I wish the news media would stop romanticizing hackers. There are two kinds of hackers. The first variety are thieves, the second variety are juveniles of all ages with a roaring case of Asperger's, or as they are sometimes known, basement dwellers.
The news media labels certain hacker groups as "hacktivists," Anonymous being the most well-known. Anonymous is best known for breaking into Sony's Play Station Network a couple of years ago and stealing millions of credit card numbers. They were romanticized as some kind of geeky David taking on the evil corporate Goliath, Sony. Stupid. They didn't steal from Sony, they stole from us. In that, they are no better than a common burglar. They are lesser known for taking down Freedom Hosting on TOR last year. Freedom hosting was home to a huge amount of illegal pornography. Their aim appeared to be noble, but who made them the Internet police? Their motto is, "We do what we want because we can." Their avatar is the Guy Fawkes mask from the movie "V." Not noble. Just belligerent.
This past weekend a group calling themselves, "Lizard Squad" launched a DDOS attack on the Sony Play Station Network and Microsoft's XBox Live. They also twittered a bomb threat against the President of Sony. This group is of the second variety. Their attack had no purpose other than to gain bragging rights. They didn't hurt Sony or Microsoft, and as far as anyone knows, they weren't able to steal anything. The only thing they did was annoy a bunch of gamers. So they were just a bunch of jerk-offs with too much time, and probably money on their hands. An attack that size is more than you can do with a PC botnet. These guys had to have some serious server horsepower and big network pipes.
Hackers aren't cool. They aren't mysterious or exotic. They aren't even very tech-savvy. They know a few things about system weaknesses and how to exploit them. They have about a half-dozen hacks in their bag of tricks, and all they do is put them together in various ways. Think about it. Their number one tool is called a brute force attack, which consists of trying as many passwords as they can until they find someone who used their grandmother's birthday or the name of their cat. Not elegant. Not exotic. Just brain-dead thumping and taking advantage of something stupid someone else did.
Monday, August 25, 2014
Thursday, August 14, 2014
Makes Me Wonder
As I wander around in security and crypto land, I become more and more aware that even the people who know something about computer security and try to do things to enhance it are possibly living in a fool's paradise. (I can't think of that phrase without bringing to mind the old lady with the Yankee accent in the Swiffer commercial.)
Many (most?) people know about HTTPS. Even if they don't know it by name, they have been educated to some extent to look for it in their browser location bar, or to look for the helpful lock icon on Firefox and IE, or the key icon on Chrome. If you didn't know about it before, you do now, so no excuses. All of those things should be present when someone enters personal information, especially credit card information, online. I'm going to try not to fall too far into acronym land, but all of that kind of online security is based on SSL and its successor, TLS. They are techniques to encrypt everything that goes over the wire from your computer to the web server. Anyone eavesdropping on that wire would see nothing but gibberish. Well, maybe. There are something like a couple dozen vulnerabilities and exploits associated with SSL and TLS. Granted, your garden variety hacker isn't going to have the tools, and there are much easier ways to steal your credit card info. However, with computer capacity and capability expanding at a breakneck pace, it's not hard to imagine some neck-bearded basement dweller having the ability to exploit those vulnerabilities in the near future.
By the way, if you think you can safeguard your credit card information by avoiding online purchases, you are living in a fool's paradise. Your credit card is online, whether you want it to be or not. Like I said, there are much easier ways to steal your credit cards than to eavesdrop on your browser.
Many (most?) people know about HTTPS. Even if they don't know it by name, they have been educated to some extent to look for it in their browser location bar, or to look for the helpful lock icon on Firefox and IE, or the key icon on Chrome. If you didn't know about it before, you do now, so no excuses. All of those things should be present when someone enters personal information, especially credit card information, online. I'm going to try not to fall too far into acronym land, but all of that kind of online security is based on SSL and its successor, TLS. They are techniques to encrypt everything that goes over the wire from your computer to the web server. Anyone eavesdropping on that wire would see nothing but gibberish. Well, maybe. There are something like a couple dozen vulnerabilities and exploits associated with SSL and TLS. Granted, your garden variety hacker isn't going to have the tools, and there are much easier ways to steal your credit card info. However, with computer capacity and capability expanding at a breakneck pace, it's not hard to imagine some neck-bearded basement dweller having the ability to exploit those vulnerabilities in the near future.
By the way, if you think you can safeguard your credit card information by avoiding online purchases, you are living in a fool's paradise. Your credit card is online, whether you want it to be or not. Like I said, there are much easier ways to steal your credit cards than to eavesdrop on your browser.
Sunday, August 3, 2014
Run a Darknet
More people should run darknets, even if they don't use them. The more darknet nodes that are running, the less unusual it is to see one. The less interesting it is to those who spy just because you use one.
Ever since Silk Road and Freedom hosting were taken down last year, Tor has been taking a beating. It can use the help. One group claims to be able to break it for less than $3,000. So far, no one has substantiated their claim. The more Tor routers that are running, the less likely that is. No one has made that claim about i2p, but it's probably only a matter of time. From a security perspective, i2p is a bit sturdier than Tor. It's a small network right now. An increase in routers would only harden it more.
The two major darknets, Tor and i2p, are easy to install and run. Using the Tor browser bundle is no more difficult than installing and running any other browser. It isn't as helpful as running a router, but every little bit helps. Even if you don't want to take a public stand on privacy, you can take a private one.
tl;dr
I've been thinking that my posts are too long and pedantic. I think it comes of not posting often enough. I wait weeks to post something and then it ends up being a brain dump.
I promise to do better.
I promise to do better.
Saturday, August 2, 2014
Brain To Paper
For those of you keeping score, I have been wandering around in the world of cryptography lately. It is a brain-melting endeavor. The people who come up with cryptographic methods have my deepest respect. That is, my deepest respect when it come to thinking this stuff up. When it comes to their ability to tell the rest of the world what they thought up, well...
Some of them don't do a bad job considering what they are up against. Cryptography is hard. It's hard on purpose. Making it hard for the bad guys to figure out what you're doing is pretty much the purpose of cryptography. If it was just a matter of jumbling up all the letters and rearranging them, it would take the processor in your watch less than a second to decipher any message. Cryptography consists of complex algorithms applied to a wide variety of data.
One of the methods cryptographers use to publish their brain droppings is called a Request For Comments (RFC). This mechanism was set up by the Internet Engineering Task Force (IETF). It's as old as the Internet itself. The most basic protocols for getting information from one end of the net to the other are described in RFCs. It was envisioned as a mechanism for people to propose standard behavior on the Internet and get peer feedback. For the most part, it works. Almost all of the early RFCs have been revised based on incoming comments and questions to the originator(s) of the RFCs.
One of the things I recently did was to implement the CAST5 cipher. I won't go into the details of it, but it only took me a couple of evenings to code it, and another couple of evenings to test and debug it. The cipher is described in RFC-2144. While it is far from perfect, it is coherent enough to translate it from a mathematical function to a computer function. I am currently wading through RFS-2437, which describes the RSA encryption system. It is a heavy load, mathematically speaking, but following it isn't that hard. RSA is the basis for secure protocols like HTTPS which is the way that Amazon (and others) keeps the bad guys from being able to see your credit card number when you are ordering your yoga mats and Cryptography for Dummies book.
This brings us to the RFC for Open PGP. PGP, which stands for Pretty Good Privacy, is a very strong cryptography system (note the irony on "pretty good"). It gives the NSA fits. Imagine you wanted to let your Uncle Bob into your house when you're not home. You could leave the key under the mat, but then any old bad guy could come along and look under the mat. So, to prevent this, you hide the key in plain sight in such a way that it doesn't look like a key and no one who doesn't know how to look for it can see it. But, you need to let Uncle Bob know how to figure out where it is, so you send him a message in a secret language that only he knows how to read, telling him that the key is hanging on the third rhododendron bush from the left, 11-1/2 inches from the ground. The bad guy could technically find the key, but he wouldn't know where to start looking and he would have to get lucky to find it in any reasonable amount of time.
Open PGP is described in RFC-4880. The number is burned into my brain. It is the godawfulest mess I've ever run across. Imagine your autistic nephew trying to write instructions on how to build a house. He could probably build the house, but it would be nearly impossible for him to tell you how he did it. Everything is Open PGP happens in packets. One of the things that would be nice to know is how big are the packets. It starts off well enough, telling you that the first thing in the packet is a number telling you what kind of packet it is, and another number telling you how big the packet is. It goes straight to Hell in a handbasket from there. They use something called partial packet body lengths. Yes, that's right, a number that tells you that here is a number that represents how big the packet is, maybe. Well, it's at least this big, but it might be bigger. And there might be more packets hiding inside this one, but we can't tell you where they might be:
In another part of the RFC, they made a decision to use a bastardized version of a cipher called Cipher Feedback (CFB). It turns out that this bastardized version ended up being a vulnerability that no one has fixed. But I don't know how anyone would be able to figure that out from the RFC. Worse yet, the RFC describes how this mode works for encryption but is silent on decryption. Isn't that helpful? I think the authors need to either back up and take another shot at it or hire a ghost writer.
Well, I've bitched about this enough to get it off of my chest. Thanks for listening.
Some of them don't do a bad job considering what they are up against. Cryptography is hard. It's hard on purpose. Making it hard for the bad guys to figure out what you're doing is pretty much the purpose of cryptography. If it was just a matter of jumbling up all the letters and rearranging them, it would take the processor in your watch less than a second to decipher any message. Cryptography consists of complex algorithms applied to a wide variety of data.
One of the methods cryptographers use to publish their brain droppings is called a Request For Comments (RFC). This mechanism was set up by the Internet Engineering Task Force (IETF). It's as old as the Internet itself. The most basic protocols for getting information from one end of the net to the other are described in RFCs. It was envisioned as a mechanism for people to propose standard behavior on the Internet and get peer feedback. For the most part, it works. Almost all of the early RFCs have been revised based on incoming comments and questions to the originator(s) of the RFCs.
One of the things I recently did was to implement the CAST5 cipher. I won't go into the details of it, but it only took me a couple of evenings to code it, and another couple of evenings to test and debug it. The cipher is described in RFC-2144. While it is far from perfect, it is coherent enough to translate it from a mathematical function to a computer function. I am currently wading through RFS-2437, which describes the RSA encryption system. It is a heavy load, mathematically speaking, but following it isn't that hard. RSA is the basis for secure protocols like HTTPS which is the way that Amazon (and others) keeps the bad guys from being able to see your credit card number when you are ordering your yoga mats and Cryptography for Dummies book.
This brings us to the RFC for Open PGP. PGP, which stands for Pretty Good Privacy, is a very strong cryptography system (note the irony on "pretty good"). It gives the NSA fits. Imagine you wanted to let your Uncle Bob into your house when you're not home. You could leave the key under the mat, but then any old bad guy could come along and look under the mat. So, to prevent this, you hide the key in plain sight in such a way that it doesn't look like a key and no one who doesn't know how to look for it can see it. But, you need to let Uncle Bob know how to figure out where it is, so you send him a message in a secret language that only he knows how to read, telling him that the key is hanging on the third rhododendron bush from the left, 11-1/2 inches from the ground. The bad guy could technically find the key, but he wouldn't know where to start looking and he would have to get lucky to find it in any reasonable amount of time.
Open PGP is described in RFC-4880. The number is burned into my brain. It is the godawfulest mess I've ever run across. Imagine your autistic nephew trying to write instructions on how to build a house. He could probably build the house, but it would be nearly impossible for him to tell you how he did it. Everything is Open PGP happens in packets. One of the things that would be nice to know is how big are the packets. It starts off well enough, telling you that the first thing in the packet is a number telling you what kind of packet it is, and another number telling you how big the packet is. It goes straight to Hell in a handbasket from there. They use something called partial packet body lengths. Yes, that's right, a number that tells you that here is a number that represents how big the packet is, maybe. Well, it's at least this big, but it might be bigger. And there might be more packets hiding inside this one, but we can't tell you where they might be:
Wut?Each Partial Body Length header is followed by a portion of the packet body data. The Partial Body Length header specifies this portion's length. Another length header (one octet, two-octet, five-octet, or partial) follows that portion. The last length header in the packet MUST NOT be a Partial Body Length header. Partial Body Length headers may only be used for the non-final parts of the packet. Note also that the last Body Length header can be a zero-length header.
In another part of the RFC, they made a decision to use a bastardized version of a cipher called Cipher Feedback (CFB). It turns out that this bastardized version ended up being a vulnerability that no one has fixed. But I don't know how anyone would be able to figure that out from the RFC. Worse yet, the RFC describes how this mode works for encryption but is silent on decryption. Isn't that helpful? I think the authors need to either back up and take another shot at it or hire a ghost writer.
Well, I've bitched about this enough to get it off of my chest. Thanks for listening.
Subscribe to:
Posts (Atom)