Linux declared “hacker proof“, according to a contest at the CanSecWest conference. Here’s the rules of the game (you hack it, you get to keep it):
- Limit one laptop per contestant.
- You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.
- Thirty minute attack slots given to contestants at each box.
- Attack slots will be scheduled at the contest start by the methods selected by the judges.
- Attacks are done via crossover cable. (attacker controls default route)
- RF attacks are done offsite by special arrangement…
- No physical access to the machines.
- Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.
There’s not quite enough in the way of detail here, but it’s pretty obvious (by the inclusion of web browsers and mail clients) that there is some level of client-software use going on, you’re not just trying to hack into an idle box plugged into a network.
This was a decidedly gamed contest. These are supposed to be “typical road warrior” targets, but I imagine that the people playing the part of “client software users” weren’t typical road warriors at all. Moreover, if you’re really worried about secure files on a laptop used by a typical road warrior, physical access to the machine is your number one problem, for crying out loud. Since none of these laptops use an encrypted storage solution (that I know of), all you need to get the file is physical access to the machine for about 2 minutes and a boot CD. For that attack scenario, all of these configurations would fall over and perish swiftly.
Ann’s recent blog post is one of those blog memes you see from time to time: “If you could pick only five albums to listen to for eternity, what would they be?” I’m going to define “album” thusly: one (1) complete recording, maximum of 72 minutes in length, distributed in the form of a single cassette, vinyl album, or compact disc.
So, no cheating and pulling out dual-disc “albums”, unless you want to pay two slots for it. This is extremely difficult. I am one of those people that walks around with a soundtrack in my head, but this contest isn’t about choosing 360 minutes of music, it’s about choosing 5 *albums*; there’s a significant difference. I consider albums to be a superset art – assembling an album isn’t just a matter of choosing 10-20 good songs, it’s about building a collection that is more than the sum of its parts. At the same time, if I’m stuck for eternity with only 5 albums, I can’t necessarily pick the best albums, because there are songs I must have. So, here’s mine, no particular order, with reasoning:
(1) City of Birmingham Symphony Orchestra: Walter Weller Conductor – Beethoven: The Complete Symphonies, Vol 1, CD 2 – (Symphony No 2 in D Major, No 5 in C Minor)
(2) Rush – Moving Pictures
(3) Assorted Motown Artists: Saturday Night Downtown, Disc (not sure, I’ll have to update this post when I can look at the playlists)
(4) Midnight Oil – Red Sails in the Sunset
(5) The Beatles – Abbey Road
Abbey Road because we must have some Beatles. Every time I hear “Oh Darling” or “I Want You (She’s So Heavy)”, I wish that I could sing this goddamn song as well as Paul /John does, because I would love to be able to sing it to my wife* in something other than my horrid singing voice. Red Sails because it is tied to a great number of memories in my head of my early teenage years. Not sure if the Birmingham recording is the best of Beethoven’s 5th, but it’s the one I have and I must have Beethoven’s 5th. Not only is this required in and of its own right, but several of my favorite memories of my father have this recording as the soundtrack, and I should miss the clarity of recollection that comes with the music itself. Saturday Night Downtown for similar reasons -> I must have some Motown, and this album has a number of associations with my mother that I would like to keep alive. Moving Pictures because we must have some Rush.
* – not implying that she’s planning on leaving me 🙂
Hilarious. Mixed-martial arts websites meet Viking berserkers.
Comedy gold quote:
“My old father, Thor Svensson, used to say that “defense is what happens when you’re about to die”
Yay! We have a new cybersecurity czar. From The Washington Post.
Boo! It’s not really certain who is in charge anymore.
Sources in the government contracting community said the White House is expected to announce as early as Thursday the selection of Rod A. Beckstrom as a top-level adviser based in the Department of Homeland Security.
… DHS only recently appointed Greg Garcia, former head of the Information Technology Association of America, to be assistant secretary for cyber-security and telecommunications…
Garcia in turn answers to Robert D. Jamison, who serves as Under Secretary for National Protection and Programs Directorate. When asked last week at a press briefing about a simulated cyber attack against the United States who would lead the government’s response in the event of a sustained cyber attack on the federal government, Jamison said that duty would fall to him.
Double Boo! Beckman’s not a security guy.
By all accounts, Beckstrom is neither a cyber-security expert nor a Washington insider. But his private-sector background and published writings emphasize a decentralized approach to managing large organizations.
Is it just a pathological condition that this Administration chooses people with no domain experience for positions of authority? How long until we hear, “Becksie, you’re doing a heckuva job”??
At NASA. Very cool. Today’s picture:
Bruce wrote an editorial for Wired (reproduced with commentary at his blog) about what kinds of people make good security people, and in which he muses about whether or not a security mindset can actually be taught. It’s good reading, particularly if you know me and want to know a little bit about the way my brain works. From the article:
SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”
You see Bruce’s point. Security-minded people are naturally sneaky. Whether they exploit their natural sneakiness or not dictates whether they become a criminal, a CIA analyst, a law-enforcement agent, or just a guy like me who notices where the security cameras *don’t* overlap in the local convenience store.
One of the commentators pointed to this other blog post by Colin Percival, in which Percival states: “If you want someone to understand security, just send him to a university mathematics department for four years.”
To some extent I think Percival has a point. I have noticed that lots of mathematicians are naturally slated towards picking out the unseen assumptions that introduce systematic weakness. But (as I commented on Bruce’s blog), those same mathematicians can suffer from being stuck “in the box”. Mathematics is (generally) the study of closed axiomatic systems. Security systems are usually neither closed, nor axiomatic. Mathematically-trained security guys can oftentimes be obsessed with security inside a box, but they can easily miss the forest for the trees.
I’ll use on of my favorite Bruce anecdotes to illustrate the point: Bruce, back in his more naive days, was attending a security conference, and was involved in a discussion about a cryptographic protocol when someone (I think it was an FBI agent) started describing a side-channel attack. Bruce says something to the affect of, “But that’s cheating,” to which the FBI agent replies, “There is no cheating in this game.”
I see this all the time in Infosec IT papers, and it’s actually why I’ve chosen *not* to do Infosec work as my research focus -> everyone is obsessed with proving that some cryptographic protocol is secure, or figuring out attacks against those protocols. Sure, this is worthwhile and necessary work, but the real pressing “right-now-today” problems in Infosec aren’t protcol-related. Key management. Inherited trust. Authentication and Identification. These are the problems in security, and for the most part they are not really technical problems; they are process problems or human problems. You can prove a protocol is mathematically secure, but if your engineering results in keys sitting in memory, your implementation is insecure. And really, you can be an excellent mathematician and a really cruddy practical security specialist.