Sunday, August 24, 2008

Security Twits Road Trip

It was a joke.  At first.  For several days Twitter was filled with comments complaining about the general and specific failures of modern air travel as people made their way home from Black Hat and DefCon- then it was my turn.  Upon arriving in Manchester, NH after a red-eye from Vegas to Cleveland and the early morning hop from Cleveland to Manchester, I commented that I would never fly again and suggested driving ROAD TRIPS for all future conferences.

It is happening.  The Security Twits road show begins.


ToorCon is too soon and too far for a first run. SecTor is very promising, but the thought of a border crossing (they act like Canada is a whole other country these days!) makes that a bit tricky.  Day-Con, however, has potential.  Ohio is another world compared to the East Coast, but there are no tricky border crossings.

I am shopping for a conversion van/minibus/motorhome rental for the trip and a few hearty souls to make the trip with me.  The nice folks at work (Astaro) have offered to help with the expense of the inaugural trip.

Day-Con's main program is on Saturday, October 11- with some pre-con presentations on Friday night.  Google Maps claims that with bladders of steel and no fuel stops Dayton is about 13 1/2 hours from Boston.  Depending on who wants to join the trip and where, we may need to start Thursday evening. Sunday is a recovery and travel day, so we should be able to get everyone back to their northeast starting points by that night.

A few brave Security Twits have stepped up, we need a few more- and then some input on scheduling and routing.  Any more Security Twits interested?  Let me know.

And stay tuned for more road trips- Shmoocon [February 6-8] and SOURCE Boston [March 9-13] could be next, and then...



Premier (Diebold) admits what everyone already knew

The Washington Post article "Ohio Voting Machines Contained Programming Error That Dropped Votes" notes that Premier Elections Solutions (formerly Diebold) finally admits that they have some problems.  Premier has already started downplaying the significance of losing votes- but this is still a big step forward for them to admit anything. From the story:

"A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges."

Hmm, is that a problem? Still, it is progress, because:

"As recently as May, Premier said the problem was not of its making but stemmed from anti-virus software that Ohio had installed on its machines."

Which led to this xkcd comic on that topic.  One of the heroes in this story is Ohio Secretary of State Jennifer Brunner, she sought out expert help on the issue and listened to what she was told. (Shmoocon has been an outstanding source of info on this topic, including this year's presentation by the Penn State team consulting with Brunner).  But at least we've gotten this out of Premier:

""We are indeed distressed that our previous analysis of this issue was in error," Premier President Dave Byrd wrote Tuesday in a letter that was hand-delivered to Brunner."

Great! They've admitted there's a problem, and the jurisdictions using these systems have a couple of months to test and deploy patches to fix the problem before the upcoming presidential election. Right? C'mon, tell me I'm right. No, huh?

"Unlike other software, the problem acknowledged by Premier cannot be fixed by sending out a coding fix to its customers because of federal rules for certifying election systems, Rigall [Chris Riggall, a spokesman for Premier Election Solutions] said. Changes to systems must go through the Election Assistance Commission, he said, and take two years on average for certification and approval -- and that is apart from whatever approvals and reviews would be needed by each elections board throughout the country."

I guess I kinda get that. But, wait a minute! Isn't this the same rubber-stamp process that certified the crappy systems in the first place, missing multitudes of problems?  So much for my fleeting moment of hopeful naivete.
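An added example, not from the original post and not Premier's code: a toy model of memory-card uploads into a central tally, with the per-card ballot-count reconciliation that would flag dropped votes before anyone certifies a result. The story only says votes were dropped "while being electronically transferred from memory cards to a central tallying point", so the card layout, the "silently lose one card during transfer" fault, and the precinct and candidate names below are all assumptions made for the demo.

```python
"""Added example: per-card ballot-count reconciliation for a central tally.

Illustrative model written for this post; it is NOT Premier/Diebold code.
The fault it simulates is the one the Post story describes only in general
terms: votes carried on memory cards are silently dropped while being
transferred to the central tallying point. The card format, the fault
injection, and the precinct/candidate names are assumptions for the demo.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class MemoryCard:
    """What a precinct device hands over: a ballot count plus per-candidate totals."""
    precinct: str
    ballots_cast: int                                   # count stamped on the card
    results: Counter = field(default_factory=Counter)   # candidate -> votes (one race)

    def internally_consistent(self):
        # For a single-race demo the votes on the card must add up to the ballot count.
        return sum(self.results.values()) == self.ballots_cast


@dataclass
class CentralTally:
    """The central tallying point. Tracks grand totals and what it credited per card."""
    totals: Counter = field(default_factory=Counter)
    cards_received: dict = field(default_factory=dict)  # precinct -> ballots credited

    def upload(self, card, drop=False):
        """Ingest one card. drop=True models the silent loss of a card's votes
        in transfer (assumed fault, not a real code path in any product)."""
        self.cards_received[card.precinct] = 0 if drop else card.ballots_cast
        if not drop:
            self.totals.update(card.results)


def reconcile(cards, tally):
    """Compare what each card says it carried with what the centre credited.

    Returns (mismatches, expected_total, central_total). A non-empty mismatch
    list, or unequal totals, means votes went missing between card and tally
    and the result must not be certified until it is explained.
    """
    mismatches = []
    for card in cards:
        credited = tally.cards_received.get(card.precinct)   # None if never seen
        if not card.internally_consistent() or credited != card.ballots_cast:
            mismatches.append((card.precinct, card.ballots_cast, credited))
    expected_total = sum(c.ballots_cast for c in cards)
    central_total = sum(tally.totals.values())
    return mismatches, expected_total, central_total


def build_cards():
    """Constructed sample data for three imaginary precincts (not real results)."""
    return [
        MemoryCard("Precinct-1", 120, Counter({"Alice": 70, "Bob": 50})),
        MemoryCard("Precinct-2", 95, Counter({"Alice": 40, "Bob": 55})),
        MemoryCard("Precinct-3", 60, Counter({"Alice": 33, "Bob": 27})),
    ]


def run_demo(drop_precinct="Precinct-2"):
    """Upload all cards, losing one in transfer, and return the cards and tally."""
    cards = build_cards()
    tally = CentralTally()
    for card in cards:
        tally.upload(card, drop=(card.precinct == drop_precinct))
    return cards, tally


if __name__ == "__main__":
    cards, tally = run_demo()
    mismatches, expected, central = reconcile(cards, tally)
    print(f"central totals: {dict(tally.totals)}")
    print(f"ballots on cards: {expected}, ballots counted centrally: {central}")
    for precinct, on_card, credited in mismatches:
        print(f"MISMATCH {precinct}: card says {on_card}, centre credited {credited}")
```

The point of the check is that the card's own ballot count travels with the votes, so a transfer that loses a card's contents shows up as a per-precinct discrepancy instead of vanishing quietly into a smaller grand total; a tally that only reports totals has nothing to compare against.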



Saturday, August 23, 2008

The wisdom of Trolls

On a recent evening the infamous Bill Bilano, noted Internet troll, made an oddly insightful set of posts on Twitter:

  1. I think I am going to fuzz twitter.
  2. A
  3. AA
  4. AAA
  5. Hell with it, booring. This is secure. On to the next web app!

Amazing as it is, I think he may have captured a pretty realistic look at a big chunk of the IT world. The reality of security is that there's a lot of tedious work that has to be done, it isn't all sexy hacks and Internet fame- and many people just aren't up to the task.

[Note, my dear imaginary friend, Mr. Bilano, has called me out for some errors and omissions. To be clear, "troll" in this context refers to his alleged online behavior, it is in no way meant to malign his rugged good looks.  If you are interested in the wit and wisdom of Mr. Bilano carefully click here to see his "bloglog". Not for the faint of heart.]


Monday, August 18, 2008

DefCon 16 Badge

Originally uploaded by jack_a_daniel
OK, they are cool badges, and I did finally get one of my own (with ~8,500 people at DefCon this year, some were left out).

But I got tired of waiting and made my own hackable badge...

A couple of interesting articles via Techdirt

Neither of these is new, but I just wandered into them-

First, Japan has no laws against writing viruses. In 2008. I can't even begin to fathom that, but they managed to arrest a virus writer- for copyright infringement because he used copyrighted animation clips in his death-threat laden anti-peer-to-peer virus campaign. That's right folks, copyright-violating anti-P2P death threats were in his viruses. Go ahead and sit down, I can't take it either. I expect the druglords to get involved in this case- if reality is this screwed up, who needs their products?

That led to this gem, a new twist on the insider threat- a disgruntled computer tech (is there any other kind?) in Liechtenstein (yes, it is a real country) who used his access to banking records to expose tax cheats to their home countries and reap substantial rewards for his efforts. It is reported that the Germans alone paid him "somewhere between $6 million and $7.3 million for the info". There's one to tweak the old ethics-ometer, the thief v. the uber-rich tax cheats.


Friday, August 15, 2008

xkcd on Premier Voting machines

Having ranted about voting systems for years myself (often triggered by the outstanding presentations on the topic at the last few Shmoocons), I now present xkcd's take on Premier (fka Diebold):

Thursday, August 14, 2008

Grown yes, but matured?

Like many people, I often find myself thinking some people should "just grow up". I sometimes even find myself thinking that about the entire "security industry".

<tangential rant> The fact that we need a ginormous security industry just proves the software industry needs to grow up. </tangential rant>

This week at BlackHat USA 2008 and DefCon16 there was a lot of childish behavior- here's a little sample:

By individuals:

  • The guys who got arrested trying to break into the computer room at the Riviera.
  • The guys who got arrested for hacking the casino comp cards.
    • That's gaming fraud, which means the Gaming Commission- if convicted, those folks may be in Nevada for a while.
  • The French journalists who sniffed the wireless in the BlackHat press room and tried to get captured credentials listed on the "Wall of Sheep".
  • The people who hijacked, defaced, and later redirected Alan Shimel's blog and posted his private information to the Full Disclosure list.
    • Be aware that Alan's site was redirecting to graphic pornography as I write this.

By quasi-government agencies:

  • The MBTA (Massachusetts Bay Transportation Authority) for trying to suppress research into their failures to secure the "Charlie Card" fare system.
    • They got a restraining order and stopped the talk, but the presentation slides were already out on the Internet.
    • The MBTA's attempt to suppress the information backfired as the story was picked up by a multitude of news sources.

By security vendors at BlackHat:

  • Two words: Booth Babes. The Booth Babe thing is bad enough at the auto dealer convention (past life issues, still in therapy over it)- but at BlackHat?
    • Fortify Software gets a special mention here for gross lack of taste AND setting up their booth so that they added to significant traffic jams in the halls.
    • Fortify also gets clueless points for showing up at a security event and offending people just weeks after publishing a FUD "White Paper" on the dangers of Open Source software.

So here's where it gets weird- after this week I feel pretty good about the industry's maturity. Most of the people walking the halls, sitting in (and leading) the sessions, and participating in the competitions- they spend their days working to make the world's systems and networks more secure. From the C-level executives to the hobbyists to those of us in the trenches, almost all of these people are on our side. Sure, there are some disagreements on the best way to do things, and more than a few oversized egos- but we can work on that.

Of course there were some bad people there, and more than a couple of idiots- but in any group of ~8500 people you will get a few folks you would rather not be around.


Monday, August 11, 2008

Anatomy of a Subway Hack - Banned in Boston!

Ben Jackson has posted an excellent article on the MBTA's latest bit of stupidity on his blog; check it out at: Anatomy of a Subway Hack - Banned in Boston!

If you hadn't heard, the MBTA (Massachusetts Bay Transportation Authority), the folks who run public transit in and around Boston got a temporary restraining order against three MIT students who were going to present their findings about vulnerabilities in the MBTA's "Charlie Card" fare system at DefCon16.  So if researchers don't talk about a problem, it doesn't exist?  That's like a two year old playing hide and seek; cover your eyes and you're gone (I apologize to any two year olds I may have offended by comparing them to the MBTA).

Read the EFF's (Electronic Frontier Foundation) response here:


Friday, August 8, 2008

BlackHat, DefCon, and stuff

BlackHat 2008 has ended and DefCon 16 has begun.  Logical (and happier) thoughts will appear in later posts, but I want to throw some ideas out while they are fresh in my mind.

I have come to the conclusion that big cons are a necessary evil- but they really shouldn't be this evil. Mistakes are always made, things always go wrong, but we know that before we start. (We work in IT and security, we have jobs because things go wrong).  Apparently big conference organizers are not familiar with contingency planning.  Nor do they consider how attendees actually use the con and feed that back into the following year's planning.

DefCon's badge disasters are legendary, this year's may be the worst yet.  On my last trip through the lobby, there were untold hundreds (thousands?) of people in a line snaking throughout the entire conference center end of the Riviera- all of them already registered, but in line to trade in their temporary paper badges for the real badges. The real badges arrived late again this year, and so almost everyone effectively has to go through registration twice.

Neither con (nor their venues) seems to have given much thought to traffic flow. People have been wandering along in crowds for at least a few thousand years, we could try to learn from that.  Blocking half of the hallway to give the vendors prime space at BlackHat was great for vendor exposure (vendors and "exposure" is another rant- can we please get beyond booth bimbos, please?) but not so good for getting thousands of people in and out of the conference rooms.  For a "security" con, they largely forgot personal safety- there was no way to quickly evacuate BlackHat if it had been needed. (No way Jack, hypocrisy in our industry?)

Note: While BH/DC certainly have these issues, this is generally true of any large conference or convention.

Now, to quit whining and offer a suggestion beyond the overly obvious:

Every con is largely about the connections and side conversations, embrace this and support it.  PodCamp Boston 3 did this perfectly, there was plenty of space with tables and chairs for side conversations- continuations/follow-ups of presentations, impromptu demonstrations, etc.  This promotes conversations and helps keep side-conversations out of other presentations.

SOURCE, Shmoocon, Day-Con, ChicagoCon and many other smaller events look better all the time.  And, if you have any interest in social media/new media, go to a PodCamp.  I passed on The Last Hope so that I could attend PodCamp Boston 3, and it was great.