Wednesday, December 25, 2013

Life was never easy...especially in post-prism era;-)

I've watched a great free speech today:

Bruce Schneier, our great philosopher in cybersec field. And Eben Moglen, afaik, he is a great hacker( not in computer stuff) in free software law field. I do remember I used to listen Eben's free speech( electronic version) when I was in college. Seven years until now, I know better about why there are group of people has been trying fight for digital rights, software freedom, etc.....

I'm here to share something I've learn from Bruce and Eben today. This writeup is going to be my notes and some personal summary of 2013. It may be mess a little bit;-)

What do we learn from Mr Snowden's disclosure about crypto?
Cryptography itself is still hard to break. NSA is not breaking the math, but breaking by cheating, by stealing private keys, by forging certificates, by doing non-crypto stuff to archive their *ditry* goals. Even in the fucked-up case of Google, NSA didn't crack the traffic between user's browser and Google's server. Because Google uses client auth SSL at default, more importantly, it works( NSA dont like it). But NSA hijacked the traffic between Google data centers where the SSL/TLS was removed for whatever reasons( cost?). Crypto is still the one of the best ways to fight NSA or NSA-like organization.

Tor stories?
Personally, I like Tor. It probably could save people's life in some "restricted" area. Tor is pissed off agencies like NSA. The contributors of Tor project have routine seminars. It seems that the discussion of how to break Tor is their daily bread;-) Thanks to Tor project contributors.

What if NSA is in our threat model?
The 1st thing is mitigation: NSA got a piece of math but still need a bunch of engineers to make it work. Let NSA pay for higher cost( timing budget not new math). Plz use particular crypto technology( on GNU/Linux distro) as much as possible. It's reasonable to speculating that NSA has something about crypto stuff but we don't. Information asymmetry is indeed exsit. Of course NSA known what we do in past decades but we are rarely to known what NSA has been doing in the same thanks to Mr Snowden's disclosure gave us *a little more* information.

And NSA-like organizations are definitely needs a lot of automated attack tools: foxasset? The reason it simple: you can't just train people on the street to become old school hackers in few months. That's why they have to develop automated tools.

btw: What does old school hacker mean in my context? A type of people who are highly skilled with low-level techniques, such as *NIX System, networking( both internet stuff and corenet of telco), reversing, cryptography, C/ASM code audit, etc..and also have a specific type of strong philosophy with underground spirit;-) spirit~wth

Standard corruption?
It's not all standards does security matters. Bruce thinks AES is still secure. We can't only blame the Dual ECC stuff to standard process's fault. Implementation is important, such as non-NSA involved internation cellphone standard was fucked up..A1/5? Ring the bell? We should only trust these public standards, which our guys( free software enthusiast, cybersec philosophical anarchist like Phrack guys? or people like Bruce?:)) are getting involve with it.

What tools can we trust?
GNUPG, tor, OTR, etc... Some of these open source tools are written by security/crypto paranoids. They have a very awesome design and implementation.

What if you are on the target list of NSA-like organization?
If you are targeted, there's nothing you can do in that level. Is this a super-APT shit?

Is cyberwar going to be end?
I don't think so. If everyone holds the philosophy of "I'll fuck you if you don't fuck me first, sir", then it would turn the whole scene to be everybody being fucked by everybody. That's what old school hackers has been through the paradigm shift( painfully?) from old good hacking days to "This is cyber, sir!".

Is that sounds we are hopeless?
Nope, quoted from Bruce:"Society improves because people dare to think the unthinkable and then after 20, 30 years everyone says that was kind of good idea. It takes a while but it has to start."

FOSS solutions?
Bruce thinks open source solution is more secure than closed ones. Because:
1, You can look at it( source code)
2, It's harder to let someone slip into

We probably don't need to worry too much( did I say "too much"?) about NSA was/is/will try to put backdoor in some fundamental free software projects, like linux kernel, GCC, Glibc, "supposed to be re-written" openssl;-) etc. Because according to the full-disclosured documentations, NSA seems amazingly risks aversed. They only want to take a safe path. Yeah..yeah, I know what they're can do evil, but don't be caught up;-) Free/open source community have a lot of old school hackers has been do code review for decades. They did a great job. And they are going to continue this *secret* war aginst NSA-like organization. So it's not easy attack( backdooring) on compiler.....( and, there are tons of guys like me are trying to be old school hackers).

Leap of faith?
Yeah, it sounds perfect. But no one can ensure you 100% secure. But the fact is that you can't examine everything. You must trust them( the tools you use). Give yourself a little faith. Did Soren A. Kierkegarrd said that we could feel comfortable to use GCC;-)

Well, use Apple products( iphone, ipad, ishit) and Microsoft products( Win for gaming platform, Office for whatever) are not a good options. Drop them, come on!

Hardware box issues: never update the full-disclosured vulns:
In some countries, cybersec business couldn't support small business. The reason cause that happened, because the most of customers had/have the wrong concept about cybersec. They think the only thing you need to do is
buy a bunch of hardware boxes( firewall, IDS/IPS, UTM, NGFW, or whatever). Obviously, it's violating the very important old school principles:
Security is NOT:

Security is NOT installing a firewall ..
Security is NOT a Product or Service .. ( by Schneier, Bruce )
Security is Not a Product; It's a Process .. ( by Schneier, Bruce )
A Security Audit is NOT "running a port scan and turning things off" ..

Security is:

Security is "Can you still continue to work productively/safely, without compounding the security breach"
Security is only as good as your "weakest link"
Security is "risk management" of your corporate resources(computers/people), required expertise, time management, implementation costs, data backup/recovery proceedures ...
Security is a Process, Methodology, Costs, Policies and People
Security is "Can somebody physically walk out with your computers,
disks, tapes, .. "
Security is 24x7x365 ... constantly ongoing .. never ending
Security is "learn all you can as fast as you can, without negatively
affecting the network, productivity and budget"

In past few years, more and more enterprise management guys are realizing that those hardware boxes can't solve the problem, which it was supposed to be solved.* Right here, there's one thing you might want to know: Firstly, some "sec box" vendor has been using a lot of open source code( linux kernel, snort, l7, BRO, etc) but they never contribute to the community. *........Personally I do believe that only old school cybersec principles can make system secure. But it need skilled people to do a lot of work in the daily cybersec process.  Well,  the mainstream marketing are still advertising the *boxes* solution is one thing, while it's hard to find old school guys is another.

What I'm trying to say are not hardware boxes are not important. But people also can do small business with trying to find cheap and effective solution. That's where open source cybersec solution fit in. There are a lot of great cybersec open source project. All you have to do is to pay someone who know
these cybersec open source code and combine them into the your own cybersec solution. For example, a customer want to hardening their network and server. There are a lot of open source sec project can do that, such as
iptables/snort/psad/tcpwrapper/apparmor/openssl/apache or web level
hardening stuff( inside the DJANGO for preventing sql injection, mod_security, etc). But the customer would pay someone who know about it to consulting for
them. The skilled guy could train customer's IT guys or go through
with their own implementation. Personally, I think it's the best to do
the cybersec small business. It's win-win solution! Old school guys get
pay and customer are happy.

btw: Some regions may have these cybersec small business model already.

Well, it's Christmas today. As a Neo-Calvinist, I wouldn't talk about religion too much  in my daily life. But all in all, neo-calvinist is Christian indeed. I'm not too religious. Sometimes, I really hate those nominal christian was feel so good to doing terrible things  in name of god....fuc* them....Anyway, hacker is a type of people who are willing to seek the truth with no matter cost. Even I'd see L0rd Jesus look like overmind( from starcraft) after I die. The problem to me would be "Is this true my L0rd looks like overmind?", if he is the L0rd whatever he looks like, I'd be still worship him;-)

Hacker can pick the red pill.
Hacker can destroy the blue pill.
Hacker can embrace the desert of the real.

Merry Christmas, my fellow brothers/sisters!

May L0rd's hacking spirit guide us in 2014!!!

No comments: