Some more thoughts on the infosec culture

Hey, time to dust off this old blog. I don't use it very often, except in cases like this one. The following post is expressing my own personal views and is not in any way connected to or representative of the views of my employer. Okay, that's out of the way. Let's chat.

A few months ago, Rob Fuller wrote a blog post entitled "Go Home InfoSec, you're drunk" . I was not aware of this blog post until last night. A friend of mine told me about the post at a party, and said that I should read it because it would make me "hate [him]".  I consider Rob a friend, and I have a great deal of respect for him both professionally and personally. So yes, I am biased in what i'm going to say. This morning, while recovering from a hangover, I read this post. I did not find myself getting mad at Rob at all. One of my first thoughts was actually how proud I am that I'm friends with him. My second thought was promptly "aww crap, I'm part of this problem."

I have been doing a lot of thinking about our InfoSec community lately. We use that term a lot, but don't often take full stock of what it means. Being a community means, among other things, looking out for each other. It means having dialogues where we discuss the issues we are facing together. I am somewhat disturbed by the trend of hostility towards people who try to open these dialogues. Whether you are talking about drinking, like Rob, or drugs, or sexism, or general bad behaviour. The people who try and stand up and say "I think we have a problem. We need to address this" often get attacked. If you haven't noticed, it go back through some of the discussions about the environment t InfoSec conferences.

A common theme that appeared in the response to Rob's blog post was "Every conference is like this, it's not just InfoSec". That is about the worst argument you can possibly make. It's not even an argument. That's the sort of thing you tell your children is stupid. "Yeah but Billy did it". How does that excuse, or in any way make your behaviour more acceptable? It doesn't. I don't care what Billy did, I care what you did. Well, I don't care what they do at other conferences, or in other Industries. We are talking about OUR conferences, OUR Industry, and OUR community. Because we are not just an Industry, we are a community with all that entails. Let's stop shifting the conversation.

Yes, these problems are much larger than our community, but this is where we can start changing them. We have a slice of society here that is all our own. We are shaping it right now. We have incredible power and control over it, and who cares what outsiders do.  There's still tons of sexism out there. There is still racism, and prejudice against sexual orientation, gender identities, religion, and every other stupid thing people can come up with to divide "them and us".  We seem almost biologically compelled to create these seperations. Fine. Let's do it. Let's define the boundary.  Are you ready:

Us: Hackers. Every kind of Hacker. I don't care what you do, if you think you're a hacker and you are passionate about it, and love it, and want to geek out with other hackers, then you are a hacker. You are one of "Us". Done.

Them: Everyone else.

There we have a dividing line now. I don't care what race, gender, orientation, religion, political view, or anything else you are. If you're a hacker, you're just like me. If you're not, I don't care what you've got going on right now for the purposes of this blog.

So, now that I have magically solved our inclusion problems, let's get back to the alcohol thing. Rob is not attacking people for drinking. He's not asking for everyone at cons to stop drinking. What he's asking is for people to stop and reevaluate the choices they are making. Try going to a con without drinking. How was your experience different? Were you still able to enjoy it? If the answer that question is no, then we have a big problem. Rob suggests conference organizers try and add features that help build inclusion for non-drinkers or people recovering from addiction to alcohol(or any other substance). Let's not have a cycle of co-enablement that sends us down spirals of self destructive behaviour. Rob never says "don't drink" and I don't advocate that either. However, If we are honest with ourselves, can't we admit that we go too far sometimes? Is it necessary for us to get so drunk that we feel awful and useless the next day. I ask you this as I recover from a hangover in Vegas. I am not sitting here preaching to anyone who reads this. I do not have some sort of moral high ground here. I am writing this from someone who is thinking "crap, I'm part of the problem".

I don't have the solutions to our problems, I'm not that guy. I o think though, that we need to open more dialogues. We are a community. We need to band together. Look at the past few years. Think of some of the people we have lost. Not just to substance abuse, but any other problems, such as depression. Think of the people we know and care about who are currently struggling with those issues. We are a community, and we are hurting right now. So, if you are reading this while in Vegas, here's my call to action:

Keep an eye on your fellow hacker, whoever they might be. If they need help, be there for them. If they are drinking too much, at the very least be there to make sure they stay safe. You don't have to stop them from drinking, just look out for them. If you see someone struggling with anxiety or depression, talk to them. Listen to them. You never know just how much of a difference that can make.

Keep an eye on yourself. Stop to think about how you are acting from time to time. Ask yourself, is this really the way I want things to be? Is this how I want people to think of me?

Include people no matter who they are. If you see someone looking lost and lonely at the conference, reach out. It can be very hard to be new in this community. Having someone take you under their wing and introduce you to people is the most amazing thing that can happen. It affects you personally, fills you with pride and self confidence. It improves your professional life, and can be a launching pad for you to do great things. Give that gift to someone every chance you can!

Be better than "them". I defined out Them and Us. Well here's a secret, I don't like alot of "Them". Let them rot for all I care. I care about us. So stop using any of "Them" as an example. Let them go do what they will do. We will prove we are better than they are. We will make our community a shining example of what can be. Let's make them all say "Why can't we be more like the hacker community?"

Well that's it. that is my long rant for now. You can argue with me, you can attack my points. You can attack me if you really want. Just please, don't dismiss it and ignore it. We need to open a dialogue. Thanks for reading.

- David "thelightcosine" Maloney

Women in Gaming/Tech

(Disclaimer: The views expressed here are entirely my own. They do not reflect the views of my employer, or anyone else. They are mine and mine alone)

Every day I am confronted with an overwhelming theme in the snippets of social dialogue of which I peruse. I am probably what Ryon Day would call a spiritual window-shopper (http://ninjaloungehouse.wordpress.com/2012/08/09/felicia-day-ruined-videogaming/#comment-84) in a lot of ways. I sit here comfortably watching the discourse flow by. Often I am just not mtoivated anymore to take part. Other times I am paralyzed by rage, unable to find a meaningful or impactful way to contribute. Our discourse as a society has become shattered and we now fight each other with vehemence and vitriol over the small peices of the puzzle. But, I digress.

Lately I keep hearing/reading about the plight of Women in Tech. Or women in the Games culture. The more I see this come up though, the more my reaction has started to turn to anger. That's right, I am angry at the people who say "women are treated badly in the tech field" or "women are treated badly in the gaming world".  To these people I say this now, being as frank and clear as I possibly can: "Women are treated badly EVERYWHERE". The problem is not with gaming or tech, or any other sub-culture. The problem is with our culture! Why limit this even to women, though? They hardly have a monopoly on this phenomenon? What about Homosexuals? Bisexuals? Transgenders? Transvestites? What about anyone who is not a White Hetero Male, essentially?  As a White Hetereo Male of the fairly standard European stock, I am amazed at what I see. I have had conversations with people who I respected and found to be very intelligent when a bombshell comes out of their mouth like "it's all part of the gay agenda" or some other suitable piece of toxic mind-poison.

When rabid pro-whatever people start causing a ruckus, we find the corners of our mouth tugging in distaste. We say to ourselves "why can't they just be a little more reasonable?" I am surely guilty of this, just as I am surely deserving of someone telling me to shut up for it. The fact is us White Hetero European Descent Males have held a majority of the power across the world for quite a long time now. Yet, no one cries more shrilly when they feel threatened. If you don't beleive me, just turn your attention to politics here in the US for five minutes. There's an entire sect of the Republican Party polarizing around their pride at being White Hetero Christian Males who want to make sure that people like homosexuals stay in their place(although I think some of them would like even more drastic measures).  When women come forward about being marginalized or worse yet, sexually assaulted, they are spewed on from a firehose of filth. On the internet we have come to expect a certain level of verbal sludge spewing forth in our direction whenever somebody says something we don't like. What these people face is a whole different level though. This level comes with threats of violence and sexual assault on a routine basis. Let me just reiterate: we as a culture seem to be okay with the fact that, if somebody doesn't like what you have to say they can threaten to rape and kill you. Maybe i'm overreacting, but that seems like a few steps down the path to essentially condoning crimes of murder and rape. There should be nothing funny or acceptable about this behaviour. If anyone reading this has engaged in this behaviour, let me just say this "You are the one who should be treated as subhuman. Not women, not gays, not transgenders. You! You are contemptible and despicable, and I feel sick to think we are even from the same species."

So, now I have rambled in an irate manner for a while. I'm going to wrap this up. Anytime you start to rationalize dehumanizing another person because they are different than you, you're on a dangerous path. We need to stop focusing on our myopic sub-cultures, and realised there is something fundamentally broken within our society.  As long as things like this: http://www.kansascity.com/2013/10/12/4549775/nightmare-in-maryville-teens-sexual.html can continue to happen, I will feel sick inside.

That's my two-cents.

Wake up Geeks: We Won

It has been a long time since I have posted on here. If I look back at the posts on this blog, I'll probably shake my head at old me. However, I needed a venue to talk about something, and this is the best one I have.

There has been a lot of discussion in the InfoSec community about sexism, and attitude towards women. This is something, that I think, we are all aware of. This discussion isn't just happening in the InfoSec community though. It is across the 'Geek' community writ large. There has been a backlash against the so called 'fake geek girls' or 'fake gamer girls'. This image http://imgur.com/KTVGeCL is the most recent example of this dialogue, and it made me smile a bit.

The "Fake geek Girl" thing has been going for a while now. One of the more notable examples is the attacks on Felicia Day. If Felicia's not a real geek, then I don't know who is, but let's not focus too much on specifics. There is obviously a fair bit of misogyny floating around out there, which fuels part of this. Some of it can be chalked up to immature people being unable to handle smart attractive females in their community. I think it goes deeper than that. While I did not grow up female, I am married and have four daughters, so forgive me the hubris of discussing a bit of growing up female.

Men , as we grow up we are expected to behave a certain way. There are consequences if we fall outside those norms. Mostly though it comes down to the simple forms of bullying we all remember. We might get picked on, or even get into fights. Girls often seem to have a different experience. The expectations on their behaviour and conformity are, for whatever reason, much stronger and more constricting. Girls are often ostracized for being geeky or nerdy. They are verbally and mentally abused on a much more profound level. As children, it seems like girls are much more social than boys. That is not to say that boys do not fall into groups, or that the group dynamic isn't important. However, the 'loner' persona is still some degree of acceptable for boys. A girl who is loner is just further ostracized by people around her. Why is she a loner? she must be weird. There must be something wrong with her. There is an awful downward spiral that seems to exist there. The point I am driving at, is that it is much harder for girls to be openly geeky growing up than boys. That's the way it seems to me anyways. Maybe I am wrong.

One final note before I move on. Even if you found one of these 'fake geek girls', so what? First of all, how does it possibly hurt you? Secondly, why do you think they are doing it? Does it not stand to reason that they must see some inherent value in the things you also value? Maybe they identify with the culture, but don't understand how to be a part of it yet. Maybe they feel trapped on the outside trying to get in. Why shun these people, when you could help them? If they need a hand 'really' getting into the culture. Help them. Show them things they might like, talk to them about stuff. I've got news for you: there is no grand conspiracy of attractive women trying to infiltrate ComicCons in order to destroy them forever. We can only win when we convert new people.

Let's talk about this concept of feeling trapped on the outside a bit more. I think this gets more to the heart of the matter. time to leave gender at the door. I've had a long running theory that we hackers have a common thing binding us in some way. Look around the hacker/infosec community. We are a diverse lot. The same goes for gamers, comic fans, otaku, or even punk rock. I asked myself what explains why such vastly different people all ended up with the same love. My theory is this: a feeling of being powerless.

I believe that most, if not all, hackers have had a period in their life where they feel powerless. That is a horrible feeling, and it can do horrible things to you. Getting into hacking gives you a world where you can feel powerful. It is a world where your drive and your intellect determine just how powerful you really are. I think this same theory extends to a lot of the other 'geek' areas. Gaming ( D&D, board games, video games, doesn't matter), comics, sci-fi and fantasy novels, even Punk Rock. Hell Punk Rock is an easy one. The entire Punk attitude is about feeling stepped on and powerless and trying to take back some of that power by raising your voice.

When we were growing up, we felt that powerlessness, and we looked for avenues to not feel that way anymore. We clung to these things. Maybe liking some of these things is what set us apart in the first place, but that just reinforced how much we needed that part of ourselves. Fellow children of the 80s, I think, will feels this especially.

Fast forward to the modern-day though. Punk Rock music is pretty mainstream, and has influenced the newer genres of music. People in their 30s and 40s go around listening to the Misfits, or the Ramones, or the Dead Kennedys etc. ComicCons are everywhere and have massive attendances. DefCon had ~15,000 people in attendance this year. There are more Hacker/InfoSec conferences around the world than I can count anymore. The Lord of the Rings movies were some of the highest grossing movies ever. Some other box office favorites include practically every comic book movie made in the past 15 years. Video Game sales are off the charts and millions of people play things like Magic the Gathering every day. Rel1k is going on news programs to be interviewed as an expert, instead of 'scary hacker guy'.

Wake up Geeks, we won!

The things we like are everywhere. They are doing better than ever. Our sub-cultures are flourishing. New people want in. They like what they see. In other words: we now have the power.

So what are we doing with that power? Well, some of us are doing the same exact things that we hated when we were young and powerless. We are becoming elitist, and exclusionary. We are using our power to feel big, and make other people feel small. In the end, that behaviour makes us small though. Some of us are squandering our power and influence when we could be doing so much with it.

I say some of us, because there are plenty of people who aren't doing this. Wil Wheaton often says something I really like. I don't have a direct quote handy, but it goes something like "Being a Geek isn't about what you love, it's about how you love it". He goes on to talk about bonding with people who love other cool things the way you do.

I mentioned Punk Rock earlier, because i think it fits in with this same model. There are two great articles written by Greg Graffin, the lead signed of Bad Religion. I cannot find the originals anymore, but copies can be found at  http://punkhistory0.tripod.com/punk/id2.html and http://www.spunk.org/texts/music/sp001774.html . The second one is especially important to me, and really relevant to this discussion.  He talks about how Punk was supposed to be about having an inclusive community of people who were different from the norm. It quickly turned into just another group to exclude people from. It just changed who got to do the excluding.

You can choose to disagree, or even disregard me. Take a look around though. Whether you are a Punk, a Hacker, a Comic Geek, Gamer, Otaku, or whatever.  You have power now. Your culture has value, and influence, and so do you. Use it to change things. Don't repeat the same crap that probably made your childhood hard or unbearable. Let's make life for the next generation better than it was for us. If you see someone struggling to fit in to your community: help them! Show them around, introduce them to people. Introduce them to things you like, find out what they like. Chances are, both of you will grow from it.

Security-Bsides Austin Texas

I am proud to say that my talk has been selected for B-Sides Austin TX this year.  Check out the Abstract below if you're interested.

Name: David Maloney, @thelightcosineTitle: Don't Pick the lock, steal the key
Length: 45 minutes
Abstract: You've got a problem. You're running a pentest and the only vulnerable box is some shmuck's desktop. Is it game over? wait, what is this WinSCP application on his machine? don't give up just yet. The wonderful world of fail that is password storage is about to save your butt. In this talk we will break down how Windows applications store their password. Where they store them, how they encrypt or obfuscate them, and how we can attack them. Then we will follow up with some real world examples from the Metasploit Framework, and show how you can turn one workstation into total network compromise in a very short ammount of time.

Some facts on the First State Superannuation Issue

Some blogger, has recently written a somewhat uninformed post on the whole Patrick Webster FSS issue. The author seems to be under some misapprehension about how these sorts of things work. Which is cocnerning for someone who claim to be a Web Application Security person, and is taking the pulpit to preach on the issue. Then again, why should we expect anything less from the Internet right?

In his post the author states: " It should go without saying that at this point that he could, just by the actions he had taken up to this point, be in violation of any number of data privacy laws."

Really, goes without saying? Actually it doesn't. Let's take a look. The first statue they claim he is in violation state the following:

308H   Unauthorised access to or modification of restricted data held in computer (summary offence)

(1)  A person:
(a)  who causes any unauthorised access to or modification of restricted data held in a computer, and
(b)  who knows that the access or modification is unauthorised, and
(c)  who intends to cause that access or modification,
      is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.

(2)  An offence against this section is a summary offence.
(3)  In this section:
restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.


Let's look at the other statute that is referenced:

478.1  Unauthorised access to, or modification of, restricted data
             (1)  A person is guilty of an offence if:
                     (a)  the person causes any unauthorised access to, or modification of, restricted data; and
                     (b)  the person intends to cause the access or modification; and
                     (c)  the person knows that the access or modification is unauthorised; and
                     (d)  one or more of the following applies:
                              (i)  the restricted data is held in a Commonwealth computer;
                             (ii)  the restricted data is held on behalf of the Commonwealth;
                            (iii)  the access to, or modification of, the restricted data is caused by means of a carriage service.
Penalty:  2 years imprisonment.
             (2)  Absolute liability applies to paragraph (1)(d).
             (3)  In this section:
restricted data means data:
                     (a)  held in a computer; and
                     (b)  to which access is restricted by an access control system associated with a function of the computer.



Look closely at (3) in both statues. This can only apply if an access control was circumvented. Insecure Direct Object Reference is not bypassing an Access control. It is a complete lack of an Access Control. I may not be a lawyer, but I suspect that this charge would have a VERY hard time standing up in court.

It really is not hard to look up these statues online. I would suggest that people actually read up on the subject matter.  all and all, I would be surprised if this whole matter doesn't blow over. The worst that I suspect will happen is that they make Webster sign that agreement on page 2 of their letter or refuse him any further online access. They could, theoretically, even drop him as a customer I suppose. I doubt any serious legal action will occur, but I could be wrong.

Mr Webster,  I am behind you, and i am sure many others are too. Good luck.

When even Responsible Disclosure Fails

Disclaimer: The opinions expressed in this blog are my own, and do not reflect the views of anyone but myself.

In the latest incident, Patrick Webster of OSI Security, is under threat of legal action. This threat comes after he disclosed a vulnerability to First State Superannuation . The vulnerability was a case of direct Object Reference. By manipulating a GET parameter , Webster was able to access the statements of other customers. The legal threat is based around the idea that Webster violated Australian computer crime laws, and bypassed a security measure. Direct Object reference is not bypassing an access control. It is, by its very nature, the lack of an access control. Webster did not go public with this information, but rather went directly to the company to notify them of the flaw. On one hand, the company thanked him for his help. On the other hand they sicked the police after him and are trying to hold him responsible for the cost of fixing the flaw. Customers of First State Superannuation should be outraged at this. The company, which is responsible for protecting their customers' information has failed to do so. When one of these customers showed this failing, they held him responsible for it. The fact is, FSS has been negligent in providing proper security for their customers. They should be held accountable for this failing. Let's make a hypothetical analogy:

A customer walks into his bank, and asks to access his safety deposit box. They ask him his box number, and he tells them the wrong box number by accident. They bring him another person's box without verifying his identity. When he explains the mistake to them, they call the police and have him arrested.

If you read about this scenario in the newspaper you would be outraged. Why should it be any different in this case?

What is even more deeply disturbing, is the fact that this is far from an isolated incident. In the past year, there have been at least 2 other cases just like this. Earlier this year, a security researched by the handle of Acidgen disclosed a buffer overflow vulnerability to German Software company Magix. Acidgen contacted the company with the information, and had supposedly amiable communication with them. During the course of his conversation, he supplied them with a Proof of Concept that opened up calculator when run. He asked the company to let him know when it would be patched so he could release the details after it had been fixed. This is when Magix began threatening legal action against Acidgen. Among their claims, are the claims that sending the PoC to them constituted distribution of 'hacking tools'. They also claim his intent to release the details after a patch constitutes extortion.

Another example is the PlentyofFish.com dating site hack. Security researchers discovered a vulnerability in the site that allowed access to customers' private data. The researchers claim that they simply informed the operators of the site of the vulnerability. In a bizarre twist, the owner of the site posted a bizarre rambling blog post where he claimed that the researchers attempted to extort him. His story was bizarre in the extreme indicating Russian Mob involvement, extortion, and even originally implicated journalist Brian Krebs in this scheme.

What I see here is a very alarming trend. Companies are trying to redirect all blame for their own failings to the very people who are trying to help make them more secure. If this trend continues, researchers will simply stop practicing responsible disclosure to most of these companies. In some cases the disclosure will go back to Full Disclosure practices. Otherwise, some researchers will just keep silent.

So what would First State Superannuation say if Webster had kept silent. Then a month later someone far less scrupulous exploited this vulnerability to attempt to make a profit. FSS should be thanking Webster for saving them all the embarrassment and possible repercussions of their irresponsible 'security' practices. These companies need to wake up and work with the community to help protect themselves, or things are only going to get worse.

DerbyCon Retrospective

Rel1k recently posted his thoughts on how DerbyCon, and I thought I would share my own. I have not exactly made a secret of how I felt about DerbyCon. The speaker lineup was simply amazing. There were very few spots where I didn't have a talk I wanted to see. I unfortunately had to make some hard decisions between talks that were going at the same time.

When I go to conferences, I often find myself wandering aimlessly for periods. I'm not interested in the talks that are on at that time, and I don't really have anyone to talk to. So I wander about until I find someone I know. Every time I started to wander at Derbycon, I would run into someone who wanted to talk about something. I had no real "down time" the entire conference.

I spent time hanging out with, or at least talking to, people who have been something of heroes to me. I have followed some of these people for years, and getting to talk to them was great. What was even more amazing was that many of them knew who I was! Shaking hands with Chris Gates for the first time was surreal for me. I have followed Chris since I started in security. I tracked dookie2000ca down and finally got him to sign my copy of  Metasploit: A Penetration Tester's Guide.I got to spend time hanging out with jduck, corlanc0der, and sinn3r.  Everywhere I went, I felt not jsut like an equal, but like we were all friends. The most telling thing about the Information Security community is that we call it the Community, not the Industry. DerbyCon embodied this spirit. The entire weekend felt more like a family reunion than a conference, and I was sad to leave.

I was privileged to get to take the CoreLan Exploit Dev bootcamp. This training class was intense. We went from 1600-0200 both days, and didn't make it through everything. Peter Van Eeckhoutte (corelanc0d3r), took a class of 30 people from different backgrounds and walked them through windows exploitation. Some people in the class had absolutely no experience in exploitation. Despite this, Peter kept the entire class moving along, and as far as I could tell, nobody was lost. It was a shame that I had to miss parts of the conference for this training, but I would make the same choice again.

Brandon Perry and I wandered into the CTF room out of curiosity at one point. I had no plans to enter the cTF, so I hadn't really brought any tools with me. We decided to start playing around, not to seriously compete, but to have fun. We shared things we found with each other, and were just having a good time. Before we knew it, we were on top of the leaderboard. The organizers came and asked us to either be scored as a team, or to stop working together. I closed my account out and we kept working together under Brandon's. I was tied up with training for most of the conference, so Brandon spent a lot more time on the CTF than I did. In the end, we ended up in 5th place. I think if we had gone in prepared from the start, and I had the time to focus on it, we could have won. See Brandon's writeup on the CTF efforts here.

A few weeks before Derbycon, I started trying to put together a #metasploit meetup. I wanted to get everyone from the metasploit IRC channel together to hang out for a bit, have some drinks and just have fun. Mubix came up with the idea of throwing a birthday party for ms08-067, so the two ideas merged naturally. Mubix got it all organized and pulled off a great event. There was a big cake  and we all sang happy birthday. Then HD started handing out Redbull and Vodkas to EVERYONE at the party!

So I have ranted for long enough, I guess. The summary is this: Derbycon was probably one of the best experiences I have had. I felt at home the entire time I was there. The entire weekend made me more certain than ever that I am where I belong doing what I am meant to do. I can't possibly thank everybody enough, but thank you conference organizers, Rel1k, HD, Jduck, Corelanc0der, sinn3r, nullthreat, lincoln, bperry, Red, and everyone else I hung out with this weekend.