Educational CyberPlayGround ®

Security People:
Dave Farber, Risks Forum, John Gilmore, EFF,
Peter Neumann,
Whitfield Diffie

SECURITY

WHITE HAT / GREY HAT / BLACK HAT HACKERS + ETHICS

SECURITY EXPERTS

Edward Snowden

Daniel Ellsberg

2016 Nicholas Weaver Enigma 2016 - The Golden Age of Bulk Surveillance

Stefan Savage's talk on automotive security: Stefan Savage and @yoshi_kohno dish out previously secret autosec dirt at #enigma2016 when UW-UCSD team compromised automobiles years ago

10/2/14 THE NSA AND ME BY JAMES BAMFORD

William Binney former NSA senior computer scientist.

James Bamford literally wrote the book on the National Security Agency, spending 30 years obsessively documenting the secretive agency in print. Today, for the first time, he tells the story of his brief turn as an NSA whistleblower.

SpaceRogue Chris Wysopal
MR. ROBOT background story Understanding the hacker culture that inspired Mr. Robot



LEARN ABOUT MORE INTERNET PIONEERS

Professor David Farber

  • DAVE FARBER THE TEACHER
    Video of Visionary beginning with the NIH Demo and then Dave's talk.
  • Dave's Interesting-People list and Archive
  • Dave's Website
  • Dave Farber's review of "Code : and other laws of cyberspace law

There is no unemployment in InfoSec Myth

SECURITY PEOPLE

Eve Adams @HackerHuntress
Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that get you the kind of attention you want, getting short-listed for cool positions before they're even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!

Bio: Eve Adams (@HackerHuntress) is Senior Talent Acquisition Expert at Halock Security Labs, a full-service information security advisory in Schaumburg, IL. Eve leverages three years of security staffing experience to drive recruitment for both internal Halock roles and client placement. She also spearheads Halock's social media presence and counts Twitter as one of her most powerful recruiting tools. She's passionate about information security, thinks most recruiters are doing it wrong, and naively believes technology can change the world for the better. In past lives, she has been a writer, translator and reptile specialist, among other things. While she is officially OS-agnostic, she runs Ubuntu 12.04 at home.

My little tribute to the "heroes of the computer revolution", as Steven Levy would put it.
0x01 - Definitions: Hacker vs Cracker The New Hacker's Dictionary defines Hacker as:

Lawyer Josh Horowitz Silk Road Defense Attorney from TechLaw NY speaks at a CLE in downtown Manhattan about Document OCR, Regular Expression Search, and navigating via the shell.


 

Adobe Acrobat Professional will make your files searchable. Create a searchable index that allows you to search through everything at one time.
adobe.com/products/acrobatpro.html
shell / grep / regular expression / tutorial

We can force you to decrypt your laptop
http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/
Colorado Springs defense lawyer Phil Dubois, who once represented PGP creator Phil Zimmermann: "I hope to get a stay of execution of this order so we can file an appeal to the 10th Circuit Court of Appeals" (interview with Dubois)
http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/

H D Moore a security researcher and the chief research officer for Rapid7. Some folks may be familiar with my work on Metasploit, but these days I also spend a lot of time scanning the internet as part of Project Sonar. My servers send friendly greetings to your servers at least once a week.

Perry Metzger was (and still is) a staunch, uncompromising Extropian Libertarian. Metzger defines himself as “Transhumanist Market Anarchist, Systems and Security Geek, Molecular Manufacturing Semi-Pro,” and he is the owner of the Cryptography mailing list.

CRYPTO - Whitfield Diffie - Cryptology Expert, Privacy Expert
Nov 1994 Prophet of Privacy Whitfield Diffie took cryptography out of the hands of the spooks and made privacy possible in the digital age - by inventing the most revolutionary concept in encryption since the Renaissance. Feb 1993 Crypto Rebels

Jim Christy, DoD cyber crime response team.

Dr. James Joshi Security Assured Information Systems (SAIS) curriculum at SIS met CNSS National Standard(s) 4011 and 4013. Pitt has been designated a National Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security.

PETER NEUMANN - RISKS FORUM

PETER GUTMANN - Dept. of Computer Science

Steve Gibson weekly audio podcast somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

About Greg Rose

Bruce Schneier, founder and CTO of Counterpane Internet Security, Inc., author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography. He publishes CRYPTO-GRAM, a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. Back issues are available at http://www.counterpane.com/crypto-gram.html

Matt Blaze cryptography resource on the Web cryptanalysis - security flaws that allow hackers to break into computer networks. "Keep It Simple Stupid" and the "final" version of my paper on cryptology and locks

Robert Alberti, CISSP, ISSMP (612) 961-0507 cell
President, Sanction, Inc. (612) 486-5000 x211
http://sanction.net (612) 486-5000 fax
"Security solutions are cultural solutions facilitated by technology."

CRISIS EXPERTS AND RESOURCES

Robert Raisch - Architect / Developer, Online Technology Evangelist, & Internet Hired Gun

The Shmoo Group is a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development. Founder Bruce Potter runs DC Chapter of SecurityGeeks and bluesniff

Graduate Schools in Cryptography

http://www.w00w00.org/ w00w00, with 30+ active participants, is currently the largest non-profit security team in the world (there are no "members"). w00w00 was created in 1998. We have had participants in 5 continents, and 12 countries (Australia, Argentina, Canada, Japan, France, Russia, England, Spain, Sweden, Germany, Portugal, USA), and several U.S. states.

Karsten Nohl and Jakob Lell created malware called BadUSB, which can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user's internet traffic. But BadUSB's ability to spread undetectably from USB to PC and back raises questions about whether it's possible to use USB devices securely at all. “We've all known that if you give me access to your USB port, I can do bad things to your computer,” says University of Pennsylvania computer science professor Matt Blaze. “What this appears to demonstrate is that it's also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.” Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden.

'IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.'

Adam Caudill and Brandon Wilson, unlike Nohl, published the code for those attacks on GitHub, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
To avoid the attack, all you have to do is not connect your USB device to computers you don't own or don't have good reason to trust—and don't plug untrusted USB devices into your own computer.

21 AppSec people to follow on Twitter

Ethical hacker

Alexander is a passionate Security Expert for over 6 years (formally), always looking towards original challenges and opportunities to learn something new. He is a founder of Defcon Moscow group and current leader of OWASP Russia Local Chapter. His special interest is in the field of applied cryptography and in what is called “ethical hacking”. Deanonymization Made Simple - @c0rdis

GREY HAT HACKER

Hello, I'm Alejandro, most people just call me Alex (@DotSlashPunk). I'm a web app hacker at heart, I mostly do work in some weird combination of offensive security, big data and search engine type of stuff. I'm particularly interested in finding and disclosing mass amounts of vulnerabilities, but I also do a lot of work outside of everything I just described. I'm the creator of PunkSPIDER, the distributed web application fuzzing project. I'm also a tech lead on DARPA's Memex project, which, among many other things, does research into crawling and scraping the deep web/hidden services and builds technology to catch bad people doing awful things on the Internet.

Apply to Hacker School
Hacker School is a three-month, full-time school in New York for becoming a better programmer. It's like a writers retreat for hackers.
Tuition is free, and we provide space, a little structure, time to focus, and a friendly community of smart people dedicated to self-improvement. We strive to make Hacker School the best environment to learn and grow as a programmer. Towards that end, we have explicit social rules (e.g., no "well, actuallys," no "feigning surprise," no "subtle sexism"), we aim for gender parity (our past two batches were 37-45% female), and we host amazing people as programmers in residence who work directly with students.
Tuition is free, and we provide $5k, need-based grants to women for living expenses. We value free software, beautiful code, and personal growth. Apply now to be part of our winter 2013 batch, which begins in February:
https://www.hackerschool.com/about
https://www.hackerschool.com/apply
You can also learn about the type of people we look for and if we'd be a fit for you:
https://www.hackerschool.com/blog/12-what-we-mean-by-hacker

Certified Ethical Hackers

Andy Grudko (British), Independent Security Consultant, Est. 1980. PSIRA reg. No. 8642 grudko.co.za , securitybydesign.co.za , agrudko@icon.co.za (+27) 012 244 0255 - 244 0256 (Fax - phone first) Fax-to-email 086 646 2645 Cellular (+27) 082 778 6355 - Skype AndyGrudko SASA, IPA, FAPI, CALI, IWWA, SCIP, WAD Ambassador "Most security companies know us - but none of them own us" (C)

PEOPLE FOR INTERNET RESPONSIBILITY

PFIR Statement on Internet Policies, Regulations, and Control

Seth Finkelstein Consulting Programmer sethf@sethf.com
Anticensorware Investigations - http://sethf.com/anticensorware/ http://www.eff.org/IP/DMCA/finkelstein_on_dmca.html
Seth Finkelstein's Infothought blog -
http://www.nytimes.com/2001/07/19/Technology/circuits/19HACK.html

Lee Tien tien at eff.org Senior Staff Attorney Electronic Frontier Foundation
454 Shotwell Street San Francisco, CA 94110
(415) 436-9333 x 102 (tel) (415) 436-9993 (fax)

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org +1 (415) 436-9333 x123

RESOURCES

Electronic Frontier Foundation
Lauren Gelman Phone: 202/487-0420
Director of Public Policy email: gelman@eff.org

National Telecommunications and Information Administration

A CHARGE OF INTERNATIONAL ELECTRONIC ESPIONAGE

INCIDENT RESPONSE

Howard Rheingold, and Gary Chapman discuss Bill Joy's piece which was published in the April 2000 edition of Wired Magazine, "Why the Future Doesn't Need Us"

3/2/16 Livestream of House hearing on FBI-Apple and Professor Susan Landau testifying to the Judiciary Committee

It's the FBIs, NSAs, and Equifaxes of the world versus a swelling movement of Cypherpunks, civil libertarians, and millionaire hackers. At stake: Whether privacy will exist in the 21st century. That ended abruptly in 1975 when a 31-year-old computer wizard named Whitfield Diffie (2016: wins Turing Award) came up with a new system, called "public-key" cryptography, that hit the world of cyphers with the force of an unshielded nuke.
Foreword by WHITFIELD DIFFIE to Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design by the Electronic Frontier Foundation July 1998
4/02 SUN MICROSYSTEMS APPOINTS WORLD-RENOWNED SECURITY EXPERT, WHITFIELD DIFFIE <whitfield.diffie@sun.com>, AS CHIEF SECURITY OFFICER; CREATES GLOBAL SECURITY PROGRAM OFFICE
Sun's Security King Cryptography pioneer Whit Diffie offers illuminating views on his ascension to Sun Microsystems' CSO. http://www.cisomagazine.com/2002/aug/qa.shtml

 

Charles Miller, Ph.D., principal security analyst with Independent Security Evaluators
810 Wyman Park Dr.
Suite 180A
Baltimore, MD 21211
443-270-2296 (T)
443-378-7128 (F)
Email: contact AT securityevaluators.com

Chris Paget, director of R&D for IOActive, RFID hacking.

Johnny Long

Identity Stronghold, "secure sleeves" help protect security cards from malicious cloning.

Ron Rivest's web page has an excellent collection of cryptography and cryptology research links

Bert-Jaap Koops has done a lot of high quality research into the subject of international cryptography law.

About D.J. Bernstein - Crypto Regulations US Export controls

Interview with Jon Callas - innovator and an acknowledged expert in all major aspects of contemporary business security, including cryptography, operating system security, public key infrastructure, and intellectual property rights.

William Knowles c4i.org

Public Key Cryptography in One Easy Lesson
PGP announced a deal with Sony Computer Entertainment to protect the laptops of 1,100 worldwide employees. That'll be their GTA cheat codes safe, then.
BitLocker has landed Redmond in some hot water over its insistence that there are no back doors for law enforcement. As its encryption code is open source, PGP says it can guarantee no back doors, but that cyber sleuths can use its master keys if necessary.
PGP encryption inventor Phil Zimmermann.

Phil Zimmermann: Zfone VoIP security software. It adds solid encryption protection to any software-based VoIP security software simply by installing the free software and pointing your VoIP software to a new host port. It doesn't use persistent keys or PKI.

Steve Bellovin writes:
It's a truism in the crypto business that the old telegraph codes were for economy, with confidentiality against casual readers a noted and desirable goal. But I've recently acquired two old codebooks that have stronger ambitions.
The more interesting one is Slater's Telegraph Code, since confidentiality is its only goal. I have the 9th Edition, from 1938, but it appears to be originally from the late 1860's. It encodes 25,000 words, including "a" and "the". There are no sentences, phrases, etc. Users are told to convert the plaintext word to a number, transform the number, and convert back to a new word for transmission. Suggested transformations include adding or subtracting a shared secret constant, permuting some of the digits of the code number, and/or regrouping the digits of a string of code numbers. Clearly not military-grade security, even for the time, I'd guess; in addition to the rather simple transforms, it's a one-part code.
Equally interesting is the threat model. I quote from the introduction:
On the 1st February, 1870, the telegraph system throughout the United Kingdom passes into the hands of the Government, who will work the lines by Post Office officials. In other words, those who have hitherto so judiciously and satisfactorily managed the delivery of our sealed letters will in future be entrusted also with the transmission and delivery of our open letters in the shape of telegraphic communications, which will thus be exposed not only to the gaze of public officials, but from the necessity of the case must be read by them. Now in large or small communities (particularly perhaps in the latter) there are always to be found prying spirits, curious as to the affairs of their neighbours, which they think they can manage so much better than the parties chiefly interested, and proverbially inclined to gossip.
It goes on to warn of the need for confidentiality in business communications, especially when undersea telegraph lines are used.
Equally interesting is the fact that despite the common wisdom that says that secrecy products didn't sell well, this book survived for about 70 years -- with my edition being printed on the eve of war.
The other confidentiality code I have is "Sheahan's Telegraphic Cipher Code", from 1892. It was intended for use by railway labor organizers, to keep management from knowing what they were up to. It has about 7000 code words.
It's a more conventional telegraph code, in that it includes some phrases. The general confidentiality scheme is similar to Slater's, though the only suggested transformation is adding or subtracting a constant to the code number. Because the plaintext is phrases, rather than just words, there are separate code words along with the code numbers; these words are sent, rather than the numeric values.
From a cryptographic perspective, the most interesting item is that times, days, and numbers do not have code numbers -- the instructions say to send just the code words. The compiler was worried about a known or probable plaintext attack on the offset value used for superencipherment. There is also a warning against mixing plaintext with ciphertext, "excepting the name of a person or the name of a town".
There is a cipher alphabet for spelling out words, but it, too, is not superenciphered.
Some of my other, larger code books could have been used in a similar fashion, but there's no hint of that in the instructions.

The Museum Security Network has been on-line since December 1996. It was founded by Ton Cremers, former head of security at Amsterdam's Rijksmuseum, recipient of the 2001 Robert B. Burke Award for excellence in cultural property protection at Smithsonian National Conference, and currently independent museum, library, and archive security consultant. Its original aim was to be a source of information for cultural property protection professionals. Gradually, the Museum Security Network mailing list has become the main channel for the distribution of news and information pertaining to cultural property protection, preservation, conservation, and security. On a daily basis, information is posted on www.museum-security.org as well as on the MSN Google Group (Google group is moderated by Mark Durney mark @ artcrime.info). Subscribers include museum professionals, law enforcement officers, lawyers, academics, insurance underwriters, journalists, auction houses, among many others.

FEDERATION OF AMERICAN SCIENTISTS
You don't have to be a rocket scientist to support our work on global security! (FAS) is working on issues of global security, the environment, democratic governance and human rights. From our early days, 50 years ago as the action arm of the original atomic scientists, to our present work on arms control, environmental protection, and government secrecy reform, FAS continues a commitment to informing the public debate on complex scientific and technical questions.

CIA - can't secure their network

FreeS/WAN project is to secure Internet traffic against wiretapping.

Pixel Plasticity
In the fraction of a second between video frames, any person or object moving in the foreground can be edited out, and objects that aren't there can be edited in and made to look real. Pictures from orbit may not necessarily be what the satellite's electronic camera actually recorded.

The Council for Responsible Genetics
The public must have access to clear and understandable information on technological innovations. The public must be able to participate in public and private decision-making concerning technological developments and their implementation. New technologies must meet social needs. Problems rooted in poverty, racism and other forms of inequality cannot be remedied by technology alone.

History of Computers: cryptology - CIPHER MACHINES
Tom Watson, chairman of IBM, said in 1943 "I think there is a world market for maybe five computers."

Richard F. Forno, Principal Consultant
Richard Forno is an internationally-recognized security professional whose career in information assurance centers around security program development and management, incident response operations, security awareness, and emerging trends analysis.

Reflections On Trusting Trust ...


Ken Thompson - wiki
* The Ken Thompson Hack
In 1984 Ken Thompson was presented with the ACM Turing Award. Ken's acceptance speech Reflections On Trusting Trust (http://cm.bell-labs.com/who/ken/trust.html) describes a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.
Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus.
Ken wrote, "In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."
Ken does not mean bug in the sense of error, but in the sense of listening device. And it is "almost" impossible to detect because The Ken Thompson Hack easily propagates into the binaries of all the inspectors, debuggers, disassemblers, and dumpers a programmer would use to try to detect it. And defeats them. Unless you're coding in binary, or you're using tools compiled before the KTH was installed, you simply have no access to an uncompromised tool.
In fact, given the amenability of microcode to the KTH, not even then. All manner of controls and monitors could be secreted this way in the OSes of all the devices we all use day to day. It isn't very far fetched to suggest that the hack, in software, can create an updatable backdoor. This way every piece of software on the planet can be KTH bugged without any possibility of detection by any mortal engineer anywhere. Well, maybe with the diligent use of an electron microscope.
Given last week's horrifying revelations concerning the US government's Total Information Awareness of every US domestic phone call, it is difficult to imagine that the Three Letter Agency's KTH-hacked binaries are not omnipresent. I mean, can you really imagine Admiral Poindexter would pass up an ability like this?
Reflections on Trusting Trust Ken Thompson
Reprinted from Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. Copyright © 1984, Association for Computing Machinery, Inc. Also appears in ACM Turing Award Lectures: The First Twenty Years 1965-1985 Copyright © 1987 by the ACM press and Computers Under Attack: Intruders, Worms, and Viruses Copyright © 1990 by the ACM press.

Cyber Insurance for Mega Breaches
'pre-Target' and 'post-Target' state of the cybermarket for major retailers from both the underwriting and the client side," Emily Freeman, risk management cyber and professional liability specialist for the global technology and privacy practice at Lockton Companies "Most people are talking around the breach component of it. They may also be driven by regulatory compliance concerns." However, cyber espionage attacks remain a bit fuzzy for insurers, she says. "Cost to cover intellectual property [cyberattacks] are not a widely insurable thing yet." The cost of forensics, downtime, breach notification, credit monitoring services for customers, legal fees, and crisis management teams all factor into the insurance equation today. "They have to protect their brand reputation," and retailers look for insurers to help support that. BitSight rolled out a security ratings service specifically for cyber insurers based on its Security Ratings Platform, which analyzes publicly available data from its global sensors that track security events and malware behavior daily for organizations, specifically looking for botnet communication, malware distribution, and email server configuration. The scoring model is akin to consumer credit ratings.