Fashion Week

September 9, 2010

An Open Letter to Julia Allison:

Dear Julia Allison,
I NEED NEED NEED to go to one or more Fashion Week shows. Why? Because I am the one computer geek – in the whole world – who actually cares about the fashion world, wears designer labels, and knows what couture really means. By attending Fashion World, I would be standing up for poorly dressed nerds everywhere and defying stereotypes. I could also help the models work their Blackberries. I’d love to see Rodarte, and of course for men, Armani… although I normally wear boutique designers from California.

Even the women’s fashions are useful to me. As you may know, if you follow me on twitter @johnnycocaine, and I’m sure you do, my “job” is to sneak in to… places… and take over their computer systems. Sometimes this involves dressing as a woman, so knowledge of women’s fashion helps. Fortunately, this job pays very, very well so I can afford designer clothes, too. As long as no one asks where the money came from.

Finally, you are my hero for how you became an Internet celeb and master of self branding. I’d actually rather meet you than any of the designers or models.

Peace,
Johnny Cocaine

OSINT

August 10, 2010

So the other day I somewhat audaciously tweeted that I disagreed with @marcusjcarey and @itza11hYp3 regarding the statement that OSINT (open source intelligence) was basically a new name for something intelligence analysts have always done. I say audacious because I am not, in fact, an intel analyst by trade, whereas they have a stint at NSA and long experience in the federal sphere, respectively. Now, I know a lot of people have theorized that I work for the NSA – and I am quite proud of my hat, which came straight from the (classified!) gift shop at Ft. Meade – but I don’t. My skills are focused on obtaining information rather than analyzing it.

Still, I think there are a few reasons why modern OSINT is different from traditional methods. Whether that qualifies as something really new or not is semantic. To clarify, OSINT refers to gathering intelligence from “open sources” – newspapers, court records, web sites, etc. Certainly, analysts have always done this, and obviously it has gotten easier since PCs and the Internet became more widely used. Not only can you search a lot of archives from a distance, and quickly, but also people and organizations are just publishing more information about themselves.

The first reason why I think it’s substantially different is the collection method. It’s not just a matter of reading online versus reading paper. Part of it is being able to Google well (and use Lexis / Nexis, etc.) but part is being able to find relevant information in a very large haystack without wasting time on false positives. The only way to do this in a timely manner is algorithmically. The only way to implement such complex algorithms is in software. Example: say you have a suspected domestic terror group whose known members have purchased warehouse space in 3 cities. It might be useful to search all the real estate purchases in the U.S. for other purchases matching similar criteria to ferret out other cells. Given the amount of real estate transaction data available online, this should be doable, but the analyst is going to have to be able to carefully delineate the parameters for such a search – not just what to look for, but what to exclude. Or, perhaps, more likely, they’ll explain the general idea to an IT person who will codify it.

Reason 2: Correlation. A big benefit of having so much digital data available is being able to correlate it. Forget those scenes in cop shows where they have all their clues written on pieces of paper and tacked to a cork board. I’d be spidering craigslist, twitter, etc., and running the data through something like Splunk to look for unforeseen correlations. Merely by doing math, software can point out possible correlations that might never occur to a human. Given the number of job postings at NSA for people with experience in data mining over the past decade, you can be sure this is happening. (Hey, I just deduced what the NSA is doing from their public job postings. OSINT!)

Reason 3: Meta-data. Analysts are no longer limited to the “published” data in a record. We’ve all heard the stories of info being leaked in the meta-data of a Word doc, EXIF data in an image, geo data in a tweet, ID3 tags in MP3s, whatever. Being able to access, search and understand this information is critical and, again, requires either a technically minded analyst or a resident techie to write the tools.

Reason 4: The so-called “deep web”. Not every bit of information on the Internet is indexed by Google; in fact, a great deal of it doesn’t even use HTTP. Even “innocuous” protocols like ICMP and DNS can transport extra data around. If nmap can figure out an operating system by looking at administrative data, what can we figure out at the semantic level. E.g., if you’re monitoring a server that you suspect of storing malware being used by a certain group, and every time one of the group members walk in to a cafe with a laptop, the ping time to that server increases, it stands to reason that they’re doing something that’s increasing the load on the server.

Fifth and final reason: There are more different types of data now: pictures, videos, audio, etc., due to the advent of cheap digital cameras and other devices. I know for a fact that certain (probably all) intelligence agencies examine the pictures that suspected terrorists post on Facebook, Flickr, etc., to try to identify their location, associates, etc. In the past, pictures and video were generally only available if a HUMINT operator was surveilling the suspect already. Of course, all of the aforementioned reasons also apply to multimedia, too.

I’m not writing this to defend my position or anything, just to point out things I find interesting about the process. Certainly, as someone who doesn’t want “Johnny Cocaine” to be associated with his real identity, I consider these avenues of attack and attempt to mitigate them, as I’ve discussed previously. Not that I need to keep it secret from nation-state level adversaries – although I feel confident that I could do so – but it’s just fun. Anyway, hats off to @marcusjcarey and @itza11hYp3 for making me think about this and replying to me. I’ll buy you guys a drink at the next spook convention.

The social engineering dust up

August 3, 2010

And while we’re on the subject of corporate rights being somehow more important than individual, I have thoughts on the social engineering contest and the minor furor it created. So companies and even the FBI, were worried that people at DefCon were trying to social engineer them? I mean, first of all, maybe you should be worried about the real bad guys who are trying to do it, not people at a con who are acting under certain rules.

Second, HELLO? How many times has some telemarketer called you and tried to trick you in to divulging information and even buying crap, often under false pretenses? Not just telemarketers: sales people, snail mail, web sites, service personnel, customer support – most companies are less than honest when they’re trying to make sales. Indeed, many of them have lying as their primary business model. They depend on riding just on the legal side of fraud to get you to buy something and depend on their byzantine phone trees and laborious return procedures to get you to keep it. Who cares if you swear to never buy from them again, as long as they meet their numbers for this quarter? By the time your contract expires or your gadget needs replaced, the officers will have moved on to a new company anyway.

So I don’t feel too bad when people try to trick them back.

Yes, I’m grouchy. I need a smoke.

Security Pro Hypocrits

August 3, 2010

Well, we all know that last week was the 18th revision of the largest “hacker” conference in the world, DefCon, and its spin-offs Black Hat and BSides. I had a great time and met a lot of awesome people. And, as I’ve mentioned, lined up 3 new jobs. 🙂 But, I have an issue.

It won’t be news to anyone who’s been going for a while that DefCon has gotten more, well, corporate, especially since the inception of Black Hat. More and more of the speakers are well groomed “security researchers” from various software companies who are trying to drum up business. More and more of the attendees seem to be the type that do their 9-5 job and go home to watch a ball game rather than spending all night coding or using a soldering gun. That’s okay; I want anyone who is interested, in the tech or the culture, to be welcome.

But with the shift comes an apparent shift in, well, philosophy that disturbs me. To whit: all these corporate and government folks go on and on about how to Assure the Confidentiality, Integrity and Availability of their employers’ data, while openly claiming that individuals have no right to or expectation of such protection.

I can’t tell you how many times I heard speakers claim that “Privacy is dead” or “If you put anything on a social network, you should assume it’s public” or “Allowing anonymity is too dangerous.”

What. The. Fuck.

So it’s perfectly okay – indeed, expected (“due diligence”) – for big companies to keep what they’re doing secret, but practically a crime for individuals? Standard practice for a corporation to rely on authorization / access controls, but too much of a burden for a consumer service? A horrendous crime to copy a Lady Gaga song without permission, when people assume they have carte blanche to copy others’ images, blog posts, tweets, or documents and put them in their Power Points for Black Hat?

One speaker – it won’t take you long to figure out who – spoke of the dangers of using so-called “darknets”, including Tor. (In fairness, he mentioned that Tor was not technically a “darknet”, whatever that is, but he applied all the same lessons to it.) It’s true – using Tor or P2P or mesh networks, etc., has risks. There’s the risk of being pwned, or DL’ing malware, etc., and the risk of legal action, both for what you do and what you enable others to do. His conclusion? “Don’t use them.” Essentially, he seemed to think they were only for bad guys.

Oh, and his reason for believing this was partly based on having examined the traffic on Tor exit nodes, which is pretty clearly a violation of federal wiretap laws.

That aside, did he ever think there were legit reasons for using Tor? Like, journalists / activists? Legally gathering corporate intelligence? Law enforcement and counter terrorism? To get around national censors in countries like China and Iran? To not get harassed? Keeping controversial viewpoints from being associated with, say, your LinkedIn account? And what about penetration testing?

The same goes for Bit Torrent, Freenet (why were you surprised that I’d heard of Ian Clarke, dude??), Gnu Net, etc.

People: information security is not only the right of wealthy corporations (I include most governments in that class). It’s the right of anyone who chooses to take advantage of it (like any right). Frankly, I think a neo-con government data mining everyone’s email is a bigger threat to our democracy than a hacker joy riding a corporate network.

The problem is that A) few people are paying infosec pros to protect the data of individuals and B) it’s hard. If an employee violates rules on protecting data, you can fire, sue or jail them. What are you going to do if a Facebook friend reposts one of your pictures? At most, you’ll ask them to take it down – by which time it’s probably been shared, Liked, downloaded, saved, emailed and cached a million times.

That doesn’t mean we should just write it off.

This week’s Gothic Babe Of The Week

July 22, 2010

My DefCon packing list

July 21, 2010

OK, this is pretty much my packing list for any trip, but with shorts instead of long pants. 🙂

  • A heavily hardened laptop (the software on the laptop is a whole other post)
  • Smartphone (ditto)
  • Sports watch with timer / multi alarm / chronograph (redundancy)
  • Cargo shorts, t-shirts, and a set of nice clothes for social engineering
  • Comfortable shoes, dress shoes and lots of socks
  • Hat and jacket (Caesar’s conference rooms are always FREEZING)
  • Several pair of shades
  • Light gloves (so I don’t leave fingerprints, duh!)
  • Bandana and, of course, towel
  • Microtech knife
  • Multi tool
  • Crimper
  • Cat 5, data tap
  • Wireless cards
  • Misc. power cords, USB cords, adapters, A/V cords
  • Flashlight
  • Digicam with video and zoom lens
  • Disposable digicam
  • Prepaid cell
  • Magnets and small wires
  • Lockpicks
  • Surveillance camera detector
  • Night vision device
  • Plastic handcuffs, carabiners, bungee cords, rope, twine, duck tape
  • Flask of that day’s fave liquor, plus smokes and Zippo
  • Toiletries and makeup
  • “Big wad o’ money, nothin’ less than a twenty.”
  • Radio scanner
  • Several passports 😉
  • Spare batteries!
  • Porn mags (to distract / bribe guards. really.)

Give me your hot, your sexy, your DC vouchers….

July 20, 2010

If an outsider had to describe DefCon in one word, it would be: sausagefest. I have a theory that many more women – specifically, hot altpunk chicks who are looking for a geeky sugardaddy – would attend if it weren’t for that $140 fee. Therefore, I suggest that any Black Hat attendees who are not going to DefCon contribute their $100 DC vouchers to yours truly and I will see that they go to those who need them most – the hotties.

Because unlike Network World, DefCon *is* an appropriate venue for off-color entertainment and rampant displays of flesh, right? C’mon, everyone wins! DM me on twitter @johnnycocaine or email me at johnnycocaine@gawab.com to join the fun!

Where TF is Johnny Cocaine?

June 29, 2010

I thought it would be fun to run a little unofficial contest during DefCon (/Black Hat / BSides).  The object is simply to find yours truly, in person, based on hints I give out in real time.  I don’t know what these will be yet, but they will be geeky.  E.g.,

  • Scan the DefCon WiFi net and look for HTTP banners with hints in them.
  • Look for clues in Bluetooth or WiFi devices in your area.
  • Look for memory cards, CDs, or (just to fuck with you) floppies.
  • Written notes or photos
  • Clues on Twitter, of course… hopefully they’ll have the screen with the twitter page again.
  • The DefCon forums
  • And expect to use your knowledge of math, geometry, sci-fi, cult movies, drug lore, and alt porn.

Catch me if you can!

Look at cute girls and read about Infosec

March 30, 2010

Here’s more pics of the cute “me”.  But first, read my previous post about why we’re losing the cyberwar(s).

http://www.collegehumor.com/cutecollegegirl/KaylaG

Losing the cyberwar

March 29, 2010

I’ve seen a lot of stuff in the press recently about cyberwar, both as a complement to traditional military action and in the sense of a shadow war that may occur between nations that are ostensibly not at war with each other.  And don’t even get me started on Advanced Persistent Threat.  If I tattooed “APT” on my ass and walked along 101 naked, I’d have VCs stopping and handing me bags of cash.  I have, in the past, publicly scoffed at the idea that the U.S. or any of its close allies is in any way competent to prosecute a cyberwar.  Neither offensive nor defensive capabilities exist in proportion to the threat.  We are as unprepared for this threat as we were for people with box cutters to commandeer planes on 9/10.  I see several reasons why this will not change any time soon.

The first reason is economic.  Anyone who does computer security knows that increasing security almost always decreases the utility of a system to users.  It would be much easier if we didn’t have to use passwords, right?  The same is true on a much larger scale; to secure our financial institutions, utilities, transportation, and communications would cost a lot of money.  Not just a one time stimulus package, either, but huge ongoing costs in the form of less convenience and lower productivity.  The problem is, who is going to bear this cost?  The software vendors, whose software isn’t secure enough because they want to deliver the most useful software they can, as fast as they can?  Private industry, who skimps on infosec spending because they figure the cost shouldn’t be borne by them alone, and it affects their bottom line?  The government, who, even if it was politically palatable, would then be faced with the task of going in to every software vendor and large organization and enforcing standards?

Security spending is like insurance.  It has to be less money than what you expect to lose if you don’t spend it.  So credit card companies will come up with ways to keep fraud at manageable levels.  The expected loss is calculated by multiplying financial loss by the likelihood of it occurring.  But no one thinks a large scale cyberattack with devastating consequences is likely right now.  They appear to find it even less likely than, say, a huge earthquake or similar natural disaster, to judge from how much they spend on cybersecurity compared to traditional business continuity.  How many companies have a business continuity plan that specifically deals with a widespread cyberattack?  How would you even begin to recover if your network was toast, all your servers were pwned, your desktops were suspect, you couldn’t verify which backups were good, you had contaminated a bunch of your vendors, partners and customers, and all of your corporate Blackberries refused to do anything but play “Taps”?  What if it happened to a dozen major stock exchanges on the same day?

The second reason can be deduced from the first.  Traditionally, at least in recent centuries, a country’s defense is outsourced to a professional military class, which includes, for purposes of this discussion, border patrol, Coast Guard, etc. (or the equivalent in your locale.)  Most citizens, corporate employees and organizations are not responsible for preventing an attack on a day to day basis.  In cybersecurity, however, the attackers are essentially already inside the national boundary.  Everyone who uses a cell phone or computer is at risk of being personally attacked, at any time, by a nation-state level adversary.  I’d say it’s like living in a nation of walled towns, where transportation between towns is only via heavily armed and armored caravan, but it’s worse than that.  If the towns are corporate networks, where some of the risk has been centralized on to corporate IT departments, and the transportation is encrypted network traffic, then we live in a nation of walled commercial centers, where everyone lives outside the walls, and is, therefore, on their own in case of an attack!

Don’t jump to the conclusion that we should build a Great Firewall, that every country should.  For one, it wouldn’t work.  We need to realize that we cannot draw a circle around a piece of the Internet the way we can around a piece of land and treat it as a single, defensible entity.  Like it or not, every one of us is a combatant.

Finally, the biggest reason of all for losing the cyberwar is having the wrong people fighting it.  Do you really think that anyone in the federal government or the upper levels of the Pentagon understands computer security? No. Fucking. Way.  I have a friend of a friend of a friend who advises a Secretary on cyber security.  Is this person a former black hat?  A Ph.D. in computer science?  Someone who has spent 20 years in the trenches?  No, they’re a politically savvy bureaucrat with an MBA in Management or some such bullshit.  The people who are making decisions now were already almost retirement age when the Internet, email and cell phones got big.

But wait, they’ve got a cadre of smart, young up-and-comers to advise them, right?  Wrong.  The people who understand computer security are hackers, in the original sense of the word.  They try things that aren’t supposed to be possible.  They demand hard evidence before they believe.  They question things and find out the difference between the artificially created rules and the actual limitations of reality.  They have little use for social mores that don’t make sense.

These kind of people will never, ever get a security clearance, succeed in the military, or even be interested in joining it.  People who succeed in the military and intelligence communities have to be good at following rules, at conforming, and most of all at Believing.  Hackers aren’t good at any of those things, or, by definition, they are not hackers.  Also, hackers don’t agree that, say, marijuana is evil and alcohol is good just because of an arbitrary law.  They sometimes have weird religious beliefs, unusual lifestyles, and a tendency to speak out strongly about things they believe in.  None of these is conducive to getting a TS/SCI.

Take a look at the presentations at Black Hat or something.  The most interesting technical talks are by people who have ponytails, haven’t shaved, are wearing a T-shirt and are often not the best public speakers.  The guys who work for the feds, vendors or big name consulting companies have metrosexual haircuts, a CISSP, and a 3 year old Bachelor’s degree.  They give talks on “methodologies” and insert not-so-subtle plugs for their products.  These are the “security gurus” for the feds and contractors like Blackwater and CACI.

Oh, I’m sure there are some brilliant people hidden away in the basements at Ft. Meade and Langley; they just aren’t allowed to speak at Black Hat.  And certainly, some of the TLAs have no qualms about hiring a “real” hacker for certain jobs, regardless of security clearance; they just won’t admit it.  But by and large, the people making decisions – and even implementing those decisions – about cybersecurity on a national level are entirely unqualified to do so.

Some of you will say, oh, he’s just bitter because his last name is “Cocaine” and he can’t get a job doing cool white hat stuff.  Nah.  I like the life of a freelancer, and I’m sure not cut out to be a cop.  Cubicles make me itchy.  But that’s what I’m saying – the two mindsets are almost completely exclusive of each other.

Anyway, enough bloviation.  See you after the #Hackpocalypse.