I know I do. Up until now I’ve been using SSH tunnels to get my traffic back home where I know nobody is running a packetsniffer. The trouble with SSH tunnels though is that they’re fickle, and often drop. I wanted a better solution – so I made one.

www.atenlabs.com/zipline

Right now its pretty much just a VPN. My goals are pretty straight forward

• Obtain subscribers, and offer excellent service
• Grow the product, then upgrade the hardware and bandwidth
• Value-Adds, like in-line antivirus, antispam, malware etc – make the product SAFER
• Bolt on business-class solutions like traffic shaping, packet prioritization and SLA guarantees.

My inital product pricing will be something like this:

• $15/mo or $150 a year for the base package (You save 2 months worth by buying a year in advance)
• $25/mo or $250 a year for higher packet priority
• Business class services – still working this one out.

I’m totally open to collaboration. I built this for myself, and my friends – so that we could feel secure using sites, and applications that were built insecurely on public wireless networks without fear of someone capturing our credentials, or snooping in on our traffic (e.g. airpwn, ettercap, goatseAP and the others)

Ideas? Comments? Hatemail? Drop me a note!

I was late to hear – by a day. Thats 10 years in internet time, we all know. If you’re not in InfoSec you probably didn’t hear. Maybe you heard somewhere, irc, twitter, other bits of the intarnets that Kevin Mitnick got hacked. Everyone chuckled. As it turns out a whole bunch of people got compromised. People I know personally who I consider friends. Rob Fuller, Dan Kaminsky, the Hak5 group and a handful of others, including Kevin Mitnick.

Personal details were revealed, emails, chat logs – pretty scary stuff – and very sobering. A clear demonstration that things like cross site scripting and the spreading of malware (likely for the use of cascading spam or addition to botnets) is the least of our problems. Also clear proof that people who consider themselves security folks have to be very wary of using creature comforts such as reusing passwords or even operating a wordpress blog (3 updates in a month?! and 2.8.2 is vulnerable? gaw!).

The textfile the group distributed was called zf05.txt and after skimming it’s abundantly clear that wordpress played a huge part in these folks getting rooted. Almost every example was sort of an ‘all in one’ server that was used for ‘whatever’. Its also become clear that jam packing one server with a bunch of services makes it more vulnerable to compromise. Ever heard of KISS? “Keep it simple, stupid”. It’s used very commonly among engineers, computer people – you name it. Anyone that has to build things or design things. The minute you start adding complexity for no reason the proverbial altimeter begins its decline.

People who fake tech exacerbate things. There are groups that call themselves “tech” when in reality they are simply PR or Marketing. The problem here is that they advertise themselves as “technical solutions” to their clients – so the problem cascades – lots of sites/apps that go online with very very poor security which ultimately get compromised. The Web 2.0 craze has hypnotized people into putting almost everything they think and do ‘behind the scenes’. They let “someone else” worry about it. Guys, If YOU aren’t going to worry about the safety of your own data, NO ONE ELSE WILL. Some ruby programmers I’ve met are incapable of manually issuing a sql query. Others are incapable of interacting with sql unless they have phpmyadmin. These folks generate a requirement to artificially make systems more complex and less secure entirely to suit their evergrowing hatred of looking things up themselves or actually learning anything about the technology they use every day. The easiest way to think about it is this: Think of some people. Now think of these people all owning cars. Think of these people now requiring something as simple as an oil change, a tire change, or a simple tune up. Now think of these people taking their cars to a shop to get work done – for whatever reason: maybe they lack the tools, maybe their HOA doesn’t allow them to perform work on their cars on the grounds (those HOA people desperately need to be stabbed in the lungs, by the way) or maybe they just don’t know how. Now lets imagine these people have the work done, and are talking to the mechanics as they are preparing the invoice behind the counter. The mechanic begins to explain how their oil was changed, and these people abjectly refuse to learn or understand how this works even from a top-level non-technical aspect – they plug their ears and yell “NO! NO! AAALALALALA!! NOT LISTENING NO NOOOO! ALLALAAAAAA!”.

These people strongly support a fancy new term. “Cloud Computing”. Cloud computing will make this worse for everyone.

Let me jump away for a moment. I’d like to point out a fact. The attackers that distributed zf05.txt made a valid point – a point I’ve tried to make to peers, friends and clients alike – If your site/data are on shared hosting and you consider them secure that may mitigate some amount of risk. But if the other people hosting their data are vulnerable and your data is on the same system, you’re still vulnerable.

Now we have some ingredients – lets make a stew. Lets take these bits of information and put them all together and let it simmer.

• Non technical people whos requirements and behavior are insecure and promote systems being rooted
• Systems with lots of various services running on them
• A new trend of mashing these systems together to form giant systems that do the same thing, ending up being bigger and more powerful
• Commonly used software being exploited within a week of a patch.

Mix in a bowl with a wisk until creamy. Add a teaspoon of extra virgin olive oil to a cast-iron skillet. Add a bit of freshly cracked pepper to the oil and some freshly pressed/minced garlic. Let simmer until the pepper and garlic begin to bubble, then pour the mixture from the bowl into the skillet and add a squeeze of fresh key lime if you wish. Cook until firm or golden brown, flip once, then serve! Let stand for 10 minutes to cool. What do you get? What does it smell like? (Well if people actually taste of chicken then that may make one hell of a breakfast omlette). We dont know. Here’s why we don’t know:

• “Business people” like the idea of getting rid of systems administrators and IT overhead
• “Cloud Computing” does not have a security model yet
• There are no standards – this stuff is too new
• Far too many people are comfortable being hacked, and say “oh there’s nothing important on that sit/box”

.. Really, guys? You don’t use that same wordpress password everywhere? For your bank, for gmail, for your car insurance or your mobile provider to login? If a blackhat gets that password you’re really okay with it? If thats the case, I’d like you to kindly leave the internet, never to return. Please – do us all a favor, for the people that like keeping their privates private and their secrets secret, go away.

So we’re going to take all of these insecurities, vulnerabilities and holes – package them up with non-technical people demanding insecure practices so that they don’t have to learn or think and we’re going to replicate this ad nauseum and store the results in one gigantic computer grid system? Awesome. Maybe I should trade in my whitehat for a black one – since thats obviously where all the focus, media, fear and money are going to be. Or maybe I’ll just make my white hat bigger – perhaps people will come to their senses and listen to fact and reason. Perhaps not. I guess we’ll see.

I’m not the only one, either…

http://darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139&cid=RSSfeed – Black Hat hackers mouths are beginning to water.

http://www.sensepost.com/blog/3706.html – open the ppt, this was the defcon17 “clobbering the cloud” talk. they pwned amazon ec2.

http://evilpacket.net/ – see the ‘theft of a rackspace cloud api key’. These guys got root on the rackspace/mosso cloud (you’re not supposed to be able to get a shell on rackspace’s cloud).

So you tell me, guys – what’s it going to be?

message ends

I’ve been very vocal in the last year about what I do – to the point it manifests itself as talks I give during BarCamp (LA and San Diego), and Refresh San Diego which is held at Qualcomm. Here is my most recent talk

I’ve decided that it’s in everyone’s best interests to at least have a dialog about security. That being said I’m now offering free consultations! To my amazement I’ve even had a few people turn down FREE HOURS from me. For the first time in quite a while I was literally without words.

I thought it best at that point to illustrate exactly what I mean by security.

• This is a screenshot of the last ten days of SQL injection exploits posted to milw0rm.com. This is *ONLY* SQL injections, not any other vulnerabilities (for everyone that thinks using magic_quotes_gpc is safe, think again (and again and again)
• Securityfocus, which is a major vendor for security information has its own section JUST for Microsoft Vista.
• ONE command line will give you a command shell on a vulnerable windows machine. That leads to installing malware, stealing passwords, reading emails – the whole nine yards – just like theyre sitting AT your computer, or on your server.
• Using WEP for wireless security is a joke. If you don’t use WPA you may as well not bother encrypting. That also leads to people sniffing your information out of the air – passwords, credentials, AIM/Yahoo conversations – everything.
• The web2.0 community is just making things worse by being willfully ignorant

The point I’m trying to get across is that security isn’t just installing a virus scanner and an adware scanner and making sure your system is free of viruses. Code is developed every day that exposes crucial information to the world, which is then indexed by google. Security isn’t just about viruses, its about making your private information stay private – in all cases. Error messages that leak information such as filenames, database names, database tables, usernames etc just help attackers gain further entry into systems.

I do more than just security work – I’m a full-fledged Systems Architect with over ten years of experience in the field. Once you build a large scale enterprise environment, it has to be secured, right?
Every once in a while during conversations at meetups I tell people that I’m a Security Researcher and a Systems Architect and they end up asking me later “so what do you actually DO?”. So heres a short list:

• Information Tecnhnology(IT) and Information Security(InfoSec) consulting: working directly with sales, marketing and PR departments to coach bloggers, twitter users and writers on what terminology to use, what new technology is out there, what is safe, what isn’t safe, figures and reports on the latest attacks, bot nets, viruses and other threats influencing the world
• MSSQL and MySQL database administration, design, tuning, and security
• Designing networks: switches, routers, firewalls, intrusion detection, backups, redundancy
• Workflow Management: Setting up HRIS systems, ticketing systems, automating things like installations, software deployments, antivirus and other workstation maintenance procedures, creating a documentation repository using mediawiki
• Emerging Technologies: Staying abreast of all new versions of software and hardware available, defining when and what to upgrade, planning upgrades, defining when and how to scale, choosing the right hardware and software for the job, identifying when to decommission old equipment or software and how execute it
• Security: Staying abreast of all current and anticipated versions of software frameworks, firmwares, networking and phone equipment, defining what software and appliances need to be secured and or upgraded, defining what network resources get deployed where in the clients landscape and subequently documenting everything along the way

There is no environment alien to me, no operating system I do not have experience with, no development/scripting language I have no experience with and there is no limit to what can be done with the proper resources.

The Rates for hours at AtenLabs are fiercely competitive and in our wake we leave nothing but courage, confidence, and smiling clients.

If you’re even thinking about contacting us for us for a free consultation – stop thinking and contact us.