Jul 09 2014

Civil disobedience against surveillance

Published by under Government,Privacy,Video

Last year I moved to the UK and now spend a considerable amount of time in London.  Therefore I’m often on 10, 12, 16 or more cameras at any one time.  I dislike it intensely, but it was something I knew I’d have to deal with when I moved.  There’s no evidence that cameras prevent any serious crimes or even less serious ones, and there’s little evidence they’re very useful in catching perpetrators after the fact.  They do, however, cause a lot of innocent people to modify their behaviors slightly since they know they’re on camera.  It’s a subtle societal shift that most people will never even notice.

But one group has noticed and they’re very actively doing something about it.  It’s an anti-surveillance group called Camover that started in Germany and is working its way onto the global scene.  I’d never heard of them before yesterday, when Salon wrote a story highlighting their growth into the US.  I’m of mixed feelings about this group and their growth; part of me wants to work to change society through lawful means, while another part wants to join in on pulling down the cameras and destroying them wherever they intrude on my ever-disappearing privacy.  No, I’m not of an anarchist bent at all, am I?

The part that bothers me is that while the members of this group probably see much of what they’re doing as a bit of relatively harmless vandalism, law enforcement probably paints them as felons and terrorists.  Yes, terrorists.  They’ll be painted as destroying the cameras that protect our freedoms and help catch terrorists.  And when they’re caught, they’ll be treated as if they are terrorists, with all the extra-legal, non-judicial treatment that surrounds that designation.  It won’t be a fun adventure for them, that much is sure.

I see a need for anarchists like this to rise up and show us that surveillance can be fought.  I think we need more people to be aware of exactly how our society is being rapidly turned into a state where our every move is watched and judged.  But I don’t think it’s worth risking disappearing into a detention center somewhere, with all of your rights suspended because an agent somewhere decided to label you as a terrorist.


No responses yet

Jul 08 2014

What to see at Security Summer Camp

Published by under Hacking,Public Speaking

It’s coming, and there’s no avoiding it.  That week in Las Vegas when security practitioners from across the globe come together to attend Black Hat, Defcon and BSides LV.  We jokingly call it security summer camp, but if you set foot outside of the hotels and casinos in the heat of the day, chances are you’ll fry your brain and that lily white skin hackers, and people living in London, seem to cultivate so well.  It’s probably the biggest gathering of serious security professionals, less serious security practitioners and general troublemakers from nearly every country in the world and people come to see the talks, catch up with old friends, make new friends and party.  It should probably be called the security frat party, but that’d be even harder to get past bosses and accounting departments than it already is.

Personally, the social aspects of the event are why I go to conferences.  Not the parties, though I drink more at these events than I would normally, but instead the meetings with friends to find out what they’ve been up to, what they’re working on and what the tides of change have brought during the previous year or so.  I go to a few talks at each event, but the reality is that between the podcasting and my social circles, if there’s a really good talk, I can probably arrange to talk to the speaker face to face.  And in most cases, you can too, if you’re willing to put yourself out there and treat the speaker with a modicum of respect while hunting them down.  Just don’t be too stalker-ish about it.  Most of the people who talk at these events are approachable, especially if you buy them a drink and treat them like people.

But I do try to make a few talks every event, simply because there are still some things that are better experienced watching a person present on stage.  I understand how a vulnerability works better if I can talk to the researcher, but seeing the narrative a storyteller develops, seeing the persona they project on stage, is a totally different experience than talking to them once their energy level has returned to its normal steady state.  And a few people in the security industry are such showmen that it’s worth seeing their talk even if you can talk to them in person later.  Or maybe because of it.

In any case, here’s my short list of the talks I’m going to try to see during the week:

Black Hat, August 6th, 09:00 – CyberSecurity as Realpolitik, Dan Geer

Black Hat, August 6th, 14:15 – Government as Malware Authors, Mikko Hypponen

Black Hat, August 6th, 15:30 – Pulling Back the Curtain at Airport Security, Billy Rios

Defcon, August 8th, 14:00 – Defcon Comedy Jam – aka The Fail Panel – I’ve been helping on this one for a few years.  Expect bad behavior.

Defcon, August 9th, 10:00 – Mass Scanning the Internet, Graham, McMillan, Tentler

Defcon, August 9th, 12:00 – Don’t DDoS Me, Bro: Practical DDoS Defense, Self, Berrell

And one I can’t see because I’ll be headed to the airport:

Defcon, August 10th, 15:00 – Elevator Hacking, Ollam and Payne

I haven’t seen the BSides talk tracks yet, but I’ll update the post once I do.


One response so far

Jul 07 2014

Intrusive Healthcare

Published by under Big Data,Privacy

Soon your doctor may be giving you a call to discuss your buying habits and what they mean to your health.  Carolinas HealthCare is starting a program that looks at your buying habits based on public records, store loyalty programs and credit card purchases.  Most of this is data we thought was supposed to be private and protected by law, but it turns out to be accessible by anyone with enough money and the big data computing power to comb through it all.

On the surface, this effort is laudable.  Your doctor and your health care provider have a vested interest in helping you develop good habits such as exercise and taking your prescriptions regularly.  The better your health, the happier your life tends to be and the less money they have to spend on you overall.  It makes sense when you look at it as a long term trend to combat a nation that’s growing wider all the time and it’s an extension of trying to push for more proactive health care overall.  But the potential for abuse is simply staggering!

One of the examples used in the Business Week article suggests an asthmatic who’s in the emergency room, so the doctor checks to see if he’s been buying cigarettes, the pollen count where he lives, etc.  Why would giving a hospital and the doctor this level of access into a patient’s life ever be thought of as a good idea?  The number of things that could go wrong with this boggles the mind.  Yes, most doctors are ethical and wouldn’t take advantage of the data.  But it doesn’t take much for the temptation offered by this level of access into a patient’s life to blossom into a form of cyber-voyeurism.  It wouldn’t take much self-justification to turn the best of intentions into intrusiveness that’s inappropriate at the best of times.  I don’t want to get a call from my doctor when I pick up an extra tub of Ben & Jerry’s Chocolate Fudge Brownie at the store.  (It was for the Spawn, honest!)

The potential for abuse by doctors is just the first of the direct problems I have with my data being shared with health care.  If doctors have access to my non-healthcare data, who else is going to have access to it?  I’m sure the billing department would love to have a direct line to the information as well, so they could hunt me down if I was late making a payment or so they could vet me before authorizing an expensive procedure.  There’s also all the administrators of the systems and everyone who has access to those systems when they’re left unlocked around the hospital.

The biggest worry I have, though, is actually the third parties who’d want the data.  Hospitals are already a tempting target for evildoers of all kinds because of the data they have.  If we add credit card and loyalty card data to that mix, it becomes the ultimate treasure trove for identity theft and financial data.  While hospitals try to keep their networks secure, when it comes down to it, the ability of a doctor to access data in order to save a life trumps security by an order of magnitude, so security comes in a distant second.  So why would we think it’s a good idea to pool even more of our data in these facilities?

Final thought:  why are the credit card companies and store loyalty programs even allowed to sell access to this data in the first place?  Inquiring minds would like to know.


No responses yet

Jul 06 2014

The dominoes of Internet Balkanization are falling

Published by under Cloud,Government,Hacking,Privacy,Risk

We knew it was coming; it was inevitable.  The events put in motion last June played right into the hands of the people who wanted to cement their control, giving them every excuse to seize the power and claim they were doing it in defense of their people and their nation.  Some might even say it was always destined to happen, it was just a matter of how soon and how completely.  What am I talking about?  The Balkanization of the Internet.  It’s happening now and with Russia entering the competition to see who can control the largest chunk most completely, it’s only a matter of time before others follow the lead and make the same changes within their own country.

Let’s make no mistake here: for as long as the Internet has been in existence there have been countries and governments that have wanted to circumscribe their boundaries in the virtual domain and create an area where they control the content, they control what the people can and can’t see and they have the ability to see everything everyone is looking at.  But prior to the last year, very few countries other than China and a few countries in the Middle East had either the political impulse or the technical means to filter what came into and out of their countries.  China had this power because they’d recognized early on the threat the Internet posed to them, and the countries in the Middle East have comparatively limited Internet access to begin with, so filtering and controlling their access is a relatively easy exercise.  In both cases though, the efforts have been coarse, with plentiful ways to circumvent them, including the use of Tor.  Though it now looks like Tor itself has long been subverted by the US government to spy as well.

But then Edward Snowden came forth with a huge cache of documents from inside the NSA.  And it turned out all the things that the US had long been shaking its finger at other governments about, things that the US considered to be immoral and foreign to individual freedoms, were the exact things that the NSA had been doing all along.  Sure, it was only foreigners.  Oh, and only ‘people of interest’.  And people with connections to people of interest.  Four or five degrees of connection, that is.  And foreign leaders.  And … the list goes on.  Basically, the logical justification was that anyone could be a terrorist, so rather than taking a chance that someone might slip through the cracks, everyone had become a suspect and their traffic on the Internet was to be collected, categorized and collated for future reference, just in case.  Any illusion of moral superiority, or of personal freedom from monitoring, was blown to shreds.  The arguments American politicians had carefully constructed to assume the high ground and tell other countries what they should and should not do were torn down, and America suddenly became the bad guys of the Internet.  Not that everyone who knew anything about the Internet hadn’t already suspected this had always been going on, and that the US is far from the only country performing this sort of monitoring of the world.  Every government is monitoring their people to one degree or another; the USA and the NSA were simply the ones who got their hands caught in the cookie jar.

The cries to stop data from being sent to the USA have been rising and falling since June and Mr. Snowden’s revelations.  At first they were strident, chaotic and impassioned.  And unreasonable.  But as time went by, people started giving it more thought and many realized that stopping data on the Internet from being exfiltrated to the USA in the Internet’s current form was near unto impossible.  One of the most basic routing protocols of the Web makes it nearly impossible to determine ahead of time where a packet is going to go to get to its destination; traffic sometimes circumnavigates the globe in order to get to a destination a couple hundred miles away.  That didn’t stop Brazil from demanding that all traffic in their country stay on servers in their country, though they quickly realized that this was an impossible demand.  Governments and corporations across the European Union have been searching for ways to ensure that data in Europe stays in Europe, though the European Data Protection Directives have been hard pressed to keep up with the changing situation.

And now Russia has passed a law through both houses of their Parliament that would require companies serving traffic within Russia to keep that data in Russia and log it for at least six months, by September of 2016.  They’re also putting pressure on Twitter and others to limit and block content concerning actions in the Ukraine, attempting to stop any voice of dissent from being heard inside Russia.  For most companies doing business there, this won’t be an easy law to comply with, either from a technical viewpoint or from an ethical one.  The infrastructure needed to retain six months of data in country is no small endeavor; Yandex, a popular search engine in Russia, says that it will take more than two years to build the data centers required to fulfill the mandates of the law.  Then there’s the ethical part of the equation: who will access these logs on behalf of the Russian government, and how?  Will a court order be necessary, or will the FSB be able to simply knock at a company’s door and ask for everything?  Given the cost of building an infrastructure within Russian borders (and the people to support it, an additional vulnerability) and the ethical questions of the law, how does this change the equation of doing business in Russia for companies on the Internet?  Is it possible to still do business in Russia, is the business potential too great to pull out now, or do companies serve their traffic from outside Russia and hope they don’t get blocked by the Great Firewall of Russia, which is the next obvious step in this evolution?

Where Brazil had to bow to the pressure of international politics and didn’t have the business potential to force Internet companies to allocate servers within its borders, Russia does.  The ruling affluent population of Russia has money to burn; many of them make the US ‘1%’ look poor.  There are enough start-ups and hungry corporations in Russia who are more than willing to take a chunk of what’s now being served by Twitter, Google, Facebook and all the other American mega-corporations of the Internet.  And if international pressure concerning what’s happening in the Ukraine doesn’t even make Russia blink, there’s nothing that the international community can do about Internet Balkanization.

Once Russia has proven that the Balkanization of the Internet is a possibility and even a logical future for the Internet, it won’t take long for other countries to follow.  Smaller countries will follow quickly, the EU will create laws requiring many of the same features that Russia’s laws do, and eventually even the US will require companies within its borders to retain information, where they will have easy access to it.  The price to companies ‘in the Cloud’ will skyrocket as the Cloud itself has to be instantiated within individual regions and the economy of scale it currently enjoys is brought down by the required fracturing.  And eventually much of the innovation and money created by the great social experiment of the Internet will grind to a halt, as only the largest companies have the resources needed to be available on a global scale.


One response so far

Jun 18 2014

Network Security Podcast, Episode 332

Published by under Podcast

We’d suspected this day would come for quite some time, but it’s time to make it official: The Network Security Podcast will no longer be a regular, weekly podcast, and Rich Mogull and Zach Lanier will not be a consistent part of the podcast.  The podcast will continue in some form, but it’ll be Martin doing any of the publishing.  Which isn’t really all that big of a change anyway.

Basically, all three of us have become incredibly busy in the last year.  Zach has a wedding to plan, a new job and has moved again.  Rich has more business and work than any time in living memory and has had to cut out anything not related to work or family.  And Martin moved to Europe and is on the road close to 50% of the time, further complicating everything.

There will still be microcasts and occasional interviews published through the podcast site, but for the most part we’re shutting down production.  It’s a sad day, as we’ve been doing this podcast in one form or another for almost 9 years.  We’ll miss talking to each other and our audience, but the needs of life have intervened and require our attention elsewhere.  You can catch all three of us at various conferences, either presenting or attending, and know that we’ve always loved hearing feedback from you.

Keep an eye and ear open as there are already plans in process for what comes next.  You didn’t think Martin could stop talking, did you?

Network Security Podcast, Episode 332 – The End of an Era

Time: 50:58


Show Notes:


No responses yet

Jun 10 2014

If you don’t enter, you can’t win

Let me start by saying Nikita is brilliant and should be showered with accolades for coming up with this, presumably on the fly.

Let me give you some background.  Today was the day the letters about whose talks were accepted for Defcon 22 came out.  Additionally, all the rejection letters for those not lucky (or well prepared) enough to be chosen to speak came out today.  I know my limitations, and as such, I haven’t submitted a talk to Defcon, other than being on panels and being part of the Defcon Comedy Jam in years past.  I also know I’m a smart ass and I jokingly asked Nikita on Twitter (@niki7a) “Can I get a #Defcon rejection letter?  Even though I never submitted anything.”  And here’s the reply I got.  As a coworker put it: “So your talk on not submitting and regretting it was rejected because it wasn’t submitted and the rejection was song lyrics about not regretting your actions with a statement on why they regret rejecting your non-submitted non-submittal? Meta.”

Martin,

The review board has reached a decision for your submission. Unfortunately, we will not be accepting your talk, “I didn’t bother to submit, and other regrets in the Hacker scene”, for DEF CON 22. If you submitted more than one paper, it may still be in review. Individual letters are sent out for each paper.

Every year, I have to write a bushel of rejection letters, and it’s never easy to shoot someone down who has put together a CFP. I really respect the effort each applicant puts into their work. The work you do, and the willingness to share your knowledge with the community, is incredible, and I appreciate the fact you submitted with us. In a perfect world, every submission would be accepted and its contents shared with the community. Each talk has the potential to be the building blocks for a new idea, the solution to someone’s headache, the itch that needs scratching, or the salve for someone else’s.

In the end, I try to provide feedback for you so that when a talk is rejected you can get some sense of why and take that feedback to build a better paper. Hopefully, you can use it to submit it again to another conference, or again with us next year. Either way, thank you again for the hard work. I’ve put together your feedback from the review board below.

———————————————
We had to reject simply due to the fact that you didn’t submit. Maybe you will think about that next time. I mean seriously, like, what were you thinking?  I’d like to give you the following feedback as a way to help you understand this oversight on your part; perhaps my words will motivate you to improve your position for next year.

“And now, the end is here
And so I face the final curtain
My friend, I’ll say it clear
I’ll state my case, of which I’m certain
I’ve lived a life that’s full
I traveled each and ev’ry highway
And more, much more than this, I did it my way

Regrets, I’ve had a few
But then again, too few to mention
I did what I had to do and saw it through without exemption
I planned each charted course, each careful step along the byway
And more, much more than this, I did it my way

Yes, there were times, I’m sure you knew
When I bit off more than I could chew
But through it all, when there was doubt
I ate it up and spit it out
I faced it all and I stood tall and did it my way

I’ve loved, I’ve laughed and cried
I’ve had my fill, my share of losing
And now, as tears subside, I find it all so amusing
To think I did all that
And may I say, not in a shy way,
“Oh, no, oh, no, not me, I did it my way”

For what is a man, what has he got?
If not himself, then he has naught
To say the things he truly feels and not the words of one who kneels
The record shows I took the blows and did it my way!

[instrumental]

Yes, it was my way”

Thank you for your time, I can’t tell you how much I appreciate the opportunity you’ve given me to berate you over electronic medium, I can’t wait to see you at the show!

Please consider submitting or not submitting again in the future, and I hope that you enjoy DEF CON this year.

———————————————

Thanks,
Nikita Caine Kronenberg

There may be material here for a submission to Defcon 23.


No responses yet

Jun 03 2014

Well done, HITB, well done

Published by under Hacking,Personal,Public Speaking

One of the advantages of having moved to the UK from California last year is that I often get the chance to attend conferences I never would have dreamed of attending otherwise.  Thanks to this, last week I was able to attend one of the events I’d never hoped to be able to see otherwise, Hack in the Box Amsterdam.  And I’m very glad I did, as are my children, aka the Spawn.

One of the unique things about this year’s HITB was their choice of keynote speakers, who were all women.  None of them were asked to speak about “women in infosec”, nor were they discouraged from the topic.  But they were all women who are recognized as having accomplished great things in the security field.  Katie Moussouris opened up the conference talking about how the security community is finally at a point where we actually have the influence we’d always wanted; now we have to do something with it.  That, and announcing her new role as the Chief Policy Officer for HackerOne, a bug bounty company.  The second day was opened by Jennifer Steffens, CEO of IOActive, who called bullshit on the security community for being such a bunch of emo posers and pointed out what a wonderful time it is to be in security, as well as illustrating some of the exemplars in our field.  Both of these security professionals gave keynotes worthy of nearly any conference in the world.

The Haxpo, or vendor area as we generally call it, alongside the conference was also well worth the visit.  TOOOL was in evidence, as were a number of the local hacker spaces, but my favorite part of the show floor.  I picked up a HITB badge, Spawn0 got a TV-B-Gone and we both went to town with soldering irons.  Spawn0 was more successful than I was, as his TV-B-Gone worked while my badge didn’t, most likely due to lack of soldering skills on my part.  He’s just waiting for football (aka soccer) season to get into full swing to test its full capabilities.

Will I attend HITB again?  It depends; I’d just come off of two weeks of intensive travel and probably could have used downtime as much as I wanted to see this event.  But I’m very glad I went and got to meet additional members of the European security community.  Maybe next year I’ll try to avoid having so much travel leading up to the event.


No responses yet

May 06 2014

Network Security Podcast, Episode 331

Published by under Podcast

It’s been a while since we could last record a podcast, but at least we were able to get Rich and Martin together this week.  Zach was supposed to join us as well, but got called away to fight a fire at the last minute.  Such is life sometimes.  But we got this episode recorded, so let’s celebrate the small victories.  We don’t know when we’ll have the time for another one, as most of the hosts are gallivanting around the world and having fun.

Network Security Podcast, Episode 331, May 6, 2014

Time:  38:05

Show Notes:


No responses yet

May 01 2014

Thank you

Published by under Podcast

This week was the InfoSecurity Conference and BSides London, and along with them the EU Security Bloggers Meetup and Awards.  It was a good week to be in London, despite the Tube strikes, but the highlight obviously had to be Wednesday at the Meetup: we, the hosts of the Network Security Podcast, were recognized as the Best Security Podcast at the EU Security Bloggers Awards for 2014.  Thank you to the listeners who voted for us and the judges who selected our podcast as the winner!  I think I can speak for my cohosts when I say that we’re truly honored to be picked for this award.  All I had to do was move from California to the London area to make it happen.

When I started the Network Security Podcast in November of 2005, it was with a really cheap microphone and a simple mission in mind.  I had a lot of opinions on the news in the information security industry; talking through them into a microphone was a good way to clarify those opinions and share them with others.  When I enlisted the aid of Rich Mogull, it was to give me another person to discuss those opinions with and have someone to expose the weaknesses in my logic.  Adding Zach Lanier to the mix brought someone with a much more technical background to the table.  We’ve continued podcasting so long because we enjoy the discussions and learning that a podcast creates.  But the most important thing that keeps us coming back again and again (though less often than before) is the feedback we get from listeners telling us that they’ve learned from and enjoyed listening to the podcast.

The Network Security Podcast has never been something that we’ve done so we can earn an award or gain recognition, though those things never hurt a person’s ego.  We’ve done it because we enjoy having an excuse to get three people together on a semi-regular basis and hashing out a lot of the ideas we have circulating through our collective heads.  We use the stories that are happening to give us something to focus on, but it’s really the exchange of viewpoints that we value.  Equally important is the fact that other people in the security community find the interchange to be valuable and keep coming back episode after episode.  There aren’t too many events that we go to that someone doesn’t come up and say they’ve been a long term listener, something that happened to me at least five times at BSides London.

The EU Security Blogger Meetup and Awards couldn’t happen without the sponsors, especially Tripwire and Tenable, nor could it happen without the efforts of people like Jack Daniel, Brian Honan and Cindy Valladares (who’s responsible for the Zombie Martin picture to the left).  I’m sure there are a number of other people helping that I’m completely unaware of, and I’m sorry I can’t recognize them as well.  I’d like to congratulate the other winners of the EU Security Blogger awards.  It’s an amazing thing to be recognized not only by your audience but also by your peers and the people you respect.  I look forward to seeing everyone there again next year.

A closing thought: the Network Security Podcast has been harder and harder to record since I moved to Europe.  Zach, Rich and I all have very hectic travel schedules and we haven’t been able to coordinate in order to record a show as often as we’d like.  While I don’t have any plans for the show to go away, we’re all aware that even going to an every-two-week publishing schedule hasn’t been as effective as we’d hoped, and something has to change.  We don’t know exactly what that will be yet, but we will let our listeners know as soon as possible.


No responses yet

Apr 06 2014

NSP Microcast – BSides London 2014

This afternoon I had a chance to talk to two of the main organizers of one of the biggest security events of the year, BSides London.  Paul Batson and Thomas Fisher have been working tirelessly (or maybe tiredly) for months to bring together all of the disparate elements required to make a conference come together.  And it’s no mean feat when the people you’re working with are all volunteers and the money comes from sponsors, both of whom believe in your cause.  This year will be my first chance to go to BSides London (this is the fourth one) and I’m really looking forward to it.

-Martin

NSPMicrocast-BSidesLDN-2014
Time: 18:00


No responses yet
