Mimikatz on Windows Server 2019… nice music.

DoktorCranium is fiddling around with Windows Server 2019 Insider Preview Build 17650 and Mimikatz, a security tool used by attackers, e.g. in the 2015/2016 intrusion into the German parliament, the Bundestag. “Bypassing Windows Defender, Loading meterpreter, and executing the latest Mimikatz just for fun.” Why? Because he can. And Open Source rocks. I still find it hard to believe so many security-sensitive environments still use software from the shelf. And if you like Benjamin Delpy’s work, look at this video about Kekeo: https://www.youtube.com/watch?v=sROKCsXdVDg

Windows Server 2019 Insider Preview Metasploit/Mimikatz tests – YouTube 

Applied Crypto Hardening Handbook Update published

Some good friends were involved here, and their work is so much appreciated! 

Applied Crypto Hardening: bettercrypto.org

“This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.”

The Military-Malware-Complex. An article I recently published in Linux Magazine US.

Pretty Complex » Linux Magazine

“… this military-industrial complex has advanced into a new domain: If data is the new oil [3], then access to data is crucial for corporate and national prosperity…. There is a huge market of software developers, admins, hackers, and surveillance technology orbiting the US military as well as its affiliated industries.“

Keylength.com: Which key length/cipher to use for a given period of time

Reality update: Keylength – Compare all Methods … :

This web site implements mathematical formulas and summarizes reports from well-known organizations, allowing you to quickly evaluate the minimum security requirements for your system. You can also easily compare all these techniques and find the appropriate key length for your desired level of protection. The lengths provided here are designed to resist mathematical attacks; they do not take algorithmic attacks, hardware flaws, etc. into account.

ECCploit … nice…

ecc-rh-paper-eccploit-press-preprint.pdf … :

To address the second challenge, we present ECCploit, a new Rowhammer attack based on composable, data-controlled bit flips and a novel side channel in the ECC memory controller. We show that, while ECC memory does reduce the attack surface for Rowhammer, ECCploit still allows an attacker to mount reliable Rowhammer attacks against vulnerable ECC memory on a variety of systems and configurations.

Thx to Fefe. 

Krypto-property – Do you legally “own” Bitcoin?

Things I read…: “Short introduction to krypto-property by Preston Byrne”

https://prestonbyrne.com/2018/11/23/krypto_property/

Wrapping up, the reason that the matter of Bitcoin’s ultimate classification as property hasn’t come up yet is because, in common practice, ownership disputes are resolved at a higher conceptual level than inquiring about the “nature of a bitcoin itself” – when I deposit coins at an exchange, e.g., it ought to be pretty clear from the exchange’s TOS that if I have a balance on the exchange, I can ask the exchange to spend an amount equal to that balance back to me on request and, if they fail to do so, I can ask a court to force the exchange to render specific performance or pay damages. A dispute of that kind, of which there have been many, doesn’t ask at what point title transferred and what the fundamental nature of that title is, because it doesn’t have to. It looks instead at the contractual obligations between the counterparties and whether those obligations were satisfactorily performed.

One could write chapter and verse comparing these two jurisdictions and their treatment of Bitcoin as an asset. That said, it’s a Friday night and I have places to be, so for now it will have to suffice to say only that the question has no answer and at some point, probably sooner rather than later, there is going to be a case that explores these fundamental issues (I am frankly shocked that Oxford v. Moss hasn’t been raised yet in any of the UK-based Bitcoin fraud prosecutions).

I look forward to reading those decisions.”

“The Decline and Fall of the Zuckerberg Empire”

http://nymag.com/intelligencer/2018/11/the-decline-and-fall-of-the-zuckerberg-empire.html

A 6,000-word report published in the New York Times last week disclosed in humiliating detail the lengths to which Facebook has gone to protect its dominance and attack its critics. As various interlocking crises concerning hate speech, misinformation, and data privacy widened, top executives ignored, and then kept secret, evidence that the platform had become a vector for misinformation campaigns.

(…)
Over the past year, I’ve spent time trying to wean myself off tech mega-platforms, generally with little success. Google’s search, for all my complaints, is still the best way for me to navigate the internet; Amazon is still so unbelievably convenient that the thought of quitting it exhausts me. But I logged out of Facebook more than a year ago and have logged back in fewer than a dozen times since. Checking Facebook had been a daily habit, but it also hadn’t improved my life or made itself necessary. Not many Roman plebes would have said that about the Pax Romana. Some empires fall because they’re invaded from the outside or rot from within. Zuckerberg’s could be the first in history to collapse simply because its citizens logged out.

Why do we get such stupid ads? Because it’s only a numbers game…

Newco Shift : Dear Advertising Industry: Please Do Better. You’re Killing the Open Web. … :

Let’s apply that reality to our robe example. Let’s say the robe costs $60, and yields a $20 profit for our e-commerce advertiser, not including marketing costs. That means that same advertiser can spend upwards of $19.99 per unit on advertising (more, if a robe purchaser turns out to be a “big basket” e-commerce spender). So what does our advertiser do? Well, they set a retargeting campaign aimed at anyone who ever visited our erstwhile robe’s page. With CPMs averaging around a buck, that robe’s going to follow nearly 20,000 folks around the internet, hoping that just one of them converts.

Instagram stored your password in plain text…

Nice: Looks like Instagram is trying to compete with LinkedIn in terms of password in-security: Instagram accidentally exposed some user passwords through its data download tool – The Verge … :

According to Instagram, some users who used that feature had their passwords included in a URL in their web browser, and the passwords were stored on the servers of Facebook, Instagram’s parent company. A security researcher told The Information that this would only be possible if Instagram stores its passwords in plain text, which could be a larger and concerning security issue for the company. An Instagram spokesperson disputed this, saying that the company hashes and salts its stored passwords.

This is the end… when the sun makes sea mines detonate (Vietnam stories)

A Powerful Solar Storm Likely Detonated Dozens of U.S. Sea Mines During the Vietnam War

“An analysis of recently declassified U.S. military documents confirms suspicions that, during the late stages of the Vietnam War, a powerful solar storm caused dozens of sea mines to explode. It’s a stark reminder of the Sun’s potential to disrupt our technological activities in unexpected ways. As part of Operation Pocket Money, the U.S. Navy planted a series of Destructor sea mines near strategic ports off the coast of North Vietnam. A few weeks later, on August 4, 1972, crew members aboard U.S. Task Force 77 aircraft suddenly observed a batch of explosions south of Hai Phong. In all, some 20 to 30 explosions were documented in just 30 seconds. Another 25 to 30 patches of muddy water were also observed, indicative of further explosions.”