Aug 25 2014

An American in London

Published by under Family,Personal

Almost exactly a year ago my family and I moved from Northern California to 20 miles west of the capital of the United Kingdom, London.  It was the start of an adventure that’s exposed us to a new culture, cut us off from most of our friends and family and made massive changes to how we see the world.  We’ve had to make huge adjustments in our expectations, our lifestyle and how we drive, but my wife and I both think it’s been worth it.  The children seem to disagree, if you believe their loud and frequent complaints.  But these seem to be fewer and fewer as time goes by.

The first few weeks we were living in an apartment a few miles from where we live now.  It was a good landing spot while we waited for our shipment to arrive.  But being a family of four in a two bedroom apartment was its own special level of hell when you’re used to having a little privacy from time to time.    Thankfully our stuff arrived in fairly short order and we got to move into the house we’re living in now.  Everyone has their own space, though my wife spends most of her time in the kitchen or her office, while the kids spend theirs on the computer in the reception room we designated their office and I spend mine in an office that was converted from half the garage.  It’s a good house, about 100 yards from the station, with two trains an hour into London’s Waterloo station.

Learning to drive on the other side of the road wasn’t difficult and we’ve only made the mistake of driving on the right side of the road a few times each, thankfully in parking lots for the most part.  Getting used to roundabouts was more of a learning experience and I know I got honked at more than a few times that first month.  Now I’m fully adjusted and wondering why they’re being used so badly in the US, when they really do contribute to traffic flows when used properly.  The biggest problem I’ve had adjusting has been the bathrooms here, with the light switch on the outside, separate hot and cold water taps and toilets that just don’t seem to work as well as I’d like.  There’s also the shopping, but over the last year we’ve managed to decipher the English equivalent of American products, even if it doesn’t always look or feel exactly like we’re expecting.  There are a few products we still can’t get, like proper stuffing and chocolate chips.  But my occasional business travel to the US makes those limitations livable if we’re frugal in using our resources.

The children are the ones who’ve had the hardest time adjusting though.  School has been a step back for them, since the UK schools don’t seem to be equipped to deal with exceptional children and this has frustrated them greatly.  They miss their friends, which is sometimes harder because they can get on Skype and talk to them whenever their sleep patterns allow.  What they absolutely hate the most is when the wife and I say, “You’ll look back on this when you’re older and realize what a great opportunity it was.”  Tomorrow’s appreciation is for tomorrow, while today’s whining and complaining is for today.   What they don’t realize is that they’ve seen half a dozen countries in the last year, more than many Americans will ever see in their entire life.  I hope they don’t hate us too much until the light of appreciation dawns upon them.

This is the end of the first year in England, with at least two more to go, barring the unexpected.  We’re settled in as a family, I’m settling in more to the role I’ve chosen at work and at least the wife and I are glad we made the choice to leave the US and immigrate to England, at least temporarily.   We spent a week in December exploring Munich, my wife spent her 50th birthday visiting museums around Amsterdam and we took a train into London on Saturday to explore Brick Market and Old Spitalfield Market.  These are the kinds of experiences we came to Europe to have.  And this week we have both friends and family visiting from the States.  I hope I survive the experience.

We’ll always be outsiders in England.  But life here almost feels … normal.


Aug 24 2014

Last Hacker Standing – Vegas Recovery Edition, Episode 5

Published by under Podcast

“This is not the Last Hacker Standing: Episode IV – Part II Revenge of the @k8em0 that you’re looking for!”

To fill the void in your lives before we release the epic that is Episode IV Part II we got the crew together to chat about hacker summer camp and our personal recovery plans… In a break from the norm (not sure we have a norm yet, but I’m gonna stick with that) we chat randomly about BlackHat, BSidesLV, DEF CON and the burning hell that is Las Vegas.

You may also note that we’ve got an RSS feed now… and we’re also on the iTunes!

If you like the show, make sure to click the “5 stars” on iTunes so less educated people can find us too ;)

Enjoy!


Aug 21 2014

“I’m proud of my ignorance”

It’s true, we don’t want little things like experience and a broad knowledge of the landscape of technology getting in the way of our policy makers, now do we?  Or at least that seems to be the way US White House cybersecurity coordinator, Michael Daniel thinks.  Why get lost in an understanding of the big picture when you can make decisions based on the information fed to you by consultants and advisers with their own agendas to push?

In a way, I understand what Mr. Daniel’s point is; it’s very important for someone in his position to be able to understand the ins and outs of policy, perhaps at least as important as understanding the technology.  I wouldn’t want most of the people I see at Defcon or a BSides event making policy decisions; they don’t have the understanding of the long term consequences policy has on the wider world.  But by the same thought process, someone who doesn’t understand the deeper aspects of the underlying technologies he’s making decisions about can’t understand the long term consequences of his decisions either.  How can someone make informed decisions if they don’t understand the difference between a hashing algorithm and an encryption technology?

The cybersecurity coordinator role is a management role and most of us have worked with senior managers and C-level execs responsible for security with little or no security experience.  And we know how well that’s worked out.  In rare cases, you find a manager who knows how to listen to people and, perhaps more importantly, knows how to tell the difference between a trustworthy adviser and someone pushing their agenda forward without regard to the outcome.  Those people can be successful as non-technical managers of technical people.  But more often you get non-technical managers who don’t understand the landscape they’re expected to be responsible for, who don’t understand the decisions they’re being asked to make and who are easily led astray by those around them.  And having a non-technical manager with the understanding to communicate with the management team above them is nearly unheard of.

Willful ignorance is never a feature to be lauded or boasted about.  Being proud of your ignorance is a red flag, one that should be a warning to everyone around the individual that they are not currently mature enough for their position.  Better to say, “I’m ignorant, but I’m learning,” acknowledging that you know your limitations but are willing to overcome them, than to embrace your limitations and act like they’re really a strength.  Yes, your other experience can help you overcome the areas you’re lacking in, but you have to acknowledge the weakness and work to make yourself better.

As the Vox article points out, we’d never have a Surgeon General who didn’t have decades of experience in medicine, and we’d never allow an Attorney General who wasn’t a lawyer and hadn’t spent years in a courtroom.  So why are we allowing a person who couldn’t even qualify to take the CISSP test to advise the leaders of the United States on how to deal with information security issues?  Think about that for a moment: the person who’s advising the White House doesn’t have the experience necessary to apply for one of the starting rungs on the information security career ladder.  Scary.

Update:  You might also want to listen to the interview with Michael Daniel and the subsequent defense of his statement about his own ignorance.


Aug 20 2014

Heartbleed vs. Juniper

Published by under Firewall,Hacking,Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability.  The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated.  Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from a vulnerable server.  That portion of memory is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN.  From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months?  Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around.  And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.  

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.


Aug 19 2014

A swarm of cars

Published by under General,Risk

It’s a given that we will have ‘intelligence’ in our cars within the next decade.  Quite frankly, there’s no way it is avoidable, given the appetite of consumers for all things to be connected to the Internet and to each other.  In the case of cars, it actually makes sense for them to be talking to each other.  But there’s one question: what will the unintended consequences be?

Earlier this week the National Highway Traffic Safety Administration (NHTSA) revealed plans to implement vehicle to vehicle (V2V) communication technology that allows one car to communicate with another and transmit information about location, speed of travel and direction of travel.  Basically, 10 times a second a V2V car tells other V2V enabled cars its exact location, where it’s headed and how fast it’s getting there.  The theory is that this would enable your car to warn you when someone is going to run the red light in front of you or is merging onto the highway in an unsafe manner near you.  Presumably this would also integrate into smart car technologies, enabling them to better fend for themselves in high traffic conditions, since they’d no longer have to rely solely on their own sensors in the decision making process.

I have a host of security concerns about the idea of V2V cars, since most of the manufacturers who are creating the Internet of Things have shown that security is their last concern, if they even think about it at all.  I can imagine the V2V system being used to track individuals’ every movement in a way that makes Orwell’s 1984 look Utopian.  The privacy implications of having a car that’s constantly beaconing its location are pretty severe and in all likelihood the ability to track individual cars will be mandated by law. I can also imagine someone breaking into the communications systems to cause chaos, either by targeting an individual vehicle with false information or by disrupting a segment of the network that V2V relies on.  At least there is someone else who’s thinking about the security concerns of interconnected vehicles, namely I Am The Cavalry and their Five Star Automotive Cyber Safety Program.

But what I find interesting in relation to V2V is work that’s being done in swarm intelligence, as it relates to the idea of cars.  Researchers at the Harvard School of Engineering and Applied Sciences have developed a swarm of tiny robots that can self-organize into a number of shapes without needing a central controller to manage them.  The tiny robots, Kilobots, have very little intelligence (meaning computing power) individually and they don’t know much about their position compared to the whole of the swarm, yet they manage to communicate with their peers in order to create organized shapes when they receive a command from the researchers.  They know where they are in relation to the other robots near them and they use this information to figure out what their role should be in forming the shape requested, rather than having some sort of central program with an overview of the whole telling them what to do.

The swarm research that’s being done at Harvard is directly relatable to the V2V technology that the NHTSA is working on.  Even if there is never a centralized tracking program implemented with V2V (which I posit there will be, since it makes tracking easier for the government) there will be swarm behavior from these smart cars.  Swarm behavior already exists on our roads; it’s just that instead of a computer program making decisions, it’s human beings with limited awareness of the world around them.  We make the same sorts of decisions that V2V cars would be making constantly; we call it ‘driving’.  Most humans don’t have an overall view of the roads and what’s going on, though a lot of work has gone into developing apps to give us this awareness of traffic.

Part of what makes a swarm of cars interesting, and a little scary, is the concept of emergent properties, or the idea that the whole is greater than the sum of its parts.  This is exactly what’s going on with the Kilobots: the emergent properties of their intelligence mean that the whole is able to figure out how to form shapes without an individual Kilobot having to be told exactly where its place is in the grand scheme.  It’s up to the individual to do its best to conform to the needs of the whole to create the shape.  But while the emergent properties of the Kilobots were the end goal of the experiment, what happens when you design a swarm of cars without an emergent property in mind?

We’re in the beginning stages of understanding how a swarm does what it does.  How does a flock of birds really fly and wheel in unison?  How does a school of fish form and stick together?  How does a swarm of bees operate?  Maybe over the next 5-6 years we’ll have a better understanding of what makes these things work like they do, but will this understanding be applied to our vehicles?  The implications of a system of cars that have some sort of emergent property concerning how they enter, exit and move through traffic could be pretty severe, unintentionally creating gridlock and other safety concerns.  It could also work to alleviate the same gridlock in unforeseen ways, which makes the technology worth pursuing.

And then there are the sci-fi concerns, à la Maximum Overdrive.  Swarm behaviors plus smart cars could create a series of emergent properties that make our cars decide that the safest option is to not get on the road in the first place.  Or that it’s better to be in the middle of the swarm and keep driving instead of getting off at the proper exit.  Or a hundred other scenarios that science fiction authors have explored in depth multiple times.  It’s not that this sort of ending is a certainty, it’s more that it’s a possibility that has to be explored and prevented, rather than dismissed as an impossibility.


Aug 17 2014

Con flu, con crud and conxhaustion

Published by under Humor

I want to create a new word, ‘conxhaustion’.  That feeling you have halfway through the conference where you’ve been living on 3 hours of sleep a night and realize you have days more to go before you’ll sleep normally again. 

I love going to the conferences in Las Vegas every summer: Black Hat, Defcon and BSides.  But I hate Vegas itself and I hate it even more now that I have to travel from London to get there.  It was bad enough when I got half way through the week and was exhausted because of lack of sleep when I was in the same time zone. When you throw an eight hour time difference into the mix, even surviving a week in the desert is a grueling task.  But it’s the only place I ever get to see many of my friends, peers and co-workers, so it’s a necessary evil, year after year.  I have to admit, RSA is just as tough, but at least it’s my old stomping grounds and a lot cooler, both physically and metaphorically.

Almost everyone who goes to Las Vegas gets their regular cycles and habits thrown off; it’s what the city is meant to do.  The light and temperature are always constant inside, so you have no way of knowing whether it’s day or night.  The water from the tap invariably tastes awful and anything you get in a bottle is probably going to cost an arm and a leg.  And eating in anything like your normal habits is difficult to say the least, especially since the amounts are huge and the calories are even huger (is that a word?  It is when referring to Vegas).  Keeping hydrated and properly fed becomes nearly impossible for anyone who doesn’t want to spend more time looking for a place to eat than actually eating.

And it doesn’t really stop once you get home, at least not for me.  If you’re relatively local, your schedule’s off because you’ve been staying up so many late nights and it takes a few days to recover.  If you’re coming from another continent, like me, you’d just gotten used to the Vegas time zone when you’re forcing your body back to its normal time zone.  Which, at least for me, takes another week to get re-adjusted. 

So you’re home, you’re dehydrated, you’re exhausted from the running around and the lack of sleep and you’ve had a horrible diet for the last week.  Which is why we all so often cap off conferences and conxhaustion with con flu and con crud.  Oh, did I forget to mention that all those handshakes and hugs introduced your body to tons of new germs and bacteria?  It’s not like people are their most hygienic during cons, since showers are optional and there’s always a line to get into the bathroom.  Why bother washing your hands?

So it’s no wonder we come home from a week in the desert and spend another couple of weeks recovering from the experience. 


Aug 03 2014

Last Hacker Standing, Episode IV – The Last Hope

Published by under Family,Hacking,Humor,Podcast

Well, I told you I couldn’t go that long without recording a podcast.  And a couple of weeks ago I got together with my friends Chris John Riley and Dave Lewis and started a new project, Last Hacker Standing.  In the inaugural podcast, we talk news (straight up, with a twist), alongside our wonderful guest Katie Moussouris from Hacker One.  I’m going to try to have fun with this one, not taking it too seriously.  Not that I ever took the Network Security Podcast all that seriously, of course.  Our format is going to be a podcast twice a month, with a guest who will join us to talk about news stories for the first half and talk about themselves for the second half.  We do reserve the right to change this format whenever we please.

Last Hacker Standing, Episode IV – The Last Hope


Jul 30 2014

Russia says “Hand over your code.”

Published by under Cloud,Privacy

Well, this should be interesting.  The Russian Communications Minister suggested, rather strongly, that Apple and SAP share their source code with the Russian government so that it could be reviewed to make sure it wasn’t being used to spy on Russian citizens.  Yes, Russia is playing the privacy card to sneak a peek at the crown jewels of two of the biggest high tech companies in the world.  Who says Russian politicians don’t have a sense of humor?

On the surface, the request for source code review in order to protect the privacy of Russian citizens from US spying has some merit.  Since the Snowden revelations last year, I think anyone not familiar with Apple and SAP would be willing to entertain the idea that either or both companies might have backdoors in their software.  But anyone who knows these companies understands they’re big enough that they can and would strongly resist any effort to introduce spy technologies into their software, probably vocally.  Beneath the surface of the request, what Russia is more likely looking for is a way to compromise this software themselves and get access to company secrets in order to share them with their own corporations.  Historically speaking, there’s a fair amount of evidence to support this theory.  Or maybe I’m simply too cynical.

Irony aside, between recent laws requiring traffic to be logged inside Russia and additional laws requiring all Russian data to be stored in Russia, this shouldn’t be a surprising move.  In fact, I won’t be at all startled if the next move is a law requiring any software that’s being installed on hardware within Russia to require testing by the Russian government before deployment. The two current laws are already going to make any cloud deployment that relies on global distribution (meaning all of them) nearly impossible, but adding a code audit to those requirements will make doing business in that location unviable, to say the least.

Apple and SAP could make their source code available for ministry code review, but I find that idea extremely unlikely.  Creating a code review environment that is acceptable to both of these companies and the Communications Ministry is going to be next to impossible.  Apple is well known for how jealously they guard both their source code and their developing hardware, and SAP isn’t all that far off the mark, philosophically speaking.  It’s unlikely either company would be willing to allow their software to be shared for review off of the company premises, or even reviewed in an environment that would allow the reviewer to copy the code in some way.  And it’s unlikely that any Russian officials are willing to settle for the compromises that will be mandated by the companies before a review is allowed.

The Reuters article suggests that the code review that is being requested by the Russian Communications Minister is politically motivated and being done in response to the sanctions that are being put in place by the European Union and the US in response to the situation in the Ukraine.  While there might be an element of this in the timing, I believe that this request is part of a larger movement within Russia to tighten their control over all data within their borders instead.  So far, the disclosure of source code is merely a request, without force of law behind it.  But don’t be surprised if that request changes to a legal requirement within the next year and it encompasses any software being sold into Russia.  

This situation has layers of complexity that I’m not comfortable covering in a blog post, and in fact I don’t believe I have the background to understand many of the political implications involved.  Russia has made many moves recently that seem to be inherently opposed to the openness of the Internet and to any sort of Cloud deployment.  Both of these seem like self-limiting actions by the Russian government that will keep the country from prospering in the future.  How many companies will decide the market in Russia is simply not big enough to take the risks of sharing source code or storing information inside of the country?  And how long will the companies that do share code be able to keep it secret without it being shared with Russian companies?  

I strongly suspect both Apple and SAP are currently telling the Russian Communications Minister to go pound sand in very nicely worded, politically correct ways.  And that the Minister is calmly telling them both that his request will soon carry the force of law behind it, so they’d better play nice or there will be sanctions involved in the future.  I would not want to be an employee of either of these companies who works in Russia right now, that much I’m sure of.


Jul 29 2014

You’ve been reported … by an ad

Published by under Government,Malware,Risk

This looks like an interesting experiment; the City of London police have started placing ads on sites for pirated music warning that the visit to the site has been recorded and reported.  Called “Operation Creative”, this is an effort by the Police Intellectual Property Crime Unit (PIPCU) to educate people visiting sites that offer pirated music and videos that it’s illegal and could result in prosecution.  As if anyone who visits a pirate site didn’t already know exactly what they were doing and what the potential consequences are.  The City of London police call it education, though intimidation might be a better word for what they’re actually doing.

The folks over at TorrentFreak are concerned with the fact that they couldn’t get the actual banners to show up.  They created a story out of what they could get to, ads for music sites that have reached agreements with the RIAA and music labels.  While this is interesting, I’m more concerned with what the results of this type of ‘education’ will be.

Let’s be honest in saying that anyone who’s using a pirate site has a pretty good idea of what they’re doing.  So the police banners aren’t going to be educational; they’re attempts to make users believe that their IP addresses have been logged for future prosecution.  While they don’t come out directly with the threat, it is implied using the word “reported”.  And who’s to say that the ad network they’re using to supply the ads isn’t using a cookie to gather IP addresses as well as various other information?  This definitely sounds more like a threat than most forms of education I’m familiar with.

The problem I have with this PIPCU exercise isn’t the intimidation, but rather the unintended consequences of it.  Scary warnings that the user is doing something illegal aren’t new and in fact have been used by malware authors for a long, long time.  Scareware saying the FBI is going to come knocking at your door for visiting illegal websites is a common tactic, it’s just whether they’re telling you you’ve been to porn sites with underage models or pirate sites to download music that change.  I’m certain the same groups who send these notifications already have fake ads telling users to “pay a fine of $500 or we’re coming to your house”.  If they aren’t in the ad networks, they definitely send out spam to users with the same messages, often using the same exact graphics and messages as official police web sites.  

Rather than discouraging the average pirate site user from visiting the site, this police effort is likely to create the illusion that such scareware ads might be legitimate in the eyes of the user.  In other words, while there might be some impact on the number of people using pirate sites, it’s more likely this will increase the amount of fraud perpetrated against those same users, since it’ll be hard to tell if the warning is really the police or not.  The music companies are probably perfectly happy with this as an outcome, but I doubt the police will enjoy being used as a method for increasing fraud against anyone.

My second concern is less about the fraud and more about the futility of the exercise.  Brian Krebs recently wrote about services that allow an organization to click on banner ads in order to drain the money spent on those ads.  In other words, you pay a service to click on your competitor’s ads without giving them anything of value, using up the money they paid for those ads as quickly as possible, with little or no return.  I see no reason some of the more technically savvy users of pirate sites wouldn’t create scripts to do exactly the same to the police.  How hard would it be to use VPNs or Tor to disguise IP addresses and hit the same ads again and again?  In theory there are likely to be defenses in place to stop this type of targeted ad attack, but it’s possible to overcome any defense if you have a motivated attacker.

I’m purposefully not addressing the ethics of pirating music, nor am I addressing the efficacy of an outdated business model such as the music industry.  I’ll leave it to someone else to argue both sides of that argument.  What I’m concerned with is how effective the efforts are going to be and what the consequences of those efforts will be.  Does the PIPCU expect their ad campaign to have a direct effect on piracy or do they realize this is a futile effort?  Have they thought of the negative consequences their efforts will have with regard to fraud?  Or is this simply an effort to be seen as doing *something* by the recording companies and the public, no matter how negligible the positive outcomes might be?

I’m not sure what would constitute an effective measure to stop piracy.  For the most part I think the ads we’ve seen in the past, both in movie theaters and online, have been heavy handed and annoyed most of the people they were targeted at rather than dissuade anyone.  This effort doesn’t seem much different, but it has the added disadvantage of making it easier for the authors of scareware to intimidate the public into giving up money for no good reason.  And that’s something that should be avoided whenever possible.


Jul 28 2014

“Your cons are just an excuse to drink and party”

Published by under General,Humor,Social Networking

I’m sure we’ve all heard it before when trying to get approval to travel to conventions:  “This is just a boondoggle and you’re going to party the week away!”  Many people believe that the only thing that gets done at security conferences is that a lot of alcohol gets consumed and people get silly at night.  If you go by some of the things we talk about publicly, it’s no surprise that managers might believe that.  While there’s a little bit of truth in the accusations, the reality is that there’s so much more going on at conferences that we don’t talk about.

There are obviously the talks.  While I personally only attend two or three talks a conference, I know people who spend their entire day running from talk to talk and wish they had time to see more.  There’s a lot of research being revealed at Security Summer Camp, some of which is being seen for the first time there.  It’s valuable to know what’s up and coming, what’s new and interesting and what the trends are in the security field.  The talks given at conferences are one way to find out about all of these.

A second reason to attend conferences is the contacts.  Having connections amongst your peers is easily as important as having knowledge about your field when it comes to a career in security.  There’s too much going on to know everything, there are times when you’re going to need help, so creating and cementing the relationships that will help you over the course of a career are fundamental to your success.  This happens in the hallway track between sessions, this happens during lunches and dinners and this happens even more during the parties at night.  Conferences provide a means to be social with like minded individuals that simply doesn’t exist in many other venues.

And finally there’s the break from the daily routine to de-stress and relax a little.  We need to get away from the daily routine from time to time, it’s a fact of life and why we have vacations.  Conferences provide a similar function, but in addition they give us an opportunity to gain new perspectives on our routine and exchange ideas with others that can be incredibly valuable in dealing with the problems in our normal work environment.  That shift of focus can make all the difference in the world in how you tackle a problem when you return to the routine.

So, yes, the conference parties are what a lot of people think of when they hear us asking to go to a conference.  But they’re only a small part of what’s going on at the conference and even they serve an important role as a social lubricant.  Of course, that’s assuming that you’re safe and sane when drinking and don’t do something that’s going to get you in deep trouble back at the office.  There’s always a few people who don’t know when to stop at every conference.  Don’t be ‘that guy’.
