Only so many spoons

Since I’m not using a lot of them working right now, my brain is moving at an insane rate in this late hour.

Before Shmoocon 2013, I’d started on a CFP response, inspired by Mouse’s talk the year before about active defense. My scarred-up brain started down this path after seeing Mudge’s keynote the last year at the Marriott (aka Snowmageddonpacolypsewhatever).

When he was talking from his carefully-sanitized slides, he showed a common host. It had eight vulnerabilities via a Retina scan.

Someone about four rows back raised his hand. Before he was really recognized to speak, he pointed out that at least three of them were HBSS vulnerabilities.

So, after musing on those two talks some, my premise was, essentially, that building monolithic systems increases the attack vector. So, what do you do? Throw something else on top of that monolith to protect it.

Once the attacker is around the defenses, he’s got a target-rich environment to exploit the system.

Unfortunately, as I was walking through the rebuttal I could expect from the audience, I came across an argument I couldn’t refute — some of these defenses do actually close some holes. While the overall vector may be bigger, it’s less vulnerable to some of the more common attacks.

As I’ve been listening to my wife dig through her math coursework, I’ve been thinking about what the equation on this would look like.

The vector calculation would need to include the overall attack risk of the base OS, each application installed atop the OS, minus the holes patched by the sekurity measures (whether hard or soft).

What are the most common NVD for the OS? Which are closed by the security measures? Of the remaining, what are the of exploit for each?

Busted-ass WinXP box has a 38% chance of getting 0wned in a month. It has Flash and Java installed on it, which raises the chance to 60%. It has SuperSEkurSoftFW installed, which brings the XP number down to 33%, and knocks two points off Java and Flash, leaving 51%.

I wish I had more math skills to write a nasty-looking equation for all this. *sigh*

But the overall concept remains — the less stuff you stack on a host, the smaller the overall vector, regardless of whatever security middleware you throw on it to plug holes.

And the end

I’m home. I wrote this on the train, but the Amtrak WiFi wasn’t working when I went to post. Later, I saw that someone had had pretty much the same take I had about the lack of IPv6….

Final Shmoosings.

The last presentation prior to the closing was a bit hard to take. They (and Squidly1) insist they’re the good guys, and network admins shouldn’t take steps to stop their active probes.

Maybe I’d feel differently if the probes were passive, but these aren’t. (Coming from Punk Spider.) To me, you’d be a fool to let them continue to scan your network with impunity.

Yes, the Koreans they’re scanning might well be idiots. It doesn’t make the intrusion okay!

It’s things like this that make me wish iptables or pf had a –reject-with-diaf-blast flag. For some, –with-tcp-reset isn’t sufficient.

Summing up:

1. They’re treading on thin ice with their active probes. If they were using passive sniffing, it’d be one thing, trying to scan the entre Internet is another matter, altogether.
2. But they’re not scanning the entire Internet! IPv4 is a deprecated legacy protocol. If they were doing any sort of v6 scanning, things might be slightly more intriguing. Over at Users and Icecube, we’ve been getting scanned normally a couple of times a week over v6. I’m pretty certain nothing’s come of it. Obviously Cawcks doesn’t give us a native allocation, so we’re using a tunnel broker, but it’d likely be the same with a native connection.

But even with the biggest AWS node the world’s ever imagined, they wouldn’t have the horsepoer to scan the entire Internet over v6. And more and more of the backbone traffic actually is going that way. Maybe you can stay ignorant of that fact, but it doesn’t take much research to verify.

Received: from ( [IPv6:2001:4f8:3:7::25])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by (Postfix) with ESMTPS id 7C795A9B6
for ; Thu, 2 Jan 2014 03:48:56 -0500 (EST)
Received: by (Postfix, from userid 605)
id 0E08A14A12D; Thu, 2 Jan 2014 08:48:50 +0000 (UTC)
Received: from localhost (localhost [])
by (Postfix) with ESMTP id A6E4114A12A
for ; Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at
Received: from ([])
by localhost ( []) (amavisd-new, port 10025)
with ESMTP id 9RaUQzm2pzs7 for ;
Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
Received: from ( [IPv6:2001:470:cbba::3])

So, that was Shmoocon. More than willing to discuss over a beer if someone is interested.

Shmoo Keynote Reax

Disclaimer: I nodded off, and missed the first fifteen minutes of it.

With that said, I have doubts about whether it could have been much better than what I actually did see. Maybe somebody will tell me what amazing things I could have seen there that I failed to see in the last 45.

Major take-aways:

  • Most applications use insecure communications
  • Edward Snowden figured out that TOR isn’t sekur
  • TPM is infiltrated
  • A brower makes it harder to use a self-signed cert than it is for someone malicious to get a signed cert that the browser won’t complain about
  • Hardware manufacturers are lazy
  • Fuck you, right? Okay?

Yes, the last one is snark pure and simple, but it is one of my pet peeves. No, actually it isn’t right, and what you said doesn’t get smart just because you asked me if it was right after you said it.

My two major points:
1. Not all communications need to be secure, even if many endpoint devices have the muscle to support that. There’s a reason SIP uses UDP. There’s also a reason your mother uses http:// when she watches that cute cat video for the eightieth time.
2. It’s completely unrealistic to expect vendors to change to meet your amazing idea about the way things ought to be done.