Friday, November 30, 2007

WEP Cracking with kismac (you can't hide)

A friend recently informed me that he would be securing his wireless network with WEP encryption and hiding his SSID. While this is a good idea and will deter 99.99% of evil crax0z, it's important to remember that WEP is not safe.

In this video we see someone crack a WEP network and recover the password in 10 minutes, even though the SSID is hidden. They use the excellent tool kismac, which is great for casual wardriving as well as packet interception and WEP cracking.

Remember, security through obscurity only works if you are actually obscure!

And a great article on preventing hacks by running software so ancient that nobody remembers how to hack into it. Security through obsolescence. Even the article is old.
"I have one box still running a version of Solaris that's so old none of the script kiddies can figure it out," Brian says. "They tend to focus on the latest and greatest, and don't have the slightest idea how to handle my old Sun box."
Brian points out that some of the most secure Department of Defense Web sites -- ones that don't make headlines by getting cracked all the time -- run old versions of Mac OS and the venerable WebSTAR server suite.

Wednesday, November 28, 2007

Copy the key. Make a good first impression.

Copy a key using a soda can, copier, scissors.

You can easily get the master key for a building by asking the secretary to borrow it because you "forgot your X in room Y."
Social engineering. Learn it, love it, design against it.

Monday, November 26, 2007

The Death of Facebook

Cory Doctorow, eminent SF Author and contributor to BoingBoing finally tells about the billion dollar elephant in the room.
*disclaimer. I used to think Cory Doctorow was a publicity hungry SF faker, but after reading his work, I recognize his brilliance. The man can write. He is no poseur.

There is a reason that LiveJournal faded, and Blogger, and MySpace is on the way, and Friendster, and Linkedin, and Orkut, etc. Facebook is this week's boring rehash.
Everyone googles themselves, no one wants to be googled. You want to be found by long lost friends but you don't lose touch with long lost friends, you lose touch with creepy weirdos that you maybe kinda liked to hang out with, but now you'd rather save the energy and just not talk to.

Except you get a friend request. Then you're an asshole for saying no. So you start signing in less frequently because this person who you kinda liked to hang out with, but you don't really interact with anymore is now part of your "friends list" and you see every goddamn message they post. You can't escape me, I can't escape you, neither of us politely.

Let's all pretend that we're not "that guy". Right. You're "that guy" to somebody.

Facebook is a waste of your time and everybody's money. Close your account. In 10 years, all these undergrads will wonder why they wasted 6 hours a day on some stupid facebook garbage when they were missing out on college life. Oh well. C'est la vie.

Saturday, November 24, 2007

Firefighters sidestep the 4th Amendment


What scares me is not the sentiments of the author, nor the mainstream publication, but the blind obsequious acceptance. Only DoubleThink could allow someone to even write these words in the US. I do not fear the Authoritarians. I fear their followers. These are they. Let's fisk.
Unlike police, firefighters and emergency medical personnel don’t need warrants to access hundreds of thousands of homes and buildings each year, putting them in a position to spot behavior that could indicate terrorist activity or planning.
You say this like it's a good thing.
Since the Sept. 11, 2001, terrorist attacks, Americans have given up some of their privacy rights in an effort to prevent future strikes.
We did not give them up. They were taken from us.
The American Civil Liberties Union says using firefighters to gather intelligence is another step in that direction.
Ok, wrong analogy, how about Fahrenheit 451. Burning forbidden knowledge via firefighters? Check!
“They’re really doing technical inspections, and if perchance they find something like, you know, a bunch of RPG (rocket-propelled grenade) rounds in somebody’s basement, I think it’s a no-brainer,”
Srsly. Does that happen often? Has any firefighter ever found an RPG in someone's burning-down house? Call up the Malibu guys; no, I'll wait. Srsly. I mean... who the hell writes sentences like that? "But what if we found a buncha RPGs in a basement." That's actually what he said. Is this an epidemic?
said Jack Tomarchio, a senior official in Homeland Security’s intelligence division.
Oh well that explains everything. FAIL.
When going to private residences, for example, they are told to be alert for a person who is hostile, uncooperative or expressing hate or discontent with the United States; unusual chemicals or other materials that seem out of place; ammunition, firearms or weapons boxes; surveillance equipment; still and video cameras; night-vision goggles; maps, photos, blueprints; police manuals, training manuals, flight manuals; and little or no furniture other than a bed or mattress.
Fact. You have described every engineering student in the USA.
They list 19 criteria. I would fall under 17 of those.

Clearly I am a terrorist. Me,
and the cat.
(for those playing at home, I would exhibit or own the following in a private residence: 1) hostile, 2) uncooperative, 3) expressing discontent with the US, 4) unusual chemicals, kinda vague eh? 5) materials out of place, 6) ammunition, ye gods tons of it. 7) firearms, boy howdy 2nd Amendment. 8) weapons boxes, they send ammo in these. 9) surveillance equipment, I have a police scanner and some mirrors. 10) still and video cameras, who doesn't have these? 11) night vision goggles, they're fun. 12) maps, of my city, in my car, 13) photos, 14) training manuals, vague as hell, but yes. 15) I have a book on Cessnas. 16) little or no furniture? hi all college males.)

“We’re there to help people, and by discovering these type of events, we’re helping people,”
Wow. Whatever makes you sleep at night buddy.
And the fire service is also represented in at least 13 state and regional intelligence “fusion” centers across the country — where local, state and federal agencies share information about terrorism and other crimes.
Bruce Schneier specifically warned about these "fusion" centers and mission creep. It's like reading tomorrow's newspaper.
“So we see things and observe things that may be useful to law enforcement,” he said. “We can walk into your house. We don’t need a search warrant.”
Yeah Bob, that's kinda the problem. See.. the 4th Amendment. You are an authoritarian follower.
But Cade said that until recently, there’s been no mechanism for fire departments to share what they learn with law enforcement and intelligence analysts who could use it.
Fire departments are unable to use telephones? Riiiiiiiight.
Homeland Security said if its program with New York is expanded across the country, civil rights and civil liberties training would be included.
Yes. DHS is such a huge defender of civil liberties. Heckuva job DHS.

Tuesday, November 20, 2007

Copy a key using a soda can, copier, scissors.

Instructables. What a great site. I did a similar trick after "borrowing" the master key from the departmental secretary.

Who wants to carry around 12 different large metal pointless keys? Get yourself a master key. What does most every place of business have?
Soda machines
Copy machines
Crappy security about who gets master keys.

How to make a working duplicate of a door key with a copy machine, soda can, scissors, etc.
Are xerox machines good enough to literally xerox a key put on the glass and have the same dimensions on the output paper? Yes. :)

Wednesday, November 14, 2007

Three types of authentication.

Security theory: There are 3 ways to authenticate yourself. Most of the time you may prefer anonymity, but in some cases, you must prove you are who you say you are.
If you are trying to access my house, my safe deposit box, my hard drive, etc, you must authenticate to the satisfaction of the door knob, the bank, or the filesystem respectively.

These are the 3 methods of Authentication:

What you have -- keys, badges, ID, passcards, tokens.
These are physical objects and go towards identifying you by what you physically *own*. The obvious problem here is that objects can be taken and are not tied or "signed" to any particular person. This makes it easy to loan your verification for temporary uses like valet parking, but objects can be stolen. Keys can be duplicated, IDs can be faked, and nobody knows what the heck a valid badge looks like anyway.
How many FBI badges or CIA ID cards have you seen? How would you know if it's real?

What you are -- your DNA, fingerprints, voice match, cadence of your typing, your walk, talk, act. Your smell, shoeprints, aura, your retinal scan, your vein patterns. Anything that leaves the impression of YOU, but nothing that can come from someone else. These are things that can be taken from you. They cannot be faked but can be stolen. This is the second level of security: what you are is better than what you have, but is nothing compared to what you know.

What you know -- passwords, passphrases. Things that cannot be beaten out of you. Passwords cannot be compelled to be told, they cannot be stolen (from your mind), they cannot be duplicated. Other examples include your memories.
We've all thought about the time traveler trick. Imagine yourself from the future convincing yourself now that you are really the future you. You can name things that only you could possibly know, such as your 2nd pet's name, the number of girls you've slept with, etc.
Needless to say, this method of authentication is the most secure and the most unwieldy.

In previous posts I discussed the UK woman who is being forced to reveal her decryption key. Could this happen to you?

Her door keys can be duplicated, her fingerprints can be stolen or coerced, but no court could make her, me, or you spell out your most secret passwords. What you know is better than what you have or what you are.
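The post's three factors are easiest to see in code when two of them are checked together. The block below is an added example, not part of the original post: it verifies "what you know" (a password stored as a salted PBKDF2 hash) and "what you have" (a time-based one-time code from a token or phone, computed per RFC 6238). "What you are" is left out because it needs sensor hardware. The user-record layout (`salt`, `pw_hash`, `totp_secret`), the `enroll`/`authenticate` function names and the sample password are assumptions made for the example; the TOTP test secret is the published RFC 6238 test vector.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 200_000  # PBKDF2 work factor for the stored password hash
TOTP_STEP = 30        # seconds per one-time code, per RFC 6238
TOTP_DIGITS = 6


def enroll(password, totp_secret=None):
    """Build a user record (hypothetical layout for this example) holding the
    two factors: a salted hash of what the user knows, and the shared secret
    that lives inside the token the user has."""
    salt = os.urandom(16)
    secret = totp_secret if totp_secret is not None else os.urandom(20)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "totp_secret": secret,
    }


def verify_password(record, password):
    """Factor 1, what you know: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def totp(secret, timestamp, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1: the code a hardware or phone token displays."""
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(record, code, timestamp, window=1):
    """Factor 2, what you have: accept one time step of clock drift either way."""
    for drift in range(-window, window + 1):
        expected = totp(record["totp_secret"], timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record, password, code, timestamp):
    """Both factors must pass. Both are evaluated before deciding, and the
    caller gets one generic reason so a failed login does not say which
    factor was wrong."""
    know_ok = verify_password(record, password)
    have_ok = verify_totp(record, code, timestamp)
    if know_ok and have_ok:
        return True, "ok"
    return False, "authentication failed"


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and a fixed clock value.
    rfc_secret = b"12345678901234567890"
    user = enroll("correct horse battery staple", totp_secret=rfc_secret)
    now = 59
    print(totp(rfc_secret, now))  # 287082, the RFC 6238 SHA-1 vector for T=59
    print(authenticate(user, "correct horse battery staple", "287082", now))
    print(authenticate(user, "correct horse battery staple", "000000", now))
    print(authenticate(user, "wrong password", "287082", now))
```

The design point is the one the post makes: the token's secret can be copied or the device stolen, and the password can be coerced, but an attacker needs both at once, and the server never stores the password itself, only a slow salted hash of it.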

UK Police Can Now Demand Encryption Keys

Papiere Bitte. UK Police can demand your encryption keys, your passwords, presumably your PIN, and yo momma's maiden name.

"Papers, please, citizen." Those words ought to invoke fear in you. We used to make fun of Soviet Russia where you needed internal passports. But then we had the Red Scare, when you could DoS a person.

So now the UK has done it. They are actually demanding you turn over your encryption keys. On penalty of what? 2 yrs in jail.

Lesson 1: If your crime is punishable by more than 2 years in prison, tell them to pound sand. You'll get off easier.
Lesson 2: If you don't like Susan up the street, plant an encrypted file on her and call the coppers. She can't give them the key for what she doesn't know she has. 2 years of no more Susan. Denial of Service of life.

Lesson 3: The government can't crack our encryption, otherwise they'd not bother forcing the keys out of us. A rather enlightening admission don't you think?

Denial of Service

I'm sure you heard about the angry father-in-law who sent an email to DHS to prevent his son-in-law from visiting the USA. The son-in-law was held for over 12 hours and sent back to Sweden, home of lutefisk and terrorists.

"The man, who admitted sending the email, said he did not think the US authorities would be stupid enough to believe him." Dear God, never underestimate the stupidity of petty dictators!

Denial of Service. Against a guy. For an entire country. Impressive.

Next post up, we see another example. (Hint, turning in your neighbors as Secret Commies is also a form of DoS.)

Thursday, November 8, 2007

Cracking shareware on OSX, for the lazy

Now you've installed Leopard, and you need to update all your little shareware utils. Normally you just grab the latest serial from (get the excellent program iSerial Reader which comes with monthly updated databases of serials).

But why go through the trouble to find old versions of software when you can crack OSX shareware yourself.

Cracking OSX shareware for the lazy. Now you can spend your time telling yourself whatever it takes to get to sleep at night because you cheaped out on $10 shareware for a starving author.

Saturday, November 3, 2007


Leopard includes a new type of file image called a "Sparsebundle". How is this different from a sparseimage? What is it used for? I'm sure someone at Apple knows, but the googlesphere doesn't seem to be doing much good. Here's what I've learned:

Sparsebundle images are like Sparseimages except they are made up of "bands".
Sparsebundles are used by Filevault in Leopard and help with Time Machine backups.
Each band is an individual 8Mb chunk. Time Machine will only back up the chunks that have changed.
Sparsebundles are actually directories; you can look inside them to see the data structure. Here is what you see.

This is why Time Machine has to log out to back up your Filevaulted Users directory. However, it is a huge bonus because otherwise, if you changed a single byte while logged in, your previous filevault structure would have changed the attributes of the Entire Ginormous Sparseimage, which would then take hours for Time Machine to back up.

Now using Sparsebundles, you log out, and Time Machine looks at the meta-data for the chunks that have changed and only backs up those. Also, the Time Machine backup was supposed to be encrypted, but this support seems to have been dropped. But since your sparsebundle is copied whole, filevaulted users are safe. You non-filevault using people are leaving usb drives full of your data all over the place though. Beware.
This appears to be a stopgap measure before ZFS is fully implemented. Use ZFS peoples. It has snapshots and pools.
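To make the "only changed bands get copied" point concrete, here is an added example (not from the post, and not Apple's code) that builds a toy directory shaped like a sparsebundle, takes a snapshot time, simulates a write into one band, and lists which band files an incremental backup would need to copy. Assumptions: the layout is an `Info.plist` beside a `bands/` directory whose files are named by band index in hex, and "changed" is judged by file modification time; the sample bundle, its contents and the function names are constructed for this example.

```python
import os
import tempfile

# Band size the post describes; the scan only needs it to map a byte offset
# inside the disk image onto the band file that holds it.
BAND_SIZE = 8 * 1024 * 1024


def make_sample_bundle(root, band_payloads, mtime):
    """Constructed sample: lay out a directory shaped like a sparsebundle.
    Assumed layout: Info.plist beside a bands/ directory whose files are
    named by the band index in hex. Every band gets the same mtime."""
    bundle = os.path.join(root, "sample.sparsebundle")
    os.makedirs(os.path.join(bundle, "bands"))
    with open(os.path.join(bundle, "Info.plist"), "w") as f:
        f.write('<plist version="1.0"><dict><key>band-size</key>'
                '<integer>%d</integer></dict></plist>\n' % BAND_SIZE)
    for index, payload in band_payloads.items():
        path = os.path.join(bundle, "bands", format(index, "x"))
        with open(path, "wb") as f:
            f.write(payload)
        os.utime(path, (mtime, mtime))
    return bundle


def band_for_offset(offset, band_size=BAND_SIZE):
    """Which band file holds the byte at `offset` inside the image."""
    return offset // band_size


def band_mtimes(bundle):
    """Return {band_index: mtime} for every band file present in the bundle."""
    bands_dir = os.path.join(bundle, "bands")
    result = {}
    for name in os.listdir(bands_dir):
        result[int(name, 16)] = os.stat(os.path.join(bands_dir, name)).st_mtime
    return result


def changed_bands(bundle, since):
    """Band indexes touched after `since`: the only files an incremental
    backup of the bundle has to copy, which is the saving the post describes.
    A single monolithic sparseimage would instead be copied whole."""
    return sorted(i for i, m in band_mtimes(bundle).items() if m > since)


def touch_band(bundle, index, mtime):
    """Simulate a write that landed in one band: only that file's mtime moves."""
    path = os.path.join(bundle, "bands", format(index, "x"))
    os.utime(path, (mtime, mtime))


def demo():
    """Three bands, a snapshot, then a write 4 KB into band 1: only band 1 is due."""
    with tempfile.TemporaryDirectory() as root:
        bundle = make_sample_bundle(root, {0: b"a" * 64, 1: b"b" * 64, 2: b"c" * 64}, mtime=1000)
        snapshot_time = 1500
        touch_band(bundle, band_for_offset(BAND_SIZE + 4096), 2000)
        return changed_bands(bundle, snapshot_time)


if __name__ == "__main__":
    print(demo())  # [1]
```

Because the backup tool copies band files as opaque blobs, the bands of an encrypted (FileVault) bundle are backed up without ever being decrypted, which is why the post can say filevaulted users are safe even though the backup volume itself is not encrypted.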

Thursday, November 1, 2007

The War on the Unexpected

"We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong."

Read Bruce Schneier's excellent essay.

Be afraid, be normal, "Live free or Die!" does not seem to be the prevailing wisdom today. Wimps. As usual Bruce tears up the baby-coddled thinking of the terror-mongers. The people who advocate this style of followership are the children of the "Greatest Generation"?

I'm a Gen-X'er myself and I have to say, piss poor show fellows, piss poor.
I know the Boomers are scared of death and scared of non-conformity, and have nothing to live for but life itself, but grow a backbone. Don't let the blinkenlights scare you!

"Of course, by then it's too late for the authorities to admit that they made a mistake and overreacted, that a sane voice of reason at some level should have prevailed. What follows is the parade of police and elected officials praising each other for doing a great job, and prosecuting the poor victim -- the person who was different in the first place -- for having the temerity to try to trick them."

Damn you Boomers for giving away MY freedoms and for setting us on this authoritarian course. Now we gotta fight.