Stalking me in Las Vegas…


I fly out to Las Vegas tomorrow for the trifecta of summer security conventions held in oppressing heat. BlackHat Briefings, BSides Las Vegas, and DEF CON 21. If you want to catch up to talk about, OSVDB, or anything vulnerability related, look for the disgruntled person likely wearing a squirrel-themed shirt. If you would like to stalk me down to catch up, chat about anything, or shank me, this friendly guide will assist you:


I will be at BSides in the morning to catch a few talks, mingle, and generally harass the BSides staff. Because they didn’t have enough going on putting together the entire convention. In the early afternoon I will make my way to BlackHat to register, visit a few vendor booths, and then give a presentation at 3:30 with Steve Christey in Palace 1 room. The talk is called “Buying Into the Bias: Why Vulnerability Statistics Suck”. Hopefully we will demonstrate how vulnerability statistics have sucked throughout the years, ways to improve them, and more. After the talk and any Q&A, I hope to stick around for the Pwnie awards and BarCon, before heading to either the Adobe or Tenable party.


I will be at BSides almost all day and hope to catch a variety of talks that sound interesting. Later in the evening I will be in various places for a dinner meeting, and then may swing by the Microsoft party to harass their security people before ending up back at BSides for the after party.


I will be at Defcon and Skytalks, likely lingering around the Skytalks room if nothing else going on. At 8P, the Defcon Documentary is showing, as well as Hacker Pyramid / Hacker Jeopardy.


I will be at Defcon and Skytalks, until 3P where I will present the Defcon Recognize Awards with Russ in Track 3. Come see who the charlatan of the year is, among other categories! That evening at 8P is the screening of the new movie “Reality Hackers” in Track 2. After that, probably doing vile things at the 303 party.


If you haven’t found me by this time, you failed.

Are we so desperate?

The current state of U.S. politics is beyond dismal and entirely depressing. Our society only follows the corporate controlled ‘news’ channels that stump for their party-of-choice. Our congress is laughably ineffective in doing their job. The bi-partisan House/Senate can’t agree on anything, and little gets done in the pathetic number of days these overpaid politicians get paid to work.

Long ago, I told people that I would never vote for anyone that wants to be elected for a given office. If John Doe is running for President, I will not vote for him. He wants that position for a reason, and it isn’t his altruistic nature. The money, the power, and the fame drive people to politics. Even the no-name positions that we don’t care about, they are stepping stones for bigger offices.

The last few weeks remind me of why I will never vote for someone who wants office. They also remind me that our political system is full of manipulative unethical criminals, and little more.

Do you remember Eliot “Client 9” Spitzer, then Governor of New York was caught in a prostitution ring? As the Daily Show notes, he is now very forthcoming about his past. Of course, when he was caught soliciting prostitutes, that led him to now admit he didn’t maintain the ethical standards expected of him and led to his resignation.

Do you remember New York representative Anthony Weiner getting caught sending pictures of his penis to a female via Twitter? When challenged, he lied and claimed his account was ‘hacked’. Ultimately, because of his lies and unethical behavior, he resigned in the wake of the scandal.

Disagraced politicians, a dime a dozen these days. The number of anti-gay Republicans caught in homosexual encounters is enough to fill a blog. The amount of peace-loving anti-big-government Democrats that don’t support everything they claim to support could fill another blog. [Insert sentence about third political party going against their claims… oh wait.]

So jump forward to 2013. The U.S. population is around 313.9 million people. Are we so strapped for people that want to hold office, that we would actually consider someone who has already proven they do not have the ethical merit in recent years? Apparently, we are. Is it the fact that the oath many take simply says to uphold the Constitution, which most of them have a history of going against, and does not say to be an unethical lying slimeball jackass? Does that absolve them of their past transgressions, and make them justified and righteous in the public’s eye? Apparently, it does.

Eliot “Client 9” Spitzer is running for office again. Insult to injury? Spitzer has not “filed an ethics report on time with the city Conflicts of Interest Board.” If that wasn’t bad enough, and apparently it isn’t, Spitzer’s primary competitor is Kristin Davis. Who is that you ask? According to her, the leader of the escort service that supplied Spitzer with the prostitutes. Personally, I think she is telling the truth. After all, why would you lie about that going into politics?

Anthony “show my junk on Twitter” Weiner is also running for office again.

Remember Mark Sanford of South Carolina, who lied about his extramarital affair, claiming he was hiking in the mountains? Yeah, he is back, and running again too.

So again, I have to ask. Are we so desperate for politicians that we’d happily take these unethical assholes back and let them hold public office? Apparently so. Some of them are ahead in the polls already.

If you ever wonder why I don’t vote, remember this. If someone wants political office, I don’t want them. If someone has proven themselves unethical, I don’t want them. Until I see an election between two relatively honest and ethical people, then I refuse to vote. In doing so, I do not give up my right to complain about the election or outcome. Telling me I have to vote for one of two lying assholes to ‘gain’ the right to complain, means you don’t understand what our country was founded on.

At this point, I will happily accept the Harrison Bergeron model of politics.


The Popcorn Thesis

During a recent email thread, a friend and I were comparing our local squirrels. She put forth that her Chicago squirrels did not eat popcorn, to which I expressed my disbelief. I couldn’t imagine a squirrel turning their nose up at it. I said I would have to test that theory.

I’ll be curious whether yours will eat it. Maybe the consistency of popcorn is too close to foam packaging peanuts, and my squirrels know not to eat foam peanuts based on prior unfortunate digestive disturbances? Dunno…

Maybe that hippie organic crap stuff you try to pass off as popcorn is the problem I say! Give them good old-fashioned regular popcorn and see what happens. I did! First, start with some plain old microwave popcorn:


Ensure it is nuked properly, and not burned:


Leave some out with the usual offering of almonds and townhouse mini-club crackers before bed:


The verdict? My squirrels are not food snobs. All three foods demolished by 9AM. Victory!


(I called this a Thesis because said friend is an academic, and figured it would resonate better.)

Exploding the Review

In the early 90’s, when I was moving in the world of computer bulletin board systems (BBS), it ultimately ended in my interest in phreaking. It started out reading t-files, moved into wardialing, and a few years later would result in PBX, voice mail, and switch hacking. While I got a late start in the phreaking world, it involved a world of reading including years of historical activity related to the phone system. Blue boxes were all but a thing of the past. Rumors of a switch or two still allowing you to seize a trunk floated around, but the time and effort of building a box based on rumor wasn’t so appealing, especially after some thirty years of it being the primary tool of the trade.

Red boxes still worked and were fun. Like the phreaks before me and my friends, we didn’t have many people to call, but it was fun using them. Something about that spoofed quarter signal, dee-dee-dee-dee-dee in rapid succession. From there it was the world of voice mail hacking. At first, just to see what the system were about. That quickly morphed into trying to find out which ones allowed outdial, putting me on the eternal hunt for diverters. At some point, enough information emerged about switches, and after a chance lesson from a veteran, a few of us learned the absolute basics of the 1AESS switch. Within a year or two, the Internet was taking a hold of our minds. Mind you, this was when DNS was still largely controlled via your own HOSTS.TXT file, before BIND was prevalent.

I offer this history because it heavily influences this review, and my enjoyment of a book.


Exploding the Phone gives a fairly comprehensive history of the origins of phreaking (phone system hacking). Written by Phil Lapsley, foreword by Steve Wozniak, the book was published earlier this year.

The book “Exploding the Phone” opens with a curious story of a classified advertisement in the Harvard Crimson student newspaper:

WANTED HARVARD MIT Fine Arts no. 13 notebook. (121 pages) & 40 page reply K.K. & C.R. plus 2,800; batter; m.f. El presidente no esta aqui asora, que lastima. B. David Box 11595 St. Louis, MO 63105.

This story is a launching point into the curious world of the early phone hackers, known as “phone freaks” that later became “phone phreaks”. After a brief history of the creation of the phone system, Lapsley takes us through the early world of blue boxing. By sharing the stories of several early phreaks that independently discovered the 2600hz signal and how it could give them free calls and the ability to explore the phone system, we see that an entire generation of what is now known as ‘hackers’ were in it for the love of system, nothing more. Because nothing can be that pure, we also learn of bookies in the 60’s that used phreak-made blue boxes for profit, by evading long distance bills for their numerous calls. Along with the phreaks are the stories of the phone company security and law enforcement that began to investigate them.

We get detailed stories of blind phreaks like Josef Engressia (aka The Whistler), Bill Acker, and Rick Plath. Instead of rumors and lore, Lapsley took extensive time not only researching them, but speaking with them when possible. The stories continue with the phone company struggling to figure out this new wave of people using the system in ways not intended. The reader enjoys some of the classic pranks pulled by phreaks, as they routed their calls all over the world, even to the Vatican. The history lesson continues with the tale of John Draper, aka Captain Crunch, who did not discover the cereal-box whistle blew the 2600hz tone (he was told that by phreaks that figured it out years before). As with all hacker culture, the drama of snitching and trying to evade serious punishment enters the picture. The book wraps up with more recognizable names like Steve Jobs and Steve Wozniak, and their founding of Apple based on selling blue boxes.

To anyone remotely interested in phreaking, or phone systems in general, I highly recommend this book. The author has done a wonderful job outlining the past through colorful stories, new details, and a great sense of what the culture was like.

T-Mobile’s Poor Implementation Works Against Amber Alerts

Just over a month ago, I received a pop-up alert on my Samsung Galaxy 3 (via T-Mobile) with a standard, and persistent, emergency broadcast noise…

Emergency alert
Longmont, CO AMBER Alert: LIC/245FLJ (CO) 2001 Blue Ford F350 Pickup truck
Type: AMBER Alert

The noise stopped briefly, then picked back up again until I tapped “OK”. This is a radical departure from the previous product behavior and service provided. Presumably this came with the latest Android update T-Mobile pushed shortly before (May 13).

No warning about this change, no indication where the alerts are coming from, no explanation on criteria for receiving (Longmont is almost 40 miles north of me, outside a metropolis of ~ 4.5 million), no indication of how often we receive them, a repeating noise that we have to acknowledge (as opposed to SMS that gives a noise/vibration one time only), etc. I’m not opposed to getting such warnings but I should be able to opt in and control the settings for how it is displayed.

One hour later, I received the same alert. That is intrusive and annoying. When it happened, I thought “if this shit happened at night, it would wake me up and force me to get up to ack the alert and turn off the phone” and just that happened. Wednesday early morning, at 5:20AM I received another. As I thought, it woke me, given the emergency sound and vibrating on my desk.


Looking at the SMS options that control this is also interesting. I now have to receive “Presidential Alerts” and cannot opt out of them. There are also Imminent Extreme alerts, Imminent Serious alerts, and the Amber alerts that I have received twice now. What are the others, and what differentiates them? When was the last time a Presidential broadcast was sent to everyone’s email address or home phone number? Absurd you say, why is it all of a sudden OK to send them to every subscriber’s cell phone?

What bothers me the most is that the Amber alerts, and presumably the others, do not adhere to the rest of my SMS settings. When I get an SMS, it vibrates once, makes an audible noise of my choice once, and sits idle until I check the phone. Amber alerts come up with a different sound; one that repeats until I acknowledge it.


This is ridiculous. I want to receive them, but on my terms. The current setup and being woken at five in the morning forced me to disable the Amber alerts. T-mobile’s crappy technical implementation has worked contrary to their intentions by annoying customers into disabling them. This works against the entire purpose of having the alerts pushed via cell phones.

Building a better InfoSec conference…

There is an abundance of information security conferences out there. While the industry is drowning in these conferences, a lot of them are producing more noise than value. Increasingly, people are realizing that even a moderate security conference is a profit center. We need fewer conferences that are more topical and offer more value, whatever the price. In addition to the frequency of conferences, most of them are doing the same exact thing. There is a serious lack of creativity and forward-thinking. It was only the last few years that saw a couple conferences dedicate entire tracks to defensive security.

I have been attending security conferences for almost 20 years now. Based on my experience, as well as being on several CFP review teams, there are many aspects I want to see in the future.

  • More talks or entire tracks dedicated to sociology and human sciences, as relates to the security world. We see this from time to time, usually in passing regarding security awareness or phishing. Attacker profiling is a stronger use, but most talks are over-simplified and don’t cover new ground.
  • Talks on law and policy are more frequent lately, but they don’t seem to do much good. In the recent DEF CON 21 CFP review, we received many talks that focused on law and/or policy. There was one trend that emerged between all of them; no practical information on how the average person can truly make a difference. Sure, write your congress critters, stay informed, and all the usual advice. That hasn’t worked in the past. What else do you have?
  • Heckling should be encouraged. Several years ago, DEF CON changed to where questions or comments were not allowed during talks. The years prior, if a speaker said something that was not factual, you could quickly call them on it. It gave the audience a chance to see the error with minimal interruption. Now, questions are done after the talk, in a separate room, away from the audience. If a speaker says something inaccurate, the audience leaves thinking it was factual. This is a disservice to the attendees. Speakers must be kept honest.
  • Continuing that theme, all talks should have a mandatory 5 minute Q&A session at the least. It is rare that a speaker is so decisive and thorough as to leave no questions. If an audience member wants to debate a point or call them on bullshit, they get an opportunity to do just that.
  • More lightning talks, with a twist! Having 3 presentations in an hour gives more researchers a chance to share their progress and ideas. It gives a brief platform for them to find others that may want to help, or get ideas for moving forward. The twist? A gong. If a talk is bad or going nowhere, don’t even give them their 15 or 20 minutes. Gong them off the stage and let the next lightning talk start.
  • Most conferences solicit talks (the CFP), have a review team decide which are worthwhile, and create a schedule. It would be nice to see conferences follow this process to weed out the crap, but then put all good talks up for community vote. Based on the feedback, use it to determine what the masses want to see and then build a schedule off the higher voted talks.
  • Speakers should not only explain why they are presenting, they should justify why they are the ones giving the talk. Not a general resume with 20 years of security experience either. What specifically have they done that warrants them giving this talk. Pen-testers with a few years of experience should rarely give a talk on pen-testing or social engineering, unless they truly have groundbreaking material. They should be required to make their slides available shortly after the convention. The slides should properly reference and footnote prior work, source images, and give credit to what influenced them.
  • Conferences should solicit feedback from the audience, and give it to the speakers so that they may improve their talks in the future.

These are but a few ideas for improving conferences. Have your own ideas? Leave a comment!

Saving the world, one dollar at a time…

From time to time, I am asked if I want to donate a dollar to $CAUSE. It happens in retail establishments like Whole Foods, Safeway, Regal Cinemas, and even gas stations. The causes range from charities fighting disease to helping my state recover from wild fires. In some cases, they don’t even ask for a full dollar. Instead, they ask if they can round up to the next dollar and apply the difference as a donation. When asked, I typically say yes, especially if I think the charity is worthwhile.

For many people, a handful of change or even a dollar is not significant. We routinely waste considerably more in various parts of our daily life. Leaving lights on, running the air conditioner, buying frivolous items we don’t need, and much more. Our entire society is one of extreme waste.

The idea of a business asking for ’round up’ change or a dollar for a purchase is brilliant. Charities that mail asking for $10, $25, $50 or more often have little luck because people don’t want to commit to that much, especially when the economy is not strong. However, being asked in public, face-to-face, often in front of other people… you don’t want want to be the asshole that says no to saving children or curing cancer.

For fun, what if every person donated that 1 dollar as asked. Perhaps every movie-goer in 2012 donated when asked. According to the MPAA, 1.36 billion attended movies last year. What would that kind of money do for a worthy charity? And if each of the 25.1 million Netflix customers gave a dollar? What of Spotify’s 5 million paying customers? And Blizzard’s World of Warcraft, with their 10.2 million customers?

Yep, that kind of money put in the hands of well-run charities could do wonders to feed the hungry, assist in research for curing all manner of ills, or do other amazing feats of good. Just think… what if we saw even 1% of Wal-mart’s 100 million customers a week give an extra dollar to charity?

[Update: Several years ago, I had asked various PetSmart employees about the charity they asked customers to donate to. It is done via the Credit Card terminal you swipe your card in, as part of confirming the transaction. After several times of asking, none of them were able to give me a good answer about the charity, just a generic line about helping animals. After publishing this blog today, Sean V. contacted me to provide a link to the PetSmart Charities web site that goes into a lot more detail. Looking at the charity on Charity Navigator, you can see that they operate with minimal admin overhead, and a majority of the money goes to support their stated purpose. Based on this, I will resume saying ‘yes’ to donating to their charity when I shop at PetSmart.]