Perlroth & The First (Zero-Day) Broker

I am currently reading “This Is How They Tell Me The World Ends” by Nicole Perlroth, only on page 60 in Chapter 5, so a long ways to go before completing the 471 page tome. I hit chapter 4, titled “The First Broker” and it was of specific interest to me for sure, prompting this (second) blog on the book. A broker is defined as “a person who buys and sells goods or assets for others” so I was never a vulnerability broker by that definition. I am not trying to claim to be the actual first broker of zero-days in that context at all. Instead, I would like to share a couple of my own stories that are adjacent to the topic. This is all to the best of my recollection, but my memory isn’t the best due to being a diabetic and not having it under control for several years. If anyone involved in any of these stories has a different memory please feel free to comment or reach out directly and I will update this blog accordingly.


First, I was someone who ‘brokered’ deals in the sense of trading zero-day vulnerabilities for a few years in the mid-90s. As a member of multiple hacking groups, an actual member of some and an honorary member of others, one of my roles in several of those groups was not writing the zero-days, because I simply wasn’t a coder and did not have that skill. Instead, it was to barter and try to gain access to specific zero-days one group or member wanted, and my currency was other zero-days we had. While I couldn’t code, my social network of hackers was sizable.

Some of what I was authorized to trade for was toward the goal of obtaining e.g. “any remote zero-day in $target operating system” while in other cases it was “trade anything and everything we have for $specific-zero-day”. I acted as a go-between for the groups I was in and a liaison to the general hacker scene. Many knew me to have a well-rounded vulnerability collection and we already traded more pedestrian exploits, some of which weren’t public, but definitely more circulated in such groups.

Back then it was just hackers and groups, not companies, so we didn’t have “duffel bags stuffed full of half a million dollars in cash to buy zero-day bugs” (p.49). Instead we had other zero-day bugs which were just as valuable between groups and acted as the ideal currency. Just like Perlroth describes in her book relating the story of “Jimmy Sabien” (p.43), not his real name, the vulnerabilities had serious value back then too. Some were very closely guarded, to the point of not being shared with their group. For example, Sally may have shared 99% of her exploits and zero-days with her group but held one back because it was so valuable. That one she would use sparingly herself so as not to burn it or authorize it to be traded for a vulnerability of equal value. In those rare cases I would know just enough about the vulnerability to try to arrange a trade on her behalf, sometimes never seeing the vulnerability myself.

There were rumors at the time that some hackers had sold vulnerabilities to specific agencies in European governments. There were also rumors that some were trading zero-day exploits to a European law enforcement agency as a proffer or part of a plea to avoid being charged for hacking activity. But those were just rumors at that point. To me, that was the precursor to the more finance-based zero-day market.


Later in the 90s, I was one of the two founders of a startup called Repent Security Inc. (RSI or RepSec). We were three people and started trying to be a penetration testing shop. This was still early in the world of commercial penetration testing and we were going up against companies that either had an established business reputation like a couple of the ‘Big 5’ at the time, or companies that were pioneers in the game like The Wheel Group. We also created software for securely streaming logs over an encrypted tunnel so if a system was popped, you had the logs on a remote host with timestamps including your shell histories (which didn’t have timestamps natively). That software was partially outsourced to a renowned “InfoSec luminary” who had it developed by one of his interns on a compromised .edu machine and later essentially stole the software after RSI imploded. But that story is for another day because it isn’t part of the zero-day world, it’s part of the Charlatan and Errata world.

One thing RSI had of real value was the vulnerability database that I had been maintaining since 1993. It was first maintained for the hacker group I was part of (TNo), where it was originated by other members. When I took over maintaining it I worked on further organizing it, adding several points of metadata, and expanding it. After that group drifted apart I kept maintaining it while a member of w00w00 and honorary member of ADM, where I brokered some trades. I did not maintain the databases for either of those groups, which were separate from mine, but I was privy to some of their exploits and shared some of what I had. Members from both groups would frequently ask me to check my database for exploits specific to an operating system or service they were targeting, as this was before Google, and Yahoo! didn’t aggregate much in the big picture. Even though a majority of vulnerabilities were posted to Bugtraq, you couldn’t just skim it quickly to determine what was there that you could use for your purpose. Someone that had them all sorted in a database with metadata was fairly valuable. To this day, many friends and colleagues still ask me to do vulnerability lookups, now with VulnDB.

Throughout my hacker days I maintained that database, and then continued to as I transitioned into a career doing penetration testing. Like Perlroth documents in her book about the early days of iDefense and the outfit that “Sabien” worked for, we all scoured Bugtraq for our information primarily. I had the benefit of several circles of hackers and hackers-turned-legit that still traded vulnerability intelligence (vuln intel). This was essentially the grey market back when the currency was still vuln intel, not those duffels of cash. By that point, the database that RSI had was unparalleled in the commercial world. It was initially created before, and maintained during, Fyodor’s Exploit World and Ken Williams’ Packetstorm. The RSI database came before the ISS X-Force database, before BID, before NIST’s ICAT Metabase, and before MITRE’s CVE. More importantly, it was heavy on exploit code but light on proper descriptions or solutions, so it was geared toward penetration testing and compromising machines rather than mature vulnerability intelligence.

As RSI struggled to get penetration testing gigs and opted to work on the “Secure Remote Streaming” (SRS) product, we had taken a trip to Atlanta to talk to ISS about selling a copy of our database to their relatively new X-Force penetration testing team (I forgot who we met there, but I would love to remember!). That deal did not happen and we soon found ourselves in talks with George Kurtz at Ernst & Young, one of the ‘Big 5’. While most or all of the ‘Big 5’ had penetration testing teams, their reputation wasn’t the best at the time. That was primarily due to their testers frequently being traditional auditors turned penetration testers, rather than ‘real’ testers, someone who came up through the hacking ranks.

It is also important to remind everyone that back then these companies “did not hire hackers”. They literally printed it in advertisements as a selling point that they did not hire and would not consort with so-called black hats. This was almost always an outright lie. Either the company knew the background of their team and lied, or they did not know the background and conveniently overlooked that their employees had zero experience on their resume around that skillset, yet magically were badass testers. Years of companies claiming this also led to what we see now, where many security professionals from that time still refuse to admit they used to hack illegally, even 25 years later.

Anyway, back to George and E&Y. It made sense that a shop like that would want to get their hands on RSI’s database. If their testers were primarily from the auditor / bean-counter side of things they would not have had their own solid database. Even if they had hackers, it didn’t mean they came with the same vuln intel we had. As best I recall, the negotiations went back and forth for a couple weeks and we settled on a one-time sale of the RSI database for $75,000 with the option to revisit selling ‘updates’ to it as we continued to maintain it. I believe this would have become the first commercial vulnerability intelligence feed at the time, in early 1999. Then, disaster.

The FBI raided the offices of RSI, which was my apartment. At the time that was a death sentence to a penetration tester’s career. Regardless of guilt, the optics were those of black hat / criminal hacking, and finding someone to trust you to break into their systems was not happening. RSI dissolved and I found myself struggling to find work of any kind. So I reached back out to George about the deal we had on the table that we were close to signing and said I was fine with the price, let’s do it. Suddenly, Kurtz had a change of heart.

He didn’t have a change of heart as far as doing the deal; his change was in the price. Instead of $75,000 he came back and said we could do the deal for $25,000 instead, just a third of what we had agreed to. He knew I was in a tight spot and needed the money and he took full advantage of that. This is someone who had a reputation of being a friend to hackers, someone that had bridged the gap between the business world and hackers to put together a reputable team at E&Y. He even had his name on a book about penetration testing, co-authored with names other hackers recognized. He was also very explicit that he knew I had no real power at that point and refused to budge on his one-third offer.

So when he had a chance to honor the deal we originally worked on, a chance to be a friend to a hacker, at no expense of his own? He opted to screw me. Since I was out of options and my limited savings were dwindling I had to accept the offer. That takes me full circle, via a meandering path I know, to likely making one of the largest vulnerability sales at the time. While it wasn’t a single exploit, a $25k deal that was originally set to be $75k is pretty impressive for the time. If RSI had made it, odds are we would have become a software (SRS) and vulnerability intelligence shop rather than a penetration testing shop.

We were already doing many of the things Perlroth describes about the early days of iDefense and “Sabien’s” shop. With a lot fewer people than they claimed, but we were aggregating information from Bugtraq and other sources, writing exploits for some of the vulnerabilities, and then we began to try to sell that information. I guess it isn’t a big surprise I ended up in the vulnerability intelligence business eventually.

January 2021 Reviews

[A summary of my movie and TV reviews from last month, posted to Attrition.org, mixed in with other reviews.]


Soul (2020)
Medium: Movie (Disney)
Rating: 5/5 movie and music magic
Reference(s): IMDB Listing || Disney
Disney knows how to do modern cartoons and this is no exception. The story follows Joe, a school band teacher who seems to have lost his way. As he sees a spark of passion in one student’s musical ability and then lands the gig of his life, he has a mishap and finds himself at the pearly gates but refuses to accept that fate. In limbo Joe runs into an odd one known as “22” and finds himself on an adventure to help 22 find a spark so that they can live a life on earth. The movie has a great stride and flows very well with an amazing cast of vocal talent as well as some incredible music by an unlikely trio, Trent Reznor and Atticus Ross for the original score and John Batiste with original jazz songs. The movie brings the laughs and the feels and is perfect for all ages.


Kajillionaire (2020)
Medium: Movie (Netflix)
Rating: 4.5/5 stick with it
Reference(s): IMDB Listing || Amazon
This quirky movie is billed as a Crime/Drama but as far as modern movies go, that is about the farthest thing from what it really is. It’s more of a slow-play dry commentary on the nature of humans and how odd we can be, with a splash of low-end grifting, wrapped into a family-dynamic sleeper hit that also moonlights as a love-story. For me, it started out slow and confused as I couldn’t figure out what type of movie it was. About half-way through I was hooked as I realized it wasn’t trying to be any specific genre; it just did its thing with Evan Rachel Wood stealing the show. If you dig on off-the-beaten-path flicks, this one is worth a go.


Greenland (2020)
Medium: Movie (Multiple)
Rating: 2/5 the title is the most redeeming quality
Reference(s): IMDB Listing || Amazon
It must have been a few years since the last earth-snuffing porn, as we tend to get one movie like that every so often, although more recently in the form of plagues and zombies. Gerard Butler and end of the world pretty much tells you what you need to know about this movie. All the stereotypical things from this genre of movie too; poorly manufactured explosions to tide you over before the real city-snuffing comes, impromptu gangs that make no sense, cell service outages for plot advancement, and really bad dialogue snippets. I definitely feel like I watched this so you wouldn’t have to.


Lupin, Part 1 (2020)
Medium: TV (Netflix)
Rating: 3.9/5 pas une série de braquages
Reference(s): IMDB Listing || Netflix
This 10 episode series is described as “inspired by the adventures of Arsène Lupin, gentleman thief Assane Diop sets out to avenge his father for an injustice inflicted by a wealthy family”. The first episode of five in part one sets the stage of a master thief and the heist of a 20-million dollar piece of jewelry. Unfortunately, we quickly learn that the main character is not really a master thief. While he has skill in makeup, blending in, and pickpocketing, there are no other grand heists involved. Instead, it becomes more of a drama around avenging his father’s death with the thief / con man / grifter components as a side piece to facilitate the main story. Overall it is fairly entertaining but entirely too predictable and not very thought-provoking. Great for falling asleep to.


News of the World (2020)
Medium: Movie (Multiple)
Rating: 3.5/5 bit of a slow read
Reference(s): IMDB Listing || Amazon
We follow Captain Kidd (Tom Hanks) as he travels from town to town reading the “news of the world”. Along the way he encounters a young girl, Johanna, played by Helena Zengel, who has grown up in an Indian tribe that was decimated by whites and speaks no English. Kidd decides to take her to the family she was going to before becoming stranded, and the story progresses. Given the movie stars Hanks and is a period piece, I expected an amazing movie. Unfortunately it just didn’t come together and became disjointed the farther it went. At almost two hours it still felt like parts ended up on the cutting room floor that might have tied some of the beginning to the end better. Worth a watch, wait for it to hit Netflix.


Freaks (2018)
Medium: Movie (Netflix)
Rating: 4/5 every single character is a freak
Reference(s): IMDB Listing || Netflix
This Canadian-made super-(anti)-hero movie is a different style than many movies of the genre. It starts out a bit slow and leaves you wondering what is happening and some of those questions go unanswered until very late in the movie. But it has a good slow buildup, good casting, a simple premise, and a solid conclusion. Slightly dystopian where anyone with any power is labeled a ‘freak’ and hunted by the government. This movie doesn’t spoon feed you a simple person with powers like most mainstream films of the sort. Worth a watch.


Joker (2019)
Medium: Movie (HBO Max)
Rating: 5/5 he’ll laugh, you’ll laugh
Reference(s): IMDB Listing || Amazon
I saw this in theaters, you know, just before the society-crippling pandemic robbed us of basic joys. I left the theater confused, not sure if I really liked the movie or really didn’t. By that night, after a discussion with Lyger, I realized that I really liked it. I re-watched it recently and still really enjoy it. The biggest factor is that it is a complete break from the DC universe as far as style goes. While we have seen Batman’s origin story, in one form or another, many times over, the villain’s origin stories are often relegated to fairly quick scenes (Suicide Squad) or not explored (The Dark Knight). Having an entire movie to see how Todd Phillips’ envisioned this iconic villain’s origin was worth the adventure. This movie leans a bit toward Nolan’s Batman trilogy as far as feel and is the polar opposite of other DC offerings like Superman, Wonder Woman, or Aquaman. Forget the DC universe when you go into this, just focus on this movie and Phoenix’s incredible portrayal of Joker.


Aquaman (2018)
Medium: Movie (Multiple)
Rating: 0.5/5 this movie s(t)inks
Reference(s): IMDB Listing || Amazon
For some reason, DC Comics has a problem making good movies with few exceptions, and this isn’t Nolan’s Batman or Wonder Woman. Instead, Aquaman had the feel of a franchise desperate to create the feel of a Marvel Universe movie. Every single thing was predictable, cliché, and boring. “There’s too many casualties!” But let’s stop for a sloppy wet kiss of course. Seriously, we need a new word for “overdone movie cliché”. They tried to make this by loading it with big names but as we often see, put that many big names together and they still can’t save a movie. Skip this, take a bath instead.


Prospect (2018)
Medium: Movie (Netflix)
Rating: 4.5/5 I dig it
Reference(s): IMDB Listing || Netflix
A sci-fi movie I hadn’t heard of that turned out pretty damn good, what gives? Oh, Pedro Pascal is in it and he has enjoyed a little attention recently. This movie has a small cast set on some distant world where brave adventurers go to prospect a part of an alien life form that requires some skill and finesse rather than brute strength. When a father / daughter duo touch down chasing the ultimate score, things go sideways. The movie is more of a thriller and sci-fi a vehicle to deliver the underlying story, which is compelling and well-done. If you can look past a few simple plot holes, you may find this movie really enjoyable like I did.


Rememory (2017)
Medium: Movie (Netflix)
Rating: 3.5/5 A bit forgettable
Reference(s): IMDB Listing || Amazon
Sam, the main character played by Peter Dinklage, injects himself into the life of a brilliant scientist who is brilliant, and the movie makes sure you know he is brilliant. The science is being able to record and playback memories, ala Strange Days. But for some reason Sam plays back mostly on a tiny screen in a briefcase that is the device. Anyway, he ends up in the middle of the life and murder of this scientist and decides to find out who did it, with this new technology being the central piece of the story. Ultimately, the movie has some neat ideas, good acting, but just falls short as it all doesn’t fully come together. It’s the kind where you can’t quite put your finger on it but just know something was lacking.

December 2020 Reviews

[A summary of my movie and TV reviews from last month, posted to Attrition.org, mixed in with other reviews.]


The Queen’s Gambit (2020)
Rating: 5/5 check it out mate
Reference(s): IMDB Listing || Netflix
This miniseries, based on a 1983 book with the same name, is a fictional story about a chess prodigy turned master. It has the feeling of a real story and the producing, sets, and acting strongly lend to this. The main character, played by Anya Taylor-Joy, does an epic job playing a character who has personality quirks and addiction issues. The story is set many decades ago and gives a good reminder of the expectations about women in society. While chess may not seem to be a good basis for a fast-paced drama, the series does a wonderful job maintaining a good pace. I highly recommend this series for everyone.


Tenet (2020)
Rating: 5/5 – Action-packed mind-fuck
Reference(s): IMDB Listing
OK, you have to see Tenet. I think I liked it a lot? But I won’t be sure until I see it a second time. At least. Maybe a third time? It is a very cerebral movie and it makes Inception look like a cartoon in some ways. There are several layers and I think on a second watch I will probably notice a lot of things that would have helped me keep up and understand along the way the first time through. Things that are better revealed toward the end as the movie progresses and evolves will potentially make it more enjoyable the second time around. Very neat movie; great casting, great acting, and it really draws you in.


Ted Lasso (2020) [Apple TV]
Rating: 5/5 better than a biscuit, which is a cookie
Reference(s): IMDB Listing || Apple
This comedy from Apple TV stars Jason Sudeikis as “Ted Lasso”, an American football coach recruited to coach a British football (soccer) team. It’s basically Gomer Pyle (Lasso) meets Major League (plot) to start and it delivers. Sudeikis does a wonderful job playing the always upbeat transplant assisted by coach Beard (Brendan Hunt) as they are immersed in a new culture and new sport at the same time. It’s not a sports show at all, it’s just about the people and interactions with goofy analogies and quick wit. Very light and well-done comedy, worth the watch.


Devs (2020) [Hulu]
Rating: 4.9/5 I have seen what perfection has wrought
Reference(s): IMDB Listing || Amazon
You think you have seen interesting or compelling tech company drama? You haven’t until you watch this, and you will. You will understand the concept of quantum computing before you start the show and you will embrace the many-worlds theory. You find this review confusing now but it will become clear, until it doesn’t again. And then you will find yourself the god in the machine while you ponder the implications of when computing power goes too far. You will then enjoy your new state of enlightenment and make better choices.

Described as a drama/thriller when mindfuck is more apt. This show does a great job of making you think about serious implications that quantum computing could bring. While it is certainly sci-fi in the level of computing power suggested, it creates a nice vehicle to let us have a glimpse into what “quantum supremacy” might mean.


Marauders (2016)
Rating: 4.5/5 But I’m a sucker for heist flicks
Reference(s): IMDB Listing || Amazon
Bruce Willis, Christopher Meloni, and Dave Bautista in a cops and robbers movie and somehow I completely missed this movie existed until I saw it on a Netflix scroll?! As a fan of the genre and generally not too critical of such movies, this one was surprisingly good. None of the acting stood out particularly but none of it was bad. A couple extra decent actors and the movie came together pretty well. Until halfway through I was wondering which way it would go as far as the “who done it” goes. The ending? Not how I would have played it out. If you like the genre, it’s worth a watch.


Fatman (2020)
Rating: 4/5 who let him make movies again?
This movie is a light-hearted take on Christmas and the failures of Santa, at least through the eyes of Walter Goggins’ character. This is kind of a comeback movie for Mel Gibson after his numerous personal failures, some that make it ironic with him playing a very Christian character while personally being a drunk and hating Jews / black people. Gibson’s last bit makes it all the more surprising that the amazing Marianne Jean-Baptiste would sign on to play his wife, giving a modern interracial Claus family. Really surprising that despite his history his career freeze has “thawed”, as they say in the industry, and that he is being given a second chance. While he can be a great actor, essentially bringing the same character “Porter” from Payback (1999) to play Santa, I have to wonder: is Hollywood so hurting for actors that they would accept him back after his sordid history?

Oh sorry, enough of that shitbag that can act well. Fun movie, two great actors as main characters, fun and simple story, it really brings the true spirit of Christmas in my eyes. Think [generic assassin movie] + Toys + [cynical Christmas movie] and you know what you are in for. Worth a watch, but don’t pay for it, which shows support for Gibson. Find another way to watch it for free and then find a way to support Baptiste and Goggins directly instead. Did I mention fuck Gibson?


The Midnight Sky (2020)
Rating: 2.5/5 The movie belongs on a fiery earth
Reference(s): IMDB Listing || Netflix
Based on a book I didn’t read, this movie adaptation brings some star power with Felicity Jones and George Clooney. Without spoiling, the movie screamed “this is not what it seems” from the beginning so the ending was not as impactful as it could have been. Earth on fire and nearly uninhabitable? Sure! A two (?!) year voyage to the nearest habitable planet outside the solar system? OK! Man losing supplies then falling into arctic water and surviving? Prepare to suspend disbelief in the worst way. Overall, I suspect this is a case where the movie just didn’t do the book justice and fell short.

[Update: @_pronto_ pointed out they traveled to a moon of Jupiter, not outside the solar system. But still, a new moon of Jupiter that we didn’t know about is a viable alternative to Earth and Mars apparently isn’t?]


2067 (2020)
Rating: 2.5 / 5 – Science friction is more like it
Reference(s): IMDB Listing
For fans of the sci-fi genre, I don’t know if I should recommend 2067 or not. On one hand I like near-term sci-fi and I like dystopian films, which this offers both of. On the other, there are quite a few annoying bits about this, primarily the cast. I didn’t give two shits about anyone and most were annoying enough that I wanted them to die. Throw in a couple completely illogical things to advance the plot, a sign of bad writing in my opinion, and it just didn’t mesh well. It was good enough that, a ways in, I was willing to stick with it just to see how it ended. Recommend for watching while working, doing a puzzle, or falling asleep to.


The Jesus Rolls (2019)
Rating: 2/5 between 7-10p split, don’t watch
Reference(s): IMDB Listing || Amazon
Did you know there was a spin-off to The Big Lebowski? Neither did I until recently. It follows a brief part of Jesus’ life, but not really his life bowling unfortunately. This is basically the story of two hapless and idiot guys on the lowest-end crime spree you can imagine. The humor is also some of the lowest-end too; there wasn’t that much to laugh about as the bit comedy was lacking overall. I’d pass on this and re-watch the dude. On the upside, we do learn the story behind the sex offender registry.


War Inc (2008)
Rating: 1/5 Disown the “spiritual cousin”
Reference(s): IMDB Listing || Amazon
John Cusack plays an assassin in this movie co-starring Joan Cusack and Dan Aykroyd … no, he does in this movie too. According to Wikipedia, Joan Cusack said, “.. in a way, it was a Grosse Pointe Blank 2” while John Cusack said it was a “spiritual cousin to Grosse Pointe Blank”. Sure, I can see that but it isn’t nearly as amusing. Intended to be political comedy & commentary (comedary?) it comes across as a cliché to other cliché films while borrowing from characters from the prior film. Rather than go with more subdued humor around a military presence in a fictional Middle Eastern country, they opted to go over-the-top and it really detracted from the potential. Skip this, (re)watch GPB instead.

Review Player Two

TL;DR

Ready Player Two is an enjoyable read that keeps the spirit and overall feel of the first book, with a few chapters in the middle that are a bit difficult to slog through. Worth a read though.

Summary

Ready Player Two is the aptly named sequel to Ready Player One. It picks up shortly after the end of the first book with four heroes ‘enjoying’ their lives to varying degrees, now as owners of the corporation that controls the OASIS. Similar to the first book, the sequel takes us on a new journey through an epic quest with even higher stakes. Instead of three gates now we’re faced with finding seven shards, each tied to a planet within the OASIS.

The main character and hero of the first book, Wade Watts, can’t find the first of seven shards and ends up paying someone a billion dollars for instructions to find it. The second comes after playing the ‘Sega Ninja’ arcade game in a specific place and completing the entire game. That takes us to the planet Shermer, a tribute to all things John Hughes. For this shard, rather than feeling like I was reading a well-written book, it felt more like reading a Wikipedia page with a vague plot instead. Factoid after factoid about John Hughes, his movies, characters in the movies, alternate scripts to the movies, and a lot of other pedantic details made for a poorly conceived chapter.

The third shard takes us to Halcydonia, a planet designed to provide free education to any child in the world. After a lot of words for perhaps the easiest quest, the fourth shard bears the symbol of Prince and leads us to a planet ‘named’ in the same fashion. This becomes yet another Wikipedia page thinly disguised as a book chapter and bogs down the flow of the book. Even worse, the Prince quest drags on for several chapters. After an interesting battle with seven iterations of Prince, the next quest takes us into the world of Tolkien but not the more mainstream literature like the Hobbit or Lord of the Rings. With six shards in hand, Wade uses them to create the seventh shard and the actual plot continues. From here the rest of the story unfolds rapidly and is considerably more enjoyable.

Criticism

The books are set in the year 2045 and focused heavily on ‘retro’ culture, meaning we readers are well versed on many of the cultural aspects of the story like John Hughes, arcade games, Prince, and Tolkien. Since the story is set more than 20 years in the future, we’re given a good description of the technology that makes it possible and the state of the world. What is completely missing is any notion of anything cultural between the death of Prince and the time of the story. While I wouldn’t necessarily want to get distracted with a shard quest centered on a fictional piece of culture, I think the author has the writing chops to do exactly that and make it interesting, but does not.

Cline has been praised for his depiction of gender and sexuality in the book, and he deserves some credit for sure. During that bit, Wade tells us that with the new technology he had experienced sex as and with different genders and orientations. Cline should have had Wade realize he is pansexual after his admitted experiences having sex with and as different genders. But that little bit about the technology’s ability to let one experience sex differently is mostly relegated to one page of one chapter and ultimately, the book falls on some common stereotypes in my eyes. The white girl knows all about John Hughes movies. The black girl knows all about Prince. The white boy and white girl know all about Tolkien. The Japanese boy knows the Japanese video game. Every main character has a hetero orientation except Aech, a lesbian. The only other character that suggests a different orientation, L0hengrin, is quickly glossed over. Even worse, she is potentially the most interesting new character of the entire book but is quickly put out of mind and used as a plot advancement point later with little fanfare.

Finally, while I really enjoy most of Cline’s writing style, there are small parts of the book that seem to break from the style of the first book and instead, are written as if they are lines from a movie script. In the board room when the four heroes meet the Low Five, they “run over to” greet them. In a board room with 10 people in it, there isn’t room to ‘run’. The main characters are treated as gods in the OASIS essentially, yet act like starry-eyed fans of someone that has already been written as a starry-eyed fan of them. This single scene had so many disconnects in my mind it stood out and made me wonder if Cline got distracted with notions of what the movie will look like.

Reference: Ready Player Two on Wikipedia.

Review: Kusters Yakuza

I don’t review books that often, especially not recently. While I read my share, they usually end up as side discussions with friends or a quick comment on Facebook. One topic that has always fascinated me is the Yakuza. I’ve read a variety of books on the subject over the years, including Confessions of a Yakuza: A Life in Japan’s Underworld, Tokyo Underworld: The Fast Times and Hard Life of an American Gangster in Japan, Yakuza Diary: Doing Time in the Japanese Underworld, and Tokyo Vice: An American Reporter on the Police Beat in Japan among others. One thing these books don’t come with is pictures. No surprise there, while the Yakuza is hardly a secret, their circles are of course closed.

A couple years ago I saw a post about a new coffee table photography book coming out, depicting the Yakuza. Reading the photographer/author description made it sound incredible:

YAKUZA is a personal visual account of the life inside an inaccessible subculture: a traditional Japanese crime family that controls the streets of Kabukicho, in the heart of Tokyo, Japan.

Through 10 months of negotiations with the Shinseikai, my brother Malik and I became one of the only westerners ever to be granted this kind of access to the closed world of Japanese organized crime.

With a mix of photography, film, writing and graphic design, I try to share not only their complex relationship to Japanese society, but also to show the personal struggle of being forced to live in two different worlds at the same time; worlds that often have conflicting morals and values. It turns out not to be a simple ‘black’ versus ‘white’ relationship, but most definitely one with many, many, many shades of grey.

“A visual account” – “10 months of negotiations to be able to take the pictures” – “One of the only westerners to be granted this access” ... How could that be bad?! Of course I purchased the book, for something close to $50. I figured a unique look into Yakuza life was well worth that price. Disclaimer: I appreciate artistic photographs. That includes questionable focus, perspective shots, and more. I get that each picture has more meaning to the photographer, and that it doesn’t always translate. The five minutes leading up to the picture may carry a world of context lost to the subsequent viewer, but captured entirely in the eyes of the shooter.

However, when I finally received the book and flipped through it, I was disappointed. 197 pages of pictures (several being one picture across two pages), but almost no feeling that Kusters had more than casual access to the family he was with. Below is a list of my descriptions of the pictures in the first half of the book. To emphasize the lack of content, I will italicize where a picture is blurry, and underline where there is any hint that the Yakuza are involved.

16: Blank (small text describing next page)
17: Full page picture of calligraphy “jump”
18-19: Distant shot of city/neighborhood
20-21: Random Tokyo block
22-23: Blurry shot of rain on window
24-25: Slightly blurry picture of 3 men in suits
26-27: Paper lantern
28-29: Cabinet in abandoned? building
30-31: Close-up through window of man driving car
32: Blank (small text describing next page)
33: Full page picture of calligraphy “learn”
34: Leather jacket clad shoulder/back of a man
35: Back of man in suit at security-laden door
36: Picture of security monitor, with leather jacket clad man on it
37: Japanese writing on wood wall
38-39: Intricate sealed letter in offered hand
40-41: Three men in restaurant, looking serious
42-43: Drinks and cigarette pack on restaurant table
44-45: Three men in suits waiting outside building
46-47: Slightly blurry picture of ~ 8 men walking down street, odd angle doesn’t show much of them
48: Blank (small text describing next page)
49: Full page picture of calligraphy “boss”
50-51: Slightly blurry picture of random highway
52-53: Close-up of chest and face of man in suit, sitting in car
54-55: Picture of highway signs
56-57: Nice park, tiny silhouette of man
58-59: Outdoor shot, slightly blurry man in lower corner on phone
60-61: Paper with Japanese writing and picture of a Federal Bureau of Prisons Inmate ID of Yoshimura Mitsuo
62-63: Random city block, group of men walking away
64: Blank (small text describing next page)
65: Full page picture of calligraphy “belong”
66-67: One blurry man, one more clear man, waiting by car
68-69: Close-up of heavily tattooed hands, one pinkie missing
70-71: Several paper lanterns
72-73: Blurry shot of three figures in a car
74-75: Blurry shot of landscape, perhaps out of moving car
76-77: Three cars outside of a residence?
78-79: Eight men seated around table
80: Blank (small text describing next page)
81: Full page picture of calligraphy “training”
82-83: Two men sparring in Karate, several sitting on floor around them
84-85: Four silhouettes sitting under beach umbrellas
86-87: Two men on beach swinging baseball bats
88-89: Man sitting on floor of residence (no ink on arms or visible chest)
90-91: Close-up of man practicing knife fighting
92-93: Four men drinking
94-95: Blurry shot of man walking into building at night
96: Blank (small text describing next page)
97: Full page picture of calligraphy “the way of the cherry blossom”
98-99: Lace window coverings
100-101: Blurry shot of building in distance
102-103: Close-up of two men, possibly in gym locker room
104-105: Very blurry shot of 3 men bathing, post gym?
106-107: Picture of dozens of men sitting on beach facing water
108-109: Blurry shot outside back of train window
110-111: Man with raised shirt, showing 1 tattoo on chest

In the first half of the book, there are only 44 total pictures. Of those, 12 are blurry and only 14 (some of them blurry) could be argued to be Yakuza-related pictures. That is not what was advertised by any means, and the rest of the book does not take a sudden turn for the better. In short, steer clear of this book.

Concert Review: Citizen Cope

Tonight I saw Citizen Cope for the first of two shows at the Ogden Theatre here in Denver. I’ve become a fan over the last two or so years. Something about the songs appeals to me on several levels, leading me to believe that the singer (Clarence Greenwood) is passionate about his music.

In person, it certainly seems as if he is as into his music as the crowd is. Most of the songs are performed with his eyes closed (or mostly so), with hand gestures and dancing around that show his passion. At times, he is almost awkward with his movements, giving me the impression that he is desperate to share his music while also keeping pieces of it close to him. Incredibly thankful, he clearly appreciates his audience and performs for them. Watch Greenwood compared to more mainstream acts and you really see the distinction between a musician and an industry-generated puppet singing as a business.

The show started a bit late, but ran a full two hours and then some. With one encore, Citizen Cope played more than 15 songs with some extended versions of the songs that you’d only hear in concert. For about $30, this was exactly the kind of concert I love; great music, small venue, long set and a crowd that was as into it as the band. Even the older lady behind me who had never heard one of their songs until this concert couldn’t help but dance to the music.

No opening band, so people were inside early and not waiting in a line outside. The music playing before Citizen Cope took the stage was good. A lot of songs I don’t think I’ve heard, including a few that had half the audience singing along. I heard one really good song with a female vocalist. While I heard some of the lyrics, it is extremely difficult to remember them through a two hour concert of a different band. Doh!

The Ogden is a pretty small venue. I try to get a railing spot on the first level above the pit, as you are eye level with the performer’s knees, but only 25 feet away at most. It gives the feeling of a very personal and up-close concert.

While waiting, a few drunk girls in front of me in the pit were amusing. One made me and the two guys next to me all promise not to ‘roofie her’. Apparently she had a bad experience with being slipped a roofie at a Wu-tang concert ten years ago. I promised, and kept my word.

The amount of pot being smoked at the concert was humorous. The three or four girls waving their bras all concert was silly.

Dancing for almost two hours was great, but my feet will regret it tomorrow no doubt.

Book Review: Photomosaics

Many years ago I grabbed books on various alternative art styles. One of the books, new and exciting at the time (think 10 years ago), was on photomosaics. In short, art made by computer that creates a montage of other images. One thousand images of donkeys can be used to make a picture of George Bush, for example. One key point here is that they are computer generated. Some fancy algorithm determines the color of each image and makes it fit into a larger picture.

So I finally ended up reading “Photomosaics” by Robert Silvers and Michael Hawley (Silvers invented the concept/art style). Interesting enough read but very shallow, not really diving into the technical aspects of how it’s done. I was ready to pass the book on and mostly forget about it until the last page, which included a small plastic magnifying glass so you could examine each small picture that makes up the larger image.

Uh, why? Looking at half centimeter images of stock photography is going to somehow give me insight into the artist or the picture? Please, don’t flatter yourself. Call me petty, call me weird, but that is the silliest thing I have seen in a while.

Review: High-Tech Crimes Revealed

High-Tech Crimes Revealed
Cyberwar Stories from the Digital Front
Steven Branigan
ISBN: 0-321-21873-6
Addison-Wesley, Copyright 2005

I found this book just after Christmas (Dec 2005) and grabbed it hoping for a decent read about computer crimes and sociology, backed by real world experience and first hand tales from the ‘digital front’. Instead, I got the worst collection of naïve and inexperienced crap I have read in a long time. After paying money for this book, I feel as if I have fallen victim to a lame phishing scam. It is important to note that this book is copyright 2005, and says the first printing was in August 2004. It puts the entire book into perspective and quickly makes you question the author’s credentials. In fact, if this book wasn’t written in the mid to late 90’s, shelved for almost ten years, and eventually printed, then Branigan should never claim any affiliation with the computer security industry/community.

Chapter 1 starts out covering “An Attack on the Telephone Network” by giving us the oldest, most sanitized and high level story you can imagine. The information presented, the wording and the terminology suggest the incident happened in 1995. Hoping for a slow start and a sharp curve for subsequent chapters, I kept reading. Chapter 2 covers “An Attack on an ISP” with another story from the author, supposedly based on ‘first hand’ experience in the case. Following the attacker between machines and trying to use this story as a way to teach us about high tech crimes is weak. The story makes it sound as if Branigan is completely new to the net and related technology. The writing is that of a rookie journalist given his first story that isn’t about a pig manure farm. The story is dumbed down and sanitized beyond belief, passing for the sample crimes used in computer security classes ten years ago.

Chapter 3 brings on a new story called “If He Had Just Paid the Rent”. After the first two chapters, I was completely discouraged and this chapter didn’t help one bit. Yet another story from around 1995, and one that I think is more fiction than fact. According to Branigan, in 1996 police officers couldn’t tell the difference between a TV and a computer monitor, and actually thought they were “evidence of a crime”. If they didn’t know what a Sun monitor was, how would they know the computers were “potentially evidence of a crime”? Why were a couple of networked computers “out of place” to the cops in this story? In fact, how would these cops even know whether two computers with wires between them were or were not suspect? At the beginning of the story, the computers were described as “state of the art sun SPARC stations”. By the end of the story (five years later), Branigan tries to tell us that “none of the agents remembered how to operate such an ancient computer”. The holes in his story are as numerous as his references to Sendmail being the favorite attack of hackers. If you think I am exaggerating this, you can read the entire chapter online for yourself.

Chapter 4 continues the misery with “Inside a Hacker Sting Operation…” The best quote of this chapter is when he mentions NetStumbler and adds a footnote: “NetStumbler is freeware. Why people write these things, nobody knows…” Nobody?! Branigan has supposedly been around for ten years, professes to have a clue about hackers and how they operate, consults for law enforcement, and says something so ridiculous? The core of this chapter revolves around the story of the Celco51 BBS, set up by federal agents to monitor cellular hacking at the time. Yes, another story from 1995 that is heavily sanitized and written by someone that doesn’t appear to have been involved in the operation. Branigan specifically says “[Susan] did not want to put the government in a potentially embarrassing position of knowingly facilitating the transmission of hacking tools” and “Fortunately, none of the hackers noticed that the tools were broken before the sting operation ended.” Branigan either wasn’t involved, is covering for some of the activity that really occurred, or is not competent enough to factually say this. Celco51 offered working hacking tools and working ESN/MIN pairs.

Chapter 5 covers the hot topic of “Identity Theft”, and is the first chapter that didn’t make my stomach turn. A high level look at identity theft, some basic statistics on crime related to it, general observations and solutions for the end user.

Chapter 6 moves to the sociology of hackers, “Let’s Ask the Hackers…” Most of the chapter revolves around Branigan’s chat with a hacker he calls ‘Bob’ and seems to have the utmost respect for (technically). Bob used his own session hijacking software (“a very difficult piece of software to write correctly”), and “had some of the earliest working copies of a buffer overflow attack that I had encountered”. This immediately calls the entire story into question since we’ve all seen a working overflow (ab)used in the Morris Worm (1988). Between 1988 and 1996, dozens more overflows had been discovered, exploit code written and eventually distributed. For Branigan’s hacker in this story to have some of the earliest working copies of overflow code, the events would have had to take place well before 1995, or Branigan wasn’t reading anything from the security community at the time.

Chapter 7 promised to be disgusting given Branigan’s previous comments showing disbelief that someone would actually write a program like NetStumbler. “Why Do Hackers Hack?” quickly starts out claiming “We do not know much about what makes a hacker do what he does.” The only good sign in this chapter is that the author finally moves out of the 90’s, and references a few cases of computer crime in the early 00’s. Chapter 8 is titled “Setting the Stage” and tries to give us a concise history of computing and how it led up to where we are now. The chapter is essentially worthless when it comes to explaining high-tech crimes. This is the type of material that many authors have given up on explaining, expecting their readers to know it or read it elsewhere.

Chapter 9 (“High-Tech Crime”), 10 (“What Not to Do”), 11 (“How to Run a High-Tech Case”) and 12 (“What We Have Learned”) stay on the path started in Chapter 8. While each section is related to high-tech crimes, they give no information to help “reveal” how it is carried out, or what is involved. It appears as if Branigan ran out of stories from the mid 90’s and couldn’t make up any new ones to hold our interest. The timeline on page 380 that lists some major computer crime incidents doesn’t go past 2002, further proving this book was outdated years before it was published.

Overall, this book does a horrible job ‘revealing’ high-tech crimes. The stories don’t come from the ‘digital front’; rather they come from fifth generation retellings originally based on a news article summing up a five year case. Branigan’s grasp of who hackers are and why they do what they do is non-existent. Everything he writes suggests he was involved in computer security and/or law enforcement for a very brief time, and brought in as a consultant because of an old boys’ network, not his technical expertise. His stories are devoid of any detail, even when they are clearly ten years old. Despite that, he still withholds details that would lend credibility and meaning, even when those same details have already been published extensively. If you want a book that really goes into detail and ‘reveals’ high-tech crime, check out The Art of Intrusion by Mitnick & Simon.


Other amusing quotes:

“The main set of backdoor programs for UNIX systems are collectively known as rootkit, and those for Windows-based systems are BackOrifice and Netbus.” – page 118

“Not ceasing to amaze me, Bob had some of the earlier working copies of a buffer overflow attack that I had encountered. This type of method had been discussed for a while, but many people thought that it was too complicated to be functional.” – page 175 (relating his conversation/investigation into a hacker he calls ‘Bob’)

“Why people write keygen software is not fully known, but it appears that the same things that motivate virus writers drive them.” – page 215

“We cannot yet predict who will hack and how they will do it, but we can use the position of a potential hacker relative to his or her target to determine the most likely intent of any attack.” – page 223

“This problem has improved over time, and sendmail is less insecure every day. (One day, sendmail might even become reasonably secure.)” – page 243

“The basic problem is a matter of trust, as sendmail believes the user will accurately reveal his identity in the message. The receiver of an email message has no way of ensuring that the sender is authentic, so we cannot and should not rely on the truthfulness of the sender of an email message.” – page 243

“I was working with a financial institution on a network security project recently. Having reviewed their network security, I was very impressed, because they clearly took it very seriously. [..] During the discussion, one of the network security technicians was lamenting the issues involved in cleaning up from the Melissa Virus. I was surprised; having no idea how the virus could have gotten into their network unless the virus writer was on staff, I had to ask. It turns out that the network got infected, because one of their employees had decided to use a non-standard email service that was against corporate policy.” (Melissa appeared in March, 1999, yet Branigan says he ‘recently’ worked on a project where this came up?) – page 250

“Firewalls are not capable of looking at the contents of email messages and thus cannot screen out email viruses. A pity! Therefore, the most effective method today for screening email messages for viruses is at the email gateway, the point where email enters and leaves a company. A virus scanner is simply a pattern-matching program, looking for signs of a virus in the contents of each mail message.” – page 253

“If you estimate that a criminal breaks into 100 computers on average, then there might be 54,000 hackers out there. Of course, let’s hope that the actual number is much less than that! (Of course, we would need to not count a virus attack as a break-in for this number to be at all meaningful….)” – page 264

“Computer hacking is a direct attack on a specific computer or group of computers. For these attacks, the script-kiddie is the most common hacker. A “script-kiddie” is a hacker with very little skill that uses commonly-available hacking tools to disrupt publicly-available computers and networks. The script-kiddie will attempt to hack as many computer systems as possible — without caring who the owner of the system is. For example, common script-kiddie tools such as probe and nmap quickly search for vulnerable computers on a network in a target area. Using these tools to search for vulnerable systems is similar to taking a water hose and randomly spraying — whatever you hit gets wet, whatever you miss stays dry, and a ton of people notice.” – page 273

Review: Computer Security for the Home and Small Office

[The date of publication is not known.]

Computer Security for the Home and Small Office
Thomas C. Greene
Paperback – 405 pages (2004)
$39.99 – Apress ISBN: 1-59059-316-2
[Full Disclosure: I have been quoted by Greene for past articles in a friendly/professional capacity. He has also written articles that were accusatory to me and attrition.org in the past. Translated: I owe him nothing.]

The first and most obvious question that will come to some people is where an alleged hack from The Register gets off writing a book on computer security. After reading the entire book, you’ll understand that his last five years covering computer security and playing Windows solitaire have paid off. Just as he writes his news material in an “irreverent editorial style”, so shall I in this quippy review.

Computer security isn’t just for hackers or professionals, it’s something every computer owner and operator should be aware of. When we read about the worm-of-the-week, it is infecting and compromising tens of thousands of machines, often owned by you, the end user. How are average computer users expected to protect their home systems when security is a discipline and a career? In the past, they were expected to read web sites, trust Microsoft and possibly struggle through an overly technical book detailing the ins and outs of firewalls or other security technology. Some books came out to address this issue but ended up being dull, covering the absolute basics while ignoring serious issues, or contained more errors than facts. After all this time, one book seems to be ideal for the everyday user, and ready to educate them on more than configuring a Windows machine or personal router.

Overall, the book favors the Windows end user in time spent explaining the gritty details of basic security. However, neophyte Linux users will be able to learn some of the basics as they apply to them, as Greene considers both platforms when dealing out information. Using plain wording unencumbered by superfluous jargon, the lessons you need are easy to understand, well organized and well written. Fortunately for you, the book was technically reviewed by Robert Slade before hitting the shelves, and it shows. It’s a pleasant change of pace reading a book without sighing in disgust every few pages when the author typically proves they are better off working at McDonalds. The Greene/Slade combination is definitely worthy of Subway.

The last third of the book moves beyond configuring your computer and delves into the single most important aspect of computer security: Common Sense and Awareness. Rather than continue on with tech tips, Greene opts to educate the end user about the security industry, which is a blessing in disguise. Later chapters warn you about FUD (Fear, Uncertainty and Doubt), how to avoid industry charlatans, and how to apply common sense toward keeping unwanted people out of your system.

Greene also delves into some of the great debates of our time, like open vs closed operating systems (Windows vs Linux). His journalistic experience shines through here and Greene delivers perhaps the single best summary of why Linux may be a better option for you than Windows. He dispels the myths that it is too complex and that it doesn’t run the programs you want, and lays out the shortcomings of Windows.

The last section covers a wide variety of topics that move beyond the personal computer and into daily life, as computers may affect you. This is a nice touch as a large part of the population doesn’t follow technology news despite the drastic effects it can have on your life. By understanding what is looming around the corner, you can better prepare for changes that affect the Internet, your computer, and your security.

No review is complete without a little criticism! The biggest complaint I can direct at this book is the practice of lengthy and largely worthless appendices. Starting on page 297 (Appendix B) and ending on page 392 (Appendix C), about half of the material would have been better left on Greene’s new website. Giving us long lists of trojan port numbers, for example, isn’t the most helpful thing you could have filled those pages with.

All in all, if you are an average Joe when it comes to computers and security, grab a copy of this book. It will help you learn what you need to know, and it will make you realize that security is more than tweaking options on a computer configuration screen. That lesson is still hard to teach to some so-called security professionals, but one you will learn rapidly with this book.

Review: Cyber Crime

[The date of publication is not known.]

Cyber Crime
How to Protect Yourself from Computer Criminals
Laura E. Quarantiello
0-936653-74-4, Tiare Publications/Limelight Books

Part One:

Chapter One – ‘Terrorism On Line: Inside Computer Crime’: Chapter one opens with defining computer crime, and does a decent (and fair) job of defining why hackers hack. “In the end, it all comes down to one of those six reasons.”

Chapter Two – ‘Computer Criminals and their Crimes: Digital Outlaws’: Starting out with ‘phreaking’, the author gives a brief history of hackers and the phone systems. Unfortunately, a serious lack of research shines through in this chapter, where a list of “phreaker boxes” is quoted. It has been well established that a majority of these boxes never worked, and were little more than wishful thinking by hackers with little knowledge of the phone system. The rest of the chapter delves into different aspects of hacking and how hackers evolved.

Chapter Three – ‘Cyber-Sneezes: Viruses’: As with most computer security books, this is the token chapter on computer viruses.

Chapter Four – ‘The Darkest Side to Computer Crime: Threats to Your Personal Safety and Property’: Chapter four begins by giving contrast between crime and virtual crime. One admirable feature is the clarification that not all online pedestrians will be mugged by cybercriminals. Unfortunately, a good portion of the chapter deals with ‘stalking’, pornography, and child pornography, which seems out of place in contrast with other sections.

Part Two:

Chapter Five – ‘Cyber Security: Foiling Computer Criminals and Staying Safe’: This chapter suffers from the problem of trying to squeeze too much information into a small space. Writing about how to secure your systems should take books. Starting out with the idea of numbered ‘weak links’, the list abruptly ends after two and moves into other non-numbered categories. While a decent effort, it brings its failure upon itself by trying.

Chapter Six – ‘Cyber-Cops: Walking the Digital Beat’: Much to the dismay of law enforcement, this chapter paints a relatively accurate picture of the state of computer crime and law enforcement’s ability to deal with it (considering when the book was written). Toward the end of the section, contact info for CERT and the advice to call the FBI is given: the exact organizations the author found lacking.

Overview: For a 100 page, 1 hour read, this book does a better than average job of portraying computer crime. Despite the handful of errors, the author gives a fair overview of computer crime, hackers, and law enforcement.