Wednesday, December 30, 2009

Air Travel Security: Practical Industry Suggestions From Us

I am just a security guy, as are many others who will read this. Perhaps it is time us "simple" security guys got together and write some recommendations for air travel security? Get our voice out there as an organized professional group, which can in turn lobby for our professional recommendations.

Then we can edit them, vote on them, and submit them to the government for consideration in the upcoming brouhaha of committee discussions.

Here are mine, just to get the ball rolling:

Strategic:
0. Review useless technologies which are there for beyond the security theater purposes (which do matter) and start eliminating bad projects. Your purpose in security theater was to maintain air travel and keep people calm, right?
1. An investment in better intelligence (no brainer)
2. Create a "always strip-search" list rather than just "no fly" list., so that lesser threats can be dealt with responsibly without compromising the usefulness of the no fly one. I am sure they already have one, but they should layer this rather than deal with extremes.
3. Hire better agents (education/ability... better pay). Should be a small increase per person, but it will cost a lot in total. Then again, how much do all the current b/s additions cost?
4. Yours?

Tactical:
1. Copy Israel's air security training manual for agents. Israel's tactics may not be able to scale to the US level, but the training can.
2. Stop panicking and alienating people, so they are calmer and you can more easily identify suspicious people, so that this new training is more effective. Heck, do it anyway. Send TSA agents to some workshop on being nice. Or make shifts shorter.
3. Put "human sniffer" walk-through machines in every airport, for international flights.
4. Buy the better brand of baggage screening && X-ray machines for international flights (remember the liquid issue with checking for explosives in the last scare?)
5. Some people suggested to start profiling and leave PC behind, but I'm not touching that.
6. Yours?

Some of these are very high cost. Some of these are (on scale) very low cost.
Some of these should replace other high-cost idiocies, such as creating two new mega-airports, which is sound security-wise, but will only add an hop to the threat to jump over, with the same silly tests in yet another airport, rather than add a filter. Or full-body scans which will be of limited help, and insult us all.

What are yours? Join the discussion!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, December 18, 2009

Spymaster sees Israel as world cyberwar leader

Reuters reports from the Institute for National Security Studies (INSS), a Tel Aviv University think tank, where Major General Amos Yadlin, IDF chief of military intelligence, spoke:

In a policy address, Major-General Amos Yadlin, chief of military intelligence, listed vulnerability to hacking among national threats that also included the Iranian nuclear project, Syria and Islamist guerrillas along the Jewish state's borders.

Yadlin said Israeli armed forces had the means to provide network security and launch cyber attacks of their own.

He further said, as mentioned in this Israeli publication, that other countries, such as the United States and Great Britain, are establishing units for cyber defense, and that Israel has soldiers and officers on the job.

In fact, just today I heard a lecture by the director of the CIA who, as is general United States policy, places cyber security on the map when discussing issues such as proliferation of nuclear weapons and international terrorism.

HaAretz, an Israeli newspaper, quotes Major-General Yaldin as saying:

"Fighting in the cyber dimension is as significant as the introduction of fighting in the aerial dimension in the early 20th century." (my translation)

If this statement is to be believed, Israel is active in cyberspace. And yet, why would Israel admit that, regardless of if it really happens?

One option is that Israel decided it needs to show that its military is on par with other militaries around the world.

"Preserving the lead in this field is especially important given the dizzying pace of change," Yadlin said.

On the surface, disclosing cyber space activity, which your enemies can develop as well, or push to develop more of, seems silly.

After all, Major-General Yadlin said:

"Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states,"

As Israel, much like the Western world, is very advanced technologically, it is more reliant on computers than many of its enemies and neighbors, and is therefore more at risk from potential cyber attacks. With attacks against Israel's internet presence these last few years, it may not be a silly idea after all.

With the world becoming more aware of threats to computer systems, investment in cyber security rising and more and more security incidents being disclosed; countries around the globe invest in cyber capabilities. Indeed, Israel too, which has been under internet attacks for years, needs to buckle up and do more to combat the threats.

Major-General Yadlin also mentioned cyber attacks fit well with Israel's doctrine for military offensives (mistranslated below as defense). This bit is tricky, and I will try and read between the lines.

"I would like to point out in this esteemed forum that the cyberwarfare field fits well with the state of Israel's defense doctrine,"

While Major-General Yadlin in all probability meant something along the lines of being bold and staying ahead of the curve, as in the same sentence he also spoke of Israeli youth and innovation, mentioning how Israel is often referred to as the "start-up country":

"This is an enterprise that is entirely blue and white (Israeli) and does not rely on foreign assistance or technology. It is a field that is very well known to young Israelis, in a country that was recently crowned a 'start-up nation'."

It is possible, although unlikely, that he meant to indeed discuss Israel's defense doctrine, thus possibly speaking about deterrence in cyberspace.

Deterrence is an integral part of Israel's defense doctrine, with the goal, in broad lines, of widening the window between inevitable Arab attacks by a strong response, some would say a disproportionate one, which will score a quick and decisive victory. Hopefully deterring them from attacking again. This strategy has roots in Israel's history all the way back to Ben Gurion's time and the formation of Israel.

Deterrence on the Internet, however, is mostly nonsense. This due to inability to identify who it is actually attacking you, and then if somehow successful, if it is really them or if their computer has been taken over by yet another attacker. Is someone trying to frame another as your attacker? Is your attacker even a nation-state to begin with, rather than an organization that doesn't care about retaliation?

On the internet, you may know who your enemies are rivals are, but you may never find out who is attacking you. The Internet is perfect for plausible deniability.

If this was the thinking behind the announcement, which I'd like to think is not the case, then the strategy was copied from the United States where this silliness has been going on now for a few years. The US strategic experts have been using Mutual Deterrence (or MAD, Mutually Assured Destruction) for over 70 years now, and feel comfortable with it. Therefore, when they needed to tackle the cyber realm, they immediately started pushing for a deterrence strategy even though cyber experts have been warning about it continually.

Deterrence for the most part, doesn't work online. It is my hope Israel does not repeat the American mistake on this matter and that I am right, and Major-General Yaldin was only speaking of Israel's spirit, where commanding officers lead the charge rather than wait behind.

From a completely different perspective, cyber warfare has been recognized as a strategic weapon on par with weapons of mass destruction for at least two decades. Israel does not admit strategic capabilities such as Nuclear Weapons, if it has them. Should it admit cyber capabilities?

"The potential exists here for applying force ... capable of compromising the military controls and the economic functions of countries, without the limitations of range and location."

While cyberspace is certainly strategic, the analogy to nuclear weapons is relatively weak.

There are obvious differences between the nuclear world and the cyber world, such as with tactical cyber uses of a very targeted nature -- without collateral damage, and in international law governing the proliferation of nuclear arms, while the cyber realm is in its infancy. In fact, the United States, Russia and the United Nations arms control committee are as I write these lines engaged in early discussions on securing cyberspace, and limiting military use of this realm.

When I first heard of the speech by Major-General Yaldin, I was highly disappointed with Israel for taking this route of public disclosure. Now, I am not so sure.

Disclosing that Israel is ready to defend itself and potentially engage its enemies in cyberspace right along-side the physical world, certainly has merit considering recent world events such as the attacks against Estonia and Georgia. I am just left wondering if this indeed discloses a real capability, or is just public relations.

I can personally attest from my years of defending Israel's internet, that Israel is under constant attack in cyberspace, and this intensifies whenever political tensions mount.

"At times it would seem," said Major-General Yaldin, "that our enemies would like to give a special award to Western companies whose products can be bought off-the-shelf at a reasonable price." (my translation)

Regardless, putting cyber security on the agenda along-side with Iranian nuclear weapons, Syria and Islamist guerrillas, is a step in the right direction to defending against the threats of cyberspace.

Gadi Evron,
ge@linuxbox.org.


Follow me on twitter! http://twitter.com/gadievron

Thursday, November 26, 2009

Was the ClimateGate Hacker Justified? Join the Debate!

A few days ago a story broke where someone hacked into a global warming research institute and stole all emails from the past 10 years, proving a conspiracy.

In the vast amount of emails stolen, some emails were also found with clear-cut lies, showing how some scientists conspired to deceive in scientific research about data that did not fit their agenda of proving global warming.

I am opening the subject for debate on the debate mailing list. It is a fascinating topic covering several subjects such as 'does the end justify the means?', 'irresponsible disclosure of personal data', 'is it justifiable to break the law?' and 'civil disobedience and the hackers' role in keeping society honest'.

Here are some possible questions to get the wheels rolling:

- Is the action taken by the hacker legal, ethical, and/or moral? Was the action justifiable?

- Do you believe the harm done as a result is justified for the good (disclosure) that came out of it?

- Can this be treated as civil disobedience?

For background, check out this story:
http://www.examiner.com/x-25061-Climate-Change-Examiner~y2009m11d20-ClimateGate--Climate-centers-server-hacked-revealing-documents-and-emails

Another source:
http://noconsensus.wordpress.com/2009/11/19/leaked-foia-files-62-mb-of-gold/


Join the debate mailing list, now! :)
http://whitestar.linuxbox.org/mailman/listinfo/debate

Please state your opinions openly, and let's discuss!

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Wednesday, November 18, 2009

Announcement: Critical Internet Infrastructure WG is now open to public participation

ISOTF Critical Internet Infrastructure WG is now open to public participation.

The group holds top experts on internet technology, critical infrastructure, and internet governance, from around the globe.

Together, we discuss definitions, problems, challenges and solutions in securing and assuring the reliability of the global internet infrastructure, which is critical infrastructure for a growing number of nations, corporations and indeed, individuals -- world wide.

The group started as a closed and private forum, to discuss technical and operational risks, as other venues limited discussion of critical internet resources to politically charged subjects such ascontrol of ICANN and ARIN, thus overshadowing other important aspects.

As of November 18th 2009, the list is open for public access, to advance public awareness of the issues, and bring new talent on board.

The group is hosted by the ISOTF, but is governed by members.

Note: SCADA, network operations, and other related issues should be discussed in the appropriate forums, elsewhere. This group deals with the internet.

To subscribe:
http://isotf.org/mailman/listinfo/cii

Gadi Evron for ISOTF-CII-WG.

Follow me on twitter! http://twitter.com/gadievron

Friday, November 13, 2009

China, is it our cyber defense red herring?

There are thousands of articles perpetuating the claim that China is out to get us on the Internet. And yet, all these discussions are begging the question, is it China attacking? Also, are they even the "usual suspects"?

While I can point to real facts of China making active use of information warfare, cyber warfare, or whatever else you choose to call it (such as the release of 0 days being patched by Microsoft
and originally reported by the Taiwanese government, search Microsoft's site), I can also point to Germany (intelligence Trojan horse), the US (The Farewell Dossier) and other countries such
as North Korea (without much detail, so questioned).

We have a failing, that even as experts we see an IP source in China for an attack, and as it is popular, and we are still used to think in the physical world, jump to the conclusion the actor is from China. The actor is often from the US, Eastern Europe, Russia, Brazil, and many other countries. That in turn does not mean these actors are then sponsored by these countries. Information warfare is about covertness, not about being loud. The Internet is perfect for plausible deniability, as I've learned when writing the postmortem analysis of the 2007 attacks against Estonia, for the Estonian CERT.

The Chinese know more about the uses of being covert than any of the rest of us, in their strategy, their actions, and their history. If they are being so indiscreet it is for a specific reason, perhaps as a smoke-screen, or indeed, they are not doing it to begin with.

I am not saying the Chinese government does not attack, I am saying naming them continually is nothing but a baseless red herring, and an easy scape-goat we have all grown used to. Thus, blaming China by itself has become acceptable just because people did it often enough. The story of Ethos manufacturing itself.

Malicious computers in China are a problem we can't and shouldn't deny. However, continually claiming China is the Big Bad and attributing every attack to them, is beyond ridiculous. Nothing to see here, move along.

Then again, maybe if we keep saying it's the Chinese with every attack we see, they will get some ideas and make it true for us. It may eventually prove true, but our current proof is based mainly on people claiming it in the past. We are better than this.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, October 30, 2009

Cyber War and Cyber Deterrence

A few days ago a Google Alert on my name let me know that I was referenced in a paper from RAND. I have high appreciation for RAND's work, so naturally I went to look.

The work by one Martin Libicki discusses cyber war and cyber deterrence. He is against the silly notion, much like I am.

I've grown so tired of repeating "these discussions the past two years in US defense circles are just ... stupid." I am happy that someone else, as articulate as Libicki, joined our side of the debate. Just because US experts are so used to deterrence as a strategy after 70 years, does not mean it fits the bill with the Internet. In fact, it is extreme folly.

I don't agree with everything Libicki says, but I do agree with him on this matter.

However...
Unlike many, I believe offensive capabilities are critical for any nation nowadays, but that thinking it would assist in defense is delusional.

Libicki's actual RAND paper can be found here:
www.rand.org/pubs/monographs/2009/RAND_MG877.pdf

Maybe now I can finally write a paper I want to write, on when deterrence actually does work on the Internet. There are cases where it does, but raising these before now would have muddied the water.

I also plan to be more vocal in the debate in the coming months, and pull out of the drawer some articles I wrote on the subject, for when it warms up and they can make a difference.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 29, 2009

Medical Vaccines as an Analogy to Information Security

In the information security field, we often encounter an ethical dilemma. Should information become public, so that people can protect themselves, or better decide how to do so. Or should it remain secret so that larger harm is prevented? The world of Vaccines shows us an image of how medical professionals deal with the issue.

I recently wrote a blog post on an unrelated subject, vaccines and their risks. I have been gathering information on whether they are safe for some time now.

While they are in fact, in the vast majority of cases, safe, there is no easily available information online as to the risks associated with vaccination. Most of this data, therefore, can be found in scare-monger websites, spreading fear, uncertainty and doubt.

Whatever reason vaccine professionals have to take the party-line, we can assume one reason they do not wish public debate to avoid risk of more people not vaccinating, potentially increasing the death-toll and causing epidemics.

The similarities don't end there, and it truly is fascinating. For example the World Health Organization (WHO) monitors disease globally, detects new epidemics and responds accordingly, and thus monitoring the success of vaccines as well.

An interesting anecdote is on global risk analysis. How regulation trumps personal liberties world-wide in vaccination programs for new-born babies, as the risk of epidemics outweighs the infringement. Some people claim that this is no longer the case, and that these programs need to be reexamined. They seem to be wrong, but information is not easily available online. It is interesting to note, as once successful, even if it was no longer helpful I very much doubt society would easily change in this regard, much like I am sure it was difficult to initiate this program to begin with.

I doubt such regulation will happen in information security, but a common stance such as vaccine developers and medical doctors have on emerging threats could be highly beneficial to our field, when approaching the public.

Many interesting strategic and psychological lessons can be learned by examining this field, when compared to information security.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, September 11, 2009

Lessons I Learned from Cyber Crime, an Article Series

I have been slow on updating this blog due to blogging on Dark Reading. I will make amends and start updating here more often. I will also start to cover my more interesting blogs on Dark Reading, here. You can also read my personal blog where I write about things I find interesting, or funny.

A few months ago I wrote a short series on some of the lessons I learned from the world of security and cyber crime. About systems and networks, people and communities, and finally, projects and making things happen, the first one begins with:
"The history of anti-spam teaches us about half-baked ideas and how people succeeded or failed to implement them. The analogy of evolution, while limited, demonstrates how reactionary solutions can achieve strategic goals before they are made obsolete by countermeasures.

How do you herd cats? In a series of blogs starting today, I'll explore the history of fighting cybercrime and how and why certain solutions worked while others failed, how we can recreate success, and what lessons we can distill to build business solutions, affect change in communities -- and even fight terrorism."
The three posts in question, are:

1. Lessons From Fighting Cybercrime
"... Criminals were forced to evolve in a desirable direction, which is a victory on its own. Evolution in capabilities occurs to circumvent security measures. By limiting the spammers' options they evolved to a technological battleground where we have more control."
2. Lessons From Fighting Cybercrime, Part 2

"... It enumerates ways by which "new" and "amazing" suggestions on solving the spam problem go wrong... If only "everyone" (or most people) used their solution or "forced users" to act counter intuitively (and similar truisms), spam would be "gone". It is well worth a read.

Trying to map how some solutions work while others can't even get off the ground and seeing how communities and social systems change is fascinating. The examples above and many other lessons of fighting cybercrime are illuminating. Especially when we consider they are mostly derived from failures of technical solutions to solve a human problem, a common design fallacy this day and age."

3. Cybercriminals: More Obvious Than They Think?
  • "...Let me pose it this way: It's a hot summer day, and you're drinking a beer at the beach. People are having fun and relaxing. Suddenly, you see a person wearing an heavy coat. Is this suspicious?"
  • "... Encryption is a great tool, but it also draws attention to you for using it. In your organization, how likely is an attacker to identify important resources just by watching for encrypted traffic? In some cases, it may be better to stay obscure, in the background as noise, than to use encryption. If the malware sample is new and therefore undetected by antivirus, then the same unfortunately applies to malware authors."
I hope you find these posts interesting. Do share your thoughts with me. Any anecdote, epiphany or even just an insight from your own experience will be appreciated.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, May 01, 2009

My Recent Posts on Dark Reading - April 2009

As I mentioned before, I blog on Dark Reading.

Here are more of my posts from this past month:

Social Networks Blurring The Line Into Citizen Journalism
http://www.darkreading.com/blog/archives/2009/03/a_police_office.html
In 2006, Israel sent forces into Southern Lebanon during what is now known as the 2006 Lebanon War. Israel had security concerns about missiles harming its civilian population, but what it didn't bargain for was military citizen journalism.

Think, for a moment, about the potential chaos of such live war reporting: SMS messages from soldiers up front telling of deaths before families can be notified, or live videos of bloody battles recorded from cell phones and sent to the press.
Conficker's Real Threat
http://www.darkreading.com/blog/archives/2009/03/is_conficker_a.html
Conficker is a real problem, but the world won't end on April Fool's Day. Here's why.
I love predicting the future and being right. I am proud for not jumping into the Conficker FUD circus.

SCADA Security: What SCADA Security?
http://www.darkreading.com/blog/archives/2009/04/scada_security.html
SCADA, the control systems for such infrastructure services as water and energy, has us worried whenever critical infrastructure defense is mentioned. Why, then, is it the most insecure industry on the planet?
I published that a day before the WSJ published their hyped story on SCADA spies. I was a good and timely reference. Nice timing!

I'm Interested, But In You
http://www.darkreading.com/blog/archives/2009/04/im_interested_b.html
Social engineering is a disturbing aspect of overall security threat analysis because it is the human element that is least in our control. Security and psychology -- once again -- go hand in hand.

Roughly two years ago I wrote about a personal experience that exemplifies how salespeople can try to manipulate you using body language, bringing us to a subject close to hackers' hearts: social engineering.
Analyzing Security Psychology
http://www.darkreading.com/blog/archives/2009/04/planning_for_hu.html
The integration of psychology into the security strategic-thinking process is critical for the advancement of information security. The human element influences all security controls because all of these controls seek to regulate human behavior.
Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, April 28, 2009

One shoot remote root for Linux?

While I am the first, I am sure soon I will just be one among thousands blogging this.

Sometimes news finds us in mysterious yet obvious ways.

HD Moore set a status which I noticed on my twitter:

@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel root - http://kernelbof.blogspot.com/

I asked him about it on IM, wondering if it is real:
"looks like that
but requires a sctp app to be running"

Naturally, I retweeted.

I left a comment on the guy's blog:
It's always nice to have good and talented people show us how we forget the obvious, continually. This somehow brings memories of Ciscogate to mind, but just by similarity of the original DoS vulnerability story.

Thanks for your work and for keeping full disclosure alive and well (where responsible). Everyone should be patched by now, unless they don't believe DoS vulns to be "important enough".
Signed,

@gadievron

Sunday, April 26, 2009

Debugging for Medical Doctors

Today I wrote a blog post named: Debugging for Medical Doctors. In retrospect, I think it shows the difference between handling technology and handling humans, performing the same action.

Debugging for Medical Doctors
http://gevron.livejournal.com/18191.html
What's debugging you ask? When you know there is a bug in your program, you find it by the process of debugging. How do medical doctors do it? And how they may be doing it wrong.
I hope you find it useful.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Monday, April 20, 2009

Proposal: This House Will Legalize Spam

I sent this today to the newly formed debate mailing list. While this is not necessarily my opinion, I am picking a side and running with it.

In other words, the opinions presented in this debate are not necessarily my own. People will either support this proposition, or tear it apart.



Proposal: This House Will Legalize Spam

Spam is a service answering a demand. Making the product legal will will inject our suffering economy with much needed currency and allow our government to tax this billions of dollars industry.

We have seen this happening with alcohol during the prohibition. Alcohol is no longer illegal, and great benefits resulted from that decision with a booming world-wide industry and disappearance of the black market economy.

Spam is a black market economy. Medicine is sold for high prices in the US, so black market spam operations answered the demand and sell drugs from Canada for a lower price. Many of these are fake and result in poor care in the best of scenarios.

Economically, the pharmaceutical industry is suffering and the government is losing potential taxation revenue. More importantly, if spam was regulated controls could be put in place to protect public health.

We have been waging a "war on spam" for two decades now with no victory in sight. More than that, the email system is under continued threat of no longer being usable.

Similar misuses have been addressed by legalization in the past. This includes post spam and fax spam, which today have clear regulation.

Most of the email traffic on the Internet today is spam, resulting in:
1. Increased operational costs for networks and service providers.

2. Clogged mail boxes, user annoyance and legitimate email being lost, resulting in loss of productivity.

3. A support infrastructure for other criminal activity ranging from phishing to child pornography.

Our respected opposition may claim that legalizing spam will open the door for other sorts of legalization. We believe this claim is a logical fallacy, falsely claiming a slippery slope to muddy the waters.

We believe that taking this route on spam is positive, other directions with other "products" should be considered on their own merit. It is a fact that the end of prohibition did not result in legalization of drug usage.

In support of my case I bring before you a case study (below), written by me two years ago for a zdnet blog. I demonstrate how an unrelated legalization caused a large percentage of spam to stop and spam operations to collapse, when the demand ceased.

Gadi Evron,
ge@linuxbox.org.

---

Taking down spammers: Successful spam fighting via legalization, regulation and economics

Original URL:
http://blogs.zdnet.com/security/?p=720

By Gadi Evron

Working in the Israeli city of Netanya, next door to our offices was a spam operation with roughly 30 employees. One day they weren’t there anymore.

They were blog comment spammers, but officially were doing Search Engine Optimization or SEO. Instead of optimizing content, they posted illicit comments on many blogs with commercial or misleading messages leading to their clients’ web sites, mainly for the purpose of increasing their clients’ web sites visibility in search engines such as Google. They would do this using an illegal tool such as botnets, and make quite a bit of money.

The reason for their disappearance soon became clear; nearly all their clients were gone. A law was passed in the United States which addressed online gambling operations (”Unlawful Internet Gambling Enforcement Act” - UIGEA). As a result, the public gaming industry ceased accepting online wagers. More than that, UIGEA addressed processing payments to and from Internet gambling sites. In a day, most of US-based gambling web sites ceased to exist (others moved over-seas, although quite a bit of the world’s credit processing is done by US firms). This effectively caused
the death of numerous black hat SEO companies–comment spammers. Perhaps the UIGEA measure against processing of payments proved too difficult to overcome. Not being a lawyer I can’t say exactly how UIGEA caused this death. No matter, US online gambling operations were effectively destroyed.

Spam decreased. The underlying cause for that was that the clients weren’t there due to the inability to process payments because of the online Casinos law.

....
More...

Follow me on twitter! http://twitter.com/gadievron

Friday, April 10, 2009

Debate and general discussion mailing list, with good arguers

Hi all,

Do you want to participate in a debate and general discussion mailing list which will have members who are good and intelligent arguers?

Please contact me if you do.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Thursday, April 09, 2009

Reimage named "Cool Vendor" by Gartner. They are COOL

My friend Zak Dechovich started a startup named Reimage and I am very exited because Reimage was just named by Gartner as a "cool vendor".

While I was a disbeliever at the very beginning, I saw the light. I am VERY excited Reimage does. They are COOL.

The original idea behind the company was to help US, the computer savvy folk who have to fix our family's computers all the time, by creating easy to use software that does it for us.

While it originally was unintentional, they remove a lot of malware while they are at it. Making it a very useful security product to boot.

Reimage's web site:
http://www.reimage.com/

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Wednesday, April 08, 2009

Fascinating Omegle Chat Logs

I have been chatting on Omegle all night, and some of the chats are absolutely fascinating. I don't want to flood this blog like I do my fun one. I will summarize here with links.

So far, I spoke with a dirt-road worker from Australia and a 15 years old sophomore girl tennis player from Maryland (trying to explain without sounding parent-yy about not sharing private information on the net).

I have been sharing these logs with a group of social scientists in an email thread. This is so intriguing.

The more interesting chat logs:

1. NSFW, very funny log where you see how anonymity lets people let loose.

2. A guy (apprently) coming out of the closet on Omegle.

3. Seeing social responsibility as base for good and evil
You may find this one boring, but I found it absolutely fascinating seeing how a person views the world in a way I find fscked up.

The person's social identity is what builds her (my guess) view of good and evil. I am thinking 17 years old.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Omegle: An Impressive "Web 2.0" Chat Service

[syndicated from my "not professional" blog: http://gevron.livejournal.com/15256.html]

Are you interesting enough at first impression? Do you introduce yourself well? On Omegle if you don't you're disconnected.

Reading the funsec mailing list discussion about twitter, David Chess referred to a new web site called Omegle. Dave wrote about it here.

Omegle allows you to start real-time chats with random anonymous people who can disconnect you at any time. Fascinating stuff.

My friend Imri Goldberg checked it out and convinced me I should look as well. On funsec he said:


My impressions:
1. Technically, it works really well.
2. What it is: web-based chat with random strangers.
3. Reminds me of my early days on IRC. You meet new people that are guaranteed to be at least somewhat interested in talking.
4. There is full anonymity, in the sense that you don't have a consistent identity that's kept from one conversation to another.*
5. There is no cost to disconnecting, if you don't like the conversation.
6. It's very much like speed-IRC, as in "speed dating" as opposed to regular dating.
7. Since you get a very specific IRC-like experience (meeting new people you'll never meet again anonymously), you can practice like Socrates did on the beach (Imri corrected this to Demosthenes: http://itotd.com/articles/319/demosthenes-stones/). You have only a few minutes and a few sentences to convince someone you're interesting, or they just disconnect, and you both move on.
8. You still have a lot of the IRC-like stuff, as in being asked "a/s/l" and so on. [age/sex/location]
9. I wondered how secure it is, who is logging the conversations/ip addresses involved etc.

All in all, a cute service. Also nice to know it was written by an 18-year old that's just finishing high-school, and as I said, it works well.

Cheers,
Imri.

* I was reminded of a very good discussion of online identities here: http://www.juliandibbell.com/texts/bungle.html. Old, but thought-provoking read. The relevant quote from that text is:
"Inside the MOO, however, such thinking marked a person as one of two basically subcompetent types. The first was the newbie, in which case the confusion was understandable, since there were few MOOers who had not, upon their first visits as anonymous "guest" characters, mistaken the place for a vast playpen in which they might act out their wildest fantasies without fear of censure. Only with time and the acquisition of a fixed character do players tend to make the critical passage from anonymity to pseudonymity, developing the concern for their character's reputation that marks the attainment of virtual adulthood."




My take on it is similar, I was very excited:

Omegle has a simple interface. No complex functionality at all. You can chat, and you can disconnect. You are anonymous unless you choose to tell the other person who you are.

I just finished my first chat there, and it was fun. It seems like a waste to me to be able to chat with people and yet not necessarily keep in touch, but the experience with the types of people you meet makes all the difference.

Unlike Imri, I was not reminded of Demosthenes meeting random people on the beach, but rather of the old classic movie adaptation for the novel Logan's Run where random people who match you exactly are transported to you so you can have non-committal sexual relations. Only in Omegle's case, not sexual.
This won't turn into a dating service (I'll probably be proven wrong).

The experience felt like a shot in the dark. You find someone random, defying the whole idea of the Internet where interest groups on every subject meet each other and become a marketing force based on that affiliation.

More interesting, this service as Imri mentioned with the Demosthenes story, raises the subject of how one introduces oneself to be interesting. Also, it allows us to talk to people without any prior knowledge or prejudice on who they are, which normally affects our social engine--how we treat other people and get treated.

The story of Omegle once again shows us that the cost of developing on computers is small to non-existent. If an 18 years old guy can create this, anyone can learn how to.

Update:
Chat bot for Omegle:
http://robotstranger.com

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Sunday, April 05, 2009

Obama and Afghanistan: "Predict Success and You May Fail. Predict Failure and You Will Fail"

[syndicated from my non-security blog: http://gevron.livejournal.com/]

I read an article this week which made me think. It took a generic phrase for success right out of a business self-help book, and covertly showed how it applies to current events with specific examples from politics and international relations. Tying it together at the end to show President Barack Obama where the author believes he went wrong. While the phrase was not specifically mentioned I was inspired and impressed. I am not sure this was intentional, but non-the-less "ME like".

In this post I will examine both what the article said (part which inspired me, anyway) and why I usually tend to disrespect others who say the same thing. If you want to read just about Barack Obama, skip to the right section below. Hint: it's the same as the title of this post.

It was in the last Economist (March 26th, 2009). There was a section examining President Obama's progress during his two months in office. I can't find the precise link online at the moment (I will look for it), but these were the two main articles.

"Just Think Positive"
When someone spits out a buzz sentence for instant success as a Tao of living one's life, I get suspicious. Most of the time these would be people who learned to believe in these buzzwords and take them to be The Tao of Life. Copy-cats who went to some workshop for three days and believe they discovered the answer to life's mysteries, religiously. They didn't learn how to think, only how to default to a "safe" programming routine which shows them what they should do, and where they went wrong.

No matter the circumstance (particular incidents or events which may be special cases) and never mind perspective (truth changes depending on point of view). It's all The Truth. Replacing one religion for another.

Useful, and pathetic. Yes, at the same time.

"Always Look Forward. Never Look Back"
You know the type. This is not to diss on all "workshops" or self-help courses and books, only on the Fad of The Month ones, and the people who get reprogrammed there.

I first encountered the phrase "Fad of The Month" when I purchased The Thin Book of Appreciative Inquiry (very thin at 63 pages. Packaging cost me more than the book, and of course Amazon put it in a new box before mailing).

In it the author mentioned that when the developer of this organizational development and change method (I believe David Cooperrider of Case Western Reserve University) was asked why he didn't write any popular article or book on the subject, he replied he didn't want it to become yet another Fad of The Month (my addition: think most self-help books and workshops).

Always Keep Trying
Question these folks who believe this is their truth and they will retort with the same buzzwords, in a circular logic. They may also blame you for being unenlightened (or an a-hole).

Try and accept their premise to be able to hold a discussion, trying to show them how always thinking positive is OKAY, but doesn't apply to this specific case, and you get more of the same. Logic escapes them. Strike that, thinking escapes them.

"Predict Success and You May Fail. Predict Failure and You Will Fail"
Barack Obama is starting to waver on Afghanistan. He was referred to as saying that the war may not be winnable. Through-out his campaign he mentioned how Afghanistan was a Just War (Casus Belli) and a Must War, as that's where the enemy is. To illustrate why this is important, Iraq he treats as a war of Choice.
Disclaimer: All of the above is my understanding of what he said, in my own words.

It is true that NATO and the United States are not winning in Afghanistan. It is also true the strategy employed there does not seem to be working, and that while said strategy is currently under review, [apparently] no one has any idea how to win it.

While the above can be acknowledges, saying it is not winnable is far from advisable:
1. If you don't want to get out, don't show signs of weakness to an enemy that watches for them with the strategy of "out-live the West's (or the American's) will to fight.
2. If you want to get out, don't tip your hand.

Further, as President Obama is currently looking for support to conduct war in Afghanistan, at his own party, in both houses (especially Congress?) and in Europe, displaying such a poor outward appearance is appalling.

Beyond not showing leadership, it shows those you want to commit to your cause with soldiers who may die fighting for it, that you don't really believe in it, or that they may get stranded without you.

Appearances aside, what's missing is called Resolve, and it is called Leadership.

Showing this example of diplomacy and international relations and tying it with the quoted phrase
"Predict Success and You May Fail. Predict Failure and You Will Fail", makes it one of the most inspiring articles I read this year. I wish that the Economist mentioned author names so I could email with thanks.

Any entrepreneur and business major, MBA and CEO, should read the articles in this section.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Wednesday, April 01, 2009

GhostNet and computer spying on Tibet. It's just Spear Phishing.

Gary Warner covers the recent GhostNet story, where the New York Times told of academic research, uncovering a computer spy network using Trojan horses to spy on Tibet and the Dalai Lama, with fingers pointed at China.

While interesting as a case study and the researchers did good work... It's not new, it's really just old news called Spear Phishing. Using a "technology" called RAT.

You can read more about what Gary has to say here:
http://garwarner.blogspot.com/2009/03/ghostnet-or-gh0st-rat-cyber-persecution.html

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Wednesday, March 25, 2009

Wireless service "steals" and proxies emails

Wireless (swisscom) at hotel steals my email messages and relays through a proxy rather than my MTA! WTF!!

Even "experts" can be fooled.

I automatically clicked "YES" on accepting the SSL certificate, I'm ashamed!

I know it is self-signed and therefore gives an error (I installed a new mail client).
Regardless of it being the first time, I would have liked the violations (self-signed and unknown) to be written in red, on separate lines. Make it a bit more user friendly so that at least folks who care about security are not tempted to act as lusers and click "yesyesyes".

No wonder a friend bounced my emails, they were being relayed from a non-authoritative MTA for linuxbox.org.
: host mx01.speakeasy.net[69.17.117.60] said: 554 5.7.1
: Client host rejected:
Access denied (in reply to RCPT TO command)

linuxbox's log file:
Mar 25 ... linuxbox ...
A53E6.2070502@linuxbox.org>, proto=ESMTP, daemon=MTA, relay=mail-out-01.swisscom-eurospot.com [83.97.120.90]

WTF?!

Worse still, this is the first time in ages I use a GUI client, so my mistake was installing it for the first time on a wireless hotel network.

Well, we learn.

Update:
These are called "transparent proxies" and apparently "everyone" does that. It helps, among other things, control outgoing spam from users.

One suggestion was to use submission on port 587 with STARTTLS

Update #2:
So I didn't click "yesyesyes" after all, I configured it wrong.
In Thunderbird I needed to set up encryption for SMTP regardless of what I set for the account. I was set to "tls, if available" so I was never alerted.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Phishing attacks against ISPs (also with Google translations)

In this email message I'd like to discuss two subjects:
a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a new translation module.

[My apologies to those who receive this email more than once.]

In the past few weeks there has been an increasing number of phishing attacks against clients of Israeli ISPs. I've only seen a few of these, but the local ISPs confirm it's happening across the board.

In all these cases, the phishing email is in Hebrew.

While we have seen ISP phishing and Hebrew phishing before, these attacks started when Google added translation into Hebrew.

Is this a trend? Have other countries (or populations) been targeted when Google added a translation module for more languages?

Notes:
a. Some Israeli ISPs emailed their clients warning against such attacks. Saying they'd never ask for their password, etc.

b. While I was certainly heavily involved with phishing originally and even started the first coordination group to deal with the issue, I am somewhat removed from it now, dealing more with phishing/banking Trojan horses.
Can anyone educate me as to how often ISPs get phished, if at all?

c. If you get phished, what strategies if any have you taken to prevent the attacks/respond to them/educate your clients? What worked?

d. I wonder if these translation misuses could eventually translate into some intelligence we will see in Google security reports, such as on malware.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, March 20, 2009

My Blog on Dark Reading

I recently started blogging for Dark Reading, I will still be blogging here, but what I write there is for Dark Reading alone.

I noticed that because I didn't write for a while, my writing became rather poor (in my taste). I constantly move between between official and personal language, and find it more difficult to write short, and to the point. But I'm getting there.

So far I posted two blogs:
German Intelligence Caught Red-Handed In Computer Spying, Analysis
According to German Web site Der Spiegel, the German foreign intelligence agency BND has supposedly been spying on computer systems around the world in the past couple of years.

Everyone does it. Why not governments?


Authoritatively, Who Was Behind The Estonian Attacks?
In the past couple of weeks the press has been humoring a couple of rumors about who was behind the 2007 cyberattacks against Estonia [PDF]. During these attacks, Estonia's infrastructure, which relies heavily on the Internet, nearly collapsed.

This is not the first time such baseless attributions were made.

I was in Estonia when the attacks occurred. I wrote the post-mortem analysis and recommendations for the Estonian CERT, and I am going to authoritatively show you why these claims are baseless. I will list these accusations and responsibility claims, and show you why they should be ridiculed.
Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Wednesday, March 11, 2009

Parliamentary debate at an Anime convention

Today I came across an event announcement for Anime-expo, which was:
A debate tournament. At an Anime con! :)

I considered implementing something similar myself for defcon (THE security and hacking conference).

I've just shared this with about 500 other con organizers in the scifi and Anime realms, so I think things are about to become interesting.

Finding it, I had to share, it's a grand idea!
http://forums.anime-expo.org/index.php?showtopic=8744

You will be hearing more from me on this. Perhaps a plan on how to combine a British Parliamentary Debate with a fan convention is an article I need to write?

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Monday, March 02, 2009

Deceptive use of language in conference advertisement [and on the difference between communication and manipulation]

[This was originally written for a community of science fiction con runners, which is why it has that clear theme. I altered it to fit the subject I ended up with.]

I just came across a blog post (linked at the bottom of my post), where the author discusses an email he received, advertising a conference in a deceptively persuasive fashion.

While I use the "scarcity" "trick" myself, I make sure and use it only when seats really are running out, and once at the beginning--Alerting people to how many seats we have as they all already know we will run out very quickly.

That of course refers to another "trick" the author mentions--social proof. Looking back at my "spam" emails I don't abuse it beyond the mentioning the seats available, in any advertisement. But I do make use of it, I know people who go to the con enjoy themselves, and discuss it amongst themselves and with their peers. I enjoy the back-lash email bombardment of "I really wanted to make it" as it helps me help others make it next time.

There is a downside to understanding persuasion. Our knowledge of it.

After being exposed to quite a bit of manipulation, especially in corporate environments and around Washington DC, I became _aware_ (apologies for use of new age terminology) that it "exists". Later on I was disturbed by finding out the same tools in my repertoire (or weapons in my arsenal if you like) I've used in good communication are used in manipulation as well. This made me think quite a bit if others, and myself, are acting in a manipulative fashion.

The difference between communication and manipulation is tricky at best. It is in Intent (of attacker) and Perspective (of victim), and we can add a third category of examination, the X, or Asimov "Mule", factor--Specific incident--which might change our normal understanding in specific odd-ball cases. Both in the decent meaning of influence, in good communication, and in the "evil" one, manipulation, noticing that I, or others, say or do something which answers to one of these possible "tricks" of influence immediately puts it under scrutiny of self-awareness (apologies for new-agey term) if it makes use of any of these "tricks".

Robert Cialdini in his book "Influence: Psychology of Persuasion" takes apart a sub-set of the world of influence and helpfully puts it into clearly defined and named categories by the use of terminology. That, not the text, is the greatest asset of the book.

He often mentions how all these tools of persuasion are really normal tools humans use to avoid over-loading with needless, indeed countless, decisions that spam our daily lives, and to make better decisions to boot (everybody buys an iphone, it *must* be better! it sure is cool, though). Knowing about how these work though, means the con artists, sales people, etc. will use them against us.

But as people who run conventions and conferences, how do we both use, and abuse, these "tricks" of influence? How can we make better use of them, and avoid being deceptive?

Notice yourself using it in your advertisement? Feeling left out as you are not a convention/conference manager? Have any anecdote from your position.. or daily life?

You can view the discussed blog which inspired this post, here:
http://www.changingminds.org/blog/0902blog/090227blog.htm

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Sunday, January 25, 2009

Security Psychology

I just came across a post telling of the Security and Human Behavior workshop (or conference). Here are a couple of other posts about it.

As you may remember, I've been researching this subject for about two years now, and I am very excited that a conference has now happened! It means I did not waste the last two years of my life after all! :)

I hope that more researchers will start looking into this subject, which as of the last six months I've been calling Humexp.

I am currently engaged in research looking into the Estonian cyber war from a social psychology perspective, which turned out to be quite interesting. More on that when I can share, though.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Saturday, January 03, 2009