Posts tagged ‘computer security’

Sony Rootkits, round 2

You may remember in November 2005 when I wrote about [1] the Sony/BMG rootkit scandal. To summarize: they put software on their music CDs that, when run in a computer, automatically installed files you couldn’t detect (this was the rootkit part) that acted a lot like malware, and screwed with your CD-ROM drivers so that if you tried to uninstall it, you could no longer use your CD-ROM drive. The intended purpose was to run DRM software that kept you from copying your CDs, and to hide this software so you couldn’t uninstall it. However, the rootkit could also be exploited by others, so that any malicious software (if installed in the right place) would go completely undetected by any antivirus program you might be running. It was nasty stuff. Sony eventually recalled the CDs and offered to give out software to remove the rootkit if you gave them your name, address, phone number, and a bunch of other information. In the meantime, the FTC ruled that the software was illegal, and Sony paid out millions of dollars in class-action lawsuits.

Why do I bring this up, I hear you ask? Well, it seems that Sony can’t let this idea die: earlier this week it was revealed that Sony is trying a similar thing with their new USB flash drives. Again, this software automatically installs a rootkit on your computer, and again this rootkit can be easily exploited by any other software to hide files on your machine. I suspect this will end similarly, with a recall and a class-action lawsuit, assuming this gets as far in the media as the last rootkit did (I hope the media picks up on this).

I remember back in the day when Sony was a great company, and I really liked them. Things seem to have changed significantly since Howard Stringer became CEO of the company (which happened about 9 months before the first rootkit scandal was born). These days, I’m really dismayed with them. I’m now going to start boycotting Sony products (which shouldn’t be too hard, since I don’t buy much from them anyway).

[1] Only half the links in my old post still work. Sorry about that. Does anyone have any good ideas for how to avoid this problem in the future?

Adobe PDF exploit

There is an exploit in the Adobe PDF plugin for web browsers. Adobe has already fixed the vulnerability, so you should all update your plugins. This vulnerability affects users of Internet Explorer and Firefox, on Windows and Linux (and any other browser/OS combination that uses the Adobe plugin).

Protected: Adobe PDF exploit: trusted friends version


Protected: Web Security Lessons: Cross-Site Request Forgery


For all you computer security types

I’m sure all the CS people reading this (and maybe even some of the non-CS types!) are familiar with buffer overflow attacks, and know how to both protect against them and exploit them in other people’s code, or at least have a vague idea about how to do it. However, fewer people have heard of format string attacks. Here’s a fairly detailed explanation, but I’ll summarize:

If, in your C or C++ code, you write printf(foo) (where foo is typically a const char*), it will just print foo to the screen. The one exception is when foo contains a percent sign: each % conversion makes printf consume an argument that was never passed, so it prints whatever happens to sit in the next argument slot on the stack. If there are more %’s in the string than there is other data between those slots and the buffer holding foo, the conversions start reading out the bytes of foo itself. If foo came from a clever yet malicious user, they can craft strings that do nasty things to your program. Most importantly, they can read from memory (using %08x) and even write to it (using %n) at locations of their choosing. Given that, they can pretty much do anything they want on your machine. Nifty!

The simple and obvious way to avoid this attack is to change all instances of printf(foo) in your code to printf("%s", foo) instead. The less obvious but much better solution is to not code in C or C++ ever again, and instead use a modern, high-level language like Python or Java (or if you’re Michael and worry about the speed of your program, use an actual low-level language like Assembly).
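To make the fix concrete, here is an added C example (not from the original post) that puts the vulnerable pattern next to the hardened one and adds a small boundary check. The function names (render_vulnerable, render_safe, safe_roundtrips, vulnerable_roundtrips, count_conversions) and the sample strings are my own; the compiler detail is real: gcc’s -Wformat-security warns on a non-literal format with no arguments, and Ubuntu’s gcc turns that warning into an error by default, which is why the vulnerable function needs a pragma just to compile.

```c
#include <stdio.h>
#include <string.h>

#define OUT_SZ 128

/* "Before": the untrusted string IS the format string.  gcc -Wformat-security
 * flags this call, and Ubuntu's gcc refuses to compile it by default
 * (-Werror=format-security); the pragma silences that only so the pattern can
 * be shown next to the fix.  Calling it with input containing '%' is
 * undefined behaviour, which is exactly the bug. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_vulnerable(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, user_input);
}
#pragma GCC diagnostic pop

/* "After": the format is a literal and the untrusted string is only an
 * argument, so "%x" or "%n" inside it are copied through as plain text. */
static int render_safe(char *out, size_t outsz, const char *user_input)
{
    return snprintf(out, outsz, "%s", user_input);
}

/* Returns 1 if the safe renderer reproduces the input byte for byte. */
int safe_roundtrips(const char *user_input)
{
    char out[OUT_SZ];
    render_safe(out, sizeof out, user_input);
    return strcmp(out, user_input) == 0;
}

/* Same check through the vulnerable path.  Only meaningful for input with no
 * '%', where the two paths happen to agree; anything else is undefined. */
int vulnerable_roundtrips(const char *user_input)
{
    char out[OUT_SZ];
    render_vulnerable(out, sizeof out, user_input);
    return strcmp(out, user_input) == 0;
}

/* Defensive boundary check: count conversion specifiers in a string that is
 * about to reach a legacy API you cannot change.  "%%" is a literal percent
 * and does not count.  A non-zero result on user input is worth logging. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" -> skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs, not from any real program. */
    const char *samples[] = { "hello", "%x %08x %n", "100%% done" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s conversions=%d safe_roundtrip=%d\n",
               samples[i], count_conversions(samples[i]),
               safe_roundtrips(samples[i]));
    return 0;
}
```

The point of safe_roundtrips is that "%x %08x %n" comes back unchanged through the literal-format path; the same string through render_vulnerable would instead consume three argument slots that were never passed, and the %n would write to memory. count_conversions is the kind of check you bolt on at an input boundary while you track down every printf(foo) in a codebase; the real fix is still the "%s" form above (or compiling with -Wformat=2 -Werror=format-security so the vulnerable form cannot build).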

DEFCON summary

Coming back from DEFCON, I felt like Jack, coming down the beanstalk to announce that “there are giants in the sky! There are big, tall, terrible* giants in the sky!” I was introduced to a whole new world with new ways to look at everything. I had no idea most of that stuff was out there and accessible to me. Everyone seemed more knowledgeable about every single topic, but it was exhilarating to see it all.

I met up with Matt, Dan, John, Eric, and two guys I hadn’t met (Chris and Andrew) in Vegas, and we all shared a room intended for 4 people. The first day, everything was delayed by 2 hours because the fire marshal forgot to approve our convention, or something. After that, however, there were talks running continuously from 10am until midnight (yes, you had to miss some talks if you wanted to eat meals). Although most of the stuff was about computer security (hex editors, phishing, the EFF, RFID spoofing, database rootkits, etc) there was a surprising amount of (non-computer) security stuff there too (lock picking, safe cracking, neurolinguistic programming, etc). There was also some (non-security) computer hacking stuff: hard drive repair, steganography, fuzzing, extreme programming, autonomous robotic BB-guns, the list goes on. Late at night, we went to the Hacker Jeopardy sessions. I’m now inclined to say that all game shows would be more interesting if they had strippers.

Here are some more highlights:

  • Dan Kaminsky (who is the hacker version of Judiciary Pag), gave an amazing talk about…um…everything. SSL, security problems with DNS, visual bindiffs, security problems with online banking. He’s incredibly relaxed, yet brilliant. His work is amazing, and he drinks beer throughout the talk. In fact, at the end during the question and answer part, he gave me a beer for suggesting the visual bindiff can be used to find duplications in your code! Usually I don’t like beer, but this one kind of tasted like victory. \/\/00T!
  • I got to talk to and shake hands with Cindy Cohn, director of the EFF. This was pretty special for me, because they’re one of the greatest organizations I can think of.
  • Lots of people were doing crazy hacking in the hotel: pay phones went missing. One of the elevators I rode in had the emergency phone open, and some guy karaoking Sinatra tunes out of it at us. Someone even managed to hack the Hacker Jeopardy display system during the game itself.
  • In theory, I learned how to pick locks (both normal picking and bump picking) at the Lockpicking Village. The weird thing was that they had a lockpicking contest, and apparently an 11 year old girl did rather well in it.
  • They have a Spot The Fed contest every year, where you try to find out which other conference-goers work for federal agencies (DoJ, FBI, USPS, Marines, Washington DC meter maids… any federal employee will do). This was pretty fun to see, but one story will always stick out: a woman brought a man up on stage and claimed he was a fed. She said she knew this because the night before, they hooked up, got drunk, had sex, and while he was asleep she went through his stuff and found his badge.
  • There were several games of a unique form of capture the flag going on: on the network was a computer with several security problems purposely put into it. The object of the game was for teams to hack into the box and then keep everyone else out. Not exciting to watch (just a bunch of people busily typing on their laptops), but a fun concept anyway.
  • I saw the wall of sheep, which is a computer with a packet sniffer and data mining system on it. It searched the network for unencrypted usernames and passwords, and then projected them up on the wall. A good reminder of how insecure most websites are.

So, DEFCON wasn’t as good as AAAI was, but I still had a great time and got my money’s worth. I’m not yet sure if I’ll be back next year, but I’m glad I went once. As the EFF panel mentioned, it’s really the only conference where the invited speakers can show up for the earliest talks at 10:00, unshaven, hung over, and still get a warm reception.

*Terrible: extreme in extent or degree; intense