring a good talk (often not true). Some people think that first time speakers are new all around, not realizing they may just be new to speaking. Some in our industry think that those who speak the most must be good. Others think that the highly technical talks are the best, even when they are over the heads of 95% of the attendees. Regardless of bias, new speakers need to have a shot in a friendly environment, absent the heavy criticism and skepticism that comes with most talks.

All of this factors in to my old notes about speakers. Instead of going over what Arlen covers, or speaking to the point about new speakers the way Daniel and Banshee do, I will ask a few questions and give some thoughts. If you are speaking at a security conference, ask yourself these questions. Remember that others got passed over for you to speak. If you don’t deliver top notch material in an entertaining and engaging manner, you have done a disservice to your colleagues. Finally, just because you get a round of applause at the end of your talk doesn’t mean you did well. The last keynote I attended was an absolute bomb, yet received a solid round of applause. Given the crowd was full of smart people, I know it was applause signalling appreciation that he actually showed up sober and stayed awake for 45 minutes, nothing else.

Are you an expert?

Are you at the very least an authoritative source? Do you have more than five (make that seven) years doing whatever you do? Will more than 51% of your audience actually learn from you (as opposed to “enjoy your stories“)?

We all have amusing and informative stories, but they don’t warrant an entire presentation people pay to attend. If you just want entertaining stories, drop 30 bucks and order beer all night at your local comedy club or bar. My stories are just as amusing as yours, and quite different. Yet, 15 years apart and they still teach us the same lessons. You convinced a company in Vegas at DEF CON to give you entrance because you are a customer? That isn’t social engineering, that is how fucking sales works. Who do you think runs these parties? You can take someone else’s scripts, and run them in front of an audience? Great. Doesn’t mean you should. Especially when you don’t know how they work, if they involve overflows, or anything else about them.

Is the talk tailored to your audience?

Personally, I have a rule; I give any talk I do no more than two times. In addition, I only do it twice if they are very different audiences. For example, the Cyberwar talk I did with Josh Corman at Brucon 2012, we also gave at THOTCON 2013. Not only was the talk updated to reflect new information and references, the audiences were very different with little chance of overlap. It also had small variations in the way it was presented that spoke to the European crowd, even though the presentation was US-centric.

Other speakers often do not realize or account for this. Some will give the same talk, with very little variation, half a dozen or more times. I understand why; same talk, “different” audience, often free travel to different venues and more name recognition. Thing is, that is all about you, not the audience. Repeating the same talk to vastly different audiences can backfire in amusing ways. Well, amusing to those of us who didn’t give the presentation at least. Others realized the mistake of joking about the Spanish Inquisition to a largely Spaniard audience a bit late, or the fallacy of calling an almost entirely Asian audience “too polite”.

Recycling talks for vastly different locales is fine, but at least tailor it to the audience and remember who you are speaking to. Most importantly, update the presentation between deliveries. If it has been six months since your last talk, and you have nothing new to add, then you aren’t learning or advancing your profession. If your content is getting stale, or you can’t figure out how to update it to keep it relevant, reconsider if you are a good candidate to give this talk.

New Doesn’t Always Warrant a Presentation

Some topics have been covered extensively the past decade. While little in security is set in stone, many things simply do not evolve quickly or much at all. They don’t have major breakthroughs; they limp along with variations and tweaks, or new tricks to make them more effective. For example, Cross-site Scripting (XSS) has been beaten into the ground. Despite that, there were three or four XSS-based talks at a single DEF CON in the past, as well as three SQLi talks at a BlackHat Briefings. Your trivial trick or variation is great, but it isn’t worth an hour-long slot at a conference.

Miraculously, researchers can take a five minute trick and leverage it into a new talk. Getting past a CFP team often requires inflating the claims and using a new bullshit marketing term. The actual presentation turns into a five minute intro with bios, ten minutes of history, five minutes setting the stage for the new gimmick, five minutes explaining the gimmick, a ten minute demo that is drawn out as filler, some parting thoughts about how it can be used, and the rest of the time for Q&A. All said and done, it is still a five minute talk with fluff.

It takes a significant jump to justify a talk on some topics. Any single web-application vulnerability (e.g. XSS, SQLi), social engineering, or most other topics that are part of daily InfoSec life are like this. Did you find a clever new method for an attack, only to demonstrate it on a specifically vulnerable application you wrote? Why not demonstrate it on a real application, even if older and currently fixed? Demonstrating only against your own contrived target sends warning signals to CFP teams and audiences alike.

Look, I know there are a ridiculous number of security conferences out there. They need good speakers, and some conferences have lower standards. That doesn’t excuse you for giving a sub-par presentation. Just because you can present on a topic you aren’t qualified for, doesn’t mean you should. Remember, not only are you doing a disservice to your audience, but possibly many more down the road. The fact that you spoke at one conference does help you when submitting to the next. CFP teams like to see prior speaking experience, and we don’t always have the time to watch previous presentations, or find reviews and comments on it.

Questions CFP Judges and Attendees Should Ask

  • Is the talk being recorded? If so, is the video of just the presenter? Is it of both you and the slides?
  • Are your slides available after the talk without video?
  • If I read your slides later, will it be sufficient to learn your material? If not, do they come with a white paper, blog, or additional material?

In short, can someone get the full value of your presentation days or weeks later? While people mock PowerPoint, if done well, it serves its purpose. If PowerPoint is done poorly, it is worthless without the audio component. I know Prezi looks slick, but it is utterly worthless without the audio to go with it. Even with audio, it forces someone to sit through the whole talk with no notes or additional information to refer to.

Yes, presenting puts you in the spotlight. It gives you good resume fodder, makes you popular, gets you free entry into cons, and other cool things. That said, it doesn’t mean you should throw a bunch of shit at the CFP wall to see what sticks. Sometimes, there is a lot more value to the industry by focusing on other endeavors, and more people need to realize that.


Tips from a CFP Reviewer

Finally, for those who are submitting talks to conferences, let me give you advice. This comes not only from my own submissions, but from someone who has been on several CFP review boards. Watching and participating in the process for the DEF CON CFP review has been educational on several levels. I hope that these tips will help you to submit better talks, that in turn better help the industry.

  • Five presenters for a 45 min talk? No, that is clearly milking the free entry.
  • If the CFP calls for a “detailed” abstract, and yours fits on a bar napkin? It isn’t detailed. If your bio is longer than your abstract or outline? Also not detailed.
  • I don’t care how important or busy you are. Never have your corporate PR person submit your talk. If you don’t have time to do it, why do we think you have time to properly research your topic?
  • If you can’t follow the simple CFP directions of “fill out this form”, why do you think we trust you to explain more difficult concepts to an audience?
  • If you fail on the above and have to send in a PDF instead of plain text, don’t name it “$convention.pdf”. At least put your last name in the file name, because you can be sure other morons couldn’t figure out the plain text requirement and also sent in a PDF with the same name.
  • Just because you have APT1 or Cyberwar or $currentbuzzword in your title doesn’t assure acceptance.
  • If you phone a submission in, it shows. Really, it’s blatantly obvious to us.
  • Don’t wait until the last minute to submit, especially for a big con. After reviewing hundreds of submissions, those last ones are more and more grueling.

Have questions about submitting to a conference? Want a quick look or feedback before you do? I am willing to help out, time permitting.

Some additional comments from another CFP reviewer, Chris (Suggy) Sumner:

  • A bio is where you list your actual experience, relevant to your talk topic. It isn’t to list all the news outlets you spoke to or unrelated certifications you obtained.
  • I value abstracts which provide a summary of the main result(s) so that attendees can make an informed choice to attend or not. i.e. they can see whether the results rock the world, or are merely interesting. A one line conclusion is always handy too.
  • Outline slides (meaning nearly finished, not just bullets) go a long way for me too. My guess is that many people don’t think about CFP far enough in advance. I had most of the work ready in February and it took a lot of stress out and meant I could get the submission in early and answer feedback. Even if research isn’t complete, it should (in most cases) be possible to begin building a nice template.
  • Another niggle is the introduction. I like it when speakers keep it mega brief. If people want to know more, they’ll read your bio and find you. Odds are, they already read your bio.
  • Perhaps my main observation from this and other cons is that too many people provide little or no detail. This amazes me. It’s the speaker’s single opportunity to sell their talk and yet they don’t. I’m sure this leads to potentially excellent talks getting kicked back.
  • If you get rejected, be sure to bitch about it on Twitter, everyone loves that  😉

Chris brings up a great point. You will get rejected by a CFP team at some point in your life. It sucks, it is discouraging, we all agree. However, if you haven’t been told why you were rejected, don’t bitch in a manner that is negative toward the conference. It may have been as simple as too many good talks, so that other good talks had to get cut. Perhaps that CFP submission you sent in never arrived (as happened with me recently).

More references and advice from Nikita, overseer of the DEF CON review process:

Finally, she gives us this talk by Strom Carlson:

The last thing Nikita wanted to emphasize: simply follow the CFP directions please! Watching the level of crap she had to deal with due to people sending in weird formats instead of plain text, sending in PDFs that didn’t allow for easy copy/paste, or not filling out all of the fields was a royal headache.