innismir.net

… or, how selective prosecution of computer crimes is causing more problems then it’s solving.

Allow me to introduce you to two script kiddies: David Kernell and Michael Mooney. One of which is currently on trial for accessing computers in an unauthorized manner, the other is currently scott free for doing the same. Why is one being prosecuted for his crimes while the other is not? I think it’s a symptom of a larger problem in the legal system in the United States.

First off, a little background: In 2008, David Kernell aka “rubico” correctly guessed then Alaskan Governor Sarah Palin’s password reset question on her Yahoo mail account using public information sources such as Wikipedia. Kernell then proceeded to post the screenshots and other bits of information found in the account in a public forum on the Internet. A few months later, Michael Mooney aka “Mikeyy” found a security hole in the Twitter service which allowed a user to post Javascript in their “Bio” section. Mooney then decided that instead of doing the responsible thing and reporting this to Twitter, he should instead use the hole to hijack people’s Twitter account to at first promote a site he ran, then to sing his praises. You may remember me writing an article about what unfolded next, but that’s another discussion entirely.

Now, today, Kernell is currently awaiting trial for his crimes in a Federal court in Knoxville. Mooney would have long faded into obscurity in my mind, but he decided to do some Google vanity searches on himself, came across my article, and decided to convince himself that I was somehow jealous of his… hmm… nope, not sure on that one, but anyway… After telling him in no uncertain terms about what I thought of him, we got in a classic Internet argument.

After dealing with his inane ramblings and him trying trying to convince me that despite him admitting what he did broke the law what he did wasn’t illegal (Obviously, Mooney retained Erwin Schrödinger as counsel), I got to wondering why is Mooney free to drink Martinis, watch the sun rise, and fancy himself as some kind of security consultant, while Kernell is currently staring down a sentence in FPMITA prison? I understand that the Feds don’t have the time and inclination to investigate every little event, but the facts that Mooney admitted to doing it, his information is publicly available (Heck! Check his Twitter stream or his website and find his mobile number!), and that he’s admitted to breaking the law, the Feds are saying that while it’s not OK to break into a Vice Presidential candidate’s e-mail, you can hijack thousands of user’s computers to promote your website and get away with it, provided you don’t  do anything really nasty.

Something that has always concerned me is the selective prosecution of one computer crime and not of another. As someone who deals with the endless streams of attacks and scans coming down the SuperInfoBahn, “getting the bad guys” is a all too infrequent event. When incidents like the Mikeyy worm go un-prosecuted I feel that we are continuing to send the message to people that compromising a computer, website, or whatever, is fine provided that, you know, don’t do anything really bad, whatever that means. I think we’re essentially already looking at the Fixing Broken Windows theory at work: we’re not going after the crimes when their small, and thus, we’re continuing to see problems escalate. While I’m not suggesting that if we go after the small crimes we’ll see ZeuS drop off the face of the planet next week, it might start to take a bite out of younger people trying to compromise each other via Rouge Neopets Paintbrush Generators.

I don’t know how it’s come to be that Kernell is being prosecuted while Mooney is not, I’m sure going after such a high profile target under USSS protection definitely made it hard for Kernell to slide back into obscurity. I’m not suggesting that Kernell be let off  the hook for his crimes, but, I don’t think anyone can disagree that it’s fair that Mooney isn’t being held responsible for his crimes, while Kernell is.

First off, let me thank Jeff, KE9V, for bringing this to the front burner in my mind. It’s been simmering in the back for a while but I’ve never sat down and wrote about it. Jeff shot me a message today telling me that I should write and entry about it as the “lead Twitter-Ham” (Mental note: Get that on a business card.)

The problem is simple. On twitter there are two ways to reference another twit, a reply and a mention. The difference is subtle, but it’s kind of important. First, if I start off my message with an @ and a username, it’s a reply. Twitiquette states that replies are usually used when addressing someone directly or replying to something they said via the reply feature on Twitter. For example:

@kd0bik Loved this week’s Practical Radio Amateur podcast!

A mention on the other hand is usually just a reference to someone inside a mention, not a message directly to them, but something that they may wish to know about:

Received an interesting e-mail from @ke9v discussing Twitter replies versus mentions.

Now, why are replies an mentions important? By mentioning someone in a message, that message gets displayed on their replies page or depending on if they’re using a 3rd party client, highlighted someway. For example, I use twhirl, and when someone does a reply or mention, it alerts me with a different sound and it highlights the tweet.

Now, why are replies and mentions different? Simple. Twitter has certain rules when displaying replies for your followers. If I do a reply to @ke9v, it will only show up in the stream, aka that list of tweets on your homepage of twitter, of people who follow @ke9v. If people aren’t following Jeff, it won’t show up. No big deal right? Well, for the most part, yes. However, this has interesting implications consider the following tweets:

@ke9v @ka3ddr @kd0bik #followfriday

@kd0bik has a great podcast! Everyone interested in Ham Radio should listen to it!

What’s wrong with those? Normally, I would want both these messages to go out to everyone that follows me. However, because I prefixed it with a @ and a username, it will only show up to people who are already following that user. Whoops. However, these are both simple to fix:

#followfriday @ke9v @ka3ddr @kd0bik

Wow! @kd0bik has a great podcast! Everyone interested in Ham Radio should listen to it!

These are just two examples, however, it’s a good rule to be mindful of when tweeting: If you’re not replying to someone, you should try to stay away from starting your message with a @ and a username, otherwise, it may not reach as many people as you want it to.

Wow. That was quick. Of course, this isn’t a copycat attack, but holy crap, is this kid’s 15 minutes up already? Sadly, Mr. Rowland is now learning the hard way that he may not have thought his cunning plan all the way through:

And, of course, Chris Boyd comes up with the most direct worm prevention technique.

So, over the weekend Twitter was hit with not one, but two worms. “Mikeyy Mooney” wrote a worm to deface people’s profiles and cause compromised accounts to first promote his website, then promote himself. A bad weekend for Twitter indeed, but it has possibly turned into something worse for the Internet as a whole.

Word came out today that Mike (I refuse to call him by that insane double “Y” name) was hired by Travis Rowland, owner of a small company out in Oregon call exqSoft. Allegedly he’s going to be doing web development for them, but this move sends EXACTLY the wrong message: Do a sufficiently splashy compromise, and get yourself a job.

I have no beef with Mr. Rowland as a person, nor do I disagree with his assertion that Mike could have done something a lot worse. However rewarding this behavior is going to encourage copycat attacks and that helps no one. Already there is a prevalent attitude among youths involved in computing that in order to get a job in Computer Security later on in life, you need to be a l33t h@x0r and pwn people. Chris Boyd (who’s weblog you should definitely be reading) has done some work in investigating these attitudes and they are quite scary. There are thriving communities of kids who are scamming people out of HabboHotel and RuneScape credits and not only seeing nothing wrong with it, they kind of see it as getting experience for later on in life. (Sadly, Chris’s archives seem to be wiped out, so I can’t provide links). Some of Mike’s statements even reflect such an attitude:

“I’m really getting a bad reputation from it but at the same time people are taking into consideration that even though I did some harm I didn’t cause any damage,” he said.

When did it suddenly become “OK” to hijack people’s accounts? Have we really slid down the slippery slope enough that taking control of someone else’s “property” is fine as long as you don’t do anything *really* malicious? Also, whether or not “damage” was done is another thing entirely. How many non-security-savvy people completely freaked out over the weekend when they saw their Twitter account was posting random things? How many man hours were wasted not only of the Twitter staff, but the thousands of people who were compromised and had to clean up their account in addition to making sure they weren’t compromised in some other fashion? How would Mike like to recieve a bill for that?

Now, Mr. Rowland sees his hiring as a way of providing Mike a safe place to use his talents. You know, sort of like an online YMCA. At one point in my life I did agree with this sentiment as there was no easy way to “break” things. However this is not the case anymore. I am amazed at some of the utilities available today specifically designed to hone peneration and security skills. I see it as upping the ante for these groups. Seeing Mike get hired after he exploited Twiter is probably going to get a lot of gears turning and cause thinking of “Geez, if I do something similar to YouTube/Facebook/Hi5/MySpace” maybe I’ll get a job as well!”

When I finally made the decision to try to make a jump from an Information Security hobby into an Information Security career, I did have a similar conundrum: How do I get some, for lack of a better term, “street cred?” I’ll admit I started poking at websites looking for similar holes as the ones Mike found in Twitter and finding them in the process. HOWEVER, and this is the key difference, I worked with the websites to fix the holes, rather then attempt to make the front page of the Technology section of ABC’s website. Closest I ever got to that was an article in InfoWorld about an anti-phishing application I wrote in my spare time. Not as exciting? Nope. A lot of work? Yup. Did it work? My current place of employment says “Yes”.

Of course, it isn’t all sunshine and puppies for Mike as he also got himself reamed a new one by a group who posted all his personal information online to Full-Disclosure. This might temper the rush of script kiddies trying to get their name in the press. However, I’d be willing to make a bar bet that we will see an uptick in “harmless” attacks against social media services like Twitter due to Mike’s hiring.

Link many other Twitter users this weekend, I got the following DM from someone I followed:

Hey, i found a website with your pic on it… LOL check it out here <link>

As soon as it arrived, my spidey sense went off:

• Unsolicted? Check.
• Vague message? Yup.
• Wants me to click on a link? Indeed.

This  instantaneously causes me to think “Bad link! Do not click!” and I quickly tweeted my concerns. Thankfully many people did the same which probably saved more then a few people from clicking the link. It did garner a fair bit of attention since this was the first-ever phish that came via DMs on Twitter and some people are seeing strange activity on certain accounts, but for the most part it has faded back into the noise of a usual Monday morning on Twitter.

This was bad, and I feel it was the opening salvo in a major change in the way spammers operate on Twitter, but I think the worse may be yet to come. For those of you not on Twitter, the way spammers have been operating is by setting up an account, following a lot of people, then waiting for the unsuspecting users to follow back. Once they feel that enough people have started following them, they start spamming their links. Now, with the phishing attempts, they can cut out the middle man and start spamming your follower lists with their links. Ruh Roh Shaggy…

Now, lets ratchet this up to the next level. Imagine if the phishing page had some kind of exploit embedded into it? Let’s say @britneyspears posts “Hey guys, check out my new track at (link)!” Thousands of devoted Britney Spears fans clamor to hear their idol’s screeches talents and are directed to a page telling them to log in with their twitter ID. That page exploits their browser and assigns them to a botnet. The few who think Twitter is trustworthy fork over their credentials, at which point a PHP script logs into their Twitter account and DMs all their friends the same link with a random headline.

Lather.
Rinse.
Repeat.

Congratulations! We now have the first Twitter worm! With Twitters somewhat notorious instability under high load, at which point would we see a Twitter DoS?

This Twitter phish was bad. However, I think the community dodged a bullet and we may not be so lucky next time. Many people think Twitter is a safe sandbox on the Internet and not the same as their e-mail or IM. The million dollar question is how can we teach people that Twitter can be a nasty place before “the big one” hits?

Steve, K9ZW, has asked What’s the Worth of Twitter?

I’m slowing my Twitter “Tweets” and following of Twitter based on a difficult to use Signal/Noise Ratio.

…

One very active Twittering Ham has a goal of posting 10,000 Tweet posts during the year.

If everyone of those Tweets takes but a second or two out of my attention, that is asking me as a Twitter Follower to give up 5-6 hours of accumulated time.

It’s simply not going to happen.

This was followed up by N0HR’s Twitter Overload post:

Steve notes that one ham has a goal of “tweeting” 10,000 times in a year. Yikes. What possible value could that have to anyone? I could see some value in group using Twitter to meet at the Dayton Hamvention – when you’re all trying to meet you’d know that Frank’s at Denny’s having breakfast, Chuck’s in the flea market and Stan is lugging a boat anchor to the car. That’s about it though.

First off, let me state for the record that I am the said “active Twittering Ham”, but I do not have a “goal” of having 10000 tweets in a year. I did wonder if I’ll hit that number which is looking more and more likely now that I’m less then 50 shy of 9000, but I wouldn’t consider it a goal. Next off, I’m not pissed at Steve for unfollowing me at all. I did mention it in a tweet, but I am not saying that I am sad, angry, or disappointed in Steve.  I am very much in @mediaphyter’s corner regarding following:

…let me make a list of what Twitter is not:

1. A venue for a popularity contest
2. An obligatory mutual instant message system
3. A place where anyone has anything to prove

Exactly. Twitter is different things to different people. Suit your follow list to what you want to see. I’ll be the first to admit that I am a prolific tweeter. My sister never added me to her phone because it she was overwhelmed by texts. I tweet about Ham Radio, InfoSec, the MBTA not working, and any other completely random thing that floats into my head. A lot of my friends are the same. However, I know that this does not suit everyone. I have no problems with someone unfollowing me because I tweet so much, if you’re not going to follow a smaller group of people, I’m going to quickly overwhelm your “stream” on your page, likely providing more signal with noise. There are ways to sift through volumes of tweets, but a lot of people have neither the time or inclination to do so.  Don’t feel the need to follow anyone because “everyone else does it” or if they’re following you. Only follow the people that tweet topics that you’re interests and tweet at your pace. Also, look at the option of turning of

If you’re on Twitter, don’t think you’re going to hurt someones feeling by unfollowing them. I occasionally go through my lists and “purge” people that no longer interest me. If I no longer intrest you, unfollow me! Please! If I follow you, I’ll still reply when you say something I want to comment on and it will still show up in your stream.

Steve, I’m still following you, as you’re one of the Hams who’s tweets I always enjoy. I hope to see you around, and I look forward to you live-tweeting Dayton.

Over the weekend, the Federation of the American Scientists posted a presentation by the Army’s 304th Military Intelligence Battalion. This presentation went over a few things, focusing on the use of mobile technology and the possible use of Twitter by Terrorist cells for either Open Source Intelligence gathering (OSINT) or a Command, Control, Communication, Computers and Intelligence (C4I) tool.

Needless to say, most of the population of Twitter has basically taken the report to mean “Oh my god, the Army thinks Twitter is a Terrorist tool!” and has dismissed the report out of hand. Even some security weblogs I read have been fairly dismissive of the report. After reading up on the report, I completely agree with it’s findings. I’ve had similar concerns floating in the back of my mind since for a while now.

Twitter is a great tool for distributing information quickly, and while that is a good thing, it can also be used for not-so-good things as well. Twitter, with it’s mobile integration and the fact that everyone has a mobile device make it ideal for a distributed intelligence network. The report mentions that this was used with great effect during the Republican National Convention by dirty hippies activists in avoiding apprehension. The report looks at these uses and proposed three scenarios:

Scenario 1: Terrorist operative “A” uses Twitter with (or without) a cell phone camera/video function to send back messages, and to receive messages, from the rest of his cell… Other members of his cell receive near real time updates (similar to the movement updates that were sent by activists at the RNC) on how, where, and the number of troops that are moving in order to conduct an ambush.

Scenario 2: Terrorist operative “A” has a mobile phone for Tweet messaging and for taking images. Operative “A” also has a separate mobile phone that is actually an explosive device and/or a suicide vest for remote detonation. Terrorist operative “B” has the detonator and a mobile to view “A’s” Tweets and images. This may allow “B” to select the precise moment of remote detonation based on near real time movement and imagery that is being sent by “A.”

Scenario 3: Cyber Terrorist operative “A” finds U.S. [soldier] Smith’s Twitter account. Operative “A” joins Smith’s Tweets and begins to elicit information from Smith. This information is then used for… identity theft, hacking, and/or physical [attacks]. This scenario is not new and has already been discussed for other social networking sites, such as My Space and/or Face Book.

There a real-world examples of people using Twitter for things similar to Scenario 1 and 3 today and while Scenario 2 is the most far-fetched, it is still in the realm of possibility. While I don’t think that there are currently terrorists actively designing operations with Twitter in mind, I do believe that it has registered with them. I’m also sure that information on Twitter is going to be mind by both sides, so it is important to make sure that the “good guys” know that how it can be used against them and also how it can be used against the “bad guys.”

Figuring out your opponent’s next move is key in strategic battles and researching all the options is key. The report came up with a few not-so-far-fetched scenarios in which Twitter plays a key role. Coming up with these scenarios allows people to plan to combat them. While it’s easy to dismiss the report as paranoia and think as Twitter as 100% Sunshine and Puppies, it is important to realize that like any tool, Twitter can be used for good things and bad.

Well, I guess the best way to revive a project is to announce that it is almost dead… Ham Twits, since that post, has been growing by leaps and bounds and now boasts a membership of over 50 twits!

Growth is always a good thing, but, it quickly came apparent that the list, maintained as HTML in my CMS, was not the easiest thing to maintain. So, I contacted Peter Goodhall, M3PHP (aka magicbug) and asked him to help me come up with a design for a new website. That, combined with the generous donation of the HamTwits.com domain name by Dan Dawson, KI6ESH (aka DanDawson), allowed me to design a good looking, database driven website for the Ham Twit list.

Check it out at www.hamtwits.com

I am still working on it, but the basic features are there. Twits are classified under their DXCC entity and are currently sorted by region. I’ve also added the QTH and the FriendFeed name of those twits who have accounts there.I’ll be working expanding the information gathered and adding sorting and the ability for twits to update their own information. Not quite there yet, but as I believe in releasing early and often, I have opted to unleash the site in it’s fully-baked-but-still-nice-and-chewy-in-the-middle state.

As always, if you would like to be added, shoot me a e-mail, DM, or an @, and I’ll be happy to add you!

Share and Enjoy!

I’ve received some nice feedback on yesterday’s post and it has caused me to renew my effort into Ham Twits. I’m going to start going after Hams on twitter to see if they’ll let me add them, and as a community as a whole, lets see if we can’t get more Hams to sign up for twitter.

Corey, KB9JHU (aka cshields) posted a great comment that linked to his University Club’s website. Now, *that* is what a Ham Radio club website should look like! CMS! RSS! Clean interface! Brilliant! Thanks Corey!

Well. I must say, Ham Twits is on life support. Partially because I haven’t been pushing it hard enough, hoping that it would have a little bit of “if you build it, they will come” approach, and partially because of the regular downtime that Twitter has been experiencing lately.

The downtime has caused a bit of a chain reaction across the entire Twitter community, and the Hams are no exception. Some people have stopped tweeting altogether, others have severely curtailed their usage, and a couple of prominent people who have jumped ship to other services. The resultant landscape has left me scratching my head and pondering as to if there is any way to sucessfully leverage these services into Ham Radio.

The social web seems to be here to stay and it is starting cross the chasm into the mainstream. I looked at the Ham Twits list as a way of trying to get Hams onto Twitter and quickly find like-minded individuals. However, with the recent splintering of the landscape makes me wonder if trying to leverage such tools on the Ham Radio community is a foolhardy venture.

Ham Radio operators, for the most part, can be rather geeky, but are still a bit behind the curve on the computing side of things. While there are some bright people out there, just simply look at any Ham Radio club’s webpage and you’re treated to a trip back to the late 1990s/early 2000s. More often or not, the home page of your organization is your face on the web. Having it look like something straight out of the dot-com era does not help Ham Radio look “cutting edge”, which seems to be something that most Hams try to pass the hobby off as.

When I started to try to get Ham Twits off the ground, I pictured it as the first step in trying to get more Hams onto the social web. After I compiled a sizeable list, I was going to try to start talking up Twitter in various ham radio related venues. However, now that some of the more active community members have gone over to FriendFeed, Jaiku, or identica, it kind of torpedos the idea of trying to market a single service as a way to communicate with fellow hams. It’s easier to say “Hey! Twitter is easy to use! Look at some of the cool stuff we discuss!” rather then saying “There is some cool stuff on this social web thing! Sign up for Twitter. Oh, and Jaiku if you want to talk to these guys over here, oh, and FriendFeed if you want to talk to those guys over there.” It makes it less likely to sell people on the benefits.

Some people are taking a different tack and trying to make Ham Radio specific socail websites. Chris Matthieu has set up 73s.org and a group of Ham Radio operators in the UK is working on DXAnywhere. Both seem to be solid, good coded websites. However, I think the strongest plus of using existing social networks is that non-Hams use it as well. If we provide Ham Radio with good exposure, we can help shake off the stoddy image of Ham Radio being a dead technological area. I stirred up some interest when I posted my SEEDS Captures on Twitter and quite enjoyed explaining to people how simple it was. Stuff like that is great PR! We should be doing it more often!

In conclusion, I don’t know where Ham Twits is going. I also don’t know if trying to leverage non-Ham-Radio-specific social web services to Hams is a good idea at this point. I wouldn’t be surprised if in six months we’ll see everyone on a new twittagsocialblogcloudweb2.0-thing anyway…