Anonymity loves company...

Today I did a brief interview with E-TV news on "Anonymity Systems". Interestingly enough, the journalist started the interview determined to go down the "Anonymity is Evil!" route.

I must confess to being slightly surprised by the thought. I didn't expect such strong support for the "Anonymity allows Child Pornography" point of view. The snippet of the interview that was aired was probably only a few minutes long (I have not seen it yet), but I thought it was worth noting a few simple thoughts on anonymity systems.

Very few people (if any) would question the necessity of allowing anonymity for people who suffer from victimization. Dissidents of a tyrannical regime, or victims of crime, need a platform that will permit them to speak out without fear of further victimization. The problem is that "anonymity needs company".

This simply implies that it's really difficult to be anonymous alone.

Signals Intelligence operators have long established that merely knowing that Alice spoke to Bob is worth a lot, even if we are unable to examine the content of their discussion. If the only people using an anonymity system are government dissidents, then finding the dissidents is as simple as rounding up the people using anonymity systems. For the system to work, we need people using the system beyond simply those who today "have something to hide." [1]

A natural side-effect of providing an anonymizing system is that this system will also be used for evil. It is very much like the side effect of being able to have encrypted conversations: terrorists can have conversations that can't easily be intercepted by law enforcement. It's ridiculous to deny the privacy benefit to everyone in the hope of maybe helping to catch a few criminals. Terrorists have no problem finding other channels of communication that are less susceptible to interception. Forbidding crypto hurts the rest of us. Viewers of kiddie-porn are able to share their wares without anonymity systems. Stopping online anonymity won't slow them down at all.

Convincing people who think "they have nothing to hide" that anonymity (and encryption) are good things is sometimes difficult, but recent events should convince most that even governments we elect into power might not always have our best interests at heart. It's probably overused, but one is forced to remember the words of Pastor Niemöller, who commented on the inactivity of German intellectuals during the Nazi rise to power:

"They came first for the Communists,
and I didn't speak up because I wasn't a Communist.

Then they came for the trade unionists,
and I didn't speak up because I wasn't a trade unionist.

Then they came for the Jews,
and I didn't speak up because I wasn't a Jew.

Then they came for me
and by that time no one was left to speak up."


[1] It is interesting to note that some governments who say "You don't need anonymity unless you have something to hide" are the same people who feel outraged by WikiLeaks.

ZaCon2 & Fig Leaf Security

This weekend we held our 2nd ever ZaCon, The Conference in need of a tagline! ZaCon aims specifically at growing the South African InfoSec Research scene by giving locals a place to teach, learn and grow.

The conference had people flying in from Durban, Cape Town and even Grahamstown, and almost doubled last year's attendance. If nothing else, the coffee service was an unmistakable win!

My talk this year was called "Fig Leaf Security", and was aimed at saying some of the things that we generally don't like saying (about the industry in general, and about ourselves in particular).



You can catch the talk [here] and can watch the rest of the ZaCon Album [here].

I went into the talk expecting it to generate some hate, but most of the feedback so far has been really positive [1|2|3]. Feel free to drop me an email or msg @haroonmeer on Twitter to let me know why I'm wrong.

/mh

[1] @nitesh_dhanjani: Watch this talk by @haroonmeer if you are in the infosec industry and feel like growing up
[2] @narvanitis: Absolutely essential viewing
[3] @craigbalding: RT @haroonmeer: How to lose friends and alienate ppl: http://vimeo.com/15755087 (my #ZaCon 2 talk on the lies we tell ourselves)< watch this

Cute (if nothing else) OSX Application..

iTried is a quick little utility I wrote while testing something. It sits on your menubar and shows you the photograph of the last person who disturbed your screensaver (i.e. tried to log in).



You can read more about it (and download it (free)) [here]

You have to love attention to detail...

It's pretty common for people to hate Apple and to pick on the apple-tax, but then you spot something like this and you just have to smile (that special blend of fanboy smile!).

The standard icon for textpad is clearly a text pad with a pen. I was looking into icons, and ended up maximizing the text pad icon. (click for full size)



The quote was heavily used during early Apple commercials, but like many things Apple, it's just the attention to detail that's awesome!

Capital Magazine Article (in German)


Nils Kreimeier wrote an article for Capital Magazine on cyber-war based on interviews he did at the CCDCOE conference earlier this year. The article is in German but does feature exciting Atari style graphics superimposed on scary looking hackers. [Grab a copy here]

Why Intel's purchase of McAfee is a good indicator for Africa..

The Internet lit up last week with news of Intel's purchase of McAfee. Every analyst (and his dog) has chimed in on what it means, from "Anti Virus on a chip" to just "a national security disaster". I think it has a subtler implication that bodes well for developing nations: in the ongoing competition between hardware and software, hardware just flinched.

Watching Intel spend almost a year's worth of profit on McAfee made me think of Professor Clayton Christensen (of "The Innovator's Dilemma" fame) and his "Law of Conservation of Modularity" (also called the "Law of Conservation of Attractive Profits").

(If you have not yet read the book, you can catch a good overview of the content from his talk titled "Capturing the Upside".)

Professor Christensen regularly cites his conversations with Intel's Andy Grove, and it is clear that Intel took cues on strategic direction from him in the past. (First, some background)

The Law of Conservation of Modularity:
Professor Christensen holds that early on in a technology cycle a huge premium is placed on the technology/development cycle, since this is the problem that needs solving (and so requires the most skill). Essentially, the other players in the market settle for smaller profits while the dominant players in the "hard to solve" space consume the lion's share of the profit.

He then holds that, at a point, that particular difficult problem gets solved, and by following the same growth trajectory the market becomes over-served, and higher profits flow to other players in the chain who become greater deciders of value.

In other words:

(It's hard for me to consider the topic of a market getting over-served without considering for a moment that my parents really don't need the multi-core processing beasts churned out by Intel these days.)

The fact that Intel drinks the Professor Christensen kool-aid is clue #1, and the fact that they have historically shown themselves to be willing to make huge transformations when necessary is clue #2. (Intel were "memory guys" till they shifted focus to processors). It seems as good a time as any to shout "technology inflection point".

There is a recurring theme in technology of the battle for dominance between hardware and software. The early years of computing were dominated by hardware guys (mainframes and minis), till hardware was commoditized (thanks to PCs and Microsoft) and then hardware made a huge comeback. Smartphones, storage appliances and consumer devices like the iPod had pundits proclaiming that the last round belonged to hardware and the future was in silicon.

But, the wheel (almost) always turns.

Cloud computing makes hardware purchases seem less attractive, and money that was spent on hardware will be spent on SLAs for software agreements. Netbooks have been great for consumers, but the market has been a race to the bottom for the hardware players. Increasingly, outstanding consumer devices (like the iPhone) are becoming heavily dominated by the software experience. (Companies like Apple choosing to use their own processor can't make processor manufacturers (like Intel) feel too warm and fuzzy either.)


And so?
One of the memorable lines from "Capturing the Upside" is the quote from Hockey Hall of Famer Wayne Gretzky, who is famously reported to have said: "I don't skate to where the puck is, I skate to where the puck is going to be". One of the biggest players in the hardware game is making huge investments in software and services, which I think is an indication of where they think "the puck is going to be".

The implications for developing economies are clear. If hardware becomes commoditized (or abstracted away), the lion's share of the profit will shift to software.

It takes a huge capital investment to compete successfully in the hardware game (which largely precludes developing nations from taking part), whereas software has a lower barrier to entry. What the developing nations need to do, however, is invest in the skills needed to capitalize on this. We need to make sure that we don't simply go from buying foreign hardware to buying foreign software instead.

/mh



BlackHat 2010 - Slides / Paper / Rest..


BlackHat this year passed in a blur. In retrospect staying in Vegas for only 3 nights was probably a bad idea. (This is especially obvious when you consider that the round trip involves about 60 hours of travelling time)

I got in and mostly hid in my room working on the talk. I did the talk, and promptly hid in my room feeling sick till it was time to fly home. (This means that I failed completely to participate in teamZA's magnificent #hackcup football victory.)

In 2009, our "Clobbering the Cloud" talk squeezed about 138 slides into 70 minutes.
This year my talk was 50 minutes long (I wasn't convinced that the topic could hold interest for longer periods), and my Keynote deck was made up of 38 slides. But the presentation used both the 38 Keynote slides and a prezi presentation (with about 170 transitions).

This means there was never a chance of finishing the presentation in the allotted time. I was aware of this going in, and decided that a solution would present itself while I was on stage :>
(In truth, I didn't have the heart to leave out any of the points in the prezi. I had already whittled down tons of events from the timeline, and these ~170 _had_ to be included.)

The talk went well.. and live tweets [2] on the talk were complimentary:


I was going to upload a picture of the beard here, but instead I'll add the actual presentation materials. The talk was recorded and I'll paste a link here as soon as the video is made available.




[the paper] [the slides*] [prezi (stand-alone)*] [prezi (online)]

* This year I made use of the awesome prezi for my timeline visualization. They rock!

Some interesting additions have been made to the timeline since the talk, with some input from gera@core being particularly insightful.


[1] "Hang Over" reference added as akwardly as Allan's laughter to fulfill a promise

Viva las Vegas?

July in information security means Vegas heat, dark t-shirts and "BlackHat". Over the years there have been many new infosec conferences, but BlackHat remains the premier event for the infosec community.

In a few minutes, I'll start the >24-hour journey towards the insanity^2 (Vegas is crazy, and the injection of the Defcon crew just dials up the crazy-meter).

My talk this year turns me into an infosec historian:

"Memory Corruption Attacks: The (almost) Complete History...

Buffer Overflows, Stack Smashes and Memory Corruption Attacks have been the infosec headline stealers for the better part of 3 decades. Sadly, poor record keeping (and dismal regard for attribution of prior research) has resulted in huge gaps in our "hacker folklore". It has also resulted in several re-inventions of the wheel.

This talk traces the history of memory corruption attacks and defenses, from the Morris Worm of 1988 to the awesome Pointer Inference work published by Blazakis in 2010. We will demonstrate with code samples, live demos (and pretty pictures) the progression of these attacks, how they work, when they first came to light, and the mitigations that have been developed and deployed to thwart them."

I'll post the slides and paper here when the conference is over, but if you are in Vegas, say hi... (or pop by to throw something at us during the 'hackcup')

Conference on Cyber Conflict - Slides..

The CCDCOE (Cooperative Cyber Defence Centre of Excellence) held its Conference on Cyber Conflict in Tallinn, Estonia.

It was an interesting opportunity to see some of the issues that lurk beneath the "CyberWar" banner.

Charlie Miller (of pwn2own fame) and I were invited to talk about things from an attacker's perspective. Both our talks avoided the question of "Is the threat real?" (which I think was answered awesomely by the talk given by Bryan Krekel and George Bakos of Northrop Grumman), and instead focused on "stuff we know!"

I had 30 minutes (which isn't really enough to go too deeply into a topic). My slides (with some notes) can be found here.

/mh

200 Young South Africans you must take to Lunch

The Mail & Guardian published their 2010 list of "200 Young South Africans you must take to Lunch". According to their page: "These are young people who will shape our country in the decades to come, in the sporting arena, in public life and in business."

I made the list under Technology, which was really quite flattering. (thanks M&G, @singe)

Deels forced me to attend the lunch (which I would normally have found an excuse to avoid), and I was genuinely glad that she did. Making the list was flattering; meeting some of the other candidates was absolutely humbling.

Guys like Marlon Parker (whose software is really saving lives), or guys like Eusebius McKaiser (who are clearly future thought leaders in .za politics) make one realize both how much potential .za has and how much more I should be doing with my life.

Memory Corruption and Hacker Folklore

A while back I thought it would be nice if we had an authoritative source of memory corruption attacks (and mitigations) in a single document.

I resisted mainly because:
  • It seemed like a lot of drudgery for something we have been able to do well without,
  • It steers towards the word "taxonomy" [1]
  • I was a little lazy.
[1] Dave Aitel has posited that "people who thing (sic) of things as "Taxonomies" are always headed in the opposite direction from correct"

Late last year I ran some scripts (and waded) through OSVDB's database, to see if we could pull some numbers on memory corruption bugs (through the ages) and their disclosure rate compared to other bugs. (There's actually a wealth of fiddling in these numbers too, that I'll get around to at some point.)

I figured it would be nice to see a timeline of memory corruption exploitation techniques, along with the mitigation steps introduced, plotted alongside the bug counts (but I still lacked the real motivation).

Late last year, HalVar tweeted
"Walking down memory lane, reading old exploits from '99 -- can someone write a history of code exec '95-2009 ?"

@benhawkes did a fine job of presenting this at kiwikon, and over the years a few people have written papers / done presentations which covered some of this ground [A brief history of Exploitation Techniques and Mitigations on Windows][Generic Anti-Exploitation Technology for Windows][A Comparison of Buffer Overflow Prevention Implementations and Their Weaknesses].

The recent "Return Oriented Programming" / advanced ret-2-libc discussions revived these chats.

The incomparable @silviocesare said:
"A text file on google is transient, not officially archived, and generally academically untrustworthy." and "..Citing a URL which will be offline in 10 years time is not good."

This is true, but tragic if it means that techniques discovered in the 90s are not credited when re-introduced into academia today.

or as Halvar said
"The ROP discussion is amusing in the sense that our folklore gets republished, and then we are asked "what papers have you published" ? :)"

Being a closet academic (or at least trying to look like one), it seems the natural thing to do then is to actually see if we can get a good handle on our "folklore". I'm hoping that if we can add a reasonable amount of rigor, it can also pass as academically submittable, ensuring that it's read into the rolls.

Tim Kornau over at Zynamics waded through some of the history in his post on return-oriented programming and prefaced his post with the following disclaimer: "I will also take some of the recent discussions on Twitter into account which showed that even though I thought I did my history research pretty well, there were still some mailing list post missing from my time-line."

It's clear that doing this alone will miss huge chunks of data (and no doubt offend some people terribly). The simple answer is to experiment with a buzz-word, and try to "crowd-source" it.
I have put up a simple google-doc spreadsheet, which ties back to the eye candy visualizations you can see here: [index] and here: [combo]
(The combo page uses a Google visualization that needs flash, so you can skip it)

The important bit however is this: use the form to add events that you think need adding. If you have it with a good link and/or reference, that's perfect, but even if you don't, add it anyway. Our budding group of eager researchers (me) will chase it down and make sure it's slotted in the right place.

Vicarious Success


With the champions league reaching its crescendo, and 2010 being a world cup year, it's hard to get away from sports mania.



I can understand national pride and I can even understand the joy of a good match. (I was sport crazy through high school/university and sometimes played up to 3 organized football matches per week (for different teams in different leagues).)


What I don't get is the insanely fanatical talk of "my team did X" or the even stranger "we won!".
I used to think that this was just a harmless figure of speech, but listening to conversations during the champions league really leaves me dumbfounded. It's not the screaming at the television (which I can understand), but the vicarious sense of achievement people seem to eke out while watching "their" team playing.

In a world where we outsource everything we can, it seems as if many people follow sporting teams in an attempt to outsource achievement too. All of the high of winning, none of the cost of the training..

It seems dangerous to me, because it seems crazy to have my spirits (and it seems, my self image) tied so closely to something so far beyond my control.
"We were robbed", "we beat united!", "we really deserved last nights win!".
No you didn't! At least the players on the losing team got some exercise. All you got was a little bit of distraction..

Claiming victory (or bemoaning defeat) vicariously just reinforces the belief that life happens to you, and events are beyond your control. Earn your own victories.. They will taste so much sweeter..

"Your submission for Black Hat USA 2010 was accepted"



It doesn't matter how many conferences you present at, or how much you hate Las Vegas, around this time of the year those are very happy, welcome words.

I'll pop more details on the talk here in a few days (especially since I'm hoping to co-opt some of you).

Interestingly enough, despite almost a decade of Blackhat/Defcons, it's the first time I'll be free to take a training class. I'm pretty stoked!

/mh

(YaTT) Yet another Twitter Tool?


I wanted to play with Django, so I built this "toy" project to kick the tires. If you are on Twitter (and don't protect your tweets), check out http://fun.thinkst.com/land.
It's a very simple application that will grab a list of the people you follow, then grab the list of everyone they follow, to give you the top n% of people they follow that you don't.
My favorite feedback on it so far was:
@narvanitis: wow i dont follow @mdowd

Reason enough for me to call it a success :>
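The friend-of-friend ranking described above, as an added Python example (not the Django app's own code): it works over a constructed in-memory following graph instead of the Twitter API, skips accounts marked protected (the tool only looks at public follow lists), and returns the top n% of accounts your follows follow that you don't.

```python
from collections import Counter
from math import ceil

# Constructed sample graph (not real Twitter data): handle -> set of handles it follows.
FOLLOWING = {
    "me": {"alice", "bob", "carol"},
    "alice": {"me", "bob", "dave", "erin"},
    "bob": {"dave", "erin", "frank"},
    "carol": {"dave", "me", "grace"},
    "dave": {"alice"},
}

# Constructed: accounts whose tweets are protected. Their follow lists are
# not public, so they are neither traversed nor suggested.
PROTECTED = {"grace"}


def suggestions(me, following, protected=frozenset()):
    """For each account that `me` does not follow, count how many of
    `me`'s follows do follow it (the "people they follow that you don't")."""
    mine = following.get(me, set())
    counts = Counter()
    for friend in mine:
        if friend in protected:
            continue  # cannot read a protected account's follow list
        for candidate in following.get(friend, set()):
            if candidate == me or candidate in mine or candidate in protected:
                continue  # skip yourself, people you already follow, protected
            counts[candidate] += 1
    return counts


def top_percent(counts, pct):
    """Return the best-supported top pct% of candidates as (handle, count)
    pairs, most-followed first; ties are broken alphabetically so the
    result is deterministic."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    keep = ceil(len(ranked) * pct / 100)
    return ranked[:keep]


if __name__ == "__main__":
    counts = suggestions("me", FOLLOWING, PROTECTED)
    for handle, n in top_percent(counts, 50):
        print(f"@{handle} is followed by {n} of the people you follow")
```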

Cargo Cult Startups


While talking to someone on IRC today, I mentioned that lots of young companies (and some old ones) are Cargo Cult Startups. I was asked to explain (which is a sure-fire sign that someone hasn't been reading their Feynman), but figured I could probably elaborate.

In his commencement speech at CalTech (and in his book "Surely You're Joking Mr Feynman") RPF talks about Cargo Cult Science. He was referring to Pacific Islanders, who having seen the planes landing from the sky bringing provisions during the war, built hats with coconuts and erected runways, replicating marching drills (after the war) trying to get the provisions to land once more. The islanders were replicating the observed behavior without understanding the true nature of the tasks..

Now Feynman famously likened this to people performing the superficial motions of scientific experiment, without truly understanding the core of it, and if you look around today you will see lots of this disguised as "startup culture". Many managers have taken to colorful beanbags and foosball tables in the hope that this will result in another Google. In many of these cases, the chances of success are up there with the cargo plane landing near the islanders.

This would not be so bad if it were not so abused; i.e. if managers want to give their staff 20% time, how bad can it be? The truth is, it is sometimes downright horrible.
I have seen managers drag technical staff into pointless meetings all day, create ridiculous arbitrary hierarchies in tiny companies (mostly so they can play "Wall Street"), have draconian rules on leave, yet still firmly believe they have a unique culture, because they have nerf balls on the floor.

Startup culture is unique and awesome for many reasons, but probably the closest to my heart is how quickly incompetence / free-riders are exposed in a real startup. There is little room for the "blue-sky-engineer" or even fancy titles, and Alpha-geeks shine. Until it changes (and it might), it's a beautiful, meritocratic, achievement-oriented Nirvana.

In a way, the Googly office has become a crutch, and a "startup vibe" is too often used to disguise serious management deficiencies. Does it mean that an office that looks too Googly is a danger sign? No.. But it does mean that it probably isn't as positive a sign as you think.. Bean bags are pretty cheap..

37Signals, ReWork, and ReThink..

I just finished the new book from 37Signals - "ReWork", and it was a reasonably enjoyable read. (It was actually the first book I read through the iPhone Kindle App, which is incredibly cool.) (Would love to see that discussion at Amazon, deciding if they should support the iPad to sell books, or try to starve the iPad to sell the Kindle? But I digress.)

There are many, many 37Signals fanboys, and Signal vs. Noise has to be one of the more popular geek blogs out there, but it's really hard not to notice that what the 37Signals guys understand, more than almost anything, is how to market to the current geek-hackernews-entrepreneur crowd. They hit all the right notes to appeal to their target demographic every time.

There are obviously many times when you disagree with them (like saying that long hours at work is "making up for intellectual laziness with brute force", or their take on formal education, or the SalesForce.com bashing you often hear DHH talk about), but what's clear about all these times is that they are still marketing: picking a position, and hitting the headlines.

The Jason Calacanis / DHH interview that showed recently on "This Week in Startups" was pretty cool (even though it seems like DHH fans hated it), and my favorite Calacanis discussion point was around the often-touted "work fewer hours.. under-do your competition to win" line of thinking (at around 1:27:31):
  • JC: If your strategy is to make the simple version of things, then you dont have to work as hard, but if you are going up against a big problem, like "im going to build a car company like Tesla" and go against the big boys, you not working 30 hours a week and taking fridays off cause you will get your ass kicked by the people who are, and thats where your logic breaks down..
  • ...
  • DHH: Do you think Google succeeded because somebody worked 80 hours a week?
  • JC: Absolutely! 120.. they busted their asses.. Sleeping under their desks.. thats how Yahoo was built, thats how Google was built, thats how Microsoft was built.. Do you know the work ethics of these people?
There's no doubt that they are smart guys, but it's mildly annoying to see the startup echo chambers treat their word as gospel, cause sometimes it just isn't so.

Portswigger rocks..


If you didn't figure that Portswigger rocked for his elite "The Web Application Hacker's Handbook", or for managing to put out a tool I've never heard anything bad about (in an industry full of people who don't hesitate to say bad things), you have to give him +1 for having the coolest ad that ever graced an infosec magazine.


BURP SUITE PRO v1.3
NOW* AVAILABLE

  • New features
  • Same logo
  • More expensive


http://portswigger.net

*Product not available at time of print. Actual release date depends on the motivation and morale of Portswigger's helper monkey, but it will probably be before Christmas (2009)


The Passing on of a Legend..

On Friday my great-aunt passed away. She was an amazingly wonderful, warm lady whose work and efforts have touched the lives of many.

When you remember her as the soft spoken, self effacing granny figure at family functions, you tend to forget just how remarkable a person she was.

Rhodes University published the following tribute penned by Paul Maylam. It's the sort of tribute that makes you recognize the difference between regular people (like us) and legends like her..

The world is truly poorer for her passing..




And now for something a little different...

Welcome to thinkst thoughts, my new blog home. There is a good chance you got here from the SensePost blog, where I've been pondering, posting & prognosticating for the past few years.

Add us to your RSS reader.. (aka. the elevator pitch!)

There is much broken in the info-sec industry, and there is much broken in general. There are answers waiting to be discovered, brand new questions waiting to be asked, and really important problems waiting to be worked on.

Thinkst Thoughts will be the home of such thoughts, tirades, tips, tricks and tech. tid-bits..

and so it begins...

/mh

PS. If you subscribe to the RSS feed, I'll even promise to stop the annoying alliteration already.