Monday, December 10, 2007


If you don't know about airpwn, then you're missing out on some funny. Remember kids, the "man in the middle" attack is sometimes very very disturbing!
Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

HTTP goatse, 100% of the screen
HTTP goatse replacing all images
HTTP goatse as the page background via CSS
HTTP tubgirl replacing all images
HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
HTTP javascript alert boxes, letting people know just how pwned they were
FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

Sunday, December 9, 2007

Off the record messaging (forward security)

Interesting concepts, especially forward security

The idea here is to have secure messaging with a few more benefits than plain encrypted chat has offered (gaim and many others have had it for several years). It's supported by everyone's favorite client, Adium X. One of the problems with the other methods of encrypted conversation is that every conversation was authenticated with the same key, so if your machine is ever compromised the attacker can read all your past conversations. Also, if your machine is compromised, you cannot deny having said what you said, since it was signed with your key.

OTR messaging uses crazy math to ensure that each conversation is encrypted with a different key derived from the same original secret key. Therefore a captured private key cannot be used to decrypt previous messages, but you know the current conversation is authenticated because all the subkeys must have been made with the original key. (This is part of the gpg specification.)

AdiumX is available as a download beta with OTR built in.
I used to use encrypted chat, but only 3 of my friends had compatible versions, so unless this gains traction among a high proportion of your friends it is probably not very useful. However, the novel abilities of OTR would be nice to see in other products.

Imagine someone capturing your secret key and having the ability to decrypt all your previous communications. That's what happened to the Nazis when they got lazy and started reusing keys.
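To make the forward-secrecy point concrete, here is an added Python model (not code from this post, Adium or the OTR library) of the key structure OTR actually uses: the long-term secret only authenticates a fresh Diffie-Hellman exchange per conversation, the resulting session key encrypts and MACs the messages, and the ephemeral secrets are thrown away when the chat ends. The tiny DH group, the SHA-256 keystream cipher, and the keyed MAC standing in for OTR's DSA signatures are all toy choices made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group, a constructed choice for illustration only: a 127-bit Mersenne
# prime. Far too small for real use; OTR itself uses a 1536-bit MODP group.
P = (1 << 127) - 1
G = 5
VALUE_BYTES = 16  # every group element fits in 16 bytes


def dh_keypair():
    """Fresh ephemeral key pair: (private exponent, public value)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def keystream_xor(key, data):
    """Toy stream cipher: SHA-256 in counter mode, XORed over the data.
    Applying it twice with the same key restores the plaintext."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def authenticate(long_term, pub):
    """Bind an ephemeral public value to the long-term identity secret.
    A keyed MAC stands in for the DSA signature OTR puts over its DH values."""
    return hmac.new(long_term, pub.to_bytes(VALUE_BYTES, "big"), "sha256").digest()


def static_chat(long_term, plaintexts):
    """The older style of encrypted chat the post criticises: every conversation
    is protected directly by the one long-term key."""
    key = hashlib.sha256(b"chat" + long_term).digest()
    return [keystream_xor(key, m) for m in plaintexts]


def otr_conversation(long_term, plaintexts):
    """One OTR-style conversation. Returns exactly what an eavesdropper on the
    wire gets to record: the authenticated handshake and the MACed ciphertexts."""
    a_priv, a_pub = dh_keypair()            # Alice's ephemeral key
    b_priv, b_pub = dh_keypair()            # Bob's ephemeral key
    shared = pow(b_pub, a_priv, P)
    assert shared == pow(a_pub, b_priv, P)  # both sides derive the same secret
    session_key = hashlib.sha256(shared.to_bytes(VALUE_BYTES, "big")).digest()
    enc_key = hashlib.sha256(b"enc" + session_key).digest()
    mac_key = hashlib.sha256(b"mac" + session_key).digest()
    # Messages are MACed with a key both parties hold, never signed: either of
    # them could have produced any message, which is what makes OTR deniable.
    recorded = []
    for m in plaintexts:
        ct = keystream_xor(enc_key, m)
        recorded.append((ct, hmac.new(mac_key, ct, "sha256").digest()))
    # When the chat ends the ephemeral exponents and session key are discarded.
    # Nothing left on the machine, the long-term key included, can regenerate them.
    del a_priv, b_priv, shared, session_key, enc_key, mac_key
    return {"handshake": [(a_pub, authenticate(long_term, a_pub)),
                          (b_pub, authenticate(long_term, b_pub))],
            "messages": recorded}


def attacker_after_compromise(long_term, static_record, otr_record):
    """The post's scenario: the long-term key is seized later, together with
    everything recorded from the wire. Returns what each scheme gives up."""
    # Static scheme: recompute the single key and read every old message.
    key = hashlib.sha256(b"chat" + long_term).digest()
    static_plaintexts = [keystream_xor(key, ct) for ct in static_record]
    # OTR style: the seized key verifies the old handshake (and would let the
    # attacker forge new ones, so it must be revoked), but the session key was
    # derived from private exponents that were never stored anywhere.
    handshake_ok = all(hmac.compare_digest(authenticate(long_term, pub), tag)
                       for pub, tag in otr_record["handshake"])
    return {"static_plaintexts": static_plaintexts,
            "otr_handshake_forgeable": handshake_ok,
            "otr_plaintexts": None}   # no key material left to decrypt with
```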

Tuesday, December 4, 2007

How to build a kitchen timer

Check out these circuit diagrams. What? It's a kitchen timer. What did you think it was?

The guy from has lots of great projects.

It's a kitchen timer. Use it to time spaghetti, or maybe an egg. It uses two PICs: one acts as a keyboard encoder, the other drives the display and supports the timer functions. You key in the desired time and press '#'. It's accurate to 1/100th of a second, which can make all the difference, I'm sure you'll agree.

Also, the duct tape is critical to its operation! Let me know when you attempt to bring one of these on board an airplane!

Radio scanning in Louisiana, frequency lists available

(Current list that I use.)
(Current list of open channels of all kinds of businesses and agencies)

Louisiana is supposed to be switching over to the Louisiana Totally Interoperable Environment (LATIE) system for all police, fire, EMS, etc radio communications. Some parishes are up and running, and some are taking their time. Listed at that link are frequencies and ID codes for State Police, local police, and basically every other LATIE equipped department. Please note that Lafayette Parish has switched over to encryption with their systems. To listen to LATIE traffic you must have one of two different models currently available. The Uniden BCD369T handheld going for $300-500, or the super bad-ass Uniden BCD996T which is basically sentient.

Here is the forum for LATIE related questions for hobbyists:

My personal belief is that encryption is too difficult for the state guys to even mess with for at least one more generation of gear. Most agencies will continue to use the easiest, cheapest, oldest, and least secure methods of communication until they are forced to adhere to some new minimum requirement. This is good for those of us who want to hear them talk (including reporters, news channels, and any hobbyist.)

I've compiled a massive list of currently used, non-trunk frequencies of everyone from the cops to McDonald's drive-throughs and LSU services, available below the fold. Please enjoy.

If the cops are going to be blasting their radio waves directly into my apartment, then they have no right to complain that I decide to listen to them.

Sunday, December 2, 2007

Mac Users: Set Your File Vault Master Password

Since this blog is, at least in part, about bringing to your attention possible security threats, I'll make my first post here about a threat I recently thought up.  I mentioned this to a friend and, the more we discussed it, the scarier it seemed.  Luckily, there's a simple fix.

The threat in question is the threat of an unset Master Password on your Macintosh's File Vault.  Now, many of you are like me, and have been so scared reading about File Vault that you don't currently intend to ever turn it on.  But, at the very least, you should set a Master Password in the File Vault preferences pane (System Preferences > Security > File Vault).  Doing so will NOT turn on File Vault.

Why, you ask?  Well, I suppose that depends, in part, on where you're using your computer.  Mine, a Powerbook G4 running Leopard, stays open on my desk all day.  I'm a graduate student at a university, and my desk is in an office I share with many others.  The office itself remains open during the day, and so passers-by theoretically have direct access to my machine.

I regularly leave it there, protected by a laptop lock, and go get coffee, teach lab, or take a walk.  In addition to this physical protection, I've recently disabled automatic login and turned on password requirements to wake the computer from sleep or screen saver (both in System Preferences > Security > General).  I've also made an encrypted disk image (using Disk Utility) that contains all of my sensitive data.  This encrypted disk image means that even if someone gains physical access to my machine with the login passwords down, my most sensitive data is safe from prying eyes.  But despite all of these measures, the File Vault Master Password is another security hole that is too easily plugged to risk ignoring it.

It's an unlikely scenario, but one in which you would be completely fucked if it were to occur.  Let's say I'm off getting coffee and my officemates are off doing whatever they are doing.  Now further assume that in a moment of forgetfulness, I left my computer open and didn't trigger the screen saver.  A person with malicious intent could walk in before the screen saver automatically starts and, unopposed, access the File Vault Preferences.  If the Master Password is unset, they could set it themselves and trigger File Vault to lock up my home directory.  I would come back from coffee to an unusable machine in which all of my precious personal data, including any encrypted disk images that I put sensitive stuff in, was encrypted with a key that I did not possess.

While it's true that the antagonist still shouldn't have access to my most personal data, because it's in the encrypted disk image that I never mount unless I'm actively using it, it would deny ME access to my own data, which is almost as bad.

I admit, it's an improbable happening, but one that, nonetheless, remains well within the realm of possibility and for which the countermeasures are far too easy to justify ignoring.  If you set the Master Password, then you and your computer are safe from would-be practical jokers or evil office trolls who might encrypt your home directory without giving you the key.   Having the Master Password set doesn't require you to turn File Vault on, but it does allow you to turn it off if someone else turns it on.  And, if that's not enough of an incentive to make you take action, I don't know what is.

Friday, November 30, 2007

WEP Cracking with kismac (you can't hide)

A friend recently informed me that he would be securing his wireless network with WEP encryption and hiding his SSID. While this is a good idea and will deter 99.99% of evil crax0z, it's important to remember that WEP is not safe.

In this video we see someone crack a WEP network and recover the password in 10 minutes, even though the SSID is hidden. They use the excellent tool kismac, which is great for casual wardriving as well as packet interception and WEP cracking.

Remember, security through obscurity only works if you are actually obscure!

And a great article on preventing hacks by running software so ancient that nobody remembers how to hack into it. Security through obsolescence. Even the article is old.
"I have one box still running a version of Solaris that's so old none of the script kiddies can figure it out," Brian says. "They tend to focus on the latest and greatest, and don't have the slightest idea how to handle my old Sun box."
Brian points out that some of the most secure Department of Defense Web sites -- ones that don't make headlines by getting cracked all the time -- run old versions of Mac OS and the venerable WebSTAR server suite.

Wednesday, November 28, 2007

Copy the key. Make a good first impression.

Copy a key using a soda can, copier, scissors.

You can easily get the master key for a building by asking the secretary to borrow it because you "forgot your X in room Y."
Social engineering. Learn it, love it, design against it.

Monday, November 26, 2007

The Death of Facebook

Cory Doctorow, eminent SF author and contributor to BoingBoing, finally tells about the billion dollar elephant in the room.
Disclaimer: I used to think Cory Doctorow was a publicity hungry SF faker, but after reading his work, I recognize his brilliance. The man can write. He is no poseur.

There is a reason that LiveJournal faded, and Blogger, and MySpace is on the way, and Friendster, and Linkedin, and Orkut, etc. Facebook is this week's boring rehash.
Everyone googles themselves, no one wants to be googled. You want to be found by long lost friends but you don't lose touch with long lost friends, you lose touch with creepy weirdos that you maybe kinda liked to hang out with, but now you'd rather save the energy and just not talk to.

Except you get a friend request. Then you're an asshole for saying no. So you start signing in less frequently because this person who you kinda liked to hang out with, but you don't really interact with anymore is now part of your "friends list" and you see every goddamn message they post. You can't escape me, I can't escape you, neither of us politely.

Let's all pretend that we're not "that guy". Right. You're "that guy" to somebody.

Facebook is a waste of your time and everybody's money. Close your account. In 10 years, all these undergrads will wonder why they wasted 6 hours a day on some stupid facebook garbage when they were missing out on college life. Oh well. C'est la vie.

Saturday, November 24, 2007

Firefighters sidestep the 4th Amendment


What scares me is not the sentiments of the author, nor the mainstream publication, but the blind obsequious acceptance. Only DoubleThink could allow someone to even write these words in the US. I do not fear the Authoritarians. I fear their followers. These are they. Let's fisk.
Unlike police, firefighters and emergency medical personnel don’t need warrants to access hundreds of thousands of homes and buildings each year, putting them in a position to spot behavior that could indicate terrorist activity or planning.
You say this like it's a good thing.
Since the Sept. 11, 2001, terrorist attacks, Americans have given up some of their privacy rights in an effort to prevent future strikes.
We did not give them up. They were taken from us.
The American Civil Liberties Union says using firefighters to gather intelligence is another step in that direction.
Ok, wrong analogy, how about Fahrenheit 451. Burning forbidden knowledge via firefighters? Check!
“They’re really doing technical inspections, and if perchance they find something like, you know, a bunch of RPG (rocket-propelled grenade) rounds in somebody’s basement, I think it’s a no-brainer,”
Srsly. Does that happen often? Has any firefighter ever found an RPG in someone's burning down house? Call up the Malibu guys; no I'll wait. Srsly. I mean.. who the hell writes sentences like that? "But what if we found a buncha RPGS in a basement." That's actually what he said. Is this an epidemic?
said Jack Tomarchio, a senior official in Homeland Security’s intelligence division.
Oh well that explains everything. FAIL.
When going to private residences, for example, they are told to be alert for a person who is hostile, uncooperative or expressing hate or discontent with the United States; unusual chemicals or other materials that seem out of place; ammunition, firearms or weapons boxes; surveillance equipment; still and video cameras; night-vision goggles; maps, photos, blueprints; police manuals, training manuals, flight manuals; and little or no furniture other than a bed or mattress.
Fact. You have described every engineering student in the USA.
They list 19 criteria. I would fall under 17 of those.

Clearly I am a terrorist. Me,
and the cat.
(for those playing at home, I would behave or own the following in a private residence: 1) hostile, 2) uncooperative, 3) expressing discontent with the US, 4) unusual chemicals, kinda vague eh? 5) materials out of place, 6) ammunition, ye gods tons of it. 7) firearms, boy howdy 2nd Amendment. 8) weapons boxes, they send ammo in these. 9) surveillance equipment, I have a police scanner and some mirrors. 10) still and video cameras, who doesn't have these? 11) night vision goggles, they're fun. 12) maps, of my city, in my car, 13) photos, 14) training manuals, vague as hell, but yes. 15) I have a book on Cessnas. 16) little or no furniture? hi all college males.

“We’re there to help people, and by discovering these type of events, we’re helping people,”
Wow. Whatever makes you sleep at night buddy.
And the fire service is also represented in at least 13 state and regional intelligence “fusion” centers across the country — where local, state and federal agencies share information about terrorism and other crimes.
Bruce Schneier specifically warned about these "fusion" centers and mission creep. It's like reading tomorrow's newspaper.
“So we see things and observe things that may be useful to law enforcement,” he said. “We can walk into your house. We don’t need a search warrant.”
Yeah Bob, that's kinda the problem. See.. the 4th Amendment. You are an authoritarian follower.
But Cade said that until recently, there’s been no mechanism for fire departments to share what they learn with law enforcement and intelligence analysts who could use it.
Fire departments are unable to use telephones? Riiiiiiiight.
Homeland Security said if its program with New York is expanded across the country, civil rights and civil liberties training would be included.
Yes. DHS is such a huge defender of civil liberties. Heckuva job DHS.

Tuesday, November 20, 2007

Copy a key using a soda can, copier, scissors.

Instructables. What a great site. I did a similar trick after "borrowing" the master key from the departmental secretary.

Who wants to carry around 12 different large metal pointless keys? Get yourself a master key. What does most every place of business have?
Soda machines
Copy machines
Crappy security about who gets master keys.

How to make a working duplicate of a door key with a copy machine, soda can, scissors, etc.
Are Xerox machines good enough to literally xerox a key placed on the glass and have the same dimensions on the output paper? Yes. :)

Wednesday, November 14, 2007

Three types of authentication.

Security theory: There are 3 ways to authenticate yourself. Most of the time you may prefer anonymity, but in some cases, you must prove you are who you say you are.
If you are trying to access my house, my safe deposit box, my hard drive, etc, you must authenticate to the satisfaction of the door knob, the bank, or the filesystem respectively.

These are the 3 methods of Authentication:

What you have -- keys, badges, ID, passcards, tokens.
These are physical objects and go towards identifying you by what you physically *own*. The obvious problem here is that objects can be taken and are not tied or "signed" to any particular person. This makes it easy to loan your verification for temporary uses like valet parking, but objects can be stolen. Keys can be duplicated, IDs can be faked, and nobody knows what the heck a valid badge looks like anyway.
How many FBI badges or CIA ID cards have you seen? How would you know if it's real?

What you are: your DNA, fingerprints, voice match, the cadence of your typing, your walk, talk, act. Your smell, shoeprints, aura, your retinal scan, your vein patterns. Anything that leaves the impression of YOU, but nothing that can come from someone else. These are things that can be taken from you. They cannot be faked but can be stolen. This is the secondary level of security: what you are is better than what you have, but is nothing compared to what you know.

What you know. Passwords, passphrases. Things that cannot be beaten out of you. Passwords cannot be compelled to be told, they cannot be stolen (from your mind), they cannot be duplicated. Other examples include your memories.
We've all thought about the time traveler trick. Imagine yourself from the future convincing yourself now that you are really the future you. You can name things that only you could possibly know, such as your 2nd pet's name, the number of girls you've slept with, etc.
Needless to say, this method of authentication is the most secure and the most unwieldy.

In previous posts I discussed the UK woman who is being forced to reveal her decryption key. Could this happen to you?

Her door keys can be duplicated, her fingerprints can be stolen or coerced, but no court could make her, me, or you spell out your most secret passwords. What you know is better than what you have or what you are.

UK Police Can Now Demand Encryption Keys

Papiere Bitte. UK Police can demand your encryption keys, your passwords, presumably your PIN, and yo momma's maiden name.

"Paper's please, citizen." Those words ought to invoke fear in you. We used to make fun of Soviet Russia where you needed internal passports. But then we had the Red Scare, you could DoS a person.

So now the UK has done it. They are actually demanding you turn over your encryption keys. On penalty of what? 2 yrs in jail.

Lesson 1: If your crime is punishable by more than 2 years in prison, tell them to pound sand. You'll get off easier.
Lesson 2: If you don't like Susan up the street, plant an encrypted file on her and call the coppers. She can't give them the key for what she doesn't know she has. 2 years of no more Susan. Denial of Service of life.

Lesson 3: The government can't crack our encryption, otherwise they'd not bother forcing the keys out of us. A rather enlightening admission don't you think?

Denial of Service

I'm sure you heard about the angry father-in-law who sent an email to DHS to prevent his son-in-law from visiting the USA. The son-in-law was held for over 12 hours and sent back to Sweden, home of lutefisk and terrorists.

"The man, who admitted sending the email, said he did not think the US authorities would stupid enough to believe him." Dear God, never underestimate the stupidity of petty dictators!

Denial of Service. Against a guy. For an entire country. Impressive.

Next post up, we see another example. (Hint, turning in your neighbors as Secret Commies is also a form of DoS.)

Thursday, November 8, 2007

Cracking shareware on OSX, for the lazy

Now you've installed Leopard, and you need to update all your little shareware utils. Normally you just grab the latest serial from (get the excellent program iSerial Reader which comes with monthly updated databases of serials).

But why go through the trouble to find old versions of software when you can crack OSX shareware yourself?

Cracking OSX shareware for the lazy. Now you can spend your time telling yourself whatever it takes to get to sleep at night because you cheaped out on $10 shareware for a starving author.

Saturday, November 3, 2007


Leopard includes a new type of file image called a "Sparsebundle". How is this different from a sparseimage? What is it used for? I'm sure someone at Apple knows, but the googlesphere doesn't seem to be doing much good. Here's what I've learned:

Sparsebundle images are like Sparseimages except they are made up of "bands".
Sparsebundles are used by Filevault in Leopard and help with Time Machine backups.
Bands are individual 8 MB chunks. Time Machine will only back up the bands that have changed.
Sparsebundles are actually directories, you can look in them to see the data structure. Here is what you see.

This is why you have to log out before Time Machine can back up your FileVault-protected user directory. However, it is a huge bonus, because otherwise, if you changed a single byte while logged in, the previous FileVault structure would have changed the attributes of the entire ginormous sparseimage, which would then take hours for Time Machine to back up.

Now, using sparsebundles, you log out and Time Machine looks at the metadata for the bands that have changed and backs up only those. Also, the Time Machine backup was supposed to be encrypted, but that support seems to have been dropped. Since your sparsebundle is copied whole, FileVault users are safe. You non-FileVault-using people are leaving USB drives full of your data all over the place though. Beware.
This appears to be a stopgap measure before ZFS is fully implemented. Use ZFS peoples. It has snapshots and pools.
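An added Python model of the band layout described above (this is illustration code, not Apple's implementation, and it omits the Info.plist and token files a real sparsebundle keeps beside its bands/ directory): writes are routed to 8 MB band files named by hex index, and a Time Machine-style incremental pass copies only the bands dirtied since the last run, against the whole-file cost of a monolithic sparseimage.

```python
BAND_SIZE = 8 * 1024 * 1024   # 8 MB bands, as the post describes


class SparseBundle:
    """Model of a sparsebundle: a directory whose bands/ subdirectory holds one
    file per allocated 8 MB band, named by its index in hex. Bands nobody has
    written to simply do not exist, which is what keeps the image sparse."""

    def __init__(self, size_bytes):
        self.size = size_bytes
        self.bands = {}       # band index -> bytearray(BAND_SIZE), allocated only
        self.dirty = set()    # band indices written since the last backup

    @staticmethod
    def band_path(index):
        return "bands/%x" % index

    def write(self, offset, data):
        """Route a write to the band(s) it touches, allocating on first write."""
        if offset < 0 or offset + len(data) > self.size:
            raise ValueError("write outside the image")
        pos = offset
        while data:
            idx, within = divmod(pos, BAND_SIZE)
            n = min(len(data), BAND_SIZE - within)   # stop at the band boundary
            band = self.bands.setdefault(idx, bytearray(BAND_SIZE))
            band[within:within + n] = data[:n]
            self.dirty.add(idx)
            data, pos = data[n:], pos + n

    def read(self, offset, length):
        """Reads from never-written bands return zeros without allocating."""
        out = bytearray()
        pos = offset
        while len(out) < length:
            idx, within = divmod(pos, BAND_SIZE)
            n = min(length - len(out), BAND_SIZE - within)
            band = self.bands.get(idx)
            out += band[within:within + n] if band else bytes(n)
            pos += n
        return bytes(out)

    def backup(self):
        """Time Machine-style incremental pass: copy only the bands dirtied
        since the last run. Returns (band files copied, bytes copied)."""
        copied = [self.band_path(i) for i in sorted(self.dirty)]
        self.dirty.clear()
        return copied, len(copied) * BAND_SIZE


def sparseimage_backup_cost(allocated_bytes):
    """A monolithic sparseimage is one file: any change means the whole
    allocated file is copied again, which is the "hours" the post mentions."""
    return allocated_bytes
```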

Thursday, November 1, 2007

The War on the Unexpected

"We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong."

Read Bruce Schneier's excellent essay.

Be afraid, be normal, "Live free or Die!" does not seem to be the prevailing wisdom today. Wimps. As usual Bruce tears up the baby-coddled thinking of the terror-mongers. The people who advocate this style of followership are the children of the "Greatest Generation"?

I'm a Gen-X'er myself and I have to say, piss poor show fellows, piss poor.
I know the Boomers are scared of death and scared of non-conformity, and have nothing to live for but life itself, but grow a backbone. Don't let the blinkenlights scare you!

"Of course, by then it's too late for the authorities to admit that they made a mistake and overreacted, that a sane voice of reason at some level should have prevailed. What follows is the parade of police and elected officials praising each other for doing a great job, and prosecuting the poor victim -- the person who was different in the first place -- for having the temerity to try to trick them."

Damn you Boomers for giving away MY freedoms and for setting us on this authoritarian course. Now we gotta fight.


Sunday, October 28, 2007

Fighting the petty dictators

Authoritarianism is rampant in our society. Just last week I ran into at least 3 petty dictators. This can be anything from the local "Officer Friendly" telling you to "Move along", to bureaucratic government office secretaries guarding their tin-pot dictatorships with utter contempt for outsiders.

Hierarchy is everything to these petty people. Big Fish, Small Pond. But you must deal with them and it can be exasperating. Think DMV writ large.

I'll be discussing how to subvert the Panopticon society for our ends. Points to ponder in a future post are:
1) The universal surveillance is ineffective for The Man, as no one is watching, and it acts to protect the system.
2a) We value government transparency and personal privacy. The government values government privacy and personal transparency.
2b) We want to keep our secrets, while the government wants to see them, and vice versa.
3) They can monitor the public spaces, even take your data, but we cannot effectively do this to them.

Dictators small and large hate spotlights. Atrocities are carried out in the dark, people are "disappeared." The way to combat petty abuses of petty power is the same as the way to combat great abuses of great power.

You will never win by complaining. You are doomed to pointlessness. There is nothing you can do to make the departmental secretary care. She was there before you and she'll be there after you, and she'll do nothing to help you. If you annoy her, she will make your life miserable.

Here is how you fight back. Cops will lie and threaten. Flight attendants will make up rules and lie to you. "Because I said so" works for mom, but not for these little nuts. What you need is to spy on yourself. Record everything. Then you have a backup.
Cops hate photographers; unfortunately for them, photographers have rights. (Carry this on your person.)

There are lots of reasons to record everything in your life, besides just happening to have some crucial evidence to redeem yourself if you are threatened. In years to come, you may wish to recall conversations you had with others, perhaps after a death your records would console loved ones. Perhaps someone you associate with will become famous. Perhaps you yourself will want to hear what you sounded like as a young man or lady in 30 years time. Think of recordings of your mother and how they are precious to you.

Setting this up to be painless is easier than you might think. I'll have a simple post soon detailing equipment.


Tuesday, October 23, 2007

Comedy Computer Security

Leopard is coming out this week and has all kinds of great cryptic features that are security related. But when you want to find a good place to eat, find a fat person and follow him. In that spirit, I give you the Encyclopedia Dramatica's take on security.

"Security is a broad generalization; a meme of sorts used by the government, which means absolutely nothing. Security is often found at nightclubs, government establishments, and Jesus factories, but is never found on the internet."

Moar soon!

"They is perhaps the smartest person ever, and the perfect person to cite in an argument." omg pwniez

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

Wednesday, October 17, 2007

Kibo is my hero

Kibo is a genius. Grepping the entire Usenet feed for your name so that you can reply and appear everywhere at once. Legendary.

Next post will involve us listening to the radio waves that go through our houses. I didn't ask for them to send signals to my living room, don't complain when we listen to them!

I have a kibo number. It is lower than yours. Weep.

More stolen laptops with personal information

Once again some laptops have been stolen which contain lots of personal information. The solution by the TSA is to require encryption. Perhaps they were just trying to keep up with the data loss experts here in the state of Louisiana, where our LOFSA organization recently lost thousands of student records and financial information. Incredible. And in a stunning display of stupidity, LOFSA decided to wait for weeks to tell us. Because, you know.. this isn't time sensitive or anything.

Bruce Schneier and other security gurus have written extensively about the false security of companies and organizations who fail to notify their customers, and the regularly exposes companies trying to hide their ineptitude. The only solution to data theft is the same as the solution to the Tylenol product tampering case: massive, overwhelming, immediate disclosure and response. Johnson & Johnson, to their credit, did not try to PR their way out of that mess. They knew there was only one way to save the company after millions of customers now feared their products: overwhelming action. Millions were spent to recall and destroy existing stocks of Tylenol, and the company, this is key, *wanted you to know*.

LOFSA could have bought credibility by immediate disclosure and reassurance that they were doing everything to protect us, but they decided to try to hide. The TSA keeps losing laptops and reacts rather than pro-actively protects.

What does this have to do with you? Encrypt YOUR laptop, YOUR data. If it's bad enough for thieves to get your name and identity, imagine how bad it would be if they got your whole laptop. Encrypt today!

Tuesday, October 16, 2007

What's in your "permanent record"

Remember that time that Mrs. Grumbly caught you putting crayons up your nose and threatened to put it in your permanent file... OOOOOOOOHHH NOOOO! Where did you think she was sending it? That's right. The FBI, NSA, CIA, DHL, DDF, NAACP, and NAFTA. They *all* have a dossier on you, citizen.
A few weeks ago I sent in my request for my DHS Travel Dossier (you didn't think it was really a "dossier" did you? eh? EH?! you betcha... good German.) Recently I've traveled quite a bit, and according to my passport's electronic codes I'm 129 years old, and no one noticed this through like 7 countries and numerous airports. But I *did* remove my shoes, and liquids. I'm dying to know what they actually bothered to track about me, since my age was of no importance. Also, requesting your documents is basically free and takes about 10 minutes, no notary. hosts the "ATS Privacy Act Records Request" and the accompanying release form.

Now BoingBoing has a post on getting your FBI file, neat! I can't wait to see what's in mine, and also to waste some bureaucrat's time. Here's what BoingBoing says: "This site helps you automatically generate the letters you need to send in to get your own FBI file ... and while you're at it, you can also get your NSA, CIA, DIA, DSS, Secret Service, etc. files too, just by checking a few boxes." I'm so excited, I want to cross-dress just so I get data-mined with J. Edgar Hoover. I'll update the blog with my results when they arrive.

Anecdote, I heard a story about a girl who applied to be a whitehouse intern and was questioned about having joined the "Objectivist club," which meant she had filled out a card on the back of an Ayn Rand novel and that somehow put her on a list! Imagine what kind of lists YOU'RE on! (This is another reason I've legally changed my name to "Void", just to screw up check cashing).

This is how you seriously destroy the government.

Sunday, October 14, 2007

HIDS or, screw the NSA! Host-based intrusion detection

You've secured your laptop now, according to best practices. You have turned on FileVault disk encryption, turned off unnecessary services, disabled automatic login, etc.
Now the bastards have to come after you the old fashioned way, they have to penetrate your code walls and steal your internets.

"But how can the dastardly FBI, NSA, DHL, Section 8 bastards break my code walls?" you ask. Easily. You are running multiple programs which phone home all the time and connect to other computers through sometimes lousy protocols or implementations. That Weatherbug may be more of a bug than you realize. First step is to run Little Snitch, which will tell you when applications connect to the net and give you the opportunity to deny them temporarily or permanently. Next run nmap on yourself to make sure you only have approved ports open. Now you've done your due diligence, but The Man won't give up!

You need a HIDS, a Host-based Intrusion Detection System. This kind of program will scan your machine and make sure that you haven't been pwned and aren't running root-kits, badware, keyloggers or other garbage that the G-men (or Romanian script-kiddies) would use to monitor you. Think it can't happen? There was a recent case where a mafioso was busted even though he used all kinds of crazy encryption on his machine. They used a sneak-and-peek warrant to sneak into his house and install some nosey-ware on his machine, and then watched him for *months*!!! He'd have been better off if he had been checking for file modifications. Don't think your mighty encryption will stop them. This ties into the above best practices by disallowing automatic login, etc. But remember, if they have physical access to your machine, life gets much more difficult.
We'll cover how to defeat more advanced monitoring techniques in future posts. Remember, if they cannot just boot your machine and read it, they'll have no choice but to resort to more expensive/difficult and less effective techniques. Our goal is to get them to the point of using Van Eck Phreaking and having goatse as your screensaver. Heh.
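What "checking for file modifications" looks like in practice, as an added example that is not code from the original post or from any HIDS product: a Tripwire-style baseline of SHA-256 hashes, sizes and permission bits for every regular file under a directory, saved as JSON, and a comparison that lists files that were added, removed or changed. The directory to watch and the baseline location are whatever you pass on the command line; the post's caveats still apply (take the baseline before the compromise, keep it off the box).

```python
"""Minimal file-integrity checker in the Tripwire style (added example).

First run: hash everything under ROOT and write BASELINE.
Later runs: re-hash and report what changed. Hashing contents (not just
mtime) catches a trojaned binary that was given its old timestamp back.
"""
import hashlib
import json
import os
import stat
import sys


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its hash, size and mode."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices; lstat does not follow links
            result[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),  # a new setuid bit is a change too
            }
    return result


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, modified): sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, removed, modified


if __name__ == "__main__":
    root, baseline_file = sys.argv[1], sys.argv[2]  # e.g. /usr/bin /Volumes/READONLY/usr-bin.json
    if os.path.exists(baseline_file):
        added, removed, modified = compare(load_baseline(baseline_file), snapshot(root))
        for label, paths in (("added", added), ("removed", removed), ("modified", modified)):
            for p in paths:
                print(f"{label}: {p}")
    else:
        save_baseline(snapshot(root), baseline_file)
        print(f"baseline written to {baseline_file}")
```

Run it from a clean boot (Target Disk Mode or an external system) when you suspect a rootkit: a kernel module that hides files lies to every userland program, this script included.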

Read this infoanarchy article on methods of intrusive surveillance. If my job were to steal your data, this is the manual I would follow.

Friday, October 12, 2007

Sign Sign, Everywhere a Sign

My next project is in the style of Telstar Logistics, i.e. Urban Camouflage, or social engineering.
"One day, I had an epiphany -- if I disguised the van to look like a work vehicle, I'd be able to park in yellow-curb zones without getting parking tickets. "
People love signs, especially low-wage, rules-oriented mindless zombies. These people can be found everywhere, such as DMVs, utility companies, airports, and especially universities. You can tell you're dealing with someone who values rules over reason if the conversation goes something like this:
"Hi, I'd like to do X"
"I'm sorry, sir, you can't do X"
"Why not?"
"It's policy"
"Who has the authorization to override this?"
"It's policy"
... as though that is the final answer.

OBEY! (corporate phenomenology, I'm sure you've seen these stickers)

Anyhow, let's mess with these people. Around LSU you will often see little yellow laminated signs stapled to sticks in front of random parking spots that say "Reserved for ####, good for TOWING ENFORCED". No one ever parks in front of them.
The other day I went to school and saw a plastic sign in front of some spots that simply said "No Parking", and sure enough, no one parked there. I knew there was no event or anything, and the parking nazis never question their bosses or consult reason, so these signs tend to stay. The next day, the sign was still there and still no one parked there... so I did. And then I kicked over the sign. When I got back to my car, I had no ticket and the sign was gone!
So now I've made my own laminated sign on a stick and I'll keep it in my trunk and park wherever I feel like.
Some people said, "but that's illegal!" Huh? Not unless you want to count it as littering. It's not my fault if other people listen to my signs! Freedom of speech baby!
Pics coming soon.

Sunday, October 7, 2007

Parking meters, or "mini-atms"

If I were homeless, I would spend all my spare time figuring out how to get into parking meters instead of bothering people for spare change. I mean, look around! There are little boxes of money ($30-60 according to sources) spaced every 10 feet damned near everywhere in major cities.
Why bum when you can surreptitiously slide a home-made rake and tension wrench into a parking meter and walk off with lunch, dinner, a pack of smokes *AND* some Thunderbird money?

The parking meters around here are manufactured by the Duncan parking meter company and use quarters. There are probably a large number with no cameras, and if you vary the meters and the days of your attack, or even just leave some change in each one, you'd likely never get caught.

These guys got greedy.
Besides, why use an angle grinder? That just alerts the meter maids to your presence. The keys on these meters are generally very short 5-pin models, not tubular, very easy to pick even for a novice.

Everyone robs ATMs because "that's where the money is." Teenagers spend countless hours trying to defeat vending machines (my personal favorite was to smash nickels until they are the size of quarters).

Next time you need laundry money and you realize you just dropped $.50 into the meter, think about it...

Thursday, September 27, 2007

AWID and LSU, parking hacking

Recently Louisiana State University started up a program called "Easy Streets" which cuts off students and general traffic from using any streets that pass through the university campus. They are using lifting barriers and RFID detectors made by AWID (Applied Wireless IDentification). I haven't quite figured out a way to bypass the RFID system yet, so I am looking for your help. Here's what I've learned so far:

1) The readers are model LR-911 units. This design has been in production for a number of years and probably has backend software from iAnywhere. The benefit of this is that iAnywhere supports a billion protocols and basically no encryption; the drawback is finding out how to access this functionality.
The "RFID Anywhere Appliance Edition" "supports TCP/IP, HTTP and the EPC reader protocol. It also adds security functions, software for configuring the readers remotely from a Web browser and an application programming interface for executing business logic on the reader itself."

2) The wand is given to each member of the faculty or staff who has access to park on our precious streets and mow down pedestrians (aka the people who pay them). The model of the wand is the "MT tag", and the system operates on the 900-928 MHz unlicensed band, from a distance of ~5 meters.

3) Here are the instructions on cloning a VeriChip, with code and blueprints ready to go, while Bruce Schneier discusses cloning a US passport and how it's done. This is the home-made kit to clone a VeriChip; all that should be required is a different number of wraps for the antenna.

4) has tons of info on projects to play with RFID, and there are kits with readers and tags available, but they all seem to focus on the 14 kHz spectrum (only good for inches away) and not the relatively uncommon 900 MHz band.

This RFID system is basically unencrypted and requires no handshake or verification. It is also quite likely that part of the tag is writable and that a blank tag ($15) could be cloned. The technology is virtually identical to VeriChip except for using the 900 MHz range instead of 14 kHz. Tools written for cloning VeriChips and US passports *should* be able to clone these chips also, except that building such tools is too time-consuming and difficult for me, and I cannot find a cheap source for a chip reader/writer.

My next idea involves bypassing verification altogether and perhaps activating the induction loop for the exit side; however, that could get me in trouble if I'm spotted going in the "out" door and would only be good for parking lot access, not general travel. Please send ideas in the comments. I'll add more as I get time to do more research.

Cryptome, or how to piss off the CIA

This guy is crazy. John Young runs which is a fantastic repository of questionable documents. It's where you go to find the CIA's manual for staying in deep cover or the names of spies, or obscure government documents that many people would rather we not access.

All paranoid people should keep an eye on this site.

Sunday, September 23, 2007

NSA's Guide to Securing Mac OS X 10.4 Tiger

Just a quick update. Here is Apple's own guide for securing a machine running Tiger. Endorsed by the NSA; if it's good enough for them, it's good enough for you!
Good bedtime reading for comprehensive security practices.

Saturday, September 22, 2007

Mac laptop stolen at the coffee shop

No, my laptop wasn't stolen, but here's an interesting tale of recovery of one that was. Now, this is an unabashedly Mac-centric site, so the following guide is focused on some OS X-based tools, but there are Linux and Windows versions of several of these techniques.

Being a mobile laptop user is wonderful, but having your laptop walk off is a heart-dropping experience, not so much for the lost hardware but for the data you've got on it. And not so much for losing the data (you are making daily backups, right?) but for the thief's access to it. If you're super-paranoid, you might even worry whether it was a gov't black bag job.
Coffee shops and college campuses are great places to steal things. People are complacent because they consider it "their space" and forget the scale of openness. These places have an extremely high turnover of people, all of whom "look like they belong". How do you make sure they can't see those special pictures you have stored on your machine? Encryption, and lots of it!

1) First of all, turn on your screen saver password.
2) Turn on "Require password to wake this computer from sleep or screen saver" in your Preferences -> Security window.

Your mega-super-encryption will not save you if I close your laptop, walk off with it, and plug it into a USB drive at my leisure: with no wake password, the machine comes back from sleep already logged in, and I have complete access.

What happens here is, they close your laptop, walk off with it, and are confronted with a password when they open it up to look at your stuff. Their only option is then to reboot the machine, but aha! You've also enabled "Disable automatic login", so they must still enter a password after a reboot.

I leave the IR function disabled because I don't want someone to figure out a way to use Front Row or the relatively obscure IR protocols to bypass my screensaver password. As for secure virtual memory, I'm just not that paranoid yet. All RAM gets wiped after each reboot, so they would have to know in advance that I had done all this and not to restart the machine, *then* still have to figure out a way to dump the contents of RAM somewhere readable. That is an unlikely scenario.

For the same reason, I don't click "Require Password for each secure system preference" since I am the only user on this machine and if they get that far, I'm already toast.

3) Turn on FileVault. Yes, it's scary. However, it is very careful to verify everything and there seems to be no speed loss. What this does is prevent the attacker from just pulling your hard drive, putting it into another machine or a USB enclosure and reading all your data. For the same reason, an Open Firmware password on its own is basically useless: the computer is a husk that accesses a hard drive. Why bother trying to crack a firmware password when you can just rip the drive out? Does this happen? You betcha! Here are tons of stories about data recovered off of drives sold on eBay.

Now your data is much safer. If someone steals your laptop, at best they'll have to reformat the drive, and at worst they'll end up with a brick of a hard drive that contains a sparseimage of encrypted garbage.

The government could spend *years* and never recover your data, provided your login password is strong: on Tiger, FileVault's AES-128 volume key is unlocked by that password (and by the master password, if you set one), so the password is the weak point, not the cipher. Note that this is confidentiality, not plausible deniability; the sparseimage in /Users is obviously an encrypted volume. Plausible deniability is a separate matter, which we will discuss in a future post.

Migrating to secure anonymity

It's too late! You've posted on the internet with your real name. You've posted your LiveSpaceJournalBook page with all your own details that future bosses can read. You're trapped! Now you're sitting around and you want to go to a forum and discuss unpopular ideas, but you don't want the NSA, FBI, bogeyman to find you or know it's you, or connect it to you at all. How do you do this?

Establish a separate identity that exists only online. The fact that you have an existing presence is a good thing. Remember that it would be mighty suspicious if you didn't have an existing persona online. Give "The Man" something to follow, give him a past, a present, a you. Don't drop off the internet suddenly; continue posting your normal everyday stuff, your fluffy dog page, your YouTube videos, just don't let any of it be associated with your new anonymous identity.

I will be starting a series of posts of specific step-by-step instructions on how to give yourself an untraceable, secure connection and communications network to have at your disposal. This is a guide.

Anonymous web browsing with Tor

Today we will discuss Tor onion routing. You are visiting a website but you need anonymity. Perhaps you are looking up porn or whatever and you don't want your traffic traced back to you. Time for "Tor Onion Routing", found here.

The important thing to remember is that anonymity is NOT EQUAL to encryption. Tor hides your route, and it does encrypt your traffic in layers between you and the exit relay, but it does nothing for the last hop: the exit relay, and the remote site, see exactly what you sent. Someone sniffing the coffee shop network sees only encrypted traffic to your first relay, but the exit operator and the remote sysadmin can read everything that isn't separately encrypted (use HTTPS where you can). They just don't know where it is coming from... unless you tell them in your messages.
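To make the "anonymity is not encryption" point concrete, here is an added toy model of onion routing. It is not code from the original post and not Tor's real protocol (Tor negotiates per-hop keys with Diffie-Hellman, encrypts with AES, carries everything in fixed-size cells over TLS links); the relay names, keys and the three-hop path are constructed for the example, and the stream cipher is a throwaway SHA-256 keystream, not anything to reuse. The client wraps the request in three layers, each relay peels one, and the code records what each vantage point learns: the guard knows who you are but not what you said, the exit knows what you said but not who you are, and the destination sees only the exit.

```python
"""Toy onion routing (added example; not Tor's protocol, not a real cipher)."""
import hashlib
import json


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter). Symmetric."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed circuit: keys the client is assumed to share with each relay.
RELAY_KEYS = {
    "guard": b"guard-key-0001",
    "middle": b"middle-key-0002",
    "exit": b"exit-key-0003",
}
NONCE = b"circuit-7"


def build_onion(path, destination, payload):
    """Client side: wrap payload so that each relay learns only the next hop.

    Innermost layer (for the exit) carries the destination and the plaintext;
    each outer layer carries the address of the relay that can open it.
    """
    layer = {"next": destination, "data": payload}
    for relay in reversed(path):
        wrapped = keystream_xor(RELAY_KEYS[relay], NONCE, json.dumps(layer).encode())
        layer = {"next": relay, "data": wrapped.hex()}
    return layer


def peel(relay, message):
    """Relay side: strip the one layer this relay's key can open."""
    plain = keystream_xor(RELAY_KEYS[relay], NONCE, bytes.fromhex(message["data"]))
    return json.loads(plain)


def run_circuit(path, destination, payload):
    """Push one message through the circuit; record what each party sees."""
    views = {}
    message = build_onion(path, destination, payload)
    for i, relay in enumerate(path):
        inner = peel(relay, message)
        views[relay] = {
            "knows_client_address": i == 0,          # only the guard talks to you directly
            "next_hop": inner["next"],
            "sees_plaintext": inner["data"] == payload,
        }
        message = inner                               # hand the inner layer onward
    # The site receives the bare request, from the exit relay's address.
    views[destination] = {"received": message["data"], "sees_address_of": path[-1]}
    return views


if __name__ == "__main__":
    result = run_circuit(["guard", "middle", "exit"], "example.com", "GET /secret HTTP/1.0")
    for party, view in result.items():
        print(f"{party:12s} {view}")
```

The exit's `sees_plaintext: True` line is the whole lesson: anything you want hidden from the exit operator has to be encrypted end to end by the application, which Tor does not do for you.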

For Mozilla Firefox, use this plugin (Torbutton) to add a button to your browser that switches Tor on and off. Use the button rather than typing the SOCKS proxy into the connection settings yourself: Torbutton also makes Firefox send DNS lookups through the proxy, and without that every site name you visit leaks to your local resolver in the clear.
Since you are using Mac OS X, use Vidalia, which is a graphical interface (GUI) to the Tor program.

Now, start up Firefox and hit the torbutton and start surfing anonymously.
You must read Bruce Schneier's post regarding the difference between anonymity and privacy.

Let's break security!