Tuesday, August 31. 2010
Paul Rubin had a piece in the Wall Street Journal describing 10 fallacies of Web privacy. This is my response, and the start of my blog's official "privacy" category.
Continue reading "A Response to Paul Rubin's 'Ten Fallacies About Web Privacy'"
Thursday, August 19. 2010
The ZaCon II CFP is nearing its closing date (tomorrow!), and this is an overt reminder to all of you thinking about submitting to do it. ZaCon is a great place to either give your first infosec presentation or deliver a tech-heavy presentation to a receptive crowd. All you need do is submit a short abstract to abstracts@zacon.org.za and, if your submission is accepted, prepare and deliver a presentation. You don't even need to write a paper. If that isn't lowering the barrier to entry enough, then you're just lazy :)
If my submission is accepted (heavy bribery underway), then I'm hoping to set up an infosec BP-style debate, and will be approaching some of you "I'm smart but never share that outside the office" types to get involved, and hopefully have some fun.
You can read more of my thoughts on ZaCon here. Also, at some indeterminate point in the future, some ramblings about ZaCon will appear in episode 18 of Let's Talk Geek.
Tuesday, August 10. 2010
This is a cross-post from my other blogging home at SensePost.
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below; click through to SlideShare for the original PDF).
The talk is an introductory overview of Privacy from a Security perspective and was prompted by discussions between security & privacy people along the lines of "Isn't Privacy just directed Security? Privacy is to private info what PCI is to card info?" It was further prompted by discussion with Joe the Plumber along the lines of "Privacy is dead!"
The talk is, unfortunately, best delivered as a talk and not as standalone slides, so here's some commentary:
Continue reading "Information Security South Africa (ISSA) 2010"
Monday, July 5. 2010
Scroogle is no longer working for the second time this year (I archived the announcement at the end of this entry). The author claims Google deliberately killed the simple interface they were using. I've e-mailed to point out that Google Custom search works fine, but relying on Scroogle isn't going to cut it anymore. The obvious solution is to use GoogleSharing. However, not all devices support it due to the requirement of a Firefox plugin; my phone for example. After meeting Moxie I discussed the idea of including a search interface with the GoogleSharing server. The idea would be that <googlesharing server>:<port>/search would provide a plain HTTP interface to search through the server.
Continue reading "Scroogle is Dead, Long Live GoogleSharing"
Tuesday, June 22. 2010
ifconfig -u|grep -v inet6|grep -v media| grep -v lladdr|grep -v ether|grep -v status|sed "s/flags=.*//"|sed "s/^.*inet \(.*\) netmask.*$/\1/"|sed "s/^\([elfv]\)/#\1/"|tr -d '\n'|tr '#' '\n' && echo
I just want a simple display of the interfaces on my system and their IPs. I was in a rush and came up with that disgusting line. On the one hand it demonstrates the power of Unix, on the other hand it demonstrates the problems with it. So, dear interwebs, please provide me with (in order of preference):
- A better way of doing it (I'm thinking sysctl, [I'm on a Mac])
- The right command line magic to get better greppable output from ifconfig
- An optimised command line, specifically:
- How can you combine the multiple "grep -v" commands?
- How can I combine the sed & tr commands?
Failing that, here's a command you too can use to give you a fragile list of interfaces and their IPv4 addresses. I've embedded it on my desktop with GeekTool (OSX). It makes the firewall logs, also embedded on my desktop, make more sense :)
UPDATE: I love you my fellow Geeks. The winning solution is from Craig Balding via twitter, who put us all to shame with the ridiculously simple piece of cli kung-fu that is:
ifconfig|awk '/mtu/ {nic=$1} /inet / {print nic " " $2}'
Continue reading "Simple IF: IP list - the Unix way"
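As an added example (not the original post's code, nor Craig's one-liner verbatim), here is the same awk approach wrapped in a function that strips the trailing colon from the interface name and also copes with the older Linux net-tools "inet addr:x.x.x.x" layout, which the one-liner above mis-parses. It reads ifconfig-style text from stdin, and the two samples it is run against are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Lists "interface ip" pairs from
# ifconfig-style text on stdin, for both the macOS/BSD "inet x.x.x.x" form and
# the old Linux net-tools "inet addr:x.x.x.x" form.
iflist() {
  awk '
    # An unindented line starts a new interface block, e.g. "en0: flags=..."
    # (macOS/BSD) or "eth0      Link encap:Ethernet" (old net-tools).
    /^[^ \t]/ { nic = $1; sub(/:$/, "", nic) }
    # IPv4 lines: "inet 192.168.0.10 netmask ..." or "inet addr:10.0.0.5 ...".
    $1 == "inet" {
      ip = $2
      sub(/^addr:/, "", ip)
      print nic, ip
    }
  '
}

# Constructed sample resembling macOS ifconfig output (not from a real host).
SAMPLE_MAC='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:11:22:33:44:55
	inet6 fe80::1%en0 prefixlen 64 scopeid 0x4
	inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
	media: autoselect
	status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:11:22:33:44:66
	status: inactive'

# Constructed sample in the older Linux net-tools layout, where the address
# is glued to "addr:" and the one-liner above would print "addr:10.0.0.5".
SAMPLE_LINUX='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:77
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::1/64 Scope:Link'

list_mac()   { printf '%s\n' "$SAMPLE_MAC"   | iflist; }
list_linux() { printf '%s\n' "$SAMPLE_LINUX" | iflist; }

# Live use on a real box: ifconfig | iflist
```

Interfaces without an IPv4 address (en1 in the sample) simply produce no line, which is what you want on a desktop widget.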
Tuesday, May 4. 2010
This has been reposted from its original at my new second blogging home at SensePost.
In my previous role working as a security manager for a large retailer, I developed some password tools for various purposes, primarily to help non-security people with some of the basics. I licensed them under the GPL, and I think it's about time they saw the light of day.
There are a couple of tools, which I will explain below. They're all written in JavaScript, primarily because it is cross-platform and can be centrally hosted. They all work in Firefox and Internet Explorer, although the automatic copy-to-clipboard functionality of the service desk tool is IE only.
The intention is for the tools to be placed into your organisation's intranet somewhere. I found they came in much use, allowing me to reference a specific tool and setting rather than esoteric password theory in documents. For example, security standards documents would say "Service account passwords should either be generated by the password generator set to the service account setting, or be rated as 'very strong' by the password strength checker", which is far more practical than quoting a list of password rules.
Being centrally hosted also allows updates to be made immediately in the case of a policy change, a new common-password addition, or a bug. It also allowed web logs to provide an audit trail of who was using the tools, which is particularly useful for monitoring service desk activity: if the service desk records 100 password resets and the tool only saw 10 hits, you know something's up.
If you're a tactile learner, you can grab them here.
Continue reading "Password Strength Checker & Generator"
Monday, May 3. 2010
For years I've had a tinfoil dilemma. I know that companies trying to own the internet love dropping cookies, and then using those cookies to track you around the tubes. It started with advertisers like DoubleClick, who would drop their cookie and then rely on their distribution of banner ads. Every time your browser hit a page with one of their banner ads, it would send its cookie along and help them track you around the internet.
Continue reading "Avoid Cross-Site Tracking with Stainless.app (and others)"
Saturday, April 24. 2010
Verizon's Wade Baker (with assistance from Dave Kennedy; I will refer to them interchangeably as Wade, Dave or Verizon) published a post claiming that vulnerability/security researchers are given too much leeway, and are closer to criminals than good guys. He suggests they should rather be called "narcissistic vulnerability pimps" (NVPs) in future. Dan Goodin got some clarification when writing his piece for The Register, which expands on some of Verizon's motivations and justifications.
While I think I identify with part of his frustrations, he's wrong. Mostly due to an overconfidence in how vendors optimise for "shareholder value", but also because while scrabbling to paint vuln researchers as bad guys, he forgot about the actual bad guys.
Continue reading "In Defence of Vulnerability Researchers"
Thursday, March 18. 2010
Over the last few years I've come to notice a few entrenched ideas that large consulting companies in particular seem unable to deviate from. These ideas specifically relate to how to get the most out of your technical, particularly security, staff, but I'm sure they apply in other contexts too. I'm certainly no expert and these are just my observations; while I did notice a steady stream of clever people leaving my $previous_employer, including myself (not clever, just leaving), I had some time to muse on the reasons. I'd love to hear comments from people who have run or are running their own tech companies.
Continue reading "On Large Companies and Staff Retention"
Tuesday, February 2. 2010
This week something special happened, something I'd been saving for the right person, something magical. Today, hackers took my private data. Everything's changed, I feel like a part of the world, connected to so many other people who have shared in this experience. Today, I'm a woman! (Ok, I may have gone a bit far with that last bit)
The skinny is that I use unique e-mail addresses for each service provider that I want to continue communicating with (for the ones I don't, I use one-shot addresses). I noticed on the weekend that I was being deluged with pharmaceutical spam to three of these addresses, namely my Threadsy, Numbuzz & Share-it (via a product I bought there, ChatterBlocker) contacts. This led me to tweet: "Either a security or ethics breach at @ & @ Getting Viagra spammed hard on the unique e-mail addresses I gave them."
Continue reading "Breach at iContact exposes my (and your) details to Spammers"
Wednesday, December 30. 2009
Brian Krebs, author of SecurityFix and one of the very few mainstream infosec journalists, is pulling a McLeodd[1] and leaving the Washington Post to go on his own. He will be reporting from Krebs on Security from today.
Apart from the coverage, Brian has also got involved in or instigated responses to some threats, and I hope that fewer editorial restrictions allow him to do and say more.
In truth, I only really like Brian because he's linked to me before, encouraging up to 1.5 people to read the abstract of my thesis ;), but more seriously providing data and inspiration to me and several other researchers.
Good luck, Brian.
[1] I probably shouldn't mix my ZA and infosec references, but Duncan McLeodd left the Financial Mail to form the independent tech news startup TechCentral.
Monday, December 14. 2009
Eugene Spafford has a warning for us in his latest entry that I thought worth remembering:
Generally, hackers who specialize in the latest attacks dismiss anyone not versed in their tools as ignorant, so I have heard this kind of criticism before. It is still the case that the "elite" hackers who specialize in the latest penetration tools think that they are the most informed about all things security. Sadly, some decision-makers believe this too, much to their later regret, usually because they depend on penetration analysis as their primary security mechanism.
In many ways, I worry that mechanisms like RSS & twitter and the associated behaviour help us to be up to date, but not knowledgeable, and that the implied arrogance of being up to date stops us from realising it.
Tuesday, December 1. 2009
I'm quite excited and honoured to host a guest entry from Yusuf Moosa Motara covering his talk at ZaCon (a video of which can be found here, and the slides here).
Continue reading "Efficient extraction of data using binary search and ordering information"
Thursday, November 19. 2009
Update: Haroon's talk "Why ZaCon" at the con provides more of an overview, including some aspects I didn't consider.
South Africa's first fledgling, unconference-like security conference, ZaCon, takes place this Saturday (21 Nov). Our intention was to have something which fits in the gap between corporate conferences like the ITWeb security summit and academic conferences like ISSA. The former is huge and can afford to bring over some of the big names, but also has plenty of "paid for" opinions and sometimes less meaty content. The latter is peer-reviewed and requires more than a slide deck and a grin to present at, but also sometimes values theory over pragmatism and places a large burden on people already holding down a job.
Continue reading "ZaCon - Information Security for the Rest of Us"
Tuesday, November 17. 2009
As someone who uses a lot of web apps, I run into the problem of trying to remember multiple passwords. Most people resolve this by just using the same password across all the sites. However, as numerous, examples, have, demonstrated, that's not a good idea. The knee-jerk counter is to use a different password (or groups of passwords) across the sites, but that becomes difficult to remember. If you want the quick solution I'm proposing then check out SuperGenPass (or my customised version). The security geek details follow after the jump.
Continue reading "SuperGenPass"