Neal Stephenson put it best in Snow Crash that “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest mother&^%#er in the world.” I think that deep down in every InfoSec professional’s heart, we want to be that mother&^%#er. We think, every so often, that we could go rogue, drop off the radar, and launch a one man war against the script kiddies, mafia types, and general ne’er-do-wells that inhabit the Internet. I think that’s why some of us are having a tough time reconciling th3j3st3r’s actions within their own moral code of being one of the “good guys”. I think everyone agrees that the sites being attacked are “bad” in the incredible sliding scale of morality. The question that comes up is: Does leveraging methods such as DoS attacks against “bad” sites result in a “bad” or “good” outcome?

I think that this question can be answered by one of Hollywood’s legendary bad mother&^%#ers, Harry Callahan. In the 2nd film of the “Dirty Harry” series, Magnum Force, the plot revolves around a group of cops that have “gone rogue” and are taking out criminals in San Francisco. Now, anyone who has watched the “Dirty Harry” series (You have, haven’t you? If not, go order it on NetFlix and watch it. Go Ahead. I’ll wait… Back? Good, huh?) know that Callahan is a cop who gladly tosses out the rulebook when it gets in his way of getting the bad guy. While trying to reconcile the rogue cops methods against his own playbook, there is an important quote by Callahan: “I hate the goddamned system, but until someone comes along with changes that make sense, I’ll stick with it.” This should be the mantra of every information security professional who deals with the scum of the Internet day in and day out. There is a system that we use, such as takedowns and working with ISPs to get bad material removed, and while it fails on a regular basis, it’s what we have to work with. I know how difficult it can be, as I have been on the front lines desperately trying to work with ISPs to take down a phish or a piece of malware from their servers and running into stone wall after stone wall. I’ve often wished for some kind of more effective system. While I don’t think anyone can debate the effectiveness of th3j35t3r’s tactics, I feel they cross a line that should not be crossed. While I feel that the removal of such sites is a good thing, the methods in which it is accomplished is not.

The question of morality aside, no one knows exactly “how” th3j35t3r is DoSing these sites, th3j35t3r says it’s “like a DDOS attack, except without the first ‘D’. There is nothing ‘distributed’ about this. It is possible with very low bandwidth and a single low-spec linux machine.” While judging from his description I have an idea of what his tool of choice may be, we likely won’t know due to the sites he’s choosing since they aren’t the ones who are likely going to run to the authorities. The ones that are talking are making their own assumptions and are mostly conjecture. So, it’s likely we won’t know any time soon exactly what he, or she, is doing. Does it affect other sites on the same network? Could it be disrupting critical services hosted on the same netblock? Are the attacks being pivoted across systems that did not give permission to be involved? Is there any collateral damage? Until we know exactly what’s going on, we can only guess.

There’s another quote from Magnum Force that I want to toss out here. The quote is “A man’s got to know his limitations” and I feel sums up the debate correctly. I think that, at least in my case, I know my limitations, and I think that DoSing sites, no matter how bad they may be, is beyond my limitations ethically.

UPDATE: Shouts to @Shpantzer for pointing out my ability to make “people operating outside normal or desirable controls” into “red or pink cosmetics for coloring the cheeks or lips” with a single typo.

“Son, we live in a world that has firewalls, and those firewalls have to be administered by people with a clue. Who’s gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for your Internet access, and you curse the security admins. You have that luxury. You have the luxury of not knowing what I know. That the firewall rule set, while convoluted and not perfect, probably saved data. And my existence, while grotesque and incomprehensible to you, saves data. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that firewall, you need me on that firewall. We use words like “high availability”, “cloud”, “ISO 27001 compliance.” We use these words as the backbone of a life spent defending something. You use them as marketing fodder. I have neither the time nor the inclination to explain myself to a man who surfs and e-mails under the blanket of the very security that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way, Otherwise, I suggest you install an IDS console, and stand a post. Either way, I don’t give a damn what you think you are entitled to.”

“Did you block Facebook access from the company?”

“I did the job I…”

“Did you block Facebook access from the company?“

“You’re Goddamned right I did!“

Not up to the same level of Hoff’s creativity, but I found it amusing…

1st, I did a presentation to the Boston Chapter of the Association of Government Accountants for their monthly meeting as part of my day job. I’d like to think I did fairly well and there certainly was a fair amount of discussion afterward. In case any of them find their way here in an attempt to find my slide decks, I am happy to oblige:

• Information Security and You PPT (1.4MB)
• Information Security and You PDF (1.8MB)

2nd, I have been selected to speak at QuaghogCon in Providence, RI the weekend of April 24th and 25th. I’ll be departing from my usual “Information Security” speaking groove and instead will be evangelizing Amateur Radio. Sadly, this means I’ll be missing out on B-Sides Boston, but that’s the way the cookie crumbles. Registration is open now and I’ve heard rumors that attendance will be capped at 150, so even if you don’t want to hear me speak, buy a ticket; there are going to be some awesome presentations.

When we say that our “ham radio political leaders” should remain vigilant against possible spectrum reallocation, I think that we are shifting the responsibility (and in the future, likely the blame) to them, when the responsibility really lies with us. We as radio amateurs are simply not doing enough to justify our use of UHF+ spectrum. When we rely on political action committees to justify our use of this valuable public resource, we should be working hard to provide them with every possible justification that they can use. It isn’t Congress who is placing these frequencies in peril: it is our own inactivity which does so. If we lose 1.2GHz, or 220Mhz, or any of our other allocations, it will be because we frankly aren’t using them enough. If I thought that these frequencies could be effectively used to give Internet broadband to millions of underserved Americans, I’d have to say “take those frequencies, we will miss them, but we had our chance with them”.

Mark hits the nail right on the head with this statement. If we lose any bands it’s our own fault for lack of activity on them. While I don’t think 70cm (think PAVE PAWS) and below are in danger, everything else is fair game, and this includes my beloved 33cm. I am very much a “life begins at 50MHz” kind of amateur and I wish we would see more use of the GHz bands, especially 12cm (2.4GHz) but I realize that most Hams hardly venture above 148MHz, and 95% of the experimentation in the community is below 30MHz. What does this mean when the Feds come knocking on the ARRL’s door asking for spectrum?

Game Over Man! Game Over!

Amateur Radio, in its current state, cannot justify the spectrum it’s given. Period. Full Stop. No amount of wharrgarbling about public service or what kind of value we provide is going to change that. Go ahead and read the ARRL’s Frequency Allocation page and ask yourself how many bands you’ve used in the past week, month, or year. Heck, even go back five years. I bet that most of you have never gone above 2M. Anthony, K3NG, takes an even more dower view in the comments section which I have a hard time disagreeing with:

Even if we would start using these bands more, I’m not sure that would be enough to keep them from being reallocated, even if we could get 50% of our active amateurs on them. If we calculate how many bits/hertz are currently being used in our spectrum versus what would be used if reallocated, and perhaps even take it a step further to model the geographical aspects and frequency reuse, it’s hard to objectively argue against mobile wireless use of these bands. Unfortunately we’re not going to be able to depend on the classic defense based on emcomm use or experimentation; the potential public benefit is just too great…

So, the question is, what can we do? I think we have two options, both of which, if they happen, will cause lamentations the like we have never seen across QRZ and eHam.

#1 Roll over – This is obvious. We lose, they win their spectrum, and we’re further sidelined into obscurity. While I don’t think this will happen and I’m sure that many of you agree, there is a distinct chance that the FCC will make a power grab for the “greater good” and legislate some of our bands out of existence without giving us a second look. Why? Because the amount of people served by expanded wireless service is pretty much a “no brainer” kind of decision. Since everyone on the federal level is hopping on the “broadband for everyone” bandwagon, passing off this kind of action will easily pass the “public approval” sniff test.

#2 Play lets make a deal – We play the cards we’ve been given and we proactively start making plans to give up bands and if we see the writing on the wall, we proactively approach the FCC with options. While, yes, you are correct, this approach did not work out well for Neville Chamberlain (Please note, I am *not* comparing the FCC to Hitler) we might be able to salvage concessions that guarantee the future of the hobby and bands. Give up 1.25M, 23cm, and 3300-3500 MHz for a law or something to guarantee the rest of our spectrum? I’d be OK with that.

These are not going to be easy decisions that are forthcoming if the Feds start scrounging for spectrum. I am pretty sure we’re going to lose any battle that comes to it. I think we as a hobby need to start figuring out what we are going to do now rather then run around like chickens with our heads cut off when the tax man cometh.

The other obvious part to this is that we should also start pushing the use of more of our spectrum. Why am I not seeing the ARRL start pushing for simple 2.4GHz data projects? With the demise of packet radio beyond APRS and the HUGE FREAKING SWATH OF IPv4 ADDRESS SPACE we have why don’t we see a organized effort for creating low cost homebrew builds? Instead, the ARRL is focusing on 40M while the HSMM page is so old it has dust on it. Way to go ARRL.

After messing about with the examples for a while, I decided to see if I could whip something up from scratch. I had bookmarked Mark, K6HX’s entry about an Arduino based Morse Code Beacon and decided to take a crack at it. My code is a bit of a kludge, but it does work:

Now, to get this hooked up into a radio to make sure it can do more then blink an LED…

UPDATE: Uhhh… Yeah, so I guess Mark updated his beacon and did some pretty impressive stuff, making my implementation look like a Pinto while his is a Corvette. Oh well. It was a learning experience.

• Part 1
• Part 2

Hear me discuss cigars, G. Schneider & Sohn beer, and decoding digital signals.

When the stream goes live you can check out

• PaulDotCom Live Video Stream
• PaulDotCom Live Radio Stream

If you’re interested in making fun of me while I am live on the air feel free to join the PaulDotCom IRC channel during the stream. Point your client to irc.freenode.net #pauldotcom.

For those of you who not be familiar regarding this case, a Boston University student, Joel Tenenbaum, was caught by one of our favorite four-letter associations, the RIAA, sharing about 30 songs on his P2P client Kazaa. Joel was served and the RIAA began legal proceedings against him giving him the option to settle or go to court. The twist of fate came when Charles Nesson, a legal professor from Harvard University, offered to represent Joel pro bono and fight the case in court. Joel decided to spin the wheel o’ justice and take his chances with a jury.

This is where everything goes crazy. A few weeks before the trial, Tenenbaum, Nesson, and his legal team, apparently after a long night of sipping the “information needs to be free” Kool Aid (that I presume was sent to them straight from RMS’s secret stash) decided to admit he was sharing the files, make the claim that file sharing was completely legal and that US copyright law was wrong.

Needless to say, this flew like a balloon fabricated a two inch thick plate of steel.

The trial was covered fairly well in various media outlets and various expert witnesses were called to aid Joel’s defense. Long story short, Joel lost, has to pay $675,000 worth of damages, and what could have been a giant step forward for the legal rights of file sharers turned into another reaming of a defendant by the RIAA. I can’t say I was following the trial as much as other folks, but I was keeping an eye on things as it was just such an interesting Hail Mary play. However, as I was watching throughout and after the trial, the statements released by the defense on their website and the in-courtroom drama left me scratching my head. I kept looking at what the defense team was doing and as an armchair lawyer I was often wondering “What are they trying to do? Defend their client to the best of their ability or push for the slight chance that they’ll win and set a legal precendent that torpedos copyright law?” Today it looks like we have our answer.

In her footnote, Judge Gertner said that she was ready to accept a wide array of legal defenses that would have greatly expanded the legal definition of “fair use” and allowed Joel to skate:

“As it made clear previously, the Court was prepared to consider a more expansive fair use argument than other courts have credited — perhaps one supported by facts specific to this individual and this unique period of rapid technological change. For example, file sharing for the purposes of sampling music prior to purchase or space-shifting to store purchased music more efficiently might offer a compelling case for fair use. Likewise, a defendant who used the new file-sharing networks in the technological interregnum before digital media could be purchased legally, but who later shifted to paid outlets, might also be able to rely on the defense.”

Yup, you read that right, Judge Gertner just said that she would have not only been OK with downloading music before Joel bought it or ripping CDs for storage, but she would have granted Joel a tabula rasa if he made an effort later move on to a legal way of downloading music. But, for reasons unknown, Tenenbaum, Nesson, and the legal team that apparently needs to go back to law school decided to make claims so overreaching that a Judge /sympathetic to their cause/ had no choice but to dismiss them.

Rather than tailoring his fair use defense to suggest a modest exception to copyright protections, Tenenbaum mounted a broadside attack that would excuse all file sharing for private enjoyment. It is a version of fair use so broad that it would swallow the copyright protections that Congress created, defying both statute and precedent… In his view, a defendant just needs to show that he did not make money from the files he downloaded or distributed — i.e., that his use was “non-commercial” — in order to put his fair use defense before a jury. And every non-commercial use, to him, is presumptively fair. Beyond that threshold, the matter belongs entirely to the jury, which is entitled to consider any and all factors touching on its innate sense of fairness — nothing more and nothing less… Defendant’s version of fair use is, all in all, completely elastic, utterly standardless, and wholly without support.

To add insult to injury, in a footnote to her memo Gertner makes mention that Nesson “repeatedly missed deadlines, ignored rules, engaged in litigation over conduct that was plainly illegal…” Wow. This guy is a first string Harvard attorney? Remind me if I am taking on an organization that has vast armies of lawyers, the law on their side, and out for blood if I choose a lawyer who’s slightly crazy, it will be one that won’t piss off the Judge. That, or one that will do so in a slightly jovial and entertaining manner with a bevy of snappy one liners like Denny Crane or Alan Shore.

Some have pointed out that this defense may work in other cases. They’re 100% right. However, thanks to Joel blowing it, how many more people are going to take a shot at tripling the money they own for the slight chance that they may get to skate? Also, what are the chances that the case will get another sympathetic judge? I’d say slim. This was, what I would consider to be a fairly rare “perfect storm” of events and I wouldn’t venture to guess if or when it may happen again.

Thanks Joel, I’m sure you’re angry that you pissed away a great opportunity to possibly being able to get off scott free and instead have to pay over just over 13 years of my salary for 30 some odd songs. But just remember, thanks to your legal antics, we’re all pissed that you looked a gift horse in the mouth a blew a great chance to shoring up the rights of millions to use the music they bought legally.

again we take the responsibility of securing devices and systems away from responsible party (the admins and owners) and blame the bad guys with the “think of the children” argument.

why dont we start blaming the jackasses for allowing theirselves to be hacked and not the bad guys who do it. can you really blame the guy that steals the “whatever” out of the unlocked car? really?

This easily carries over into the cyber war arena. lets stop pointing our fingers at the guys breaking in and instead point our fingers at the organization who allowed it to happen.

Wow. I understand where Chris is coming from. When an breach occurs, it’s often followed up by incident handlers like Chris or myself looking at the server and muttering “What in God’s name were they thinking?” As someone who, for the increasingly-rare insightful commentary, still listens to Off The Hook on my iPod every week, I hear statements similar to Chris’ a lot. Every time some company gets attacked and releases a statement “Teh H@x0rz did it!” they rail on the company and blame them for having insecure computers in the first place.

It doesn’t matter if the admin decided to toss Windows 2000 without any service packs on the Internet. Yes, he or she was stupid, probably violated about twenty different policies, and should be given fifty lashings with a wet noodle. There would not have been an issue if the silly script kiddie from Eastern Estonia didn’t compromise the box.

Another interesting thing about the “Blame the Admins!” advocates were that they seemed to be guilty of the same things that the Admins were. They were blaming someone else. Admins were blaming the attacker while the security guy blames the admin. When someone gets compromised at my job, I’ve failed as the security person. It’s partially my fault.

• Why didn’t I notice traffic going to computer?
• How did I not notice when that computer went online?
• What didn’t I do to make sure that computer wasn’t part of the patch cycle/AV/IPS/IDS etc?

We can make excuses all day, blame the admins, blame our tools, blame the lack of support from business owners, the issue is that are we men, or women, enough to say that the buck stops with us and we missed something along the way. Do we fall back into our regular routine after the crisis passes or do we try to take steps to ensure that we aren’t caught with our pants down again?

While I am not saying the admins or the maintainers of the data are completely blameless during an incident, I think Chris’s and OTH’s statements reveal a very scary shift in thinking regarding InfoSec. We are essentially saying that we’ve lost not only the battle, but the war, and we are being overrun. We’re admitting that we can no longer protect endpoints and that it’s a crap shoot if you go out onto the network. But don’t blame us if you get compromised, it’s your own damn fault.