Posts from July 2009.

A Series of Small Mistakes…

Tuesday, work had some training for some $FAIRLY_EXPENSIVE_SECURITY_SOFTWARE. Training required us to install one of the desktop versions of their product (which was passed around on a USB stick. </facepalm>) and required a license key. The trainer walked around to my laptop and set up a key. My paranoia is piqued when someone uses a computer with my account, so I watched him log in to the webpage with the key generator (OK, I averted my eyes when he typed his password, that’s a common courtesy), generate the key, make sure it worked, and move on to the next laptop.

Did you notice the missing step? Allow me to show you what was still up on my screen behind the software (censored to protect the guilty):

License Keys anyone?

Being the upstanding citizen I am, I took my screenshots and logged out. I could have, however, generated a nice stretch of license keys for the next few months for my own personal use. Considering the amount of money the software costs, these keys would have saved me a pretty penny.

There were four mistakes here, all small, two of which could have been fixed in the design phase of the application, two of which were the trainer’s fault.

  1. Trainer using an unknown laptop to log in to a secure site. Good thing I didn’t have a keylogger or something.
  2. Application not having some kind of system that would allow me to submit for my own key and have the trainer approve it.
  3. Trainer not paying enough attention to log out.
  4. Application not having some kind of oversight so that if I…. uhhh… I mean someone… did compromise the trainers account, I… er… he couldn’t create a bunch of keys.

I will give credit to them for some restrictions that kept this from being an epic fail:

  1. 30 days was the longest period I could generate a key.
  2. It would likely have had my fingerprints all over it.
  3. I believe the key could be revoked on their end.

That being said, it’s still an interesting example of how a series of small mistakes can cost an organization. Not that it did in this case, but how often do we hear about a bad system allowing a breach of sensitive data? A secure system requires both proper design and diligence of the users. In this case, unfortunately, all the small mistakes lined up to allow the possibility of someone making off with the goods.
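As an added illustration (not from the original post or the vendor’s product), here is a hypothetical sketch of the issuance controls the two lists above describe: attendees request their own key (mistake 2), approvals are capped and audited (mistake 4), validity tops out at 30 days and keys can be revoked (the restrictions). The class, function names and the daily cap value are all assumptions.

```python
import secrets
from dataclasses import dataclass, field

MAX_DAYS = 30   # restriction 1: the longest validity a single key may carry
DAILY_CAP = 5   # mistake 4: keys one approver may issue per day before alerting (constructed value)


@dataclass
class KeyIssuer:
    """Hypothetical license-key service with request/approve, caps, audit and revocation."""
    pending: dict = field(default_factory=dict)       # request id -> (requester, days)
    issued_today: dict = field(default_factory=dict)  # approver -> keys issued today
    audit: list = field(default_factory=list)         # every request, approval, alert, revocation
    revoked: set = field(default_factory=set)

    def request(self, requester, days):
        # Mistake 2: the attendee asks for a key from their own account; the approver
        # never has to type credentials on somebody else's laptop.
        if not 1 <= days <= MAX_DAYS:
            raise ValueError("validity must be between 1 and %d days" % MAX_DAYS)
        rid = secrets.token_hex(4)
        self.pending[rid] = (requester, days)
        self.audit.append(("REQUEST", requester, rid, days))
        return rid

    def approve(self, approver, rid):
        # Mistake 4: a per-approver cap plus an alert entry means a hijacked approver
        # session can only mint a handful of keys before someone notices.
        requester, days = self.pending.pop(rid)
        count = self.issued_today.get(approver, 0)
        if count >= DAILY_CAP:
            self.audit.append(("ALERT", approver, requester, rid))
            raise PermissionError("daily cap reached for " + approver)
        self.issued_today[approver] = count + 1
        key = secrets.token_urlsafe(16)
        # Restriction 2: the audit row ties the key to both the requester and the approver.
        self.audit.append(("ISSUED", approver, requester, key, days))
        return key

    def revoke(self, key):
        # Restriction 3: the vendor can invalidate a key after the fact.
        self.revoked.add(key)
        self.audit.append(("REVOKED", key))

    def is_valid(self, key):
        return key not in self.revoked and any(
            row[0] == "ISSUED" and row[3] == key for row in self.audit)
```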

“Internet Lawyer” shows severe lack of understanding about “Internet” and “Law”

This floated across my Twitter stream yesterday: Internet Lawyer Take: DEFCON Spinning Out of Control? Watch out, you might want to make sure you’re caffeinated and sitting down while you read it.

Where do I begin?

Typical DEFCON attendee in Mr. Dozier's Mind

  • Basing the criticism off two anonymous people’s complaints? Check.
  • Vague complaints about evil hackers trying to deface his website during DEFCON? Check.
  • Suggestions about a possible Oracle genocide because of DEFCON? Check.
  • DEFCON is all about 15 year old kids learning to do l33t h@x? Check.
  • Sensationalizing various happenings without going into detail as to what happened? Check. Check. Check.

Dozier seems to be of the opinion that DEFCON is a cesspool of high school students who sit around their laptops trading mad hax and attempting to knock power grids offline all weekend. As anyone who has attended DEFCON knows, this is a complete load of horse puckey. DEFCON is essentially a Black Hat after party in which you get to kick back, enjoy Vegas, talk shop with other InfoSec people, and spend most of the convention in an inebriated state (provided you’re over 21). I thoroughly enjoyed both times I attended.

Mr. Dozier seems to really dislike anonymity. He goes on to suggest that DEFCON get full details on every attendee to flush out the less desirable elements. I’m sure Mr. Dozier would be aghast to know that when I spoke I used a pseudonym. Why would an upstanding citizen like me choose to be anonymous even when I was speaking about a relatively innocuous topic? Because I enjoyed keeping my identity somewhat under wraps, and more people knew me under my pseudonym than under my real name. When you deal with random people on the Internet, it’s very common to associate an e-mail, Twitter name or forum handle with them more easily than a full name. This has been the case since the early days of networked computing, as evidenced in Guy Steele’s “Confessions of a Happy Hacker” from The New Hacker’s Dictionary, 3rd edition. (Aside: If you like hacking history, get this book.)

…when Barbara and I got married, we sent out wedding invitations of the usual sort without considering the consequences. One hacker friend was completely puzzled: “Barbara Kerns … Guy Steele … Who are these people???” His girlfriend looked over his shoulder and said, tentatively, “Guy Steele … isn’t that Quux?” This was someone I knew quite well, but he knew me only by that handle.

The statements on Oracle really have me scratching my head. Mr. Dozier seems to be confused about the cause and effect of things. In his train of thought, any kind of Oracle breach from here on out is solely the fault of DEFCON and the Metasploit project. Never mind the fact that all of the exploits have existed in the wild for quite some time, or the fact that they will be used by people such as myself to demonstrate to non-technical people that their Oracle server is doomed. No, these tools will only be used by 15 year olds who will deface websites, steal identities, and use their ill-gotten gains to fuel their $1500 a day Xbox Gamer Point habit.

As for “embarassing [sic] the federal authorities,” everyone who goes to DEFCON is well aware of the “Spot the Fed” competition. Every time I saw a “Fed” “spotted” it was very non-adversarial and amusing for all parties involved. If his “exceptionally talented and knowledgeable government security types” have a problem with this they need not attend, which they don’t. I also think that they need to develop a touch thicker skin.

Finally, this leaves me shaking my head:

Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to hack into a protected computer? At Dozier Internet Law we know this issue is yet to be fleshed out fully but we expect that criminal conspiracy laws could come into play at some point.

Mr. Dozier better get his lawsuits warmed up. I hear there are also conferences where people talk about things like guns and ones that talk about cars too. People get killed by cars and guns EVERY DAY! Surely this needs to stop!

One thing I will give him credit for is his web design: I think I’ll start calling myself an “Internet Security Engineer” and rename my weblog to “Ben Jackson, Internet Security Engineer for the Commonwealth of Massachusetts, GIAC Certified Intrusion Analyst, Author of “Asterisk Hacking”, FCC licensed radio amateur, subject of an article in Infoworld, and stunningly handsome offers and Internet Security Engineer perspective on the web, Amateur Radio, and his life” — Instant credibility.

Great beginner article on working HamSats

This just showed up in my Twitter stream: A great article by Diana Eng, KC2UHB, on the MAKE blog regarding working Amateur Radio satellites. Diana is part of NYC Resistor, a hacker space based out of (you guessed it) New York City. I am glad to see that NYC Resistor does its fair share of Ham Radio projects; as I write this, an article about the 2009 Flight of the Bumblebees is on their front page. It almost offsets the likes of QRZ and its ilk. (Speaking of which, check out K3NG’s article regarding QRZ and the possibility of starting an alternative.)

Secure Software Redux

David Rice wrote a response about my last post regarding a Secure Software Reality Check and makes some good points.

But people’s “wants” do not exist in a vacuum. The “wants” live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the “want” of a big vehicle is promoted in the U.S. while inhibiting the “need” for low-emissions subcompacts.

I don’t disagree with the idea of people’s wants not living in a vacuum. The ads on TV demonstrate otherwise. However, most people’s wants live within their own bubbles. For example, while I don’t give a crap about torque, horsepower, etc., I do give a damn about 4 wheel drive due to my winter commute down some crazy back roads to the commuter rail. One of my other wants is downright “strange” when compared to the mainstream: I am one of the few people who look for cars with a smaller central console due to my other hobbies. That is a pretty strange “want” to have when you look at the mainstream, but it makes perfect sense within my bubble.

In other words, it makes more sense from a buyer’s perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to “buy big” would gradually ebb. So the “want” for a big vehicle would be partially transformed into a new “want” for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this “want” would be more aligned with the “need” for reducing the social and environmental costs (known as negative externalities) of car ownership.

I disagree that the current gas prices “reward” buying a larger vehicle. They simply allow for buying a larger vehicle. Do consumers buy a Hummer when an Impala would suffice? I’d be stupid to suggest that they don’t. But by creating an external force (i.e. a tax) in order to “discourage” certain “behaviors” you’re doing nothing to stop the “want”; you’re just trying to force people to do something they don’t want to do. You’re treating the symptom (low MPG cars) rather than treating the disease (bad driving habits).

What does this have to do with secure software you may ask?

In the context of software then, there is no incentive to reduce “vulnerability emissions” by software manufacturers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want “big” software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for “big” software, software manufacturers are happy to supply it. There is no incentive to do otherwise.

There is an incentive to do otherwise, and I think this is where the MPG analogy breaks down. Every so often Microsoft has some major bug that gets exploited enough that it makes the news cycle. Microsoft’s response to this has been nothing more than a “Whoops! Our bad. We have a patch.” They then wash their hands of it. This is the equivalent of Ford Motor Company dealing with the cruise control issue back in 2003 with “Whoops! Our bad. We’ll replace it.” However, there are now multiple class action lawsuits from people who were affected by that problem. Why does Microsoft get away scot-free yet Ford has to pay the piper? I think one of the reasons is that people haven’t realized that they can make money off of software defects, and the other is that people haven’t yet made a connection between physical loss and virtual loss.

Aunt Ethel and Uncle Mortimer, while they don’t give a crap about how many critical bugs their operating system had this month, do care if their computer gets owned. What needs to be done by us as a community is teaching them that B is directly related to A. If people start understanding that because some coder at Microsoft didn’t check his buffer size correctly their credit card numbers are now floating around Romania, we’ll start seeing people crying bloody murder. The sooner they do that, the sooner we’ll get vendors who take security seriously, and the sooner that happens, the sooner we’ll all be better off. No laws needed.

A Secure Software Reality Check

Chris Wysopal, aka “Weld Pond,” wrote about the recent DDoS attacks against South Korea and the root cause being that we have an insecure software ecosystem. Chris is spot on with this statement, and he brings up an interesting analogy:

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emissions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure, each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers.

I think the analogy he uses is great, but not for the reason he uses it for. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2MPG? Runs on baby seal blood? Who cares?

This is exactly the same with computer security. We talk a lot about “securing cyberspace” and the government pushes lofty goals about treating our “digital infrastructure… as a strategic national asset,” but it’s exactly the same. Most people don’t want to have secure software. They want to have their Bonzi Buddy and their 3D Dancing Pigs on their website. The software has a horrible security track record? It requires tons of security settings to be disabled on the computer? Your entire HR system uses Microsoft Access as a back end? Who cares?

Chris is right. We need to make EVERYTHING secure. Every operating system, every application, every library. This is nowhere near an easy fix. Ideally we need to start the software industry at tabula rasa and build everything from scratch. It is possible: Just look at OpenBSD. However, we are not going to be able to convince anyone to start taking these steps until we start making a gigantic culture change from the ground up. Aunt Ethel and Uncle Mortimer need to start understanding that they are doomed in the current environment and start demanding that their software be secure. Companies need to stop dealing with vendors that have repeated security problems. In-house staff need to be trained in secure computing practices. Computer science students need to be taught secure coding methods. This needs to be EPIC. Until then, we are all going to be stuck on the hamster wheel of pain: dealing with massive botnets, scrambling to patch zero day vulnerabilities, and holding our breath waiting for the next “big one.”

How do we make it so we can escape? I have no clue and I doubt anyone else does either. The only thing I could see possibly breaking us out is everything going up in a giant cloud of smoke. All the cyberwar pundits are correct and we have a massive attack on our infrastructure. Blackouts! ATMs Jackpotting! Computers turning into Bombs! Dogs and cats, living together! Mass Hysteria! Only then will we learn the error of our ways!

Of course the pessimistic side of me says that we’ll still want our Bonzi Buddy and 3D dancing pigs.

(On a tangent, did you know Weld Pond was 43? I feel old now.)