Friday Squid Blogging: Squid T-Shirt

Pretty design.

Posted on October 21, 2011 at 4:10 PM • 22 Comments

Comments

Nick P • October 23, 2011 1:32 AM

@ Daniel

We used to go after child porn websites. Every guy who is hacking for fun likes to morally justify their actions. I have a stricter code of ethics than most, which included not harming innocent people. We hated those pedo-pricks & figured the law might not mind about us knocking their servers down & stuff. Never really thought about the honeypot angle. I guess we were so disgusted with the entire thing & so focused on destroying as many of them as possible that we didn't stop to think of these things. Sadly, their servers were disposable & the sites quite resilient.

Good fun. Surfed with pictures, caches, etc. turned off. Didn't have to even view an image for confirmation because they all talked the same way & you could just MD5-check the images once their box was yours. (Or assume guilty anyone who posts a questionable looking site with the words "cp" or "jb".) We'd anonymously send evidence to Feds here and there.

Too much risk that came with some technicalities, like how some part of our system might unknown to us cache & "possess" an image or something. Around that time, I stopped hacking. Wasn't out to make money or do newsworthy harm: just showing them their weakness & enjoying intellectual challenge. Almost 18 and the game was boring & repetitive. Trying to build truly secure systems was more interesting. Still haven't won that game, but we get closer all the time. (And further away in the commercial sector...)

Disclaimer: The above is a work of fiction. Any similarities to real persons or events is a coincidence. The author neither performs, nor condones, criminal activity.

Gabriel • October 23, 2011 7:15 PM

@Nick P: you should use lynx for that. Easy to prove no pics downloaded. This actually reminds me of a post on Krebs a few days ago about other gray hats taking on scareware extortionists.

Of course, the biggest problem is that competent law enforcement (not ICE) are leveraging real cp sites to snare the perverts over a few years. At that point, an attack on the site would be counterproductive. I have always worried that ICE would take down a site that the FBI or Interpol or some other agency was actively exploiting, sending the rats running for cover before they can nail the lot.

Nick P • October 23, 2011 9:05 PM

@ Gabriel

True on lynx, but what about the ASCII porn? ;)

On ICE vs LEO's, yeah this is a big issue. You might recall from the past that I focus a lot on subversion attacks because they're the most devastating. Infiltrating & developing reputation or clout in a black market forum is a subversion attack. These attacks have been extremely successful on carder forums & sporadically successful on cp forums. So, I'd say they should probably continue the strategy.

This leads us to the conflicts. One idea would be to have a way for ICE to check if a specific site or alias was a fed. This increases the likelihood that the fed might be detected, but the risk should be manageable if this is carefully audited & reviewed. The reason I'd do it this way is because I don't want a central database of covers that all can access. Too much risk of the operation getting blown. My method is local & allows sharing.

Nick P • October 23, 2011 9:11 PM

@ footwear

"Couldn't that person have adjusted their target to Area51, I'm pretty sure you would have had a challenge for a couple of years"

But of course we did. ;) I designed, but didn't launch, many potential attacks & infiltrations. Most used an exotic or clever tactic to get in & move through security quickly. I did come up with a potential shortcut that might help attackers figure all that stuff out ahead of time. It was too easy of a weakness, especially for D.O.S. of the base.

That said, the plans have slowly been deteriorating in the dark, little used corners of my mind. I still remember the main stuff, but I have NO INTENTION of messing with Area 51 or classified facilities in general. They take that stuff very seriously, esp. Area 51.

Daniel • October 24, 2011 12:56 AM

Let's get conspiratorial. Is anyone really sure that interfering with the FBI is not in fact the real aim of the Anonymous attacks on "child porn" sites? It was only a few months ago that the FBI was arresting a slew of Anonymous members. Hitting certain child porn sites is a two-for-one deal. They get revenge on the FBI by messing up their investigations and do so while appearing in the press to have the moral high ground. Even if messing with the FBI wasn't directly their goal, I'm sure if it came to light that they did in fact compromise some FBI child porn investigations Anonymous isn't going to cry over it.

Uncle Demotivator • October 24, 2011 6:35 AM

@everyone talking about Anonymous:

Taking down child pornography websites is certainly a good thing but it's just funny when it's done by people who advocate total freedom on the Internet. Just LOL.

askme233 • October 24, 2011 8:30 AM

This is kinda funny since Anon sprang from 4Chan which is filled with jb and had a whole split with 7Chan on cp.

Clive Robinson • October 24, 2011 3:25 PM

This is a bit odd....

Some of you will remember that a group of students used the accelerometers in smart phones to work out what was being typed on the smartphone keypad.

Well this article claims a similar thing, only the keyboard on a PC near the smart phone...

http://www.msnbc.msn.com/id/44993238/ns/...

Anybody know if this is new, or just a journo getting muddled up over the original story that has grown by "Chinese Whispers"?

Natanael L • October 25, 2011 6:17 AM

@Clive: Both are real and independent.
It's actually a bit scary what our phones can do.
Soon they'll probably do the same things with the microphones to listen to the keys too (although a bit more battery heavy).
I bet you can do the same with the camera too (both by filming somebody typing on a phone from the phone's back, and for malware on a phone to figure out what's being typed on it).

Clive Robinson • October 25, 2011 4:00 PM

@ Natanael L,

"It's actually a bit scary what our phones can do."

Yup I'm starting to ask myself about who gets the benefit of the "Smarts" in my "smart phone".

Back in the 1990's I worked out how to use the GSM network to turn a mobile into a bug (not as clever as it sounds as all the bits are built into the standards you just have to join the dots).

However with downloadable software of uncertain parentage hiding much "spy-ware" the only question is how many "smarts" the "spy in your phone" can steal before you notice...

What the spy-ware then uses those "smarts" for is open to the imagination, and it looks like there are people with very fertile imaginations out there.

Back when Maggie Thatcher was in power she actually put out an edict (based on advice from the technical intel spooks) that cellular phones should not be taken into secure areas even if they were turned off.

This was possibly because of what is often called "Hijack" where a weak confidential signal gets superimposed on a much stronger insecure signal, in effect a secret gets piggybacked out of a secure area to anybody who knows how to listen to it.

It looks like with modern smart phones we really do have a "spy in your pocket" that is smarter than the majority of users. Thus it looks like the "Meek have inherited the world" or at least the "Nerds have inhabited the info world"...

Clive Robinson • October 25, 2011 11:19 PM

OFF Topic:

A couple of items over on the Cambridge Labs web site,

Firstly an interesting article on the use of rising news stories etc and search engines by those intent on misusing the effect for personal gain be it just link hits or more sinister malware etc. It goes by the catchy name of "Trending-term Exploitation" and happens almost within minutes of a news story breaking,

http://www.lightbluetouchpaper.org/2011/10/20/...

Secondly Ross J Anderson is making further comment on the "Secure Boot" "OS vendor Lock In" system officially called UEFI that Microsoft and the other "usual suspects" are backing,

http://www.lightbluetouchpaper.org/2011/10/24/...

As noted by one of the commenters this will not actually make the system any more secure for a particular OS, what it will do however is well and truly "lock you in" to the hardware vendor's choice of OS supplier not your choice as the system owner.

Over and above constructing a Monopoly Market UEFI will stop to quite a large extent legitimate security research.

Further it will allow overreaching DRM systems which will stifle creative markets, to the detriment of us all.

To see why imagine only being able to hear the music the major record labels want you to hear because each track has to be digitally signed and they own the root keys?

We saw what happens when "lock-in on the user" cannot be enforced in the UK back in the 1960's.

The options for music on the radio back then were the "BBC Light Service" or foreign stations at night that faded in and out (The Luxembourg Effect). The result was "Unlicensed Broadcasters" or "Pirates" playing music a significant number of people wanted to hear not what people were told was acceptable by the monopoly created by the UK Government. In many respects unlicensed broadcasting allowed the "indie" label music market to develop into what it has become today.

And guess what at the time the UK Government fought tooth and nail to stop unlicenced broadcasting by bringing out draconian legislation such as the "Marine Offences Act". It is still trying to force a monopoly of "the favoured few" via OfCom which is why "unlicenced broadcasters" still exist in large numbers in the UK today.

And the only reason why "unlicenced broadcasters" still survive is because the lack of "lock in of the user" allows the user to express their preference simply by "tuning the dial". Not that this has stopped the UK Government trying, they have had a significant hand in the specification of the VHF band replacement DAB (Digital Audio Broadcasting) which has serious user lock in hidden within it. Thankfully DAB has had a really poor take up as consumers refuse to have it shoved down their throats.

Taking away an end user's choice is effectively a crime against their human right to free expression, however it is also a marketing person's holy grail as it limits the user's choice to only that the controlling marketer offers.

But UEFI will affect all things you can use a computer for so potentially it can also stifle "free speech" and "legitimate protest" thus arguably benefiting those who believe in draconian government, police states and dictatorships.

Clive Robinson • October 26, 2011 12:19 AM

OFF Topic:

I don't know if anybody else has picked up on this SSL denial of service attack against servers using minimal resources,

http://thehackerschoice.wordpress.com/2011/10/24/...

Put simply this is a specification attack not an implementation error exploiting attack so it works against all software versions of SSL on all platforms.

The reason it works so well with minimal resources (a single laptop and DSL connection can bring down an SSL server farm) is because of the number of CPU cycles needed to do the crypto part of the SSL Renegotiation.

It is not helped by the fact that SSL works the wrong way around. When it was designed many years ago it was assumed that Servers would use Crypto Accelerator Cards and users' PCs would be limited in CPU power. So the SSL specification puts the crypto heavy lift on the server not the client.

Today's reality as was predicted before SSL was designed is the other way around, client PCs have CPU cycles to burn and servers are generally stressed to the max.

What really surprises me is despite the fact that many people have commented on the CPU cycle issue in the SSL specification, it's taken so long for somebody to develop an attack for it...

As some of you will know I keep banging on about the problems with "specifications" and the issues arising from legacy effects it will be interesting to see how long it is before this one is fully sorted out (it should be fairly short as SSL Servers tend not to be put in true "embedded systems").

Clive Robinson • October 26, 2011 8:58 AM

@ Natanael L,

"... when is TLS 1.3 coming?"

Hmm before we get the next release of TLS first we need the RFC, then we need....

However the more pertinent question is,

Is SSL/TLS beyond its shelf life?

Some would say yes in which case what do we replace it with?

Either way I hope it's after they have had a really critical look at the failings of SSL/TLS in earlier versions.

My suggestion as always is to go not for an "absolute standard" but a "Standardized framework of replaceable and upgradable sub-standards"

[by sub-standard I mean a standard for a replaceable subcomponent within the framework not something that is substandard in its design]

The reason being if you make a stable framework that has, as a requirement for compliance to the standard, the ability to have the component sub-standards upgradable in place, you almost immediately reduce the legacy problem of "truly embedded systems" such as utility meters that would have an expected life of at least 25 years.

The simple fact is our history of security standards is not good when it comes to longevity, many have been shown to have failings or omissions before the ink is dry (AES for instance, where the algorithm is secure but implementations are not). Thus we need a way to mitigate the issue without incurring other problems such as MiTM attacks forcing systems into insecure modes by "falling back" for legacy system support.

Clive Robinson • October 26, 2011 9:09 AM

OFF Topic,

Further to my "human rights" comments above with UEFI, it appears that others may have similar views.

Google's Director of Public Policy, Bob Boorstin for instance has made similar comments a couple of days ago to an audience at the Silicon Valley Human Rights Conference. It would appear that he does not think that corporates are doing sufficient to promote the human rights of those people around the globe their products will affect (he gives a Wernher von Braun quote about rockets as an example). Further that cozying up to repressive governments is in the long term bad business not just for the unfortunates being repressed but the corporates as well.

http://www.theregister.co.uk/2011/10/25/...

Clive Robinson • October 27, 2011 12:09 AM

OFF Topic:

It would appear that there is plenty of life left in the Zeus Trojan malware.

More specifically SpyEye who took over Zeus development have added features to circumvent out of band authentication via mobile phones in various ways.

One is to manipulate the phone number registered with the bank, another that gets a user to download malware onto their smart phone. Either way the criminals end up controlling both channels.

http://www.darkreading.com/advanced-threats/...

What surprises me is how long it has taken for this to occur (I'd provide a link back to Cambridge labs site where I had an interesting argument on the subject but they appear to have removed all entries prior to Feb 06, why I don't know).

Gee Whiz • October 27, 2011 6:02 AM

I was interested to read about outsourcing of government intelligence jobs on this website. I wondered what the experts think?
http://www.thespywhobilledme.com/

It seems like the privatization of intelligence work could be a source of concern for folks interested in fidelity to a data gathering mission.

Clive Robinson • October 27, 2011 11:53 PM

OFF Topic:

My eye was caught by the title of this article,

http://www.nextgov.com/nextgov/...

As,

"Futures regulators want smartphone hacking device"

looked like it had significant privacy issues. I thought ugh-hu more warrantless spying by US Gov, and the first paragraph appeared to confirm this,

"The Commodity Futures Trading Commission is searching for a phone hacking tool to investigate suspects' mobile devices for evidence of links to Ponzi schemes, insider trades and other illicit dealings"

However it is actually talking about stand alone forensic examination tools not eavesdropping technology.

Actually the article is quite interesting when you get past the "journo hype" as it gives some background and approximate cost of what such a device will cost.

Importantly though it shows just how lacking existing systems are in both their scope and devices covered.

The NextGov site is worth having a look at once a week as it has some quite interesting articles and is lower bandwidth than many other sites.

Clive Robinson • October 28, 2011 12:47 AM

OFF Topic:

Many moons ago I used to post things that were quirky or amusing as a "Friday Funday" smile raiser.

Well this item is definitely quirky...

Apparently DARPA want a "flying humvee" capable of vertical take off that costs less than 55m each and has had a couple of proposals and has thus set a test date...

http://gcn.com/Articles/2011/10/26/...

One commenter remarked,

"A HUMVEE is JUNK on the GROUND. Why would you want to put one in the air for that much money"

They might have a valid point 8)

On a more important note it appears the "China APT" mob are at it again,

http://www.wired.com/threatlevel/2011/10/...

It appears that a few years ago a couple of satellites may have been hacked via a Norwegian ground station for a few minutes, but there is little evidence of what happened or how.

Now the US Gov "China APT" mob are claiming in an official report that it was the Chinese without offering any supporting evidence.

Which kind of ignores the fact it could quite well have been any number of countries' intel services (all Western ones are more than capable as are many other countries) or it might just have been reasonably technically knowledgeable individuals.

The problem with the China APT mob is that with each of the many unsubstantiated claims they make they lose credibility, and sound more like saber rattling warmongers.

Whilst their loss of credibility in some circles is good, unfortunately to others they sound very very convincing and that is bad as some of those people have the power to take the US to real physical spilled blood and guts war.

It's almost as if the US War Hawks want to fight the Korean war again with China not Russia as the super power in their sights this time.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.