Security People: Dave Farber, Risks Forum, John Gilmore, EFF, Peter Neumann, Whitfield Diffie
SECURITY
WHITE HAT / GREY HAT / BLACK HAT HACKERS + ETHICS
Edward Snowden
Daniel Ellsberg
2016 Nicholas Weaver Enigma 2016 - The Golden Age of Bulk Surveillance
Stefan Savage's talk on automotive security: Stefan Savage and @yoshi_kohno dish out previously secret autosec dirt at #enigma2016 on how the UW-UCSD team compromised automobiles years ago.
10/2/14 THE NSA AND ME BY JAMES BAMFORD
William Binney, former NSA senior computer scientist.
James Bamford literally wrote the book on the National Security Agency, spending 30 years obsessively documenting the secretive agency in print. Today, for the first time, he tells the story of his brief turn as an NSA whistleblower.
Space Rogue, Chris Wysopal
MR. ROBOT background story Understanding the hacker culture that inspired Mr. Robot
LEARN ABOUT MORE INTERNET PIONEERS
Professor David Farber
- DAVE FARBER THE TEACHER
- Video of Visionary, beginning with the NIH demo and then Dave's talk.
- Dave's Interesting-People list and archive
- Dave's website
- Dave Farber's review of "Code: and Other Laws of Cyberspace"
- Bjarne Stroustrup, creator of the C++ language: how and why it is the way it is. "I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone." Bjarne's site
- Ian Clarke - Freenet
The "there is no unemployment in InfoSec" myth
SECURITY PEOPLE
Eve Adams @HackerHuntress
Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that get you the kind of attention you want, getting short-listed for cool positions before they're even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!
Bio: Eve Adams (@HackerHuntress) is Senior Talent Acquisition Expert at Halock Security Labs, a full-service information security advisory in Schaumburg, IL. Eve leverages three years of security staffing experience to drive recruitment for both internal Halock roles and client placement. She also spearheads Halock's social media presence and counts Twitter as one of her most powerful recruiting tools. She's passionate about information security, thinks most recruiters are doing it wrong, and naively believes technology can change the world for the better. In past lives, she has been a writer, translator and reptile specialist, among other things. While she is officially OS-agnostic, she runs Ubuntu 12.04 at home.
My little tribute to the "heroes of the computer revolution", as Steven Levy would put it.
0x01 - Definitions: Hacker vs Cracker. The New Hacker's Dictionary defines Hacker as:
Lawyer Josh Horowitz, Silk Road defense attorney from TechLaw NY, speaks at a CLE in downtown Manhattan about document OCR, regular-expression search, and navigating via the shell.
Adobe Acrobat Professional will make your files searchable. Create a searchable index that allows you to search through everything at one time.
adobe.com/products/acrobatpro.html
shell / grep / regular expression / tutorial
We can force you to decrypt your laptop
http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/
Colorado Springs defense lawyer Phil Dubois, who once represented PGP creator Phil Zimmermann: "I hope to get a stay of execution of this order so we can file an appeal to the 10th Circuit Court of Appeals." (interview with Dubois)
http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/
HD Moore, a security researcher and the chief research officer for Rapid7: "Some folks may be familiar with my work on Metasploit, but these days I also spend a lot of time scanning the internet as part of Project Sonar. My servers send friendly greetings to your servers at least once a week."
Perry Metzger was (and still is) a staunch, uncompromising Extropian Libertarian. Metzger defines himself as “Transhumanist Market Anarchist, Systems and Security Geek, Molecular Manufacturing Semi-Pro,” and he is the owner of the Cryptography mailing list.
CRYPTO - Whitfield Diffie - Cryptology Expert, Privacy Expert
Nov 1994, Prophet of Privacy: Whitfield Diffie took cryptography out of the hands of the spooks and made privacy possible in the digital age, by inventing the most revolutionary concept in encryption since the Renaissance.
Feb 1993, Crypto Rebels
Jim Christy, DoD cyber crime response team.
Dr. James Joshi Security Assured Information Systems (SAIS) curriculum at SIS met CNSS National Standard(s) 4011 and 4013. Pitt has been designated a National Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security.
PETER GUTMANN - Dept. of Computer Science
Steve Gibson's weekly audio podcast, somewhat shy of two hours each week, discusses important issues of personal computer security: "Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user."
Bruce Schneier, Founder and CTO of Counterpane Internet Security, Inc., author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He is a member of the Advisory Board of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on computer security and cryptography. He publishes CRYPTO-GRAM, a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. Back issues are available on http://www.counterpane.com/crypto-gram.html
Matt Blaze's cryptography resource on the Web: cryptanalysis (security flaws that allow hackers to break into computer networks), "Keep It Simple Stupid", and the "final" version of his paper on cryptology and locks.
Robert Alberti, CISSP, ISSMP, President, Sanction, Inc. http://sanction.net
(612) 961-0507 cell, (612) 486-5000 x211, (612) 486-5000 fax
"Security solutions are cultural solutions facilitated by technology."
Robert Raisch -Architect / Developer, Online Technology Evangelist, & Internet Hired Gun
The Shmoo Group is a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development. Founder Bruce Potter runs the DC chapter of SecurityGeeks and the Bluesniff tool.
Graduate Schools in Cryptography
http://www.w00w00.org/ w00w00, with 30+ active participants, is currently the largest non-profit security team in the world (there are no "members"). w00w00 was created in 1998. We have had participants in 5 continents, and 12 countries (Australia, Argentina, Canada, Japan, France, Russia, England, Spain, Sweden, Germany, Portugal, USA), and several U.S. states.
Karsten Nohl and Jakob Lell created malware called BadUSB, which can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user's internet traffic. But BadUSB's ability to spread undetectably from USB to PC and back raises questions about whether it's possible to use USB devices securely at all. "We've all known that if you give me access to your USB port, I can do bad things to your computer," says University of Pennsylvania computer science professor Matt Blaze. "What this appears to demonstrate is that it's also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem." Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden.
"In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."
Adam Caudill and Brandon Wilson, unlike Nohl, published the code for those attacks on GitHub, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
To avoid the attack, all you have to do is not connect your USB device to computers you don't own or don't have good reason to trust, and don't plug untrusted USB devices into your own computer.
21 AppSec people to follow on Twitter
Ethical hacker
Alexander has been a passionate security expert for over 6 years (formally), always looking for original challenges and opportunities to learn something new. He is a founder of the Defcon Moscow group and current leader of the OWASP Russia local chapter. His special interest is in the field of applied cryptography and in what is called "ethical hacking". Deanonymization Made Simple - @c0rdis
GREY HAT HACKER
Hello, I'm Alejandro, most people just call me Alex @DotSlashPunk I'm a web app hacker at heart, I mostly do work in some weird combination of offensive security, big data and search engine type of stuff. I'm particularly interested in finding and disclosing mass amounts of vulnerabilities, but I also do a lot of work outside of everything I just described. I'm the creator of PunkSPIDER the distributed web application fuzzing project. I'm also a tech lead on DARPA's Memex project, which, among many other things, does research into crawling and scraping the deep web/hidden services and builds technology to catch bad people doing awful things on the Internet.
Apply to Hacker School
Hacker School is a three-month, full-time school in New York for becoming a better programmer. It's like a writers' retreat for hackers.
Tuition is free, and we provide space, a little structure, time to focus, and a friendly community of smart people dedicated to self-improvement. We strive to make Hacker School the best environment to learn and grow as a programmer. Towards that end, we have explicit social rules (e.g., no "well, actuallys," no "feigning surprise," no "subtle sexism"), we aim for gender parity (our past two batches were 37-45% female), and we host amazing people as programmers in residence who work directly with students.
Tuition is free, and we provide $5k, need-based grants to women for living expenses. We value free software, beautiful code, and personal growth. Apply now to be part of our winter 2013 batch, which begins in February:
https://www.hackerschool.com/about
https://www.hackerschool.com/apply
You can also learn about the type of people we look for and if we'd be a fit for you:
https://www.hackerschool.com/blog/12-what-we-mean-by-hacker
Andy Grudko (British), Independent Security Consultant, Est. 1980. PSIRA reg. No. 8642 grudko.co.za , securitybydesign.co.za , agrudko@icon.co.za (+27) 012 244 0255 - 244 0256 (Fax - phone first) Fax-to-email 086 646 2645 Cellular (+27) 082 778 6355 - Skype AndyGrudko SASA, IPA, FAPI, CALI, IWWA, SCIP, WAD Ambassador "Most security companies know us - but none of them own us" (C)
PEOPLE FOR INTERNET RESPONSIBILITY
PFIR Statement on Internet Policies, Regulations, and Control
Seth Finkelstein Consulting Programmer
sethf@sethf.com
Anticensorware Investigations - http://sethf.com/anticensorware/ http://www.eff.org/IP/DMCA/finkelstein_on_dmca.html
Seth Finkelstein's Infothought blog
-
http://www.nytimes.com/2001/07/19/Technology/circuits/19HACK.html
Lee Tien, tien at eff.org, Senior Staff Attorney, Electronic Frontier Foundation, 454 Shotwell Street, San Francisco, CA 94110
(415) 436-9333 x 102 (tel), (415) 436-9993 (fax)
Fred von Lohmann, Senior Intellectual Property Attorney, Electronic Frontier Foundation, fred@eff.org, +1 (415) 436-9333 x123
RESOURCES
Electronic Frontier Foundation
Lauren Gelman, Director of Public Policy, phone: 202/487-0420, email: gelman@eff.org
National Telecommunications and Information Administration
A CHARGE OF INTERNATIONAL ELECTRONIC ESPIONAGE
Howard Rheingold, and Gary Chapman discuss Bill Joy's piece which was published in the April 2000 edition of Wired Magazine, "Why the Future Doesn't Need Us"
3/2/16 Livestream of House hearing on FBI-Apple and Professor Susan Landau testifying to the Judiciary Committee
It's the FBIs, NSAs, and Equifaxes of the world versus a swelling movement of Cypherpunks, civil libertarians, and millionaire hackers. At stake: whether privacy will exist in the 21st century. That ended abruptly in 1975 when a 31-year-old computer wizard named Whitfield Diffie (who in 2016 won the Turing Award) came up with a new system, called "public-key" cryptography, that hit the world of cyphers with the force of an unshielded nuke.
Foreword by WHITFIELD DIFFIE to Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design, by the Electronic Frontier Foundation, July 1998
4/02 SUN MICROSYSTEMS APPOINTS WORLD-RENOWNED SECURITY EXPERT, WHITFIELD DIFFIE <whitfield.diffie@sun.com>, AS CHIEF SECURITY OFFICER; CREATES GLOBAL SECURITY PROGRAM OFFICE
Sun's Security King: cryptography pioneer Whit Diffie offers illuminating views on his ascension to Sun Microsystems' CSO.
Charles Miller, Ph.D., principal security analyst with Independent Security Evaluators, 810 Wyman Park Dr., Suite 180A, Baltimore, MD 21211
443-270-2296 (T), 443-378-7128 (F), Email: contact AT securityevaluators.com
Chris Paget, director of R&D for IOActive, RFID hacking.
Identity Stronghold: "secure sleeves" help protect security cards from malicious cloning.
Ron Rivest's web page has an excellent collection of cryptography and cryptology research links.
Bert-Jaap Koops has done a lot of high quality research into the subject of international cryptography law.
About D.J. Bernstein - Crypto Regulations US Export controls
Interview with Jon Callas - innovator and an acknowledged expert in all major aspects of contemporary business security, including cryptography, operating system security, public key infrastructure, and intellectual property rights.
William Knowles c4i.org
Public Key Cryptography in One Easy Lesson
PGP announced a deal with Sony Computer Entertainment to protect the laptops of 1,100 worldwide employees. That'll keep their GTA cheat codes safe, then.
BitLocker has landed Redmond in some hot water over its insistence that there are no back doors for law enforcement. As its encryption code is open source, PGP says it can guarantee no back doors, but that cyber sleuths can use its master keys if necessary.
PGP encryption inventor Phil Zimmermann.
Phil Zimmermann's Zfone VoIP security software adds solid encryption protection to any software-based VoIP client simply by installing the free software and pointing your VoIP software to a new host port. It doesn't use persistent keys or PKI.
Steve Bellovin writes:
It's a truism in the crypto business that the old telegraph codes were for economy, with confidentiality against casual readers a noted and desirable goal. But I've recently acquired two old codebooks that have stronger ambitions.
The more interesting one is Slater's Telegraph Code, since confidentiality is its only goal. I have the 9th Edition, from 1938, but it appears to be originally from the late 1860s. It encodes 25,000 words, including "a" and "the". There are no sentences, phrases, etc. Users are told to convert the plaintext word to a number, transform the number, and convert back to a new word for transmission. Suggested transformations include adding or subtracting a shared secret constant, permuting some of the digits of the code number, and/or regrouping the digits of a string of code numbers. Clearly not military-grade security, even for the time, I'd guess; in addition to the rather simple transforms, it's a one-part code.
Equally interesting is the threat model. I quote from the introduction:
On the 1st February, 1870, the telegraph system throughout the United Kingdom passes into the hands of the Government, who will work the lines by Post Office officials. In other words, those who have hitherto so judiciously and satisfactorily managed the delivery of our sealed letters will in future be entrusted also with the transmission and delivery of our open letters in the shape of telegraphic communications, which will thus be exposed not only to the gaze of public officials, but from the necessity of the case must be read by them. Now in large or small communities (particularly perhaps in the latter) there are always to be found prying spirits, curious as to the affairs of their neighbours, which they think they can manage so much better than the parties chiefly interested, and proverbially inclined to gossip.
It goes on to warn of the need for confidentiality in business communications, especially when undersea telegraph lines are used.
Equally interesting is the fact that despite the common wisdom that says that secrecy products didn't sell well, this book survived for about 70 years -- with my edition being printed on the eve of war.
The other confidentiality code I have is "Sheahan's Telegraphic Cipher Code", from 1892. It was intended for use by railway labor organizers, to keep management from knowing what they were up to. It has about 7000 code words.
It's a more conventional telegraph code, in that it includes some phrases. The general confidentiality scheme is similar to Slater's, though the only suggested transformation is adding or subtracting a constant to the code number. Because the plaintext is phrases, rather than just words, there are separate code words along with the code numbers; these words are sent, rather than the numeric values.
From a cryptographic perspective, the most interesting item is that times, days, and numbers do not have code numbers -- the instructions say to send just the code words. The compiler was worried about a known or probable plaintext attack on the offset value used for superencipherment. There is also a warning against mixing plaintext with ciphertext, "excepting the name of a person or the name of a town". There is a cipher alphabet for spelling out words, but it, too, is not superenciphered.
Some of my other, larger code books could have been used in a similar fashion, but there's no hint of that in the instructions.
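As an added example (not Bellovin's code, and not from either codebook), here is a toy reconstruction of the superenciphered one-part code he describes. The sixteen-word codebook is constructed for illustration. It shows Slater's additive transform, the known-plaintext recovery of the offset that Sheahan's compiler was worried about, and Sheahan's mitigation of sending days as bare code words; the function and variable names are the example's own.

```python
"""Toy model of the superenciphered one-part telegraph codes Bellovin describes
(Slater's additive transform, and the known-plaintext weakness Sheahan's
compiler worried about).  Added example, not Bellovin's code; the sixteen-word
codebook is constructed for illustration (the real books had 7,000-25,000 entries)."""

# A one-part code: the book is in alphabetical order, so one table serves for
# both encoding and decoding.  Convenient, and exactly why it is weak.
CODEBOOK = sorted([
    "a", "arrives", "buy", "cargo", "cotton", "falls", "friday", "liverpool",
    "london", "monday", "price", "rises", "sell", "ship", "the", "wheat",
])
N = len(CODEBOOK)
WORD_TO_NUM = {w: i for i, w in enumerate(CODEBOOK)}


def encode(plaintext, key):
    """Slater's scheme: word -> code number -> add the shared constant (mod N)
    -> look the new number up again, and send that word."""
    return " ".join(CODEBOOK[(WORD_TO_NUM[w] + key) % N] for w in plaintext.split())


def decode(wire, key):
    """Receiver reverses the transform with the same shared constant."""
    return " ".join(CODEBOOK[(WORD_TO_NUM[w] - key) % N] for w in wire.split())


def recover_key(cipher_word, known_plain_word):
    """Known-plaintext attack: a single (sent word, guessed word) pair gives
    the offset, since the transform is just addition mod N."""
    return (WORD_TO_NUM[cipher_word] - WORD_TO_NUM[known_plain_word]) % N


def break_message(wire, position, candidates):
    """Try each candidate plaintext for the word at `position`; return the
    (key, decrypted message) pair each one implies.  A real attacker would
    keep the candidate whose decryption reads as sensible English."""
    sent = wire.split()[position]
    return [(recover_key(sent, c), decode(wire, recover_key(sent, c))) for c in candidates]


# Sheahan's rule: days, times and numbers go out as bare code words with no
# offset applied, so a guessed date cannot expose the offset for everything else.
# (Real books reserved distinct code words for these; the toy reuses the word.)
PLAIN_CODE_WORDS = {"monday", "friday"}


def encode_sheahan(plaintext, key):
    return " ".join(w if w in PLAIN_CODE_WORDS else CODEBOOK[(WORD_TO_NUM[w] + key) % N]
                    for w in plaintext.split())


if __name__ == "__main__":
    key = 7
    msg = "sell cotton monday price falls liverpool"
    wire = encode(msg, key)
    print("Slater:", wire)
    # The interceptor guesses word 2 is a weekday and tries both days in the book.
    for k, guess in break_message(wire, 2, ["monday", "friday"]):
        print(f"  key {k:2d} -> {guess}")
    print("Sheahan:", encode_sheahan(msg, key),
          "-> guessing the date yields key", recover_key("monday", "monday"))
```

With a 25,000-word book the attacker needs the same single guess; the offset is one number, so one correctly guessed word (a date, a price, a town) unlocks the whole telegram. That is the attack Sheahan's instructions avoid by keeping predictable items out of the superencipherment, at the cost of sending them recognisably.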
The Museum Security Network has been on-line since December 1996. It was founded by Ton Cremers, former head of security at Amsterdam's Rijksmuseum, recipient of the 2001 Robert B. Burke Award for excellence in cultural property protection at Smithsonian National Conference, and currently independent museum, library, and archive security consultant. Its original aim was to be a source of information for cultural property protection professionals. Gradually, the Museum Security Network mailing list has become the main channel for the distribution of news and information pertaining to cultural property protection, preservation, conservation, and security. On a daily basis, information is posted on www.museum-security.org as well as on the MSN Google Group (Google group is moderated by Mark Durney mark @ artcrime.info). Subscribers include museum professionals, law enforcement officers, lawyers, academics, insurance underwriters, journalists, auction houses, among many others.
FEDERATION OF AMERICAN SCIENTISTS
You don't have to be a rocket scientist to support our work on global security! FAS is working on issues of global security, the environment, democratic governance and human rights. From our early days, 50 years ago, as the action arm of the original atomic scientists, to our present work on arms control, environmental protection, and government secrecy reform, FAS continues a commitment to informing the public debate on complex scientific and technical questions.
CIA - can't secure their network
The FreeS/WAN project aims to secure Internet traffic against wiretapping.
Pixel Plasticity
In the fraction of a second between video frames, any person or object moving in the foreground can be edited out, and objects that aren't there can be edited in and made to look real. Pictures from orbit may not necessarily be what the satellite's electronic camera actually recorded.
The Council for Responsible Genetics
The public must have access to clear and understandable information on technological innovations. The public must be able to participate in public and private decision-making concerning technological developments and their implementation. New technologies must meet social needs. Problems rooted in poverty, racism and other forms of inequality cannot be remedied by technology alone.
History of Computers: cryptology - CIPHER MACHINES
Tom Watson, chairman of IBM, said in 1943 "I think there is a world market for maybe five computers."
Richard F. Forno, Principal Consultant
Richard Forno is an internationally-recognized security professional whose career in information assurance centers around security program development and management, incident response operations, security awareness, and emerging trends analysis.
Reflections On Trusting Trust ...
- Aalbert Torsius
- Changes In July Ten
- Eric Herman
- Homoiconic Languages
- Image Based Language
- Reflections On Trusting Trust
- Trusting The Code
- Turing Award Lecture
Ken Thompson - wiki
* The Ken Thompson Hack
In 1984 Ken Thompson was presented with the ACM Turing Award. Ken's acceptance speech, Reflections On Trusting Trust (http://cm.bell-labs.com/who/ken/trust.html), describes a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.
Ken describes how he injected a virus into a compiler. Not only did his compiler know when it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus.
Ken wrote: "In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."
Ken does not mean bug in the sense of error, but in the sense of listening device. And it is "almost" impossible to detect because the Ken Thompson Hack easily propagates into the binaries of all the inspectors, debuggers, disassemblers, and dumpers a programmer would use to try to detect it, and defeats them. Unless you're coding in binary, or you're using tools compiled before the KTH was installed, you simply have no access to an uncompromised tool.
In fact, given the amenability of microcode to the KTH, not even then. All manner of controls and monitors could be secreted this way in the OSes of all the devices we all use day to day. It isn't very far-fetched to suggest that the hack, in software, can create an updatable backdoor. This way every piece of software on the planet can be KTH-bugged without any possibility of detection by any mortal engineer anywhere. Well, maybe with the diligent use of an electron microscope.
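A toy model of the two-stage backdoor described above, added here as an example; it is not Thompson's code (his was a C compiler) and nothing in it comes from the wiki page. A "program" is a Python source string, "compiling" is a source-to-source step whose output is exec'd, and the names CLEAN_COMPILER_SRC, LOGIN_SRC, TROJAN_TEMPLATE and the backdoor password "ken" are the example's own assumptions.

```python
"""Toy model of the two-stage Thompson backdoor.  Added example, not Thompson's
code.  A 'program' is Python source text and 'compiling' it is a source-to-source
step whose output we exec; that stands in for C source -> binary."""


def run(binary):
    """Load a compiled 'binary' and return the namespace it defines."""
    ns = {}
    exec(binary, ns)
    return ns


# Perfectly honest compiler source: output equals input.  No "ken" anywhere.
CLEAN_COMPILER_SRC = """\
def compile(src):
    return src
"""

# The program we want to subvert.
LOGIN_SRC = """\
def login(user, password):
    return user == "alice" and password == "s3cret"
"""

# The trojaned compiler is written as a quine: formatting the template with its
# own repr yields a source text that, when exec'd, rebuilds the same text.  That
# self-copy is stage 2; the login backdoor is stage 1.  (%% is a literal %.)
TROJAN_TEMPLATE = '''\
TROJAN_TEMPLATE = %r
TROJAN_SRC = TROJAN_TEMPLATE %% TROJAN_TEMPLATE
def compile(src):
    lines = src.splitlines()
    if any(l.startswith("def compile(") for l in lines):
        return TROJAN_SRC      # stage 2: compiling a compiler -> emit a copy of me
    out = []
    for line in lines:
        out.append(line)
        if line.startswith("def login("):
            out.append('    if password == "ken": return True')   # stage 1: backdoor
    return "\\n".join(out) + "\\n"
'''
TROJAN_SRC = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def demo():
    """Bootstrap the trojan once, then show it survives a rebuild from clean source."""
    trojaned = run(TROJAN_SRC)["compile"]            # the one-time poisoned binary

    rebuilt_binary = trojaned(CLEAN_COMPILER_SRC)    # rebuild compiler from CLEAN source
    rebuilt = run(rebuilt_binary)["compile"]

    login_binary = rebuilt(LOGIN_SRC)                # compile login with the rebuilt compiler
    login = run(login_binary)["login"]

    honest_login = run(run(CLEAN_COMPILER_SRC)["compile"](LOGIN_SRC))["login"]
    return {
        "rebuilt_compiler_is_trojaned": rebuilt_binary == TROJAN_SRC,
        "alice_still_logs_in": login("alice", "s3cret"),
        "backdoor_password_works": login("mallory", "ken"),
        "honest_build_has_no_backdoor": not honest_login("mallory", "ken"),
        "trace_in_any_source": "ken" in CLEAN_COMPILER_SRC or "ken" in LOGIN_SRC,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the wiki text makes is visible in the result dictionary: the compiler source you audit is clean, the login source you audit is clean, yet the login binary accepts "ken", and rebuilding the compiler from its clean source reproduces the trojan byte for byte. Only a compiler binary that predates the poisoning (here, exec'ing CLEAN_COMPILER_SRC directly) yields an honest build, which is what the "tools compiled before the KTH was installed" escape hatch means in practice.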
Given last week's horrifying revelations concerning the US government's TotalInformationAwareness of every US domestic phone call, it is difficult to imagine that the ThreeLetterAgency's KTH-hacked binaries are not omnipresent. I mean, can you really imagine AdmiralPoindexter would pass up an ability like this?
Reflections on Trusting Trust, Ken Thompson
Reprinted from Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. Copyright © 1984, Association for Computing Machinery, Inc. Also appears in ACM Turing Award Lectures: The First Twenty Years 1965-1985, Copyright © 1987 by the ACM Press, and Computers Under Attack: Intruders, Worms, and Viruses, Copyright © 1990 by the ACM Press.
Cyber Insurance for Mega Breaches
Emily Freeman, risk management cyber and professional liability specialist for the global technology and privacy practice at Lockton Companies, describes the "pre-Target" and "post-Target" state of the cyber market for major retailers from both the underwriting and the client side. "Most people are talking around the breach component of it. They may also be driven by regulatory compliance concerns." However, cyber espionage attacks remain a bit fuzzy for insurers, she says. "Cost to cover intellectual property [cyberattacks] are not a widely insurable thing yet." The cost of forensics, downtime, breach notification, credit monitoring services for customers, legal fees, and crisis management teams all factor into the insurance equation today. "They have to protect their brand reputation," and retailers look for insurers to help support that.
BitSight rolled out a security ratings service specifically for cyber insurers based on its Security Ratings Platform, which analyzes publicly available data from its global sensors that track security events and malware behavior daily for organizations, specifically looking for botnet communication, malware distribution, and email server configuration. The scoring model is akin to consumer credit ratings.