Interesting Stuff

First off, Flash is vulnerable to by far the most awesome hack I’ve ever seen (there’s also a good summary of that paper). The attack has several different steps with integer overflows and failed memory allocations, but the heart of the matter is that the Flash player uses a 2-step process to validate that the code it’s running is probably safe, and this exploit changes the representation of the code in between the two checkers (it marks more of it as a no-op, so the second checker ignores the code with the exploit in it). This attack is awesome enough that it can carry out its task without disrupting the Flash player, so an unwary user will be none the wiser. and since there’s basically only one Flash player out there, every version of Flash is vulnerable. Yes, on Windows and even on Windows Vista despite their added security systems, as well as in principle on Linux and Mac. Yes, in both IE and Firefox (and presumably Safari also). This is yet another reason to install NoScript and FlashBlock on Firefox, so that sites cannot use Flash unless you give them permission. This is also another reason why standards should be open, so we can have more than one implementation of the Flash player, so not everyone will be vulnerable when something like this comes along.

The second hack I recently read about comes from Defcon celebrity Dan Kaminsky, who recently showed a very dangerous exploit that makes use of the way many ISPs these days turn DNS errors into pages of ads. This practice breaks the Same Origin Policy, so that your browser trusts these pages as though they came from the actual domain you typed in. To give an example, suppose I have an account with Bank of America and I go to ww.bankofamerica.com. Ordinarily, I’d get a DNS error. However, with certain ISPs these days, I would instead get a valid webpage saying the site doesn’t exist, but here are some ads instead. However, my browser asked for a website from bankofamerica.com and got back a website, so it trusts that it came from the bank. Consequently, it trusts the site with any cookies I have from BoA (these cookies are how BoA knows which account I’m logged into). If someone can put an XSS attack on the ISP’s ad injection system, they can grab my cookies and log into the bank as me. Yes, the bank can defend against things like this, but it’s an unusual enough hack that many companies aren’t defending against it. So beware, and if your ISP is doing this (for instance, if ww.bankofamerica.com returns a valid website), opt out of it! In addition to exposing users to this sort of attack, these ad injection systems often break DNS, which in turn breaks non-HTTP error handling (for instance, I could not VPN into work until I opted out of my ISP’s version of this crap).

I often listen to the radio station 93.1 JACK FM, which plays a lot of kinds of rock. In Las Vegas, however, 93.1 is The Party and plays dance music. Driving from one city to the other, there was a part in the middle where I could pick up both stations, which was pretty strange. I only got one of the stations at a time (with intermittent static), but they would switch off. I believe that when driving uphill I could get the Las Vegas station, but driving downhill I picked up the Los Angeles one. Can any physicists/electrical engineers explain why this might happen? It sounded like a bad DJ with poor taste was trying to make a remix of Independent Woman by Destiny’s Child and Poison’s Once Bitten, Twice Shy. It was bizarre.

I spent a lot of the trip on a two-lane highway through the desert, stuck in all the traffic commuting from Las Vegas back to Los Angeles. The heavy traffic displayed an unusual phenomenon, however, which I found fascinating. All of the trucks were in the right lane, as is their custom. All of the speed demons were in the left lane, as is theirs. However, due to the heavy traffic, no one was going much more than 20 mph at the most. However, the trucks, which, due to their weight, had trouble accelerating and decelerating, were trying to stay at a constant speed: they would keep a lot of space in front of them, and close this gap when the traffic in front of them slowed down (and then increase the gap as the traffic sped up). The left lane, however, vacillated between going 40 mph and being at a standstill. After the traffic in front of a car picked up, however, it would take a moment for a car to pick up and start moving again (the same problem the trucks would have had, but on a smaller scale). Consequently, the right lane, with its slow-but-steady trucks, was actually moving faster than the zippy sports cars in the left lane. I noticed this, switched to the right lane, and was amazed at how quickly I passed cars in the other lane: 4 of them would pass me, then their lane would come to a stop, and I would pass 10 of them, and this cycle repeated through the whole desert.

This behavior reminded me of Robert H. Frank’s book, The Economic Naturalist. In it, he applies economic principles to non-economic parts of life to make sense of the world around us. He describes many situations in which a certain behavior gives an individual a benefit but detracts from the group as a whole. For instance, male elephant seals compete for dominance in their territory, and then mate with the females in the area. Typically the larger male wins any dispute over territory, so the males have evolved to be larger and larger over time. They have now gotten so big that they must mate on their side, since a male would crush a female if he tried to mount her. The cars in the left lane were another example of the tragedy of the commons, and I was proud that I recognized and avoided the situation.

This weekend I went to Defcon 0xF with psifer and inferno0069, and it was a blast.

• I stopped at Arby’s for lunch on the way there. I wanted two roast beef sandwiches and a small fries, the total of which came to $7.63. I then looked at their menu, and saw they still do the “5 items for $5.95” thing. So I canceled my original order and instead got two roast beef sandwiches with cheese, a medium fries, potato cakes, and a small shake. My new total: a mere $6.44. I ate about half this food, and threw the rest out. This doesn’t seem like a good business model to me, since I’m giving them less money and taking more of their food (half of which was wasted).
• On the way there, I passed the exit for Zzyzx Road. I also drove past signs for Death Valley, which was kinda cool.
• In order to raise money to help combat AIDS in Africa, the Hacker Foundation was selling red T-shirts which said
  

  HAXO(RED)

  on the front. I wanted to get one, but they were already sold out of my size. Another shirt was too nerdy even for me: it read “chown -R us ./base” Dorks!

• I became a member of the EFF! They had a wonderful panel that covered all kinds of things they’re doing. Unfortunately, this weekend a new law was passed that makes warrantless wiretapping legal, which is something the EFF has been fighting since 2005. I’m not sure how this will fit in with a ruling last year that said that warrantless wiretapping is unconstitutional, but this is certainly a dark day for freedom.
• I watched macdaddyfrosh, mtbg, and magicpacket valiantly lose at Hacker Jeopardy. but I won a T-shirt from Hack A Day.
• Mike Andrews was there incognito, but I recognized him and talked to him for a bit. He might come to give a talk at my office at some point.
• I entered the lockpicking contest and picked 15 of the easier locks (so I finished the contest in the middle of the pack with 71 out of ≈300 points). I’m pretty proud of myself, since I had never picked a lock with “real” tools before the con (though I have raked Masterlocks with a safety pin and street sweeper bristle).
• Bruce Schneier held a Q&A session! That’s right: Bruce “I am a security fucking god” Schneier. [1] It was as amazing as I had hoped. That guy is so cool. I should point out that his blog has an RSS feed on LiveJournal, to which you can subscribe.
• There were several talks this year discussing the influence the hacker community has on mainstream perception of stuff, which was pretty cool. Besides the annual “internet wars overview,” there was a talk which reviewed the recent cyberwar waged against Estonia by the Russian mob. DarkTangent himself (creater of both Defcon and the Black Hat security conventions) gave his account of the infamous Ciscogate scandal. Jennifer Granick (author of that article) also gave a talk about legal case studies; she is leaving her work at Stanford next month to join the EFF. There was also a talk about the effect that the locksport community has had on improving lock mechanisms.
• There were so many amazing talks, I’m not going to discuss them all. but here’s a list of some of the cooler topics that were discussed: encrypted VoiP clients, timing attacks for botnets, digital forensics, social engineering and NLP, stopping jerks online, the basics of hardware hacking, and XSS in social networks.
• Michelle Madigan was found to be an undercover reporter (link includes video of the incident) with a secret camera. She was outed from the conference. I wasn’t there when she was caught, but I did hear about it later that day. Press at Defcon are fine when they wear their press badges, but Michelle was apparently trying to covertly get anyone at the con to admit to a felony on her secret camera so she could do a shock report on the horrible, criminal hackers at the con (I don’t think there were many criminals there, but some reporters seem to have a penchant for fabricating stories/threats to get ratings).
• I saw an OLPC XO-1 (more information on Wikipedia). It’s smaller than I expected, but the keyboard is child-sized, which makes sense. The screen is very readable (but very small). The touchpad/stylus area is pleasantly large, though.

[1] Yes, he’s so awesome that even his tmesis gets tmesis. [2]
[2] I admit, I’ve been looking for an excuse to use the word “tmesis” for a while now.

Coming back from DEFCON, I felt like Jack, coming down the beanstalk to announce that “there are giants in the sky! There are big, tall, terrible* giants in the sky!” I was introduced to a whole new world with new ways to look at everything. I had no idea most of that stuff was out there and accessible to me. Everyone seemed more knowledgable about every single topic, but it was exhilerating to see it all.

I met up with Matt, Dan, John, Eric, and two guys I hadn’t met (Chris and Andrew) in Vegas, and we all shared a room intended for 4 people. The first day, everything was delayed by 2 hours because the fire marshall forgot to approve our convention, or something. After that, however, there were talks running continuously from 10am until midnight (yes, you had to miss some talks if you wanted to eat meals). Although most of the stuff was about computer security (hex editors, phishing, the EFF, RFID spoofing, database rootkits, etc) there was a surprising amount of (non-computer) security stuff there too (lock picking, safe cracking, neurolinguistic programming, etc). There was also some (non-security) computer hacking stuff: hard drive repair, steganography, fuzzing, extreme programming, autonomous robotic BB-guns, the list goes on. Late at night, we went to the Hacker Jeopardy sessions. I’m now inclined to say that all game shows would be more interesting if they had strippers.

Here are some more highlights:

• Dan Kaminsky (who is the hacker version of Judiciary Pag), gave an amazing talk about…um…everything. SSL, security problems with DNS, visual bindiffs, security problems with online banking. He’s incredibly relaxed, yet brilliant. His work is amazing, and he drinks beer throughout the talk. In fact, at the end during the question and answer part, he gave me a beer for suggesting the visual bindiff can be used to find duplications in your code! Usually I don’t like beer, but this one kind of tasted like victory. \/\/00T!
• I got to talk to and shake hands with Cindy Cohn, director of the EFF. This was pretty special for me, because they’re one of the greatest organizations I can think of.
• Lots of people were doing crazy hacking in the hotel: pay phones went missing. One of the elevators I rode in had the emergency phone open, and some guy karaoking Sinatra tunes out of it at us. Someone even managed to hack the Hacker Jeopardy display system during the game itself.
• In theory, I learned how to pick locks (both normal picking and bump picking) at the Lockpicking Villiage. The weird thing was that they had a lockpicking contest, and apparently an 11 year old girl did rather well in it.
• They have a Spot The Fed contest every year, where you try to find out which other conference-goers work for federal agencies (DoJ, FBI, USPS, Marines, Washington DC meter maids… any federal employee will do). This was pretty fun to see, but one story will always stick out: a woman brought a man up on stage and claimed he was a fed. She said she knew this because the night before, they hooked up, got drunk, had sex, and while he was asleep she went through his stuff and found his badge.
• There were several games of a unique form of capture the flag going on: on the network was a computer with several security problems purposely put into it. The object of the game was for teams to hack into the box and then keep everyone else out. Not exciting to watch (just a bunch of people busily typing on their laptops), but a fun concept anyway.
• I saw the wall of sheep, which is a computer with a packet sniffer and data mining system on it. It searched the network for unencrypted usernames and passwords, and then projected them up on the wall. A good reminder of how insecure most websites are.

So, DEFCON wasn’t as good as AAAI was, but I still had a great time and got my money’s worth. I’m not yet sure if I’ll be back next year, but I’m glad I went once. As the EFF panel mentioned, it’s really the only conference where the invited speakers can show up for the earliest talks at 10:00, unshaven, hung over, and still get a warm reception.

*Terrible: extreme in extent or degree; intense

In about 15 hours, I’m getting on a plane to go to Las Vegas for DEFCON! After it is over, I’m driving to LA with some former Mudders, and getting a new life. The next time I update this journal, I should have a new address, a new cell phone (my first ever! the last of the cell-less ranks are falling, my friends), and possibly a new car. To keep you entertained in the meantime, go watch what I think is the greatest animutation ever (click the “watch this movie” link).

Until we meet again…

The schoolyear is now over, and although I didn’t finish everything I wanted to, enough got done. I graduated, and the ceremony was alright, all in all. The most amazing part, in my opinion, was at the very beginning. We were all dressed in our caps and gowns and medals, and started to walk down to the tent near the library where the real ceremony was, and all of the profs lined up on either side of the street and applauded for us as we walked past. Cheezy as it sounds, it practically brought tears to my eyes. The rest of the ceremony was uneventful; the usual fare but with an exceptionally boring speaker (that is to say, Prof. Platt gave a boring history of the college without anything related to graduation, advice for the future, or anything any of my classmates and I could actually use or learn from. Libby’s speech, on the other hand, was fantastic). We had dinner at Buca’s with the Panishes, the Harrises, the Couplands, and Kevin.

By the way, if you didn’t know, my brother is going to go to Mudd next year. This is going to make my visits as a sketchy alum a little bit weirder. We’ll see how that turns out.

I’m now back in the Twin Cities, and I already really miss Mudd. Although it’s certainly nice to see some of my friends from the area, all the really interesting ones seem to still be off in Texas/Iowa/Illinois/elsewhere. The company here is enjoyable but not at all intellectually stimulating, and I’m beginning to find myself bored in their company. Have I really changed that much in the past year? We’ll see how the summer progresses; perhaps this feeling will pass.

As for my overall plans this summer, they’re already starting to fall apart. I am definitely going to DEFCON, but I’m almost positive I will not get to AAAI this year – it’s a bit expensive without getting a college/company/etc to pay for you. Including travel, lodging, and admission, AAAI adds up to ~$1000, while DEFCON, in contrast, shouldn’t be much more than $200.

I had also hoped to learn a bunch of TeX and do some crazy TeX programming this summer. Although this is still doable, my computer (which I thought I was bringing home) is now in storage out in California, so I’m stuck on a Windows box with none of my previous code for a few months. I had the foresight to put all of the TeX, LaTeX, and AMSTex manuals on my CS account so I can still get to them, but I need to first learn about TeXnicCenter. I’ll get to it eventually, but the going right now is a lot slower than I expected.