Archive for the 'Hacking' Category

Jul 17 2014

Root my ride

Published under Government, Hacking, Risk

If you’ve never watched the anime Ghost in the Shell (GITS) and you’re in security, you’re doing yourself a great disservice. If nothing else, watch the Stand Alone Complex series as a primer on what we might expect from Anonymous in the future. I know my friend Josh Corman tries to sit down to watch it every year or two in order to refresh his memory and help him understand what might be coming down the pipeline from chaotic actors. And the authors of the manga/anime have an impressive understanding of what the future of hacking might bring in the long term. Probably a better idea than the FBI has, at least.

Earlier this week the Guardian got a copy of an unclassified document the FBI had written up exploring the future of driverless vehicles and the dangers they pose. Their big revelation is that driverless cars could let hackers do things they couldn’t do while driving a normal car. In other words, since they wouldn’t have to actually be driving, they could hack while the car drove itself. Which ignores the fact that it’s already pretty easy to get someone else to drive a car for you, presumably much better than a driverless car will be able to for many years. If I’m going to commit a crime, I’d rather have someone I can trust at the wheel than take my chances that the police might have a back door (pun intended) into my car’s operating system.

The Guardian story also hints that the FBI is concerned about driverless cars being hacked for use as weapons. I have to admit that this is a concern; hacking a target’s car to accelerate at the wrong time, or mucking with the car’s GPS so that it thinks the road goes straight when it should follow the curve of the cliff, wouldn’t be a massive logical stretch. Doing the same to plow a car into a crowd or run over an individual is also a possibility. However, both of these are things an unskilled operator could do with a real car by cutting the brake lines or driving the car themselves, then running from the scene of the crime.

I think it’ll be much more interesting when driverless cars start becoming commonplace and young hackers decide they don’t like the feature set and/or controls that are present in the car. It’s a logical extension to think that the same people who root phones and routers and televisions will eventually figure out how to re-image a car so that it has the software they want, to give the vehicle the capabilities they want. I know that the Ford Focus has a whole community built around customizing the software in the vehicle, so why would it be any different for driverless cars in the future?

The difference with the driverless car will be that I could strip out many if not all of the safety protocols that will be in place, as well as the limiters on the engine and braking systems. I want to pull off a robbery and use a driverless car for the getaway? Okay, ignore all stoplights, step on the gas and don’t brake for anything. You’d probably be able to rely on the safety features of other driverless cars to avoid you, and you wouldn’t have to worry about the police issuing a kill signal to your car once they’ve read your license plate and other identifying codes. I’d still rather have an old fashioned car with an actual driver, but at some point those might be hard to get and using one would cause suspicion in and of itself.

On the point of a kill signal, I strongly believe this will be a requirement for driverless cars in the future.  I’m actually surprised a law enforcement kill switch hasn’t already been legislated by the US government, though maybe they’re waiting to see how the public accepts smart phone kill signals first.  Around the same time as the kill switch is being made mandatory, I expect to see laws passed to make rooting your car illegal.  Which, of course, means only criminals will root their cars.  Well, them and the thousands of gear heads who also like to hack the software and won’t know or care about the law.

The FBI hasn’t even scratched the surface of what they should be concerned with about driverless cars. Back to my initial point about Ghost in the Shell: think about what someone could do if they hacked into the kill switch system that’s going to be required by law. Want to cause massive chaos? Shut down every car in Los Angeles or Tokyo. Make the cars accelerate and shut down the brakes. Or simply change the maps the car’s GPS is using. There are a lot of these little chaos producing tricks used throughout the GITS series, plus even more that could be adapted easily to the real world.

Many of these things will never happen.  The laws will almost definitely be passed and you’ll have a kill switch in your new driverless car, but there’s little chance we’ll ever see a hack of the system on a massive scale.  On the other hand, given the insecurity we’re just starting to identify in medical devices, the power grid and home networks, I’m not sure that any network that supports driverless cars will be much better secured. Which will make for a very interesting future.


Jul 16 2014

Patching my light bulb?

Published under Cloud, Hacking

You know things are getting a bit out of hand when you have to patch the light bulbs in your house. But that’s exactly what the Internet of Things is going to mean in the future. Everything in the household from the refrigerator to the chairs you sit in to the lights will eventually have an IP address (probably IPv6), will have functions that activate when you walk into the room and will communicate that back out to a database on the Internet. And every single one of them will have vulnerabilities and problems with their software that will need to be patched. So patching your lights will only be the start of the wonders of the Internet of Things.

We already know our televisions are tracking our viewing habits.  Not just what we watch from the cable boxes, but what shows we stream, what content we download and they’re enumerating all the shares on our networks to find what’s there as well.  For each new device we add to the home network, we’re also adding a new way for our networks to be compromised, to allow an outsider into our digital home.  How many home users are going to be able to set up a network that cuts these digital devices off from what’s important on the network?  How many security conscious individuals are going to bother?

It’s interesting to watch the ‘what we can do’ run amok with little or no regard for ‘what we should do’.  Ever since the first computers were built we’ve been fighting this battle.  But as it moves from the corporate environment as the battlefront to the home environment, it’ll be interesting to see how the average citizen reacts.  Will we start seeing pressure for companies to create stable, secure products or will we simply continue to see a race to be first to market, with the mentality that “we’ll fix it later”?


Jul 08 2014

What to see at Security Summer Camp

Published under Hacking, Public Speaking

It’s coming, and there’s no avoiding it.  That week in Las Vegas when security practitioners from across the globe come together to attend Black Hat, Defcon and BSides LV.  We jokingly call it security summer camp, but if you set foot outside of the hotels and casinos in the heat of the day, chances are you’ll fry your brain and that lily white skin hackers, and people living in London, seem to cultivate so well.  It’s probably the biggest gathering of serious security professionals, less serious security practitioners and general troublemakers from nearly every country in the world and people come to see the talks, catch up with old friends, make new friends and party.  It should probably be called the security frat party, but that’d be even harder to get past bosses and accounting departments than it already is.

Personally, the social aspects of the event are why I go to conferences. Not the parties, though I drink more at these events than I would normally, but instead the meetings with friends to find out what they’ve been up to, what they’re working on and what the tides of change have brought during the previous year or so. I go to a few talks at each event, but the reality is that between the podcasting and my social circles, if there’s a really good talk, I can probably arrange to talk to the speaker face to face. And in most cases, you can too, if you’re willing to put yourself out there and treat the speaker with a modicum of respect while hunting them down. Just don’t be too stalker-ish about it. Most of the people who talk at these events are approachable, especially if you buy them a drink and treat them like people.

But I do try to make a few talks every event, simply because there are still some things that are better experienced watching a person present on stage.  I understand how a vulnerability works better if I can talk to the researcher, but seeing the narrative a storyteller develops, seeing the persona they project on stage is a totally different experience than talking to them once their energy level has resumed their normal steady state.  And a few people in the security industry are such showmen that it’s worth seeing their talk even if you can talk to them in person later.  Or maybe because of it.

In any case, here’s my short list of the talks I’m going to try to see during the week:

Black Hat, August 6th, 09:00 – CyberSecurity as Realpolitik, Dan Geer

Black Hat, August 6th, 14:15 – Government as Malware Authors, Mikko Hypponen

Black Hat, August 6th, 15:30 – Pulling Back the Curtain at Airport Security, Billy Rios

Defcon, August 8th, 14:00 – Defcon Comedy Jam – aka The Fail Panel – I’ve been helping on this one for a few years. Expect bad behavior.

Defcon, August 9th, 10:00 – Mass Scanning the Internet, Graham, McMillan, Tentler

Defcon, August 9th, 12:00 – Don’t DDoS Me, Bro: Practical DDoS Defense, Self, Berrell

And one I can’t see because I’ll be headed to the airport:

Defcon, August 10th, 15:00 – Elevator Hacking, Ollam and Payne

I haven’t seen the BSides talk tracks yet, but I’ll update the post once I do.




Jul 06 2014

The dominoes of Internet Balkanization are falling

Published under Cloud, Government, Hacking, Privacy, Risk

We knew it was coming; it was inevitable.  The events put in motion last June played right into the hands of the people who wanted to cement their control, giving them every excuse to seize the power and claim they were doing it in defense of their people and their nation.  Some might even say it was always destined to happen, it was just a matter of how soon and how completely.  What am I talking about?  The Balkanization of the Internet.  It’s happening now and with Russia entering the competition to see who can control the largest chunk most completely, it’s only a matter of time before others follow the lead and make the same changes within their own country.

Let’s make no mistakes here: for as long as the Internet has been in existence, there have been countries and governments that have wanted to circumscribe their boundaries in the virtual domain and create an area where they control the content, they control what the people can and can’t see and they have the ability to see everything everyone is looking at. But prior to the last year, very few countries other than China and a few countries in the Middle East had either the political impulse or the technical means to filter what came into and out of their countries. China had this power because they’d recognized early on the threat the Internet posed to them, and the countries in the Middle East have comparatively limited Internet access to begin with, so filtering and controlling their access is a relatively easy exercise. In both cases though, the efforts have been coarse, with plentiful ways to circumvent them, including the use of Tor. Though it now looks like Tor itself has long been subverted by the US government to spy as well.

But then Edward Snowden came forth with a huge cache of documents from inside the NSA. And it turned out all the things that the US had long been shaking its finger at other governments about, things that the US considered to be immoral and foreign to individual freedoms, were the exact things that the NSA had been doing all along. Sure, it was only foreigners. Oh, and only ‘people of interest’. And people with connections to people of interest. Four or five degrees of connection, that is. And foreign leaders. And … the list goes on. Basically, the logical justification was that anyone could be a terrorist, so rather than taking a chance that someone might slip through the cracks, everyone had become a suspect and their traffic on the Internet was to be collected, categorized and collated for future reference, just in case. Any illusion of moral superiority, or of personal freedom from monitoring, was blown to shreds. The arguments American politicians had carefully constructed to assume the high ground and tell other countries what they should and should not do were torn down, and America suddenly became the bad guys of the Internet. Not that everyone who knew anything about the Internet hadn’t already suspected this had always been going on, and that the US is far from the only country performing this sort of monitoring of the world. Every government is monitoring their people to one degree or another; the USA and the NSA were simply the ones who got their hands caught in the cookie jar.

The cries to stop data from being sent to the USA have been rising and falling since June and Mr. Snowden’s revelations. At first they were strident, chaotic and impassioned. And unreasonable. But as time went by, people started giving it more thought and many realized that stopping data on the Internet from being exfiltrated to the USA, in the Internet’s current form, was near unto impossible. One of the most basic routing protocols of the Web makes it nearly impossible to determine ahead of time where a packet is going to go to get to its destination; traffic sometimes circumnavigates the globe in order to get to a destination a couple hundred miles away. That didn’t stop Brazil from demanding that all traffic in their country stay on servers in their country, though they quickly realized that this was an impossible demand. Governments and corporations across the European Union have been searching for ways to ensure that data in Europe stays in Europe, though the European Data Protection Directives have been hard pressed to keep up with the changing situation.

And now Russia has passed a law through both houses of their Parliament that would require companies serving traffic within Russia to keep that data in Russia and log it for at least six months, by September of 2016. They’re also putting pressure on Twitter and others to limit and block content concerning actions in the Ukraine, attempting to stop any voice of dissent from being heard inside Russia. For most companies doing business there, this won’t be an easy law to comply with, either from a technical viewpoint or from an ethical one. The infrastructure needed to retain six months of data in country is no small endeavor; Yandex, a popular search engine in Russia, says that it will take more than two years to build the data centers required to fulfill the mandates of the law. Then there’s the ethical part of the equation: by whom, and how, will these logs be accessed by the Russian government? Will a court order be necessary, or will the FSB be able to simply knock at a company’s door and ask for everything? Given the cost of building an infrastructure within Russian borders (and the people to support it, an additional vulnerability) and the ethical questions of the law, how does this change the equation of doing business in Russia for companies on the Internet? Is it possible to still do business in Russia, is the business potential too great to pull out now, or do companies serve their traffic from outside Russia and hope they don’t get blocked by the Great Firewall of Russia, which is the next obvious step in this evolution?

Where Brazil had to bow to the pressure of international politics and didn’t have the business potential to force Internet companies to allocate servers within its borders, Russia does. The ruling affluent population of Russia has money to burn; many of them make the US ’1%’ look poor. There are enough start ups and hungry corporations in Russia who are more than willing to take a chunk of what’s now being served by Twitter, Google, Facebook and all the other American mega-corporations of the Internet. And if international pressure concerning what’s happening in the Ukraine doesn’t even make Russia blink, there’s nothing that the international community can do about Internet Balkanization.

Once Russia has proven that the Balkanization of the Internet is a possibility and even a logical future for the Internet, it won’t take long for other countries to follow. Smaller countries will follow quickly, the EU will create laws requiring many of the same features that Russia’s laws do, and eventually even the US will require companies within its borders to retain information where the government will have easy access to it. The price to companies ‘in the Cloud’ will skyrocket as the Cloud itself has to be instantiated within individual regions and the economy of scale it currently enjoys is brought down by the required fracturing. And eventually much of the innovation and money created by the great social experiment of the Internet will grind to a halt as only the largest companies have the resources needed to be available on a global scale.



Jun 10 2014

If you don’t enter, you can’t win

Let me start by saying Nikita is brilliant and should be showered with accolades for coming up with this, presumably on the fly.

Let me give you some background. Today was the day the letters about whose talks were accepted for Defcon 22 came out. Additionally, all the rejection letters for those not lucky (or well prepared) enough to be chosen to speak came out today. I know my limitations, and as such, I haven’t submitted a talk to Defcon, other than being on panels and being part of the Defcon Comedy Jam in years past. I also know I’m a smart ass and I jokingly asked Nikita on Twitter (@niki7a) “Can I get a #Defcon rejection letter? Even though I never submitted anything.” And here’s the reply I got. As a coworker put it: “So your talk on not submitting and regretting it was rejected because it wasn’t submitted, and the rejection was song lyrics about not regretting your actions with a statement on why they regret rejecting your non-submitted non-submittal? Meta.”


The review board has reached a decision for your submission. Unfortunately, we will not be accepting your talk, “I didn’t bother to submit, and other regrets in the Hacker scene”, for DEF CON 22. If you submitted more than one paper, it may still be in review. Individual letters are sent out for each paper.

Every year, I have to write a bushel of rejection letters, and it’s never easy to shoot someone down who has put together a CFP. I really respect the effort each applicant puts into their work. The work you do, and the willingness to share your knowledge with the community is incredible, and I appreciate the fact you submitted with us. In a perfect world, every submission would be accepted and its contents shared with the community. Each talk has the potential to be the building blocks for a new idea, the solution to someone’s headache, the itch that needs scratching, or the salve for someone else’s.

In the end, I try to provide feedback for you so that when a talk is rejected you can get some sense of why and take that feedback to build a better paper. Hopefully, you can use it to submit it again to another conference, or again with us next year. Either way, thank you again for the hard work. I’ve put together your feedback from the review board below.

We had to reject simply due to the fact that you didn’t submit. Maybe you will think about that next time. I mean seriously, like, what were you thinking? I’d like to give you the following feedback as a way to help you understand this oversight on your part; perhaps my words will motivate you to improve your position for next year.

“And now, the end is here
And so I face the final curtain
My friend, I’ll say it clear
I’ll state my case, of which I’m certain
I’ve lived a life that’s full
I traveled each and ev’ry highway
And more, much more than this, I did it my way

Regrets, I’ve had a few
But then again, too few to mention
I did what I had to do and saw it through without exemption
I planned each charted course, each careful step along the byway
And more, much more than this, I did it my way

Yes, there were times, I’m sure you knew
When I bit off more than I could chew
But through it all, when there was doubt
I ate it up and spit it out
I faced it all and I stood tall and did it my way

I’ve loved, I’ve laughed and cried
I’ve had my fill, my share of losing
And now, as tears subside, I find it all so amusing
To think I did all that
And may I say, not in a shy way,
“Oh, no, oh, no, not me, I did it my way”

For what is a man, what has he got?
If not himself, then he has naught
To say the things he truly feels and not the words of one who kneels
The record shows I took the blows and did it my way!


Yes, it was my way”

Thank you for your time, I can’t tell you how much I appreciate the opportunity you’ve given me to berate you over electronic medium, I can’t wait to see you at the show!

Please consider submitting or not submitting again in the future, and I hope that you enjoy DEF CON this year.


Nikita Caine Kronenberg

There may be material here for a submission to Defcon 23.


Jun 03 2014

Well done, HITB, well done

Published under Hacking, Personal, Public Speaking

One of the advantages of having moved to the UK from California last year is that I often get the chance to attend conferences I never would have dreamed of attending otherwise.  Thanks to this, last week I was able to attend one of the events I’d never hoped to be able to see otherwise, Hack in the Box Amsterdam.  And I’m very glad I did, as are my children, aka the Spawn.

One of the unique things about this year’s HITB was their choice of keynote speakers, who were all women. None of them were asked to speak about “women in infosec”, nor were they discouraged from the topic. But they were all women who are recognized as having accomplished great things in the security field. Katie Moussouris opened up the conference talking about how the security community is finally at a point where we actually have the influence we’d always wanted; now we have to do something with it. That, and announcing her new role as the Chief Policy Officer for HackerOne, a bug bounty company. The second day was opened by Jennifer Steffens, CEO of IOActive, who called bullshit on the security community for being such a bunch of emo posers and pointed out what a wonderful time it is to be in security, as well as illustrating some of the exemplars in our field. Both of these security professionals gave keynotes worthy of nearly any conference in the world.

The Haxpo, or vendor area as we generally call it, alongside the conference was also well worth the visit. TOOOL was in evidence, as were a number of the local hacker spaces, but my favorite part of the show floor was the soldering: I picked up a HITB badge, Spawn0 got a TV-B-Gone and we both went to town with soldering irons. Spawn0 was more successful than I was, as his TV-B-Gone worked while my badge didn’t, most likely due to lack of soldering skills on my part. He’s just waiting for football (aka soccer) season to get into full swing to test its full capabilities.

Will I attend HITB again?  It depends; I’d just come off of two weeks of intensive travel and probably could have used downtime as much as I wanted to see this event.  But I’m very glad I went and got to meet additional members of the European security community.  Maybe next year I’ll try to avoid having so much travel leading up to the event.


Apr 06 2014

NSP Microcast – BSides London 2014

This afternoon I had a chance to talk to two of the main organizers of one of the biggest security events of the year, BSides London.  Paul Batson and Thomas Fisher have been working tirelessly (or maybe tiredly) for months to bring together all of the disparate elements required to make a conference come together.  And it’s no mean feat when the people you’re working with are all volunteers and the money comes from sponsors, both of whom believe in your cause.  This year will be my first chance to go to BSides London (this is the fourth) and I’m really looking forward to it.


Time: 18:00


Apr 05 2014

Hack my ride

Published under Hacking, Risk, Security Advisories

Important:  Read the stuff at the end of this post.  I got a lot of feedback and I’ve added it there.  Unlike some people, I actually want to be told when I’m wrong and learn from the experience.

I don’t own a Tesla S and probably never will. They’re beautiful cars, they’re (sort of) ecologically friendly, and they show that you have more money than common sense. I use a car to get my family from point A to point B, and showing off my wealth (or lack thereof) has never actually been part of the equation in buying a car. And one more reason I don’t think I’ll ever buy a Tesla is that I’m beginning to think they’re as insecure as all get out, at least from the network perspective.

Last week hacker* Nitesh Dhanjani wrote up his experience exploring the remote control possibilities of the Tesla Model S P85+. It starts with being able to unlock the doors, check the location, etc. And it ends with a total lack of security for the site and tools needed to control the car. The web site for controlling your new Tesla has minimal password complexity controls: six characters with at least one letter and one number. I have no idea if it’ll even let you use symbols, but I’m guessing that’s either not supported or only a minimal subset of symbols are available. Which means password complexity is very low by almost any standard. Then there’s the fact that Tesla doesn’t have rudimentary controls around the web site, such as rate limits on password guesses or account lockout, which they’ve hopefully changed by now. That gives you an easily guessed password combined with a site that allows unlimited guesses, making the possibility of brute forcing the password very real. That’s not even including the fact that so many people reuse account names and passwords, so there’s a good chance you can find a compromised account database with the owner’s details if you search for a little while.
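The controls the paragraph above says the portal lacked, as an added example that is neither Tesla’s code nor Dhanjani’s: the six-character letter-plus-digit rule is the one quoted above; the lockout thresholds, the lowercase-only alphabet and the account names are assumptions.

```python
"""Per-account login throttling with lockout, plus the arithmetic that shows why
the quoted password rule is only survivable when such throttling exists."""
import re
import string
import time

MIN_LEN = 6  # minimum length the post quotes for the Tesla portal


def meets_quoted_policy(password: str) -> bool:
    """The rule the post describes: at least six characters, one letter, one digit."""
    return (len(password) >= MIN_LEN
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def quoted_policy_keyspace(case_sensitive: bool = False) -> int:
    """Distinct passwords of exactly MIN_LEN characters satisfying the quoted rule.

    Inclusion-exclusion: all strings minus all-letter strings minus all-digit
    strings.  Exactly MIN_LEN is the floor an online guesser would try first.
    The lowercase-only default is an assumption (the post does not say whether
    the site is case-sensitive)."""
    letters = len(string.ascii_letters if case_sensitive else string.ascii_lowercase)
    digits = len(string.digits)
    total = letters + digits
    return total ** MIN_LEN - letters ** MIN_LEN - digits ** MIN_LEN


class ManualClock:
    """Deterministic clock so the throttle can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Count failures per account inside a sliding window and lock the account
    after too many.  While locked, every attempt is answered "locked", including
    one with the correct password, so a guesser cannot tell a hit from a miss.
    The thresholds are assumed defaults, not a policy from the post."""

    def __init__(self, max_failures: int = 5, window_s: float = 900.0,
                 lockout_s: float = 900.0, clock=None) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock or time.monotonic
        self._failures: dict[str, list[float]] = {}
        self._locked_until: dict[str, float] = {}

    def attempt(self, account: str, password_ok: bool) -> str:
        now = self.clock()
        if self._locked_until.get(account, 0.0) > now:
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures.pop(account, None)
            return "locked"
        self._failures[account] = recent
        return "denied"

    def guesses_per_day(self) -> float:
        """Upper bound on online guesses per account per day: a burst of
        max_failures, then nothing until the lockout expires."""
        return self.max_failures * 86400.0 / self.lockout_s


def years_to_exhaust(keyspace: int, guesses_per_day: float) -> float:
    """Worst-case years to try every password at the given online rate."""
    return keyspace / guesses_per_day / 365.0


if __name__ == "__main__":
    space = quoted_policy_keyspace()
    throttle = LoginThrottle(clock=ManualClock())
    print(f"6-char letter+digit keyspace (lowercase): {space:,}")
    print(f"throttled guesses/day/account: {throttle.guesses_per_day():.0f}")
    print(f"years to exhaust with throttling: {years_to_exhaust(space, throttle.guesses_per_day()):,.0f}")
    # Constructed demo account: three quick failures, then the lockout holds
    # even against the right password until the timer expires.
    clk = ManualClock()
    t = LoginThrottle(max_failures=3, window_s=60, lockout_s=300, clock=clk)
    print([t.attempt("demo-owner", ok) for ok in (False, False, False, True)])
    clk.advance(301)
    print(t.attempt("demo-owner", True))
```

Without the throttle the same keyspace is bounded only by how fast the site answers, which is the "unlimited guesses" problem the paragraph describes.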

That’s great so far. Now let’s add to this the fact that your Tesla S has wifi/4G wireless access. And there’s also a 4-pin connector in the dashboard that leads to the network inside your car. It’s running all sorts of wonderful things in that network too, none of which could possibly be vulnerable to outside attacks, right? SSH? Check. DNS? Check. Web Server? Check. Telnet? Check. Wait, telnet? Seriously? Oh, and “1050/tcp open java or OTGfileshare”. Yes, I really want either java or an open file share running in my car. At least one person was able to get Firefox running on the console of their Tesla, [Correction: x-11 forwarding misconfiguration, not running on the Tesla] even if it was flipped on its head for some odd reason. Any or all of these services running on the car’s internal network could have vulnerabilities that allow configuration change, remote code execution or even full root access to the system. Or maybe they just allow for the systems to be rebooted, not something you really want when you’re driving on the winding coastal roads of California. [I've been told it's just the displays that would be affected, none of the handling characteristics would change. Still disconcerting]

So now we’ve got two fairly egregious methods of connecting to your Tesla with minimal security standards. The first is remote and allows for control of doors, sunroofs, braking and suspension profiles. The last two should concern everyone. While there are probably physical controls in place to keep the profiles of brakes and suspension from getting too far outside of the range of acceptable usage, I wouldn’t be willing to bet on it, given the otherwise lax security measures on the remote controls for the car. The second method of connecting to the Tesla does require physical access, but it sounds like this is built for the engineers and technicians who work on Teslas [Correction: The connection only allows for access to the entertainment system and there is an airgap between that and the CANBUS systems. However, I don't trust airgaps], and is likely to allow much greater control of the car and the various parameters of its design. Even less technologically advanced cars allow fairly advanced modification of their functioning once you have access to the software, so Tesla probably has extremely advanced configuration capabilities. Meaning everything from how the car charges when plugged in to what shows up on the dash as you’re driving to manipulating acceleration and braking is within the realm of possibility.

As the Internet of Things becomes our daily reality, this sort of lax security on something as potentially deadly as an automobile is inexcusable. It wouldn’t take much of a tweak to the normal operation of a car to make it uncontrollable in the wrong situation. We haven’t seen anyone killed by having their car hacked yet, but it’s only a matter of time if companies aren’t willing to take the time to properly secure the systems that go into making the car run. While it’s important in the current marketing environment to make every device as configurable from your phone as possible, there have to be sufficient controls in place to make that configurability safe and secure as well. Yes, it might mean that you, Tesla, have to make your users go through two or three more steps in order to set up their systems for control, but it’s worth the effort. After all, who will be liable, who will be in the courts for years when the first person claims that their car was hacked, and that that is what caused the accident? Even if having a car hacked isn’t the cause of an accident, it can’t be too long before someone uses that as their defense and still costs the company millions in legal defense.

Let’s end this with a little thought experiment. The four pin connector in the Tesla has a full TCP stack and runs on a known set of IPs. Say I grabbed a Teensy 3.1, with built in wi-fi capabilities, and added an ethernet shield. With the current arduino libraries, I can create a wi-fi receiver that takes my traffic and routes it to the wired network, which just happens to be an accessible network inside the Tesla. Now I have a device that’s a small portal directly into your car that I can connect to from several hundred feet away, farther if I want to make myself a high gain pringles can yagi antenna. We’re not talking high technology spy gear, we’re talking about a weekend project I could do with my kids that would result in a package no bigger than a pack of cards. I could put this in the glove box with a single cable leading to the car’s ethernet port. Anything a Tesla engineer could control on the car, I could control remotely. Suddenly I have the biggest remote control car on the block, which just happens to be the Tesla you’re sitting in.

This is why we have to secure the Internet of things.  If I can imagine it, you better believe there’s already someone else out there working on it.

* Hacker == someone who makes technology do things the engineers who designed it didn’t intend it to do.

Added, 9:15 GMT:  So I got some feedback very quickly after posting this.  And I admit a lot of what I’m saying here is based on guesswork, assumptions and third party statements.  It’s my blog, I get to do that.  Both Beau and the Kos have a lot more to say about why many of my assumptions are wrong.  And they probably know more about cars than I do.  So teach me.  There will be follow up.

Thanks to @chriseng for basic spell checking.  I do indeed know the difference between ‘break’ and ‘brake’, just not before breakfast.

@beauwoods: “Infotainment network and CANBUS are separate. The other issue is the equivalent threat model of a big rock to a window.” In other words, there’s a very real airgap between the two systems and it’d be impossible to control one from the other.

@theKos called my statement about the password limitations silly, stated that running Firefox on the system was a x-forward misconfiguration, that rebooting the displays won’t affect the running of the car, and that all products have vulnerabilities.  I really have to challenge the last statement as a fallacy: knowing that all products have vulnerabilities doesn’t make them more acceptable in any way.


Mar 18 2014

NSP Microcast – RSAC2014 – Utimaco

I spent a few minutes with the CEO of Utimaco, Malte Pollman, at RSAC this year. Malte explains why Hardware Security Modules are important to the web of trust of the Internet, and why lawful interception is not in conflict with that web of trust. As with all my interviews at RSAC, I asked Malte how the last year’s worth of spying revelations have affected his company and him personally. Also, I have a problem pronouncing the company name, which for the record is you-tee-make-oh.



Mar 15 2014

NSP Microcast – BSidesSF with Trey Ford

I caught Trey Ford right after his talk at the BSides Conference in San Francisco last month to talk about the efforts he’s making on behalf of Rapid7 and the security community. It may be a sign that we’re a maturing industry when we’ve got folks like Trey traveling to Washington, DC in order to talk to lawmakers about how what they’re doing affects our lives. And, as with all my interviews this year, I ask Trey how revelations about our government have affected his personal as well as professional life. Check out his site at

NSPMicrocast – BSidesSF – Trey Ford

