Showing posts with label legal. Show all posts

8.12.2007

Since Defcon...

Sorry for the complete lack of updates from me since Defcon. I've had plenty to write up, share, and rant about (as is my wont), but I'm in a somewhat tenuous circumstance regarding my blogging, so I figure better safe than sorry, and thus I'm keeping my comments to a minimum. Hopefully some of the other Minds will pick up the slack. We shall see.

7.04.2007

Closure to Disclosure

There's been a fair bit of discussion lately about the disclosure policies of various groups and people in information security. This isn't new, or really a surprise: disclosure is something that comes up every few months, at every conference, and at other random times based on the alignment of Jupiter and Tim's hairstyle. I plan on throwing my opinion on various topics out there, but first I felt it would be most appropriate to make Vulnerable Minds' disclosure policy a matter of record. I admit we borrowed heavily from the fine folks at Matasano Chargen, but after our own discussion, modification, and consideration we feel that this document represents the best way of handling vulnerabilities; for us, for vendors, and for the computing community as a whole.

3.19.2007

Torment causes Moore harm than good

In August 2006, H.D. Moore of the Metasploit project and Month of Browser Bugs presented an idea that is now stirring up a hornets' nest within the Internet. He proposes a “patch” to the Tor server software called Torment (Tor being everyone’s favorite traffic anonymity tool) that allows the traffic to be traced back to the user in an effort to combat "child pornography." This works by analyzing traffic as it passes through the Tor server and watching for keywords. If any keywords are found, the Torment software uses a Java applet to install software on the user’s machine, which then attempts to gather information about the user and phone home with it.

Let me be clear here. I expect nothing short of absolute and unabated outrage at the proposal, and further, the implementation of such an idea.

I’d like to stop child pornography and the many other electronically assisted evils that are banes to the digital age just as much as the next guy, but H.D. Moore’s proposition of Torment is flawed on so many levels that it should be dead long before arrival.

First and perhaps foremost, the entire point behind the creation of Tor was to reach nearer to the holy grail of completely anonymous Internet usage. The Tor project description clearly states this is necessary so that others cannot “track your behavior and interests” using traffic analysis. Tor might as well not exist if Torment is implemented.

Second, H.D. Moore certainly has a black-hat side – evidenced by his Metasploit roots, and more recently, the time he released a new zero-day every day for a month – however, Torment is being flaunted as a white-hat idea. H.D.’s goal is to “turn the tools over to law enforcement for their own use” to fight the aforementioned crimes. The thing he’s not mentioning is that Torment is no better than any other black-hat attack performed by any run-of-the-mill hacker. It sniffs the user’s traffic, injects code into their request, quietly installs software on their machine without their knowledge, gathers private data about them and their machine (external IP, internal IP, ISP, etc.), then sends this illegally obtained data back to the Tor server. This is no different than any other hack, and no different than breaking into a house. This is illegal, and an invasion of privacy.

Third, federal laws require ISPs (or anyone) who discover the flow of child pornography and similar crimes to report it; however, the ISP is not required to watch their traffic and look for it. This means that if the ISP just ignores all the traffic, they aren’t liable to report anything – saving themselves a great deal of time, effort, liability, and litigation. By installing Torment, traffic will be analyzed on the Tor servers (which qualify as ISPs), and findings will have to be reported. This is an entirely new level of responsibility for which many Tor server operators are not likely to be prepared.

This rant is becoming a bit lengthy, so I’ll just briefly mention a few other salient points. If Moore’s intention is to turn these tools over to law enforcement, does this mean that we can assume they will be in use and that law enforcement will be watching our traffic without our knowledge? Sounds like a wiretap without a warrant to me. Due to the likely inadmissibility in court of any evidence collected through these means, law enforcement may not even be interested in these tools, but by publicly releasing Torment, H.D. Moore will have just opened another black-hat door to anyone with the means to run/control a Tor server.

Through all this doom and gloom, there are some quick fixes to protect ourselves. From my understanding, if Javascript is not enabled in your browser (which Tor recommends anyway), then the applet will not function. Second, if you need Javascript (as many online activities do), this tool is looking for keywords. As with any signature-based detection, its accuracy depends entirely upon its dictionary, and if even minute changes are made to the traffic, it may not be a signature match any more. Keep these points in mind as you use Tor or any other anonymous communication protocol. The aptly named Torment may do exactly that to Internet users, so I’m glad that we at Vulnerable Minds have Subrosa in the works.
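To make the signature-brittleness point concrete, here is an added example that is not part of the original post and has nothing to do with Torment's actual code: a toy keyword matcher of the kind the post describes, run over a handful of constructed HTTP request lines. The keyword list and the request lines are placeholders I made up for the demonstration. A naive exact-match engine misses every trivially altered request; a normalizing engine recovers most of them, but still misses a keyword split across two requests, and its aggressive normalization is exactly what drives up false positives in a real deployment.

```python
"""
Added example (not from the original post, not Torment's code): a toy
keyword-signature matcher over constructed request lines, showing how
exact-match signatures fail on trivial changes to the traffic.
"""
import html
import re
import urllib.parse

# Constructed signature list; placeholder keywords, not any real dictionary.
SIGNATURES = ["secretproject"]

# Constructed sample request lines, one per evasion technique.
SAMPLE_REQUESTS = [
    "GET /search?q=secretproject HTTP/1.1",          # plain: the only naive hit
    "GET /search?q=SecretProject HTTP/1.1",          # case change
    "GET /search?q=secret%70roject HTTP/1.1",        # percent-encoded 'p'
    "GET /search?q=secret&#112;roject HTTP/1.1",     # HTML numeric entity 'p'
    "GET /search?q=s-e-c-r-e-t-project HTTP/1.1",    # separators inserted
    "GET /search?q=secret HTTP/1.1",                 # keyword split across
    "GET /search?q=project HTTP/1.1",                #   two requests
    "GET /images/logo.png HTTP/1.1",                 # benign traffic
]


def naive_match(line, signatures=SIGNATURES):
    """Exact substring match, as a first-cut signature engine would do."""
    return [s for s in signatures if s in line]


def normalize(line):
    """Undo the cheap transformations an evader reaches for first:
    (double) percent-decoding, HTML entity decoding, case folding, and
    removal of every non-alphanumeric separator. Note that the last step
    also fuses adjacent fields, which is where false positives come from."""
    text = line
    for _ in range(2):  # handle double-encoding such as %2570
        text = urllib.parse.unquote(text)
    text = html.unescape(text)
    text = text.lower()
    return re.sub(r"[^a-z0-9]", "", text)


def scan(lines, signatures=SIGNATURES):
    """Run both engines over every line and report the hits side by side."""
    return [
        {
            "line": line,
            "naive": naive_match(line, signatures),
            "normalized": naive_match(normalize(line), signatures),
        }
        for line in lines
    ]


def hit_counts(lines, signatures=SIGNATURES):
    """Return (lines flagged by the naive engine, lines flagged after
    normalization) so the gap between the two is a single pair of numbers."""
    results = scan(lines, signatures)
    naive_hits = sum(1 for r in results if r["naive"])
    normalized_hits = sum(1 for r in results if r["normalized"])
    return naive_hits, normalized_hits


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(f"{r['line']:<45} naive={bool(r['naive'])!s:<5} "
              f"normalized={bool(r['normalized'])}")
    print("hits (naive, normalized):", hit_counts(SAMPLE_REQUESTS))
```

The split-keyword case is the one to note: a per-request matcher cannot see it at all, and a matcher that buffers across requests per client has to decide how long to hold state, which is its own problem on a relay that is supposed to forget everything it sees.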

1.17.2007

Might wanna rethink that...

The Register today had an article saying:

"Brits planning a trip to the US will now have to surrender all 10 of their digits to the authorities for fingerprinting. The prints will then be added to the same FBI database which stores the prints of convicted criminals.

Trials are set to start at 10 airports in the UK this summer, according to a report in yesterday's Observer newspaper. But critics have warned the move will infringe people's civil rights and, worse still, lead to longer queues."

First of all, I don't know if anyone would notice the lines at the airport getting longer, considering how long they already are. Second, and more importantly, I think perhaps there are bigger problems here than just standing in line longer.

12.27.2006

I know him, even if no one else does now

Every so often something hits the Internet that rocks the foundation of a group. Not simply because it's something new, something innovative, something that changes the way you think, but because you also know the guy who did it. Now I've had friends who've made their impact on the net. I've even been involved myself a few times. I had a friend who beat up a mugger with an iPod Mini, leading to a whole slew of jokes on various Apple related blogs.

This takes the cake.

In an act of extreme interest in the betterment of mankind and in improving security for us all, an associate of mine, one Mr. Mark Lance, has shown a huge flaw in the policies and procedures of the NoVA DMV.

Video 1

Video 2
Now this demonstrates many things about the insecurity of our main system of identification in this country. I don't think I need to insult you, nor repeat the already well-spoken words of Mr. Bruce Schneier. But yeah, I know that guy. Crazy, isn't it?

11.24.2006

DMCA revisions go well with left over turkey...

Unlocked cellphones and legal security research, that is. I refrained from any Thanksgiving posts (not totally deliberately; partially because my iBook is somewhere in Texas right now getting repaired). Today though I couldn't help but express my gratitude to the US Copyright Office for two things.

First of all, it's been a ludicrous notion that unlocking a cellphone from a particular vendor should be illegal. Now I think that the DMCA is largely ridiculous, but I can see logic, though not necessarily merit, in keeping people from reverse engineering devices that took companies time and resources to create. I can see where that would seem sane to some. But to threaten people over using a device in a manner for which it was deliberately constructed, such as to work with multiple carriers, is just asking too much.

More important to me, and a fair bit closer to home for those in my line of work, is the newly set precedent allowing at least some leeway in the DMCA for reversing music formats with potential security holes:
The measure permits researchers to circumvent copyright protection measures - "...when circumvention is accomplished solely for the purpose of good faith testing, investigating, or correcting such security flaws or vulnerabilities."
*cough* Sony *cough*

It strikes me that this should just be the beginning. Security research such as this needs to be protected, but not just after a major company abuses user trust. It's a double-edged sword, I realize, protecting those searching for vulnerabilities. You could get burned protecting people who want to find 0-days, but you would also protect those searching for vulnerabilities in order to protect others. The best example of this is the Red Database group's two-year fight with Oracle over vulnerabilities that they found and attempted to get fixed. In my opinion they were the epitome of responsible disclosure, which is as much about knowing when to force a company's hand as when to give them time. There needs to be protection for groups such as this who are leveraging their potentially damaging knowledge in a way that's meant to protect those using the product, even when companies themselves can't be bothered. There is such a thing as responsible disclosure, and it deserves to be protected, both for the betterment of the software manufacturers and the users.

So thanks copyright office. I hope your turkey was extra tasty this year.