Revisiting L0pht testimony – 20yrs later

Here is a copy of my introductory statement from the May 22, 2018 briefing where L0pht revisited its historic Senate testimony of twenty years earlier. (supporting links at the end.)

Good Afternoon, I’m Space Rogue. Twenty years ago, out of fear of corporate retaliation through lawsuits Space Rogue was the only name I used. Today I also use the name Cris Thomas, although not as frequently, and I work as the Global Strategy Lead for IBM’s X-Force Red which is the offensive security services part of IBM Security.

We are here today to talk about how things have changed in information security over the last twenty years. When we were here twenty years ago a lot of people said, we were a voice of reason attempting to warn people about just how much risk was inherent in our critical systems. A lot of people in information security, or I guess we call it cyber security now, that’s one change right there, will tell you that nothing has changed, that we still have issues with passwords from password reuse, to weak passwords, to no passwords. We still have organizations who ignore the problems either through ignorance, ambivalence or just greed. And we still have people who try to blame users for technological failures.
Continue reading

A Hacker at the Polls

On the second Tuesday in November I burned a vacation day, woke up at five in the morning and drove to a church down the street from where I live. I sat at a long table for thirteen hours and looked up names in a book. While I wasn’t at the church to pray I still felt as though I was cleansing my soul in some way. Over the years for various reasons I had amassed what I felt was extremely high level of personal voter debt and I felt this was a way to at least begin to pay some of it back.

During the last election I spent a lot of time being a pundit preaching about the integrity of the voting process. I figured if I am going to keep talking about elections I should get a look at what actually happens at polling places. So a few months before this election I did a few google searches, found my county’s voter information website and sent an email to the address listed for volunteers. The district where I vote was full so they assigned me to the neighboring district. In Pennsylvania the state voting website has a few videos to help explain to volunteers what to expect on Election Day. Despite them requiring Flash, I watched them all.

Of course I had to live tweet the whole day. When I arrived on Election Day morning it was just me and ‘Mary’ the Judge of Elections. Even though there wasn’t much to see she showed me around, pointed out the coffee and the restrooms and mentioned the voting machines which were already set up off to the side. In my district we use a Direct Record Electronic (DRE) voting machine. They weren’t much to look at but I still had to fight my urges to immediately start pulling them apart. I wasn’t here to test or even play with the machines anyway.

Continue reading

The Continuing Evolution of Cyber

I don’t think there is another word in the English language that provokes as much of an emotional response from information security professionals as much as ‘cyber’. In fact, half of the people who just read that last sentence are like yeah, but cyber is not a word it’s a prefix. (The other half probably just started giggling.) Unfortunately for them Merriam-Webster and the Oxford English Dictionary have both recently listed cyber as a stand-alone word as an adjective with the definition ‘of, relating to, or involving computers or computer networks’ which to me is an extremely broad definition. The Cambridge, Macmillan and Longman dictionaries all still lists cyber as a prefix but I am sure they will upgrade it to full word status soon. Can official use as a noun, the cyber, be far behind?

Cyber is generally understood to have originated in the Greek word ‘ΚUßερυητης’ or ‘kybernetes‘ which originally meant helmsman, as on a ship, which came to mean ‘to steer’ and eventually ‘to govern’. Norbert Wiener chose this word when, in 1948, he entitled his book Cybernetics or Control and Communication in the Animal and the Machine It was Wiener’s work on the automatic aiming and firing of anti-aircraft guns during World War II that caused Wiener to investigate information theory. This was the first documented use of the word ‘cybernetics’ in English.

Continue reading

SouthWest Password Ad is both Good and Bad.

Southwest Airlines recently aired a TV ad in their “Wanna Get Away” series that features some serious password blunders. In the ad a General is asked for his password so that they “can lock down the system” which he then reluctantly provides. The password, “ihatemyjob1”, is rather embarrassing and hilarity ensures. Lets watch…


Let us count the bad security practices used in this ad…

1. A Single point of failure. (The General)
2. He verbally shares his password for everyone to hear instead of typing it in himself.
3. The password is displayed without a mask.
4. The password is displayed in 100 point type on a 20 foot screen for everyone in the room to see.
5. Password does not use uppercase or special characters.
6. While the password uses a number it is appended to the end.
7. No 2 factor authentication.
8. Everyone who sees this ad thinks that while ‘ihatemyjob1’ may be an embarrassing password it is perfectly acceptable since a general uses it.

Let us count the good security practices in this ad

1. The password is longer than eight characters.
2. The password uses a number.
3. Everyone who watches this ad hopefully realizes that they use a similar password and quickly changes it to something better.

Lets face it, while slightly funny this ad will make no one stop and think about how secure their own password may or may not be. However, it might make some people think that ‘ihatemyjob1’ or something similar is perfectly ok to use.

Addendum: The general’s uniform in this ad is a disgrace. Although probably done on purpose so as to not offend any one service they have in fact offended all services.

Tilting It Sideways

Trying to track down the origins of an Internet meme can be an almost fruitless endeavor. Other than giving credit to its originator and perhaps giving them a few minutes of Internet fame there really isn’t a lot at stake by determining who was the kid in the success.gif or what meme Laina Morris is responsible for. Finding the origin of a story involving the breach of critical infrastructure however, can be rather important.

Like funny Internet memes, stories about compromises of water plants, steel factories, power companies or other systems controlled by SCADA or ICS can be repeated over and over until they are accepted as facts with no one questioning their authenticity. Previous events such as power outages in Brazil, a water pump failure in Illinois, the improper shut down of a blast furnace at a German steel mill, a pipeline explosion in Turkey were all originally attributed to cyber attacks. In fact cyber attacks were blamed in almost all cases not because there was any actual evidence but rather the lack of any other explanation. Since nothing else could have caused the problem it must have been those meddling hackers.

I recently heard of a new incident that seems to fall into this same scenario. The story claims that hackers broke into the control system of a floating oil rig off the coast of Africa, somehow messed with the ballast control and caused the rig to tilt. The rig had to be taken offline while the systems were cleaned up. As with most of these types of stories no supporting information is given. No actual dates, no name of the oil rig or its owner, even the location in this story is vague, ‘off the coast of Africa’, an entire continent.

Continue reading

I watched CSI:Cyber so you don’t have to.

CSI has a proven formula for making popular TV shows. Unfortunately that history does not include accurate TV shows. When it comes to tech and things ‘cyber’ this is probably the preeminent example of CSI being bad and wrong at the same time. I thought there was no way they could top this, I was wrong.

Hollywood has had a long history of doing tech wrong. Take a look at the recent Scorpion TV show, on second thought don’t, its almost as bad. Occasionally Hollywood does get Tech correct, like with the recent Blackhat movie, but while the tech was good the movie itself was bad for other reasons. The last time, perhaps the only time, Hollywood got the movie and the tech right was Sneakers, which is coming up on a quarter century in age.

While I think it is great that TV shows like this bring technical issues to a mass audience, scaring people into thinking that the Internet is out to get them is probably not in anyone’s best interest. Humans often do stupid things when they are scared.

Let me talk first about the few things that CSI:Cyber got right. The show mentions that social media is a huge aide to law enforcement and one of the characters jokingly says that’s why he doesn’t use it. This is absolutely correct; Facebook, Twitter and other sites are often the first step in an investigation of any sort, often even before they interview witnesses or suspects.

The softball shaped camera that is thrown through an open window into the bad guys lair near the end is an actual thing that is actually used by law enforcement. They got this right.

In another scene one of the technical characters, who is labeled as ‘the greatest hacker in the world’ (I’m not even going to touch that statement) claims that RATs or Remote Access Trojans are easy to get for $40 on the ‘surface net’. He is right about the easy to get part although his price is a little high and I have no idea what the ‘surface net’ is. But yes, tools that online criminals use like RATs are very easy to come by. The thing about Remote Access Trojans is that they are very similar to legitimate Remote Access Tools like say Go To My PC or Remote Desktop,

Probably the most important thing that they got right in this show was when the Worlds Greatest Hacker was berating the lowly tech employee for allowing a vulnerability to exist in the companies software and the tech guy responds with “I took it upstairs but they didn’t listen.” This is an all to common theme that is often repeated in the information security world. Company executives often refuse to listen to security concerns and instead focus more on the bottom line. This is probably the single truest thing this show got right.

The second most important thing they got right was the weak security present in many Internet connected cameras. Many such cameras have default passwords and are easily searched for over the Internet allowing anyone to connect to the camera and watch and listen to what is happening. There have been cases where people will connect to a camera and then yell at the sleeping baby. Manufacturers of these cameras were told about their default password problems but most refused to fix the problem, that is until these stories started to hit the press and the FTC started to levy fines. Even after the companies issues an update to the devices firmware it is up to the owner of each camera to learn about the update and apply the patch themselves. This seldom happens leaving tens of thousands of devices installed in peoples homes that anyone can access.

Other than that just about everything else in the show is just completely unbelievably wrong. Not only are things wrong but they play on known false tropes, like that lead can block radio signals (it can’t), that convicted criminals are allowed to work in the field on active investigations, that you can quickly separate overlaid audio and translate it, that you need big wall sized monitors in order to catch bad guys, that hackers who could be half way across the world are conveniently just an hour or less away, that non-smart phones can have GPS aps and that cops treat forensic data so carelessly.

One of the most egregious examples was the speed at which the characters analyzed the cameras source code and it came up all green and then turned red. Source code doesn’t just magically turn red when malware is found. Reverse engineering is painstakingly hard, and it takes a lot of time. If code could just magically turn red if it did bad things, like it does in this show, the world would be a much much better place.

I was especially troubled by one of the statements made early in the show “Any crime involving electronic devices is by definition, cyber” While this is just a TV show there are people who believe this or at least will be influenced by this. This scares me as I guess that makes my electric drill cyber.

Also I loved how the characters on the show could do these crystal clear remote videoconferences from remote locations? How? They never bothered to explain where the camera was or what are they are using for bandwidth. If they did it with their cell phones I want to get on that data plan.

And I could not overlook that they had the one black person on the show repeat a racist nursery rhyme “Einie meane miny moe, catch a…” well they changed the word on the show but I’m really surprised they let that through.

If you didn’t watch this show you didn’t miss anything, at all, and I encourage you not to watch it, in fact just forget that that it exists and with any luck it will be canceled. And then we just have to wait for the next TV show to do tech wrong.

All of this has happened before and all of this will happen again

Two teenagers in Winnipeg Canada somehow got the idea to see if the default password on a Bank of Montreal ATM machine was still valid. The got the default password after finding the operators manual for the ATM online. As is often the case the default had not ben changed and was still valid. Instead of taking all the money they could carry and running away the kids instead went to the bank to let them know. Of course being fourteen-year-old kids they went to their local branch, and where, being fourteen-year-old kids, no one believed them. The kids had to go back to the ATM and get it to print out stats like how much money was still in the ATM before the bank branch manager believed them enough to notify the banks security department.

There are a lot of things that can be learned from this story, or actually should have already been known. If these kids had tried this in the United States, despite their good intentions, they may have been charged with a violation of the CFAA (Computer Fraud and Abuse Act). If the bank manager had not been so understanding I am sure they could have been charged with the Canadian equivalent. Testing for default passwords on bank owned ATMs is probably not the smartest way to utilize your free time.

The branch manager should have taken the allegation seriously the first time, regardless of how old the people with the information were. Instead the branch manager evidently told the kids that what they initially reported was impossible. This shows a serious lack of security awareness training for Bank of Montreal employees.

What about the bank itself? Why did the Bank of Montreal leave a default six-digit password on an ATM machine? It is unlikely that only one machine out of several hundred ATMs was configured with the default password. I hope BMO gets around to changing all those defaults before someone is able to make off with the cash.

The worst part about this story I think is that all of this has happened before. A lot of people have heard about the presentation at the Blackhat conference in 2010 by the late great Barnaby Jack where he made an ATM spit out money on stage. That was sort of sensational and required access to the back of the machine. But what about the arrest of two people in Lincoln, Nebraska in 2008 when they used default passcodes to steal money from an ATM? Or the thefts in Derry, PA in 2007 from Triton 9100 model ATM after the default passcodes were found online? Or again in Virginia Beach, VA in 2006, this time using default passcodes in the Tranax 1500 also found online in the operators manuals.

So in this one story we have default passcodes that aren’t changed, people who do not take security alerts seriously, people not learning from history and the possibility of innocent kids running afoul of the law. Of course all of this has happened before and unfortunately all of this will happen again.

Everybody must get stoned

Apparently FBI Director James Comey thinks that everyone in the Information Security Industry is a dope-smoking pothead who gets high just before an interview. “I have to hire a great work force to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview,” James Comey was quoted as saying.

Of course two days later, after basically insulting most of the Information Security Industry by calling them all stoners Director Comey said his comments shouldn’t be taken seriously and that he was only trying to inject some humor.

Currently the FBI says that anyone who has used marijuana in the last three years is “not suitable for employment”. In addition you cannot have used other illegal drugs for the previous ten years. So the FBI has already recognized that marijuana is different from other ‘hard’ drugs and now they may be thinking about relaxing those standards even further. Considering that there are twenty-one states where marijuana for medical use is perfectly OK, and two states, Colorado and Washington, where marijuana is legal for recreational use it makes sense for the agency to revisit its anti-drug policy. However, specifically singling out one specific group such as Information Security professionals may not be the best way to attract applicants.

If the FBI wants to review its marijuana policy in light of the recent relaxation of laws in some states for all potential applicants regardless of job function, well that’s great. The overall sentiment towards soft drugs like marijuana is changing and employers, including the FBI, should adjust to that sentiment at the same rate as society. However, to relax standards for just one specific job type sends the wrong message.

The FBI has open head count for over two thousand recruits this year, most of those will be assigned to cyber crime units. The FBI like every other employer in the security industry is having a difficult time attracting qualified applicants for those positions. The US Army has said in the past that it wants to relax physical fitness standards for cyber warriors Relaxing standards for those applicants, as I have argued before, is not the best way to get qualified candidates and sends the wrong message to applicants or current employees who met the old standards.

This is a simple economics question of supply and demand. When the demand is high and the supply is low the price, or in this case the salary, must go up. Artificially increasing the supply by lowering standards helps no one. If the FBI wants to lower standards to increase the pool of applicants how about it take a look at some of the other things that will automatically disqualify job candidates for employment with the FBI. If you failed to register for the selective service, guess what? No FBI job for you, same with defaulting on a government insured student loan. I have to think that the number of qualified candidate who have defaulted on a student loan and or did not register with the Selective Service is probably several times greater than those who light up a joint just before an interview. If the FBI is serious about increasing its applicant pool perhaps it should reexamine those restrictions as well.

The FBI and other government agencies have a lot of strikes against them when attempting to attract highly qualified applicants. Things like a strict dress code, initial assignments to small offices, and government bureaucracy don’t help at all. However, the FBI does have things that other employers can’t offer like an amazing benefits package, stable employment that isn’t subject to market forces and of course the fact that they are the government. There is a distinct subset of people that look at employment in the government and in law enforcement as an attractive option. Perhaps the FBI and other agencies should play up these strengths when recruiting as opposed to reducing standards.

But seriously are people really getting high before interviews, especially at the FBI, as Director Comey even humorously suggests? If someone showed up drunk to an interview I wouldn’t hire them either, let alone if they were stoned out of their mind. I am sure there is some drug use in the Information Security Industry just like there is with the rest of the population but to suggest that infosec people are a bunch of reefer toking stoners who are getting high so much they can’t sober up enough for an interview tells me they aren’t very familiar with the industry they are trying to recruit from.

Is it time for an industry wide MAPP program?

As you might suspect, the bad guys have much better exploit notification than the good guys. While there is no central repository of vulnerability information that is only released to the good guys, Microsoft does an excellent job with early notification of its vulnerability information via its MAPP (Microsoft Active Protections Program). Should there be something similar setup for all security bugs on an industry wide basis?

On the surface it sounds like a great idea. Information about critical bugs like HeartBleed could be shared with trusted and vetted members early before the information was made publicly available and the bad guys could take advantage of it. This gives those trusted members time to fix the problem before the bad guys could develop new attacks and take advantage of the flaws.

This is how MAPP works. Microsoft has very strict guidelines on who can and cannot be included in the program and if you are found to be leaking information before the specified release date you are ejected from the program. Microsoft historically only granted a few days notice to its trusted MAPP partners of the upcoming Patch Tuesday bugs but have recently expanded this length of time to give vendors more time to develop protections for their products before the bad guys can reverse engineer the patches and develop exploits for those bugs.

This all works for Microsoft because they are in control of their information, the number of members in MAPP is kept small and each much conform to strict guidelines to protect the information Microsoft provides. But on an industry-wide scale this model falls apart. A prime example of the chaos that can surround a critical bug disclosure is the mess surrounding the disclosure of the HeartBleed bug. If you look at the timeline composed by the Sidney Morning Herald it is evident that attempting to keep the disclosure process simple and organized on an industry wide level is anything but simple. The process is fraught with non-disclosure agreements, employee leaks and covert secrecy, definitely not a process that should be trusted with critical software vulnerabilities.

The first issue of an industry wide MAPP style program would be who would run it? Is this a task for the US government? What about bugs found outside the United States? How would you keep the NSA or other agencies from attempting to horde a critical flaw and add it to their weapons stockpile? While an independent international third party could run such a program how would it be funded? You could charge a fee to trusted members but then you introduce the possibility of someone buying their way in even though they shouldn’t be trusted. Not to mention the ethical debate that would arise from ‘selling’ vulnerability information.

Then there is the matter of deciding who can be trusted with handling such information early. As with any secret the more people you tell the harder it is to keep secret and as a the heartbleed timeline shows some people may leak information to their friends and employers or bad guys before a public announcement. Membership should be limited to prevent the circle from getting to large but who decides who is in and who isn’t?

Of course all this completely ignores the actions of the rogue researcher who is free to do whatever they want with their research. There is nothing stopping them from publishing such information publicly, telling a small group of people, selling it to the highest bidder or hording it for their own uses and telling no one.

An industry wide MAPP program sounds good at first but due to governance issues, international politics, and of course money, it would be difficult to keep together, keep the information out of the hands of the bad guys, and probably just create way to much drama and infighting inside the industry. Even if you were able to solve all those problems there will still be the one person who decides they don’t want to play by the rules and will do what they want.

A Psycho Analysis of Jericho

The epic box-o-shit. I don’t know where the tradition started but it has been perfected by Jericho of Beginning at least five years ago Jericho has boxed up the chotskies, leftover guinea pig fur, random bits of useless tech and whatever else he happened to have laying around and shipped them off to whoever he felt was most deserving, or whoever he felt would make the best victim. I had been waiting in anticipation (actually it was down right fear) until I received what I almost knew was coming, but it never did.

About a year ago I was at a local flea market when I spied at the bottom of a box of random crap a glass squirrel approximately eight inches high. It was depression era pressed glass, speckled with random paint drops, a few chips in the glass and a rather nasty piece of sticky green felt glued to the bottom. Somehow this disgusting piece of glass made me think of Jericho. I figured the squirrel needed a better home than the bottom of some random box full of shit. It needed to become the centerpiece of highly selected box-o-shit. I figured it was time to put my box-o-shit destiny into my own hands, time to tempt fate, time to poke the angry guinea pig with a carrot.

Glass Squirrel

The guy at the flea market wanted $20 for the squirrel with the paint spots, chipped glass and nasty sticky felt on the bottom. Not really sure what he was thinking but I managed to talk him down to $8. I took the squirrel home, scrubbed off the paint drops and the nasty felt. There wasn’t much I could do for the chips in the tail though. By now it didn’t look to bad and I was wondering if maybe I should keep it for myself, that jerk Jericho definitely did not deserve anything half as nice as this.

Instead of using shipping peanuts or those bags of air or even crushed newspapers, I instead grabbed every chotsky, random bits of useless tech and whatever else I happened to have laying around and used that for packing material. Unfortunately I was fresh out of leftover guinea pig fur.

It took Jericho three months before he even acknowledged receiving the box but he eventually wrote it up. And then I waited. I waited for the inevitable retaliation that was sure to come my way. I knew Jericho wouldn’t just let an eight-inch tall glass squirrel arrive unsolicited in the mail and do nothing about it. But I waited, Spring turned to Summer and every trip to the mailbox filled me with more and more dread, when would he strike? When would he put and end to this torture? Why oh why did I ever decide to send that jerk anything at all? I should have kept that squirrel for myself or better yet let it sit and rot in the bottom of that box of random shit at the flea market.

Finally after nearly a year of self imposed torture, of opening the mailbox each day in anticipatory fear, it arrived, a small unassuming brown box. I immediately knew right away what it was and where it was from. On the one hand I was relieved that my torment was over, but I knew I still had to open the box, I still had to pour through the contents of whatever wretched debauchery Jericho’s twisted mind decided to send me. It has taken me a while; months actually, to get up the courage to finally pull back the packing tape to reveal the contents of Jericho’s box-o-shit.


What I realized as I went through the contents of the box was that it wasn’t about me, it wasn’t about revenge for a glass squirrel. This box-o-shit and maybe all boxes-o-shit are glimpses into the deranged mind that is Jericho. Perhaps even a desperate cry for help that echoes from the basement he must live in deep inside the Rocky Mountains.

As you can see on the top of the box was a plastic baggy full of multi colored paper with two stick-on eye balls and labeled with the word ‘puzzle’. Obviously this is a symbol of a cracked and fractured psyche symbolized by the many pieces of different color paper cut up into small sizes. Obviously Jericho is crying out for someone to put his poor soul back together again.

open box

Beneath the puzzle was a collection of magazine subscription cards, which at first glance might seem like nothing more than filler for the box. However, after sorting the cards and conducting a frequency analysis on the represented publications it is clear that these cards are yet another look into at the enigma that is Jericho. While it is well known that Jericho is at or below average intelligence he considers himself to be of above average intelligence. This is indicated by the large number of subscription cards to Discover and Science Today magazine. The subscription cards to Men’s Health and Psychology Today indicate that he knows that he has a problem and is looking for some sort of solution, which he hopes to find by reading these magazines. While he considers himself to technologically knowledgeable and therefore reads Wired magazine the fact that he is still subscribing to dead tree publications shows that he is in fact a Luddite. Of course anyone as mentally instable as Jericho will have deep-seated sexual frustrations as indicated by the subscriptions to Penthouse and Maxim, as well as the included Durex condom found elsewhere in the box.


And while we already have enough information to determine that Jericho needs major professional help there is yet more supporting evidence within the box. A collection of Pimm’s Cup and several tequila bottle caps shows his attempts at self-medication through alcohol. The collection of self-promoting stickers shows a predilection to narcissism and the random keys, rocks, candy and fur balls shows just how schizophrenic he actually is. The collection of dinosaurs is obviously a link to his still present infantilism.




Unfortunately I only do psycho analysis and perpetrator profiling as a hobby, as such there are still a few items in this box-o-shit that I have been unable to apply towards the subject Jericho. A Honda emblem? A Slinky Jr? An Elevation of privilege card game? And who inside the United States under the age of sixty has a copy of a Susan Boyle CD? (I guess I do now.) I am sure with proper analysis these items will also provide valuable insight into the deranged and demented mind of Jericho.

Susan Boyle

demented yellow squirrel