So The Last HOPE is over and while I am still here in New York (the reason why Iâ€™ll save for another day) I have been contemplating the events of the weekend. All in all I thought the con ran extremely well which is a bit unusual in my experience for HOPE. While there were a few excellent talks that I mentioned in my previous post I found many of the talks to be… elementary. But hacker cons are sooo much more than just the talks and presentations, they are time to reconnect with old friends, friends you only see at cons and online. Time to drink bears and retel old war^h^h^h hacking stories. The fact that this is the â€œLastâ€ HOPE and that 2600 the book has just been released I have been reflecting on my own travels through this underground maze. From my first real introduction to hacker culture at HoHo Con â€˜92 held in Houston Texas to the â€˜lastâ€™ Pump con in Philadelphia just a few years ago. In â€˜92 the internet did exist but getting access to it was a bit more difficult. I remember making a modem call from my HP95LX from my hotel room to post news from HoHo con back on the hometown BBS. By the time of the first HOPE in 1995 the Internet was much more prolific but still new and shiny. The First HOPE captured that excitment of newness and the possibilities that it presented. Here at The Last HOPE people are live twittering (tweeting?), disecting talks and heckling in real time from behind keyboards. Change is of course inevitable but I think what I am seing here is a change in the culture itself. Sure parents are now bringing their kids to the same cons they snuck out of the house to go to, but I think it is more than just the core population growing older. There is a definite shift in how people interact and react to each other and technology. I havenâ€™t quite been able to put my finger on it but I have been feeling it all weekend. Much like the first HOPE opened a new chapter I got the feeling that this last HOPE is closing a chapter in hacker history and culture. It makes me wonder what comes next?
P.S. Rumour has it that the Hotel Pennsylvania will not be torn down due to the poor economy. In which case, if it is still standing, the next HOPE will be in 2010. (Eternal HOPE?, HOPE Pheonix?). Personally I think if this con continues they should come up with a new name. The era of HOPE is over.
No Comments »
After you attend more than a half dozen or so hacker cons you start to realize several recurring themes amoung presentation topics. Topics such as Freedom of Information Act requests, hacker spaces, or hacker history have been done several times at various cons. The Last Hope is no different as these topics have recurred here as well. The difference here is that the presentors of these topics have each taken a different more interesting slant and have actually presented new and useful information. The FOIA talk has actually motivated me to file a few requests myself. The Hacker Spaces presenation actually broke down many of the problems that we ran into at the L0pht and even some we didnâ€™t have and actually codified them all with solutions creating almost a blueprint for anyone wanting to create thier own hacker space. And Sketch Cowâ€™s talk on hacker history makes you stop and think when you realize that future historians may only have major media sources such as hollywood movies and copies of Newsweek to try to understand what all hacker culture was all about.
Looking forward today to talks on Phone Phreaking History, Copying High Security Keys, Honeypots for the Home User, and the premier of Hackateer.
Can’t be here and are missing all the action? Check out the Live twitter feed and the Flickr stream.
No Comments »
I’m sitting on the floor of the eighteenth level of the Hotel Pennsylvania at The Last HOPElistening to Karsten Nohl talk about the (Im)possibility of Hardware Obfuscation as he discuss tracing connections in integrated chip design. Heady stuff. Already ran into Lady Ada from AdaFruit Industries and Road Dancer from the old (defunct?) HDF.
So far it is a very interesting crowd mix, there are your standard hacker types but here also seem to be a lot of â€˜normalâ€™ people as well. The crowd seems sedate but there is a certain electric charge in the air present at all hacker cons. The real fun will come later tonight as people absorb all the new information presented at the talks and start to mix it up amongst themselves. Good stuff.
Check my flickr stream for pictures.
No Comments »
You may have noticed over there on the right hand side of this website a link to Attrtion.org’s DLDOS or Data Loss database. The DLDOS (despite the poor choice of acronyms, or was that on purpose?), like Attrition’s Defacement Archive before it, is an extremely useful tool that has become the authoritative archive of privacy and data security breaches and is used extensively by researchers in the field. Even to just casually browse through the over 1000 listings of data breeches is an eye opening experience. Most of these breeches never make the news or if they do are seldom on the front page. With more and more companies attempting to keep such security lapses secret such a resource becomes more and more valuable. As the database’s usefulness has grown so has the resources needed to keep it online. Resources that Attrition.org just does not have. Thankfully Attrition has been able to find someone else to maintain and support this valuable resource.
As of July 15th the Open Security Foundation (OSF) will take over maintenance and expansion of the database. The new system will have much more data and many more feature and be available as a free download for non-profit use. Bravo to both Attrition and the OSF not only for creating and maintaining this resource but also for making sure it does not disappear.
Check oput the new DataLoss DB here.
P.S. See you all at The Last Hope. I’ll hopefully have several blog posts from the show floor.
No Comments »
I was at Autozone yesterday getting a set of Upper Strut Mounts for my 167K mile old Saturn when the sales guy asked me for my phone number. I didn’t hesitate a bit and just rattled off ten digits. The same ten digits I always give out. Ten digits which in fact are not my phone number.
So what does this have to do with anything? Hopefully it serves as a reminder that the only one who is going to protect your identity is you. Some people obviously think they can hire some other company to protect their identity for them. A company like LifeLock which promises to “guarantee your good name.” Since the company’s founder publishes his own social security number on its web site and in print advertisements they must be able to protect people from identity theft, right? Why worry? Just pay Lifelock and your good name is guaranteed!
Well come to find out the company is currently being sued by customers in at least three states who say that LifeLock did anything but protect their identities. In the course of gathering information for the trial the lawyer for the case found 87 instances where people have tried to steal the identity of the CEO of the company, 20 of which were attempts at obtaining fake drivers licenses. And one instance of fraud being perpetrated in the name of the CEO! (I wonder if the CEO can get a refund?)
So what is the lesson to be learned? You can either pay your $10 a month and live in blissful ignorance until you get burned or you can expend a little effort and protect yourself. Don’t give out personal information to people who don’t need it (which is just about everyone), don’t use your PIN in point-of-sale machines, check your credit reports once a year, and don’t do what the CEO of Lifelock did and publish your social security number on your website.
1 Comment »
Everyone gets a kick out of TV shows and news reports that feature stupid criminals. People who get themselves locked inside the store they are trying to rob or stuck in the air vent attempting to break in. For some reason you don’t hear about the smart criminals very often. Maybe they don’t get caught as much?
Recently there has been a new twist on the old credit card number scam. Criminals have found a way to modify those point-of-sale scanning machines everyone swipes their cards through to make copies of the information. I’ve written about this before here and here. Previously it was Stop & Shop Supermarkets who had their card readers physically altered inside the store to record card information (smart) and the second time it was researchers at the University of Cambridge [PDF] who found how easy it was to tamper with the tamper resistant chip and pin machines (wicked smart). Now it is Lunardi’s Supermarket in Los Gatos California who have found their card swipe machines altered to record the card number and PIN. At least a hundred people so far have reported fraud against their cards.
There isn’t a lot of room inside those little machines, so to be able to take one apart, install your recording device then put it back together and install it inside the store without anyone noticing seems to be pretty damn smart to me.
So you want to be smarter? Don’t trust the machines. Don’t give out your PIN number to every retailer you shop at. When the machine asks for a PIN hit the cancel button and choose ‘credit’ instead of ‘debit’. If your debit card can’t double as a credit card get to your bank today and demand one that can. Don’t give your PIN to the Supermarket or Walmart, and at the corner MOM & POP store use cash. Cash is King. Even at the ATM protect your PIN, look for tampering at the machine, cover your hand when entering the number. Be smarter than the criminals. Sure you may feel like George Costanza in an episode of Seinfeld but better to feel like a stocky bald man than to become the victim of fraud.
1 Comment »
So about nine years ago Tan at the L0pht first wrote about the creation of a Cyber Underwriters Laboratory. Like the real UL the Cyber UL would be tasked with independently testing and evaluating software, specifically security related software without the influence of vendors. At the time no one paid much attention and the idea went pretty much nowhere. Since then, in the wake of broke non-secure USB drives and people still using XOR encryption, such luminaries such as Bruce Schneier and even myself have commented that such an organization is sorely needed.
Well Tan has now responded himself with a followup to his original paper. The new paper Cyber Underwriters Laboratories – Reloaded takes a look at the PCI compliance required by VISA as a possible starting ground or model for such an organization.
Lets hope that this time people realize that the importance of such software evaluations is critical not just to the future of online commerce but is critical to the future of simply being online.
No Comments »
I have a list of websites that I read as part of my morning ritual just like everybody else. It helps fritter away the first few minutes of the day as I wait for my tea to cool to a drinkable temperature. Like most of the people who visit my little blog here you probably also read Slashdot. The stories are usually interesting enough to hold my interest while waiting for the aforementioned tea. (Red if you must know.) Today however, was posted a very rare treat, (for /. anyway) an extremely interesting and informative comment thread regarding Security Ethics. An important topic that isn’t discussed very often outside of vulnerability disclosure. Considering just how valuable Security people and IT workers in general are to a company (despite what your boss might think) it is important to maintain a high level of ethical behavior while at the same time remaining gainfully employed. Especially when all to often those two tasks seem diametrically opposed. This balancing act has forced myself to change employment more than once. The discussion thread on Slashdot provides some interesting horror stories, sage advice, and ammusing ancedotes about what really goes on during those SOX, SAS-70, 404 etc.. audits that the big companies (and governments) are so fond of.
No Comments »
One of the more popular features of HNN (The Hacker News Network) was the daily list of web page defacements that was maintained at the time by Attrition.org. Maintaining such an archive soon overwhelmed Attrition and the task was taken over by Alldas. After the demise of Alldas, a small (at the time) upstart security site in Austria, Zone-H took over. They have been maintaining the defacement archive for years and years slowly adding to it over time as new websites get compromised. Their archive now encompasses over 2.6 million web page defacements. The amount of data they have collected is invaluable and is an amazing resource for security researchers to gain a historical perspective on the frequency and methods of attacks used over the years.
Lately Zone-H has had some rough times, their founder has been arrested in relation to an Italian spying scandal and they have been coming under increasing criticism from people who think their archive is actually promoting web page defacements. As a result they are actually thinking about discontinuing the defacement archive.
This would be an unfortunate occurrence if it was to happen. They are currently running a poll on their front page, (in the left column) as to whether they should continue hosting and updating the archive or not. I urge you to cast your vote and help save a valuable security research tool.
1 Comment »
I’m still busy recovering from the excellent Source Boston conference and I will post a recap soon but I wanted to get this out there.
Last week I wrote about RFID enabled external hard drives that supposedly offered secure encryption of your data that turned out to be simple XOR. Well now USB thumb drives with integrated fingerprint readers have been found to be just as much Snake Oil. Hiese Security has reviewed several of the devices and have found it very easy to bypass the security of all of them. Companies that make crap like this should be found criminally responsible for fruad.
People see biometrics and automatically think they are secure, same thing when they see the word ‘encryption’. Your fingerprint is not a secret, you leave thousands of copies lying around everyday. In addition once the attacker has physical access to the device then your security will be compromised, fingerprint or not.
Oh, and I hope everyone had fun on Pi Day yesterday.
1 Comment »