I wanted to acknowledge valid points that were brought up in conversations carried on after the fact and transmogrify the undertone from my last post into an overtone in this one. My suspicion is that my previous snarkiness may have obfuscated the clarity of the point I was trying to make.

• Yes, absolutely, I agree that over-sharing your location creates a vulnerability and allows an attacker to build an attack profile (excessive meaning say, more than 3-5 checkins daily). As one friend put it “updating foursquare 24/7″ = bad. Foursquare is not “HELPING” the problem – yes they are “CONTRIBUTING” to it, but they are not “THE” problem.

• This is not a “new” attack vector. Foursquare is not the first application to allow one to publish ones whereabouts (if you REALLY wanna crap your pants, have a look at lattitude. If you think foursquare is bad your head will fall off)

• No, in this context, knowing if you’re in a building or in a certain room to a building is irrelevant. The point here is you’re “leaving your home vulnerable”. Personal security is a different subject entirely, and I prefer to stay on topic. The site that was mentioned was “Please rob me”, inferring “come to my home and rob it while I’m not there”. If people would like to have a healthy discussion about personal security, I’d be happy to be a part of it – however this is not it. This discussion is about the home.

• It is less likely that an ACTUAL home-invader will use foursquare over any other social/web2.0 site. Standard usage dictates one has to click an accept button to allow someone to view their checkins (unless they’re published to facebook/twitter, then it’s moot anyway). I’ve had friends that have had their homes burglarized and in every case the attacker was not what any of us would consider an “advanced enough” computer user to utilize foursquare as a prelude to a burglary. It was always something like “we saw them packing up to leave on a ski trip” -visual, in person. If an attacker is enlightened enough to employ the use of attacks like CSRF and social engineering methodology they’re going to go after what you have in the bank, in investments, carbon credits (a new one!) and other things that are far more valuable than your television.

• In this context its foursquare that’s being thrown under the bus. Their ‘fault’ in this case was to take an already popular idea (dodgeball) and make it more popular. It’s the “in” thing to do rightnow – overshare. Some people do it, other people don’t – people manage their own risk. Telling twitter you’re going to the bar, versus checking in on foursquare AT the bar, versus gowalla, or a facebook update – its all the same thing: You’re telling the internet you’re not home. The problem is the behavior, not the “tool used”.

The last line of the last post I wrote is more or less the overall point I’m trying to make. Somehow, or for some reason the masses have decided to have an epiphany where they throw their hands in the air and declare foursquare unsafe.

Agreed, they have a valid point. I won’t argue that, but its synonymous with walking into the burn ward at a hospital, walking past rows and rows of disfigured and suffering individuals, stopping at one random person then exclaiming to the world how THIS PARTICULAR PERSON is suffering and needs medical attention and oh-woe-is-me-what-a-world.

Generally speaking, the same people who have ‘come to this realization now’ are guilty of using many other applications that “tell people they are not home”.

My point, reconstituted without snark is: You’ve been doing it for years, and you JUST NOW realized it? THATS the problem. Not foursquare. The very same author of the blogpost I linked to is guilty of frequently publishing their location using a variety of applications. At best I can only speculate, but my speculation is that it was done for the readership and stir the pot – not to actually provide any real warning.

In this case, frankly, I’m appalled. This is absurdity at its best. Lets all get on the paranoia choo-choo with Jennifer Van Grove and the silly website she’s blogging about, cancel our foursquare accounts, and go hide at home in fear. Sorry to call you out like this Jen, but this is purely knee-jerk baseless paranoia. If someone sees me IN THE PARKING LOT AT THE GROCERY STORE, then they also know I’m not home. This isn’t anything new.

The common complaint I have with blogposts and arguments like this is that people never think two steps ahead. Nobody ever considers engaging their foresight muscle and actually thinking this sort of thing through to conclusion.

I’m a security-minded person. That means I have to very often think like an attacker. I have to plan out “missions”, I have to completely exhaust all nefarious ideas and plotting in an effort to fortify the clients that hire me to make them more secure. This exercise allows me to put on an attackers hat and logistically consider courses of action in an effort to understand things like the frame of mind and context of an attacker.

In the last few weeks I’ve seen a lot of folks all of the sudden “realize” that when checking into foursquare this tells the internet that “you’re not at home”. Disappointingly enough the first thing that short-sighted people think is “OH GOD THIS MEANS EVERYONE KNOWS I’M NOT HOME. I’M GOING TO GET ROBBED!”. I cannot articulate using text exactly the style in which I face-palmed. To bring some clarity to those who have chosen to forego foresight, I’ve made this handy flow-chart. Have a look:

Simply put: If you’re going to rob someone, you have to put a little thought into it. You may be shot. You may be caught on camera. You may have to deal with nosy neighbors. Do you even know who this person is or where they live? Think about it for more than 30 seconds. If you’re still convinced that foursquare will get you robbed, print this chart out, and put it over your display using a stapler.

Stop being paranoid. Stop following the crowd. Wake up.

Moreso is a problem when people who have openly admitted their noviceness in linux, security and other things of a technical nature decide to take up a crusade. They’re loud, boisterous and spend lots of energy on a ’cause’ that they simply don’t understand. The first thing that comes to mind when thinking about these people is an angry neanderthal – angry that the wind blew out his fire, who then goes and bludgeons his neighbor with a rock out of rage, or the salem witch trials where women were called out as witches and burned alive, their pleas of innocence ignored.

This is exactly what I’m dealing with – novices, newbies and beginners who know little to nothing about information security, the industry surrounding it – picking up a torch and going on a crusade because of something they don’t understand.

I’ve been dealing with a small handful of these people, and it seems the further along I get in growing my business, the more opportunity these trolls think they have to shoot me down. I’m going to draw out, chronologically the whole series of events from then until now – including how I’ve contacted attorneys, sent cease and desist notices, and how I personally have suffered, and the friends and loves ones around me have have suffered because two guys in Riverside simply cannot act like adults. It’s a long ride, but for those interested in the whole story, end to end, read on.

I apologize to those who’s names I’m about to drop, who I told I’d keep out of this – but at this point it’s unavoidable. I have to name names to tell the story.

Two years ago I was just starting out freelancing. Like any energetic entrepreneur I had gotten my hands on some new hardware and some new software and was training myself to become more useful to organizations big or small which could benefit from my skills. A friend of mine, Dante invited me to a user group in Riverside. He said some people I already talk to on twitter go, and that it’s a group of linux guys. Now – I’ve been doing linux sysadmin work since 2000. I’ve met a LOT of linux sysadmins – so what I was expecting was essentially a bunch of hackers. People who work with linux, are enthusiastic about linux and have an interest in the security of linux. Oh boy was I wrong. The only linux people that were there I could count on two fingers – Myself and Dante. Everyone else may as well have come fresh from a  ”Welcome to your first time booting ubuntu” class. They were ‘linux enthusiasts’, alright – about learning it from the ground up. No practical or vocational experience to speak of.

Now this was back in December of 2008, so my recollection of the EXACT events is a bit hazy. I want to say that Dante and I were among the first few people there. We met a guy named Chris and I think another person who I cannot recall at a restaurant before going to the coffeeshop. As we ate dinner everyone seemed cheerful. I was talking about my new consultancy, and spreading the word that I was openly looking for information security consulting work and hoped to give a demonstration about wireless security. After dinner we moved to the coffeeshop and I think one or two more people were there to meet us – David Kaiser being one of them. As we sat down, I got out my equipment and booted into a backtrack3 live CD. As we sat and talked, people asked me what the extra hardware was for – I explained that this was a tool used to do vulnerability assessments, and crack WEP networks to demonstrate the difference between WEP and WPA/WPA2 networks. I explained I was going to give them a demonstration. People seemed enthusiastic about it – nobody contested it at all or in any way gave me the impression that “what you’re about to do is not okay”. Afterall I did THE EXACT SAME THING at Refresh San Diego which is held at Qualcomm and I was applauded for it. Here is part one and part two of the video of my presentation – Give them a watch and see for yourself!

I explained that I was going to do a LAN attack to demonstrate how important it is to transmit credentials with some degree of encryption. Again, nobody contested it. In fact, Dante sported a bit of a grin sitting across from me. Being a regular participant in DEFCAMP, an information security based set of challenges that I used to run during BarCamp San Diego, Dante knew exactly what was about to happen – the people in the audience whos first knee-jerk reaction is to flip out would play their part, and flip out. No damage would be done, but these newbies would have a new found enlightenment and would experience first hand what could happen if an actual malicious attacker were to attack them. This form of exercise puts the “attacker” and the “victim” right next to eachother so that everything can be seen end-to-end. This gives the “victim” insight into how the attack is carried out – and helps them understand why we use certain measures to protect against it. Having spent 3 years now organizing BarCamp San Diego and DEFCAMP, I had a direct hand  creating a warm and friendly environment for people to learn. I made a mistake assuming that even though there were 3 people there who had regularly attended BarCamp San Diego, that warm and friendly environment made its way up to Riverside that night.

Shortly after I had setup the equipment, Roger Rustad and another person showed up. Roger sat next to Dante, and this other person sat to my right, at the end of the table. I told Roger and his friend I was playing with backtrack3 and I was going to show demonstrate an attack. Again, the immediate response was met with enthusiasm.

I began by running a commonly known, commonly used application called ettercap. This is a tool that is found on nearly every security linux distribution live-cd, backtrack3 being one of them. It’s designed to function exactly as I had used it – as a learning tool. By default, ettercap supports SSH and SSL decryption by way of forging certificates when already ‘in the middle’. Rogers friend browsed to gmail and was presented with a security certificate error very similar to this one.

I was surprised that he was unphased by this – a security certificate error for GMAIL? He clicked “okay” to the popup and continued on to gmail. Once he did that, I saw his gmail credentials pop up in the message window in ettercap. I raised my hand, interrupted everyones side conversations and asked

Who here just browsed to gmail.com?

The guy next to me raised his hand. I turned my laptop to him and showed him the captured credentials. His facial expression changed – he got angry.

What the hell is this?!

He asked, throwing his arms into the air.

You clicked to approve an invalid security certificate for gmail.com

I replied.

At this point the guy got VERY angry. He started yelling at me, he stood up, he told me he was going to punch me in the face and then smash my laptop and throw it across the room.

Dude, Relax – Do you think that if I was going to be doing this maliciously or actually trying to steal credentials, I would have SHOWN YOU what I just did? Calm down – this was only an exercise. I’m not keeping any of this, its on a Live CD.

He calmed down, and the conversations began again. About 5 minutes later Roger looked up at me and asked something like

Did you delete that log?

I was confused.. the conversation went something like this:

Hm? Delete what log?

The password you just captured. The logs. For that app you used.

There is no log. I closed the application already, so nothing was kept, but ettercap doesn’t log by default. And even if it did, I could simply reboot and everything that’s in memory would get wiped.

Then you need to stop what you’re doing and reboot right now!

What? Why? I just told you that I’m not keeping anything, why are you raising your voice at me?

You need to delete whatever it is you have over there and reboot right now! Thats fucked up!

Roger – Do you understand what a LiveCD is? You boot into it, everything stays in RAM, and when you reboot, it’s all gone. I didn’t keep any logs, I didn’t save any data – this was a demonstration. What the hell would I do with his password anyway? Hes changing it as we speak.

I forget where the conversation went from there, but it was clear that Roger clearly thought I was up to no good. I’m still bewildered at what he thought I could do with an expired password, but it was abundantly clear he was not interested in listening, and simply wanted me to obey his commands. After I gracefully shut down backtrack I rebooted my workstation and removed the backtrack3 cd and showed it to him, as well as turning my laptop around to demonstrate that I was now back in OSX.

This seemed to make him happy. The only two people at the table that had any issue with it had arrived over an hour late to the meetup, and still did not have any issue with what I was doing until I captured someones credentials. I have no idea what they thought I was going to do when I said “I’m going to give a demonstration” – perhaps they thought I was going to show a powerpoint presentation, or give a talk – maybe in retrospect I should have said “I’m going to do a live demonstration” instead of “I’m going to demonstrate an attack”. At this point I can only speculate what I could have done to inhibit the rage that Roger and his friend demonstrated, screaming, yelling, threatening me with violence and destruction of property. I took it in stride. I figured someone would come to their senses eventually. Dante and I sat quietly watching this whole thing transpire, waiting for the rage to subside. I thought it was interesting that Roger was more upset than the guy whos credentials were captured.

Eventually people got tired, people decided it was time to go home, I shook hands with a lot of people, I exchanged business cards with them as well – it seemed that the meetup went swimmingly, with the exception of that little bit of bad business where I was going to get “punched in the face and my laptop smashed”. This was on a Friday or a Saturday night, if I recall, because the next morning I woke up to a fairly ghastly email.

Roger had written a long drawn out email to the mailing list, and CC’ed me – written in the context of a board member, or some other lofty authority figure, calling me out on “stealing passwords”.

WHOA WHOA WHOA – I thought to myself, when I left the meetup last night everything was kosher. People shook my hands, people took my business cards. He goes on to say how the group should form some sort of committee to talk about “what happened” and “how they’re going to address it”.

What? Did something happen after I left? What “needs to be addressed”? They’re talking like someone admitted to the group that they had a heroin problem and there needed to be an intervention.

I hit reply all and composed a reply telling Roger to calm down again, and going on to say that starting a witch hunt was a stupid way to express his frustration, and that it wouldn’t do any good because the “witch” wasn’t hiding. My reply went to Roger but not to the group – apparently my attempts to join the mailing list were not approved by the administrator.

After about 20 minutes, my phone rang. It was Roger. He called and in a very stern and angry tone of voice began scolding me for misbehaving at his meetup group. I explained again, ad nauseum this time that there was no issue – I apologized for scaring him and his friend, and hurting his feelings and posed a very simple question:

Do you think that I was actually being malicious? Do you think that after telling everyone at the meetup that I was trying to go into consulting that I would immediately thereafter start trying to capture their credentials? What do you think I would do with them anyway?

Roger was not interested in pursuing a logical line of questioning or reason. Nor was he interested in answering any of my questions or allowing me to speak. He continued to talk over me and insisted that I should “talk to the group” about it. I explained that I had tried, but all of my emails to the mailing list were rejected. He then admitted that he knowingly told members of the group false information about what had happened. He told me that he had other phone calls with other meetup members who were of a less technical nature and used phrases like “I don’t know what he captured” and “I don’t know, he may have seen everything!”.

At this point I lost my temper.

Do you realize what you’ve done? You’ve started a panic. You’ve told a bunch of people lies – why did you tell these people that I captured stuff? You know I didn’t capture anything but what you saw – you were sitting RIGHT ACROSS FROM ME. I even showed you that I rebooted. Why would you tell people that their credentials were compromised if you didn’t know? I thought we were friends! Why would you throw me under the bus like that? You could have called me and plainly asked me what I captured. You could have given all those people who had questions my phone number or email address and told them to contact me directly – but you didn’t. Instead you spread fear and doubt. Instead, you made up a story about “Dan the evil hacker” who came to your meetup group and “did something bad”, which apparently did not yield any results, hurt anybody, or cause any damage whatsoever. You’ve started a witch hunt.

After my rant, Roger agreed that he could have phrased things differently to the people he talked to before calling me. He called one member of the group – who is a blind person, and flat out told him “Go change ALL your passwords! I have no idea what Dan captured! he could be spying on you right now!”. From what I’m told the blind person went into a panic – because of what Roger told him, not because of what happened at the coffee shop. Again, when people exited the coffeeshop the night of the meetup – everyone was happy, and people exchanged business cards with me.

At this point Roger said something like “well, no harm no foul. I guess we can move past it. Friends?”

My response was “Are you out of your fucking mind? You just threw me under the bus to a room full of people, and now that I’ve proven you wrong using your own words you want to be friends? How the hell can I ever trust you again? If you ever came to one of my talks you would shit your pants and label me a terrorist, then call 911. I cant trust you anymore, you’re not my friend – you’re just a troll”

That was that. I hung up on Roger and never spoke to him again.

However in June of 09 I had just landed my first Sarbanes Oxley IT compliance audit. I was VERY excited. My client and I were exchanging the required paperwork when I got an email stating they had googled me in doing some due diligence and found a forum thread – created by Roger with a duplicate of what was on the mailing list. I told him the story, I linked him to the Qualcomm RefreshSD talk and said that to the best of my ability I was unable to put to rest two attendees of a meetup group who were absolutely terrified of information security. I encouraged him to read the threads and to see the inconsistencies – there were absolutely no replies from me – they had blocked me from being able to reply or retort, and people who were not even in attendance of the meetup joined in the fun to badmouth me, call me a script kiddie and make baseless accusations and tell stories about things that “may have happened”.

I thought I had lost the deal for certain – but I got a call back from my client and he explained that after reading the threads it was abundantly clear that these were baseless accusations and that “You cant believe everything you read on the internet”. I was happy to have the client move forward.

My stomach sank though. “Crap”, I thought. “This is a big deal – if clients are finding this when googling me before I start work – this means I’m going to have to explain this to *EVERYONE*. Oh man, this is going to suck.”

So I composed an email to Roger, and David:

Hello David,

I was notified today by a client of mine that there are some scathing remarks about me publically available on the socallinux.org forums.

I’d like for you to make those private.

It’s pretty clear that you and your LUG friends don’t like me very much – and that’s fine – you’re allowed to hold whatever opinions you want.

My problem is that I’ve been put in a compromising situation – a discussion thread that I have no part in writing pages upon pages of scathing remarks and labeling me as a “script kiddie” – I can also see that all of my responses to roger were not included, so the whole thing is even taken out of context and is one sided as my responses and arguments are nowhere to be found.

The bottom line it’s hurting my ability to freelance which is how I pay my bills and rent.

Whatever I may have done to slight you, Im certain it didn’t cause you any grief when it came to eating and paying for where you live.

I’ll ask you kindly to either remove the posts or make them private.

Thanks in advance

-Dan
atenlabs.com

It was ignored. I sent another letter after my first stating that when using the phrases “Not formally disclosing”, “When Dan set out to steal passwords” and “Doing things in secret” were outright lies – legally considered libel, and that they were hurting my ability to put food on the table. I used stern language in saying that if the mailing list items and forum posts were not taken down, I would be forced to come back with an attorney.

At that point I got a polite message back from Roger plainly giving me his address, phone number and other details – a symbolic way to say “bring it on”.

So I did. I hired an intellectual property attorney in Solana Beach who was referred to me by a family practice attorney. I spent a few days going over what had happened with my attorney – having him read the whole thread, showing him how ettercap works, how backtrack works and other technical details required to properly understand what happened, and what Roger and David chose to write – and how they GROSSLY differ.

My attorney agreed that Roger and David were being libelous, and composed a cease and desist letter stating the facts and asking Roger and David to at the bare minimum make the mailing list private. I had lost a handful of contracts already because of all the negative comments already, and I had to ’stop the bleeding’. I was quickly approaching bankruptcy.

Here is a copy of the cease and desist letter.

I asked that the letter be sent certified mail so that we could ensure delivery. About a week later my attorney called me to let me know that both letters, one to Roger Rustad and the other to David Kaiser were both rejected. I chuckled – they had called my bluff and failed. I asked him then to send it via email, and CC me – which he did.

Two days after that happened, the forum on their site dissapeared. I had considered it a victory, and stopped thinking about it. I was traveling and I got a phone call from another perspective client who wanted to have a black box penetration test done against software they were developing. “Wonderful!” I exclaimed, and we exchanged NDAs and service contracts and began talking on the phone.

A couple days into the talks, I get a call from one of the other contracting companies in on the deal – they tell me that this client googled me, found some mailing list items about “some dispute”, and got cold feet – thereby abandoning the contract.

I was infuriated. I googled myself and found what exists today – a single thread on a mailing list where my full name is used very often – the same baseless allegations and accusations are made – dating all the way back to December of 2008.

I called my attorney back and asked him what I should do. He explained that immediately to take them to court over it could easily cost 10 to 15 thousand dollars and it may be months before the case is accepted into court, and it could be even longer to get a judgement against them. I sighed, wishing I had the money to move forward, and we agreed to put the case on hold until I was able to save up enough money to proceed. I’ve since started a savings account for this.

In the mean time, I had hired some friends who are SEO experts to help me at the very least bring to light all of the presentations, the community leadership, free audits and other things I’ve done in the last 5 years to help bring the tech community here together, and help spread an air of welcome and open learning.

After a couple weeks I had started making a lot of good progress – until one day I noticed that new entries in their mailing list had caused the thread in google to float higher in the rankings. I read it – Roger and David had began writing back to the mailing list describing how I was building a case against them for libel and defending themselves to their friends – using MORE libel. Since I had, and still have absolutely no input on that thread (They’ve since firewalled me) I cannot even issue a rebuttal on their list. Soon afterwards I started seeing things like this spammed in the comments on a handful of blogs I write on:

Whaaaaat? I looked up that IP and it’s the general area that Roger lives in. Roger full on decided to start a blackhat SEO campaign against me. He just couldn’t leave it alone. I followed the link to the blogspot URL and I saw this:

I was a bit taken back – Perhaps my first cease and desist to Roger didn’t really sink in – I was explaining legally that I was going to pursue a lawsuit against him for damages, being able to cite in writing dollar figures for clients that walked away who directly cited his writings and Davids writings. Now he does this? SEO suicide? Does he like it in court? What? I’d love it spelled out for me.

The situation instantly changed from “Trolls on the internet” to  ”I’m being attacked on the internet for no good reason, years after the fact”.

The next occurrence was again something that made me recoil – A member of BarCamp San Diego chiming into a completely unrelated mail thread directly citing Rogers email thread, calling me out to be a “fox in a henhouse” as a reply to my email about Zipline coming online. The accuser being one of a handful of people who tried to execute a coup de tas against BarCamp San Diego a few years ago. Again, entirely not surprising. It seems all this negative energy directed at me by Roger and David has garnered the attention of other folks who think badly of me. Again, best I can do is chalk it up to convergence theory – trolls “going with the crowd” – people attacking me for fun solely because other people are doing it.

This was a lot easier to control as I was actually able to respond to the thread. The conversation did not last long as the more that Roger and Hober talked, the clearer it became that this was about hurting me in the public eye. Their goal was to make me hurt in the pocketbook – and they accomplished that goal. All the negativity spread by Roger and Hober caused clients to walk away from me. Roger even attacked BarCamp directly, trying to link the spotless reputation of a wonderful tech community in San Diego to his previous baseless allegations of me being somehow evil. It was because of his aggressive and warrantless attacks on BarCamp San Diego that security turned him away at the door.

One of the subjects in the longer version of my  How Not to be a Freelancer talk was to mention “Never do business as yourself, get a fictitious business name, or an LLC”. I briefly mentioned it – but this whole debacle is directly what that bullet point addresses. I should have bought an LLC in the beginning and worked under the company name – I’m now paying the price.

Dan Kaminsky said it best “You can’t join the war, then walk out on the battlefield and expect NOT to get shot”.

This morning (Feb 9) I got call from Road Runner – my ISP. They explained that they had received a complaint that someone was “attacking” someone else from one of my IP addresses. I was told this happened at something like 3:15 in the morning. I asked the caller for more information, so I was sent a small excerpt from what looked like an apache log file which had no destination host information whatsoever. It was something like ten lines deep and contained a very old and poorly executed directory traversal attack, which appeared to be unsuccessful. I rolled my eyes. Anyone could do this to their own webserver, and then use a one-line regular expression in VI to forge the source IP. At 3:15 in the morning? On a weeknight? The same Night I had picked up my girlfriend from LAX? I’d be up at 3:15 in the morning trying to hack someone and not spending time with my girlfriend? Seriously?

Looks like Roger and David are up to no good – again. They aren’t happy leaving me alone at this point, with the damage they’ve already done to me. Its abundantly clear that whenever their standard troll lifestyles come grinding to a halt, I’m that torch they can pick back up again and wave around. I exist to these two solely as a toy.

My speculation is that its convergence theory – the idea that someone speaking to a crowd can influence the crowds direction – as very clearly made evident by the non-technical fellowship their group is comprised of, as well as the well-documented evidence that if left alone their stories get more and more audacious. Even now I’m seeing Rogers friends message me directly on twitter in an attempt to further yet MORE baseless accusations.

At this point I have to identify what is really going on here. I’ve spent so much time in ‘defensive’ mode trying to do damage control, I didn’t take the time to do any due diligence on my attacker(s). After about half an hour looking around on the internet, I was able to find some facts – entirely NOT surprising facts:

Roger Rustad is new to linux.

Roger Rustad has directories full of “newbie documents” (And another!)

Roger Rustad is very new to linux, again

Roger Rustad demonstrates his lack of ability to google for an answer

Roger Rustad doesn’t know that you can get viruses by email

Roger Rustad is a self-proclaimed “linux hippie”

How could someone who is so green when it comes to networking and linux think that they could accuse people of being so evil – especially when they don’t understand the accusation? Why on earth is it Roger who’s doing all this attacking and not the guy whos credentials I captured? That guy I’ve never heard from again!

I’m not even sure what their endgame is – capturing traffic is not an end, its a means. When REAL attackers, REAL blackhats capture credentials they do it by the thousands. By the TENS of thousands. Attackers then use these captured credentials to send phishing emails in attempts to somehow steal money or other valuable information, or further compromise the accounts to send more malware or spread botnet code. Real attackers don’t go to coffee shop meetups and share the credentials they captured.

Every time I try to think through why they would want to do this the end I come to is “purely for their own entertainment”. They stand to gain nothing, I don’t have a competing business, I’ve left them completely alone – and even my attorney agrees with me that what they’re doing is grounds for a lawsuit.

Michael Caine said something that sums this situation up nicely, in a movie he was in a while ago:

…Because he thought it was good sport. Because some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn.

The easier it gets to write code(scripting, really), the sloppier it gets and the more insecure it gets.

We can see this because of the prevalence of sql injection, cross site scripting and error handling in the ever expanding catalog of new sites appearing on the internet.

I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes.  I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay is all phoned-in.

These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine noticed something – the android foursquare application communicates unencrypted, using apache’s ‘basic’ authentication.

For those of you who aren’t sure what that means, here’s the breakdown:

The most basic form of authentication apache uses is called ‘basic auth’. All it does is take your credentials and encode them using base64 – the same encoding used for email attachments. Encoding is not encryption. You can decode this in seconds. There are even apps that will do it for you if they see a base64 encoded string.

@quine asked me to do a packetsniff on my phone, so I plugged my G1 into my notebook, fired up adb and got a shell on my phone. Tcpdump -s 65535 -A -l -nnnvvv  showed me this

11:18:35.553924 IP (tos 0×0, ttl 64, id 54010, offset 0, flags [DF], proto TCP (6), length 286) 25.97.11.256.39819 > 174.129.33.12.80: P, cksum 0xc5e2 (correct), 1:247(246) ack 1 win 2920

E…??@.@.r..a.?.!….PDH?.????P..h??..GET /v1/user?mayor=0&badges=0&geolat=31.123456&geolong=-110.123456&geohacc=5000.0 HTTP/1.1

User-Agent: com.joelapenna.foursquared 2010011401

Host: api.foursquare.com

Connection: Keep-Alive

Authorization: Basic T2hUaGlua1lvdXJlOkNsZXZlckRvbnRjaGEK

UHHH.. that ‘Authorization: Basic’ line there are my credentials. Right along there with my GPS coordinates! They’re sent with nearly every request. In the clear! Wow – I’m never using my phone on unencrypted wifi again.

To decode base64 one must merely copy/paste the encoded string into any one of a handful of different decoders. We used this command line on osx:

echo ‘<base64 string>’ | openssl enc -base64 -d

There are applications that exist now, like dsniff, which will deobfuscate the credentials when they’re seen on the lan or over the air. This is pretty bad. There’s no other way to put it. Thanks to @jennyjenjen for meeting up with me to test it on the iphone, which uses the same API, and is just as vulnerable.

My suggestion: If you’re going to use foursquare on your mobile device, make sure you’re not using open coffeeshop wifi spots, and you’re using your carriers 3g/cdma/gsm/etc internet connection. This will protect you from the potential of people sniffing credentials on your lan. Or, have a look at zipline!

With the information that I know now (12:40am, 12/18):

The host which contained the landing page was hosted with bluehost. This tells us a few things

• They didn’t have the infrastructure to do packet captures, or credential theft. Bluehost does shared hosting.
• Any attempt to do so would have thrown TONS of SSL errors, and very likely DDoS’ed the server hosting the landing page. (Twitter had HUNDREDS of servers, these guys had 1.). All of your twitter apps would have thrown errors, or flat out stopped working.
• Twitters security infrastructure was left untouched, and was not a target of the attack.

I’ve been watching twitter scroll with sensationalism and panic, people yelling “OH GOD TWITTER GOT HACKED EVERYONE CHANGE YOUR PASSWORDS NOW”.

Please – don’t do that.

Its going to make everyones job harder who have to work on this situation, it incites panic and causes people to prematurely flip out and do things they probably shouldn’t do.

I’ve had to deal with this in the past – people throwing their arms in the air and screaming about passwords being compromised when they in fact weren’t. It did not end well.

Please – think before you hit send.

I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home where I know nobody is running a packetsniffer. The trouble with SSH tunnels though is that they’re fickle, and often drop. I wanted a better solution – so I made one.

www.atenlabs.com/zipline

Right now its pretty much just a VPN. My goals are pretty straight forward

• Obtain subscribers, and offer excellent service
• Grow the product, then upgrade the hardware and bandwidth
• Value-Adds, like in-line antivirus, antispam, malware etc – make the product SAFER
• Bolt on business-class solutions like traffic shaping, packet prioritization and SLA guarantees.

My inital product pricing will be something like this:

• $15/mo or $150 a year for the base package (You save 2 months worth by buying a year in advance)
• $25/mo or $250 a year for higher packet priority
• Business class services – still working this one out.

I’m totally open to collaboration. I built this for myself, and my friends – so that we could feel secure using sites, and applications that were built insecurely on public wireless networks without fear of someone capturing our credentials, or snooping in on our traffic (e.g. airpwn, ettercap, goatseAP and the others)

Ideas? Comments? Hatemail? Drop me a note!

If you read anything these two post on socallinux.org you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by google, and mirrored by list-serv they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason the SEO goes up.

This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and google cache results all parroting the original messages.

Google is like the force. It can be used for good and evil. In this example, we’re looking at using it for evil.

I never really took personal branding seriously until it bit me – and upon this realization immediately found a pretty blatant ‘vulnerability’. Well, it’s not REALLY a vulnerability, it preys on peoples inclination to believe what they read as fact and not take any time to check up on it – so it’s more like a social hack, or social engineering. This presents an attack vector that historically could only be used by larger media outlets.

Now, we have google, and google cache – these tools can be used to make someone miserable for a long period of time, or sway peoples opinion on things – or to make people believe whatever you choose.

Google your name. Seriously – open a new tab and type your name into google – see what comes up. Go at least 3-5 pages deep.

Is there anything in there that would prevent a company from hiring you, or a new client from signing a contract with you?

There isnt? – well thats a good sign!

What if I started writing emails on a tiny, but public email list (like listserv, or google groups), or wrote a few blog posts talking about how evil you were, and some evil things you’ve done – even if you’d done no such evil? That might not fare so well for you the next time someone does their homework on you.

“But thats libel” you say. True, that is in fact libel. People lying about you in print.

“You can sue for that!” Yep – you can! It’ll cost you, probably in excess of 5 or 10 grand and you’ll end up with a court order to the defendants issuing them to take down whatever needed to be taken down (Unless you sue for damages – for example if you can prove that clients walked away from you and companies won’t hire you because they found this stuff on google).

“Wow thats a headache” It absolutely is.

The bottom line is unless you’re prepared to throw 5-10 thousand dollars at the problem you won’t be able to do much other than ask nicely, and if asking nicely doesn’t get the job done you’re sorta boned. If you do have the money though, libel is libel – and if you can prove in court its libel, you win. Period.

So in summation: Using google to attack people, hurt brand names and generally troll has a VERY high success rate – but  you’re liable to get sued.

From the beginning I got their “Business class” cable. It was 150/month for what I needed. The cablemodem would randomly drop its signal leaving me with no connection and customers that were down. It still does it. With no explanation from Time Warner.

The contract I signed with them was for 1 year. Within that year, they were contractually obligated to an SLA and some other things, and during that year it was pretty easy to get them on the phone, and get them to respond to issues I’ve had with their (terrible) service. Once that contract ran out, however – suddenly it was like pulling teeth to get my ‘accounts manager’ on the phone. When I did track down the guy he told me that it was someone elses job now and to go deal with them – but they were nowhere to be found either.

It’s now been just a tick over four years I’ve had this line with Time Warner. I should also explain that running a business out of my home, I had two accounts on the same physical line – a home television account (which I’ve cancelled) and the business internet account. The sad part is that apparently they have no system to keep track of these things and the installers really could care less because they’re practically anonymous.

A few months ago I cancelled my cable and took the leap to watching what I’d normally watch on TV, on sites like hulu. This saved me over 100/mo. I’ll describe what I did

• Paid my final bill (which was in excess of $200), bringing my balance to 0.
• Called Time Warner, Cancelled my cable. They told me that as long as I had the cable box, the billing would continue.
• I returned the cable box 3 days later.
• A month goes by
• I get another bill from time warner for 90 dollars.
• I call asking about the bill, wondering what it was, and the following conversation transpired:

I’m sorry sir, you still had basic cable, thats what the bill was for.

I don’t understand. Why did I still have basic cable?

I don’t know, sir. Its just what the system shows.

Does your system show that I called and cancelled my cable?

Yes, it does

So why didn’t you guys cancel my cable?

Sir, you could have plugged your tv into the wall and gotten basic cable, that’s why you were charged.

Why would I do that if I EXPLICITLY called to cancel my cable?

I don’t know sir, thats just what my system shows.

Isn’t basic cable something like 12 dollars a month?

Something like that, yes.

So how on earth could I amount a 90 dollar bill in a month with only basic cable, AFTER I’ve asked you to cancel my cable?

I don’t know sir, you’ll have to talk to someone else about it.

• Now I’m getting BOTH bills from Time Warner *AND* the collection company they’ve hocked me out to. The last time I sent someone to collections (yes, I’m a business owner too, and I’ve had to deal with people who don’t pay) the procedure was to take the money the collections people give you and let them keep what they collect from the victim. Time Warner wants me to pay them *AND* the collection agency? This is completely absurd and completely not acceptable.

The best part is that when I cancelled my television account with Time Warner they sent a truck out to disconnect the line – the same line I use for my business internet. This brought me down for a day and I was furious – I called them and again, they had pretty much nothing to say. I’ll be running this one up the flagpole, recording all my conversations with them and posting everything. I’m looking forward to posting audio of their representatives basically telling me “We’re bending you over the sink for 90 dollars, and we dont know why”.

EDIT: Also, I’ve been noticing that to their consumer market they’re offering ‘24 megabit gaming service’. They have failed to explain why consumers that pay 20/mo can get nearly twice the bandwidth a business account can get, and adamantly refuse that its possible to do what their own ads are saying. I get these in the mail, you see. Against my will. I get ads from a company I already have products from, advertising to me WHAT I ALREADY OWN.

• Mckt decided to leave early, and gave me his speaking spot, which I took. Before I was able to speak, barkode approached me and kindly asked me to give my speaking slot to his panel since they desperately needed more time. I agreed. I went from speaking, to not speaking, to speaking to not speaking in one day. I was still a little sad to not be able to give my peoplehacking talk though.
• Jolly approached me starting out his query with “So Viss, you’re a social engineering guy…” and explained how he wanted to pwn the counting jar contest (explained below)
• I met a really neat guy from San Francisco that lapses into a really bad scottish accent when I do my really bad irish accent. This made all the dinners and parties we went to hilarious.
• I spent some time in the lockpicking village teaching new folks how to pick locks (this is fairly standard for me at this point)

Jolly comes up to me with a few friends and asks “So we want to pwn the counting jar contest”. I smile. We step out onto the balcony outside and I start going over ways on how to sleight-of-hand the jar off of the table and replace it with a duplicate. After about 10-15 minutes of showing them techniques, it’s clear they aren’t really into the sleight-of-hand method. I talked a little bit about distraction methodology and how to get the target to turn their back on the jar and after another volley of ‘meh’ responses I said “Fine. I’ll go distract them, YOU nab the jar.”. They smiled.

I approached the counter and asked the people sitting behind it if I could get their picture:

You can see Jolly in the background on the right making the switch.

Poof! A jar appears!

I didn’t get to talk about social engineering, so I just did it instead.

I did however leave the con with a warm sense of friendliness and a brain tingling from stimulation. I love the smaller hacker cons because there is so much insightful conversation and so many awesome smart people to talk to, meet and hangout with. I always leave these things feeling a deep sense of gratitude.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.

People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The problem here is that they advertise themselves as “technical solutions” to their clients – so the problem cascades – lots of sites/apps that go online with very very poor security which ultimately get compromised. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let “someone else” worry about it. Guys, If YOU aren’t going to worry about the safety of your own data, NO ONE ELSE WILL. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.

These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.

Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.

Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.

• Non technical people whos requirements and behavior are insecure and promote systems being rooted
• Systems with lots of various services running on them
• A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
• Commonly used software being exploited within a week of a patch.

Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:

• “Business people” like the idea of getting rid of systems administrators and IT overhead
• “Cloud Computing” does not have a security model yet
• There are no standards – this stuff is too new
• Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”

.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.

So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.

I’m not the only one, either…

http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed – Black Hat hackers mouths are beginning to water.

http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon17 “clobbering the cloud” talk. they pwned amazon ec2.

http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud (you’re not supposed to be able to get a shell on rackspace’s cloud).

So you tell me, guys – what’s it going to be?

message ends