Music, and Yongmudo


I was asked to choose the music for this video by the editor, but wound up liking her sample track so much I just re-recorded it.  It was a great dip in the water of my re-introduction to music.  Check it out.  (Oh, and I’ve got a few cameos in the video as well, of me getting suitably beaten up ; )


LinkedIn: Last Name Conceal, Account-Based. Swing And A Miss.

Dear LinkedIn:

I somewhat like the idea that you block viewing last names of third-degree contacts. It makes company-mining slightly more difficult, and is a cute way to upsell your account upgrades.

Trouble is, no one seems to have told the “Viewers of this profile also viewed…” widget, which goes right on ahead and blasts out the full names of those that viewers of a profile have also viewed.

Not that I care, really.  In fact, as regards myself, I honestly couldn’t care less.  If I didn’t want people to see my full name and title, I wouldn’t have a public profile on LinkedIn.

But it does seem to defeat the purpose of blocking last names on the main page when the widget – just a quick scroll down on the exact same page – totally undermines the effort.

(PS: thanks for leaving that bug in; it really does make data mining easier ; )


[Note: I’d like to put in screen shots, and will if I ever get around to creating a blank LinkedIn account.]

BSides LV Memory x2


We’re having a little … discussion … over on the BSides group list, and Erin most appropriately started us off with the lovely memories.

Mostly so I don’t have to choke the thread with a 300K JPG, and also so it’s somewhere else, I post the picture here.

For context, here’re two of my favorite BSides memories, in this case about LV #2:

– Track #2, the “game house”, was over capacity and overheated from the jump on day one.  Jack managed to miracle a 3-ton unit literally overnight. (I’ve pulled some huge honkin’ rabbits out of my ass before, but Jack wins the prize for this.  He must have been bleeding for months.)

– Track #2, end of day one.  As speaker wrangler, I noticed the last talk of the day in that overheated and under-oxygenated room was a panel, and (IIRC) my contact for that panel was Leigh Honeywell. I went to her and started to ask, “Since y’all are a panel, do you need A/V, or can we just leave the doors open for that hour?”

I got as far as “do you…” in that sentence, and Leigh finished that sentence for me with the words “… want to run it by the pool?”

I blinked for a few seconds, and said, “Give me 15 minutes.”  Went to Vyrus and Jack, and damn if within 15 minutes Vyrus hadn’t redirected all the necessary A/V to the poolside – in particular, the beach. Jack got the video camera set up on the walkway in about that time, and off we went.

That’s what I’m talkin’ ’bout.

But a picture’s worth 1000 words, as we know, so I’ll just STFU and leave you with this.

Lockpicking Village

Lockpicking Village, Maker Faire 2011.

This was a great time: two full days, and I never left the Village, nor felt the need to.

Impossibly, Deviant has footage of me doing some of my first actual presentations.  I show people lockpicking all the time individually and/or in small groups, but I don’t often do it en masse.

Thanks again to Deviant, Babak, and Michelle.  You are all awesome and it was wonderful to see you all again.



I am now going to wash my hands.  And probably my face.  And absolutely sterilize my microphone.

(Update: described by Vyrus as “Nerdcore Justin Timberlake.”)

(Update 2: Nominated for a pwnie award at Black Hat 2011, but lost to Geohot, which proves that there is still justice in the Universe. (Congratulations, cat.))

(At Ryan’s suggestion, the lyrics):

11 am, waking up, still morning
Gotta wake up, gotta get outside

Gotta get my first Hoffacino
Wi-fi tempting, target too easy
Day growin older, sun tryinna kill me
Gotta get my ass inside
Gotta hit twitter, gotta read my friends (talk shit)
Breakin in the front door
Slipping in the back door
Gotta make my mind up
Which door should i take?
It’s 0-day 0-day
Gotta get out my 0-day
Everybody’s puttin their guard on the wrong end, wrong end
0-day, RSA,
Every day, brand new way
H B Ga-ry
Getting’ out my name on slashdot
12:45, information highway
Typing’ so fast, my fingers fly
Host, boast, your servers are toast
Hackin’s never done
Dualcore got this so does vyrus
These cats all be tight
My man viss, he got this
Now you pwned, bitch (chorus)
Yesterday was no day, slow day
Today i-is 0-day, 0-day
You-you-you so stoopi’
Or under-resourced
Or maybe just a lazy bastard
Tomorrow is 1-day
Defenses come after-wards
I don’t want this 0-day to end
C-P, Vyrus double-oh-1,
Ridin with Savant 4-2 and Banasidhe
In the next whip, MCKT
Fast cracks, from the l0phtcrack,
From the Spacerogue’s time
Storms and TK and Jerm killin worms
Talkin ’bout Herman it’s Blue Boar’s turn
Jeremiah G all the time
Shout out to DC 949
And word to all my folks (not) in this rhyme

Four Great Ways to Fry your Identity

This is an old post (from 3/09) on BigFix’s (now an IBM company) blog site.  I recreate it here for posterity.  And I need to write more.


The paper describing the hijacking of the Torpig botnet by the fine folks at UCSB is very engaging, even if one has technical training of less than Olympic caliber. Among the topics covered are the browsing patterns of an estimated 182,000 infected hosts.

While the technical details were of great interest (in particular, the concept of Domain Flux and the infrastructure of a botnet), as an IT engineer of a growing technical company, the browsing analysis jumped right off the page. I’d like to point out four very special points the paper raised.

Since these are browsing habits of people who are already infected, chances are that if you see anything familiar, you might rethink the way you – or your community – use the web.

1. The first thing that caught my attention in sec. 6.1 was the discussion of the number of financial accounts that were stolen. That was idly interesting, but the last sentence woke me up:

“38% of the credentials stolen by Torpig were obtained by the password manager of browsers, rather than by intercepting an actual login session.”

I can’t tell you how many times I’ve shoulder-surfed people “logging in” to data-sensitive sites with a single click. These metrics on the risk of doing so are sobering.

Personally, I have no use for a browser’s password manager, but if you do: think seriously about how much you do, or don’t, want to be one of those 38%.

(In passing, I do have to admire the botnet’s approach on this topic: kind of the digital equivalent of hitting it with a wrench.)

2. In section 6.4, we are reminded again of the importance of having a good password policy:

“Our analysis found that almost 28% of the victims reused their credentials for accessing 368,501 web sites.”

There are ways to make a gaggle of passwords different, easy to remember, and yet not require a password manager. I would love to get into some ideas on how to do that, and welcome the discussion it would generate … but perhaps another time.

To paraphrase one of the popular metaphors in the paper’s conclusion: people understand the concepts of the security of a car but don’t bother to apply those same concepts to their computing environment.

Fundamentally, would you leave your car, house, and work keys all on the hood of your car every time you parked it? That’s the effective risk incurred by reusing passwords among such sites through a browser’s password manager. The only real difference is that not seeing the risk usually means not thinking about it*.

3. Section 6.5 of the paper glances at the infected computers themselves, and discusses the zeitgeist of people’s actual browsing activity. The highest single observable interest of Torpig-infected users is to seek jobs and submit resumes, at 14%.

Sure, in today’s economy, a pile of those are probably home users. But if I were to somehow sniff any company’s web traffic on any given day, I would fully expect to see non-manager-initiated job board HTTP requests. What I mean to say is that just because it’s a work computer doesn’t mean it’s inherently safe. Yes, it’s presumably being protected by the IT staff, but no security measures are foolproof, and they haven’t been since the first rooster crowed at the dawn of civilization.

4. Finally, the paper noted that:

“… online security is a concern of the infected population (almost 10% of [infected emails] mention phishing, viruses, and spyware), but only a few people seem to suspect that they are using an infected machine.”

Torpig in particular builds sophisticated phishing pages for common banks, eBay, and PayPal sites that are very devoted to passing surface authenticity tests (sane URLs, valid SSL certs, etc.), so it isn’t too surprising that once infected, the users would only have dug the machine deeper into the disease.

Still, standard rules apply – in a nutshell, if you think something’s suspicious, it probably is. Specifically, if you log in to a site that immediately asks for your bank account number or social security number – look to your computer’s health, it might well be running a temperature.

The constant war between security and convenience rages on like the climax of a John Woo movie. No one wants to go through all the work they need to in order to keep a secure and sane computing environment. I can’t blame them: I didn’t use to lock my car until after it got looted a few times**.

Managing risk is something that can’t be done only by your CISO, just like managing corporate costs can’t be done only by the CFO. At some point, on some level, everyone has to be involved.

You can park your car with the windows down and the keys in the ignition***, or you can take the keys and roll up your windows. You can keep using the same password that you’ve had for years (your firstborn’s name, your favorite candy, what have you) for everything you do online, or you can devise some memorable means of switching up your passwords that is unique to every site yet meaningful only to you, so you can wean off the training wheels of a browser’s password manager.

After all, it’s easier to replace your car than your identity.


*cf. “turn up the radio when the engine starts to make funny noises” and other such metaphors by Tim Keanini
** Yes, I’m a slow learner.
***Or, if you live in the San Francisco Bay Area, you can leave your laptop visible in the back seat of a locked car.