Archive for October, 2010


October 28, 2010

I assume it’s been obvious from the beginning that Johnny Cocaine was a quasi-fictional persona. No one’s last name is really Cocaine, is it? Certainly I’ve regularly mentioned the fact that I lie sometimes, in various ways, in order to spread disinformation, make it harder to recognize me, or just get more followers (thanks for the praise, but I really am male and don’t have nice cleavage.)

I “invented” Johnny for a few reasons. I wanted access to the “hacker underground” – web sites, IRC channels, private trackers, etc., in order to gather intelligence. I wanted to do a bit of a social experiment a la Robin Sage. I wanted a place to be un-censored, without it reflecting on my employer or being seen by future employers. And it was damn fun. Plus, though I didn’t know it at the time, I was going to meet a lot of cool people.

The truth is I haven’t done illegal drugs in a long time; even cigarettes are only an occasional vice. (I do however enjoy fine wines, craft beers and expensive liquors.) I’ve never really committed any crimes other than past drug use; I’ve never even been arrested, let alone done time. I rarely make it out to nightclubs or rowdy concerts these days; I wish I had more time to do so.

Much of my real personality and a lot of my real interests did come through. I’m opinionated, sarcastic, distrustful of authority and unthinking obedience, generally libertarian and interested in many of the stereotypical geek hobbies. I have been involved in hacking, both as a culture and activity, for many years; I cut my teeth downloading cracked games from BBS’s for my Commodore 128. By this you can tell that I’m closer to age 40 than 20, although I’m often told i don’t act it. I don’t consider that a bad thing.

I really am an infosec professional; I do pen testing, security assesments, and yes even compliance stuff, as well as security architecture and engineering. My salary gets paid by tax dollars; I won’t say publicly who I work for. I’m not a cop or a spy, although I work regularly with LEOs and counterintelligence groups and have been known to prepare briefings for people whose titles include the words “White House” or “Secretary”.

If you haven’t guessed it already, I’m based on Pittsburgh but travel regularly; this fact will do little to help you find out who I work for. If you do figure it out, more power to you; in fact, contact me, maybe I can get you a job. 🙂

I’m killing off Johnny because I want to live as myself again. I’ll still be at security and hacker cons regularly; I’m just putting the finishing touches on a paper I intend to submit for Shmoocon under my own name.

I don’t want to lose touch with you all, but I’m also not quite ready to publish my full name or employer to the whole world. I’ll probably re-follow a lot of you from my “real” twitter account, which is much more boring. If you want to keep in touch, DM me or email me at johnnycocaine -at- and give me some kind of contact info; if you’re in the industry I’ll probably be willing to connect on Linked In. It’s not a disaster if my real identity becomes known, but I’d rather not have people google my real name and find Johnny in the first few results.

I hope you’ve had half as much fun following me as I’ve had making shit up and reading your tweets. I’m going to do a final Follow Friday and try hard to include all the twitterers who have made this experiment such a blast.

So long, and thanks for all the sploits.

/me plunges a wakizasha into his virtual belly



The Mysterious Disappearance

October 21, 2010

Legendary computer hacker Johnny Cocaine was reported missing this morning after a series of unusual events the previous evening. He was last seen in his girlfriend’s condo in downtown ———. His girlfriend, who goes only by the handle @razor_girl, claims he was sitting beside her on the bed using his laptop when she fell asleep.

“When I woke up this morning, the laptop was still open on the bed, but he was gone. So was his Heat bag. That’s his travel bag, so he’s ready to go in 30 seconds. The laptop had frozen, but I could still see part of an email that read ‘could be a threat to the very fabric of the Internet.’ I rebooted it but Firefox couldn’t recover.”

Police say they questioned the girlfriend, but she is not suspected of any wrongdoing. “She didn’t kill him,” reports Det. Lopez, “but she might if he doesn’t call her soon.”

A neighbor, John Hegendorf, claims he saw several black SUVs parked in front of the building yesterday afternoon, but didn’t notice anything else unusual except the sound of helicopters overhead in the middle of the night.

“I hope he’s okay. He always throws the best parties. Maybe he posted something online about where he went. He’s always disappearing, anyway. Are you sure you’re from CNN?”

New Show

October 19, 2010

So I have an idea for a new web show about infosec but it might require me to reveal my identity. I think a lot of y’all might really like it, although I don’t want to spoil the surprise yet. However, it would require the cooperation of “suits” – or at least real people who work for real companies. It would not be possible to entirely anonymize them. So I think it’s unlikely they’ll be willing to work with “Johnny Cocaine”, especially if they take all my tweets as literally true. I mean security vendors, Valley startups, tech and entertainments companies – they’re less risk averse than, say, Chase, but I’m not sure they want to share screen time with me. The word cocaine elicits some strong responses.

On the other hand, I think the videos would be more entertaining with a colorful personality using a controversial moniker. Who wants to watch a video about “Arnold McFadden”? (Sure it’s my real name. Go on, Google it.) It would be like going to see a concert by Brian Warner instead of Marilyn Manson.

So: I could attempt to do it as Johnny, hope enough people / organizations will cooperate, and try to stay anonymous as always. Or I could do it under another pseudonym, which people would quickly realize was Johnny from seeing the vids, but which would at least not be blatantly associated with Johnny.

Or I could do it under my real name and hope that infamy helps my career a la Kevin Mitnick. I’m reasonably sure I haven’t left any damning evidence laying around. Unfortunately a lot of people in the infosec industry don’t have much of a sense of humor. Present company excluded, of course. Of course, if I did that Johnny would probably disappear in to the hazy mist of hacker lore.

What to do, what to do….?

Johnny’s Startup

October 18, 2010

poweron at 08:58:13 10/18/2010
running Power On Self Test
CPU diagnostic check: scanning 1xE11 processor cores
98% passed
WARNING: 2% failed – alcohol errors detected
Checking memory…. hazy.
Memory segments 00000000 to Day 9,131 fragmented
Initializing kernel… last updated at Age 16.
Recommend upgrade behavior immediately
Testing primary storage:
Reiserfs detected: Quarantined to prevent homicidal behavior
Testing secondary storage:
WARNING: Unknown eigenvalue, please observe
Quantum computer activated
Loading modules:
lsmod: CRITICAL ERROR: caffeine.ko not found
Please insmod caffeine immediately!
Running cleanup routine…
cat /var/log/memories/last_night
File not found!
Replaying journal
Illicit activity detected.
Copying all logs to /dev/null
Testing I/O:
Audio: Industrial music detected. [OK]
Visual: Screen resolution no longer blurry. [OK]
Olfactory: Freshly lit cigarette detected. [OK]
Taste: Mmmmm, donuts. [OK]
Touch: [REDACTED] [OK]
Loading external data feeds
RFC 1149…
Loading output filter
Boot sequence complete
Welcome to HumanOS version 0.999
johnnycocaine login:

Ethical(?) Hacking

October 6, 2010

Infosec is an interesting industry. It’s a common assumption that to be a good security practitioner you have to be conversant with the methods an adversary might use against you. Or to overly simplify, the “good guys” have to learn some of the same skills as the “bad guys”. This is only true to a degree. Certainly a security analyst should be able to look at a code fragment like perl -e ‘{print “A”x”255”}’ and recognize that it’s probably a buffer overflow. However, in many cases, analyzing malware and creating signatures is outsourced to A/V or IDS companies; analysts only have to recognize an attempted intrusion, determine if it was successful and maybe do forensics.

This need for the white hats / defenders to learn offensive skills must bother some people because ethical standards seem to have a more prominent place in the industry than in many others. There’s the Certified *Ethical* Hacker credential, a strong ethical component to the CISSP, etc. Obviously some other professions have these: doctors, lawyers, CPAs, etc. There are, however, many more that do not, even if their particular circumstances or skill set could be used for unethical behavior. Your phone guy could be tapping dozens of phones a day for example. Your mechanic could be (and probably is) sabotaging your car so you have to get it fixed more often. Don’t even get me started on politicians, the entertainment industry, or so called “business leaders”.

Why this focus in infosec? My hypothesis is because non-techies are scared of what “hackers” (of any color hat) can do. The security pros, therefore, voluntarily adopted these codes of conduct primarily for PR reasons, as they have little punitive force against anyone who is willing to violate them in the first place. It’s like the wizards in certain fantasy books who have taken strong oaths so the general public won’t resent / fear / lynch them. The fact that “wizard” has often been used to describe someone who is very computer savvy is, I’m sure, a coincidence.

Why do I say this? It’s pretty obvious, huh? There are “black hats”, who try to break in to systems, and “white hats” who are the defenders. It’s like the Alamo (with approximately the same odds, but hopefully a better outcome for the defenders.) The only gray area are those misleadingly named “penetration testers”, who are sort of like undercover cops without the corresponding oversight. (This is not a judgment, just an observation.)

What I’m interested in is people’s opinions on other “gray” areas. I’m not saying whether I have or have not done any of these things, nor am I defending any of my own actions (which are, of course, always above reproach.) I’m just curious what people think about them. Think of it as a game of infosec “Scruples”. Remember the question is, Is it (or can it be) ethical? Not, Is it legal? which isn’t the same question in most moral systems.

– Can an intelligence agency break in to other countries’ computers for general intel gathering?
– Can they break in to computers if they believe the information is vital to national defense?
– Is offensive cyberwar as part of a physical conflict acceptable (i.e., hack comms systems.)?
– How about corporate espionage?
– Should local laws and mores be taken in to account?
– Can undercover cops hack machines of suspected criminals? Can they hack to prove themselves to criminals (similar to doing drugs in front of a drug dealer to prove you’re not a cop.)?
– Are “hacktivists” who break in to computers of suspected criminals like child porn dealers acting ethically?
– What if they break in to third party computers to catch the criminals?
– What if it’s not criminals at all but people or organizations that they believe are “wrong”)? Like if PETA was to hack in to a Japanese whaling company’s servers.
– What if it’s a person who is harassing / stalking / threatening / inciting hate against someone else?
– What if the someone else is a friend or family member you want to help?
– Is it ethical to help a friend access their spouse’s email if they suspect adultery?
– What are other gray area you can think of?