Tuesday, December 30, 2008

Reliable IOS Exploitation

FX has given a comprehensive talk about IOS exploitation (including even the TCL scripts operators leave behind to retain access when they move jobs).

He has shown effective and ineffective ways of detecting compromise in IOS.

Then, he has shown how reliable exploitation of IOS routers works.

His talk will probably be downloadable from the CCC (25C3) web site by tomorrow.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Saturday, December 27, 2008

Attacking a Critical Internet Infrastructure

Hi folks and happy new year!

I am writing to spam about a talk about to be given at the CCC conference (25c3). I apologize for the cross-posting.

On the 4th day of CCC (the 30th), there is an interesting talk, with no details disclosed as of yet, by a couple of good people.

http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html

Making the theoretical possible
Attacking a critical piece of Internet infrastructure

* Jacob Appelbaum
* Alexander Sotirov

There are no details provided on the web page, which means both good and bad things depending on your point of view. Regardless, if you are not down here I'd tune in to the webcasts if you have the time. It's bound to be _very_ interesting.

Live streaming information can be found here:
http://events.ccc.de/congress/2008/wiki/Streaming

Gadi Evron.

Wednesday, December 10, 2008

ISOI 6, Dallas, TX - 29-30 January. Agenda and details

Hi all. ISOI is once again happening, and back to the States.

Almost final agenda: http://isotf.org/isoi6.html

As usual, while attendance is limited to the folks who are busy "saving the Internet"/"fighting crime", it is free of charge.

Once again we offer the public at-large the opportunity to attend without such membership. The process is: you submit a relevant talk, get vetted and get accepted. We have two slots reserved for such a purpose.

Subjects of interest: case studies, attacks, botnets, fraud, ...
To submit, email your talk idea to contact@isotf.org.

Is it time to say merry Xmas yet?

Gadi Evron,
ge@linuxbox.org.

Tuesday, November 18, 2008

BNP (British National Party) membership (supposedly) has been leaked

By tomorrow morning the web will be full of rumors that the membership list for the BNP (British National Party) has been leaked. I cannot verify the list is genuine, but I can verify it is out there.

This was "spammed" earlier today on the criticalsecurity.net IRC server and channel:
http://bnpmemberslist.blogspot.com/
http://bnpmemberslist.blogspot.com/
http://bnpmemberslist.blogspot.com/

burn, f-er (censored by blog admin:)
Shortly after, it was seen on the infamous /b/, an extremely popular image board, usually full of pornographic content. One of the more hellish areas of the web.

Obviously this content is being actively pushed on the net, and we have seen what happens when attempts are made to censor content on the Internet (a lot of lawyers waste a lot of time).

If this proves to be true, it is yet another example of how your information is pretty much everywhere, and any one of these many places can get hacked.

This happens on occasion even with the most serious security measures in place, so what of the many other organizations holding your information, whose security is not up to scratch?

The blog holding the information and being pushed on the web is: http://bnpmemberslist.blogspot.com/

Another URL is of an SQL database holding the data, but I feel mentioning it here is effectively sending the data across on my own, which is less than ethical.

Gadi Evron,
ge@linuxbox.org.

Thursday, November 06, 2008

All Hallows' Eve: Is There a Special Fire Code for Cemeteries in Poland?

[syndicated from my fun blog]

This post is about All Hallows' Eve as I experienced it in Poland, about remembrance, and the unseen economic forces I observed behind the scenes.

As part of my trip to Poland (which I will cover in a later, much happier, post) I met with Ela, whom I had briefly met before in Israel. She took me to a local cemetery for All Hallows' Eve. It was an uncomfortable walk, an emotional visit and a place where many background things showed themselves, and how they may be quietly, economically, impacting the world.

Ela is an ideologist with strong opinions and refers to herself as a "dissident". Highly loyal to her country (yet not afraid to be a critic) she works to right wrongs and protect the weak--Anywhere. She has an agile mind, but is so "on target" that she can at times miss the obvious, but not for long, and despite being moved by her emotions, she recognizes cold reason when presented to her.

I had a lovely meeting with her, but before we could sit and chat she insisted on taking me to a nearby cemetery. I'll first describe what was seen, and then what I saw--The hidden economy of life, and I suppose in this case, of death.

Being religious, Ela doesn't appreciate Halloween, as she sees it as a caricature of her worship. Demeaning the day in which she remembers those who have passed, inverting its purpose of self reflection. Being open-minded, she doesn't care if others celebrate Halloween in the now replicated "American" way (even me, partying here in Israel or there in Poland) but it's not for her.

First laying eyes on the cold stone fence and the tombstones behind it, I sighed audibly. What a waste of time. And of effort--To be polite. Yet, I was there. And as I was so was I now intrigued.

What I saw in the cemetery moved me. Hundreds if not thousands of graves, each with anywhere from a few to many dozens of lit oil lamps (and some flowery plants) placed on them, displayed for the world to see. Strife and opinion put aside, Poles all go to the cemeteries that day to show respect, and remember. That, or in all likelihood their parents make them--No matter how old they may be--Much like they will "ask" their children.

Looking into the night I saw lights in the darkness, some twinkling behind a tree, others lined up to the distance. All carefully placed by the multitude of those who probably never even spoke to each other, all for the same reason, remembrance--resonating deep within me.

Not knowing the right etiquette, I still commented to Ela "let's not walk on the grass," there is something about such places that you simply know.

I am not one to get in touch with the holy feeling of any place, and I am one to get bored in museums (barbarian!!). Yet, even if moving between the graves was just going through the motions and feeling a bit odd--The multitudes, be it of people or of lamps, had me wondering all the while I was wandering, truly aimlessly and with bright eyes, on the beaten track.

There were some secrets to the cemetery.

Some were obvious. I'd ask "Ela, what of the odd grave every once in a while with no lamps on it?". These felt so lonely. And she'd reply "these people probably have no relatives in town, or at all," I'd nod thoughtfully and she would go on "we have no family in town, either. So, we go to a grave with no lamps on it and place ours there. Elsewhere, someone does the same for our relatives' graves. We respect our dead, and the dead who have no one to come to them."

It's a win-win situation, you see? :)

Others were obvious, and probably also noticed. "Ela," I'd say, dropping the extra "sexy" I often add when addressing her. She'd reply "Yes, these massive hills of garbage" at the entrance of the cemetery, mind you "...are in poor taste!"

I agreed, but couldn't help but comment after a moment of thought "and yet, there is order to the chaos. There is no garbage thrown on the grounds, anywhere."

The cemetery itself would put even Buffy's local cemetery in Sunnydale to shame, but it wasn't creepy. It was a place of memory, stones, and green grass. Yet the grass isn't always as green as your neighboring grave's, as you well know. Walking deeper into the cemetery, the previously clean tracks between graves were suddenly so full of leaves from the Fall that you could hardly step on the Earth.

A sign of decay? A show put on for the outside? A lazy keeper? More trees in that area? We didn't stop to check.

That area was darker, and also had significantly fewer graves in it. It had a monument on one side, and a large cross at the other. One was for the fallen soldiers who fought the Nazis during World War Two. Another was for the fallen in the resistance against the Nazis. Another monument was for the fallen in the resistance against the Soviet Union, many of whom were members of the first resistance, but none survived many years into the occupation. This made this monument one for those who were "disappeared" during the reign of the Polish satellite state before the collapse of the Soviet Union.

Each monument, or cross, was a mass grave. I didn't quite grasp that while staring into the darkness of grass with no graves on it.

Once I got over my half-shame at thinking about it, the patterns in which people placed the lamps on the graves caught my attention. Some were just put there in seemingly random placing. Others were immaculately placed. Some were on the ground, others on the tombstones.

Why half ashamed you ask? Well, I voiced the thought when we passed a double grave (probably for a husband and wife). There were big red lamps placed in a line right between the graves, separating them and other lamps put on both graves. "Probably trying to separate them from fighting beyond the veil." I joked, unsure how Ela would react.
:)

Looking at the cemetery and the.. event.. show.. taking place in it, with an economic eye, the market which formed outside, selling lamps, flowery plants and food, was probably a boost to Poland's economy that day, kind of like on the 4th of July in the States. A big business--People are dead, but there's a bright side! Right? ...?

More interesting though was the thought of the Warsaw Fire Department. I would really like to know what they were doing that night, and how many calls they received. Is there a special fire code for cemeteries, in Poland?

It reminded me of the potential for fire and how the Fire Department is aligned to cope with it, here in Israel for Lag BaOmer (a holiday where everyone and their sister lights a bonfire, all around the country (emptying every construction site of wood while they are at it, up to the point where these give away wood they buy specially just to keep themselves afloat)).

I was there to experience Poland and its people (in the few days I had after my lecture), unlike many Israelis who go to glimpse what the holocaust left behind. While most of my trip was fun and games, I am glad Ela took me on this.. adventure? I am glad that I went, however unwillingly.

This was an interesting, touching, experience. One which I doubt many Israelis who visited Poland had experienced. Thank you Ela.

Gadi Evron,
ge@linuxbox.org.

Wednesday, November 05, 2008

When First Blogging (Spam-y Behavior)

[syndicated from my fun blog]

When I started blogging I made mistakes. What I learned was not about security, or writing--That came later. I learned about how to balance my presence in online communities with my blog posting--Without unintentionally being an annoying spammer.

Seeing a friend, in the past few months, post to communities I am a member of and repeat my mistakes annoys me as much as spammers do (much like I used to annoy others). I searched for an ancient post of mine on the subject and here it is, updated.

Part I: How do I balance my blogging with my communities?

I like mailing lists and I participate in some, depending on free time and interest. Before I started blogging, I used to be more active, and felt these different discussion forums were a home. I had a problem.

I’d start talking about something there and say to myself “hey, why not write about it in a blog?” and I would. Or the other way around, I’d blog something and say “hey, wouldn’t this interest community home #21?” :P

I went through several phases before settling down on what was best:
  1. Email in that you wrote about something in the blog.
  2. Email in just a bit or a summary, as you don’t want to write twice, and send a link to your blog.
  3. Copy the entire blog post, and add a link (which is useful if the situation was unfolding in real time and updates to the text are expected).
  4. Include a link to your blog in your signature.
  5. Email in a copy, and unless you have a specific reason, don’t mention the blog.

I keep seeing other people repeating the above process (more or less), with minor variations as to which step comes first, and what is considered acceptable. Some people call them spammers, others just smile or pout. One thing is for sure, it is something many new bloggers who were part of at least one community before their blogging days, go through.

The thing is, I am my own worst critic and had to feel comfortable with posting. My solution ended up being #5 (although #4 is also okay, as critics of that one are just nit-picking flamers). More specifically, I decided:
"Stop worrying. Post what you want where you want, and try to avoid duplication. Do not mention the blog. Mention URL to the blog only when you have a reason to, such as *necessary* updates that will follow."
So, even if I did like the idea of people hearing of my blog (obviously), marketing was far from my main intent. I didn’t like the fact it ended up appearing like spam, in their eyes or in mine.

Part II: I want to "spam"! ;-)

"But." you might say "aren't there places in an online conversation where giving the URL to my blog is acceptable?"

Acceptable marketing in this case is viral, and if you participate people will find your blog. If you still want to send in the URL, make sure it is relevant.

The following are some occurrences in which it is okay to mention your URL in communities:
(Watch for the important notes and caveats later on)
  • As mentioned, you can place the URL in your signature or profile information (quite alright, but I personally avoid these 99% of the time).
  • When a relevant topic presents itself, make a real comment and if, and only if, relevant, mention there was a similar incident, or you wrote about this before.
  • Unique posts with new and revealing subjects are exempt. An example would be: "I am on the cover of the New York Times!!!!111".
  • Similar to the above are announcements of a personal nature, such as the birth of a new baby girl, with pictures. Again, only if done rarely, and advisably with a direct URL.
Notes and caveats on "acceptable" exemptions:
  • Timing and rarity: Don't over-do it. Post URLs only *rarely* or you may as well spam.
  • Form: When you do post, a direct URL to the post is advisable.
  • Relevance: Don't force it. Here's an analogy from the product world as coined by a friend on one of my ideas--"Most solutions wait for a problem. This is a problem waiting for a solution". Wait until you see a relevant pre-existing topic where you find yourself repeating what you wrote in your blog.
  • Don't be a stranger: It's best to do so only if you are a *contributing* member.

In conclusion

I learned how to participate in these communities while having a topical blog, which for some reason originally was not straight-forward for me.

I now realize I went through the same process once before when I became active in more than one community. Learning is not an easy process, and repeating mistakes is what we are wired to do to try and make it work "this time". With it happening to me twice I was able to pinpoint what was bothering me and why, and apply the necessary changes.

Gadi Evron,
ge@linuxbox.org.

Wednesday, October 29, 2008

Phishing Registrar Accounts - ENOM is First Target

Criminals are now looking to use established domain names, via phishing targeted at domain registrars. This is possibly related to ICANN finally moving to stop the black hat registrars of the world.

According to the first report on the matter, sent yesterday to the Registrar Operations (reg-ops) mailing list, the attacks seem to be run by a gang of child pornography spammers. The phishing domain names, all in the .biz TLD, use fast-flux DNS to make the attack more difficult to mitigate.

Ironically, the email spam claims that the user's domain, according to the subject, has "Inaccurate whois information".

Until ENOM and other registrars get their anti-phishing services in place, I believe it is the job of the Internet security operations community to help them out by taking down these attacks.

The Registrar Operations group (reg-ops) will be watching for these and mitigating them as fast as possible, in close cooperation with the registrars and the security community.

Gadi Evron,
ge@linuxbox.org.

ICANN Sends Termination Notice to Registrar

ICANN sent EstDomains a termination notice:
"Dear Mr. Tsastsin:

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (customer No. 919, IANA No. 943) is terminated...."
I believe this is a very positive step from ICANN, showing it is indeed an active part in shaping the Internet, as well as responsible to its constituents.

While I am sure this can not be an easy move to make, it is warranted in this case and I believe it to be a brave one. While such decisions must not be made rashly, it is my deepest regret WHOIS information is the only way to reach such ends.

Gadi Evron,
ge@linuxbox.org.

Sunday, October 12, 2008

Are you getting your news from spam? My mother does.

This is a story about my mother and Obama.

My mother: "Have you heard about Obama? Really impressive guy."
Me: "What about him?"
My mother: "x, y and z."
Me: "Where did you hear about this?"
My mother: "I read email too, you are not the only one who is into technology."

Luckily, my mother bases her opinion on more than just spam messages, being an educated woman. I am not sure about others.

I refused to believe this. I still do. Yet, it is true. More and more people get their news from spam, and worse--form political opinions based on what they read in it, especially when their friends send it to them in chain letters ("hey, you have to see this!").

Be it political spam targeted at changing the minds of voters, or regular malicious spam that catches eyes with political blurbs so that users will open the email messages, these messages reach people, and people read them.

I don't have exact numbers, as I am unaware of research which tried to measure it. I am however, now facing the truth. What made me wake up was my mother.

Speaking with friends, I find my mother is far from the only person to be influenced by such email messages.

Gadi Evron,
ge@linuxbox.org.

Friday, October 10, 2008

New stem cell research: "babies no longer required"

Two MAJOR leaps in stem cell research have been achieved, and published. In the past the only source for stem cells was dead embryos, which caused many a folk to be outraged by this use of "potential" (given, dead) babies. The moral, philosophical and scientific discussion aside, it just became much more interesting.

A year-old study showed skin cells can now be reprogrammed to act as stem cells. A new study reports stem cells can be extracted from testicles.
Study co-author Thomas Skutella, of the University of Tübingen in Baden-Württemberg, Germany, and his team isolated stem cells from adult, human testicles and cultivated them to become pluripotent cells, which can develop into many other types of cells.
While it was clear to me no ban can really stop research with such immense impact on humanity (as well as a monetary impact on whoever holds the rights), this discovery is predicted to stop the opposition to stem cell research in its tracks. That may not be the case.

The main moral objection is that "potential humans" (babies) were used, which is no longer the case, colourful language aside. Researchers have now shown that is no longer an issue (although naturally, further research is required).

The thing is, the opposition's argument is likely to change. It is true, "potential humans" will no longer (if the research holds water) be used, but the "don't play God argument" is about to be more strongly introduced.

These stem cells can just as easily be used to CREATE babies, and that is something the true opposition won't stand for, even if they were willing to give ground on it before.

Others may realize the huge impact on humanity this research will have, or may have changed their minds by now due to unfortunate personal or family medical experience. There will always be an opposition, or 20. That's what's so beautiful about human society--the diversity.

Gadi Evron,
ge@linuxbox.org.

Tuesday, October 07, 2008

Logical fallacies and rationalizations, cont.

I recently came across this post, which reminded me of the logical fallacies and rationalizations discussion. The post discusses a vicious murder, but also touches on the very core of the subject we discussed, with a bit on "effecting change" and getting set in your ways, traditions and taboos.

Now, disengaging from the act of murdering three girls for "free will", which naturally, is difficult to do (as if we don't, it will hijack the discussion immediately)--this post has a very interesting first paragraph:
"Whenever you hear someone defend an action with the excuse that "it is our custom," "it is traditional," "we've always done it that way," "it is written so in our sacred texts," or variants thereof, slap 'em down and spit in their eye. Those are not excuses for anything but the perpetuation of bad old dogma rather than taking the useful step of actually thinking about causes and consequences, a fallacious shortcut that allows ancient evils to thrive."
Effecting change and getting movement in groups is a special interest of mine. The examples given above are the illiterate answers someone may give as to why they should or shouldn't do something (except for the "because it's written", which is a whole other, unrelated concept).

More literate answers do exist when you speak with intelligent people, and then there can be several reasons why they hold to their beliefs, legitimately. These taboos came from somewhere and some of them were even a Very Good Idea™ at the time. Noticing things we know to be evil no longer are is difficult. Further, our beliefs are still what in many cases defines any group and shouldn't always be abandoned just because they are not necessarily reflecting reality.

Example from my life in computer security:
Sharing (computer) virus samples is considered "evil" and irresponsible by the anti-virus industry, for reasons ranging from fear of spreading them to helping the criminals, or giving them feedback on what we know (not to mention losing a competitive edge).

And yet the landscape changed, these are everywhere nowadays so the criminals don't need "our" samples, while many defenders do--desperately--and have no "legal" means to get the same information. Yet, is it wrong for professional anti virus researchers to view such sharing as evil?

Getting set in your ways as well as following established taboos are quite fascinating in how they form and how they can be broken. Usual annoying disclaimer: nothing is ever black and white... blah blah.

The rationalizations mentioned, however, are another facet of the same thing we discussed earlier, I think?

Gadi.

Monday, October 06, 2008

Information warfare and defending organizations from computer espionage

This blog post is about computer-based espionage, and how we can defend our organizations against it. But I'd like to start from a mood piece of sorts.

There has been too much noise about information warfare lately. If we put DDoS (Distributed Denial of Service) and defacement attacks (such as in Estonia [PDF]) out of mind, the following two stories (coincidentally left to rot as Firefox tabs in my browser for the past two months) give a better understanding of what it is really about, without resorting to more scary stories about what China is, or isn't, doing.

We'll also touch on other interesting cases, such as the Israeli Trojan horse case, when we talk about defensive measures against computer-based espionage and targeted attacks.

The first is a report (without much detail or proof) on North Korea being involved in operations against South Korea using Trojan horses for espionage:
http://www.networkworld.com/community/node/32202

The second, is a lesson from history called The Farewell Dossier.

From Wikipedia:
The Farewell Dossier was a collection of documents containing intelligence gathered and handed over to NATO by the KGB defector Colonel Vladimir Vetrov (code-named "Farewell") in 1981-1982, during the Cold War.

...

This information led to a mass expulsion of Soviet technology spies. The CIA also mounted a counter-intelligence operation that transferred modified hardware and software designs over to the Soviets, resulting in the spectacular trans-Siberian incident of 1982. The details of the operation were declassified in 1996.
The resulting explosion was so big, it was supposedly mistaken for a nuclear explosion by American decision makers until the CIA said: "oh, that's one of our operations."

A quote from this article puts it in a computer security perspective:
In June 1982, in a remote patch of Russian wilderness, a huge explosion ripped apart a trans-Siberian pipeline.

It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former U.S. Air Force secretary and National Security Council member.
What does this mean?

While incapacitating and destruction-based attacks are certainly of significance, and important to defend against as they impact us directly, regardless of who the attacked party is or where in the world they are (DDoS attacks harm the Internet and its users), smarter, quieter attacks are all around us. How do we defend against them?

I expect most information warfare acts to be targeted, quiet, and covert. Espionage, or spying if you like, is not relevant to us unless we are the target. The diplomats and the intelligence communities of different countries can figure it out for us. It is an old occupation, and well covered by international law. Computers are simply another tool, or capability, to be used by these same people. There is nothing new here as far as how the game is played.

And yet, what if you are a target?

Recognizing there is a threat

You may have to defend against computer-based espionage for your own employer. Recent case studies, as well as research, have shown industrial espionage is indeed a big deal, and here are two examples.

One famous case from a few years ago, which I had the unfortunate opportunity to study, led incident response for in the Government, and brief Fortune 100 companies on, is the Israeli Trojan horse case.

Leading IT companies (most of which were local Israeli branches of Fortune 100 companies) were spied on using a Trojan horse built by an incompetent programmer, leaving traces of itself everywhere on the affected systems. This went on for a long period of time, undetected by any of these companies.

The issue was only detected by chance when the creator of the Trojan horse used it for his own private purposes, and it was discovered during the investigation into that harassment case. The stolen information was fed directly to the victims' competitors, which was most of the rest of the Israeli IT industry. The services themselves were rendered by civilian intelligence and investigation firms.

In another Israeli case, the attackers broke into a local branch of the Post Office (also a sort of small bank in Israel) and placed a wireless gateway connected to a switch inside. Through it they stole a few tens of thousands of Shekels in the few days they were in operation. This case was also broken by complete chance; originally, as nothing was stolen, it was to be ignored by the bank and the local authorities.

In other cases, intelligence agencies for various countries, such as France as a prominent example, have been spying on their own to make sure their own local companies have an edge competing with companies from other countries.

Here is an interesting quote from "The Industrious Spies, Industrial Espionage in the Digital Age".
This transition fosters international tensions even among allies. "Countries don't have friends - they have interests!" - screamed a DOE poster in the mid-nineties. France has vigorously protested US spying on French economic and technological developments - until it was revealed to be doing the same. French relentless and unscrupulous pursuit of purloined intellectual property in the USA is described in Peter Schweizer's "Friendly Spies: How America's Allies Are Using Economic Espionage to Steal Our Secrets."
Defending against computer-based espionage

For the purpose of defense, while I'd certainly hope for more resources (read: a larger budget) and change my focus on where I apply them--there is no inherent difference in how you defend your organization from computer-based espionage than in protecting against any Joe hacker.

In espionage, the attacker has more resources, both technical and operational. That is the one technical difference; the others are motive and legal standing.

Some of what I would do differently

I'd concentrate a bit more of my resources on network behavior analysis (which unfortunately, not many tools exist for, so good network security analysts are the main alternative), as well as on social engineering training and procedures.

Further, I'd prioritize cooperation with the physical security part of the organization, and HR (for personnel screening).

I'd also consider putting up a good deterrent as a cyber security policy, both to add to the attacker's risk and to increase their cost.

First, by doing my job--making myself too difficult a target in any way available to me, and letting people know about it. Stating the obvious by saying "do your job" is not too helpful, but it is solid advice. It is a strong 180-degree turn from strategies of the 1990s such as "let's not make ourselves a juicy challenge for these kids!"

Second, I'd invest anything I can spare on monitoring my network for anomalies and security incidents, starting with mapping what my network actually looks like. This might add to the risk factor for opponents that can't afford to be caught, and scare them. Covertness is the name of the game, or they would have come through the front door.

Entering an "industrial espionage defense" clause into your budget, or creating a "five year plan" to better protect your organization from organized industrial espionage, may just get you a larger budget to cope with your organization's security needs.

Do you have something you'd do differently from (or in addition to) regular security practices when facing espionage from "organized" hackers? Any experience, or thoughts, you can share?

Gadi Evron,
ge@linuxbox.org.

Sunday, October 05, 2008

Time for self reflection

In case you don't read any of what I have to say below, read this: I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Atrivo (also known as Intercage), is a network known to host criminal activity for many years, is no more.

Not being sarcastic for once, this is time for some self reflection.

I wish I was one of those who sleep soundly tonight, being clear in my conviction that Atrivo should be out of business, and positive that my decision to help that happen was sound. While I would do it again, I am sad.

I won't sleep soundly tonight, as that company, criminal and abusive as it clearly and contemptuously was, still sustained quite a few families in several layers of employment, from sysadmins sitting in the US of A all the way to minor low-level fraudsters employed by their clients' clients.

I will however, be able to look myself in the mirror for my part in the effort to get rid of them--and even gloat some. My conscience is as clear to me as my sadness is crystal. We may not have changed the wall of battle in the long term and whenever one criminal falls, another jumps up to the opportunities of the land of the free--the Internet. But for once, just for a while, we halted the machine. We stopped the wheels of evil, even if only for a fortnight.

While doing so, we also touched some lives in a destructive fashion. The criminals'.

No villain ever sees himself as the bad guy, as the saying goes. A friend recently showed me Russian language comments written on Brian Krebs' recent Washington Post story. In them, the posters ask: "why do you take our bread away?"

In a lecture during ISOI 5, some folks just didn't understand the meaning. Their bread. Their bread. We in the Western world, behind the cultural divide, speak a different language. Their culture isn't poorer than ours, it is unequivocally different.

We can not truly comprehend what it means for some folks in Russia to no longer be able to feed their children this month. Nor can we understand that by sending email, we made those children starve. Cheap theatrics on my part, you say? You got that right. It doesn't make it any less true.

Cyber crime is a war waged against the Western world. At first, no one even noticed and it was a niche.. an art. While the artists still exist, they are a minority, the hackers. For the criminals however, motive is as irrelevant as nationality. Whatever actions are taken, be it a political defacement, fraud or spam, the unavoidable secondary impact remains the same: damage to the Western economy and security in an exponential growth which will become ever clearer in the coming years.

Yes, my friends. I would do the same again. I feel sorry for Atrivo, but they were harboring the equivalent for the Internet of active missile launchers firing on Israel from the Gaza strip. They are human beings who hit a curve in the road to their success. Cyber criminals, however, establish such growth as parasites and whatever I may feel for needing to resort to the end game weaponry, these people need to be smacked down like cockroaches.

Ten years ago they were a pride to their parents, today they are a scourge. What will they be in ten years?

If all reasonable and even some unreasonable approaches fail. That does not mean I don't have to feel sorry for them, and me. But it also doesn't mean we don't need to fight back.

Not even a hundred years ago, disastrously, war was business and an acceptable horrifying part of life. A few years later, in 1918, war was unthinkable. In the century since we who live in or are influenced by Western culture made war no longer an option we can publicly stomach, while facing those who would play us like children because of it.

War is horrifying and evil, it is also a last resort in a world not as ascendant as we would like to think. The Internet has its own "liberals" and I am proud to be one of them. However, I am also practical and see that wishing for a world we once had is not. A world where I could host files on my neighbor's servers openly, where children could happily use pocket calculators and go to libraries for their school work rather than Google and read Wikipedia. You did so, do your children?

This new world has its price, and that price is a complete loss of public privacy, and a culture of ineffective security.

We are reliant on our Auntie Jane's computer knowledge for our own security, and while not many would follow us to our bathrooms to infringe on our personal privacy, online we have no privacy, however much it helps us to lie to ourselves that something we do publicly (read, on the Internet) is private.

I accepted that, but that is because I have been in the trenches for years. Others live better not knowing. But it doesn't mean I won't work diligently to make it remain.. functional.

Indeed, taking a step back from my niche in security, and seeing how bad things truly are--people can still surf for porn, and argue over who the best Star Trek captain is. Cyber crime, in all its immense activity of billions of incidents an hour, is background noise. But the background noise continually increases. When will it overflow?

All I really want is to maintain the functionality we have, regardless of the abuse. And yet... Going back to Atrivo, they made enough money by now. And regardless once more, their criminal clients are already back online elsewhere--in some places possibly hosted by what seems like Atrivo, only under a different name.

We did not win, but boy does it feel good to have a victory once in a while for morale's sake. We halted the machine, even if only just for a short time. That, my friends, also has strategic implications for our ability to influence networks to run clean on the Internet, although only time will determine if I am right on that.

Enough whining though. Who is next on the target list? :)

More seriously, why do I care so much? I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Gadi Evron,
Of the Internet.
ge@linuxbox.org

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 30, 2008

Most interesting article in months

Yesterday I tweeted about this article from the WSJ.

It describes a web site with an immense community of people--all of them watching a web cam looking out over a kid's front lawn. Purpose of web cam: surveillance--catch thieves of Obama signs.

Under such circumstances, with "squirrels moving about" being one of two exciting events to happen thus far, statements such as "people with too much time on their hands" come to mind, and yet, is it the case?

The web site serves as a community, formed ad-hoc and yet not at all ridiculous. While the members obviously care for the reason they are there, namely, the Obama sign, and they would do quite a bit to make that point clear, they are followers and leaders in an online community with its own internal memes and pressures.

I can't predict if this community will last at the current interest levels over time, but it is an extremely interesting occurrence.

The stated fact that sign stealing is indeed a problem in several states, combined with direct communication between Obama supporters in different geographical locations outside of their own social circles, would be strong enough, but add to that:

1. A feeling of fulfillment with a purpose -- watching the sign.
2. The home feeling of belonging to this formerly anonymous family.
3. Low-key moderation, but with clear leadership and stated occasional reminders of boundaries of discussion.

And you have an intriguing group dynamic.

The Obama sign, while important, is in my unverified opinion more of a badge which ideologically everyone there respects and needs in their "back yard" (pun intended) for political muscle in the group.

I'd be following this in the news, if follow-up stories are written (they often aren't). This also shows people can find alternative ways of discussing what they care about with the continued degradation of what I'd consider news and discussion forums, with clear agendas and untrustworthy reporting, on both sides.

This is indeed the most interesting story I read in months. And as a secondary point, I know two other folks who dealt with local security problems such as theft and bad players in their neighborhoods by installing such cameras.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Monday, September 29, 2008

Introducing yourself

A friend of mine found he was introducing himself poorly when he started his startup. I twittered about it, but after three message updates decided it was worthy of a blog post.

I did some online research (read Googled) on what the "repeater machines" (learning how to be human beings/business people/coaches/FOM--my acronym for Fad of the Month), were saying about the proper way of doing so.

The first hit in Google seemed to be built right for my friend, though I never read past the first paragraph.

The search was worth it though, as pretty soon I came across some very funny links:
Bad ways to introduce yourself to women
Introducing yourself to large-breasted women

How do you introduce yourselves?

My friend originally started with: "ahh, I program, err.. I have this startup but I can't tell you about it". He will soon find his way, what is yours?

Me? I often skip introductions altogether.

"Introducing yourself" is not to be confused with the important 30-seconds/200 words "elevator pitches", which are good not just for new ventures but to get your point across--something I still struggle with daily being naturally inclined to brain-storm my way across the world.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, September 26, 2008

Estonian Cyber Security Strategy document -- now available online

The Estonian cyber security strategy document is now available online. I must say once again the concept of a national cyber security stance is quite interesting.

Those who wish to download the document:
http://www.mod.gov.ee/?op=body&id=518

My contact there specified she'd be happy to answer any questions. To avoid spam of her inbox, email me for her address.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Thursday, September 25, 2008

Internet Vigilantism

The good people at Renesys wrote a blog post about what they call "Internet Vigilantism".

While I feel I can not yet fully comment on the whole Atrivo / Intercage depeering movement, there is an underlying strategy to consider. I will comment at a later date.

The blog above asks:

While I'm not a big fan of cyber-crime or the providers who knowingly host these activities, I can't help but wonder where law enforcement is in this story. We still have laws, right? There is a lot of questionable activity and content on the Internet that is thriving and has no shortage of suitors. Even the most cursory look of what passes for "content" should convince anyone that it's pretty hard to get thrown off the Internet — it just doesn't happen. But since it just did, I have no trouble believing that Atrivo had it coming. It's tough to piss off the entire world, especially when you have the money to pay them off. I only wonder why the cops didn't get there first [...]

My response is, 'okay', but please don't call it Vigilantism.

There is a difference between Vigilantism as it is perceived today and Vigilantism as it is in the dictionary. It means neighborhood watch.

When the police are not around, that is something you need. "It's for the children".

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 23, 2008

Disintegrate! Gust of wind! Can we get back to saving the world already?

I've recently been involved in an email thread which, partly by my doing, unfortunately degraded into a dirty flame war for a few hours.

Whenever meta discussion takes over real discussion, frustration builds up inside me. This comic strip from today which a friend just sent me, seems to explain the concept much better than I can.

Order of the Stick: http://www.giantitp.com/comics/oots0595.html

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Estonian Cyber Security Strategy document, translated and public

The Estonians have a public version of their cyber security strategy translated into English (currently available offline only). The concept of a national strategy for cyber security is one which I am particularly fond of (also see previous post, An Account of the Estonian Internet War).

The following is the Summary section from the document which might be of interest (Estonian Cyber Security Strategy — Cyber Security Strategy Committee, Ministry of Defence, ESTONIA, Tallinn 2008):

* * *

The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture.

It is an essential precondition for the securing of cyberspace that every operator of a computer, computer network or information system realises the personal responsibility of using the data and instruments of communication at his or her disposal in a purposeful and appropriate manner.

Estonia's cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole. This will be accomplished through the implementation of national action plans and through active international co-operation, and so will support the enhancement of cyber security in other countries as well.

In advance of our strategic objectives on cyber security, the following policy fronts have been identified:

  • application of a graduated system of security measures in Estonia;
  • development of Estonia's expertise in and high awareness of information security to the highest standard of excellence;
  • development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems;
  • promoting international co-operation aimed at strengthening global cyber security.

Policies for enhancing cyber security

1. The development and large-scale implementation of a system of security measures

The dependence of the daily functioning of society on IT solutions makes the development of adequate security measures an urgent need. Every information system owner must acknowledge the risks related to the disturbance of the service he or she provides. Up-to-date and economically expedient security measures must therefore be developed and implemented. The key objectives in developing and implementing a system of security measures are as follows:

  • to bolster requirements for the security of critical infrastructures in order to increase its resistance, and that of related services, against threats in cyberspace; to tighten the security goals of the information systems and services provided by the critical infrastructure;
  • to strengthen the physical and logical infrastructure of the Internet. The security of the Internet is vital to ensuring cyber security, since most of cyberspace is Internet-based. The main priorities in this respect are: strengthening the infrastructure of the Internet, including domain name servers (DNS); improving the automated restriction of Internet service users according to the nature of their traffic, and increasing the widespread use of means of authentication;
  • to enhance the security of the control systems of Estonia's critical infrastructure;
  • to improve on an incessant basis the capacity to meet the emergence of newer and technologically more advanced assault methods;
  • to enhance inter-agency co-operation and co-ordination in ensuring cyber security and to continue public and private sector co-operation in protecting the critical information infrastructure.

2. Increasing competence in cyber security

In order to achieve the necessary competence in the field of cyber security, the following objectives have been established for training and research:

  • to provide high quality and accessible information security-related training in order to achieve competence in both the public and private sectors; to this end, to establish common requirements for IT staff competence in information security and to set up a system for in-service training and evaluation;
  • to intensify research and development in cyber security so as to ensure national defence in that field; to enhance international research co-operation; and to ensure competence in providing high-level training;
  • to ensure readiness in managing cyber security crises in both the public and private sectors;
  • to develop expertise in cyber security based on innovative research and development.

3. Improvement of the legal framework for supporting cyber security

The development of domestic and international legislation in the field of cyber security is aimed at:

  • aligning Estonia's legal framework with the objectives and requirements of the Cyber Security Strategy;
  • developing legislation on protection of the critical information infrastructure;
  • participating in international law-making in the field of cyber security and taking steps internationally to introduce and promote legislative solutions developed in Estonia.

4. Bolstering international co-operation

In terms of developing international co-operation in ensuring cyber security, the Strategy aims at:

  • achieving worldwide moral condemnation of cyber attacks given their negative effects on people's lives and the functioning of society, while recognising that meeting the cyber threats should not serve as a pretext for undermining human rights and democratic freedoms;
  • promoting countries' adopting of international conventions regulating cyber crime and cyber attacks, and making the content of such conventions known to the international public;
  • participating in the development and implementation of international cyber security policies and the shaping of the global cyber culture;
  • developing co-operative networks in the field of cyber security and improving the functioning of such networks.

5. Raising awareness on cyber security

Raising public awareness on the nature and urgency of the cyber threats might be achieved by:

  • presenting Estonia's expertise and experience in the area of cyber security at both the domestic and international level, and supporting co-operative networks;
  • raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in the cyberspace and improving knowledge on the safe use of computers;
  • co-ordinating the distribution of information on cyber threats and organising the awareness campaigns in co-operation with the private sector.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Wednesday, September 17, 2008

ISOI 5, Tallinn, Estonia - Summary!

ISOI stands for Internet Security Operations and Intelligence. It is a professional conference, but with a very casual atmosphere. It brings together individuals who work daily to secure the Internet and respond to global security incidents, mostly as volunteers. They are often employed in government, law enforcement, ISPs and Telcos, anti-virus, the security industry and academia.

We often invite some policy makers as well, but they are there to learn rather than participate.

The conference is run under the Chatham house rules, with the added caveat of having to seek permission from the presenter before mentioning in public what was talked about.

When Hillar Aarelaid first approached me about hosting ISOI in Estonia, my first reaction was: 'cool'. My second was: 'ahhh'. After all, while going to Europe is something we wanted to do for a long time now... who would go as far as Estonia? I said 'go for it', and the rest is history.

How do the rednecks say: 'Boy!' I am happy I took the chance. I forgot the venue factor. You can judge how many people will attend the Virus Bulletin conference by, for example, if there was a conference there before, and how good of a vacation spot it is. Dublin was a huge hit, as was New Zealand. Get my drift?

Within two days of announcing ISOI 5, we had 50 Americans who RSVP'd as attending. We had two Europeans. Mind-boggling.

As the conference approached, more Americans RSVP'd and we found it amazing we had barely the same number of Europeans. We later found out that there were five other conferences before or immediately after ours, not to mention one in Sweden on the very same dates. The scale was then tipped and we ended up with lotsa Europeans, but the lesson about what vacation venues mean to Americans was learned.

Randy Vaughn once again came to the rescue with preparing the online schedule, and Hillar along with the rest of the Estonian CERT made our stay amazing, and ran one hell of a conference.

Conference highlights
1. Estonian girls. Enough said.
2. No tax on alcohol. Enough said.
3. No sleep in between conference days. 'So say we all!' :)

Two evenings before ISOI, before the local Estonian CERT conference, we all went out to an Irish pub, called St. Patrick's of all things. Hillar picked up the tab.

The evening before ISOI we all went out to a local place across from the Viru hotel, where after drinking profusely for hours and eating dinner, the bill was only 200 Euros or so (I just got diet coke, shame on me).

Chad from Sunbelt simply picked it up instead of gathering money, saying it costs less than dinner in Vegas--he is a great guy. Danny McPherson from Arbor picked up what was ordered later, which couldn't have possibly been more than 50 Euros--Danny is one of the more fun guys around. Lots of thanks to them both. Alcohol is really cheap over there. Think the night ended there? Think again.... but let's talk about the conference now.

While ISOI is centered around the trusted and vetted communities of folks who spend time protecting the Internet against evil cyber criminals (ooh), one highlight of the conference for me was a lecture named The Limits of 'permitted self-help' in Internet Security and Intelligence by Alana Maurushat, an Academic from Australia.

She opened the discussion of how far "vigilante" groups (I hate that term, especially when it is wrong) can go, what is legal and what isn't. Needless to say, while she was interesting, her initiation into our group was by fire. Several of us, while appreciative, were "active participants".

She started by showing pirates on the screen, followed by an entire room yelling "Argh!!!". Good start.

The interesting discussion aside, she had to keep saying "permitted self help". I kept wanting to ask "right or left hand?" but eventually ended up using Aussie terminology (as she is from Australia, after all), saying "so, what are these wankers all about?"

Eventually I just said she must stop implying we all masturbate for a living, but it was a good time and a great discussion. She had a cold, and it was her birthday. Trial by fire, indeed. I hope she comes back, she added quite a bit to the mix.

Rick Wesson showed a map of abuse on the Internet inspired by an xkcd comic, and many other presentations filled the day, which unfortunately I barely had time to listen to. While Hillar was amazing and ran most of the conference, being the organizer keeps you busy. The rest of the presentations I can't really talk about without seeking permission (see first paragraph about Chatham house rules and caveat), so...

At the end of the first day we gathered some of the defenders of the Internet "war" of last year on a panel to answer questions. Estonians are very shy, so moderation was problematic, but it ended up being pretty interesting.

In the evening everyone went to a local restaurant/bar with local Estonian food, for the official "reception". Microsoft, Hansapank and SEB picked up the bill for the food, and Norman volunteered to pick up the drinks tab. I asked them to cover 1000 Euros, and after the first evening we never believed they would pay more than 500, given the low prices. It ended up being 1200 Euros. Unbelievable, but some of us can drink! Thanks Norman!

The second day had many neat presentations, but the second half of it was filled with presentation after presentation on the cyber conflict in Georgia last month, and one presentation on RBN by Jart Armin.

As a surprise (for me as well), Hillar flew in last second a system administrator from one of Georgia's banks to discuss how things went from her perspective. She gave a very good presentation, but the surprise he intended for me was ruined. Hillar was somewhat annoyed when I came to him with her business card. How did I find out, you ask?

"Hello, who are you? :)"
"I am Masha, I am lecturing tomorrow"
"No you are not, and I should know.. this is my conference"

I ended up giving her my copy of "Stranger in a Strange Land" by Robert A. Heinlein, which she earned (but left me book-less for the flight back home).

The rest is history. :)

Quite a surprise from Hillar!

The last evening of ISOI is when people often go off with friends to eat dinner. The Viru hotel bar seems to have become the main gathering point from which people went in groups, came back and left again. I sat back with my laptop, staring out the window as Estonian girls passed continually, while trying to hold up my end of several conversations.

It was a very good ISOI, and a very fun one, as well. The next one is around February, in Dallas TX. After that we will have one in Norway.

Special thanks once again go to the Estonian CERT: Toomas (who helped organize), Tarmo (who operated everything), Aivar (who regardless of anything, I am just happy was there), Kathrine (who made sure we all had food, and took care of us) and of course, Hillar!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 16, 2008

I should be shocked

From the nothing-is-holy and it-unfortunately-makes-sense departments.

I just received a 419 Nigerian spam attempt, but the means by which it reached me should have my blood boiling with anger.

It was sent as a comment to a eulogy I wrote in a Guestbook opened after the death of a friend.

How dare they, you ask? It only makes sense--I opened the message, didn't I?

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Sunday, September 07, 2008

I'm interested, but in you

[syndicated from a friend's blog where I posted this anonymously a few months ago]

Walking happily in the mall carrying my brand new Mac, a salesgirl caught my eye and asked me to come over.

I walked closer stating clearly "I will come over, but I don't want to waste your time. I'm not buying anything." She was happy for me to approach regardless, smiling. I think I smiled back.

As soon as I got near the stand, she took my hand, kindly (felt nice) but firmly, and led me closer, turning me toward the stand and her. I was keenly aware of how this hand-hold made my body automagically follow her and of how breaking physical contact is difficult.

The salesgirl began to slowly fold the sleeve on the hand she held, probably preparing me to smell something, still touching my hand as she chatted me up. "Why do you have a Black Hat shirt but no black hat?"

I decided being nice and letting her flow with our chemistry, manufactured or not, is more than okay. How to simplify the answer though?

"I'm a hacker" *smile*

At this point, sleeve pulled back and hands removed, she tried to convince me to try something on. I considered the "I'm allergic" excuse, but saw no reason to lie. "Thank you, but I am not interested," I said with finality.

"You bought a laptop?"
"Yes, just got out of the Apple store." Which incidentally, is right in front of the stand, and I was carrying the laptop case.
"Have you ever been stuck at an airport for like eight hours? What do you do for so long? Me, it just drives me nuts."
Raising my eye-brow but not missing a beat, showing real interest, I replied "I was once in London for six hours, I went to the center, ate lunch, and got back just in time for my flight."
"Yes," she said, slightly pouting "but what if you are stuck there for eight hours with nothing to do, what do you do then?"

When she left my hand alone, I waited a bit, and slowly started pulling my sleeve down while talking.

"It is always fun to get out of the airport and explore."
"Always?" she insisted.
"Sleep works. I really hate the Frankfurt airport, and there is nothing to do in Frankfurt." I rolled my eyes. "I was once stuck there for ten hours and just went to sleep."
"The laptop must help" she offered.
"Why, of course! The first thing I do when I get to the airport is look for food," *pause* "Obviously" *smile* "Then I start looking for a power socket for my laptop".

She tried again.
"How about this here..."
"I am not interested in creams."
"Ah, this is for your nails." *smile*
"Thanks, no." *smile*

Maybe my smile was an invitation incongruent to my verbal negation, but she kept going. When someone smiles at you--you often smile back whether you know it or not.

"Are you interested in me," *very slight pause* "showing you this here?" *smile*
I considered saying yes again and the allergic excuse tried to pop up, then with a large smile filling me and my face I heartily responded "I am interested in you," *slight pause* "not what you offer." *big smile* "But thank you so much."

Usually I'd not refuse, but I am not going to buy anything so why waste her sales time?

*Almost awkward pause* I followed up.

"You are good. If I was not aware of what you are doing, building rapport, you'd have me wrapped around your finger by now."
"Thanks, tell that to my boss," she said, pointing to him. He was very interested in our conversation throughout, although he maintained his distance.

I half turned to go, and looking back over my shoulder, "Can I ask you guys a quick question?"
"Sure" she said. She was still looking at me and nice, but not as excited and slightly pouting.

"Well," I began "again, you are very good, but did anyone teach you..."
She softly cut in "The story was true."
"I am sure it was," *smile* "but before you had your own story, did anyone teach you an example story to use?"
"No," she said, "it's all mine." At this point the boss was also in the conversation, although he never really spoke. He leaned in and had his half smile of amusement and interest changed to one of interest and sarcasm.

I took my cue, thanked them both, and left.

Four points:
1. Holding my hand (shaking it then not letting go?) gave her control over me, to make sure I stayed and to move me around. It made us closer instantly. Maintaining touch opened me to her approach and made sure I listened. Even with the real-time analysis of what she was doing, it was slightly difficult for me to not do whatever she asked.

Powerless to stop it or not, me "letting" her fold my sleeve, although done slowly while keeping eye contact with me (so that I barely notice), implies that I already showed interest in what she offers. Regardless of me clearly stating otherwise. Having done that, why not try some perfume? It would be silly to roll the sleeve back down without trying, right?

2. She attempted to create rapport with me by speaking about my Black Hat shirt. I let her, but did not agree to buy. She may not have known much about hacking, decided I required a more intelligent approach or chose to use a different story to create more rapport.

Picking on another environmental cue, she spoke of my new laptop with the airport story. Perhaps my accent helped her spot me as a foreigner, but a separate story helped us feel more familiar with each other and took longer to explore.

3. When I said I was not interested in creams, she immediately disarmed me with "nails". This took me aback a moment, as I am a guy, and not a very beauty-aware one.

It was a nice and natural way to change the subject and kill my objection--what she said (nails) wasn't as important as the negation (don't worry). In my case, though, it wasn't the best approach--especially as I hadn't shaved in two weeks. It should have screamed at her.

4. Although said in a flirtatious manner and not offensive, my "I'm interested in you, not what you sell" was a carbon copy of her disarming techniques. She couldn't break rapport, especially since I kept the chat with a smile after that.

Turning to leave and then staying, but talking almost as an afterthought without facing her, made her feel she wasn't stuck with me and allowed me to explore her sales techniques without being too threatening, especially as I am four times her size. She probably lied, though.

All-in-all, it was a fun conversation and I didn't waste more than two or three minutes of her time. I didn't realize I could analyze her sale so easily. I can't wait to try this again in a year when I know more and see what I spot then.

Perhaps with a more advanced sales person such as an insurance agent, who will be more sophisticated. Seeing my progress is a big boost to my enthusiasm.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Saturday, September 06, 2008

Cyber crime: an economic problem

During ISOI 4 (hosted by Yahoo! in Sunnyvale, California) whenever someone made mention of RBN (the notoriously malicious and illegal bulletproof hosting operation, the Russian Business Network) folks would immediately point out that an operation just as bad was just "next door" (40 miles down the road?), working undisturbed for years. They spoke of Atrivo (also known as Intercage). The American RBN, if you like.

In fact, while many spam operations use botnets and operate all around the world, a lot of the big players own their own network space and operate hosting farms, which are constant and "legitimate", right in the US--for years now.

While we may not be able to make contact and mitigate incidents in some countries, these operations inside the United States of America run undisturbed. They register thousands of domain names every day and fuel a whole economy, starting with spam continuing with phishing, malware and DDoS attacks, and ending in child pornography and more spam.

Background
For years the Internet has become increasingly "dirty". It isn't just about the thousands and millions of concurrent security incidents (automated, malicious code-based and other) happening every minute of every day.

It isn't even about the next stage, the botnets and massive fraud attacks. It's about the problem not changing. The Bad Guys (TM) or miscreants as some of us tend to call them (I prefer criminals) are a business. They have R&D, operations, outsourcing and so on. They collect statistics to make sure their revenue stream is maintained, and act to rectify the situation if it isn't.

They (ab)use the Internet for their business, but have shown, in old Russian war style, that if you go against them, they are not afraid of destroying this revenue stream called the Internet. Scorched Earth is an acceptable strategy. The criminals established a working deterrence on the Internet, as unlike us, they are willing and capable of using their power, to let the Internet go (root server attacks, Blue Security incident, etc.).

To change this equation the first realization we had was that this is an economic problem.

Changing the Economic equation
To impact their business you have to change how they treat it. This comes down to a basic cost vs. benefit calculation:
  • Cost (earning less or spending more)
  • Benefit (earning more or losing less)
Meaning, if it costs them one cent to send out 10 million spam messages, they are already spending more than they should. If they only earn a million USD a day, they are behind schedule for their quarterly revenue goals. Asymmetrical much? :)

Anecdote: some UK banks lose over a million POUNDS each every DAY during phishing and banking malware attack waves.

We used to be able to impact their cost by "killing" their botnets, or making sure phishing sites stayed "on the air" for less time.

They have contingencies, design and operations to ensure they are never "down". They register domains for use just for a few minutes, and then discard them. Their botnets immediately jump to a new location if one "goes down", if it wasn't just a temporary location to begin with.

Graceful degradation is terminology not reserved just for the house of representatives.

This is not always true. When "bullet proof" hosting is found, they don't need to jump around. For example, some phishing sites hosted on Atrivo's IP space have been up and running since early 2007.

By taking down malicious sites, or as we like to call it, whack-a-mole (it just pops up somewhere else) we played the game, and they got better at what they did--they evolved.

The answer was: law enforcement. If the RISK factor became high enough, we could change the economics of the problem space.

Unfortunately, while having good intentions and good people, law enforcement is:
  • Considerably under-staffed
  • Hardly able to communicate inside the US
  • Barely able to communicate with agencies in other countries
  • When able to communicate, it often takes up to a year (unless they go off the books and talk to the folks directly rather than through Interpol)
  • When successful, often takes years (more than two) to build a case
  • Then, success is rare in comparison to the number of incidents
So what are we to do?

Law enforcement vs. maintaining our networks
At some point every network operator comes to this fork in the road: "Do I maintain my network and kick this SOB off my network, or wait for law enforcement?"

The answer should be self-evident by now, best intentions included.

This ties back into the current situation with Atrivo / Intercage, which we will discuss later.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Friday, September 05, 2008

RIP: Kevin Martin :(

Kevin Martin, a funny, nice, knowledgeable, tolerant and smart person, passed away today from a heart attack while being treated for colon cancer.

In this post I will share some of my thoughts, and some of his text. Please feel free, if you knew him, to share some more of the things he said and wrote in the comments section below.

He was an anti-spam community member, a science fiction fan, and an inspiration. I did not know him very closely, but I am truly sad. Our interactions over the last several years were always a pleasure, and when I heard of this my only thought, for at least 10 seconds, was:
NO!

But I couldn't reply to the message which told me of his passing with NO!
I wouldn't convey my soaring emotions, with NO!
I could only convey them in a proper fashion, saying it is sad news and a bad day. Bugger that.

That's not enough. For those of you who read this post, I searched for and quoted some of Kevin's email interactions of the past couple of years, to give you a taste of the sort of guy he was.
I don't think he'd mind, but I have no way to find out.

I will mostly quote discussions on public mailing lists where I was involved, or directly with me, although there are a few snippets out of other discussions, which I believe are OKAY.


Kevin, you will be missed.

On a personal note, Kevin is the second person to be linked to me in a social network, whose profile is active, but is no longer there. These Empty Spaces, as a friend of mine described so well, are sad. Messages in the middle of threads no longer being there, tags disappearing out of photos, accounts which sleep, and yet are there.

Memories of Kevin
In response to an email thread about spam, I once saw him say the following:
"That there are people who forgive is good, because it gives people who spam a reason to stop.

"That there are people who don't forgive is also good, because it gives people who have never spammed a reason to not start."
-- der Mouse
Speaking of himself:

Subject: Who, me?
Was one of the people clogging the Usenet moderators list that Chris Lewis mentioned, circa 1998, when someone tipped me off that the spam discussion was taking place elsewhere. And so it was, and so it is.

I'm now somewhere in the gray area between self-employed and semi-retired.
First message sent to the SF-hackers mailing list (a mailing list for old computer geeks who are science fiction fans):
[SF-hackers] Who Goes There?
Kevin Martin
Sat Apr 14 19:49:42 CDT 2007

I suppose you're wondering why Gadi called you all here tonight.
You're welcome to blame me.

Gadi Evron wrote:

>> I am unsure, but I think I never read anything with [John W.
>> Campbell's] name on it... what a shock.

To which I replied:

Okay... Have you ever read anything by Isaac Asimov, Robert A. Heinlein, or Spider Robinson? Lester Del Rey? Theodore Sturgeon?
A. E. van Vogt?

We were speaking of the best-known story by John W. Campbell the author, but he's much better known as the editor who discovered, polished, and published just about every well-known science fiction author of the forties, fifties, sixties, and early seventies.

If you like any of those, they're Campbell, one step removed.


... and things just sort of got out of hand. Enjoy.
Speaking of blog comment spam:
> Is there some other software I should be looking at?

The Akismet plugin for Wordpress has been kicking butt and taking names since I turned it on. It only asks me to intervene if it's not sure, which has been twice so far. When I log in, there's a cheerful little note waiting for me:

"Akismet has caught 200 spam for you since you first installed it.
You have no spam currently in the queue. Must be your lucky day. :)"
Random quote:
And of course if you were to go proactive about warning your customers, you'd probably get sued.
On Spider Robinson and his parody of Johnny Cash's song "A Boy Named Sue", from SF-hackers:
> Dianetics/Scientology was L. Ron Hubbard, not Campbell.

Actually, JWC was a big supporter of Elron, embarrassingly so;
Wikipedia has the whole sordid tale.

Spider is most definitely a 'he', as he makes clear in his tribute
to Shel Silverstein, "A Boy Named Spider."

"Some girl would giggle and I'd get flustered,
Then smack her in the face with a coconut custard
(Though later on I'd try to get inside her...)"

Unlike the boy named Sue, who was given a name that would make him "tough" in "a world that's rough," the youth in Spider's parody is the son of an aging hippie who wanted him to stay "hip" 'cause "this world's a trip."
Replying:
<voice class="Kosh">'Yes.'</voice>
On trust in leaky mailing lists:
Gadi Evron wrote:
> I made it clear [] is not a trust environment but rather a friends
> environment, with some very weird uncles.

Been waiting for someone to *ahem* comment on this remark.

We have had Threads That Will Not Die about "leaks," Andy, but please be aware that the policy of the list remains that A) you are here as an individual first, rather than a representative of any organization, and B) unless a poster waives it regarding a specific message, the default here is supposed to be "Fight Club"-style confidentiality.

Perhaps "trust environment" is a term of art that means something special to you, Andy, or to you, Gadi; the fact we weren't individually vetted by the Mossad doesn't keep me from trusting the folks here, or feeling upset at the prospect of that trust being casually betrayed.
On email practices:
+1 on the EVIL of giving one's passwords to random third parties. That needs to suffer a Firestorm of Withering Scorn whenever it pops up.
On adding new folks to a mailing list:
Me:
Private contact only, but I can ask...
Should I bring one of them to []?

Kevin:
If it's someone you'd trust to load magazines for your Galil.
Subject: Forum post: "Getting owned by spamhaus..."
A "naive user" story to share. The good news is that more than one
person on the board piped up with the correct answer, which I find
encouraging. You might want to skip to the punchline below.

Quote:

Anyone know how the hell to fix this?

Spamhaus is flagging the ip's for any email sent on the company emails.

[snip text]

And now Outlook is going all JH1 on me and smtp relays
are not working for any accounts.

On another note, how the hell did I become an IT guy? I have been
hitting the computer with a pipe wrench and that doesn't seem to help.

End Quote.


The punchline? /This is on a weight-lifting/body builders board./
Sad, but happy to remember,
Gadi Evron.


Follow me on twitter! http://twitter.com/gadievron

Wednesday, September 03, 2008

Hiring people and how communities run

This post by one Seth Godin speaks for itself, and is fascinating. The guy wanted to find out who to hire out of all the "PDFs". So, he put all the internship candidates on a Facebook group, and watched. He quickly saw four types of participants.
  • The game-show contestants, quick on the trigger, who were searching for a quick yes or no. Most of them left.
  • The lurkers. They were there, but we couldn't tell.
  • The followers. They waited for someone to tell them what to do.
  • The leaders. A few started conversations, directed initiatives and got to work.
Having had almost too much experience in getting projects running, making things happen, working to bridge big egos, building communities and forming new trends--or in other words, Herding Cats (TM)--I was hooked. It's not often I find another "campaign manager", and especially not a student of "affecting change".

I kept wishing the guy shared more information and some of his insight. He didn't, but it was still interesting.

Adjacent subjects hinted to in his post such as learning, hiring and mentoring are almost as interesting to me, and in general, I found the subject matter close to heart. The post really "spoke" to me.

The world is full of followers, and this idea will be copied. My fear is that the fakers will become the winners.

In the Israeli military any course you go through--especially officers' course--has occasional Psychometric tests where your friends "rate" you on different attributes. [*opinion* most of] The people who get the high scores are the fakers. That means you get smart people, but also poor actors (not too much acting required).

Looking at the huge industry preparing people for anything from the SATs to professional certifications, I can visualize how these methods could become [as] useless.

On the other hand, human nature has a way of coming through in the end. And, of course, in business--if the fakers "get the results" it doesn't really matter.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 02, 2008

Would someone create pyFox already?

In the reverse engineering world IDA Python changed how people do things. Instead of wasting an hour of "monkey" labor on a repetitive task you could now write a Python script one-liner, or even load a script.

You could change variable names everywhere at once (even in comments), and do much more complicated things if you put your mind to it.

Firefox allows for people to build plugins, which is very useful. Using these plugins you can control what web pages look like and even Firefox itself (configuration). You can change text, images and scripts, pick an object, change encoding or even sort through Cookies.

Why not combine the two ideas?

pyFox would let you run command-line Python scripts from within Firefox. You could choose and manipulate objects, change the web page, search it for regular expressions, make it all in CAPITAL LETTERS or filter it for vulnerabilities.

On the other end you could load a script to manipulate cookies for a different expiration date, download a web page every five minutes to compare for changes or even harvest Google for a keyword, explore recursively on-the-fly, and see what you find.

The sky is the limit, and Python is the tool.

People have been using the web for everything ("everything over HTTP") since the last century, and creating entire projects utilizing browsers and HTTP. Why not bring this experience (which by the way, has been a security nightmare) and POWER to the hands of the end user?

Some folks referred me to a plugin called Greasemonkey which allows some web page manipulation using Javascript. And...

Very recently Ubiquity was released, allowing SOME of the functionality, connecting the symbols, etc. but at a very early stage:
http://labs.mozilla.com/2008/08/introducing-ubiquity/

So, any volunteers to create pyFox?

Update:
navtej shared the following URLs in a comment:
http://weblogs.mozillazine.org/roadmap/archives/008865.html
http://nufox.berlios.de/

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Monday, September 01, 2008

Logical fallacies and rationalizations

Recently I formalized some thoughts on the subject of the rationalizations people use and the excuses they invent. More specifically, my goal was to come up with a list of low-level, basic rationalizations people use when something they believe in is shown to be false (a failed psychic, a cult divination gone wrong, etc.).

These are thoughts underlining possible basic components, not a thesis.

The point behind this exercise is not to psychologically explain why people react this way, but to find the similarities and trends in logically false and vague/impossible to prove generalist statements (meaning irrefutable statements) people use at such times.

I started off with the following list, and emailed it to the skeptics mailing list for input:
  1. X is just testing our faith
  2. It is us who misunderstood the meaning
  3. We did get Y as X saw fit, it's just that X doesn't cater to our wants
  4. We have done something to anger X
  5. We have not been worthy enough
  6. Z has not been worthy and ruined it for the rest of us
  7. Humans are fallible/one can't always be right/X is off his/her game
Karen Daskawicz, a skeptics contributor shared a similar automatic response some folks use, but not immediately related to what I was seeking. Further, she concentrated more on religion vs. science which was not what I was looking for. Still, it was interesting:
I'm not sure if this is the sort of thing you're looking for, but one that I've heard a lot:

"Science doesn't know everything."
or (variation)
"Science has been wrong before."

[I cut her explanation of why this is a logical fallacy from this post, but it is available online]
Larry Huntley responded:
While I don't disagree with what you say here, it looks like the OP was looking more for rationalizations/reasons that people of faith would use when asked questions like "Why did allow your partner to die of Alzheimer's? You were both very religious; surely you prayed to him to make her well, didn't you?" and "Why was almost the entire congregation of the church wiped out by lightning strikes during the ice cream social Sunday night?" or "Why were all our mud-brick pyramids destroyed by flooding?"
Moving away from religion, which is not different than any other aspect of human life in having some less than intelligent followers in the mix of its members (and, yes, sometimes uses such tricks to convince the masses to convert), Wally Anglesea brought us back on track:
Well, speaking from contact from ex-cult members of my local doomsday cult,

Many have expressed the belief that "he was genuine when we were in (including receiving messages from heaven), but at sometime during the period, he went wrong, and the messages were coming from the other place.

Weird, I know, but it's how they rationalise their original positions.
At this point I was able to see some underlying concepts behind the different rationalizations. While imperfect, the following cover most of them:
  1. Blaming self (wasn't worthy, angered X, blind to it, etc.)
  2. Blaming others (weren't worthy, angered X, blind to it, etc.)
  3. Claims of misunderstanding (did in fact happen, works in mysterious ways, power temporarily off, date/meaning was mis-interpreted, etc.)
Some rationalizations seem to combine several of these.

Thoughts anyone?
Can you think of any other rationalization I skipped or basic components I missed?

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, August 29, 2008

Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has been long named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, compared often to RBN in maliciousness. "The American RBN", if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' "Make spam not war" and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As well researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Thursday, August 28, 2008

Public sharing and a new strategy in fighting cyber crime

A couple of years ago I started a mailing list where folks not necessarily involved with the vetted, trusted, closed and snobbish circles of cyber crime fighting (some founded by me) could share information and be informed of threats.

In this post I explore some of the history behind information sharing online, and explain the concept behind the botnets mailing list. Feel free to skip ahead if you find the history boring. Also, do note the history in this post is mixed with my own opinions. As I am one of the only people who were there in the beginning, though, and lived through all of it, I feel free to do so (in my own blog post).

As I conclude, we may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.

History
It was my strong conviction that the bad guys (criminals!) already had access to all this data--now we know they do, and further, could test their own creations against anti virus detection (on their own to see they are not detected or using a tool such as VirusTotal). They could use honey pots and any number of other sources of public information. Then, they could also always measure success ratios--they do.

On the other hand, the Good GuysTM did not share. What sharing did happen was very limited and limiting. Aside from that, because it was so scarce, it was (and to a degree still is) kept secret within a select group of friends. Others would not be allowed in very easily, nor should they be, for obvious trust issues.

System administrators and security researchers had to get their information from their own logs or public reports of limited value from vendors. This secrecy also had the consequence of the public not being aware a cyber crime problem even exists and later on, always being roughly three to six years behind the curve on accepting what is actually happening.

By extension, when after the Estonian "war" many countries and organizations became--literally--scared, they started creating tech policy based on misconceptions and information glimpsed from the news media and vendor reports.

The black hat effect
The anti virus industry has a history of being strict on sharing. That is as it should be and quite proper. In the early 1990s there used to be roughly one virus released every month. Then someone released a study on one, and within a month 50 new variants came out. Disclosure was a bad idea. However, times, they are a-changing.

When malware can be found by anyone running a honey pot, surfing the web, opening their inbox or Googling for it, the strong restrictions on sharing made little sense as far as "aiding the bad guys" (read: criminals). The strong argument remaining for being strict on sharing was "we are not black hats, we are careful with these things!"

This is fine, and acceptable. It is also burying our heads in the sand. While sympathetic, change was required as the big worms were out (circa 2003-4) and security professionals all over the world had no information. Worse, when most security vendors and therefore the media were concentrating on the big worms, exponentially bigger botnets were out there, undisturbed.

A new industry formed which would later be called "Anti Trojan", as they would detect these bots (Trojan horses) and remove them, while many anti viruses considered them:
1. Not their job to detect.
2. Not viruses.
3. "Garbage files".

Beginning in 1997, I made many approaches and tried to get the AV industry involved, telling them they were only detecting 20 to 30 per cent of all malware, to no avail. In 2004-5 they started playing catch-up. This happened again two to three years late with spyware (new industry, two years late to the game, etc.) and two to three years late with rootkits.

At that point in time active sharing was established between vendors (not just AV), academia and others. Companies such as Checkpoint, Cisco or "God forbid" Microsoft had "no business" dealing with samples according to the AV industry, as they went elsewhere, with people such as myself driving this sharing and, yes, taking the heat.

The strict sharing policies had an extra motive (on part of the AV industry), which made little sense except for business sense. They had every marketing intention of maintaining an iron grip on malware samples, so that only they could sell products and control the information flow. It was brilliant for a few years, but they also self-marginalized themselves and were forced to become more generic security vendors to catch up, due to inability to change in time.

They now had massive competition and were out of touch. This reminds me of the copyright wars in the music industry.

This grip was broken as such information became readily available (which was, as mentioned, ignored by the AV community). I can take a very big part of the credit for breaking this iron grip, by facilitating sharing communities where vendors, researchers, law enforcement and others not directly of the AV world could exchange samples as well as analysis. Being a part of the AV world, this made me persona non grata to some, but thankfully not for more than a year or so.

Still, vetting and silence were a pre-requisite in the newly formed communities. Trust was key. Some of the new mailing lists and communities formed by me were DA and MWP. Later copy-cats include malaware and II (not as vetted, but now more relevant as far as malware sharing goes).

Others still would have to create their own communities, such as the ISP world, fighting this problem on the network side. They would later on not accept the researchers, much like the researchers would not accept them--for the very same reasons, and only to change their minds once these folks started working on their own (on mailing lists such as DA and MWP).

No one wants to be considered a black hat, but times change and necessity facilitates evolution.

Sharing C&C information
It was a long journey, but we kept running into the same problems. We'd be fighting malware infecting a hundred thousand to three million users a day, with hundreds such incidents every single day. Yet, the public did not know about it, and the security vendors would be behind--concentrating naturally on their own niche.

We changed the world, enabled better sharing and created new trust models. And still, we would not truly cooperate. Cooperation and resource sharing aside (after all, many in the industry have financial agendas, as they should), we could not get the bigger picture straightened out. We needed to share intelligence on millions of stolen identities every day, but still couldn't get this malware sharing out of the way.

Command and control (C&C or C2) for botnets, for example, was information barred and restricted by the security and network operations communities now newly formed. After all, sharing would cause us to help the criminals. No? More than that, we'd no longer have control.

Much like with the AV industry before them, the anti terrorism folks in government and any other reactive fighters, the ISPs and operations professionals--me included--were indeed doing great work. We'd be fighting malware and botnets, but the problems just got worse, even if we were more organized.

A couple of years later, getting these C&Cs off-line was no longer useful, as they had graceful degradation and backup, immediately "jumping" somewhere else, undisturbed.

New researchers and organizations were refused acceptance once again, and started working on the problem on their own, sharing their information and eventually out-growing the original communities now set in their ways. Such is the way of the world. This showed me how sometimes diversity, rather than cooperation, can be great. Repeating mistakes and seeing how they are no longer mistakes due to a changed landscape was something I now appreciated.

My advocacy was to treat C&Cs as intelligence sources rather than targets, but the intelligence discussion is for another time in another post.

Soon, C&C information was publicly available, and yet--to the public and policy makers, the cyber crime problem did not exist.

Enter the botnets@ mailing list
It was time for a change. Facing much resistance I created a public mailing list where the public, the sysadmins and the security researchers could share information, learn and fight cyber-crime.

The response was staggering. Dozens of contributors emailed in with detailed information, and yet--we felt uncomfortable about it. We treated folks like they were doing something wrong sharing in public, and sent mixed messages.

New groups were formed, and older groups got new recruits (such as Shadowserver, which the mailing list helped). It was still a win situation, but the mailing list had to go.

Today, about two years later, the botnets mailing list has been revived and in the past day the response has once again been staggering.

Folks share their information, get informed of new threats in a language they understand (tech) and talk to each other. Moreover, they understand the risks, and the ugly face of Internet security is out there for all to see. This time we need to be ready to accept this change.

Public fighting
Sharing information with the public has always been something I was personally attacked for, and yet, how else are you supposed to win a war if the people you fight for don't even know it is happening, or needed?

Last year, Estonia was attacked on the Internet by Russians [PDF]. It can not be proven if it was a public uprising, Internet-style, or state-sponsored action. Still, it re-affirmed some of my beliefs about affecting change and community forming.

To fight a war, you have to be involved and engaged. On the Internet that is very difficult, but the Russians found a way. It is a fact that while we made much progress in our efforts fighting cyber crime, we had nearly no effect whatsoever on the criminals and the attackers. None. They maintain their business and we play at writing analysis and whack-a-mole.

Using the botnets mailing list, I am borrowing a page from the apparent Russian cyber war doctrine, getting people involved, engaged. Personally aware and a part of what's going on.

It can't hurt us, and perhaps now, four years over-due and two years after the previous attempt, we may be ready to give it a go and test the concept.

Perhaps now regular malware can become something regular professionals deal with, low AV detection of samples can become public knowledge, and vetted communities can think strategically and respond to more problematic matters such as intelligence handling of millions of stolen identities, or criminal organizations operating--not only in Russia and China, but from the San Francisco Bay Area.

We may not be able to always share our resources, but it is time to change the tide of the cyber crime war, and strategize. One of the strategies we need to use, or at least try, is public information sharing of "lesser evils" already in the public domain.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron