Dealing with liars, slander and libel.

Having been practicing information security on a freelance basis for roughly 2 years now, I’ve quickly come to learn that the information security industry is very incestuous – teeming with folks who think the standard “how to survive prison” methodology works for information security. Find someone who’s made a name for themselves, beat the ever-living crap out of them, assume their former glory. This is a problem. Primarily because it doesn’t work, and secondly because nobody has ever been able to do it right and get their intended results.

It is even more of a problem when people who have openly admitted their inexperience in Linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ‘cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry Neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage, or the Salem witch trials, where women were called out as witches and burned alive, their pleas of innocence ignored.

This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security, the industry surrounding it – picking up a torch and going on a crusade because of something they don’t understand.

I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically, the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and the friends and loved ones around me have suffered, because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.

I apologize to those whose names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.

Two years ago I was just starting out freelancing. Like any energetic entrepreneur I had gotten my hands on some new hardware and some new software and was training myself to become more useful to organizations big or small which could benefit from my skills. A friend of mine, Dante, invited me to a user group in Riverside. He said some people I already talk to on twitter go, and that it’s a group of Linux guys. Now – I’ve been doing Linux sysadmin work since 2000. I’ve met a LOT of Linux sysadmins – so what I was expecting was essentially a bunch of hackers. People who work with Linux, are enthusiastic about Linux and have an interest in the security of Linux. Oh boy was I wrong. The only Linux people there I could count on two fingers – myself and Dante. Everyone else may as well have come fresh from a “Welcome to your first time booting Ubuntu” class. They were ‘Linux enthusiasts’, alright – about learning it from the ground up. No practical or vocational experience to speak of.

Now this was back in December of 2008, so my recollection of the EXACT events is a bit hazy. I want to say that Dante and I were among the first few people there. We met a guy named Chris and I think another person who I cannot recall at a restaurant before going to the coffee shop. As we ate dinner everyone seemed cheerful. I was talking about my new consultancy, spreading the word that I was openly looking for information security consulting work, and hoping to give a demonstration about wireless security. After dinner we moved to the coffee shop and I think one or two more people were there to meet us – David Kaiser being one of them. As we sat down, I got out my equipment and booted into a BackTrack 3 live CD. As we sat and talked, people asked me what the extra hardware was for – I explained that this was a tool used to do vulnerability assessments, and to crack WEP networks to demonstrate the difference between WEP and WPA/WPA2 networks. I explained I was going to give them a demonstration. People seemed enthusiastic about it – nobody contested it at all or in any way gave me the impression that “what you’re about to do is not okay”. After all, I did THE EXACT SAME THING at Refresh San Diego, which is held at Qualcomm, and I was applauded for it. Here is part one and part two of the video of my presentation – give them a watch and see for yourself!

I explained that I was going to do a LAN attack to demonstrate how important it is to transmit credentials with some degree of encryption. Again, nobody contested it. In fact, Dante sported a bit of a grin sitting across from me. Being a regular participant in DEFCAMP, an information security based set of challenges that I used to run during BarCamp San Diego, Dante knew exactly what was about to happen – the people in the audience whose first knee-jerk reaction is to flip out would play their part, and flip out. No damage would be done, but these newbies would have a newfound enlightenment and would experience first hand what could happen if an actual malicious attacker were to attack them. This form of exercise puts the “attacker” and the “victim” right next to each other so that everything can be seen end-to-end. This gives the “victim” insight into how the attack is carried out – and helps them understand why we use certain measures to protect against it. Having spent 3 years now organizing BarCamp San Diego and DEFCAMP, I had a direct hand in creating a warm and friendly environment for people to learn. I made a mistake in assuming that, because there were 3 people there who had regularly attended BarCamp San Diego, that warm and friendly environment had made its way up to Riverside that night.

Shortly after I had set up the equipment, Roger Rustad and another person showed up. Roger sat next to Dante, and this other person sat to my right, at the end of the table. I told Roger and his friend I was playing with BackTrack 3 and I was going to demonstrate an attack. Again, the immediate response was enthusiasm.

I began by running a commonly known, commonly used application called ettercap. This is a tool that is found on nearly every security-oriented Linux live CD distribution, BackTrack 3 being one of them. It’s designed to function exactly as I had used it – as a learning tool. By default, ettercap supports SSH and SSL decryption by way of forging certificates when already ‘in the middle’. Roger’s friend browsed to Gmail and was presented with a security certificate error very similar to this one.

I was surprised that he was unfazed by this – a security certificate error for GMAIL? He clicked “okay” on the popup and continued on to Gmail. Once he did that, I saw his Gmail credentials pop up in the message window in ettercap. I raised my hand, interrupted everyone’s side conversations and asked

Who here just browsed to gmail.com?

The guy next to me raised his hand. I turned my laptop to him and showed him the captured credentials. His facial expression changed – he got angry.

What the hell is this?!

He asked, throwing his arms into the air.

You clicked to approve an invalid security certificate for gmail.com

I replied.

At this point the guy got VERY angry. He started yelling at me, he stood up, he told me he was going to punch me in the face and then smash my laptop and throw it across the room.

Dude, relax – Do you think that if I was going to be doing this maliciously or actually trying to steal credentials, I would have SHOWN YOU what I just did? Calm down – this was only an exercise. I’m not keeping any of this, it’s on a Live CD.

He calmed down, and the conversations began again. About 5 minutes later Roger looked up at me and asked something like

Did you delete that log?

I was confused. The conversation went something like this:

Hm? Delete what log?

The password you just captured. The logs. For that app you used.

There is no log. I closed the application already, so nothing was kept, but ettercap doesn’t log by default. And even if it did, I could simply reboot and everything that’s in memory would get wiped.

Then you need to stop what you’re doing and reboot right now!

What? Why? I just told you that I’m not keeping anything, why are you raising your voice at me?

You need to delete whatever it is you have over there and reboot right now! That’s fucked up!

Roger – Do you understand what a LiveCD is? You boot into it, everything stays in RAM, and when you reboot, it’s all gone. I didn’t keep any logs, I didn’t save any data – this was a demonstration. What the hell would I do with his password anyway? He’s changing it as we speak.

I forget where the conversation went from there, but it was clear that Roger thought I was up to no good. I’m still bewildered at what he thought I could do with an expired password, but it was abundantly clear he was not interested in listening, and simply wanted me to obey his commands. After I gracefully shut down BackTrack I rebooted my workstation, removed the BackTrack 3 CD and showed it to him, and turned my laptop around to demonstrate that I was now back in OS X.

This seemed to make him happy. The only two people at the table who had any issue with it had arrived over an hour late to the meetup, and still did not have any issue with what I was doing until I captured someone’s credentials. I have no idea what they thought I was going to do when I said “I’m going to give a demonstration” – perhaps they thought I was going to show a PowerPoint presentation, or give a talk – maybe in retrospect I should have said “I’m going to do a live demonstration” instead of “I’m going to demonstrate an attack”. At this point I can only speculate about what I could have done to inhibit the rage that Roger and his friend demonstrated, screaming, yelling, threatening me with violence and destruction of property. I took it in stride. I figured someone would come to their senses eventually. Dante and I sat quietly watching this whole thing transpire, waiting for the rage to subside. I thought it was interesting that Roger was more upset than the guy whose credentials were captured.

Eventually people got tired, people decided it was time to go home, I shook hands with a lot of people, I exchanged business cards with them as well – it seemed that the meetup went swimmingly, with the exception of that little bit of bad business where I was going to get “punched in the face and my laptop smashed”. This was on a Friday or a Saturday night, if I recall, because the next morning I woke up to a fairly ghastly email.

Roger had written a long drawn out email to the mailing list, and CC’ed me – written in the context of a board member, or some other lofty authority figure, calling me out on “stealing passwords”.

WHOA WHOA WHOA – I thought to myself, when I left the meetup last night everything was kosher. People shook my hands, people took my business cards. He goes on to say how the group should form some sort of committee to talk about “what happened” and “how they’re going to address it”.

What? Did something happen after I left? What “needs to be addressed”? They’re talking like someone admitted to the group that they had a heroin problem and there needed to be an intervention.

I hit reply all and composed a reply telling Roger to calm down again, and going on to say that starting a witch hunt was a stupid way to express his frustration, and that it wouldn’t do any good because the “witch” wasn’t hiding. My reply went to Roger but not to the group – apparently my attempts to join the mailing list were not approved by the administrator.

After about 20 minutes, my phone rang. It was Roger. He called and in a very stern and angry tone of voice began scolding me for misbehaving at his meetup group. I explained again, ad nauseam this time, that there was no issue – I apologized for scaring him and his friend, and hurting his feelings, and posed a very simple question:

Do you think that I was actually being malicious? Do you think that after telling everyone at the meetup that I was trying to go into consulting that I would immediately thereafter start trying to capture their credentials? What do you think I would do with them anyway?

Roger was not interested in pursuing a logical line of questioning or reason. Nor was he interested in answering any of my questions or allowing me to speak. He continued to talk over me and insisted that I should “talk to the group” about it. I explained that I had tried, but all of my emails to the mailing list were rejected. He then admitted that he knowingly told members of the group false information about what had happened. He told me that he had other phone calls with other meetup members who were of a less technical nature and used phrases like “I don’t know what he captured” and “I don’t know, he may have seen everything!”.

At this point I lost my temper.

Do you realize what you’ve done? You’ve started a panic. You’ve told a bunch of people lies – why did you tell these people that I captured stuff? You know I didn’t capture anything but what you saw – you were sitting RIGHT ACROSS FROM ME. I even showed you that I rebooted. Why would you tell people that their credentials were compromised if you didn’t know? I thought we were friends! Why would you throw me under the bus like that? You could have called me and plainly asked me what I captured. You could have given all those people who had questions my phone number or email address and told them to contact me directly – but you didn’t. Instead you spread fear and doubt. Instead, you made up a story about “Dan the evil hacker” who came to your meetup group and “did something bad”, which apparently did not yield any results, hurt anybody, or cause any damage whatsoever. You’ve started a witch hunt.

After my rant, Roger agreed that he could have phrased things differently to the people he talked to before calling me. He called one member of the group – who is blind – and flat out told him “Go change ALL your passwords! I have no idea what Dan captured! He could be spying on you right now!”. From what I’m told the blind member went into a panic – because of what Roger told him, not because of what happened at the coffee shop. Again, when people exited the coffee shop the night of the meetup – everyone was happy, and people exchanged business cards with me.

At this point Roger said something like “well, no harm no foul. I guess we can move past it. Friends?”

My response was “Are you out of your fucking mind? You just threw me under the bus to a room full of people, and now that I’ve proven you wrong using your own words you want to be friends? How the hell can I ever trust you again? If you ever came to one of my talks you would shit your pants and label me a terrorist, then call 911. I can’t trust you anymore, you’re not my friend – you’re just a troll”

That was that. I hung up on Roger and never spoke to him again.

However, in June of ’09 I had just landed my first Sarbanes-Oxley IT compliance audit. I was VERY excited. My client and I were exchanging the required paperwork when I got an email stating they had googled me while doing some due diligence and found a forum thread – created by Roger with a duplicate of what was on the mailing list. I told him the story, I linked him to the Qualcomm RefreshSD talk and said that, to the best of my ability, I had been unable to calm two attendees of a meetup group who were absolutely terrified of information security. I encouraged him to read the threads and to see the inconsistencies – there were absolutely no replies from me – they had blocked me from being able to reply or retort, and people who were not even in attendance at the meetup joined in the fun to badmouth me, call me a script kiddie, make baseless accusations and tell stories about things that “may have happened”.

I thought I had lost the deal for certain – but I got a call back from my client and he explained that after reading the threads it was abundantly clear that these were baseless accusations and that “You can’t believe everything you read on the internet”. I was happy to have the client move forward.

My stomach sank though. “Crap”, I thought. “This is a big deal – if clients are finding this when googling me before I start work – this means I’m going to have to explain this to *EVERYONE*. Oh man, this is going to suck.”

So I composed an email to Roger, and David:

Hello David,

I was notified today by a client of mine that there are some scathing remarks about me publicly available on the socallinux.org forums.

I’d like for you to make those private.

It’s pretty clear that you and your LUG friends don’t like me very much – and that’s fine – you’re allowed to hold whatever opinions you want.

My problem is that I’ve been put in a compromising situation – a discussion thread that I have no part in, writing pages upon pages of scathing remarks and labeling me as a “script kiddie” – I can also see that none of my responses to Roger were included, so the whole thing is taken out of context and is one-sided, as my responses and arguments are nowhere to be found.

The bottom line is that it’s hurting my ability to freelance, which is how I pay my bills and rent.

Whatever I may have done to slight you, I’m certain it didn’t cause you any grief when it came to eating and paying for where you live.

I’ll ask you kindly to either remove the posts or make them private.

Thanks in advance

-Dan
atenlabs.com

It was ignored. I sent another letter after my first stating that phrases such as “Not formally disclosing”, “When Dan set out to steal passwords” and “Doing things in secret” were outright lies – legally considered libel – and that they were hurting my ability to put food on the table. I used stern language in saying that if the mailing list items and forum posts were not taken down, I would be forced to come back with an attorney.

At that point I got a polite message back from Roger plainly giving me his address, phone number and other details – a symbolic way to say “bring it on”.

So I did. I hired an intellectual property attorney in Solana Beach who was referred to me by a family practice attorney. I spent a few days going over what had happened with my attorney – having him read the whole thread, showing him how ettercap works, how backtrack works and other technical details required to properly understand what happened, and what Roger and David chose to write – and how they GROSSLY differ.

My attorney agreed that Roger and David were being libelous, and composed a cease and desist letter stating the facts and asking Roger and David to, at the bare minimum, make the mailing list private. I had already lost a handful of contracts because of all the negative comments, and I had to ‘stop the bleeding’. I was quickly approaching bankruptcy.

Here is a copy of the cease and desist letter.

I asked that the letter be sent certified mail so that we could ensure delivery. About a week later my attorney called me to let me know that both letters, one to Roger Rustad and the other to David Kaiser, had been rejected. I chuckled – they had called my bluff and failed. I asked him then to send it via email, and CC me – which he did.

Two days after that happened, the forum on their site disappeared. I considered it a victory, and stopped thinking about it. I was traveling and I got a phone call from another prospective client who wanted to have a black box penetration test done against software they were developing. “Wonderful!” I exclaimed, and we exchanged NDAs and service contracts and began talking on the phone.

A couple days into the talks, I get a call from one of the other contracting companies in on the deal – they tell me that this client googled me, found some mailing list items about “some dispute”, and got cold feet – thereby abandoning the contract.

I was infuriated. I googled myself and found what exists today – a single thread on a mailing list where my full name is used very often – the same baseless allegations and accusations are made – dating all the way back to December of 2008.

I called my attorney back and asked him what I should do. He explained that taking them to court immediately could easily cost 10 to 15 thousand dollars, that it may be months before the case is accepted into court, and that it could be even longer to get a judgment against them. I sighed, wishing I had the money to move forward, and we agreed to put the case on hold until I was able to save up enough money to proceed. I’ve since started a savings account for this.

In the meantime, I had hired some friends who are SEO experts to help me at the very least bring to light all of the presentations, the community leadership, free audits and other things I’ve done in the last 5 years to help bring the tech community here together, and help spread an air of welcome and open learning.

After a couple of weeks I had started making a lot of good progress – until one day I noticed that new entries in their mailing list had caused the thread to float higher in the Google rankings. I read it – Roger and David had begun writing back to the mailing list describing how I was building a case against them for libel, and defending themselves to their friends – using MORE libel. Since I had, and still have, absolutely no input on that thread (they’ve since firewalled me) I cannot even issue a rebuttal on their list. Soon afterwards I started seeing things like this spammed in the comments on a handful of blogs I write on:

Whaaaaat? I looked up that IP and it’s the general area that Roger lives in. Roger full on decided to start a blackhat SEO campaign against me. He just couldn’t leave it alone. I followed the link to the blogspot URL and I saw this:

Roger Rustad Blackhat SEO

I was a bit taken aback – perhaps my first cease and desist to Roger didn’t really sink in – I was explaining, legally, that I was going to pursue a lawsuit against him for damages, being able to cite in writing dollar figures for clients who walked away and who directly cited his writings and David’s writings. Now he does this? SEO suicide? Does he like it in court? What? I’d love it spelled out for me.

The situation instantly changed from “Trolls on the internet” to “I’m being attacked on the internet for no good reason, years after the fact”.

The next occurrence was again something that made me recoil – a member of BarCamp San Diego chiming into a completely unrelated mail thread, directly citing Roger’s email thread, and calling me out as a “fox in a henhouse” in reply to my email about Zipline coming online. The accuser was one of a handful of people who tried to execute a coup d’état against BarCamp San Diego a few years ago. Again, entirely not surprising. It seems all this negative energy directed at me by Roger and David has garnered the attention of other folks who think badly of me. Again, the best I can do is chalk it up to convergence theory – trolls “going with the crowd” – people attacking me for fun solely because other people are doing it.

This was a lot easier to control as I was actually able to respond to the thread. The conversation did not last long, as the more that Roger and Hober talked, the clearer it became that this was about hurting me in the public eye. Their goal was to make me hurt in the pocketbook – and they accomplished that goal. All the negativity spread by Roger and Hober caused clients to walk away from me. Roger even attacked BarCamp directly, trying to link the spotless reputation of a wonderful tech community in San Diego to his previous baseless allegations of me being somehow evil. It was because of his aggressive and unwarranted attacks on BarCamp San Diego that security turned him away at the door.

One of the subjects in the longer version of my How Not to be a Freelancer talk was to mention “Never do business as yourself; get a fictitious business name, or an LLC”. I briefly mentioned it – but this whole debacle is directly what that bullet point addresses. I should have formed an LLC in the beginning and worked under the company name – I’m now paying the price.

Dan Kaminsky said it best “You can’t join the war, then walk out on the battlefield and expect NOT to get shot”.

This morning (Feb 9) I got a call from Road Runner – my ISP. They explained that they had received a complaint that someone was “attacking” someone else from one of my IP addresses. I was told this happened at something like 3:15 in the morning. I asked the caller for more information, so I was sent a small excerpt from what looked like an Apache log file which had no destination host information whatsoever. It was something like ten lines deep and contained a very old and poorly executed directory traversal attack, which appeared to be unsuccessful. I rolled my eyes. Anyone could do this to their own webserver, and then use a one-line regular expression in vi to forge the source IP. At 3:15 in the morning? On a weeknight? The same night I had picked up my girlfriend from LAX? I’d be up at 3:15 in the morning trying to hack someone and not spending time with my girlfriend? Seriously?
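The triage an abuse desk (or the accused) can actually do with an excerpt like that, as an added example that is not part of the original post: parse the Apache lines, flag traversal requests (plain or percent-encoded), and record whether any of them was served. The log lines are constructed for the example and the path is not taken from the excerpt; the point the code makes is that the client-IP column is just text in a file the server operator writes, so the excerpt alone attributes nothing without corroborating evidence the complaint lacked (the destination host, flow records from the ISP side).

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [timestamp] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample excerpt (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Feb/2010:03:15:02 -0800] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [09/Feb/2010:03:15:03 -0800] "GET /..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 213 "-" "-"
203.0.113.7 - - [09/Feb/2010:03:15:03 -0800] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.1" 404 213 "-" "-"
198.51.100.4 - - [09/Feb/2010:03:16:10 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_traversal(path):
    """True if any path segment is '..' after decoding (twice, to catch double encoding)."""
    decoded = unquote(unquote(path))
    return ".." in decoded.replace("\\", "/").split("/")


def triage(log_text):
    """Summarize traversal attempts in a log excerpt.

    'sources' is whatever the server wrote in its own log; nothing in the file
    authenticates it, so it is a lead to corroborate, not an attribution.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    attempts = [r for r in records if is_traversal(r["path"])]
    return {
        "attempts": len(attempts),
        # A 2xx on a traversal request would mean the server actually served the file.
        "served": sum(1 for r in attempts if 200 <= r["status"] < 300),
        "sources": sorted({r["ip"] for r in attempts}),
        "first": min((r["ts"] for r in attempts), default=None),
        "last": max((r["ts"] for r in attempts), default=None),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```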

Looks like Roger and David are up to no good – again. They aren’t happy leaving me alone at this point, with the damage they’ve already done to me. It’s abundantly clear that whenever their standard troll lifestyles come grinding to a halt, I’m the torch they can pick back up again and wave around. I exist to these two solely as a toy.

My speculation is that it’s convergence theory – the idea that someone speaking to a crowd can influence the crowd’s direction – as very clearly made evident by the non-technical fellowship their group is comprised of, as well as the well-documented evidence that if left alone their stories get more and more audacious. Even now I’m seeing Roger’s friends message me directly on twitter in an attempt to further yet MORE baseless accusations.

At this point I have to identify what is really going on here. I’ve spent so much time in ‘defensive’ mode trying to do damage control, I didn’t take the time to do any due diligence on my attacker(s). After about half an hour looking around on the internet, I was able to find some facts – entirely NOT surprising facts:

Roger Rustad is new to Linux.

Roger Rustad has directories full of “newbie documents” (And another!)

Roger Rustad is very new to Linux, again.

Roger Rustad demonstrates his lack of ability to google for an answer.

Roger Rustad doesn’t know that you can get viruses by email.

Roger Rustad is a self-proclaimed “Linux hippie”.

How could someone who is so green when it comes to networking and Linux think that they could accuse people of being so evil – especially when they don’t understand the accusation? Why on earth is it Roger who’s doing all this attacking and not the guy whose credentials I captured? That guy I’ve never heard from again!

I’m not even sure what their endgame is – capturing traffic is not an end, it’s a means. When REAL attackers, REAL blackhats capture credentials they do it by the thousands. By the TENS of thousands. Attackers then use these captured credentials to send phishing emails in attempts to somehow steal money or other valuable information, or further compromise the accounts to send more malware or spread botnet code. Real attackers don’t go to coffee shop meetups and share the credentials they captured.

Every time I try to think through why they would want to do this, the end I come to is “purely for their own entertainment”. They stand to gain nothing, I don’t have a competing business, I’ve left them completely alone – and even my attorney agrees with me that what they’re doing is grounds for a lawsuit.

Michael Caine said something that sums this situation up nicely, in a movie he was in a while ago:

…Because he thought it was good sport. Because some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn.


4 Responses to “Dealing with liars, slander and libel.”

  1. Theabcasian says:

    Just glad my similar experience was with a school that didn’t want to lose face any more than it had. It explains a lot though about some of the stuff I’ve heard you talk about.

  2. mary jo smalley says:

    According to my son, I’m a noob, but I do understand childishness, very well…been dealing with it for almost 20 years. So, I saw a link to your blog on twitter..I follow Nick Romyn because he reminds me of my son..so I found your article very interesting.

    I’ve been thinking about your dilemma this afternoon and believe that you may have to go the way of community overachievers and politicos and that is, build up a reputation via giving, volunteering (maybe something to do w/ Haiti) and when one of your potential clients reads about you they will have such an overwhelming positive aspect that it will totally override the petty cuts by your old “friend”.

  3. Dan says:

    Hi Mary!

    I’m part of the way there. I run about 75% of barcamp san diego, I organize information security and hacker meetups in town (hacker bootcamp), as well as a weekly dinner party (www.twitter.com/drinkup).

    I’ve been meaning to give away more free time from my consultancy – I hand out free 15 minute audits, but I’ve been thinking of kicking them up to an hour.

  4. anonymous says:

    By three methods we may learn wisdom: first, by reflection, which is noblest; second, by imitation, which is easiest; and third, by experience, which is the most bitter.
    -Confucius
