Security

Getting paid to break into things: How vulnerability assessors work at Argonne National Lab

Let's face it. Deterrents such as "keep out" or "do not open" are powerful magnets to us techies. Now, imagine getting paid to ignore those warnings.

I remember my first lock-picking experience. ...It was a dark and stormy night. Just kidding. While celebrating my ninth birthday at a fancy restaurant with my parents, I needed to attend to something. Making sure to excuse myself, I headed for the men's room.

Checking out the graffiti, while waiting for things to happen, I glanced at the toilet-paper dispenser. I noticed it was locked. With nothing better to do at that moment, I pulled out my prized possession, a totally-cool Swiss Army knife and got to work.

After an inordinate amount of time, my father came in to check on me. He asked, "Is there a problem?" With a smile, I said, "At first, but I figured it out."

Of similar mind: Vulnerability Assessments Team

I'd like to introduce you to a group of people who would have the dispenser lock open in no time. They are members of the Vulnerability Assessments Team (VAT) at Argonne National Laboratory. They're the ones who break into stuff that supposedly cannot be broken into.

I learned about VAT indirectly. Steve Gibson, in one of his Security Now podcasts, was talking about a list of Security Maxims written by Dr. Roger G. Johnston. Dr. Johnston described where his words of wisdom came from:

"Being a vulnerability assessor makes one pretty cynical. Or maybe you need to be cynical to see security problems. Or maybe both are true. Anyway, these maxims were developed partially out of frustration at seeing the same kinds of problems over and over again."

The doctor's list of maxims really resonated with me. So much so, I wrote an article about his aphorisms. Here are a couple of my favorites:

  • Too Good Maxim: If a given security product, technology, vendor, or techniques sounds too good to be true, it is. And it probably sucks big time.
  • Scapegoat Maxim: The main purpose of an official inquiry after a serious security incident is to find somebody to blame, not to fix the problems.

While quizzing Dr. Johnston about his maxims, I kept hearing about a group called VAT and the incredible things they were doing. Being more of a tortoise than a hare, it took me a while. But I finally realized the need for another article.

The experts at VAT

After several phone calls and emails, I finally got the scoop on Dr. Johnston and the VAT. What I learned is impressive. Consider the mission:

"The VAT works extensively in the areas of product anti-counterfeiting, tamper and intrusion detection, cargo security, nuclear safeguards, and the human factors associated with security using the tools of industrial and organizational psychology."

If that isn't enough:

"The VAT also runs a one-stop microprocessor shop where Argonne scientists and researchers can have a microprocessor solution - hardware and software - for analog or digital measurements in about a week."

This VAT fact sheet describes some of its recent accomplishments. Among the more notable: how to detect a sticky bomb (very cool), how to determine where biometrics and access-control devices are vulnerable, and how to secure a secret key.

It's a little late for me, but I was compelled to ask Dr. Johnston: How does one get a job like his? Also, I was anxious to learn how good the team members were at picking locks. Here is what he had to say:

How does one prepare for a job like yours? Johnston: I have no idea! Like a lot of people in the security business, I stumbled into the field when somebody retired and they needed a replacement. The "tools" I think one has to develop to be a good vulnerability assessor are mostly mental. They include:
  • Skepticism; having the desire to check things out for one's self, as opposed to automatically believing the canonical view.
  • Strong BS meter, intuition, and creativity; really wanting to find security problems and solutions (rather than reassuring yourself that everything is fine).
  • Not being afraid to rock the boat.
  • The ability to think like a bad guy; possessing some degree of intrinsic evil.
  • Hacker's mentality that involves trying to devise ways to defeat things.

It is helpful that many team members, including myself, have a physics background. Besides the applicable technical knowledge, physicists tend to believe even intricate systems operate under simple, understandable principles. This is a good mindset when facing complex security applications.

Engineering is not typically a good background for this type of work. Engineers often have the wrong mindset for thinking like the bad guys. This may be why most devices and systems have poor security.

Kassner: I know my friends who are engineers are going to be irritated. So, I asked Dr. Johnston to explain:

"There is an old saying: When you're holding a hammer, everything looks like a nail! Engineers and computer scientists look at security from a completely different perspective than the people trying to break in."

If you think about it, creating something and trying to destroy it are on opposite sides of the spectrum.

What is a day at the VAT labs like? Johnston: It sure beats working for a living. Every day is different. On any given day we may:
  • Work on the bench, testing hardware or microprocessor circuits.
  • Work in the field, testing attacks and investigating security programs.
  • Reverse engineer software, including microprocessor code.
  • Produce videos and training materials that demonstrate attacks, potential countermeasures, product redesigns, and suggested security protocols for our sponsors and security professionals.
  • Write research papers. I serve as editor of the Journal of Physical Security.

I also meet with government officials, private security managers, and give talks at conferences, trying to raise awareness of security issues. This tends to be an uphill battle because Security Theater, cognitive dissonance, and denial are difficult to compete against.

What is the easiest and most difficult part of your job? Johnston: Figuring out vulnerabilities is always the easy part. There are so many of them. And the same security blunders keep cropping up across a wide range of security devices and systems (locks, tags, seals, biometrics, and other access control devices).

Next, determining practical, cost-effective countermeasures is a bit harder, but fairly straightforward.

The hard part of being a vulnerability assessor is figuring out how to deliver the "bad news". Generally, we start out discussing what is good about the security because:

  • We want the dialogue to continue.
  • The good security features might have been an accident and we want them to continue.
  • We found this helps the customer be better prepared to hear about problems.

Kassner: This struck me as odd. Why would an organization that asked for help have problems with what VAT found? It's like asking for advice, then arguing with the person who gave it. So, I quizzed Dr. Johnston about this:

"It can be a political hot potato, especially if the product we are testing is already in service. Telling a company that one of their products has issues is something they do not want to hear. That is why we prefer working with companies when the product is in the design stage."

The project you thought would be hard but wasn't? Johnston: I thought nuclear safeguards would be a challenging area to find vulnerabilities. But, it seems, the amount of careful thought devoted to security is not proportional to the importance of an application. The same kind of dumb mistakes can be found in nuclear safeguards as in other security applications.

"Thugs versus nerds"?

Dr. Johnston used the expression "thugs versus nerds" several times during our conversations. I laughed when I heard it, but did not truly understand what it meant. You might find Dr. Johnston's explanation interesting:

"People concerned with physical security have a completely different mindset than those dealing with cyber security. For example, it only takes a few break-ins to get a lock maker concerned. Yet, on any given day, security administrators expect that several computers will get broken into.

That difference in threshold makes things interesting when you get both types together. I have been in meetings where a company wants to consolidate physical and cyber security into one group. That's not possible, unless the person in charge understands the different mentalities in play."

More physical than cyber

While trying to make sense of my notes, I was struck by one thing. Though Dr. Johnston and the VAT members work with sophisticated electronics, they usually end up breaking in using simple physical methods.

That's not what I expected so I thought maybe I was mistaken. I called Dr. Johnston and asked for clarification. He said, "Yep, why bust your butt trying to break in electronically, when it is easier and faster using physical means." Dr. Johnston went on, "Cyber security is in a pretty good place. It's physical security that needs help."

My notes were right, but the hands-on approach did not seem easier to me. He explained:

"Any break-in to a high-profile target requires significant preparation. You do not want to get caught and you want the exploit to work. A cyber break-in may work, but remember that's where the attack is expected and where the most defenses will be placed.

We prefer the physical approach. All we need is 15 seconds with a piece of equipment, a router, to install some hardware programmed to create, for instance, a man-in-the-middle attack."

I next asked how they would get their hands on the router. Dr. Johnston replied, "Ever hear the term 'chain of custody'?" I mentioned I did and he continued:

"For the most part, keeping careful track of devices is not commonly done. During any one of the stops from the manufacturer to the data center, we could bribe or social engineer someone to get our hardware installed. Or just install it ourselves during transport or while it is sitting on a loading dock somewhere, or even after it is installed since physical security for cyber hardware is often not sufficient."

If you aren't convinced, I suggest you watch this video. Dr. Johnston and VAT members used a similar approach to compromise electronic voting machines.
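The custody gap Dr. Johnston describes is a record-keeping problem as much as a physical one. As an added example (not code from the article or from Argonne's VAT), here is a hash-chained chain-of-custody record in Python for a device moving from manufacturer to data center. Each hand-off records who took possession and the firmware digest they measured, bound to the hash of the previous entry. The serial, custodians, timestamps and firmware digests are constructed sample data. Editing or deleting a recorded stop breaks the chain, a changed firmware digest is flagged against the receiving custodian, and a stop that nobody logs leaves the chain intact, which is exactly the "not commonly done" gap in the quote.

```python
"""Hash-chained chain-of-custody log for a network device in transit.

Added example, not code from the article or from Argonne's VAT. The device
serial, custodians, timestamps and firmware digests are constructed
sample data; the scheme is a plain SHA-256 hash chain over JSON entries.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS = "0" * 64                                  # prev hash of the first entry
SERIAL = "RTR-0001-EXAMPLE"                         # constructed device serial
FW_GOOD = hashlib.sha256(b"vendor firmware image (constructed)").hexdigest()
FW_BAD = hashlib.sha256(b"implanted firmware image (constructed)").hexdigest()


@dataclass(frozen=True)
class Handoff:
    seq: int               # position in the chain, 0-based
    serial: str
    custodian: str         # who took possession at this stop
    timestamp: str
    firmware_sha256: str   # digest the receiving custodian measured on hand-over
    prev: str              # entry_hash() of the preceding entry, GENESIS for the first


def entry_hash(h: Handoff) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    blob = json.dumps(asdict(h), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def append(log: List[Handoff], custodian: str, timestamp: str, firmware_sha256: str) -> List[Handoff]:
    """Record a hand-off, binding it to the hash of the entry before it."""
    prev = entry_hash(log[-1]) if log else GENESIS
    seq = log[-1].seq + 1 if log else 0
    log.append(Handoff(seq, SERIAL, custodian, timestamp, firmware_sha256, prev))
    return log


def verify(log: List[Handoff], expected_firmware: str, head: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means every recorded link is intact and
    the firmware digest never changed hands. `head` is the hash of the last
    entry as delivered out of band (e.g. on the shipper's manifest); without
    it, tampering with the final entry itself cannot be detected."""
    findings = []
    prev = GENESIS
    for i, h in enumerate(log):
        if h.seq != i:
            findings.append(f"entry {i}: sequence gap (seq={h.seq})")
        if h.prev != prev:
            findings.append(f"entry {i}: chain broken before {h.custodian}")
        if h.firmware_sha256 != expected_firmware:
            findings.append(f"entry {i}: firmware digest changed under {h.custodian}")
        prev = entry_hash(h)
    if head is not None and prev != head:
        findings.append("head hash does not match out-of-band record")
    return findings


def sample_log() -> List[Handoff]:
    """Clean transit: four stops, same firmware digest at every hand-over."""
    log: List[Handoff] = []
    append(log, "manufacturer", "2011-03-01T09:00Z", FW_GOOD)
    append(log, "freight carrier", "2011-03-02T14:30Z", FW_GOOD)
    append(log, "loading dock", "2011-03-04T08:15Z", FW_GOOD)
    append(log, "data center", "2011-03-04T16:45Z", FW_GOOD)
    return log


def spliced_log() -> List[Handoff]:
    """Attacker rewrites the loading-dock entry after the fact to hide a
    firmware swap; the data-center entry's prev hash no longer matches."""
    log = sample_log()
    log[2] = replace(log[2], firmware_sha256=FW_BAD)
    return log


def dropped_stop_log() -> List[Handoff]:
    """Attacker deletes the loading-dock entry entirely."""
    log = sample_log()
    del log[2]
    return log


def unrecorded_tamper_log() -> List[Handoff]:
    """Attacker gets 15 seconds with the box on the dock and logs nothing.
    The chain stays intact; only the data center's own measurement notices."""
    log = sample_log()[:3]
    append(log, "data center", "2011-03-04T16:45Z", FW_BAD)
    return log


if __name__ == "__main__":
    for name, fn in [("clean", sample_log), ("spliced", spliced_log),
                     ("dropped stop", dropped_stop_log), ("unrecorded tamper", unrecorded_tamper_log)]:
        print(f"{name:18s} -> {verify(fn(), FW_GOOD) or 'OK'}")
```

Two limits are worth stating. The log only catches what the next custodian actually measures, so a hardware implant that leaves the firmware image untouched passes the digest check, and the final entry can only be checked against a head hash delivered out of band (the `head` argument). The record makes an unrecorded or edited hand-off visible; it does not replace guarding the box.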

Final thoughts

Dr. Johnston and VAT members have a serious task and, dare I say, lots of work ahead of them. Thankfully they are up to it. I would like to thank Dr. Johnston for explaining the ins and outs of being a vulnerability assessor.

On a more humorous note, Dr. Johnston has managed to acquire so many security maxims that he has written a new book, Security Sound Bites: Important Ideas About Security from Smart-Ass, Dumb-Ass, & Kick-Ass Quotations.

Almost forgot, I wanted to thank the good Doctor for reviewing my resume and his sincerity when mentioning I should keep my day job as an engineer.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

55 comments
harryolden

Boy, I really would like a job like that. I always have an interest in "how do I get it open, how does it work, can I alter it, what happens if I push this button, wow." I did visit a place that repaired the bank's computers and found out how they work just by looking inside and told them, oops, classified material here lol. Thanks for the info.

oldbaritone

It's always been that way. Given enough time, money and effort, anything that can be opened legitimately can be opened illegitimately too.

bboyd

QC&QA maxim: the more you inspect, the more problems you find. You inspect to reduce external risk; the internal risk is that you spend more resources on the product. Corollary: if you don't inspect, all your risk becomes external. Intrusion maxim: if you're only after some of the fruit, grab the low-hanging ones. Don't risk personal involvement if a simple external method will get you the lesser but sufficient access. Corollary: you get all the fruit if you take a bigger risk. These guys seem to have a better grasp of the 80% rule of QC working on security. Two people looking at security from the same perspective will each likely find 80% of the problems; those 80% will overlap sufficiently to waste most of the second person's time. However, the obtuse perspective these guys have will put the 80% solidly on a different set of problems. Would love to work with them. And very fun article, MK.

seanferd

Great article. The thing about engineers: particularly as opposed to scientists (i.e., people actually practicing science), engineering has little in the way of weeding out those with less-than-rigorous (or less rational) thinking skills. You will find no small number of engineers who, while perhaps excellent at engineering, will loudly and proudly believe and support completely wacky ideas. Scientists who go a bit batty or attempt to speak authoritatively outside their discipline are roundly mocked by peers and science fans. They are entirely different cultures. There are plenty of engineers with the right mindset, just a lesser percentage than scientists, in general. Overall, practicing engineering doesn't require skeptical, critical thinking, but good maths skills and maybe some understanding of materials properties. Cheers for the good engineers.

AnsuGisalas

Having too great a time reading through Dr. Johnston's maxims... One of the ones I like even better than the rest: "Onion Maxim: The second most common excuse for not fixing security vulnerabilities is that 'we have many layers of security', i.e., we rely on 'Security in Depth'. Comment: Security in Depth has its uses, but it should not be the knee-jerk response to difficult security challenges, nor an excuse to stop thinking and improving security, as it often is." Just how many sieves do you have to stack on top of each other to make a waterproof whole? :p

Michael Kassner

Should be the advertising slogan for the vulnerability assessors at Argonne National Labs. Learn about some of their experiences.

Michael Kassner

"anything that can be opened legitimately can be opened illegitimately too." There is the RoI issue, with impediments working against the the illegitimate

Michael Kassner

It was my second opportunity to work with Dr. Johnston. Both times, he displayed this wonderful enthusiasm. Reminded me of my university professors, who instilled my thirst for positive knowledge.

AnsuGisalas

He started with a focus on safety, but there are lots of misleading security technology naming and language use practices, too. Like "firewall"... why on earth would one call it that, except as a hype? A more fitting name would be "turnstile", after all, it's about as strong a "defense" as a metro turnstile (for countries that have those), an able-bodied offender can jump over... and no, he won't be singed by any fire ;)

Michael Kassner

I see what amazing work is being done at places like Argonne and it helps. It really helps.

Neon Samurai

Anyone else have talk links? I have to see if I can track down the original link for the Tiger Team talk - given by the crew chief that did the "Tiger Team" TV series (all two episodes.. boooo.. me want more).

Michael Kassner

On what's what. It was great fun working with him on the article.

aeiyor

I initially tried to reply by adding to the comments but it wouldn't let me. So I am going to try to perform a REPLY to the primary message and hopefully it takes the post.

Original response:
================
Good Day All. Michael Kassner, another great article and my kudos to you and Dr. Johnston. This reminds me of the movie Sneakers. http://www.imdb.com/title/tt0105435/ The encapsulated synopsis is a group of specialized individuals who work addressing security systems.

I agree that it definitely requires a different mentality to address things. When engineering products, one is set to the principles of how to create something and what all is involved in the process: resources, components, how things interface, principles and laws that regulate the creation of something, what bugs occur and how to fix them. When hacking into something or attempting to break something, the principle is figuring out how something works and then assessing its various vulnerabilities, be it design flaws, structural flaws, or unforeseen ways that things interact to cause failure or faults. After assessing the weakness, the exploiting of the weakness transpires. Once the weakness is made full use of, then begin breaking the other components to render any security inert. Thereby full access is provisioned.

In some sense you can liken this to a virus. It is an opportunistic infection that exploits the host for vulnerabilities and attacks the structure to render any defenses useless, thereby subjecting the host to the ravage of its exploits and perhaps killing/handicapping the host. Yet it is possible to apply knowledge in either direction, for the benefit of creating something or for the destruction of something. As such, I believe the core of being able to do the "hacking"/"Security Vulnerability Testing" is more geared towards a combination of one's natural disposition: troubleshooting ability, problem-solving skills, the interest to tinker and comprehend technology, the ability to apply knowledge for an end task, the focus towards the end result, the drive and interest to learn and get to something, brainstorming talents (thinking outside of boxes).

I've thought of it, but my problem is that I have too many interests. I have had exposure and background in hacking and tinkering as well as jury-rigging and accessing. I still have curious interests in it, so the information is quite valuable. Though, I have too strong a need for a diverse array of topics and thoughts that stream from different vantage points. Again a great article and thanks for posting it. Sincerely, Satori.
================

Michael Kassner

It's a reference to automobiles, where the firewall is a thick steel plate barrier between the engine and passenger compartment, preventing a fire in the former from spreading to the latter. I think on your side of the pond it is called a bulkhead.

Michael Kassner

I have it and watch it often, along with War Games. What a cast. Thanks for another profound post, Satori. I always learn something.

Neon Samurai

Hackers tend to be compulsive and persistent problem solvers regardless of what topic they Hack ("take interest in, understand, research"). In penetration testing the problem becomes "how do I get around this so I can access that" or "I wonder what happens when I do this.. interesting.. now how can I use that response..". Failure is a great motivation for Hackers; it's about how often and how big you fail and then how you build on that failure to gain the next bit of understanding. It's persistence. A software Hacker bangs away at the keyboard until he/she makes the software do what is desired. A hardware Hacker mucks with the hardware until they get a desired or interesting outcome. Circuit Bending begins with under/over-powering the device along with probing the circuit board contacts, learning what interesting responses occur (Talking Barbie has a boy's voice if you under-power it). Lock Hackers (locksport) are all about persistence; keep failing to open the lock until you succeed, then pick the next most complicated lock and start failing again until you out-stubborn it with tools or creative methods.

This is very much the case with security Hackers; persistence is in the information gathering and vulnerability assessment. The actual execution is the final 20%. If someone is auditing your wireless and pops it in fifteen minutes, it's because they've spent the hours at home with the lab wireless failing to pop it until finally successful. Most people get to the end of the user manual and go "ok, done" or try a few things and go "nope, didn't work".. this is where a Hacker begins; "ok, know what the manual has to say.. what else can I learn from this thing." and "Ok, known methods didn't work, now I'm really interested". Unfortunately, it's not an archetype that can be easily defined, but Hacker mentality is very clearly recognizable once one takes the time to understand real hacker culture or "are one" themselves. :D (I'm mostly rambling here along with highlighting the persistence attribute)

In terms of yourself, Hacker attributes are probably evident. Do you like to understand things down to minute detail? Do you value hands-on experience above book learning? Do you value sharing what information is yours to share and helping others build on your discoveries as you've built on those before you? Do you believe that your area/areas of interest can change the world for the better? Having multiple topics of interest probably makes you more a Hacker rather than less; it shows an inquisitive mind hungry to learn and cross-reference experiences. It just might mean you're not only a security Hacker or a software Hacker or a political Hacker (B Franklin). You definitely have tinkering and jury-rigging (not in the legal sense?) in common with Hackerdom going all the way back to Benjamin Franklin and earlier.

Benjamin Franklin:
  • hacked an odometer onto his carriage to make postal deliveries more efficient
  • hacked a safer stove to address house fires
  • hacked the first fire department to address house fires
  • hacked the first fire insurance company to address house fires
  • hacked bifocals to solve changing between different eye glasses
  • hacked the French press to see how absurd a story they'd print (social hack, social engineering)
  • hacked a rival's brain with a taunt; he predicted the person's death (social hack, social engineering)
  • took issue with copyright and patent for their stifling of innovation rather than fostering of a healthy market
  • did not seek profit from his inventions
  • questioned authority even if conceding to it in the end
  • of course, that whole political hacking stunt with a few other odd-ball thinking authors of the US constitution

(It's deep irony that the US was founded by Hackers based on Hacker ethics and now what category of self-directed compulsive learners is vilified in US public opinion?)

(This is really a must-listen for anyone interested in the history; ignore the FSF stuff if you don't agree with them.) The Zen of the Hacker http://www.thelasthope.org/media/audio/16kbps/The_Zen_of_the_Hacker.mp3 http://www.thelasthope.org/media/audio/64kbps/The_Zen_of_the_Hacker.mp3 An inquiry into the conditions under which hacker culture thrives, the curiously American quality of hacker culture, and the evolving challenges for preservation of the hacker ecosystem.

Michael Kassner

Glad you reminded me of him. The people at VAT are as amazing. And, I feel that way from just what they could tell me about.

AnsuGisalas

The point about the Anti-products is: people don't want to think about the specifics (ug, indeed), they just want to avoid the Big Bad (wrinkles, dandruff, virus)... so it's a Magic jar/bottle/program which does the trick... they don't wanna know. The problem is: one can see if one's anti-wrinkle creme is running out, but so long as one "has anti-wrinkle creme" and "remembers to use it" one is ok (one believes). How does this compare to the AV? We can't see if it's running out, unless it's a paid license, and then that's not the right "running out" point, is it? We rely on the "magic jar" similarity; we either have AV or we don't, and it shows on the system tray, so we have it.... Now, remember to use it, well; we're using it, aren't we - it shows in the system tray because it's running. So: yay, we can't get virus, the antivirus is getting rid of it. Right? The "update" part doesn't fit into our metaphor, so it gets dropped. And it's boring anyway, and makes our World Of Warcrack go all laggy... Michael... working on finding ten people...

AnsuGisalas

Or, if you do, for historical reasons only. We humans use language by analogy: if most of our known and commonly used instances of "anti" mean a thing that gets rid of whatever is the next segment of the name it occurs in, then this will be a very large part of the "generic meaning" of "anti", which we use to base our occasional interpretation of a new "anti something" on... Secondly, does AV prevent virus from downloading? Not really, right? It just tries to recognize it as it downloads or unpacks, and then get rid of it before it gets settled in. Even the download scanners do download it somewhere (sandbox), and then flush on recognition. So in a way, anti as "get rid of" is accurate, but the problem is in the other "anti-somethings" working by way of static properties, not properties that have to be constantly recompiled for it to work. Specifically, it's like having a tissue in hand, wiping off motor oil that drips onto us; it has to be a pretty good tissue or we'll be a mess in no time... and you'd better have a fresh supply of those tissues... like a virus-wipe. An out-of-thin-air moniker - Virus-wipe - is a better (more secure) analogy than Anti-Virus, because - even though the updates are not in fact "fresh tissues", they get the idea across... that the tissue in hand will stop being efficient in short order!

bboyd

Team of guys paying money to write programs that seek out infection sources and remove the originating virus. Generally operating by tuning scripted programs that exploit back channel communications used by virus code exploits and employing anti polymorphic systems. Never mind that most AV software signatures are for things that don't classify as virii.

Michael Kassner

All my dictionaries favor Anti meaning against. Is it really valid to assume it also refers to your "get rid of"?

Michael Kassner

Almost all anti-this or that is premised on the protracted purchase of something. There is no cure. Good for business, bad for consumer. Also, it seems there is little incentive to find a cure, due to future profits being lost.

Neon Samurai

That would be an interesting question, though I don't know if we'll have ten people in the office today. I'm still missing something in Ansu's points, I think, and it may very well be his deeper word nerditry rather than my greater understanding.

"anti-something".. the antithesis, opposite, commonly read as "works to reduce, works against, defends from" in my understanding. Anti-wrinkle cream (if it works).. a cream which works against skin wrinkles, works to reduce them; I guess you could consider the user's intent trying to be defended from wrinkles for lack of a natural self defense. Anti-dandruff.. does the opposite of creating dandruff, works to reduce dryness of the scalp and resulting skin flaking. If you don't buy more cream when you run out, it's not effective at addressing future dry scalp or wrinkles until you buy more; renew and get the update/refill. If you don't download more virus signatures, then the AV is not effective at addressing future malware; you need to download the refill; get the updated signature database.

Taken to an extreme, they all seem to break in the same way too. Anti-virus is not a piece of code that worms its way through a network removing viruses; it's a machine-located scanner which detects. Anti-dandruff is not moist skin flakes which leap from one's shoulders to the scalp (ha.. let that image sink in.. and.. I really should have ignored the examples and chosen something with a more desirable mental image). (ug.. Ansu. these were the best examples for discussion? ;) )

Now, one word that does get to me is "viral".. now everything has to be "viral".. it has to go "viral" or it's a "fail". It's even in bold print on the front of this month's Reader's Digest. Why must we now say "viral" instead of "popular", "intriguing" or most accurately "compelling".. It's not a viral video, it's a video people are curious or compelled to see. It's like saying the color red is a virus because people choose to paint things red. A viral video would more accurately be a video recording that people go out of their way to avoid for fear of being infected with the graphic images. I haven't seen any videos of mass graves or child hunger "going viral".

"Take this offline" also caught me off guard.. so, if I click that link when the discussion tree depth maxes out, am I magically going to be sending the recipient an old-fashioned pen/paper written "offline" letter? If that link results in me transferring communications traffic over the network then it isn't really "offline" now, is it? Wouldn't it more accurately be "continue discussion privately" since it's obviously going to continue "online", just not "in the forums"? In the actually "offline" world, why must "after the meeting || outside the meeting" suddenly equate to being "offline"? That's really where language breaks my head. "anti-something" at least gives an idea of what to expect from it. It doesn't take a term from one skill topic and apply it to another skill topic completely inappropriately for the purpose of fluffing up the represented concept beyond its actual value.

Michael Kassner

If so, "Reload often, it helps analytics" is the new battle cry.

Michael Kassner

In learning something. You both should ask ten people (non-IT) what anti-virus software does and report back. I suspect, you both may be surprised.

AnsuGisalas

I swear that comment of yours wasn't visible when I posted mine, below... the oddities that we so laughably know as TR, huh?

AnsuGisalas

How does "anti-dandruff shampoo" work (if it works)? You "use it", and it "gets rid of the dandruff", right? Similarly, how does "anti-wrinkle cream" work (if it works)? You apply it and it gets rid of the wrinkles, right? See, I was applying the Whorfian notion of harmful semantic overflow from one field to another (one of his examples involves a "blower" erroneously installed to blow air into a fur-drying chamber, along with sparks born by a structural weakness... since it was a "blower", nobody thought to install it to "suck" the air through the drying chamber, which would have prevented a destructive fire). So, when people associate "anti X" with things that "get rid of X" by way of their static properties, then this can lead to a propensity to think that "Anti Virus" also has static properties that "get rid of Viruses". If the naming suggested a non-static property, a property that requires constant tuning, then more people would likely keep it updated. As it is now, they just think the updating is the same useless system-hogging "IT phone home" that all their crapware tries to pull too, all the time. So they turn it off.

Neon Samurai

There is virus software. There is Anti-virus software. The naming convention seems pretty clear on this one. The idea is absolutely to prevent viruses from running on one's system. We give up swaths of RAM to run on-access scanners. When a program runs or a file is opened, it first passes through the AV software. If malware code is detected it's normally cleaned or the file is locked and the user notified as to why. This is to prevent the detected code from getting far enough along to execute. Heuristics is a newer method of detection for those that don't have a known signature in the AV brand's data files. In this case, if it behaves funny, give it a time-out and call an adult. The use of signature files goes back to the beginnings when that was pretty much all one had to protect them. Be it the height of technology, slower speed of malware evolution or whatever. Signatures remain the basic scan now to catch what is clearly known; maybe they confirm heuristic detection or take pressure off the heuristic engine when it's not needed for detection. In terms of AV updates, this is more of a people problem. I can't blame an AV brand if the computer operator disables its on-access scanning. I can't think of an AV program that doesn't install with auto-update by default. Anti-malware apps are the one place I fully endorse auto-update. The problem is more so when people consciously stop updating the AV because a paid subscription has run out and they haven't bothered to renew or find a free alternative. Where I do see real shortcomings is in the need for such a huge AV industry and its being a competitive market. Except for computer based social engineering strategies, malware is really a proof of concept that something in the OS or exploited software is defective. It's a sign that the original vendor needs to fix the OS or application; it's broken by design or implementation error.
We should not be seeing malware remain effective with little more than subtle mutations to evade the known signature; we should be seeing the vulnerability it exploits fixed negating the whole strain. The competitive issue has more to do with AV companies and the AV market being competitive instead of cooperative. We shouldn't have several different caches of malware signatures; Norton's, McAfee's, F-Secure's. We shouldn't have different names for the same malware signature just because we've duplicated the work of discovering them for each competing AV brand name. If Norton discovers a new malware signature, McAfee and F-Secure should be sent a report. Make it like astronomy; we all share findings and agree on the same name for the same finding. The issue here now is that malware signatures are considered industry secrets or competitive advantages; this does not help the end user or further the goal of reducing unprotected hex. (always practice safe hex) Let AV companies compete on scanning engines or specialization in different types of malware if they want; stop competing based on harming users who haven't purchased your malware signatures. Have VirusTotal run a file through several scanning engines because they each specialize in clearly differently detected types of malware, not because they won't use a common repository of malware names/signatures needing several engines for the same method of detection. Now, not to be completely off topic, there is some whacky use of language and naming convention in IT; most industries really. I just don't see "anti-virus" as an oddly named software classification. (.. and I seem to have needed an AV effectiveness rant too. ;) )
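The signature points raised in this thread (a one-byte mutation slipping past an exact signature, competing engines naming the same sample differently, and an un-updated engine catching nothing new) can be shown with a toy scanner. This is an added illustration, not code from the article or any AV vendor; the sample bytes, engine names and detection names are all constructed.

```python
"""Toy signature scanner, constructed to illustrate the thread's points:
an exact-hash signature is defeated by a one-byte mutation, a looser
byte-pattern signature still matches the variant, and an engine whose
signature set is never updated detects nothing. All samples and
'engines' are constructed for this example; no real malware or vendor
data is involved."""
import hashlib

# Constructed, harmless stand-ins for a known sample and a mutated variant.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE: header|payload-routine|tail"
VARIANT = KNOWN_SAMPLE.replace(b"tail", b"tai1")  # one-byte mutation


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Engine:
    """One AV 'brand': its own signature set and its own naming scheme."""

    def __init__(self, name, hash_sigs=None, pattern_sigs=None):
        self.name = name
        self.hash_sigs = dict(hash_sigs or {})        # sha256 -> detection name
        self.pattern_sigs = dict(pattern_sigs or {})  # byte pattern -> name

    def update(self, hash_sigs=None, pattern_sigs=None):
        """A signature update: the only way this engine learns new threats."""
        self.hash_sigs.update(hash_sigs or {})
        self.pattern_sigs.update(pattern_sigs or {})

    def scan(self, data: bytes):
        """Return the detection name, or None (clean, as far as it knows)."""
        name = self.hash_sigs.get(sha256(data))
        if name:
            return name
        for pattern, name in self.pattern_sigs.items():
            if pattern in data:
                return name
        return None


def scan_all(engines, data: bytes) -> dict:
    """VirusTotal-style: run every engine over one file, collect verdicts."""
    return {e.name: e.scan(data) for e in engines}


def demo() -> dict:
    # Two competing engines know the same sample but name it differently.
    hash_only = Engine("EngineA", hash_sigs={sha256(KNOWN_SAMPLE): "A.Sample.1"})
    pattern = Engine("EngineB", pattern_sigs={b"payload-routine": "B/Generic.Sample"})
    stale = Engine("EngineC")  # installed, but auto-update turned off
    engines = [hash_only, pattern, stale]
    results = {
        "known": scan_all(engines, KNOWN_SAMPLE),
        "variant": scan_all(engines, VARIANT),
    }
    # Only after a signature update does the hash-only engine see the variant.
    hash_only.update(hash_sigs={sha256(VARIANT): "A.Sample.2"})
    results["variant_after_update"] = scan_all(engines, VARIANT)
    return results


if __name__ == "__main__":
    for case, verdicts in demo().items():
        print(case, verdicts)
```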

santeewelding

Put somewhere else, of a "turnstile", for controlled ingress and egress, was fitting. I snapped it up.

AnsuGisalas

It's a bearing wall designed to delay the spread of fire from one building to the adjacent building, and to tolerate the potential collapse of that other building. But it's very misleading in either case, after all, a firewall is - at best - a sieve or filter. It's not a "wall" and it doesn't "stop fire", either. Another bad one is "anti-virus"... it pulls on semantic strings that tell us "it prevents viruses"... but it doesn't, does it? Because it only works if it's updated, and then only against the stuff it's been told how to detect and prevent. That doesn't make it a "program that prevents virus infection - in general", rather it's a program that looks for certain viruses, specifically. People don't keep their AV updated because they think the updating accounts for maybe 10% of its efficiency - a little "extra"... they have no idea that it's actually close to 100% of its efficiency out the window without updates. Because they think it's a general "anti virus" program, and not a "recently discovered virus recognition program".

Michael Kassner

They are called firebreaks, according to my friend, an architect.

Neon Samurai

The car "firewall" is my understanding. But, isn't the hard wall between apartments and townhouses also a "firewall" (it sure is in practice if not in name based on how long I watched a housing development sit unfinished for lack of them between each unit).

Neon Samurai

Meant to watch it last night but last night was a work evening; got it running on the side of my work now though. "nuclear warheads rolled off the deck. All but eleven were recovered so that's OK then.".. hehe.. These guys got me hooked and I'm only fifteen minutes into the hour and a half.

aeiyor

Good Day all. AnsuGisalas (Re: A Hacker would want to break in...) I just realized as I was typing out my response to you that I already typed it out to Neon Samurai... Perhaps some things are just not explainable. So with that, I deleted it and am typing this one now. And changed the title. Consider it a Koan. Both what I entitled the subject and what I have written. Michael, My apologies that this has veered off - was just trying to explain something that I guess is unexplainable. Sincerely, Satori.

AnsuGisalas

just to see how it would work out, obviously. A cracker, who is a lazy, criminal slob out for easy money - would indeed just walk in.

aeiyor

Good Day All. Neon Samurai (Re: Topic of Interest) Yes you definitely must have gotten my point regarding my statements. I say this because in each of your brought up illustrations you've modified the circumstances of my example. Initially I thought you might not have understood me. And that is why I elaborated by examples. All of my points still remain valid. You've modified the parameters to say what if the person was a photographer - that does alter the way the outcome would be. You modified the parameter with if the person was a locksmith. Again my points were not about photographers or a locksmith. Rather focused on the point of breaking into an abandoned unoccupied house with a door that's broken and walls that are destroyed or missing -- access points exist everywhere.. why would a hacker break in when he can just walk in? My example of open source code (which is easily accessible): why would a hacker break the code when he can compile or decompile it at any given time without issue? I believe the underlying element here is the challenge. There's no challenge in breaking into an open house or abandoned house (with missing walls).. There's no challenge in breaking into code that you can just open. Sincerely, Satori.

Neon Samurai

To continue the broken building analogy; one person's trash is another's treasure. (Literally if one is Trashing. :D ) Perhaps the person is a lock hacker interested in the lock holding that door shut; it becomes about picking the lock and gaining skill and knowledge about it. Perhaps it used to protect a secure lab within the building so it's an interesting or obscure high security lock worth leaving in place to work on. Hacking is not exclusively "breaking into something" but creating or improving something by adding to it or the knowledge about it. That crumbling building may be of interest to a photographer doing urban decay shots. It could be urban explorers checking out the abandoned grounds. We really can't say "it's of no interest to Hackers because there is no security puzzle to play with." I could see folks showing up to climb the structures provided the building frame remained sound. (hopefully my first post didn't go through, making this a duplicate)

aeiyor

Good Day All. Neon Samurai, Very good points and well taken. When I wrote this I already suspected this may be a potential response to my posting. I was hoping my idea got communicated but had several things going on when constructing the response. So let me paraphrase a different analogy. Consider an old abandoned house that is breaking apart - some walls are missing, the doors are unlocked and perhaps even the lock is damaged. Most of the windows are falling apart or broken. My point is why would anyone want to break in, when they can just walk in? It's a common comedic act/theme whereby a person is trying to break down a door and their partner walks through an open wall to unlock the door and let the other partner in. Another similar thought is... there was a joke sent to me about a mechanic who was working feverishly to unlock the driver's door in a car so that a customer can drive away with their repaired vehicle. (The mechanic supposedly locked the keys in the car). The customer came over, saw that the window was open on one of the back seats, opened the door. Again, your points are well brought up and noted - I guess I just didn't provide the analogy to fully communicate that it was a moot point to break into something that had no security - nothing to hide. Sincerely, Satori.

Neon Samurai

Consider that cryptography of any value is produced in the open. An algorithm is not trusted until peer reviewed significantly without finding weaknesses. It remains under constant peer review. When it does start to show weakness, the cycle starts again with its replacement. It's all in the clear so why would anyone want to research ways to break it?
- reputation earned by being the cryptographer who found the fault and fixed it or who delivered the next algorithm that replaced it.
- improvement of the tool that the cryptographer relies on if it's a weakness that calls for a fix rather than a replacement.
- self satisfaction of furthering a field of study one is interested in
- money if it's a work placement or "find our faults" contest maybe?
Much of this applies to OSS development also. Why would Hackers be interested? It was probably software Hackers who wrote the program in the first place. They were interested in solving a problem they had. Maybe they joined later in the project because it could be extended to solve a problem they have now but the original software Hackers didn't have at creation. They may want to find and fix bugs to improve a tool they use. A lot of vulnerability research seems to be done through binary analysis; download source, compile, analyze just like one would analyze closed source software. The real value in the source being openly available is that, once finding a vuln, one can see the source and suggest an appropriate patch; it's the icing after the cake is eaten. Part of the Hacker mentality is the compulsion to solve problems in your areas of interest; bugs are problems in open source just as much as in closed (they're just addressed faster by FOSS on average). With FOSS and greater Hackerdom you're dealing with a gifting society or information economy versus a financial economy and seagull society ("mine.. minemine.. mine.. mine, mine").
One's value grows through sharing knowledge rather than hoarding green pieces of paper and digital watches. (** cookie for the nerd that names both movies) The Hacker is going to find and fix faults in OSS source to improve it, build reputation, learn from it or whatever. The superficial symptom is the desire to fix it though. Security hackers research security, pentest (if lucky enough to get that job) and such to find weakness so it can be addressed improving the overall system. They want real security not theatrical spectacle. Non-software/non-security Hackers probably have little interest but you'll see those same motivations, compulsions and such applied to their area of interest. "breaking open source" could also suggest criminal intent. On that side of things, you're no longer dealing with Hackerdom. A criminal's motivation is probably financial and exploiting vulnerabilities in software becomes a stepping stone; the goal is not to find and fix software weaknesses but to get the money the software happens to manage in some way. The criminal is after an end goal which the software enables or challenges else they wouldn't be looking at the software at all; they'd instead look at an easier existing way to achieve the goal. Once you include the criminal element, the focus becomes if the Hackers can find and fix weaknesses faster than criminals can find and exploit them; historically, the software and security Hackers in the FOSS community have managed pretty well. (neither side will ever have a perfect score in this game though)

Michael Kassner

"Don't mess with my stuff", has been around a long time.

aeiyor

Good Day All. Michael Kassner, You're very welcome and thanks for the compliments. You know a few things I pondered with the nature of security. Someone pointed this out in a later post involving locks and honest people. I recall hearing the variation about laws. Laws are noted to keep honest people honest - an interesting conundrum. And my view... Laws punish honest people as criminals have ways to get beyond them. The curious thing that I pondered is.. what is there to secure when the items aren't valuable or don't hold any meaning. Likewise what would a hacker be interested in, say, breaking in open source software? It's another kind of curious conundrum. What law is broken when a person breaks into an open field or park - universally accessible 24hrs/7days a week? What would you charge a thief that steals used unwanted trash? The premise behind security is the protection of valuables, property from the misuse or abuse of people that aren't the owners. I was wondering what would happen if we changed the perspective. What if we never owned anything and the worth of something was based entirely on its immediate utilitarian usage at the given moment and time. Respect was a commonly understood and applied thing versus a rarely used consideration or commodity. I know... Utopiaville. But other crazy ideas have lived and come to pass in fruition. Sincerely, Satori.

AnsuGisalas

yes, there will be that signature. It's scary and exciting, that realization that "Kilroy was here".

AnsuGisalas

Like, say, Hamlet the fool, or Claudius (of I, Claudius), two very dangerous men, one malign, one maybe less so. The jester is a fool that's been outed and subjugated, so to speak. Specifically; take a look at the major arcana: The fool is the void of mind... now the void is a very powerful place. From the void one can act without tells, unpredictably. Others will see only chaos... but that doesn't preclude purpose.

Neon Samurai

or the more modern usage of "fool" meaning weak minded. I hadn't heard the usage in terms of Loki before.

AnsuGisalas

That's not the same as an idiot. The fool holds the ancient role of the trickster, tripping the mighty into the mud puddles. Keeping the mighty from forgetting their limitations. The fool must be wise, otherwise - how could they succeed? So hacker - heckler?

Neon Samurai

I can see both the fool and the wiseman. I'd agree that Hackers fall close to a hybrid of the two; the fool's impulse guided by the wise man's experience. A fool will push the button over and over for lack of any other idea. The Hacker will push it once to see what happens, then push it a hundred times as fast as they can to see if it responds different, then move on to something else unless an interesting response came back. I've heard it also explained as children's thirst for learning. We are all born Hackers by necessity. The world is a blackbox which we must discover through trial and error. People seem to either retain that mentality growing into Hackers (whether they self identify or not) or they out-grow it (have it beaten out of them by modern education systems). With holistic learning, I'd agree to the point of reading the available text books and relevant manuals but I think the environment those are often delivered in does more to detract from them. I read text books of interest for fun but you couldn't bribe me to do my high school homework back in the day. For me, it's being a survivor of the education system not a product of it. Our education really does all it can to beat creativity and Hacker mentality out of us. It's not about creative problem solving but conforming and regurgitating test answers. The first time I stumbled into a self-directed learning based school I was dumbfounded; where was this kind of education approach when I was bored to tears by learning if() logic for the fifth time while still in the high school grades? I just finished the link Michael offered (now into the USENIX "advanced persistent threat" talk. :D ) and it's well worth the hour and a half also. That one's going straight into my required watching list. If you haven't, be sure to grab it also. You'll also find some gold if you check out the other HOPE conference websites for talk recordings; H2K, H2K2, The Last Hope, The Next Hope.
I think only HOPE1 is missing and HOPE2 is RealAudio format. Happy Hacking.

aeiyor

Good Day All. Though this is mainly a reply towards Neon Samurai, it's offered freely for everyone to peruse. Neon Samurai, First thanks for the response/reply back. Yes I am in agreement with you about the persistence - it's partly in lieu of the fact that one has a tenacious nature to get to the end result - whatever means is required and can be done -- will be. I attribute it to the nature of being like water - in the confrontation of most substances - water is known for its ability to yield yet it has the universal ability as a solvent. So in the face of various earthen structures - water will almost always win. The characteristic of it is its relentlessness to engage the wear and tear effect. Also fantastic analogy about the usage of failure... in many ways it's like the end result gets even better with each failure. And as for the archetype, yes there really is one that applies and it's the FOOL (and possibly the WISEMAN) ... but the difference between a Fool and a Wiseman is that the Fool rarely ever learns and often is noted for repeating the same mistakes - while the WISEMAN does learn and attempts other things to learn from. YET the notable characteristic of the FOOL is there is a willingness to try anything and everything presented to them - even in repetition. I would probably then say that a Hacker is a hybrid of the Fool and the Wiseman. (Re: Rambling) - I didn't consider any of it rambling as it is all pertinent to the subject matter in my view. At least from my understanding. (Re: Hacker Attributes) Do you like to understand things down to minute detail? Yes.. technically both.. I like to see things in macroscopic and microscopic and in between levels. Do you value hands-on experience above book learning? Actually I like a holistic learning approach, which means putting to use not just hands-on but reading, dialogue, auditory, etc.
Do you value sharing what information is yours to share and helps others build on your discoveries as you've built on those before you? Yes I am a staunch advocate to share information and communicate. Communication is one of the most powerful tools out there as it helps expand and integrate knowledge as well as being able to enhance understanding. Also one of the reasons why I am a strong proponent of Open Source. I believe the more knowledge and information related, the greater discoveries are made. The only thing left is to eliminate copyright laws as those are really based on financial profit but then I am proposing the resource basis of economics. I don't mind authorship to denote ownership of an idea or new thought -- but the profitability of it seems really rudimentary compared to the overall gain by the knowledge's application and free utilization. Do you believe that your area/areas of interest can change the world for the better? Yes... but not in any predefined expectation or perspective -- often ideas and new ways of doing things impact society and environments in such radical ways that the foresight is not possible. To quote... "Having multiple topics of interest probably makes you more a Hacker rather than less; it shows an inquisitive mind hungry to learn and cross-reference experiences. It just might mean you're not only a security Hacker or a software Hacker or a political Hacker (B Franklin). You definitely have tinkering and jury-rigging (not in the legal sense?) in common with Hackerdom going all the way back to Benjamin Franklin and earlier...." This is one of the contributing factors of why I entitled my response: "Guilty as Charged - Hackers R' Us." Yes my mind is very voracious with knowledge, information, wisdom. -- The Library is my second home. The bookstore is my huge hole in the wallet..(as are MANY other media stores)..
recently I have engaged in a project to convert ALL my books/periodicals into digital versions for conservation of real-estate. Further quote: (It's deep irony that the US was founded by Hackers based on Hacker ethics and now what category of self directed compulsive learners is vilified in US public opinion?) Unfortunately your statement is true from my perspective. A lot of irony... another.. fight terrorism by applying terroristic tactics to your society for control and manipulation -- isn't fear a powerful tactic? Thanks for the "Zen of Hacker" links.. will peruse when home. Sincerely, Satori.

Neon Samurai

Based on my two minutes with the homepage, they look to be cryptography experts rather than penetration testing company facilities/networks under contract. Having done my two years now with a security related title, it's time to write the CEH, get my butt to the monthly TASK meetings and figure a way to get side jobs (if only on small targets within to build experience outside of the limited sites I have permission to play on now). The interest in working with a company that does this is mentoring and the increased rate of learning when working with other security nerds on the same target. I'm good at the tech and learn it quick but I suck at the business side. It's the business side you need to get into the tech part though.

Michael Kassner

I had thought Communications Security Establishment Canada is similar to VAT?

Neon Samurai

Sure like to see a list of Toronto based companies in the business. Seems I'll be attending the monthly TASK meetings.