/bill's House O Insomnia : Security

Singles.org fesses up - sort of

William — Tue, 24 Feb 2009 15:45:00 GMT

This place is beyond low. countless email accounts have been breached, several facebook pages, several paypal accounts and much more. As of last night, if was in full free for all mode as more vulnerabilities were found (although vulnerability is a bit...(read more)

Singles.org - db.singles.org - The Saga Continues

William — Tue, 24 Feb 2009 01:52:00 GMT

At this point, seeing how pathetic Singles.org is resonding to this, they deserve everything they get. This is all kinda epic except real people are getting hurt. They aren't the ones paying for it, well, at least until now. I'll post screen caps...(read more)

The hacking of db.singles.org continued

William — Mon, 23 Feb 2009 12:38:00 GMT

Well, I've recieved a few comments and emails about this and things are just getting worse. As of 7:38 AM 02.23.2009 they still haven't put anything on their site indicating anything even happened. Email is clearly not a valid option b/c of the...(read more)

The Hacking of http://db.singles.org

William — Sun, 22 Feb 2009 23:03:00 GMT

I was hesitant to write about this b/c I've been threatened pretty seriously about my role in it. But it's important for people to understand a few things about the state of security today. What occurred was so pathetic, the result of such rampant...(read more)

Using Facebook to launch a Botnet army

William — Sat, 06 Sep 2008 17:07:41 GMT

Wired has a piece talking about how easy this would be to do. It's not entirely speculative since researchers built such a beast. I think the hype is a bit much though. The argument they make could be made for any mechanism that can get people to install software on their own computers. But unlike most other means, such an attack seems really easy to countermeasures. It wouldn't take long to figure it out and Facebook could easily send out a notice telling you to uninstall it. Much like human viruses, computer viruses and botnets are only really effective if they are allowed to exist in the infected host for a period of time, at least long enough to spread in the case of viruses, or long enough to be used in the case of botnets. I'm not so naive to think that some Facebook users aren't all that computer savvy, but overall I think it's a demographic that's fairly sophisticated. And they talk to each other a lot. Even if every facebook users downloaded the app (something really hard to fathom), it seems it would be pretty easy to eradicate. The more popular and more pernicious the bots, the more buzz there would be. That's not to say they don't raise some good points and that Facebook shouldn't try to prevent such things from happening, but it seems like it's only worrisome in the theoretical sense.

I'd just close the hole...

William — Sun, 09 Mar 2008 02:15:00 GMT

There are often times that I read something, typically involving a lawsuit, that I'm shocked people push. Often they are so embarassing, I'd probably pay extortion money to keep the crap quiet if someone threatened to go public about something I did. But instead of trying to keep it quiet and just fixing it, they involve lawyers and threats. NewsFlash - threatening bloggers and web sites backfires. I can say unequivocally, if I was the one that created something this widely used, that brough in this much money and had such a glaring security flaw , I would just fix it quietly. I wouldn't want my name associated with something this moronic and sloppy. I'd be paying bribes to the owner of HowardForums to have him keep it quiet, not threatening him and attracting attention. Actually, I'd do neither. I'd thank him for helping me create a more secure system (then I'd fall on my sword in ritual suicide b/c Gawd this is embarassing)

Privacy is an outdated notion

William — Mon, 11 Feb 2008 01:16:00 GMT

That's not to say that I like that fact, or that I don't lament it, but if you really think about it, it's hard to deny. After 9/11, I was reading a Wall Street Journal aritcle discussing the national id card. Larry Ellison was a big supporter of it (and more cynical people believed his motivations were financial in that Oracle databases were the most likely ones to be used to implement such a scheme) and countered the privacy objections by saying something to the effect of "privacy is an illusion, you don't have any". He went on to point out that we get filmed x hundred times a day without even knowing it most of the time. All of our cell calls are logged. SMS messages are all logged. Same for email. And since we decreasingly use cash, most of our purchases are tracked as well. So his point is that we'd gain security and give up little to no liberty, so why not? I really hate this fact, but it'd be hard to disagree with him - at least in his assessment of the 'problem', there are many objections against the solution.

This post won't come as a surprise to anyone and I bet to some extent, we've all done this to ourselves already, but it does drive the point home. I remember reading a book called How to Be Invisible several years ago and really liked it. It might sound like one of those Paladin Press "Never pay taxes again" types of books, but it's not. In fact, the author is quite militant when it comes to people using his suggestions to break the law. His whole concept is how to keep yourself off the grid while living legally - that there are many cases of people being stalked, killed, or just bothered b/c of publicly available information so it pays to keep yourself off the grid. After 9/11 he said many of his suggestions should no longer be used b/c trying to keep things private took on a new meaning. I remember the book's opening quote "Government's keep secrets from people, why then should people not be allowed to keep secrets from government" I still paruse his http://www.howtobeinvisible.com/ and this sort of stuff makes me think I ought to go through and read the updated book again.

Mujihadeen Secrets II

William — Mon, 11 Feb 2008 00:25:00 GMT

Increasingly, I read stuff in 'serious' publications and have to wonder if it wasn't supposed to be posted to the Onion instead. This is a perfect example . The map of their 'locations' is priceless.

The Bill of Rights in 2007

William — Wed, 19 Dec 2007 03:31:21 GMT

So often when I hear talking heads pontificate about constitutional issues, I hear two basic sides. The first is the strict constructionist interpretation where they claim the constitution is clear as day hence end of discussion. On the other side you have the 'living constitution' side that often acts like anything that is inconsistent with their agenda should just be interpreted away. Whichever side one buys in to, it's hard to argue that rapid technological advances don't really complicate many legal issues. Orrin Kerr examines the United States vs King.

In short, a contractor in Saudi Arabia was connected to a military network. While doing routine patrols of the network, an analyst found some porn and happened to notice a folder named Pedophilia. That prompted him to look further and as it turns out, the folder was accurately labeled. King was arrested and charged. His defense was that the search was illegal. Personally, all normal legal issues aside, i think he should be thrown in jail for being a sick SOB and stupid enough to plug a computer with highly illegal material on it into a military network. It's not like that's material you bring to work to show your buddies and you'd have to know that a military network is likely to be subject to a higher degree of scrutiny than your average office. I know, there are tons of examples of amazing security lapses and incompetence on govt networks, but counting on the fact security might currently be lax is really foolish b/c just b/c it's lax now, who's the say that the next network guy they hire won't be competent? Having experience on two military installations, from what I saw, security was very tight. So much so, that our standard operating policy was "Don't do anything on that network that you wouldn't be ok with if it showed up on the front page of tomorrow's newspaper." And for God's sake, if you're doing something illegal (as well as something that you can rest assured will seriously anger just about any sane human being on Earth), why would you use the naming conventions he did?

All that aside, the case is mighty interesting and such issues are only going to become more and more frequent.

Crypto stuff

William — Sat, 08 Dec 2007 22:51:58 GMT

I had a little extra time to catch up on life this weekend and found myself slowly getting sucked into stuff on Bruce's site that I've missed over time. Ever since I picked up Applied Cryptography (and my Borland C++ compiler), I've appreciated how much butt he kicks. I've used Password Safe for a while and toy with the idea of porting it to the compact framework, but each time I get overwhelmed with the feeling that most of the stuff I work on is lame and unimportant. Even on 'cooler' projects involving WCF and WF, at the end of the day, it' still sort of the same stuff different day.

How do you read something like this and not feel jealous that there's a lot cooler stuff out there than writing line of business apps?

"I had a client once who desperately wanted to design his own encryption algorithm. He had no cryptographic training, no experience analyzing other algorithms. He was a designer, he said, not an analyst. So Counterpane did his analysis for him, and we broke his algorithm in a day. He fixed it and sent it back, and we broke it in two days. He fixed it and sent it back again, and we broke it again. Finally, the fourth version of his algorithm resisted our attempts at cryptanalysis...at least for the full 40 hours our contract specified. The client was happy; finally, he had a secure algorithm."

Wordpress Vulnerability

William — Thu, 29 Nov 2007 20:22:04 GMT

When I saw Bruce's post on using Google crack MD5 Hashes for you, I had to chuckle. Here's a link to the article Bruce is referencing. Once again, it shows a pretty good case of the damage that can happen by overlooking the seemingly obvious. (Would you want to be the developer that told your boss "Don't worry about it their Chief, our security is pimped out . We got those passwords hashed and locked down" only to read some guy's blog showing you blew it?) Whenever someone thinks their security is breached, you often hear complex impressive sounding explanations of the exploit, but in reality, what usually happens is either they were wrong about being hacked in the first place, or they or someone else actually gave away information and didn't realize it. I remember reading 2600 back in the day, then reading Kevin Mitnick's book and Mitnick's whole game was Social Engineering and using people (the weakest link in the chain) to handle business) I would guess that creating a strong password and changing it regularly would protect you from a lot of things. Keeping the password to yourself and learning enough about your software that you can manage basic functions yourself probably doesn't hurt either.

On a less serious note (There's a blogger who's loves trashing Community Server and digs Wordpress. Now I know the mere mention of the name Anthony or Wordpress, is enough to fan the flames of of any love-struck fool's man-crush so my apologies if I got anyone excited. the mere mention of Anthony is enough to make the poor guy start babbling about Ryan O pulling off exploits that would make the KGB jealous. RO's hacking skills are about as real as A & Mel's wedding date ( although CC doesn't get complains about how RO won't ever get himself some hacking skills so maybe my analogy isn't so good).

Protecting your laptop data like a Pro

William — Thu, 29 Nov 2007 17:47:50 GMT

Nothing too shocking if you take protecting your data seriously, but a good read nonetheless. These days, depending on what you do, a stolen laptop could make front page news, a little precaution goes a long way