Saturday, January 03, 2015

Happy New Year 2015

Time is running on and brings us to another new year. Does this fuc*ing mean another fight? I've been sitting on my butt and watching a lot of presentations from 31C3. Unfortunately, I couldn't be there physically. I'm fuc*ing jealous of you guys who were there;-)

I've learned a lot from these videos. So, I'd like to write down what I thought about some great topics.

31C3 Opening Event [31c3] with Erdgeist and Geraldine de Bastion
Nothing I can say about the opening;-)


Jacob Appelbaum: Reconstructing narratives - transparency in the service of justice

This is the most fuc*ing awesome presentation I've seen in 2014 since I watched Jacob's free speech at the last C3 conference. Yes.. what I've been trying to tell people (friends & customers) is that there are only a few things we may rely on: OTR, PGP, SSL/TLS with PFS... This is a very positive message that not everything is being fucked. Well... IMOHO, only taking crypto itself into account is not enough. Kernel hardening should be a must-have more than ever before. A lot of 0ld sch00l guys are complaining that people are still not taking system-level security (PaX/Grsecurity? Qubes OS? Mirage OS?) seriously after EFF released the security guideline. Even the Information Security for Journalists focuses on crypto for the most part... damn... I think there is a lot of interesting stuff we could try in 2015...

SS7map : mapping vulnerability of the international mobile roaming infrastructure [31c3]

Well done, P1Sec guys! Telco security is not my major focus, but I've been learning CORENET stuff from some friends in the last few years. According to the ss7map, China is one of the countries with high risk in CORENET. Guess a huge consulting market is out there;-)


The Cloud Conspiracy 2008-2014 [31c3]


Everybody is talking about the cloud. The cloud might help small startups (that don't have sensitive data) in many aspects, especially on the cost issue. But.. speaking of cloud security, damn.. I'm gonna speak it out: The security of public cloud is a joke, the security of private cloud is a fraud;-)

Trustworthy secure modular operating system engineering

Building trust-chains within compartments/containment is not a bad idea for defense in depth. "What you're doing is wrong" is a common phrase from the hacker community. But how to do it right is a scientific problem;-) I don't think type-safe languages will be a silver bullet. New issues and snake-oil security products always come out. People will be happy to talk about how "Next-Gen" technology is gonna change the future... unfortunately, they have no idea what the fuc* they are talking about (in most cases). Why would the fuc*ing industry need "Next-Gen" technology? I guess no one wants to talk about what the hell the Last-Gen tech was;-)

SS7: Locate. Track. Manipulate.

Wow.. very good work, Tobias! I was so excited when you showed the demo. CORENET is really interesting and amazing. That reminds me of a saying from Captain: "The phone company is nothing but a computer... A computer is a System...". Ohh, did I say "cloud"?



Switches Get Stitches - Industrial System Ownership




People have been taking ICS security seriously since the disclosure of Stuxnet. In the meantime, snake-oil products/services just come out of nowhere. This talk is awesome. It's almost like ICS security 101 to me. Thanks Eireann, I think I owe you a beer;-)

Reproducible Builds - Moving Beyond Single Points of Failure for Software Distribution

I love EFF and am proud to be a member. EFF has been doing a great job on public education and fighting for individuals' privacy. I'm not sure if we can win or not. But this is the right thing to do. Revealing the dark side of cybersecurity is inevitable. We have to deal with shit like Mr. Dullien mentioned in Offensive work and addiction. Do we ever have a chance to live in a *pure* world without "I hunt sysadmin"? If we don't, reproducible builds are very valuable for us against mass surveillance. Gitian is a project that Seth & Mike mentioned.

Reproducible builds can't solve all potential threats. But they can help us at some level to identify "There is a backdoor in the identical binary or there isn't a backdoor". You might also want to read about the Trusting Trust issue.

By the way, another reason I love Debian is the Mempo project;-) We need your hands.. fuck off, NSA!

Freedom in your computer and in the net


Fascinating free speech from RMS! My wife believes that to be idealistic is to be realistic... are we talking about a leap of faith? Sometimes, faith is all we have left;-) RMS is one of the most respected men. His philosophy inspired me to start using GNU/Linux. Phrack inspired me to be a cybersec dude....



RMS talked about a few important things at 31C3:
1. The differences between Free Software and open source. Free Software is more concerned about the ethical, libre side, while open source only emphasizes practical stuff like code quality or cost.

2. The security aspect. Free Software is more secure than closed software. Microsoft sends the NSA information about Windows bugs before they fix them; maybe other vendors (closed-source products) would do the same thing.

3. RMS thinks all universities should teach reverse engineering. It's a good choice when you have to explore something in a closed-source world.

4. RMS said "...also the software they teach student to use must be free, because the school has social mission to educate good citizens of society that is strong, capable, independent, cooperating and free..". Damn.. I was touched. I've been asking myself a question for a long time: Why would I support FSF and EFF in the 1st place? Probably I can say now, that is: It's worth it. Making sure the public can benefit from it and educating the public about free software and digital privacy are so important in the information age.

btw: Hope I can make it to 31C3.

May the L0rd's hacking spirit guide us in 2015!