innismir.net

It has finally happened. I can finally write a blog post about my two favorite subjects: Information Security and Ham Radio.

Chris Paget made some news this weekend at yearly DEFCON hacker conference in Las Vegas. Paget demonstrated the flaws of the GSM cell phone protocol by creating a simple device to intercept every GSM call in a small area. Chris did a lot of work making sure that he wasn’t violating anyone’s privacy by intercepting these phone calls, up to enlisting the help of the Electronic Frontier Foundation. When reading some of Chris’ preparations, I was impressed, but the first thing that popped into my head was “Wait, that’s nice and all, but what about FCC regulations?”

To take a quick detour into FCC regulations, most unlicensed devices fall under Part 15 of the FCC rules. They have to be tested and certified by the FCC before they are marketed and sold in the United States. Whenever you see your favorite technology blog talking about how some new device is being tested by the FCC, they’re talking about this testing.

So, when Chris was explaining his presentation I figured he was going to go one of two ways: Either he was going to unveil some kind of new FCC certified cell phone interceptor (unlikely), or he was going to put on an eye patch, raise the Jolly Roger and go full pirate. However, after the presentation was done, I was reading the coverage of the presentation and saw that he did it a way that I hadn’t considered: Chris, unbeknownst to me, had an amateur radio license, so he tried to classify his transmissions under Part 97.

Part 97 is the Amateur Radio section of the FCC rules. Amateur radio is classified as an “experimental” service. As I’ve stated in my “Why you should be an Amateur” presentation, amateur radio is “radio hacking.” Chris saw that part of the European GSM band overlaps with the 33cm amateur radio band, so he (and I!) have rights to transmit there. Seems like a perfect fit, right?

Unfortunately, no. While Chris did seem to catch the “no encryption” part of the rules, he didn’t realize that his transmissions were not legal under Part 97 either for other reasons. Part 97.111 and Part 97.113 establish but “authorized” and “unauthorized” transmissions of amateur radio stations, of which Chris, by my count, violated the rules 2 or 3 different ways:

1. Chris was using his Part 97 transmitter to communicate with Part 15 devices, not other Part 97 devices. (Violates Part 97.111(a))
2. Chris’ GSM cell site was beaconing to cell phones to let them know it’s there. That counts as a way transmission. (Violates Part 97.113(b))
3. Chris was impersonating a AT&T cell phone site. You can’t impersonate people on amateur radio. (Might Violate 97.113(a)(4))

Chris does get props for establishing a Morse Code beacon to ID himself every 10 minutes as defined by the rules, however, that is like a restaurant owner trying to convince the health inspector that his restaurant is OK despite the rats and roaches because his employees wash their hands after they go to the bathroom. Too little, too late.

I’m not trying to string up Chris here, I’m honestly worried for him. He’s admitted that he’s had conversations with the FCC regarding this presentation which he classified as “unproductive”. This, combined with the fact that the FCC enforcement bureau loves to hand out documents with “Notice of Apparent Liability” at the top and five figure fines on the bottom leads me to wonder if Chris isn’t headed toward a protracted legal battle with the Feds. Chris’ presentation shows a major shortcoming with the current FCC rules dealing with research. Chris should not have tried to find a loophole within the FCC regulations to do his research, it should have been legal for him to establish a low powered signal to do and demonstrate his research. We, as researchers, are running into another version of the same ostrich syndrome that prohibited users from listening to cell phone and pager traffic that were transmitted in-the-clear back in the early 1990s, and to a lesser extent, still are. With the expansion of data networks to mobile devices, it’s become even worse, as Chris’ presentation demonstrated. By not allowing research into these fields the FCC is keeping the sunlight out of the dark corners of our mobile networks and allowing the mobile phone companies to convince us that everything is OK when in reality someone with $1500 worth of equipment can intercept local mobile phone traffic is negligent at best, and criminal at worst.

While I disagree with Chris’ characterization of his transmissions being “cool” because he’s licensed as an amateur radio operator, I fully support his research and his efforts to do this research in a controlled environment. I also hope that the FCC will realize that this type of research only helps people and all the laws in the world won’t help bad people from doing this same type of activity in a malicious manner, as they already are.

So, a quick post about two things:

1st, I did a presentation to the Boston Chapter of the Association of Government Accountants for their monthly meeting as part of my day job. I’d like to think I did fairly well and there certainly was a fair amount of discussion afterward. In case any of them find their way here in an attempt to find my slide decks, I am happy to oblige:

• Information Security and You PPT (1.4MB)
• Information Security and You PDF (1.8MB)

2nd, I have been selected to speak at QuaghogCon in Providence, RI the weekend of April 24th and 25th. I’ll be departing from my usual “Information Security” speaking groove and instead will be evangelizing Amateur Radio. Sadly, this means I’ll be missing out on B-Sides Boston, but that’s the way the cookie crumbles. Registration is open now and I’ve heard rumors that attendance will be capped at 150, so even if you don’t want to hear me speak, buy a ticket; there are going to be some awesome presentations.

SOURCE Boston 2009 wrapped up last Friday. Once again, the SOURCE Advisory board did a bang-up job picking talks: Normally, during a conference there are “collisions” in which there are two talks I want to see that run concurrently. SOURCE had this, but it seemed that it happened almost every single talk. I was desperately switching my attention between the talk I was currently at and my twitter stream watching people live-tweet the other tracks. I constantly felt I was missing something great. SOURCE also improved the one complaint I had about SOURCE Boston 2009, lack of the ability to get to the venue via the MBTA. This year’s venue, the Seaport Hotel was easily accessible from the Silver line and the new digs were great.

My talk went as well as I could have hoped. Despite some minor issues with regards to what I could and couldn’t talk about and thus the presentation being much shorter then I wanted it to be, I felt I fielded all the questions cleanly and ones that I could not answer I made sure I got business cards so that I could follow up. For those of you interested in downloading my slide deck it is available here:

• Massachusetts Data Breach Laws, Regulations, and Responsibilities (PPT, 828K)
• Massachusetts Data Breach Laws, Regulations, and Responsibilities (PDF, 286K)

Some highlights of the conference:

• David Mortman‘s delicious bread, which he handed out if you asked questions during his talk. I got a slice because I was able to answer a question.
• Marcus Ranum‘s keynote. Despite being a presentation of “The industry is beyond repair, and here’s why…” gloom and doom, I was able to at least grab some good points out of it that will enable me to fight the good fight. He also made a great metaphor: “3D dancing pigs” meaning something which management wants and will try to implement despite any warnings.
• James Atkinson‘s counter-surveillance talk. Last year he did telephones and this year he did automobiles. Crazy stuff.
• L0phtCrack 6 information session. I can’t wait.

And these are just the ones I can remember off the top of my head.

SOURCE is a great conference and if I had the time and money, I’d seriously consider going to SOURCE Barcelona in September. If you have the chance in 2010, I would highly recommend attending.

This was brought to my attention via Jack Daniel and I nearly had to change my undergarments after heading over to l0phtcrack.com:

L0phtCrack is back! At a special information session at SOURCE Boston (Thursday, 10:15am), the team that brought you L0phtCrack will be releasing version 6 of the highly-acclaimed Windows password auditing tool. Come to the session to learn about this release, its new features and platform support, and the story of the product from the days of the L0pht, to @stake, Symantec, and finally back to the L0pht.

Expect this site to go live soon!
See you at SOURCE!

This is great news. L0phtcrack was an amazing utility (technically it still is, just a bit old) and it’s great to see development on it revived. I am pretty sure it will be a piece of every security person’s toolkit as soon as it’s released. I’m also sure that this session will be standing room only. I know I will be there.

SOURCE Boston officially let the cat out of the bag yesterday by posting their schedule, so I can now say what I’ve known for since about mid-December: I’m doing a talk on the SOURCE business track entitled Massachusetts Data Breach Laws, Regulations, and Responsibilities.

I’m excited to be a part of SOURCE. I attended last year and it was an excellent conference. A great mix of  secruity geeks and business types and everything just seemed to click. Not as “free-for-all-ish” as DEFCON or HOPE, not as stuffy as a business conference. This year, it’s shaping up to be even better: They moved the conference to a better location, and the schedule is even more impressive then last year. If you’re a security geek, you should definitely look into attending. It is worth every penny.

Of course there is an off chance that someone might make a grand entrance a touch early. I think everyone is hoping that doesn’t happen.

Stacy Thayer, one of the Security Twits that I follow, posted a blog entry regarding an encounter she had with some neanderthal at RSA 2008. Quite frankly, it made me shake my head. The idea of judging someone’s knowledge based on their body parts is far too common in some technical circles, and what drives me nuts is that it often happens to people who tout the “hacker ethic”.

As a brief side, the Hacker Ethic was a term coined by Steven Levy in his excellent book Hackers: Heroes of the Computer Revolution (If you haven’t read this book and are involved in IT, click the link and order it. Now. Go ahead, we’ll wait. Back? Cool.). One of the key points that I always feel is one of the great equalizers in computers is the fact that people are often accepted by their knowledge, rather then their position or their alphabet soup after their name. (However, they are not mutually exclusive)

HACKERS SHOULD BE JUDGED BY THEIR HACKING, NOT BOGUS CRITERIA
SUCH AS DEGREES, AGE, RACE, OR POSITION.

The ready acceptance of twelve-year-old Peter Deutsch in the TX-0 community (though not by non-hacker graduate students) was a good example. Likewise, people who trotted in with seemingly impressive credentials were not taken seriously until they proved themselves at the console of a computer. This meritocratic trait was not necessarily rooted in the inherent goodness of hacker hearts–it was mainly that hackers cared less about someone’s superficial characteristics than they did about his potential to advance the general state of hacking, to create new programs to
admire, to talk about that new feature in the system.

This is often a very common theme technical circles. Unless, of course, you seem to of the female persuasion at which point it seems to be thrown out the window. I really experienced this in college. The handful of women in our classes were leered at, harassed, and generally made uncomfortable by some of our more “vocal” geeks who probably thought that it was some part of the mating ritual. To be 100% honest, I was dismissive of some of them until I came to the conclusion they could hold their own. Since then, I’ve had the pleasure to meet and work with some talented women, some of who can kick my ass technically.

The computer industry is very male dominated. Conferences have booth babes and the likes of Vanna Vinyl, which I’m sure doesn’t encourage women to get involved in the field. However, shouldn’t people who subscribe to the hacker ethic start equally applying it equally to both sexes?

Also, since we’re on the topic:

Talented Women in Computers who’s weblogs I read, and so should you:

• Jennifer Jabbusch – http://securityuncorked.squarespace.com/
• Jennifer Leggio – http://mediaphyter.wordpress.com/
• Stacy Thayer – http://www.stacythayer.com/

As previously mentioned, I’ll be going to SOURCE Boston tommorow. I’ll be attempting to the conference on my somewhat shiny and new Twitter Feed. Per haps I may even, *gulp* “live blog” (Ugh. I feel dirty for saying that).

Truth be told, I’m not 100% sure what to expect. Most of my previous “security” conferences have been either DEFCON or HOPE, which I assume will be slightly more “low brow” then SOURCE. For example, I’m not expecting SOURCE to have A room full of hammocks you can crash on. But, from what I can gather, and from what the schedule says, it will be a pretty good time. It looks like it’s going to be a good mix of business types and security geeks, and it’s approaching the idea with the right attitude (Pub crawl anyone?). Another plus, any conference where I don’t expect the conference attendees to smell like week-old BO == Win. (Hooray!)

I’ll be staying mostly on the Security Technology track, with possibly heading over to the Application Security track if something over there catches my interest. I’ll be attending the pre-conference gathering tonight, along with the reception tomorrow night and the pub crawl on Thursday. If anyone of the four of you who read this want to meet up, IM, text, tweet, comment, or poke me at the conference.

One of the cool things about the new job, is that they are very pro-conference. Even better, they have a budget for conferences that cost money! Source Boston sounds really cool. While it may not be as cool as DEFCON or ShmooCon, it definitely has that “hacker-ish” feel to it. Of course, any conference with a pub crawl associated with it definitely gets the thumbs up from me.