Part-Time Pundit

Columns and Commentary by John Bambenek

The NSA is now following you on Twitter?

Just got this notification in e-mail: the NSA is following me on Twitter! Or at least someone who says they’re the NSA and is playing a joke.

  • March 11th, 2008 Posted by John Bambenek | Technology / Internet | no comments

    Review: Phrack Vol. 64 A Shell of its Former Self

    As an information security professional, lately I've become quite bored. The state of hacking today seems to be almost solely employed by the spammer-class of miscreants looking to make as much money as quickly as possible. It's big business now. As such, they continue to exploit the same weaknesses, again and again, and simply lack the spirit and ingenuity of previous generations of hackers.

    It is in this environment that the latest issue of the underground hacking magazine Phrack has been written after a long hiatus and under a new team of editors. If the document was a disappointment, it is because of the promise it has failed to live up to. As someone who has a notorious attitude problem, a healthy disrespect for authority, and a marked David complex, I have some sympathy for their underground and anti-authority tendencies, though I've not participated in the underground.

    That said, the current issue of Phrack looks like it is written more by disgruntled teenagers trying to be nostalgic for a long-past era which they never even participated in. Much like the anti-war protestors, who continue to try to relive their glory days of the 60s, Phrack is an attempt to live the hacking glory days of the 80s and 90s. The problem with both is that those days are gone. "You can never go home again."

    Hacking has been commoditized. With spammers running the show whose bottom-line is money, information security threats have become quantifiable, systematizable, and predictable. Occasionally there are some really neat new security hacks, the WMF exploit and the ANI exploit come to mind, but by and large, it's the same old stupid tricks done and redone. This is because they continue to exploit the weakest link, the unsophisticated PC user who will still fall prey to 419 scams after all these years. Upwards of 80% of people will click on phishing e-mails if the message looks "good" enough, such as through a social networking site. Any idiot can own hardware now… and they do. It's quantity over quality.

    At the same time, many of the old school hacker groups have sold out. Instead of continuing to work on their craft, they've gone to work for the highest bidder. As a result, the old hacking vitality has been lost. The Phrack editors are fond of saying that the information security guys need hackers, or they wouldn't exist. It's true.  I wouldn't be doing the job I do if it weren't for hacking; the problem is that you're boring the hell out of me.

    Here is the environment that Phrack is working in, trying to resuscitate a likely dead horse. They're hoping they can succeed, but I doubt it. With all the poor spelling and grammar, it's not likely they are up to the task. How can you try to teach people the syntax of shellcode when you don't have a basic understanding of the syntax of the English language? There is a difference between the cutesy-31337 h4x0r speak and sloppy writing. Phrack 64 was pock-marked with the latter.

    To be fair, there is some good info in this issue. I found the RDS-TMC article informative and full of fun little tricks I'll have to try on my friends. Some articles rank along the lines of a digital fecal toss. "The Revolution will be on YouTube" was so pointless and insipid I got dumber having read it. Pages are marked with Phrack trying to convince people they are important. Let me introduce Bambenek's Second Law:

    If you have to convince people you are (still) relevant, you aren't.

    The demise of the hacking underground is a familiar story when capitalism comes to town. While communism is an economic, political, and social theory, capitalism is only an economic theory. When it gets applied as a political and social theory, dysfunction occurs. In the case of the hacking underground, some sold out, others hopped in, and the wheel moved forward with the profit motive, and the fine people at Phrack are disgruntled because they've been left behind.

    Blogging is another example. Take the earliest bloggers; they all knew each other and there was a great spirit to it. Now it's been commoditized by splogs, been left behind by those who sold out, and the media has created their own. There are a few good blogs still out there (such as Blogcritics Magazine which is more online magazine, and my own blog of course), but the signal-to-noise ratio is quite low.

    Phrack is a relic of the past and a shell of its former self. It has managed to break out of obscurity with new editors and perhaps they can make it into a solid technical magazine once again, but the underground they represent is dead and will remain so. Likely, when the editors figure that out, they'll go on to something else too.

  • June 5th, 2007 Posted by John Bambenek | Columns, InfoSec, Information Security, Technology / Internet | one comment

    The Great Wikipedia Joke

    MercatorNet has posted my recent article on Wikipedia.

    According to Wikipedia’s own estimates there are over 765,000 stubs. This estimate could be off by about 20 per cent because Wikipedia rounded up in its counts and articles might be listed as a stub in multiple categories. This leaves about 600,000 stubs. That means over two in five articles in Wikipedia are stubs. That does not include articles that are stubs that have not been tagged by someone. This is in line with other estimates.

    Wikipedia also has a policy forbidding the use of original research in Wikipedia. If it hasn’t been published somewhere else, it cannot be used. However, over 180,000 articles are tagged by Wikipedia as not having necessary sources. That is, over 12 per cent of the articles in Wikipedia contain assertions which have not been documented.

    Lastly, there are pages that exist solely as “disambiguation” pages. These are pages listing the many alternatives for a certain word. For instance, if you search Wikipedia for “George Bush”, you get a page that lists the alternatives of what you might mean. There are about 73,000 disambiguation pages. There are also about 32,000 articles that are nothing but lists of other articles.

    Adding the numbers above shows that 58 per cent of articles on Wikipedia have no intellectual merit whatsoever.

    Read more at Mercator.

  • January 5th, 2007 Posted by John Bambenek | Technology / Internet | one comment

    Al Qaeda’s Economic War and Online Identity Theft: A Perfect Storm

    Online identity theft has become a constant concern in a world of online shopping and bill paying. In the rush to move to the internet age, many companies simply neglected security concerns and the result has luckily not been as bad as it could have been.

    In 2005, I did an estimate of the amount of money that was compromised because of online identity theft and came up with $24 billion in the United States alone. With the help of Agnieszka Klus, I redid the study recently with more realistic numbers and found over $55 billion was compromised. That amount is enough to pay off the entire state debt of Illinois.

    Despite this large amount of money being at risk, very little of that money actually gets stolen. What investigators have found is despite it being relatively easy to steal money online, the current fraud protections make it hard to steal a great deal of money; “The straw is only so big”, according to one government source. The running assumption is that online identity theft would be used for theft and there is a finite limit of the amount of theft that can actually take place. This has allowed financial institutions to build in this amount into their business models and simply write the cost of fraud and fraud protection into the price for their services.

    The idea that we, as a society, should rely on only one layer of protection (the limitation on how much can be stolen) is absurd and violates defense in depth. Eventually someone will figure out a way around the straw. More importantly, however, earlier this month proved false the assumption that identity theft would be used solely for stealing money.

    On December 1st, the Department of Homeland Security warned of an “aspirational threat” to United States banking interests by Al Qaeda. A website claiming to be affiliated with Al Qaeda encouraged the cyberattack against US financial interests using denial of service attacks and viruses. While the specific methods of attack are “low tech” and easy to prevent, it shows that terrorist groups are moving to expand their tactics to include economic warfare.

    If the goal of identity theft is to make money, the incentive is to keep taking as much as you can. If the goal is economic warfare, the behavior changes dramatically. As a concrete example, Al Qaeda could use run-of-the-mill hacker techniques to build a large botnet to steal identities. It could then use those machines that they have taken over to process fake transactions in the name of that consumer.

    For instance, they could use a consumer’s home PC and process transactions at amazon.com to buy a bunch of books using the credit card information and home address of the consumer. It is not clearly a case of fraud because the hacker is not getting any personal gain. Does Amazon or the credit card company believe that the consumer really didn’t make the order when the product is going to their home address?

    Now repeat this attack for a thousand consumers, ten thousand consumers, or one hundred thousand consumers. What would happen with the ensuing media coverage is that consumers would think twice about shopping online if their assets can’t be protected. They would think twice about paying bills online or banking online if their bank accounts can’t be protected. If done correctly and on a large enough scale, it would lead to a dramatic loss of confidence in electronic commerce and could push the United States economy back ten years.

    The fundamental problem with electronic commerce is that transactions are not effectively authenticated. If someone knows all the right information, they can place a transaction in your name. We’ve learned that in the digital age that stealing information from consumer PCs is remarkably easy. However, there exists technology today to fix this problem.

    Two-factor authentication (something you “have” and something you “know”) would mitigate the risk of stolen information. Some banks use key chains that generate random numbers to authenticate users to their bank accounts. This must be widely applied to not only bank accounts but general financial transactions online. As another example, instead of entering credit card information with a keyboard, a user could insert a credit card with an embedded smart card into a card reader attached to their computer. The reader could have a keypad to enter a PIN to make the transaction secure and the card reader would happily give the online merchant all the information it needed to complete the transaction.

    There are a variety of technologies to properly authenticate users to make purchases and these should be adopted. Al Qaeda and other groups are already on the lookout to undermine our economy. The question is will we stop them before it’s too late.


  • December 22nd, 2006 Posted by John Bambenek | InfoSec, Information Security, Military / War, Politics, Technology / Internet, Terrorism | one comment

    Tuning Out: Students Paying Less and Less Attention in Class

    I remember very clearly the first law class I took. I arrived just moments before the class started and sat in the back of the room which is generally my custom. I realized right away that every desk had power and an internet jack which I found kind of cool at the moment.

    The person just in front of me (who intended to be in the back of the class before I showed up) turned around and asked me as I sat down, “Hey, do you mind if I look at porn during class?”

    This event was memorable not just because of the absurdity of the question but it was one of the few times in my life that I was left speechless. Any number of obnoxious comebacks would have done but I was taken aback at not only the boldness of asking such a question but the concept of looking at pornography during a class on jurisprudence.

    Having internet access in a classroom is simply a bad idea. I’ve been to enough classes now to see that none of them have actually made use of that for an educational reason. People will play solitaire, check their e-mail, or even play World of Warcraft during class, occasionally switching back to Word to type in a few notes.

    However, the University of Illinois, like many other universities, is blanketing the campus with wireless connectivity, including connectivity in the classroom. Some locations make sense, like the dorms or the airport. Other locations are a rather sad social commentary, such as the performing arts theater. I’m not much for operas, but if I did go I’d certainly want to be free from the digital leash of e-mail.

    Wireless internet access provides no enhancement to the classroom experience and detracts much from it.

    It’s easy to blame students who don’t want to give due attention to their studies, however, many instructors here are so obviously disinterested in teaching that their lectures are largely a waste of time. I’ve encountered far more professors who spend lecture time reading out of the book or out of pre-printed lecture notes than professors who actually try to teach and provide solid material in class.

    The provision of internet access to the classroom provides yet another incentive for students to tune out during class. While it would be easy to say that those who don’t perform will just fail out, the problem is with the current tendencies, if the bulk of students start underperforming because of web surfing they’ll just lower the standards.

  • November 15th, 2006 Posted by John Bambenek | Chambana, Education, Technology / Internet, University of Illinois | no comments

    Mercator Column Up: Google, YouTube, and Web 2.0

    I have another paid column with Mercator up called Google, YouTube, and Web 2.0 on the recent acquisition of YouTube by Google, what it means for online advertising, and what it means for the “new media”.

  • November 2nd, 2006 Posted by John Bambenek | Technology / Internet | no comments

    Tin Foil Hats and Net Neutrality

    My latest DI column is up on Network Neutrality.

    Tin foil hats and net neutrality
    John Bambenek
    Posted: 7/14/06
    Network neutrality is a sham issue that deserves to be put to the violent death of all such faux rallying cries. After a great deal of research and after interviewing Frannie Wellings, government relations manager of FreePress, I have found nothing to base the charge that evil big business is plotting the demise of the Internet and with it the free world.

    What is clear from studying the issue is that the push for network neutrality is being driven by regressive politics and paranoia. These can be summarized by three components.

    The first is the theory of the stupid consumer, the belief that the consumer lacks the motivation, intelligence, or moral wherewithal to advocate for their own interests in the marketplace. Basically, consumers are too stupid to realize they are getting the shaft and they need the benevolence of a federal agency to make sure consumers’ values are respected (usually without even having to consult with consumers to know what those values are).

    The second is that of perennial suspicion of any corporation. Usually when an entire group is generalized by the actions of a small minority, it is called stereotyping. When the group being stereotyped is corporations, it is called “progressive politics.” Corporations are evil by definition, so they must not be allowed any freedom. In short, it’s the legislative codification of rank bigotry.

    The last is that corporations exist solely to stick it to consumers. Supply and demand is cast aside as an archaic concept. There is no such thing as a free exchange, there is only the continuous attempt by big business to pillage the countryside. The fact that Internet service providers have shown no inclination to start regulating what Web sites their consumers are seeing doesn’t matter. They’ll do it eventually because they hate society and their board members weren’t loved enough by their mommies.

    Never mind that it was corporations that built the Internet into what it is today. If it was left up to the government, we’d still be using Gopher. Ironically, up until about ten years ago Internet service providers exercised complete control over what services were available and what merchants you have access to online. That model was abandoned by the very same corporations that are now demonized. No consumer wanted it, advertisers stopped paying for it and it fell apart. The imminent return of a business model that was trashed a decade ago is absurd. It was Internet service providers that led the charge to open the floodgates, not the government and not partisan organizations.

    The fact that the net neutrality debate is being driven by militant left-wing organizations makes the entire proposal suspect. Having attended FreePress events, I know their definition of a free media is one where society universally accepts and believes the regressive political agenda. If the Electronic Frontier Foundation were pushing this, or another organization that has some credentials in technology, the debate would have credibility. The fact that the organizations pushing this are purely partisan smacks of a political agenda.

    The net neutrality debate is nothing more than the attempt to build a bogeyman and then demand the government do something about it. I’d prefer my congressmen deal with real problems instead of invented nightmares.

  • July 14th, 2006 Posted by John Bambenek | DailyIllini, Politics, Technology / Internet | no comments