Conducting Password Splicing Attacks With oclHashcat-plus

2012-01-19 00:01:12 by chort

A coworker once told me he imagined immigration officials handing Chinese immigrants two bags with slips of paper, asking them to pick a paper from each bag and put them together to form the name of their restaurant. This is how he imagined names like "Green Dragon," or "Golden Lotus," or "China Garden" got created. While it might not be a very accurate way to describe culinary establishment marketing, it is similar to how many users choose passwords. I'm calling this method the "Chinese Take-out Attack."

Read the rest of this story...

Why the SOPA/PIPA Protests Worked

2012-01-18 22:53:40 by chort

While we all wear our arms out patting ourselves on the back for the remarkable changing of tides today, let's not forget why the website blackouts actually worked: Because of the massive number of phone calls to senators and representatives. You can whine on Facebook and change your Twitter profile picture all you want, but no one in Washington D.C. will ever notice that. When a massive number of people jam phone lines and overflow voicemail boxes, THAT gets their attention. If you haven't called your senators and representative yet, your job is not finished. Make sure you call all three before the PIPA vote on January 24th.

Make no mistake, this war isn't over. The MPAA and RIAA will come back over and over again, in sneakier and sneakier ways. It costs them a lot less money to buy congresspeople than it does to take risks by investing in new business models. This is why I'm proposing another course of action: Defeat Lamar Smith in the next election. I made a promise today on Twitter to contribute the maximum legal amount to a candidate with a legitimate shot to defeat Rep. Smith, and I intend to follow through. We need to send a message that not only do we get pissed off when businesses buy laws, we don't forget who facilitated them.

We can't afford to financially assail every pro-SOPA/PIPA congressperson up for reelection, but we can make life miserable for one of them. Rep. Smith has been the most visible and the least rational MPAA/RIAA cheerleader, accepting all their propaganda verbatim, without any attempt to question it. This deliberate anti-intellectualism (blocking network architects from even testifying on the ramifications of proposed legislation, and dismissing all amendments without consideration) needs to be punished. It's not OK to legislate out of ignorance. The citizens of Texas should be ashamed of putting this man into office, and they certainly shouldn't keep him there.

Even if you read this months after the posting date (January of 2012), it's almost certainly still relevant. Big, old corporate interests are still going to be attempting to legislate away any competitive or disruptive market forces, to protect their obsolete business models. Educate yourself, fight back. If you somehow came to be reading this blog post and have no idea what I'm upset about, here are some references.

EFF action site for SOPA/PIPA.
Long history of content industry takedown powers abuse.
A technical examination of SOPA and PROTECT IP.
Statement by several brilliant, well-known artists against SOPA/PIPA
What Joe Brockmeier wishes sites were saying about SOPA/PIPA.
Learn about corporate money's corrupting influence (and what YOU can do).

Free Advice for the DHS

2012-01-17 10:46:51 by chort

You may be aware that the DHS are now sending (opt-in) "Daily Cyber Reports" to IT and security practitioners. The stated purpose of the reports is "to facilitate a greater understanding of the nature and scope of threats to the homeland." I wonder if they're aware of the threat they're creating by teaching people to open PDF documents from unauthenticated email? Well they have no excuse now, because I told them. Here's a copy of the email I sent them on the topic.

1.) Create a DKIM record for hq.dhs.gov and use it to sign the headers of the email, so recipients can verify it was really sent by hq.dhs.gov, rather than a phishing site.

2.) Publish a public key for OSINTBranchMailbox [at] hq.dhs.gov on a website that has a DNSSEC-signed record.

3.) Use the private key (GPG or S/MIME) to sign messages sent from OSINTBranchMailbox [at] hq.dhs.gov.

4.) DO NOT INCLUDE ATTACHMENTS, unless they are plain text. Training users to open Adobe and Microsoft documents is the worst thing you can do, when most compromises are initiated with poisoned Adobe or Microsoft documents.

5.) Host the Cyber Report on a website that has a DNSSEC-signed DNS record and an SSL certificate that matches the hostname of the website and chains up to a trusted root.
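What step 1 buys the recipient, as an added example (not code from the original post): the body-hash stage a receiving mail server performs on a DKIM-signed message (RFC 6376), with both body canonicalizations. The signer side here is a constructed message using the placeholder domain example.test, selector "sel" and a dummy b= value; checking the b= RSA signature against the selector's public key in DNS is the second stage and is not shown.

```python
import base64
import hashlib
import re

def parse_dkim_tags(value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header field."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace carries no meaning
    return tags

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization, 'simple' or 'relaxed' (RFC 6376 section 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of WSP, strip trailing WSP on each line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "rsa-sha256") -> str:
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha256 if algo.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(canonicalize_body(body, mode)).digest()).decode()

def verify_body_hash(raw: bytes) -> bool:
    """Receiver side: does the bh= tag match the body that actually arrived?"""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode()  # undo header folding
    for line in unfolded.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = parse_dkim_tags(line.split(":", 1)[1])
            break
    else:
        return False  # unsigned: nothing to verify, treat as not authenticated
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, body_mode, tags.get("a", "rsa-sha256"))

def sample_message(body: bytes, mode: str = "relaxed/relaxed") -> bytes:
    """Signer side for the demo: a constructed message whose bh= covers `body`."""
    bh = body_hash(body, mode.partition("/")[2] or "simple")
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=" + mode.encode() +
            b"; d=example.test; s=sel;\r\n\th=from:subject; bh=" + bh.encode() +
            b";\r\n\tb=PLACEHOLDER_SIGNATURE\r\n"
            b"From: sender@example.test\r\nSubject: Daily Report\r\n\r\n" + body)
```

A body that is altered in transit, or a phishing copy that reuses the header but swaps the content, fails the bh= check before any key lookup is needed; relaxed mode tolerates whitespace changes introduced by intermediate mail servers.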

If you're going to advise organizations on security, you should secure your infrastructure and comms too. Lead through action.

P.S. You haven't configured your authoritative DNS server properly. The template default value for the email address is showing in the SOA record.

Simple Guide to Secure Anything

2012-01-02 23:28:32 by chort

Recently I was asked for some pointers on creating a security roadmap. Since there's no one-size-fits-all strategy for which programs or technologies to implement, this is a tough question to answer. After thinking about it for a few minutes, I stepped back and put together this abstract, which is really what security boils down to after all. The rest is implementation details.

Read the rest of this story...

Courage is Temporal, or: USA's Overdeveloped Sense of Heroism

2011-11-20 20:37:44 by chort

In struggling to come to grips with what the Occupy Wall Street movement really means to society, I realized there had been a serious shift in public perception of law enforcement--at least by the white middle class*. If we think back 10 years, nearly everyone was heralding law enforcement and other first-responders as heroes, for risking their lives at the World Trade Center site. If we look at the press today, we see police, sheriff, and campus security forces being roundly criticized for widely publicized incidents of violence. Public officials appear to have been caught off-guard and their response has ranged from bi-polar (Jean Quan, in Oakland) to defiant (Michael Bloomberg, New York City). What accounts for this change?

Read the rest of this story...

Notes on GPU-based Hash Computation

2011-10-29 16:03:45 by chort

In the last few weeks I've learned a lot about applying GPUs to break password hashes. I'd like to thank @ErrataRob for writing the blog post that got me started in this field. If you haven't read Rob's post, I highly recommend you do that first, because this post builds on it. Don't buy a graphics card until you've read my post though, because there are some important updates.

Read the rest of this story...

The Death of Meritocracy?

2011-10-29 00:15:49 by chort

You must be living under a rock to not know about the Occupy Together protests that are happening right now in the United States, and other countries around the world. There has been a lot of press coverage trying to come to grips with what it is that the protesters are actually upset about. One of the best pieces on protester sentiments is this one in Rolling Stone. The gist of it is that Wall Street tycoons aren't getting rich by working hard and having better ideas, they're doing it by cheating the system. While I agree with this assessment, there's more to it.

Read the rest of this story...

How Casey Anthony is like Spam

2011-07-28 23:48:35 by chort

Unless you're living under a rock, you're aware of some public outrage over the acquittal of Casey Anthony on the most serious charges against her. As is usually the case when someone widely believed to be guilty is not convicted, there are all kinds of demands for new laws, criticisms of the jurors, etc. Everyone is so concerned with trying to prevent cases from falling through the cracks that they don't stop to think about how well the system actually does work in general, particularly how rare it is that people are wrongly convicted (rare, but sadly not impossible). It strikes me that this issue is very similar to one I know a lot about.

Read the rest of this story...

Lulzsec, Lies, and the Call to Wake

2011-06-27 00:03:05 by chort

For the past 50 days LulzSec has captured the attention of the information security community, the mainstream media, and just about every other kind of media. Has anyone stopped to wonder what it is that causes the LulzSec saga to be so "sticky?"

Read the rest of this story...

Hey secure.onlineticketorders.com, your website makes me nervous

2011-06-24 16:27:04 by chort

Don't you just love those sites that try to make you feel "extra safe" by putting padlock images on everything, even the "next" button?

Read the rest of this story...