Language can be used for a lot more than simply convincing a part time employee to let you have more access than you should somewhere – Language can be used to full on exploit “memory corruption” in the mind. The use of the right language is powerful enough to overwrite peoples memories if even temporarily.

Below I’ve linked some information pertinent to the techniques employed when language is the tool used to achieve things like memory corruption, buffer overflows, execution of arbitrary code – except on people. In particular, pay attention to the cognitive biases – see if you think any of them apply to you

Then combine the cognitive biases with things like NLP anchoring and subliminal suggestion and you quickly end up with a recipe for gaining someones trust, convincing them to give you access somewhere or to something, or telling you secrets – all without having to don a fedex uniform and pretend you’re someone else. You can even have someone give you their phone and car keys – willingly.

Language is a very very powerful tool and put in the hands of information security professionals (or attackers) it becomes even more weaponized.

Apologies for the videos that wont embed – if you click through you can view them on their youtube page.

This is the charted battery usage over approximately 3 days. I learned very quickly that when you go to meetups and parties and pass around a brand new phone that very few people have everybody wants to try the same stuff on it over and over again – so the thing gets quite a workout and gets handed back to you with %20 battery left.

I’m using this app to monitor the battery and produce the data for the graph. So far it works out well – except when its not running it simply doesn’t record data, so the datapoints on the bottom of the chart make the graph look a little interesting. I’ve numbered some interesting behavior on the chart:

1. I recorded the Lost Abbey brewery tour for ~25 minutes. It consumed approximately %25 of the battery life
2. It took 3 hours and 45 minutes to charge from roughly %35 battery life to full.
3. in 40 minutes of usage I went from %80 battery to roughly %35
4. Leaving the phone overnight to cycle the battery
5. Disregard – You can see at the bottom of the chart the time jumps from ~09oo hours to ~1800 hours in one step.
6. I’d argue ‘standard’ daily usage
7. a good solid charge via my macbook
8. more standard usage

First impressions: This thing is *FAST*. I mean *FAST*. Clocked at 1ghz its very impressive. My G1 would chug and choke when opening the gallery as it tried to thumbnail all the pictures. I suspect the built-in 8 gig storage may have something to do with its I/O performance as I’m guessing the onboard flash is going to behave more quickly than an sdcard. One of the first things I love thinking about is ‘can this thing run nmap/metasploit/JtR/aircrack/etc’. As far as its ability to do that – I have every confidence that the thing could take the pepsi challenge should it arise – however I’ve almost immediately noticed I have to charge this thing 2x a day if I want to use it in any lengthy amount of time. I havent actually had it DIE on me yet, but it’ll get down to %20 or so battery before I start fiddling trying to find the charger.

Its fast, and very very capable. The camera beats the pants off the G1 camera hands down and this is a very appreciated breath of fresh air after having my G1. Only drawback is that it really does consume a lot of juice. I read in the forums that some users have been able to use batteries from other phones in the incredible successfully and extend their battery lives that way.

Interested in hacking the thing? We still don’t have root on it. What does having root mean? Tethering, overclocking, the possibility of all the wonderful linux-based tools we’re used to (nmap, metasploit, etc) and more.

Here are the forums if you want to throw your hat in the ring to get root and help the community expand the functionality of this phone.

I wanted to acknowledge valid points that were brought up in conversations carried on after the fact and transmogrify the undertone from my last post into an overtone in this one. My suspicion is that my previous snarkiness may have obfuscated the clarity of the point I was trying to make.

• Yes, absolutely, I agree that over-sharing your location creates a vulnerability and allows an attacker to build an attack profile (excessive meaning say, more than 3-5 checkins daily). As one friend put it “updating foursquare 24/7″ = bad. Foursquare is not “HELPING” the problem – yes they are “CONTRIBUTING” to it, but they are not “THE” problem.

• This is not a “new” attack vector. Foursquare is not the first application to allow one to publish ones whereabouts (if you REALLY wanna crap your pants, have a look at lattitude. If you think foursquare is bad your head will fall off)

• No, in this context, knowing if you’re in a building or in a certain room to a building is irrelevant. The point here is you’re “leaving your home vulnerable”. Personal security is a different subject entirely, and I prefer to stay on topic. The site that was mentioned was “Please rob me”, inferring “come to my home and rob it while I’m not there”. If people would like to have a healthy discussion about personal security, I’d be happy to be a part of it – however this is not it. This discussion is about the home.

• It is less likely that an ACTUAL home-invader will use foursquare over any other social/web2.0 site. Standard usage dictates one has to click an accept button to allow someone to view their checkins (unless they’re published to facebook/twitter, then it’s moot anyway). I’ve had friends that have had their homes burglarized and in every case the attacker was not what any of us would consider an “advanced enough” computer user to utilize foursquare as a prelude to a burglary. It was always something like “we saw them packing up to leave on a ski trip” -visual, in person. If an attacker is enlightened enough to employ the use of attacks like CSRF and social engineering methodology they’re going to go after what you have in the bank, in investments, carbon credits (a new one!) and other things that are far more valuable than your television.

• In this context its foursquare that’s being thrown under the bus. Their ‘fault’ in this case was to take an already popular idea (dodgeball) and make it more popular. It’s the “in” thing to do rightnow – overshare. Some people do it, other people don’t – people manage their own risk. Telling twitter you’re going to the bar, versus checking in on foursquare AT the bar, versus gowalla, or a facebook update – its all the same thing: You’re telling the internet you’re not home. The problem is the behavior, not the “tool used”.

The last line of the last post I wrote is more or less the overall point I’m trying to make. Somehow, or for some reason the masses have decided to have an epiphany where they throw their hands in the air and declare foursquare unsafe.

Agreed, they have a valid point. I won’t argue that, but its synonymous with walking into the burn ward at a hospital, walking past rows and rows of disfigured and suffering individuals, stopping at one random person then exclaiming to the world how THIS PARTICULAR PERSON is suffering and needs medical attention and oh-woe-is-me-what-a-world.

Generally speaking, the same people who have ‘come to this realization now’ are guilty of using many other applications that “tell people they are not home”.

My point, reconstituted without snark is: You’ve been doing it for years, and you JUST NOW realized it? THATS the problem. Not foursquare. The very same author of the blogpost I linked to is guilty of frequently publishing their location using a variety of applications. At best I can only speculate, but my speculation is that it was done for the readership and stir the pot – not to actually provide any real warning.

Moreso is a problem when people who have openly admitted their noviceness in linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ’cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage, or the salem witch trials where women were called out as witches and burned alive, their pleas of innocence ignored.

This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security, the industry surrounding it – picking up a torch and going on a crusade because of something they don’t understand.

I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and the friends and loves ones around me have have suffered because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.

I apologize to those who’s names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.

Two years ago I was just starting out freelancing. Like any energetic entrepreneur I had gotten my hands on some new hardware and some new software and was training myself to become more useful to organizations big or small which could benefit from my skills. A friend of mine, Dante invited me to a user group in Riverside. He said some people I already talk to on twitter go, and that it’s a group of linux guys. Now – I’ve been doing linux sysadmin work since 2000. I’ve met a LOT of linux sysadmins – so what I was expecting was essentially a bunch of hackers. People who work with linux, are enthusiastic about linux and have an interest in the security of linux. Oh boy was I wrong. The only linux people that were there I could count on two fingers – Myself and Dante. Everyone else may as well have come fresh from a  ”Welcome to your first time booting ubuntu” class. They were ‘linux enthusiasts’, alright – about learning it from the ground up. No practical or vocational experience to speak of.

Now this was back in December of 2008, so my recollection of the EXACT events is a bit hazy. I want to say that Dante and I were among the first few people there. We met a guy named Chris and I think another person who I cannot recall at a restaurant before going to the coffeeshop. As we ate dinner everyone seemed cheerful. I was talking about my new consultancy, and spreading the word that I was openly looking for information security consulting work and hoped to give a demonstration about wireless security. After dinner we moved to the coffeeshop and I think one or two more people were there to meet us – David Kaiser being one of them. As we sat down, I got out my equipment and booted into a backtrack3 live CD. As we sat and talked, people asked me what the extra hardware was for – I explained that this was a tool used to do vulnerability assessments, and crack WEP networks to demonstrate the difference between WEP and WPA/WPA2 networks. I explained I was going to give them a demonstration. People seemed enthusiastic about it – nobody contested it at all or in any way gave me the impression that “what you’re about to do is not okay”. Afterall I did THE EXACT SAME THING at Refresh San Diego which is held at Qualcomm and I was applauded for it. Here is part one and part two of the video of my presentation – Give them a watch and see for yourself!

I explained that I was going to do a LAN attack to demonstrate how important it is to transmit credentials with some degree of encryption. Again, nobody contested it. In fact, Dante sported a bit of a grin sitting across from me. Being a regular participant in DEFCAMP, an information security based set of challenges that I used to run during BarCamp San Diego, Dante knew exactly what was about to happen – the people in the audience whos first knee-jerk reaction is to flip out would play their part, and flip out. No damage would be done, but these newbies would have a new found enlightenment and would experience first hand what could happen if an actual malicious attacker were to attack them. This form of exercise puts the “attacker” and the “victim” right next to eachother so that everything can be seen end-to-end. This gives the “victim” insight into how the attack is carried out – and helps them understand why we use certain measures to protect against it. Having spent 3 years now organizing BarCamp San Diego and DEFCAMP, I had a direct hand  creating a warm and friendly environment for people to learn. I made a mistake assuming that even though there were 3 people there who had regularly attended BarCamp San Diego, that warm and friendly environment made its way up to Riverside that night.

Shortly after I had setup the equipment, Roger Rustad and another person showed up. Roger sat next to Dante, and this other person sat to my right, at the end of the table. I told Roger and his friend I was playing with backtrack3 and I was going to show demonstrate an attack. Again, the immediate response was met with enthusiasm.

I began by running a commonly known, commonly used application called ettercap. This is a tool that is found on nearly every security linux distribution live-cd, backtrack3 being one of them. It’s designed to function exactly as I had used it – as a learning tool. By default, ettercap supports SSH and SSL decryption by way of forging certificates when already ‘in the middle’. Rogers friend browsed to gmail and was presented with a security certificate error very similar to this one.

I was surprised that he was unphased by this – a security certificate error for GMAIL? He clicked “okay” to the popup and continued on to gmail. Once he did that, I saw his gmail credentials pop up in the message window in ettercap. I raised my hand, interrupted everyones side conversations and asked

Who here just browsed to gmail.com?

The guy next to me raised his hand. I turned my laptop to him and showed him the captured credentials. His facial expression changed – he got angry.

What the hell is this?!

He asked, throwing his arms into the air.

You clicked to approve an invalid security certificate for gmail.com

I replied.

At this point the guy got VERY angry. He started yelling at me, he stood up, he told me he was going to punch me in the face and then smash my laptop and throw it across the room.

Dude, Relax – Do you think that if I was going to be doing this maliciously or actually trying to steal credentials, I would have SHOWN YOU what I just did? Calm down – this was only an exercise. I’m not keeping any of this, its on a Live CD.

He calmed down, and the conversations began again. About 5 minutes later Roger looked up at me and asked something like

Did you delete that log?

I was confused.. the conversation went something like this:

Hm? Delete what log?

The password you just captured. The logs. For that app you used.

There is no log. I closed the application already, so nothing was kept, but ettercap doesn’t log by default. And even if it did, I could simply reboot and everything that’s in memory would get wiped.

Then you need to stop what you’re doing and reboot right now!

What? Why? I just told you that I’m not keeping anything, why are you raising your voice at me?

You need to delete whatever it is you have over there and reboot right now! Thats fucked up!

Roger – Do you understand what a LiveCD is? You boot into it, everything stays in RAM, and when you reboot, it’s all gone. I didn’t keep any logs, I didn’t save any data – this was a demonstration. What the hell would I do with his password anyway? Hes changing it as we speak.

I forget where the conversation went from there, but it was clear that Roger clearly thought I was up to no good. I’m still bewildered at what he thought I could do with an expired password, but it was abundantly clear he was not interested in listening, and simply wanted me to obey his commands. After I gracefully shut down backtrack I rebooted my workstation and removed the backtrack3 cd and showed it to him, as well as turning my laptop around to demonstrate that I was now back in OSX.

This seemed to make him happy. The only two people at the table that had any issue with it had arrived over an hour late to the meetup, and still did not have any issue with what I was doing until I captured someones credentials. I have no idea what they thought I was going to do when I said “I’m going to give a demonstration” – perhaps they thought I was going to show a powerpoint presentation, or give a talk – maybe in retrospect I should have said “I’m going to do a live demonstration” instead of “I’m going to demonstrate an attack”. At this point I can only speculate what I could have done to inhibit the rage that Roger and his friend demonstrated, screaming, yelling, threatening me with violence and destruction of property. I took it in stride. I figured someone would come to their senses eventually. Dante and I sat quietly watching this whole thing transpire, waiting for the rage to subside. I thought it was interesting that Roger was more upset than the guy whos credentials were captured.

Eventually people got tired, people decided it was time to go home, I shook hands with a lot of people, I exchanged business cards with them as well – it seemed that the meetup went swimmingly, with the exception of that little bit of bad business where I was going to get “punched in the face and my laptop smashed”. This was on a Friday or a Saturday night, if I recall, because the next morning I woke up to a fairly ghastly email.

Roger had written a long drawn out email to the mailing list, and CC’ed me – written in the context of a board member, or some other lofty authority figure, calling me out on “stealing passwords”.

WHOA WHOA WHOA – I thought to myself, when I left the meetup last night everything was kosher. People shook my hands, people took my business cards. He goes on to say how the group should form some sort of committee to talk about “what happened” and “how they’re going to address it”.

What? Did something happen after I left? What “needs to be addressed”? They’re talking like someone admitted to the group that they had a heroin problem and there needed to be an intervention.

I hit reply all and composed a reply telling Roger to calm down again, and going on to say that starting a witch hunt was a stupid way to express his frustration, and that it wouldn’t do any good because the “witch” wasn’t hiding. My reply went to Roger but not to the group – apparently my attempts to join the mailing list were not approved by the administrator.

After about 20 minutes, my phone rang. It was Roger. He called and in a very stern and angry tone of voice began scolding me for misbehaving at his meetup group. I explained again, ad nauseum this time that there was no issue – I apologized for scaring him and his friend, and hurting his feelings and posed a very simple question:

Do you think that I was actually being malicious? Do you think that after telling everyone at the meetup that I was trying to go into consulting that I would immediately thereafter start trying to capture their credentials? What do you think I would do with them anyway?

Roger was not interested in pursuing a logical line of questioning or reason. Nor was he interested in answering any of my questions or allowing me to speak. He continued to talk over me and insisted that I should “talk to the group” about it. I explained that I had tried, but all of my emails to the mailing list were rejected. He then admitted that he knowingly told members of the group false information about what had happened. He told me that he had other phone calls with other meetup members who were of a less technical nature and used phrases like “I don’t know what he captured” and “I don’t know, he may have seen everything!”.

At this point I lost my temper.

Do you realize what you’ve done? You’ve started a panic. You’ve told a bunch of people lies – why did you tell these people that I captured stuff? You know I didn’t capture anything but what you saw – you were sitting RIGHT ACROSS FROM ME. I even showed you that I rebooted. Why would you tell people that their credentials were compromised if you didn’t know? I thought we were friends! Why would you throw me under the bus like that? You could have called me and plainly asked me what I captured. You could have given all those people who had questions my phone number or email address and told them to contact me directly – but you didn’t. Instead you spread fear and doubt. Instead, you made up a story about “Dan the evil hacker” who came to your meetup group and “did something bad”, which apparently did not yield any results, hurt anybody, or cause any damage whatsoever. You’ve started a witch hunt.

After my rant, Roger agreed that he could have phrased things differently to the people he talked to before calling me. He called one member of the group – who is a blind person, and flat out told him “Go change ALL your passwords! I have no idea what Dan captured! he could be spying on you right now!”. From what I’m told the blind person went into a panic – because of what Roger told him, not because of what happened at the coffee shop. Again, when people exited the coffeeshop the night of the meetup – everyone was happy, and people exchanged business cards with me.

At this point Roger said something like “well, no harm no foul. I guess we can move past it. Friends?”

My response was “Are you out of your fucking mind? You just threw me under the bus to a room full of people, and now that I’ve proven you wrong using your own words you want to be friends? How the hell can I ever trust you again? If you ever came to one of my talks you would shit your pants and label me a terrorist, then call 911. I cant trust you anymore, you’re not my friend – you’re just a troll”

That was that. I hung up on Roger and never spoke to him again.

However in June of 09 I had just landed my first Sarbanes Oxley IT compliance audit. I was VERY excited. My client and I were exchanging the required paperwork when I got an email stating they had googled me in doing some due diligence and found a forum thread – created by Roger with a duplicate of what was on the mailing list. I told him the story, I linked him to the Qualcomm RefreshSD talk and said that to the best of my ability I was unable to put to rest two attendees of a meetup group who were absolutely terrified of information security. I encouraged him to read the threads and to see the inconsistencies – there were absolutely no replies from me – they had blocked me from being able to reply or retort, and people who were not even in attendance of the meetup joined in the fun to badmouth me, call me a script kiddie and make baseless accusations and tell stories about things that “may have happened”.

I thought I had lost the deal for certain – but I got a call back from my client and he explained that after reading the threads it was abundantly clear that these were baseless accusations and that “You cant believe everything you read on the internet”. I was happy to have the client move forward.

My stomach sank though. “Crap”, I thought. “This is a big deal – if clients are finding this when googling me before I start work – this means I’m going to have to explain this to *EVERYONE*. Oh man, this is going to suck.”

So I composed an email to Roger, and David:

Hello David,

I was notified today by a client of mine that there are some scathing remarks about me publically available on the socallinux.org forums.

I’d like for you to make those private.

It’s pretty clear that you and your LUG friends don’t like me very much – and that’s fine – you’re allowed to hold whatever opinions you want.

My problem is that I’ve been put in a compromising situation – a discussion thread that I have no part in writing pages upon pages of scathing remarks and labeling me as a “script kiddie” – I can also see that all of my responses to roger were not included, so the whole thing is even taken out of context and is one sided as my responses and arguments are nowhere to be found.

The bottom line it’s hurting my ability to freelance which is how I pay my bills and rent.

Whatever I may have done to slight you, Im certain it didn’t cause you any grief when it came to eating and paying for where you live.

I’ll ask you kindly to either remove the posts or make them private.

Thanks in advance

-Dan
atenlabs.com

It was ignored. I sent another letter after my first stating that when using the phrases “Not formally disclosing”, “When Dan set out to steal passwords” and “Doing things in secret” were outright lies – legally considered libel, and that they were hurting my ability to put food on the table. I used stern language in saying that if the mailing list items and forum posts were not taken down, I would be forced to come back with an attorney.

At that point I got a polite message back from Roger plainly giving me his address, phone number and other details – a symbolic way to say “bring it on”.

So I did. I hired an intellectual property attorney in Solana Beach who was referred to me by a family practice attorney. I spent a few days going over what had happened with my attorney – having him read the whole thread, showing him how ettercap works, how backtrack works and other technical details required to properly understand what happened, and what Roger and David chose to write – and how they GROSSLY differ.

My attorney agreed that Roger and David were being libelous, and composed a cease and desist letter stating the facts and asking Roger and David to at the bare minimum make the mailing list private. I had lost a handful of contracts already because of all the negative comments already, and I had to ‘stop the bleeding’. I was quickly approaching bankruptcy.

Here is a copy of the cease and desist letter.

I asked that the letter be sent certified mail so that we could ensure delivery. About a week later my attorney called me to let me know that both letters, one to Roger Rustad and the other to David Kaiser were both rejected. I chuckled – they had called my bluff and failed. I asked him then to send it via email, and CC me – which he did.

Two days after that happened, the forum on their site dissapeared. I had considered it a victory, and stopped thinking about it. I was traveling and I got a phone call from another perspective client who wanted to have a black box penetration test done against software they were developing. “Wonderful!” I exclaimed, and we exchanged NDAs and service contracts and began talking on the phone.

A couple days into the talks, I get a call from one of the other contracting companies in on the deal – they tell me that this client googled me, found some mailing list items about “some dispute”, and got cold feet – thereby abandoning the contract.

I was infuriated. I googled myself and found what exists today – a single thread on a mailing list where my full name is used very often – the same baseless allegations and accusations are made – dating all the way back to December of 2008.

I called my attorney back and asked him what I should do. He explained that immediately to take them to court over it could easily cost 10 to 15 thousand dollars and it may be months before the case is accepted into court, and it could be even longer to get a judgement against them. I sighed, wishing I had the money to move forward, and we agreed to put the case on hold until I was able to save up enough money to proceed. I’ve since started a savings account for this.

In the mean time, I had hired some friends who are SEO experts to help me at the very least bring to light all of the presentations, the community leadership, free audits and other things I’ve done in the last 5 years to help bring the tech community here together, and help spread an air of welcome and open learning.

After a couple weeks I had started making a lot of good progress – until one day I noticed that new entries in their mailing list had caused the thread in google to float higher in the rankings. I read it – Roger and David had began writing back to the mailing list describing how I was building a case against them for libel and defending themselves to their friends – using MORE libel. Since I had, and still have absolutely no input on that thread (They’ve since firewalled me) I cannot even issue a rebuttal on their list. Soon afterwards I started seeing things like this spammed in the comments on a handful of blogs I write on:

Whaaaaat? I looked up that IP and it’s the general area that Roger lives in. Roger full on decided to start a blackhat SEO campaign against me. He just couldn’t leave it alone. I followed the link to the blogspot URL and I saw this:

I was a bit taken back – Perhaps my first cease and desist to Roger didn’t really sink in – I was explaining legally that I was going to pursue a lawsuit against him for damages, being able to cite in writing dollar figures for clients that walked away who directly cited his writings and Davids writings. Now he does this? SEO suicide? Does he like it in court? What? I’d love it spelled out for me.

The situation instantly changed from “Trolls on the internet” to  ”I’m being attacked on the internet for no good reason, years after the fact”.

The next occurrence was again something that made me recoil – A member of BarCamp San Diego chiming into a completely unrelated mail thread directly citing Rogers email thread, calling me out to be a “fox in a henhouse” as a reply to my email about Zipline coming online. The accuser being one of a handful of people who tried to execute a coup de tas against BarCamp San Diego a few years ago. Again, entirely not surprising. It seems all this negative energy directed at me by Roger and David has garnered the attention of other folks who think badly of me. Again, best I can do is chalk it up to convergence theory – trolls “going with the crowd” – people attacking me for fun solely because other people are doing it.

This was a lot easier to control as I was actually able to respond to the thread. The conversation did not last long as the more that Roger and Hober talked, the clearer it became that this was about hurting me in the public eye. Their goal was to make me hurt in the pocketbook – and they accomplished that goal. All the negativity spread by Roger and Hober caused clients to walk away from me. Roger even attacked BarCamp directly, trying to link the spotless reputation of a wonderful tech community in San Diego to his previous baseless allegations of me being somehow evil. It was because of his aggressive and warrantless attacks on BarCamp San Diego that security turned him away at the door.

One of the subjects in the longer version of my  How Not to be a Freelancer talk was to mention “Never do business as yourself, get a fictitious business name, or an LLC”. I briefly mentioned it – but this whole debacle is directly what that bullet point addresses. I should have bought an LLC in the beginning and worked under the company name – I’m now paying the price.

Dan Kaminsky said it best “You can’t join the war, then walk out on the battlefield and expect NOT to get shot”.

This morning (Feb 9) I got call from Road Runner – my ISP. They explained that they had received a complaint that someone was “attacking” someone else from one of my IP addresses. I was told this happened at something like 3:15 in the morning. I asked the caller for more information, so I was sent a small excerpt from what looked like an apache log file which had no destination host information whatsoever. It was something like ten lines deep and contained a very old and poorly executed directory traversal attack, which appeared to be unsuccessful. I rolled my eyes. Anyone could do this to their own webserver, and then use a one-line regular expression in VI to forge the source IP. At 3:15 in the morning? On a weeknight? The same Night I had picked up my girlfriend from LAX? I’d be up at 3:15 in the morning trying to hack someone and not spending time with my girlfriend? Seriously?

Looks like Roger and David are up to no good – again. They aren’t happy leaving me alone at this point, with the damage they’ve already done to me. Its abundantly clear that whenever their standard troll lifestyles come grinding to a halt, I’m that torch they can pick back up again and wave around. I exist to these two solely as a toy.

My speculation is that its convergence theory – the idea that someone speaking to a crowd can influence the crowds direction – as very clearly made evident by the non-technical fellowship their group is comprised of, as well as the well-documented evidence that if left alone their stories get more and more audacious. Even now I’m seeing Rogers friends message me directly on twitter in an attempt to further yet MORE baseless accusations.

At this point I have to identify what is really going on here. I’ve spent so much time in ‘defensive’ mode trying to do damage control, I didn’t take the time to do any due diligence on my attacker(s). After about half an hour looking around on the internet, I was able to find some facts – entirely NOT surprising facts:

Roger Rustad is new to linux.

Roger Rustad has directories full of “newbie documents” (And another!)

Roger Rustad is very new to linux, again

Roger Rustad demonstrates his lack of ability to google for an answer

Roger Rustad doesn’t know that you can get viruses by email

Roger Rustad is a self-proclaimed “linux hippie”

How could someone who is so green when it comes to networking and linux think that they could accuse people of being so evil – especially when they don’t understand the accusation? Why on earth is it Roger who’s doing all this attacking and not the guy whos credentials I captured? That guy I’ve never heard from again!

I’m not even sure what their endgame is – capturing traffic is not an end, its a means. When REAL attackers, REAL blackhats capture credentials they do it by the thousands. By the TENS of thousands. Attackers then use these captured credentials to send phishing emails in attempts to somehow steal money or other valuable information, or further compromise the accounts to send more malware or spread botnet code. Real attackers don’t go to coffee shop meetups and share the credentials they captured.

Every time I try to think through why they would want to do this the end I come to is “purely for their own entertainment”. They stand to gain nothing, I don’t have a competing business, I’ve left them completely alone – and even my attorney agrees with me that what they’re doing is grounds for a lawsuit.

Michael Caine said something that sums this situation up nicely, in a movie he was in a while ago:

…Because he thought it was good sport. Because some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn.

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!

With the information that I know now (12:40am, 12/18):

The host which contained the landing page was hosted with bluehost. This tells us a few things

• They didn’t have the infrastructure to do packet captures, or credential theft. Bluehost does shared hosting.
• Any attempt to do so would have thrown TONS of SSL errors, and very likely DDoS’ed the server hosting the landing page. (Twitter had HUNDREDS of servers, these guys had 1.). All of your twitter apps would have thrown errors, or flat out stopped working.
• Twitters security infrastructure was left untouched, and was not a target of the attack.

I’ve been watching twitter scroll with sensationalism and panic, people yelling “OH GOD TWITTER GOT HACKED EVERYONE CHANGE YOUR PASSWORDS NOW”.

Please – don’t do that.

Its going to make everyones job harder who have to work on this situation, it incites panic and causes people to prematurely flip out and do things they probably shouldn’t do.

I’ve had to deal with this in the past – people throwing their arms in the air and screaming about passwords being compromised when they in fact weren’t. It did not end well.

Please – think before you hit send.

If you read anything these two post on socallinux.org you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by google, and mirrored by list-serv they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason the SEO goes up.

This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and google cache results all parroting the original messages.

Google is like the force. It can be used for good and evil. In this example, we’re looking at using it for evil.

I never really took personal branding seriously until it bit me – and upon this realization immediately found a pretty blatant ‘vulnerability’. Well, it’s not REALLY a vulnerability, it preys on peoples inclination to believe what they read as fact and not take any time to check up on it – so it’s more like a social hack, or social engineering. This presents an attack vector that historically could only be used by larger media outlets.

Now, we have google, and google cache – these tools can be used to make someone miserable for a long period of time, or sway peoples opinion on things – or to make people believe whatever you choose.

Google your name. Seriously – open a new tab and type your name into google – see what comes up. Go at least 3-5 pages deep.

Is there anything in there that would prevent a company from hiring you, or a new client from signing a contract with you?

There isnt? – well thats a good sign!

What if I started writing emails on a tiny, but public email list (like listserv, or google groups), or wrote a few blog posts talking about how evil you were, and some evil things you’ve done – even if you’d done no such evil? That might not fare so well for you the next time someone does their homework on you.

“But thats libel” you say. True, that is in fact libel. People lying about you in print.

“You can sue for that!” Yep – you can! It’ll cost you, probably in excess of 5 or 10 grand and you’ll end up with a court order to the defendants issuing them to take down whatever needed to be taken down (Unless you sue for damages – for example if you can prove that clients walked away from you and companies won’t hire you because they found this stuff on google).

“Wow thats a headache” It absolutely is.

The bottom line is unless you’re prepared to throw 5-10 thousand dollars at the problem you won’t be able to do much other than ask nicely, and if asking nicely doesn’t get the job done you’re sorta boned. If you do have the money though, libel is libel – and if you can prove in court its libel, you win. Period.

So in summation: Using google to attack people, hurt brand names and generally troll has a VERY high success rate – but  you’re liable to get sued.