Problem Solver

 

So, a geek friend of mine (we’ll call him Joe) has a teenage girl (we’ll call her Ana) who started sleeping in late and skipping her first few classes of school. “Joe” has a rule for “Ana” about school. That rule is very simple: “Don’t make me have to talk to the school, ever.”

Well, “Ana’s” behavior was causing the school to contact “Joe” daily, and after discussing the problem with “Ana” for several days, with no real change in her behavior, “Joe” took the problem on as only a geek would do. He decided that he would wake her up at 0530, to ensure that she could get up, shower, get dressed, eat breakfast, and walk to school on time.

At this point of the story, it is important to inform you that “Joe” is a night owl.  He is a very grumpy morning person, if not as bad as me, perhaps a bit worse.

  • He does NOT do mornings.
  • At All.
  • Ever.

So, “Joe” goes down to Harbor Freight, purchases a “100 dB Old Fashioned Sound ‘Ooga’ Air Horn”, couples it with an Arduino on his home network, places it under “Ana’s” dresser in her bedroom, and sets up a cron job to fire off at 0530. This was all done while “Ana” was in school.

Fast forward to the next morning…

The cron job fires, 100 dB of OOoooga Goodness goes off for 5 seconds, and “Ana” bolts out of her room angry, showers, gets dressed, eats breakfast, and gets to school on time.

That afternoon, when she comes home, she and “Joe” sit down and talk again, and “Joe” asks, “So, you seem to be having a problem with getting up in the morning. We discussed this problem, and its impact on me, as I don’t want to get calls from the school. So, your problem became MY problem. I’m a problem solver. Are we going to have a problem getting up tomorrow morning? I can set an alarm for you.”

“Ana” replied, “No, we’re not going to have a problem.”

“Joe” is a kindred spirit, we’re problem solvers.  Don’t make YOUR problem MY problem, I WILL solve it.

 

FYI, “Ana” has been getting up in the morning on time ever since…

Defcon Sexism… in a nutshell

| August 17th, 2012

“Exactly two things have made sexism lower at DEFCON since DEFCON 8:
An increased number of women in technology attending, and attendees who now know that they may have to step in to help. Everything else … is security theater.”
–dc0de.

DEFCON… Twenty Years…

| June 30th, 2012

Paying Homage to the Community…

As we begin to prepare to go to DEFCON 20 we need to be humbled that something that Dark Tangent (aka Jeff Moss) started twenty years ago, is not only still going on, but is THRIVING more than ever.  When I went to DEFCON in 2000, (DEFCON #8), I never really expected that I would be able to support the community that makes this convention possible.  Not only was I awestruck by the amount of knowledge and camaraderie that defines DEFCON, but also wanted to help continue to give something back to the community that makes DEFCON possible.  As DEFCON grew, and moved from the venerable Alexis Park to the Riviera Hotel, I was asked by noid (Head of Security Goons) to become a Security Goon.  Not only was I honored, but I had very little knowledge of how much work was involved and how great an organization the Security Goons and DEFCON Goons were.

I am now a Goon, and this will be my 7th year donating over a week of vacation, personal expense, and compromise to volunteer my time to work at DEFCON. Some of the maladies that befall a Goon while walking anywhere from 11 to 21 miles per DAY, for at least three days (this year looks like 4 days of work), include:

  • leg cramps
  • sore feet
  • loss of voice
  • “DEFCON Flu”
  • Sharpie on body parts
  • over ingestion of alcohol
  • verbal and physical abuse

These are only the ones that are safe for work, and that I can publicly post. For those of you who have attended DEFCON in the past, Thank You!! For those of you who are coming for the first time, please read the DEFCON FAQs…

Here are some links for you to look at, and suggested reading… Enjoy… as I will… celebrating the 20th Year of a great DEFCON Community…

The hackers life – my weekend at Defcon - Lou Lesko - National Geographic

GOONOLOGY 101 - Technorazzi Magazine

Official DEF CON FAQ v0.95

Who are the Goons of DEF CON?

 

Help find this stolen Motorcycle

| November 7th, 2011
Red 1977/76 Moto Guzzi 850 t3, stolen between 11/4/11 19:30 and 11/5/11 10:00, in San Pedro, CA

A friend of mine had his motorcycle stolen between 11/4/11 19:30 and 11/5/11 10:00 near 25th and Gaffey, San Pedro, CA. Please be on the lookout for it. It’s a 1977/76 Moto Guzzi 850 t3 with the following distinguishing features:

• Clutch lever is original Moto Guzzi aluminum (as seen in photo)
• Rear brake lever is newer, black, very different from the clutch lever
• The pipes you see in that picture are specific. They aren’t unique, but you probably won’t see another Moto Guzzi with them
• The tank has a ‘scar’ on the right side just below the Moto Guzzi logo
• Seat is new marine vinyl except for the rear section, which still has the original material, with a crack, and the original Moto Guzzi silk-screened on it
• Has non-stock, aftermarket spoke wheels
• Front tire has a groove in it, just right of center (as you’re facing it)

If you have any information at all regarding this motorcycle, please contact  flea23b at gmail dot com, or me at mr.dc0de at gmail dot com.  (note that there is a ZERO in my username)

I just read this article on computerworld.com, and was happily surprised for the first time in 10 years.

Finally, someone gets “it”.

The FFIEC is planning on requiring stronger dual authentication methods for online transactions, which is a very good thing.  PCI, Sarbanes-Oxley, HIPAA, GLBA, and a myriad of other regulations and requirements are not keeping pace with the ever shifting threat landscape.  In fact, most of them are so committee driven, it simply takes YEARS to get a new requirement instituted in the standard, and then there are YEARS allowed to implement the new standard.  The FFIEC is a bit different however.  I’ve worked in the financial sector for many years, (12+), and have respected the FFIEC’s direction with information security.  I feel that they set the strongest set of standards today, with the exception of Top Secret Government networks.

The greatest part of the FFIEC is that their governance has teeth. If a financial institution fails the audit, and fails to remediate the failings, the FFIEC’s Regulatory Agencies can go so far as to close that financial institution. This is different from most every other regulation or requirement, as the business is simply closed. Not fined, not shamed on the front page of national newspapers, it simply has its doors closed. Ponder that for a moment: you fail, and you’re closed. You can’t Risk Manage away the costs of LOSING THE ORGANIZATION, unlike a fine for non-compliance… so, IMHO, those are REAL TEETH. I’ve added a link to the FFIEC’s Standards and Regulations at the bottom of this post.

My two favorite comments in the article are below:

“Obviously, some of the banks thought that it was enough if they simply added cookies or challenge/response-based authentication,” Litan said.

“What has happened is that the FFIEC has realized that some banks need to be told in black and white what they need to do.”

via Banks may soon require new online authentication steps – Computerworld.

http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

It’s the Latency, Stupid.

I was reminded again today of the above rant penned by Stuart Cheshire in May of 1996. I overheard someone from our “offshore” (see India) team who was having latency issues with their connections from India to the United States.

Regardless of reports that India is far ahead of the United States with regards to Information Technology education, it seems that these SIMPLE things are often overlooked. Sadly, it’s not just the Indian education system that is overlooking this. I see this as a VERY common occurrence in my line of work.

Look people, if the road is slow, no amount of lanes across is going to make it faster.  You’re stuck with latency.

Some great examples of high-latency connections:

  1. India to the United States (Pacific Ocean fiber crossings)
  2. Any “broadband – satellite” connection.  (a single packet path of 44,462 mi, more than twice the earth’s circumference)
  3. Dial up

Get with it folks, we haven’t beat the speed of light yet, so until we do, deal with the latency… kthnxbye

Conversation with thiflannigan3452
(06:53:40) Thi Flannigan: hey cutie
(07:18:49) me: cutie?
(07:19:04) Thi Flannigan: Yay someone to talk to :-) !! how are u?
(07:19:17) me: not too bad, have we met?
(07:19:32) Thi Flannigan: I’m great thanks for chattin with me I found your name in the online members search :) whatcha up to?
(07:20:24) me: getting ready for work.
(07:20:40) Thi Flannigan: I’m not too into exchanging pics .. are you?
(07:21:00) me: no.
(07:21:17) Thi Flannigan: i’d rather see each other u can see the real thing on my cam… u want to?
(07:21:26) me: no thanks.
(07:21:40) Thi Flannigan: no worries..thouhght u wanted to see me naked ..:)
(07:21:59) me: ummm, no. not into watching cams… more into doing the real thing.
(07:22:16) Thi Flannigan: Click http://www.acceptinvite.com/xxxxx it’s a more secure place with my cam u will have to verify your age so I’m not showing my pussy to a minor ;) , i had to do it too but dont worry its 100% FREE and its alot of fun once u get in ;)
(07:22:26) me: nope, don’t do that.
(07:22:41) Thi Flannigan: make sure you click join free in orange at the top,click it k?
(07:22:46) me: no.
(07:22:56) me: I have frogs in my shoes
(07:23:01) Thi Flannigan: ok, fill out your info,first and last name, make sure you put your correct b-day k?
(07:23:10) Thi Flannigan: Credit card, debit card, or atm is just to verify your age hun, your card will NOT be charged just validated see where it says that? like i said it’s FREE… cant show tits and pussy to minors..you know? ;)
(07:23:27) me: have you ever put peanut butter in your pants pockets?
(07:23:43) Thi Flannigan: I’m inside waiting for you.
(07:24:05) me: oh, inside my computer? or inside my car?
(07:24:49) me: Are you there?
(07:27:20) me: oh no, are you trapped in my computer?

New regulations would give law enforcement a “back door” to monitor online communications, threatening civil liberties and stifling innovation in the process.

Taking a cue from the authoritarian regimes of Saudi Arabia and the United Arab Emirates, American law-enforcement and intelligence agencies are seeking to re-engineer the Internet and other digital communications networks to make them easier to spy on.

It’s hard to blame harried law-enforcement officials for wishing they could freeze time or control disruptive technological changes. They can’t, of course, but they could do a great deal of damage to both the high-tech economy and the security of global communications before they figure that out.

via Wiretapping the Internet | The American Prospect.

The sin of techno lust

In the business space it’s easy to get seduced by sexy security technologies but implementing too many security technologies will increase operational risk of information security instead of achieving defense in depth.

via When defense in depth fails – two deadly sins | Israeli Software.

Great article by Israeli Software on why Defense in Depth fails…

A great article for the lock picking newbie…. (by Jon Wellborn @ jonwellborn.com)

I’m assuming this newbie has already spent some time with basic lock concepts (the LSI Guide to Lockpicking and the MIT Guide to Lockpicking are both sufficient for this introduction) and has attempted to pick a few locks, with some success, and wants to establish a good practice base to build from. Hopefully the following will serve that purpose in a general way:

via Lockpicking – practice locks and starter picks « Never a dull moment.

© 2008-2013 dc0de's notes... & dc0de.com All Rights Reserved