Bad Penny » Politics

Secrets, Wikileaks, and Hacktivism

Ian Gorrie — Fri, 18 Jun 2010 21:48:30 +0000

Current events have put into keen focus the balancing act between privacy, data controls, the reason secrets are kept, and ethics.

So if you haven’t had an interest in Wikileaks, related individuals, the classified information that was leaked to them, and the people that did it, let’s get you caught up.

First, I would suggest the long New Yorker piece on Julian Paul Assange, the ambassador and frontman of sorts for Wikileaks.

Then perhaps you can review the breaking news threat in Wired here, here, here, and here.

The 2600 Magazine synopsis here.

The Wikileaks video from 26c3. My commentary about those conference talks is here.

Really what’s happening here is a conflict of principals. Lamo informing on Manning to the feds is an interesting character distinction in a difficult situation.

This has moved from an example of the tipping of a balancing act between the two separate philosophical ideals of do no harm and that information should be free to one of polarizing schools of thought last weekend. When Manning told Lamo that he was hoovering up compartmentalized information in bulk and throwing it to Wikileaks (I paraphrase), Lamo seemed to reach his tipping point and turned him in.

I have respect for both ideals at play in the 101 write-ups already up about this, a lot of the reactions to it smacks of confirmation bias and radical honesty which prevents me taking some of it’s points very seriously. Taken to an extreme, my view is that these notions undermine diplomacy, privacy, free enterprise, and the rule of law.

Risky Business made an interesting characterization on their podcast that Wikileaks is not a journalistic organization. “You can be an activist or a journalist, but you can’t be both.” The concept of a shield for whistleblowers and journalists is an interesting one and one that I find appealing about Wikileaks. Being a hacktivist is also interesting but is rarely legal. Based on Manning’s chat logs, it’s clear that he went out of his way to gather sensitive data stored places where he did not have ready access and send it to unknown persons overseas.

The uncertainty of who processes that data at Wikileaks is part of what raises concern about the organization to Lamo and to United States agencies if I read the tea leaves correctly.

Interestingly enough, people like Assange feel entitled to picking and choosing what rule of law they follow. I would like to hear which set of laws that he and his organization feel are applicable to them.

The hacker culture ideal of “no more secrets” is great until you realize that it’s hard to have a meritocracy. Maybe it’s impossible.

Will Gragido and myself are going to give a talk sometime about our vision of the ideal natures of our industry. He, speaking about his ideal of a sort of modern bushi, and my taking the other side of the coin of the measured agitator. Samurai vs ninja; mod and troll.

These two archetypes, the one of honor and responsibility and one of instigator and agitator for change are what I see as being the key roles for success. The philosopher warrior and the maker of effective change; innovator and practitioner.

—

The individuals with our skillset in our industry are usually tasked with safeguarding of data people think is important.

Because of who we are and what we do on a daily basis, most people in this industry develop a highly refined sense of risk and of others maturity for dealing with risks and secrets. Would you ever want to employ someone to keep your secrets that wears one of these t-shirts?

I’ve only read my clients email when they have specifically requested that I do so. Why? Because I’m not a prick who betrays the responsibility that has been entrusted to me. It is my job to secure and safeguard data, not be entertained by it or share it irresponsibly or indiscriminately.

In the end, Manning betrayed the trust and oaths that he took to his employer and nation, the United States. Did he do this to serve what he perceived as a greater purpose? I guess I’ll look forward to learning his answer in court documents and in his lecture series and book on the subject when he pulls a Mitnick later on when he gets out of prison.

Meanwhile, Lamo continues to entertain the whirlwind. It should be an interesting HOPE and Defcon this year.

Software liability

The Politics of Respect

Ian Gorrie — Fri, 12 Feb 2010 16:00:00 +0000

There is a lot of perennial talk of social engineering and direct project/resource management. Attempts to solve complicated political situations with manipulation or a slick widget tend not to work very well over time. They are not addressing the underlying issue.

The wedge of compliance or a mandate from a framework may get some base requirements moving. However, in order to get people; chief executives and influential management, towing the line for a healthy risk and security governance program, it will take something more. It takes a bidirectional respect for the people involved and bringing the conversation to them in terms that they, your audience, understands.

In short, technology risk in general is not well understood by many practitioners. Outside of direct practitioners it is barely understood at all. Technology risks to business can be so complicated to understand that it needs to be interpreted and put into well understood terms that everyone understands, such as dollars.

Fostering a climate of respect and reward of long term goals instead of a short-term win is key to the success of any real life security governance program.

I have some thoughts on how to begin.

Respect your audience:

Present in terms they understand.
To foster long term success, win by soft persuasion to the right path and finding of common goals. Not with a compliance beatdown or audit hammer.

Respect peoples time:

Have an agenda for your meetings and stick to it. Get through your agenda, keep it focused, and conclude your meetings quickly. Make effective use of everyones time.
Focus your presentations. Have the subject matter you are presenting be relevant and interesting to your audience. “If your numbers are boring, then you’ve got the wrong numbers” said the esteemed Edward Tufte. Keep in mind his criticism of PowerPoint.
Realize that you must effectively communicate organization needs and concerns in a language and context so that it is understood. This will enable the organization, and individuals, to form a measured and concise response.

Respect your resources:

Project management often overtasks. Assume and extol good will and respect and express it to those with whom you work. When performed correctly, you should find a net productivity gain. This is especially true with your indirect reports. Trust but verify, comrade!
Slow down your initial reaction to assign blame when priorities collide. Make a measured response that will be constructive to your resource, manager, executive, or business partner. Enter the conversation with at least the appearance of malleability and an open mind. The respect of at least entertaining the feedback, advice, and input of others into the decision making process earns good will and political capital.

Respect the constraints of your organization:

I can’t tell you the number of encounters I have had with peers who understand the role of a security engineer but do not understand risk management. An information security professional is very rarely tasked with eliminating all risks inherent in a system. Most often it is reducing risk and exposure to amounts that are acceptable to the organization for a cost they can tolerate. The biggest challenge that an information security professional has is communicating in relevant terms the unmitigated risks and exposures to the organization they are working within. Don’t take it personally when the perfect ideal is not made a reality. Optimize, compartmentalize, and reduce exposure. Getting this fit right is done by putting risk in terms everyone can understand, maturing an organization, and identifying exposures at an early stage of development.
Because of the vast differences in organizations, there is almost never a silver bullet solution to risk. Everything must be right-sized both at the design table and where the rubber meets the road. Often timetables for change will be longer than desired. The important part is that change is happening. The schedule can change as the landscape, challenges, and risks change.

Too often I hear other fellows in the trade using harsh words to begrudge people who do not understand risk management instead of lamenting their inability to express it in terms that they will understand. Too often problems arise in not communicating effectively and in not earning or giving respect. This failure in communication was what I read into this CSO Online article about a $10M raise in budget after a showboaty penetration report.

Ira says “grab by the balls.” I say “communicate effectively and with respect.”

On hackers, maturity, and the international market

Ian Gorrie — Thu, 06 Aug 2009 21:10:43 +0000

There has been several published works on the what the media calls hackers, the hacker underground, the information security industry, and the technorati class in general lately. Here are a few:

Phrack #63 section 13 The death of the underground
Zero For 0wned The “Industry check” section
H Security All Around My (Black) Hat
CNN Technology Hanging with hackers can make you paranoid

In order of relevance, naturally.

The topic of the increasingly organized crime aspects to the commons of technical adversaries and quality of technical achievement has been an ongoing and frequent discussion piece with nearly everyone clued that I know in the industry.

The truth of this is debatable, but the facts are not. The average technical practitioner, the opposite of the paper credentialed individual, is getting older. Skill sets, in general, are getting shallower.

My take on this is that the level of interest from the industry at large has shifted from one of the hacker mindset of wanting to know how things work and looking for elegant solutions to complicated problems to one of functionality and bad practice engineering.

Functionality and not structural integrity:

Why debug a system or application when you can reboot?
Why use hard proven technology when you can make a Web 2.0 AJAX application that has no native trust model?

Some of the heavy handed moves driven by the DMCA pose a question. What is gained by legislation effectively outlawing security research and reverse engineering by imposing enormous civil and criminal penalties?

I say that the answer is nearly none at all.

Banning of cloning research merely relocated the innovation centers overseas. It didn’t stop the development of that line of research, it just assured that those in the United States would not be a part of it.

Instead of reacting to problems by fixing the cause of the problems, it seems many corporate entities, and their friends in Washington, respond by lobbying for legislation outlawing practices that threaten their business as their answers and writing fraud off as the cost of doing business.

This is where your increased credit card fees are going as fraud dollars are funneled overseas and identity theft runs rampant.

Instead of focusing on hard problems that need elegant solutions, we’re making examples of kids who modify consoles. The laws of the United States have limited influence to those who live outside its borders.

Where are we left when the innovators are Russian criminals and it’s left to academics to study their malware? Are we just left to study the malware left in crime scenes and the trash after their parties?

Let’s look at a real world example. Germany.

From Phenoelit’s .de webpage:

In June 2007, the German parliament passed changes to the computer crime laws, including §202c StGB, which states (unapproved translation):
Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to

passwords or other access codes, that allow access to data or

computer programs whose aim is to commit a crime

will be punished with up to one year jail or a fine.
Additionally, this new section is interwoven with other laws, including the ones covering terrorism. The current interpretation includes the acceptance of others committing a crime using your (or our) material as violation of §202c.

What did they, and THC, and others do? They left Germany. The JAP project was undermined. Tools, content, and discussion were sent beyond their borders. Oversight of them went along with them making sure that only seasoned criminals and not security professionals would work with them in Germany. I’ll look forward to the future release of case studies of breach disclosure and its relation to this legislation over time as several consultancies do not want to take their chances in providing penetration test work product there.

I’m really disappointed that a wake-up call has not gone out. The problem here is not full disclosure, free bugs, or video game console mod chips. It’s that we’re addressing the easy symptoms of a difficult cure.

Channeling this passion and genius to solve problems instead of outlawing and leaving it to criminals is ideal. I’m not going to try to wage the Fair Use war that Lessig and Change Congress are engaged in fighting, but I am advocating that we approach the right problem and not just attempt to wish it away.

Jail penalties larger than murder for jailbreaking iPhones or chipping an xbox strikes me as ineffective. Let’s get real about what is in the best interest of society here. I submit to you that the present course is not it.

Software liability

Ian Gorrie — Sat, 22 Dec 2007 16:17:11 +0000

Another perennial topic that seems to come up whenever I am speaking to someone who is a consumer of technology. If they are one of the people that I actually bore with some of the details about what I do, it isn’t uncommon for me to talk about their individual concerns about internet security and identity theft.

Usually what they express to me is how they feel they have to be internet security experts to feel comfortable using the typical consumer computer configuration and going on to the internet to do anything. They feel that the industry has failed them in that no real concern is given to safety in products, but the focus is on selling the Next Great Innovative Feature Packed Product.

When industry experts get together, they tend to talk around the real issue and blamestorm about who should be left holding the bag. Usually, and strangely to me, this is the same people, or those next down stream from those people, who they are selling their products. Blaming their customers for buying their products? Interesting thinking there.

Therefore, as I’ve stated elsewhere, I have found it encouraging that the House of Lords published a report on personal internet security in which they preface with the following:

The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless “wild west”. It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.

We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.

There is also an interesting method of encouraging public discourse on the subject and one of the advisors to the council has a commentary about the whole process.

Interesting talk here, but there is a large degree of opposition. After all, it is features that sell software and not safety or quality; it is utility. When bad things happen, it is blamestorming and not pragmatism that prevails.

At least, that is how it has been until recently. Many people I know use the TJX breach as a case study for the PCI industry. Certainly it is interesting for a variety of reasons and has more than enough blame for each party involved.

Because of the invisibility of the problem caused by the reluctance of private firms to report on breaches unless they are caught and the technical adversaries aversion to attention, it is hard to address the problem for lack of quality data. This has every indication of changing in the future if California’s example is made federal.

For the most part, the feds in the USA are out to lunch and ineffective:

Limited resources. Current and former agents contend there are too few federal cyberinvestigators, and that too little is done to retain detectives with advanced technical training. Budget numbers appear to support the critics’ complaints.

Fractured responsibility. A half-dozen federal agencies fight organized Internet crime with overlapping programs, and at times are barred from sharing information. One private security consultant described having to act as a go-between, linking information between two agencies unable to talk directly.

An unfamiliar threat. Traditional crime-fighting techniques are often useless. And there are indications that top government officials still do not appreciate the scope or danger of the Internet fraud menace.

The great freedom that companies have with selling and sharing customer information and the limited and largely ineffective ability for those consumers to opt out of their practices is, in my opinion, one of the largest reasons for the identity theft epidemic.

Politics in system security

Ian Gorrie — Wed, 19 Dec 2007 16:20:58 +0000

I’m surprised that some of these behaviors that I mentioned a year ago haven’t changed.

Yesterday many Apple users were installing a system security update. Depending on what article you read, this was either a really huge deal involving “monsters” and giant failures or a snoozefest of local vulnerabilities and not much of an issue at all except for the issue with preview.

What seems clear is that a lot of people take Apple super seriously. I’m pretty unclear on why.

I understand why my kool-aid drinking friends at The Empire are down on Apple. It comes with the territory. What I don’t understand are why some of the more level headed open source coders freak out about it. This vulns are largely open source local exploits. OSX threat vectors do not currently involve:

no usb autorooters
cdrom pwnkits
no real self propagating malware (yet)

Apple definitely has some interns writing code over there and it has shown on occasion, but I still think they’re ahead of the pack. Most of the complaints when the SANS FUD was brought up surrounded “well mac users are clueless” which is generally a valid point when it comes to common good practices. After all, types like me are always going to be in the minority. Why? Because people should not have to be hotshot information security experts to read their email or buy a book online.

Even though the drum is being thumped as much as possible trying to express “look! they’re just as bad as we are or maybe worse!” it isn’t playing out if you understand that open source software is easier to audit than proprietary software that needs to be beat on with fuzzers to prospect for quantitative results. Historically, every high or medium exposure will have malcode floating around in short order for Windows. So far it’s not easy enough to weaponize or just not worth the trouble of doing so for OSX.

I feel more comfortable about a fast disclosure and remediation cycle than a secret one where patches are only issued if there is exploit code in the wild and it can’t wait for the next service pack release to quietly fix the problems without attention from the nerdly public. It is a more honest and forthright policy which leads to building trust and more meaningful risk forecasting.

I think everyone that has been in my industry for a while has many examples of where embarrassing flaws and proof of concept code has shown what has been labeled as “purely theoretical” or “just a ipv6 bug” was anything but. Remember these lessons in your travels forward. Especially when companies like Cisco are going to put a bunch of features in IOS after unifying their target platform for heap overflows after denying their existence.

The more things change, the more they seem to stay the same in this game.

fud, sans, zdnet