I’ve been watching the xoom for a few months now, smiling, grimacing, laughing, complaining – as the rumors and news dribbled out.

First Impressions from the first 12 hours:

PROS

• its FAST. I mean FAST.
• Angry birds goes very very fast. I presume I’ll be spending a lot of my bored-time screwing with it.
• I’m now in something like a dozen concurrent games of words with friends.
• The first thing I noticed was that it supports full-disk encryption. I turned that on right away.
• The calendar app is awesome, very fluid and easy to use.
• I can very nearly type two handed on the keyboard as if it were a regular computer keyboard. I’m certain this will improve with time, I’m making a ton of typos.
• I can video-call my fiance in england from ANYWHERE using google voice chat. Its glorious and awesome. I propped the thing up between the shifter and the dash in my car to test it, and sitting in traffic it was high res and clear, high frame rate. We’re finally in the future – I can internationally video call from the car for free.
• I love that in video-chat you can switch back and forth between the forward facing and the rear cameras. That right there will be EPIC for any instance where you need someone to show you something, and they want to see where the camera is pointing. Normally (like on laptops) this means having to point the screen away from you, so you’re filming but you can’t see what you’re filming.
• There was a root howto up less than 6 hours after I bought it.
• Using it as navigation in the car is BEAUTIFUL. That alone makes me want to build a mount for it so its held properly.
• Using it as a giant touchpad for my windows/gaming box which is plugged into my 50″ tv is GLORIOUS. It works as a giant touchpad (link). I will be using this A LOT.
• It supports multiple google accounts, allowing one to use personal and multiple ‘other’ accounts at once. This is particularly useful for me as I’m a contractor/consultant and I often have to manage multiple accounts.
• Its been said this thing will support usb host mode, meaning I should be able to plug
• One chief complaint I’ve read was that apps that were ‘made for phones’ look ‘stretched and bad’. Well, the ones I use actually look BETTER. Like wifi analyzer, tweetdeck and antennas. GPS test plus looks RAD!
• Another complaint people had were that the speakers faced back – I just hold it cupping the speakers and it channels the sound towards me. I’m half tempted to make a couple little ‘ears’ for the thing out of hard plastic that channel the sound forward, and double as an angular stand. Maybe one whole thing that does that plus has a kickstand (HINT HINT PEOPLE WHO HAVE MANUFACTURING CONTRACTS)
• I feel a lot less constrained – I imagine my phone now will not need to be checking twitter/email/gtalk/etc and I’ll be doing that on the xoom, so my phones battery should last longer.

CONS

• It cant see my jawbone jambox for some reason. It can see my laptop and my phone, but not the bluetooth speakers (!?!?! no idea. I’ll wait until I get my ubertooth zero to find out wtf.) No Idea what I did differently this time, I got it working. *shrug* – sounds badass too
• I can’t control my parrot ar.drone with it (yet) because I need to find a hack allowing the xoom to associate to ad-hoc networks – though theres another way around this by making the ar.drone associate to an infrastructure AP
• Skype doesnt support video calls (yet)
• I really like the HTC clock on my incredible. I want it on the tablet!
• Now that its rooted, I want to stream movies from my drobo – I can do that on my phone by using cifsmanager, which drops a kernel module in enabling cifs client support – so apps simply think theyre pulling from local storage. After installing it, the xoom said ‘this application isn’t installed’ when I tried to run it. Weird.
• I cant shake the feeling that I absolutely need to find a way to block the in-app ads. Even on a tablet, they take up a lot of real estate.

TODO

• Try to get nmap running
• Try to install debdroid, see what happens
• Look into seeing what it would take to get pyrit or the aircrack suite running on this thing
• I WANT DRIFTNET FOR THIS PLATFORM \o/
• I want to setup ettercap + sslstrip + daemonlogger on this platform
• I want to see a REAL site survey tool for this platform, like visiwave. That would be EPIC. I’d buy that in a heartbeat.
• A good ‘dual pane’ (like email) google reader app
• Need to see if I can turn it into a remote display for my mac or another computer.

More to come as I learn!

If you read anything these two post on socallinux.org you can quickly determine they use this mailing list to defame whomever they choose – and because their mailing list gets both spidered by google, and mirrored by list-serv they get pretty much automatic SEO. Multiple domain names replicating messages. And if the mailing list gets any activity for any reason the SEO goes up.

This is like a troll sniper rifle. You want someone to go down in flames, or you just want to make them real miserable? Talk smack about them somewhere that gets spidered by google and replicated to other sites. If anyone googles them, they’ll find listserv messages, mail-archive.com and google cache results all parroting the original messages.

Google is like the force. It can be used for good and evil. In this example, we’re looking at using it for evil.

I never really took personal branding seriously until it bit me – and upon this realization immediately found a pretty blatant ‘vulnerability’. Well, it’s not REALLY a vulnerability, it preys on peoples inclination to believe what they read as fact and not take any time to check up on it – so it’s more like a social hack, or social engineering. This presents an attack vector that historically could only be used by larger media outlets.

Now, we have google, and google cache – these tools can be used to make someone miserable for a long period of time, or sway peoples opinion on things – or to make people believe whatever you choose.

Google your name. Seriously – open a new tab and type your name into google – see what comes up. Go at least 3-5 pages deep.

Is there anything in there that would prevent a company from hiring you, or a new client from signing a contract with you?

There isnt? – well thats a good sign!

What if I started writing emails on a tiny, but public email list (like listserv, or google groups), or wrote a few blog posts talking about how evil you were, and some evil things you’ve done – even if you’d done no such evil? That might not fare so well for you the next time someone does their homework on you.

“But thats libel” you say. True, that is in fact libel. People lying about you in print.

“You can sue for that!” Yep – you can! It’ll cost you, probably in excess of 5 or 10 grand and you’ll end up with a court order to the defendants issuing them to take down whatever needed to be taken down (Unless you sue for damages – for example if you can prove that clients walked away from you and companies won’t hire you because they found this stuff on google).

“Wow thats a headache” It absolutely is.

The bottom line is unless you’re prepared to throw 5-10 thousand dollars at the problem you won’t be able to do much other than ask nicely, and if asking nicely doesn’t get the job done you’re sorta boned. If you do have the money though, libel is libel – and if you can prove in court its libel, you win. Period.

So in summation: Using google to attack people, hurt brand names and generally troll has a VERY high success rate – but  you’re liable to get sued.

• Mckt decided to leave early, and gave me his speaking spot, which I took. Before I was able to speak, barkode approached me and kindly asked me to give my speaking slot to his panel since they desperately needed more time. I agreed. I went from speaking, to not speaking, to speaking to not speaking in one day. I was still a little sad to not be able to give my peoplehacking talk though.
• Jolly approached me starting out his query with “So Viss, you’re a social engineering guy…” and explained how he wanted to pwn the counting jar contest (explained below)
• I met a really neat guy from San Francisco that lapses into a really bad scottish accent when I do my really bad irish accent. This made all the dinners and parties we went to hilarious.
• I spent some time in the lockpicking village teaching new folks how to pick locks (this is fairly standard for me at this point)

Jolly comes up to me with a few friends and asks “So we want to pwn the counting jar contest”. I smile. We step out onto the balcony outside and I start going over ways on how to sleight-of-hand the jar off of the table and replace it with a duplicate. After about 10-15 minutes of showing them techniques, it’s clear they aren’t really into the sleight-of-hand method. I talked a little bit about distraction methodology and how to get the target to turn their back on the jar and after another volley of ‘meh’ responses I said “Fine. I’ll go distract them, YOU nab the jar.”. They smiled.

I approached the counter and asked the people sitting behind it if I could get their picture:

You can see Jolly in the background on the right making the switch.

Poof! A jar appears!

I didn’t get to talk about social engineering, so I just did it instead.

I did however leave the con with a warm sense of friendliness and a brain tingling from stimulation. I love the smaller hacker cons because there is so much insightful conversation and so many awesome smart people to talk to, meet and hangout with. I always leave these things feeling a deep sense of gratitude.

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.

People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The problem here is that they advertise themselves as “technical solutions” to their clients – so the problem cascades – lots of sites/apps that go online with very very poor security which ultimately get compromised. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let “someone else” worry about it. Guys, If YOU aren’t going to worry about the safety of your own data, NO ONE ELSE WILL. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.

These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.

Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.

Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.

• Non technical people whos requirements and behavior are insecure and promote systems being rooted
• Systems with lots of various services running on them
• A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
• Commonly used software being exploited within a week of a patch.

Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:

• “Business people” like the idea of getting rid of systems administrators and IT overhead
• “Cloud Computing” does not have a security model yet
• There are no standards – this stuff is too new
• Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”

.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.

So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.

I’m not the only one, either…

http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed – Black Hat hackers mouths are beginning to water.

http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon17 “clobbering the cloud” talk. they pwned amazon ec2.

http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud (you’re not supposed to be able to get a shell on rackspace’s cloud).

So you tell me, guys – what’s it going to be?

message ends

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk

I’ve decided that it’s in everyone’s best interests to at least have a dialog about security. That being said I’m now offering free consultations! To my amazement I’ve even had a few people turn down FREE HOURS from me. For the first time in quite a while I was literally without words.

I thought it best at that point to illustrate exactly what I mean by security.

• This is a screenshot of the last ten days of SQL injection exploits posted to milw0rm.com. This is *ONLY* SQL injections, not any other vulnerabilities (for everyone that thinks using magic_quotes_gpc is safe, think again (and again and again)
• Securityfocus, which is a major vendor for security information has its own section JUST for Microsoft Vista.
• ONE command line will give you a command shell on a vulnerable windows machine. That leads to installing malware, stealing passwords, reading emails – the whole nine yards – just like theyre sitting AT your computer, or on your server.
• Using WEP for wireless security is a joke. If you don’t use WPA you may as well not bother encrypting. That also leads to people sniffing your information out of the air – passwords, credentials, AIM/Yahoo conversations – everything.
• The web2.0 community is just making things worse by being willfully ignorant

The point I’m trying to get across is that security isn’t just installing a virus scanner and an adware scanner and making sure your system is free of viruses. Code is developed every day that exposes crucial information to the world, which is then indexed by google. Security isn’t just about viruses, its about making your private information stay private – in all cases. Error messages that leak information such as filenames, database names, database tables, usernames etc just help attackers gain further entry into systems.

I do more than just security work – I’m a full-fledged Systems Architect with over ten years of experience in the field. Once you build a large scale enterprise environment, it has to be secured, right?
Every once in a while during conversations at meetups I tell people that I’m a Security Researcher and a Systems Architect and they end up asking me later “so what do you actually DO?”. So heres a short list:

• Information Tecnhnology(IT) and Information Security(InfoSec) consulting: working directly with sales, marketing and PR departments to coach bloggers, twitter users and writers on what terminology to use, what new technology is out there, what is safe, what isn’t safe, figures and reports on the latest attacks, bot nets, viruses and other threats influencing the world
• MSSQL and MySQL database administration, design, tuning, and security
• Designing networks: switches, routers, firewalls, intrusion detection, backups, redundancy
• Workflow Management: Setting up HRIS systems, ticketing systems, automating things like installations, software deployments, antivirus and other workstation maintenance procedures, creating a documentation repository using mediawiki
• Emerging Technologies: Staying abreast of all new versions of software and hardware available, defining when and what to upgrade, planning upgrades, defining when and how to scale, choosing the right hardware and software for the job, identifying when to decommission old equipment or software and how execute it
• Security: Staying abreast of all current and anticipated versions of software frameworks, firmwares, networking and phone equipment, defining what software and appliances need to be secured and or upgraded, defining what network resources get deployed where in the clients landscape and subequently documenting everything along the way

There is no environment alien to me, no operating system I do not have experience with, no development/scripting language I have no experience with and there is no limit to what can be done with the proper resources.

The Rates for hours at AtenLabs are fiercely competitive and in our wake we leave nothing but courage, confidence, and smiling clients.

If you’re even thinking about contacting us for us for a free consultation – stop thinking and contact us.