And the end

I’m home. I wrote this on the train, but the Amtrak WiFi wasn’t working when I went to post. Later, I saw that someone had had pretty much the same take I had about the lack of IPv6….

Final Shmoosings.

The last presentation prior to the closing was a bit hard to take. They (and Squidly1) insist they’re the good guys, and network admins shouldn’t take steps to stop their active probes.

Maybe I’d feel differently if the probes were passive, but these aren’t. (Coming from Punk Spider.) To me, you’d be a fool to let them continue to scan your network with impunity.

Yes, the Koreans they’re scanning might well be idiots. It doesn’t make the intrusion okay!

It’s things like this that make me wish iptables or pf had a –reject-with-diaf-blast flag. For some, –with-tcp-reset isn’t sufficient.

Summing up:

1. They’re treading on thin ice with their active probes. If they were using passive sniffing, it’d be one thing, trying to scan the entre Internet is another matter, altogether.
2. But they’re not scanning the entire Internet! IPv4 is a deprecated legacy protocol. If they were doing any sort of v6 scanning, things might be slightly more intriguing. Over at Users and Icecube, we’ve been getting scanned normally a couple of times a week over v6. I’m pretty certain nothing’s come of it. Obviously Cawcks doesn’t give us a native allocation, so we’re using a tunnel broker, but it’d likely be the same with a native connection.

But even with the biggest AWS node the world’s ever imagined, they wouldn’t have the horsepoer to scan the entire Internet over v6. And more and more of the backbone traffic actually is going that way. Maybe you can stay ignorant of that fact, but it doesn’t take much research to verify.

Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by users.757.org (Postfix) with ESMTPS id 7C795A9B6
for ; Thu, 2 Jan 2014 03:48:56 -0500 (EST)
Received: by mail.netbsd.org (Postfix, from userid 605)
id 0E08A14A12D; Thu, 2 Jan 2014 08:48:50 +0000 (UTC)
Delivered-To: netbsd-users@NetBSD.org
Received: from localhost (localhost [127.0.0.1])
by mail.netbsd.org (Postfix) with ESMTP id A6E4114A12A
for ; Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1])
by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025)
with ESMTP id 9RaUQzm2pzs7 for ;
Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
Received: from korriban.imil.net (korriban.imil.net [IPv6:2001:470:cbba::3])

So, that was Shmoocon. More than willing to discuss over a beer if someone is interested.

You don't have a clue

Watched this. Take-aways:

    I’m going to blame the speaker for being a Failcons’ fan. No, I don’t know that for sure, but he is from Georgia.
  • Rules of Evidence aren’t just a judge’s whim.
  • “Putting the air inside ping-pong balls is kind of an old school black programs inside joke.

Not going to hate too much, because it’s unfair.
1. Judges don’t just make snap decisions on evdience admissibility. These things are published. Since you don’t know that, it’d be smart for lawyers on both sides to try to exclude your evience just because you might testify.
2. The presentation focuses on admissibility of physical disks, and the data stored on them. Hashing ca work at the file level, then the machinations of what’s going on underneath aren’t important anymore. My question was: why would you ever go lower than the lowest admissible layer?
But I’m not going to hate too much. The last presentation is going on right now.

You don’t have a clue

Watched this. Take-aways:I’m going to blame the speaker for being a Failcons’ fan. No, I don’t know that for sure, but he is from Georgia.

  • Rules of Evidence aren’t just a judge’s whim.
  • “Putting the air inside ping-pong balls is kind of an old school black programs inside joke.
  • Not going to hate too much, because it’s unfair.

    1. Judges don’t just make snap decisions on evdience admissibility. These things are published. Since you don’t know that, it’d be smart for lawyers on both sides to try to exclude your evience just because you might testify.
    2. The presentation focuses on admissibility of physical disks, and the data stored on them. Hashing ca work at the file level, then the machinations of what’s going on underneath aren’t important anymore. My question was: why would you ever go lower than the lowest admissible layer?

    But I’m not going to hate too much. The last presentation is going on right now.

    Going for Broke

    Went and watched about forty minutes of this. After that long of the speakers not getting to the point about how they’re making attackers’ activities expensive, I gave up and left.

    Wow, that’s an awesome app signature tool you found in your Microsoft class! I’m sure its mere existence dissuades people from trying to write malicious things. I mean, it’s totes hard to get a copy of VS!

    Yes, you have to make it difficult for malicious stuff to run. I understand that. How are you costing the attackers anything? Their shit won’t run on your network; how are you costing them money, really? Quantify it.

    For things like malicious embedded attachments, bouncing group messages indiviually would quickly fill thier mail queues. Maybe an automated method to report them to ISC, get them added to blacklists galore?

    SMH.

    Two More

    I did get one response on Twitter about my keynote reax. I’ve written about Eddie the Ops Guy before, and don’t have much to say about him. Many of the “revelations” should be things people have long suspected.

    From my perspective, the question isn’t so much if or whether this sort of thing is done — it’s how much of it is admissible in court. Are people losing lives or property because of it? That’s a question the detractors seem to shy away from. To put it another way, I’ll be upset when Chris Dodd starts getting geoloc data, and the Air Force starts targeting Kim Dotcom.

    Schneier’s talk also focused on more encapsulation of data to prevent the government’s prying eyes. I think it’s something you can spend a bunch of time and money on without terribly concrete results.

    Would it be more effective to increase the data volume, making juicy things tougher to find? Go ahead and seed that UbuububububububnttuDebian Testing torrent. In 2GB chunks, it wouldn’t surprise me if it has the same effect as a 25M DB dump.

    Obviously, he’s got a lot of credibility in the Infosec world, so I won’t judge too harshly. I am slightly disappointed at the lack of political analysis, though. I can recall 2009, when the fresh-faced kids were all abuzz about how this new president was going to be fundamentally different. How quickly people forget.


    I also watched the talk on USB Mass Storage devices. Good talk, though I don’t have the time, money, or energy to do any of that stuff, myself, anymore. I never’d considered the information about the flash drives being downsized to meet the advertised capacities. Makes sense, but, just something I’d never thought of.

    I wonder if the same is true of SATA solid state drives; might could do some interesting things, then, if so….


    I sat in on the first part of DJB’s elliptical curves talk. Unfortunately, my body wasn’t cooperating with me, and it was reminding me of my futile attempts to help my wife with her calc homework earlier this week.

    The maths — they are not my strength.

    Hardware Crypto

    I went to see this after seeing this story a few weeks back.

    In my current gig (and I’m still more than open to something else *hint*), I’m planning to use these sorts of things for something.

    I guess what I was looking to see was whether it might still be possible to use these sorts of hardware crypto devices to augment software, even if they’re insecure. Yes, with my BSD mention, you might think that I’m a gray-bearded fat guy, but, I do remember the FDIV Bug. Even if you somehow still have one of those chips, there’s ways to work around the bug, but still use the co-processor, not turning your Pentium into a 586SX.

    I was hoping to see plans for something like that. On the lesser platforms that lack a buggy crypto device, you can still do everything in software.

    No dice; this was focused more on enterprise-grade crypto jank. Very few people ever find themselves using such hardware. Ever.

    But the presentation was still pretty good. I just think the target audience was rather limited.

    Shmoo Keynote Reax

    Disclaimer: I nodded off, and missed the first fifteen minutes of it.

    With that said, I have doubts about whether it could have been much better than what I actually did see. Maybe somebody will tell me what amazing things I could have seen there that I failed to see in the last 45.

    Major take-aways:

    • Most applications use insecure communications
    • Edward Snowden figured out that TOR isn’t sekur
    • TPM is infiltrated
    • A brower makes it harder to use a self-signed cert than it is for someone malicious to get a signed cert that the browser won’t complain about
    • Hardware manufacturers are lazy
    • Fuck you, right? Okay?

    Yes, the last one is snark pure and simple, but it is one of my pet peeves. No, actually it isn’t right, and what you said doesn’t get smart just because you asked me if it was right after you said it.

    My two major points:
    1. Not all communications need to be secure, even if many endpoint devices have the muscle to support that. There’s a reason SIP uses UDP. There’s also a reason your mother uses http:// when she watches that cute cat video for the eightieth time.
    2. It’s completely unrealistic to expect vendors to change to meet your amazing idea about the way things ought to be done.

    Early Shmoocon Thoughts

    I’m kind of hanging back in the room until the keynote, after watching the opening.

    A single thought comes to mind — maybe the thing was better last year just because the “break it” track was gone?

    One of the things that really bothered me a couple of years ago was the focus on destruction. To me, so much emphasis is placed on building these monolights that destruction becomes job number one

    Maybe in the past it was smart to worry about how to get rid of things, keep them from prying eyes. I really wonder now if that’s true.

    Thinking about my own gear I have with me. I get hacked, and…? Congratulations, you got some of my music library, and endless revisions of my resume.

    Getting the former might entice you to go see them play a show. Getting the latter might entice you to call me for an interview. And?

    The keynote appears to be about what steps you, as an individual, can take to prevent getting pwned. Guess what — you can’t completely avoid it, short of moving to a cabin somehwere in Montana. If the speaker focuses on what strategies are most effective, it’ll be a worthwhile talk.

    I’m not holding my breath, intentionally, at least. (My diaphragm does its own thing from time to time.) I’d like to see something where someone actually does the research to quantify the risks and effectiveness.

    So, your endpoint device is locked down tight? Give me a minute to find the fuck I’m not giving since nothing important is stored there these days.

    Sunday Discontent

    I’m not sure why I write more on Sundays. Football is on right now, but I really don’t care; I will root for whoever the AFC sends. Was disappointed in the Saints yesterday, but…. I will say this: Harbaugh and Steve Smith manage to make the Seachickens look downright classy.

    Perhaps I write because I have time to reflect on what happened the week before. I marvel at some people’s commitment to doing the wrong thing, despite being shown what the right thing is. (And rant about willful ignorance redacted. I haven’t bought enough professional certifications to make my observations relevant. My experience is unimportant.)

    Perhaps I’m fretting about the week to come.

    Take your pick.

    Feelin' Kinda Sunday

    About to go out to brunch. Have enjoyed my time off, but still have a few more days. Am I recharged? I don’t know.
    One of my colleagues posted this drivel about how one of the keys to success was not even looking at your email while you’re “off.” Along with working out, physically, during your lunch hour.
    The corollary? If you can take more than a couple of days’ break without your input being missed, your input probably wasn’t that important in the first place. Just a hunch.
    I do look at my email. I do answer the telephone. If that’ll make me unsuccessful in my career at a big company, I’m okay with that. I care more about being a good person able to look at himself in the mirror than I do about a fancy resume.
    I also care a lot about putting out quality work — that makes me a liability; I’m pushing back.
    But enough of that for now. There’s football I need to watch. The Failcons are doing what they do at halftime. Pfft.