RON PAUL’s theiry fron 2008 is that the September 11, 2001 attacks were the result of blowback from US operations overseas if this theory is correct, why hasnt there been another attack sinxe?
Month: March 2022
Shmoocon Ten
Watching this about crypto.
Mubix, when he sees something new, he starts trying to figure out how to misuse something.
If you don’t include “crypto is horrible,” or “crypto sucks” when you’re coding in encryption, it will fail.
Solarwinds was relatively easy to crack because they used old protections, that was probably what caused the problems.
You can’t spell cryptography without crime.
Shmoocon Nine
EFF presentation on some recent SCOTUS decisions.
One of the things I’d wanted to write about is looking back at Shmoocons past regarding politics.
Obama was good for privacy.
Trump was elected due to Russian meddling in 2016.
Shmoo Two GSOC Boogaloo
https://www.shmoocon.org/speakers#goahead
Log capture and analysis. If a bear splints in a forest, does anybody care?
Shmoo Seven
This one about broadcast satellites.
Yes, this is fascinating stuff for me, with my past in the broadcast industry.
I’m having flashbacks to cleaning fourteen inches of snow out of a C-Band reciever.
(I ended up buying every jug of windshield washer fluid at the 7-Eleven on the way to the transmitter site, and pouring that over the dish until I could get the dish clear enough to pull a signal again.)
The bit about the higher orbit for spent satellites is fascinating to me. I kind of had just figured they let them fall out of orbit. But that they send them higher, so they’re out-of-the-way explains the ring of space junk.
Shmo0 5
Use modern web API programming techniques for …?
ARM microcontrollers are ubiquitous.
You can tell from the headers of the binaries. Mix and match thereafter.
Stepped out because I didn’t think IU’d get a lot of benefit out of it, and I wasn’t feeling well.
Shmoofo
This
More is coming
In between talks, I’ve been dealing with thoughts about the Central Bank Digital Currency (CBDC), which has been an ongoing issue of concern on several of the shows I consume.
My initial thought was that regardless of the type of currency you’re issued, it doesn’t matter. You can exchange it for whatever good, currency, or service you want.
But there’s also the issue where they can dictate what you can spend the digital currency on, and take it back retroactively.
If there’s a stipulation that you can only spend the currency at certain places, might that contradict the idea that Federal Reserve Notes are good for all debts public or private. (If you have one nearby, look; it says that right on the bill)
Further, if previously-issued funds can be taken back, were you paid? Would that violate various employment laws? So, you’re making $42/hr., but you went to the capitol on January 6, 2021. Can money be taken from you because you were there? What if the retroactive taking bumps your compensation down to less than the agreed-upon $42/hr.?
Are labor unions okay with this: What if there was a stipulation that you could only spend those coins on things your employer or the state approves of: I mean, you might want to hit every single New York Jets road game in the upcoming season. I don’t know why you’d want to do that, but you should be able to. How about tithing a certain percentage to your church?
Still working through it all…..
I will finish up my Shmoocon write-ups after I get home.
Shmoocon Again
2022 edition after it was cancelled last year.
As I said in the last entry, I’m really leaning towards not going again. I’ll probably do the Shmooze-a-student, and sell the ticket that comes with it at cost.
Physically, I just can’t do it anymore.
Reflecting on it, though, notably absent were both the detest of the “other side” of US politics, and the self-assured consensus that the participants’ political views were going to make everything okay.
One of the things from the last one was the whole Russian collusion narrative about President Trump. This was my thinking
There are many people who still believe that stuff.
But there’s still, too, people who believe that Trump won in 2020.
I think there’s something about admitting when your initial take on something was incorrect.
It’s probably not fair to expect a speaker at a convention to come back and say, “yeah, about that,” but continued silence from others makes me wonder.
I’m not saying that you come out and shit on previous speakers’ bits, but you can, at least, revisit a bit later.
But on to the individual talks’ reax….
First Up….
Log capture and analysis. If a bear splints in a forest, does anybody care? (That’s what I typed at the time, and I’m not sure if that was the correct word. MacBook Air doesn’t stay on my belly reliably.)
Part of what I’m doing in my current role is dealing with implementing a Commercial-Off-The-Shelf product to do log monitoring.
But, for my situation, there’s enough multi-layer security that these COTS products aren’t really useful.
At least, now, I’m not getting pressured to loosen layers of the security stack to let these commercial products work as designed.
I tend to use ProtonVPN because I’m cheap, and it’s included with my ProtonMail subscription.
(I went with ProtonMail because I felt better about the Swiss protecting customers’ privacy. The Swiss government’s response to Russia gives me a bit of pause, but I still feel better about it than anything in the US, EU, or Soviet Canuckistan…)
The tagline of this site works in reverse, too. Anytime you do something online, somebody can probably snoop on it. Deal with it.
Temporal connections are tougher to crack, but everything can be cracked.. It’s not a question of if, it’s a question of when.
The talk went into something about APIs, and I think I started to lose the handle on the talk(s). Maybe the next part was about a different presentation, altogether? I don’t know.
Use modern web API programming techniques for …?
ARM microcontrollers are ubiquitous.
You can tell from the headers of the binaries. Mix and match thereafter.
Stepped out because I didn’t think IU’d get a lot of benefit out of it, and I wasn’t feeling well.
Reading the description, it sounds a bit like a new form of a honeypot; something there just for people to fuck with to no avail.
I’m having flashbacks to when I put a GNU/Hurd box on a publicly-accessible IPv4 address to see how long it took someone to break in. With Telnet enabled.
It took a Navy Red Team friend several days, but he eventually cracked the password, get a command shell, then didn’t know what the fuck to do with it.
Due to technical difficulties, presentation didn’t start until nearly twenty minutes late.
This is an attempt to create a Web Service, not a regular binary on the host.
Good sandbox for both red and blue teams; tracks everything
Using a packet sniffer, the developer was able to capture HTTP packets, and assemble an HTTP session. From that assembled HTTP session, he could start figuring out some things.
Bulk command shove; no idea who ran which command.
The developer used remote shell over HTTP to sites around the world.
For the Windows stuff, he was operating on the WinSock DLL.
(When I did some programming, I found that DLL to be, ummm…ancient. Maybe it’s gotten better since I was plunking away on it in 2006.)
He is planning to “open source” the code, but Larry Ellison executing his jerk options again.
It does sound like neat tech. I’m not sure I completely understand how it’s used, but, then, I’m not a pen tester.
This one about broadcast satellites.
Yes, this is fascinating stuff for me, with my past in the broadcast industry.
I’m having flashbacks to cleaning fourteen inches of snow out of a C-Band reciever.
(I ended up buying every jug of windshield washer fluid at the 7-Eleven on the way to the transmitter site, and pouring that over the dish until I could get the dish clear enough to pull a signal again.)
The bit about the higher orbit for spent satellites is fascinating to me. I kind of had just figured they let them fall out of orbit. But that they send them higher, so they’re out-of-the-way explains the ring of space junk.
Discussion of odd WordPress plugins that might have security issues.
I understand it, but this, and the work call that had me watching this over the stream link from my hotel room, really reinforce my commitment to not using anything that’s not supported directly by a vendor.
Trying to do this stuff in-house is just too fraught with peril for my tasted.
Interesting aside that the totes-didn’t-used-to-do-evil search company downlinks sites that have WP vulgarities. I, generally, think that SEO is snake oil, but if that’s what that formerly not-evil company is doing, well…
Static front page that gets picked up, then escort users in after they land on the static site with tons of keywords in the HEAD element.
There’s been a big push the past couple of years to force everything behind SSL. Maybe it makes sense, now, to put most content back in a place where the search engines can’t capture it?
The tagline for this blog is, “everything gets deleted, eventually.” I’m sure there’s things on the Internet I wrote years ago that don’t reflect my views today. Whatever.
As more things get pushed behind paywalls, the less background you can find on someone. I’m okay with that.
EFF presentation on some recent SCOTUS decisions.
One of the things I’d wanted to write about is looking back at Shmoocons past regarding politics.
Obama was good for privacy.
Trump was elected due to Russian meddling in 2016.
(I touched about that a bit earlier in this entry; I really shouldn’t still be annoyed by the one thing from 2020, but I am. You have to admit you’ve been wrong when that happens. This kind of speaks to another thing that’s been bothering me, lately. I’d subscribed to the position that Russia wasn’t going to invade Ukraine. I was wrong. So were the people who helped me form that conclusion.)
Watching this about crypto.
Mubix, when he sees something new, he starts trying to figure out how to misuse something. (Props!)
If you don’t include “crypto is horrible,” or “crypto sucks” when you’re coding in encryption, it will fail.
Solarwinds was relatively easy to crack because they used old protections, that was probably what caused the problems.
You can’t spell cryptography without crime.
I didn’t write much about the final concluding presentations. I did watch those, because I’d already checked out of my hotel room.
Did I have a good time? Um…I guess?
I needed to do something like that. It felt good to get out of my apartment for the first time in basically two years.
Something to discuss with my “care team” soon. Back to work tomorrow. The Thursday to Saturday thing kind of works when there’s not a Monday holiday just after.
Next year’s is the week after MLK Day, which might make things a bit strange for people.
But that I’ve not really been going to an office regularly in years makes it kind of a yawner. I probably could have worked today, if needed. Whatever.
I’m just glad it’s not going to be like 2014, where I got laid off my first day back to work after the conference and the Monday holiday.
I’ll omit the curses for that company. They did sponsor Shmoocon this year. Needless to say, I didn’t care to stop by their booth.
Shmoo 6
Reading the description, it sounds a bit like a new form of a honeypot; something there just for people to fuck with to no avail.
I’m having flashbacks to when I put a GNU/Hurd box on an publicly-accessible IPv4 address to see how long it took someone to break in. With Telnet enabled.
It took a Navy Red Team friend several days, but he eventually cracked the password, got a command shell, then didn’t know what the fuck to do with it.
Due to technical difficulties, presentation didn’t start until nearly twenty minutes late.
This is an attempt to create a Web Service, not a regular binary on the host.
Good sandbox for both red and blue teams; tracks everything
HTTP capture signatures.
Bulk command shove; no idea who ran which command.
Remote shell over http to sites around the world.
For the Windows stuff, he was operating on the WinSock dll. When I did some programming, I found it ummm…ancient. Maybe it’s gotten better since I was plunking away on it in 2006.
He is planning to “open source” the code, but Larry Ellison executing his jerk options again.
It does sound like neat tech. I’m not sure I completely understand how it’s used, but, then, I’m not a pen tester.