<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    <title>The Hacker Factor Blog</title>
    <link>http://www.hackerfactor.com/blog/</link>
    <description>Tools, Techniques, and Tangents</description>
    <dc:language>en</dc:language>

<item>
    <title>Backups and Tears</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/394-Backups-and-Tears.html</link>
            <category>Security</category>
            <category>[Other]</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/394-Backups-and-Tears.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=394</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=394</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    Earlier this week, I attended a presentation by Jochen Wolters titled &quot;Back Up Your Data or Get Ready for Tears&quot; (&lt;a href=&quot;http://polytropia.com/downloads/backups.pdf&quot;&gt;pdf&lt;/a&gt;). Usually the tech talks that I attend are extremely technical and aimed toward hard-core programmers and power-users. However, this talk was for generic users and not programmers. (I think I was one of three programmers there, including the speaker.) As such, Wolters gave an awesome presentation that cut out the technical details and told the audience what they really needed to know.&lt;br /&gt;
&lt;br /&gt;
My own backup needs are an extreme case. I use RAIDs, auto-sync and auto-backup directories, and multiple media devices, as well as off-site storage. However, the typical computer user (mom and dad) doesn&#039;t need five-nines uptime (up 99.999% of the time).&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Back to Basics&lt;/H3&gt;&lt;br /&gt;
There are really just a few things that the typical person needs when it comes to computer backups:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;b&gt;Backups&lt;/b&gt;. Kind of a &quot;duh&quot; thing, but if you don&#039;t have any backups then you will eventually lose data. Whether the loss is from a hard drive crash, a power spike that fries your computer, or your cat deciding to lie on the delete key, data loss will eventually happen. The data you will lose may include your tax forms, family photos, your list of passwords for all of your online services, and more. For damaged drives, data recovery services are very expensive ($2000-$3000 per hard drive, and that assumes that they can recover the data). According to Wolters, some data recovery services even offer 24-hour suicide prevention hotlines. (People can get very emotional when all of their family photos are deleted.)&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Automated Backups&lt;/b&gt;. Your backups should be automated. If you are doing them by hand, then you are probably not doing them regularly or often enough. Backups should be automated.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Verified Backups&lt;/b&gt;. How do you know that your backups are working? If you have never tried to recover a file, then try it now! You don&#039;t want to be learning how to restore data after a crash. Instead, you want to be familiar with the backup software and know how to recover the system before you need to use the skill. (Think of it like defensive driving. You don&#039;t want to learn how to drive on ice during your first ice storm.)&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Offsite Backups&lt;/b&gt;. Be sure to have at least one backup kept off site. And &quot;off site&quot; does not mean in your attic, basement, or other room in your house. If your house burns down, you want your data safely stored outside the building. Consider storing a backup hard drive in a bank vault -- it will cost much less than a data recovery service.&lt;br /&gt;
&lt;br /&gt;
A good off-site location is any place where you already have access. This may be your parents&#039; house, the office, or a friend&#039;s apartment. (My pilot friend uses his airplane hangar.) But keep in mind: if you don&#039;t have free access to your friend&#039;s house, then you may have to wait before retrieving your backup. (E.g., if he is on vacation for 2 weeks and you are locked out, that means 2 weeks without access to the backup.)&lt;/ul&gt;&lt;br /&gt;
&lt;H3&gt;Types of Backups&lt;/H3&gt;&lt;br /&gt;
At bare minimum, you really need one type of backup: a full disk copy. This is a full copy of the bootable system. This way, if/when your hard drive or computer dies, you can just slip the backup drive into a working computer and be up and running. And since it is a full copy, you know that every application you need will be fully functional.&lt;br /&gt;
&lt;br /&gt;
The second type of backup is an incremental backup. It just stores the files that have changed since the last backup. Depending on your needs, you may want a history of incremental backups. This way, you can recover a file as it existed a few weeks ago. If you only keep the most recent copy, then you may lose intermediate changes.&lt;br /&gt;
&lt;br /&gt;
For my own extreme needs, I use external hard drives and only perform full backups. However, I have a bunch of these drives and I cycle through them. I can go back a month without a problem. For critical short-term data, I use system redundancy -- copying files between computers and storing iterative backups as needed. (For source code, I use &lt;a href=&quot;http://subversion.tigris.org/&quot;&gt;Subversion&lt;/a&gt; for tracking changes. The full backup includes the entire subversion repository and history.)&lt;br /&gt;
&lt;br /&gt;
Of course, some of the work that I do cannot be stored on backups. For example, third-party forensic data usually includes the stipulation to not keep additional copies. In this case, the data that I have is not the original data (I work from copies) and I have specific systems that are not backed up. But that&#039;s an extreme case and not typical for regular users.&lt;br /&gt;
&lt;br /&gt;
For critical data that seldom changes (e.g., tax records for the previous years), I burn them to DVD. I usually burn two copies, just in case one gets scratched. Although DVDs usually have a shelf life of only 7-10 years, that&#039;s perfect for taxes. (Although it varies by accountant, you are usually advised to not keep tax records longer than 10 years anyway.)&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Frequency of Backups&lt;/H3&gt;&lt;br /&gt;
Most people view backups as a bother. They won&#039;t take it seriously until after they lose a lot of data. My own extreme backup solution only came about after some bad experiences. For example, I had a critical hard drive die 10 years ago. Since then, I keep frequent full backups. Later, I lost some source code between backups. Now I use a source code control system and multiple-system synchronization with backup checkpoints.&lt;br /&gt;
&lt;br /&gt;
There are really two factors to consider for your backup solution: (1) how much data can you afford to lose, and (2) how long do you want to be offline? For my own needs, I can lose up to 4 hours of work and it will take me up to an hour to recover. In the worst case, it will take me 24 hours to repair or replace whatever broke, but I will still be up and running while I wait for the repairs to complete.&lt;br /&gt;
&lt;br /&gt;
Typical user needs are nowhere near as extreme. Your backup starts automatically around 1:00am and a full backup can be done by morning. Recovering from the backup may take just as long -- unless you use a bootable backup. If you do one backup a week, then you can lose as much as a week&#039;s worth of data. It&#039;ll hurt, but it won&#039;t be too bad.&lt;br /&gt;
&lt;br /&gt;
Setting up the backup usually just requires two external USB hard drives (one for home and one for the off-site location -- and you swap them periodically) and some backup software. Many USB drives come with backup software, but I usually don&#039;t recommend using it. For Apple users, &lt;a href=&quot;http://www.apple.com/macosx/what-is-macosx/time-machine.html&quot;&gt;Time Machine&lt;/a&gt; is awesome software. For Windows users, your operating system comes with a backup system and a scheduler for automating it. (Right click on the drive icon. Backups are somewhere in the little menu.) For Linux/Unix users, &#039;rsync -auvf&#039; is your friend.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Typical Needs&lt;/H3&gt;&lt;br /&gt;
The audience at this presentation consisted of regular people. One guy was a carpenter. One woman was a writer. Another was a professional lecturer. Mostly small-office/home-office companies, and most did not have backup solutions. The few people who thought they had backups running were not sure what software they used, whether it was full or incremental, or even where the backed up data resided. If you don&#039;t have backups, you&#039;re not alone. Now is the right time to set up a backup solution that fits your needs. 
    </content:encoded>

    <pubDate>Fri, 27 Aug 2010 21:37:40 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/394-guid.html</guid>
    
</item>
<item>
    <title>Caller ID</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/393-Caller-ID.html</link>
            <category>Forensics</category>
            <category>Image Analysis</category>
            <category>Privacy</category>
            <category>Programming</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/393-Caller-ID.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=393</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=393</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    Over the last week, a bunch of friends have forwarded to me stories about the risks of GPS information embedded in pictures. For example, &lt;i&gt;MythBuster&lt;/i&gt; Adam Savage apparently &lt;a href=&quot;http://finance.yahoo.com/news/Web-Photos-That-Reveal-nytimes-2375510549.html?x=0&amp;.v=1&quot;&gt;took a picture of his car at his home&lt;/a&gt; and forgot to disable the GPS information. Rabid fans quickly identified where Adam lived. Granted, I doubt most celebrities have secret homes, but the fact is: pictures tell much more about you than just the photo&#039;s content.&lt;br /&gt;
&lt;br /&gt;
The GPS data in JPEGs is nothing new. It was part of JPEG&#039;s &lt;a href=&quot;http://www.exif.org/Exif2-1.PDF&quot;&gt;EXIF 2.1 Standard&lt;/a&gt; back in 1998. (And that may not be the earliest version...) However, it wasn&#039;t until the last few years that cameras, cell phones, and other portable devices began to incorporate GPS technologies. Today, it is hard to find a cell phone without a camera, and many of them include GPS as a feature.&lt;br /&gt;
&lt;br /&gt;
While GPS information embedded in a picture may tell people where you were, Facebook has decided to use your GPS for telling people where you &lt;i&gt;are&lt;/i&gt;. Called &lt;a href=&quot;http://www.facebook.com/places/&quot;&gt;Facebook Places&lt;/a&gt;, they will broadcast your GPS location to all of your Facebook friends. While they do have options for &lt;a href=&quot;http://blog.facebook.com/blog.php?post=418175202130&quot;&gt;limiting distribution&lt;/a&gt;, Facebook is well-known for abruptly changing policies.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;iPhone, iPad, iTouch, iMac, iSpy&lt;/H3&gt;&lt;br /&gt;
Today&#039;s ever-smarter portable devices are not designed for privacy-oriented people. While the embedding and publishing of GPS information may be an overt example, there are many other cases of your device leaking information about you.&lt;br /&gt;
&lt;br /&gt;
I&#039;ve been collecting photos from various hand-held devices. I use them to populate a photo ballistics database. My friend, Bum, recently purchased an iPad. He sent me a screenshot from the device. (His iPad doesn&#039;t have a camera.) While the picture&#039;s ballistics weren&#039;t very interesting, the email header was!&lt;br /&gt;
&lt;blockquote&gt;From: Bum &amp;lt;b...@...com&amp;gt;&lt;br /&gt;
To: Neal Krawetz &amp;lt;n...@...com&amp;gt;&lt;br /&gt;
Content-Type: multipart/mixed; boundary=Apple-Mail-1-186804698&lt;br /&gt;
Content-Transfer-Encoding: 7bit&lt;br /&gt;
Mime-Version: 1.0 (iPad Mail 7B405)&lt;br /&gt;
Subject: You wanted a photo?&lt;br /&gt;
Date: Sun, 8 Aug 2010 10:39:58 -0700&lt;br /&gt;
X-Mailer: iPad Mail (7B405)&lt;/blockquote&gt;&lt;br /&gt;
The first thing to notice is the X-Mailer header. It identifies the device (iPad), application (Mail), and version (7B405). This isn&#039;t too exciting since most MUAs (mail user agents) include this type of information. However, it was the content boundary that got my attention: Apple-Mail-1-186804698.&lt;br /&gt;
&lt;br /&gt;
I dug through my email archives and found a bunch of other examples:&lt;br /&gt;
&lt;blockquote&gt;Apple-Mail-11-1034880980&lt;br /&gt;
Apple-Mail-2--961132422&lt;br /&gt;
Apple-Mail-1--77112522&lt;br /&gt;
Apple-Mail-1-186804698&lt;br /&gt;
Apple-Mail-4--29131759&lt;br /&gt;
Apple-Mail-5--10882313&lt;br /&gt;
Apple-Mail-15-908210705&lt;br /&gt;
Apple-Mail-4-1054791469&lt;/blockquote&gt;&lt;br /&gt;
With a little help from the &lt;a href=&quot;http://dc3.mil/&quot;&gt;DC3&lt;/a&gt;, I finally understand what these non-random numbers describe. The big number is actually the most uninteresting value. It is the time in milliseconds stored in a signed 32-bit register. (Negative numbers have the double hyphens.) Since it is a 32-bit register, the value rolls over about every 24.86 days. However, the zero date isn&#039;t the Unix epoch (00:00:00 on 1970-01-01). Instead, if you assume the timestamp represents today&#039;s date (from the email Date header) and repeatedly subtract 2&lt;sup&gt;31&lt;/sup&gt; milliseconds until you reach the Unix epoch, then you&#039;ll notice that it is off... The value closest to the epoch (without going under) is 128397792ms, or Jan 2 11:39:57 1970. (You might see it vary by a second, 11:39:58, if the clock happened to roll over between generating the Date and content boundary.) I&#039;m not sure why Apple chose this date, but it is consistent. The Mail program on the iPhone, iPad, iTouch, and Mac OS X all use the same date.&lt;br /&gt;
&lt;br /&gt;
From a forensics viewpoint, this is useful. This is a quick way to identify forged emails that claim to be from Macs. (I actually had a use for this last week!)&lt;br /&gt;
&lt;br /&gt;
The more interesting number is the smaller value. It took me a while to identify the purpose. That is the number of attachments sent by the mailer (Apple Mail) since the program was started. If you see &quot;-1-&quot; then it means that you received the first attachment that they sent since they started the program. The &quot;-15-&quot; means that person had started Apple Mail and sent 14 attachments before sending one to me. (&lt;a href=&quot;http://www.winnschwartau.com/&quot;&gt;Winn Schwartau&lt;/a&gt; sent me an email that had &quot;-245-&quot;!)&lt;br /&gt;
&lt;br /&gt;
This is very useful, particularly if you receive multiple emails from the person over a short duration. For example, Bum always sends me emails with &quot;-1-&quot;. This means he closes the Mail program frequently. (Makes sense for an iPad that &lt;a href=&quot;http://www.tipb.com/2010/01/27/ipad-multitasking-notifications-tv-subscriptions-camera-tethering-textbooks/&quot;&gt;can&#039;t multitask&lt;/a&gt;.) I also received emails from a friend, M., who clearly loves attachments -- in 30 minutes he went from &quot;--12--&quot; to &quot;--28--&quot;.&lt;br /&gt;
&lt;br /&gt;
From a forensics viewpoint, this is awesome. Let&#039;s say the person has a couple of different Apple computers. I should be able to look over his computer and see how many attachments he sent on each system and match the count to the emails. Even if you delete a specific email, I can still determine how many attachments were included in the deletion.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Android Spies&lt;/H3&gt;&lt;br /&gt;
The information leakage is not limited to Apple products. At Defcon, my friend Factor sent me a sample picture from his Android phone. The problem is, it crashed my analysis tool!&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TFy3D5apCzI/AAAAAAAABmo/VOQevxLeRh0/s400/2010-08-04%2010.13.14.jpg&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
The problem was a poorly formed JPEG. Specifically, every JPEG should begin with 0xffd8, contain a stream that starts with 0xffda, and end with 0xffd9. Between the 0xffd8 and 0xffda are various other settings, including APP records (0xffe0 to 0xffef for APP0 to APP15). In his case, his Android was storing additional APP records &lt;i&gt;after&lt;/i&gt; the end of stream (0xffd9).&lt;br /&gt;
&lt;br /&gt;
I added a check for this situation (so my code no longer crashes). However, these APP5 records (0xffe5) turned out to be really interesting. They only appear in one type of Android phone: the Motorola Android. I have observed these fields from photos taken with:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Motorola, Droid, 2.0.1&lt;br /&gt;
&lt;li&gt;Motorola, Droid, 2.1-update1&lt;br /&gt;
&lt;li&gt;Motorola, Droid, 2.2&lt;br /&gt;
&lt;li&gt;Motorola, DROIDX, 2.1-update1&lt;br /&gt;
&lt;li&gt;Motorola, DROID2, 2.2&lt;br /&gt;
&lt;li&gt;Motorola, Milestone, 2.1-update1&lt;/ul&gt;&lt;br /&gt;
They probably appear in other phones as well. However, I have not seen them with any other type of Android phone.&lt;br /&gt;
&lt;br /&gt;
These extra APP fields look like:&lt;br /&gt;
&lt;blockquote&gt;tag=&#039;0xffe5&#039; length=&#039;32&#039; field=&#039;APP5&#039; value=&#039;HPQ-MetaData&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;168&#039; field=&#039;APP5&#039; value=&#039;HPQ-HostIntf&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;2400&#039; field=&#039;APP5&#039; value=&#039;HPQ-AutoExpo&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;1856&#039; field=&#039;APP5&#039; value=&#039;HPQ-LensInfo&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;4112&#039; field=&#039;APP5&#039; value=&#039;HPQ-AutoFoS1&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;4104&#039; field=&#039;APP5&#039; value=&#039;HPQ-AutoFoLV&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;6140&#039; field=&#039;APP5&#039; value=&#039;HPQ-WhiteBal&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;1660&#039; field=&#039;APP5&#039; value=&#039;HPQ-PPR&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;1164&#039; field=&#039;APP5&#039; value=&#039;HPQ-Capture&#039; &lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;142&#039; field=&#039;APP5&#039; value=&#039;HPQ-Pipe2Mdd&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;1692&#039; field=&#039;APP5&#039; value=&#039;HPQ-Flicker_&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;44&#039; field=&#039;APP5&#039; value=&#039;HPQ-SensorMD&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;22&#039; field=&#039;APP5&#039; value=&#039;HPQ-ImgGener&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;20&#039; field=&#039;APP5&#039; value=&#039;HPQ-DigiZoom&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;84&#039; field=&#039;APP5&#039; value=&#039;HPQ-MotionMd&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;32&#039; field=&#039;APP5&#039; value=&#039;HPQ-CalsMfg &#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;65016&#039; field=&#039;APP5&#039; value=&#039;HPQ-CalsSec1&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;10016&#039; field=&#039;APP5&#039; value=&#039;HPQ-CalsSec2&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;8568&#039; field=&#039;APP5&#039; value=&#039;HPQ-LRGEBUFF&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;24&#039; field=&#039;APP5&#039; value=&#039;HPQ-MetaHint&#039;&lt;br /&gt;
tag=&#039;0xffe5&#039; length=&#039;12&#039; field=&#039;APP5&#039; length=&#039;12&#039; value=&#039;pad pad pad &#039;&lt;/blockquote&gt;&lt;br /&gt;
That&#039;s right, every picture has over 95K of additional APP5 data after the picture! That is as much as 8% of the file size!&lt;br /&gt;
&lt;br /&gt;
So far, I can only decode one of the fields: HPQ-Capture. This has 3-5 records (depending on the version) and the records identify your phone. Here&#039;s an example of a decoded block from a Motorola, Droid, 2.2:&lt;br /&gt;
&lt;blockquote&gt;field=&#039;Build Version&#039; value=&#039;4719:5353&#039; &lt;br /&gt;
field=&#039;Build Date&#039; value=&#039;2010-06-14 15:15:45&#039; &lt;br /&gt;
field=&#039;Builder Email&#039; value=&#039;kraigp@itlbuild.fc.hp.com&#039; &lt;br /&gt;
field=&#039;Build Name&#039; value=&#039;SholesMR2_RC9&#039; &lt;br /&gt;
field=&#039;Kernel Release&#039; value=&#039;2.6.32.9-g103d848&#039; &lt;br /&gt;
field=&#039;Kernel Version&#039; value=&#039;#1 PREEMPT Wed May 26 18:02:03 PDT 2010&#039;&lt;/blockquote&gt;&lt;br /&gt;
The kernel information is the same as running &quot;uname -r&quot; and &quot;uname -v&quot; from a command prompt. The Build Version looks like an SVN string, but it could be some other source code revision system.&lt;br /&gt;
&lt;br /&gt;
I sent an email to &quot;kraigp&quot; asking for more information about these undocumented fields, but got a bounced email:&lt;br /&gt;
&lt;blockquote&gt;      This is an automatically generated Delivery Status Notification.      &lt;br /&gt;
&lt;br /&gt;
Delivery to the following recipients was aborted after 34 second(s):&lt;br /&gt;
&lt;br /&gt;
  * kraigp@itlbuild.fc.hp.com&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Different Android versions include different information. For example, the Motorola DROIDX 2.1-update1 says:&lt;br /&gt;
&lt;blockquote&gt;field=&#039;Build Version&#039; value=&#039;5476&#039;&lt;br /&gt;
field=&#039;Build Date&#039; value=&#039;2010-06-24 16:02:09&#039;&lt;br /&gt;
field=&#039;Builder Email&#039; value=&#039;tanvir@tanvir-lnxdev&#039;&lt;br /&gt;
field=&#039;Build Name&#039; value=&#039;Shadow_RC7&#039;&lt;br /&gt;
field=&#039;Kernel Release&#039; value=&#039;2.6.29&#039;&lt;br /&gt;
field=&#039;Kernel Version&#039; value=&#039;#1 PREEMPT Thu Jul 1 18:18:04 CDT 2010&#039;&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
All of these HPQ fields appear to be part of the HPAndroidHAL driver. Since only Motorola seems to use this driver, only Motorola photos get tagged. (If I&#039;m wrong here, I hope someone will tell me. I&#039;ll be sure to make corrections.) It kind of makes sense that Hewlett-Packard would embed their stock symbol (HPQ) in the APP field...&lt;br /&gt;
&lt;br /&gt;
Most of the HPQ records have fixed lengths. Some values don&#039;t change regardless of camera version. Some change between versions but not between cameras, some change with each photo (e.g., White balance and focus), and some seem to change between specific cameras. It is these last fields that seem interesting. Not only can I tell what camera took the picture, but I can tell you if two photos were taken by the exact same camera. Unfortunately, I don&#039;t know the meaning of these fields since the &quot;changes between cameras&quot; could be coincidental based on my minimal sample size.&lt;br /&gt;
&lt;br /&gt;
The only variable-sized field seems to be the HPQ-LRGEBUFF record. It looks like some kind of fractional memory dump. (I really suspect debugging code that was not disabled before release.)&lt;br /&gt;
&lt;br /&gt;
If you have an Android phone and want to know if your pictures have the HPQ tags, then try this:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Take a photo. (Let&#039;s call it photo.jpg.)&lt;br /&gt;
&lt;li&gt;strings photo.jpg | grep HPQ-&lt;/ol&gt;If you don&#039;t see anything, then your pictures are clean. If you see HPQ strings, then your photos are tagged. Use &#039;hexedit photo.jpg&#039; and search for &quot;HPQ-&quot;. This will show you all of the HPQ records.&lt;br /&gt;
&lt;br /&gt;
In any case, until we learn what &quot;HPQ&quot; is embedding in each photo taken by a Motorola Android, I&#039;m going to stay on the paranoid side. If you happen to know how to decode the other fields, please let me know!&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;The End?&lt;/H3&gt;&lt;br /&gt;
Smarter devices do not mean smarter users or smarter programmers. Unless you know how to disable every undesirable feature (and remember to disable it), you are probably going to leak information. While online anonymity isn&#039;t dead, it is getting harder and harder to protect our privacy. 
    </content:encoded>

    <pubDate>Thu, 19 Aug 2010 22:25:05 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/393-guid.html</guid>
    
</item>
<item>
    <title>Made In China</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/392-Made-In-China.html</link>
            <category>Financial</category>
            <category>Forensics</category>
            <category>Network</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/392-Made-In-China.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=392</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=392</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    According to news reports, China is now the world&#039;s &lt;a href=&quot;http://www.csmonitor.com/Commentary/the-monitors-view/2010/0816/China-becomes-world-s-second-largest-economy-but-it-s-far-from-being-a-leader&quot;&gt;second largest economy&lt;/a&gt;. However, I still equate their exports with cheap plastic, consumables (the opposite of durable goods), and low quality network exploits.&lt;br /&gt;
&lt;br /&gt;
That&#039;s right: low quality network exploits. I mean, seriously, if the domain is hosted in China and is not a &quot;.gov.cn&quot; domain, then it is likely a scam site -- spam, phishing, malware, or cheap knockoffs. Sure, there are a few legitimate .cn domains that are not &quot;.gov.cn&quot;. For example, www.google.cn, baidu.cn, and kaixin001.com come to mind. However, legitimate sites are the extreme minority. In contrast, I can immediately name hundreds of non-Chinese .com, .us, and even .ru sites that are legitimate (even if I don&#039;t include &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/233-Goodbye-PayPal.html&quot;&gt;PayPal&lt;/a&gt; in the list).&lt;br /&gt;
&lt;br /&gt;
Then again, maybe I just have a biased viewpoint. Having spent decades tracking spam, scams, phishers, and the like -- and constantly seeing China in the loop -- I cannot help but have this bias.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Network Attacks&lt;/H3&gt;&lt;br /&gt;
My web site, like most other web sites, is constantly under attack. Most of the time, the attacks are blind scans. The attacker tries an exploit without first checking if the site is vulnerable. If the attack fails, they move on. If the exploit succeeds, then the automated attacker will quickly compromise the server.&lt;br /&gt;
&lt;br /&gt;
Most attacks use one or two queries. For example, I&#039;ll see in my logs a query for &quot;/login.php&quot; and then a second query for the same non-existing file. However, if the attacker comes from China, then I can see 40 or more of the same query coming from an entire subnet of hostile systems. I consider this to be a &lt;i&gt;stoopid&lt;/i&gt; attacker: if it didn&#039;t work 39 times, then the 40th time probably won&#039;t work either.&lt;br /&gt;
&lt;br /&gt;
What likely happened is that some kiddie has a subnet of attack bots and told all of the bots to attack one URL rather than having them each attack different sites. Stupid attack x 40 = very stupid attacker.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Directed Attacks&lt;/H3&gt;&lt;br /&gt;
I&#039;ve had a couple of groups try to hack my web site for the purpose of stealing my image analysis source code. I know this, because they did blind guesses for things like &quot;sourcecode.zip&quot; and &quot;imagesrc.tar.gz&quot;. For the record: I do not keep my source code on this web site. Never have, never will.&lt;br /&gt;
&lt;br /&gt;
Most of these attacks came from China, and I strongly suspect the Chinese government. The attacks began last November, a few months before China was &lt;a href=&quot;http://www.businessinsider.com/did-the-chinese-government-hack-google-2010-1&quot;&gt;accused of hacking Google&lt;/a&gt;. At one point, I uploaded a zip file of hard-core Chinese porn and used a regular expression to match their query and feed them the file. Suffice to say, they stopped their attack for a few months.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;The Latest Sad Attempt&lt;/H3&gt;&lt;br /&gt;
I recently had a comment posted to my blog that was so unbelievably obvious as to make me wonder: How much of an idiot do they think I am???&lt;br /&gt;
&lt;blockquote&gt;In reference to: &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/317-Backhanded-Apology.html&quot;&gt;http://www.hackerfactor.com/blog/index.php?/archives/317-Backhanded-Apology.html&lt;/a&gt;&lt;br /&gt;
User IP-address: 205.209.142.173&lt;br /&gt;
User Name: louis vuitton&lt;br /&gt;
User Email: chenchen21621@hotmail.com&lt;br /&gt;
User Homepage: www. louis vuitton handbags. org &lt;font color=&#039;red&#039;&gt;&lt;b&gt;WARNING: Do Not Visit!&lt;/b&gt; Possibly hosts malware. Spaces added to deter people from clicking on it.&lt;/font&gt;&lt;br /&gt;
&lt;br /&gt;
Comments: &lt;br /&gt;
Thanks for your posting; I really appreciate your ideas. Hope you can keep going.&lt;br /&gt;
        This is a really great website, and I really like your essay. Thanks for your sharing.&lt;/blockquote&gt;&lt;br /&gt;
So let&#039;s count everything that is wrong:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;While I have had some big names write into my blog, I kinda think that Louis Vuitton would know how to capitalize his own name.&lt;br /&gt;
&lt;li&gt;I doubt that Louis would use an email address of &quot;chenchen21621@hotmail.com&quot;.&lt;br /&gt;
&lt;li&gt;The IP address traces to Fremont, California.&lt;/ol&gt;&lt;br /&gt;
However, it is the claimed homepage that is the true joke. For example, all over the web site they spell the name &quot;Louis vuitton&quot; (forgot to capitalize the surname). The domain for the real &quot;louisvuitton.com&quot; site is registered to &quot;Louis Vuitton Malletier&quot; in Paris, France. But this faker&#039;s domain name is registered to some guy in China:&lt;br /&gt;
&lt;blockquote&gt;louisvuittonhandbags.org has address 63.223.106.237&lt;br /&gt;
Domain ID:D159724340-LROR&lt;br /&gt;
Domain Name:LOUISVUITTONHANDBAGS.ORG&lt;br /&gt;
Created On:23-Jul-2010 09:43:49 UTC&lt;br /&gt;
Last Updated On:23-Jul-2010 09:43:53 UTC&lt;br /&gt;
Expiration Date:23-Jul-2012 09:43:49 UTC&lt;br /&gt;
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)&lt;br /&gt;
Status:CLIENT TRANSFER PROHIBITED&lt;br /&gt;
Status:TRANSFER PROHIBITED&lt;br /&gt;
Registrant ID:orgfl79878227718&lt;br /&gt;
Registrant Name:fang li&lt;br /&gt;
Registrant Organization:bai shen ke ji&lt;br /&gt;
Registrant Street1:wenshanzhuangzuzizhiqu&lt;br /&gt;
Registrant City:wenshanzhou&lt;br /&gt;
Registrant State/Province:Yunnan&lt;br /&gt;
Registrant Postal Code:663000&lt;br /&gt;
Registrant Country:CN&lt;br /&gt;
Registrant Phone:+86.8762654874&lt;br /&gt;
Registrant FAX:+86.8762654874&lt;br /&gt;
Registrant Email:zhucepo9@163.com&lt;br /&gt;
Admin ID:orgfl79878228061&lt;br /&gt;
Admin Name:fang li&lt;br /&gt;
Admin Organization:fang li&lt;br /&gt;
Admin Street1:wenshanzhuangzuzizhiqu&lt;br /&gt;
Admin City:wenshanzhou&lt;br /&gt;
Admin State/Province:Yunnan&lt;br /&gt;
Admin Postal Code:663000&lt;br /&gt;
Admin Country:CN&lt;br /&gt;
Admin Phone:+86.8762654874&lt;br /&gt;
Admin FAX:+86.8762654874&lt;br /&gt;
Admin Email:zhucepo9@163.com&lt;br /&gt;
Tech ID:orgfl79878228397&lt;br /&gt;
Tech Name:fang li&lt;br /&gt;
Tech Organization:fang li&lt;br /&gt;
Tech Street1:wenshanzhuangzuzizhiqu&lt;br /&gt;
Tech City:wenshanzhou&lt;br /&gt;
Tech State/Province:Yunnan&lt;br /&gt;
Tech Postal Code:663000&lt;br /&gt;
Tech Country:CN&lt;br /&gt;
Tech Phone:+86.8762654874&lt;br /&gt;
Tech Phone Ext.:&lt;br /&gt;
Tech FAX:+86.8762654874&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
The web site itself appears to be a functional shopping site, but it is certainly a scam. They say the site was established in 2007, but the copyright says 2008 and the DNS registration says... last month! (Created On:23-Jul-2010 09:43:49 UTC)&lt;br /&gt;
&lt;br /&gt;
Going through their check-out process is equally fun. The only shipping option is &quot;USPS&quot; (United States Postal Service), and the system seems to hang before transferring you to some third-party web site (that I&#039;ve never heard of) for handling credit card payments. Unfortunately, the link failed... probably because I use the NoScript plugin and it identified a possible XSS attack.&lt;br /&gt;
&lt;br /&gt;
Even more offensive... Why would a site called &quot;Louis Vuitton Handbags&quot; carry items from competing designers like Gucci, Burberry, Coach, and Prada? And why would Vuitton offer fashion items that are a few years out of style? (This is a fashion faux pas that is criminal!) The IP address used by this site also &lt;a href=&quot;http://www.robtex.com/ip/63.223.106.237.html&quot;&gt;hosts&lt;/a&gt; luxurybags-mall.com, salestiffany.com, saletiffanyjewellery.com, and shoptiffanyjewellery.com.&lt;br /&gt;
&lt;br /&gt;
This site is a scam. Most likely, they will take your credit card information (if they ever fix their link) and go for identity theft. I wouldn&#039;t rule out &lt;a href=&quot;http://www.robtex.com/dns/cdncenter.com.html&quot;&gt;malware&lt;/a&gt;. At best, they might actually sell you a cheap, &lt;a href=&quot;http://www.businessweek.com/innovate/content/dec2009/id2009127_845611.htm&quot;&gt;counterfeit knockoff&lt;/a&gt; made by some kid in a sweatshop. 
    </content:encoded>

    <pubDate>Mon, 16 Aug 2010 18:55:21 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/392-guid.html</guid>
    
</item>
<item>
    <title>Flash Memory</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/391-Flash-Memory.html</link>
            <category>Forensics</category>
            <category>Image Analysis</category>
            <category>Mass Media</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/391-Flash-Memory.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=391</wfw:comment>

    <slash:comments>4</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=391</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    A little over a month ago I had the need to analyze some images stored in Flash (SWF) files. While there are programs that can extract images from SWF files, they don&#039;t necessarily extract the full image. Specifically, most applications drop alpha-channel information.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;SWF Format&lt;/H3&gt;&lt;br /&gt;
As far as parsing the file format goes, SWF is almost as easy to parse as PNG. The basic &lt;a href=&quot;http://www.adobe.com/devnet/swf/pdf/swf_file_format_spec_v10.pdf&quot;&gt;format&lt;/a&gt; has a simple header that is followed by a tag-length-data structure. The first two bytes of each tag identify the tag type and the amount of data. Ten bits are assigned to the tag type and six bits are assigned to the data length. If the data length is 0x3f (the maximum value), then 4 more bytes follow that contain the full size. SWF files are very consistent -- even if you don&#039;t know what a particular tag value means, you can still parse the entire file.&lt;br /&gt;
&lt;br /&gt;
There are actually two types of Flash files. They are identified by the first 3 bytes. If it says &quot;SWF&quot; then it is a regular Flash file. &quot;CWF&quot; identifies a compressed Flash file -- everything after the header is zlib compressed. After decompression, you can parse it as a regular &quot;SWF&quot; file.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Image Formats&lt;/H3&gt;&lt;br /&gt;
Images can be stored in a couple of different ways within the SWF.&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Split JPEGs. Tags 6 and 8 combine to form a regular JPEG. The idea here is that many JPEGs have identical headers, quantization tables, and Huffman tables. Rather than storing them multiple times, the common parts are stored in tag 8 and the unique data streams are stored in tag 6. In reality, you&#039;ll need to play with the first few bytes of the tag 6 data and last few bytes of tag 8 for them to combine correctly. Some SWF-generating programs will end tag 8 with 0xffd9 and begin tag 6 with 0xffd8 -- the JPEG start and end markers -- so you&#039;ll need to make sure there are no start/end markers in the place where both SWF tags combine.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Tags 20 and 36 define lossless bitmaps. The difference is that tag 36 includes an alpha channel, while tag 20 does not.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Tags 21, 35, and 90 define images. Usually these are JPEG, but they can also be PNG or GIF. If the image is a JPEG, then tags 35 and 90 also contain alpha channel information. This is how SWF can use a JPEG with a transparency layer.&lt;/ul&gt;&lt;br /&gt;
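As an added editorial example (not code from the post or from swftools), here is a Python walker that reads both forms of the file, steps through the tag stream using the 10-bit/6-bit header rule with the 0x3f long form, and inventories every image-defining tag, reporting whether any PlaceObject ever displays it, which is how unused images turn up. It uses the spec&#039;s signature bytes as they appear on disk, &quot;FWS&quot; and &quot;CWS&quot;, and parses a small movie that is constructed inline rather than a real SWF.&lt;br /&gt;

```python
"""Minimal SWF tag walker (added example): reads FWS/CWS files, steps through
the tag-length-data stream and inventories image-defining tags, flagging any
image that no PlaceObject tag ever displays (the "hidden image" case)."""
import zlib

# Tag codes from the SWF file format specification.
IMAGE_TAGS = {
    6: "DefineBits (JPEG scan data, needs JPEGTables)",
    8: "JPEGTables (shared JPEG header/tables)",
    20: "DefineBitsLossless",
    21: "DefineBitsJPEG2",
    35: "DefineBitsJPEG3 (JPEG plus alpha)",
    36: "DefineBitsLossless2 (with alpha)",
    90: "DefineBitsJPEG4 (JPEG plus alpha)",
}
PLACE_OBJECT, PLACE_OBJECT2 = 4, 26


def _uint(buf, off, n):
    """Little-endian unsigned integer of n bytes at offset off."""
    return int.from_bytes(buf[off:off + n], "little")


def decompress_swf(data):
    """Return the body after the 8-byte header; spec signatures are FWS and CWS.
    For CWS the length field holds the *uncompressed* size, so use it as a check."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
        if len(body) != _uint(data, 4, 4) - 8:
            raise ValueError("CWS length field does not match decompressed size")
        return body
    raise ValueError("not a SWF signature: %r" % sig)


def rect_byte_length(body):
    """RECT is bit-packed: a 5-bit Nbits, then four Nbits-wide fields."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(body):
    """Yield (code, payload) for each tag; header is 10-bit code, 6-bit length,
    with 0x3F meaning a 32-bit length follows."""
    off = rect_byte_length(body) + 4          # skip RECT, frame rate, frame count
    while len(body) - off >= 2:
        hdr = _uint(body, off, 2)
        off += 2
        code, length = hdr >> 6, hdr % 64
        if length == 0x3F:                     # long form
            length = _uint(body, off, 4)
            off += 4
        if off + length > len(body):
            raise ValueError("tag %d runs past end of file" % code)
        yield code, body[off:off + length]
        off += length
        if code == 0:                          # End tag
            return


def image_inventory(data):
    """Map character ID to (tag name, placed?) for every image-defining tag."""
    body = decompress_swf(data)
    images, placed = {}, set()
    for code, payload in iter_tags(body):
        if code in IMAGE_TAGS and code != 8:   # JPEGTables carries no character ID
            images[_uint(payload, 0, 2)] = IMAGE_TAGS[code]
        elif code == PLACE_OBJECT:             # CharacterId, Depth
            placed.add(_uint(payload, 0, 2))
        elif code == PLACE_OBJECT2 and payload[0] % 4 >= 2:   # HasCharacter flag
            placed.add(_uint(payload, 3, 2))   # Flags(1) Depth(2) CharacterId(2)
    return {cid: (kind, cid in placed) for cid, kind in images.items()}


def _tag(code, payload):
    """Encode a tag header, using the long form for payloads of 63+ bytes."""
    n = len(payload)
    if n >= 0x3F:
        return (code * 64 + 0x3F).to_bytes(2, "little") + n.to_bytes(4, "little") + payload
    return (code * 64 + n).to_bytes(2, "little") + payload


def build_sample_swf(compressed=False):
    """Constructed movie (not a real file): two JPEG images, only ID 1 is placed."""
    rect = bytes([0x78]) + bytes(8)           # Nbits=15 -> 65 bits -> 9 bytes
    body = rect + bytes([0x00, 0x0C]) + bytes([0x01, 0x00])   # 12 fps, 1 frame
    body += _tag(8, b"\xff\xd8\xff\xd9")                       # stand-in JPEGTables
    body += _tag(6, (1).to_bytes(2, "little") + b"\xff" * 70)  # 72 bytes: long form
    body += _tag(35, (2).to_bytes(2, "little") + bytes(4) + b"\xee" * 16)
    body += _tag(26, bytes([0x02, 0x01, 0x00, 0x01, 0x00]))    # place ID 1, depth 1
    body += _tag(1, b"") + _tag(0, b"")                        # ShowFrame, End
    total = (8 + len(body)).to_bytes(4, "little")
    if compressed:
        return b"CWS" + bytes([10]) + total + zlib.compress(body)
    return b"FWS" + bytes([10]) + total + body


if __name__ == "__main__":
    for cid, (kind, shown) in sorted(image_inventory(build_sample_swf(True)).items()):
        print("id %d: %s -- %s" % (cid, kind, "placed" if shown else "never placed"))
```

Running it on the constructed movie reports image 2 (the DefineBitsJPEG3 with alpha) as never placed, which is exactly the kind of tag that image extractors that only follow the display list will miss.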
&lt;H3&gt;Seeing the Full Picture&lt;/H3&gt;&lt;br /&gt;
While the image tag defines the picture, other tags describe how to display it. This can include cropping, scaling, flipping, and/or rotating the image. For my needs, I want the full picture. For example, the file &quot;http://www.staging.mcdonalds.com/content/usa/sports.RowPar.0004.ContentPar.0001.ColumnPar.0001.File.tmp/Sports_07182008.swf&quot; is part of an old ad campaign from McDonalds. Although the web page no longer shows the SWF file, it is still available on their web site and indexed through Google. This movie only shows a cropped picture of a girl dunking a basketball. But the full picture found in the SWF shows a horrendous amount of editing.&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TGH_fknB4RI/AAAAAAAABng/vd3Lo4iGzLc/s800/Sports_07182008-00000000.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
I&#039;m not sure which is worse... the extra long arm, the cloned lights on the left, or the &quot;I tried to erase the background&quot; failure on the right.&lt;br /&gt;
&lt;br /&gt;
The second image in this SWF isn&#039;t much better. I can understand the desire to make the background gray while leaving the person in color, but why did McDonalds gray-out her knee?&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TGH_fpYMWrI/AAAAAAAABnk/Tn91bLcsQj8/s800/Sports_07182008-00000001.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Unseen&lt;/H3&gt;&lt;br /&gt;
When someone creates a Flash file, they build it in layers. Sometimes a layer is not enabled. However, just because the regular Flash movie doesn&#039;t show it does not mean it is gone. In fact, hidden images often exist in SWF files. For example, the Flash movie at http://www.liuyehu.gov.cn/index.swf (courtesy of their local Chinese Government) contains a banner showing the town and people having fun. However, there is a second, hidden image that shows the pre-edited version.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://picasaweb.google.com/lh/photo/szMpHA-y7i73je0qS78y7w?feat=embedwebsite&quot;&gt;&lt;img src=&quot;http://lh6.ggpht.com/_Uw91icJn-go/TGH_e_bJqCI/AAAAAAAABnY/3i0zV5X6qA8/s800/index-00000002.png&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://picasaweb.google.com/lh/photo/pQDH0yG3aMvDqk0wTaioUQ?feat=embedwebsite&quot;&gt;&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TGH_fGiZx6I/AAAAAAAABnc/m8s0CazUdPo/s800/index-00000003.png&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Personally, I fear our new Chinese overlords. Their children are taller than trees!&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;But it Tastes Good!&lt;/H3&gt;&lt;br /&gt;
Ever since I started parsing SWF files, I just can&#039;t seem to stop. I&#039;m looking at almost every Flash file I come across. Most are uninteresting. A few make me laugh, like this image from Ralph Lauren (https://www.ralphlauren.com/graphics/media/polo/1112_hp_821x709.swf)... her arm looks broken and what is going on behind the chair???&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TGH_rkr5PEI/AAAAAAAABno/4CRr55IEddw/s400/1112_hp_821x709-00000002.png&quot;&gt;&lt;br /&gt;
&lt;cite&gt;Reduced size image used for criticism, comment, teaching, and research, as specified in &lt;a href=&quot;http://www.copyright.gov/title17/92chap1.html&quot;&gt;US Copyright Law&lt;/a&gt; Title 17, Circular 92, Chapter 1, Section 107 &quot;Limitations on exclusive rights: Fair use&quot;.&lt;/cite&gt;&lt;br /&gt;
&lt;br /&gt;
But the best Flash banner so far comes from &lt;a href=&quot;http://www.legendarybbq.com/&quot;&gt;Famous Dave&#039;s&lt;/a&gt; Legendary Pit Bar-B-Que. I went to the site looking for directions (I was meeting some friends for lunch). Most of the images are from the animated banner, where food rises and falls onto a table. However, the first picture is hidden/unused, and it is just amazing... It is a full screen snapshot of the developer&#039;s desktop!&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TGH_d79Hd3I/AAAAAAAABnU/BrdiFCgRR1Y/s800/header-00000000.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
Here&#039;s how you can view the full thing:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Install swftools (http://www.swftools.org/)&lt;br /&gt;
&lt;li&gt;Get the SWF file: wget http://www.legendarybbq.com/header.swf&lt;br /&gt;
&lt;li&gt;Find the image ID (it is 0002): swfdump -D header.swf | grep JPEG&lt;br /&gt;
&lt;li&gt;Extract the image: swfextract -o secretimg.jpg -j 2 header.swf&lt;/ol&gt;&lt;br /&gt;
You can clearly see an open chat session with &lt;a href=&quot;http://twitter.com/midwestkel&quot;&gt;Kelly Karnetsky&lt;/a&gt; (you can even see his email address). The session is between Kelly and someone calling himself, &quot;Well let&#039;s focus Mr. Million Dollars and find something that can blow up a car!&quot; There is another chat session with someone called &quot;Jonas&quot;. The developer is listening to Sarah McLachlan&#039;s &lt;i&gt;Surfacing&lt;/i&gt; and was searching his music collection for Eminem. The screenshot shows the clock at 4:06pm on Sunday, 10/26/2008.&lt;br /&gt;
&lt;br /&gt;
I actually reported this information leakage to one of Famous Dave&#039;s managers. I know they received it because I provided them a zip file containing all of the extracted images, including the desktop. Moreover, the zip file was downloaded 7 times, including by people at Basic Food Group -- the &lt;a href=&quot;http://www.bizjournals.com/denver/stories/2005/08/08/daily72.html&quot;&gt;parent company&lt;/a&gt; of Famous Dave&#039;s. However, it has been over two weeks; nobody has gotten back to me and they have not removed the image from the SWF file. I can only conclude that they don&#039;t mind if people see it.&lt;br /&gt;
&lt;br /&gt;
Eventually I&#039;ll probably make a SWF decompiler for those &quot;Do ABC&quot; blocks of compiled code (tag 82). Just as there are unused pictures, I fully expect there to be unused code, and plain-text passwords for Flash-based cryptographic systems. 
    </content:encoded>

    <pubDate>Tue, 10 Aug 2010 18:45:41 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/391-guid.html</guid>
    
</item>
<item>
    <title>Post-Defcon Review</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/390-Post-Defcon-Review.html</link>
            <category>Conferences</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/390-Post-Defcon-Review.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=390</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=390</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    I&#039;m finally back and recovered from Defcon 18 (and caught up with my workload). This is definitely my favorite conference. I caught up with a bunch of old friends, made a few new friends, and learned a thing or two.&lt;br /&gt;
&lt;br /&gt;
The conference seemed much more crowded this year. I couldn&#039;t get into some of the talks that I wanted to hear. And the sea of people... Everyone was polite, well behaved, and orderly, but there were still very long lines as much as 30 minutes before some talks began.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Relative Perspective&lt;/H3&gt;&lt;br /&gt;
Back when I first attended Defcon (Defcon 9 in 2001), the crowd was about a third whitehats, a third blackhats, and a third feds trying to inventory the other two groups. Over the years, the blackhats and anarchists have dropped off and more feds attend the conference. (As Omar the cabbie once told me, feds don&#039;t take taxis. If the parking lot is full, then those are the feds.)&lt;br /&gt;
&lt;br /&gt;
Last year, there were a few blackhats, but most of the attendees were whitehats or feds. (Hint: If you tell people about your military background, run out to your car to take a sudden phone call, or refuse to say where you work, then you&#039;re a fed.) This year, I saw nobody that I knew was a true blackhat. (And yes, I know who some of them are.) Nearly everyone was a fed or whitehat from industry or academia. At the end of the conference, Priest (the big Goon) even congratulated the audience -- this was the first Defcon ever that wasn&#039;t marred by vandalism or sheer acts of stupidity.&lt;br /&gt;
&lt;br /&gt;
Next year ought to be very entertaining: Defcon is moving to the Rio. Unlike the Riviera, the Rio has a wide selection of restaurants, a great buffet, and rooms that are better than a La Quinta. The Rio should also have more space, so the crowds won&#039;t seem as extreme.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Talks&lt;/H3&gt;&lt;br /&gt;
I attended a few of the panel talks. This year, they split the Meet The Fed panel into two parts: Forensics (CSI:TCP/IP) and Arresting Authority (Policy, Privacy, Deterrence, and Cyber War). This was a really good switch -- the panel was more focused and the questions to them were more interesting. Only the Forensics panel played &quot;Spot the Lamer&quot; (the fed&#039;s take on Spot the Fed). Ironically, my friend Kristen was selected as a contestant. She didn&#039;t win (how lame is that?).&lt;br /&gt;
&lt;br /&gt;
I also attended the Internet Wars panel. (I got to meet Paul Vixie in person. Very cool. He looks more like Charlie Brown than I expected.) While most of the Q&amp;amp;A were interesting, I think the best part was when I convinced Elise to take a picture of Dan Kaminsky...&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TFy3EHRHzaI/AAAAAAAABms/1fwvSFPlAzQ/s400/IMG_1097.JPG&quot;&gt;&lt;br /&gt;
&lt;cite&gt;&quot;Look, Dan&#039;s asleep! Take his picture!&quot;&lt;/cite&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://lh6.ggpht.com/_Uw91icJn-go/TFy3EVDQAUI/AAAAAAAABmw/cnMj6SUfEIg/s800/IMG_1098.JPG&quot;&gt;&lt;img src=&quot;http://lh6.ggpht.com/_Uw91icJn-go/TFy3EVDQAUI/AAAAAAAABmw/cnMj6SUfEIg/s400/IMG_1098.JPG&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;cite&gt;&quot;No, I mean walk over there and take his picture&quot; The audience applauded after she took this. This picture really sums up Defcon. I really like the &quot;Dedicated&quot; t-shirt, empty beers, and the Corona box that says &quot;Relax Responsibly&quot; during the Internet Wars panel.&lt;/cite&gt;&lt;br /&gt;
&lt;br /&gt;
By far, the best talk was &quot;Jackpotting Automated Teller Machines&quot; by Barnaby Jack. At one point, he had an ATM machine spewing money across the stage. Other good talks included &quot;Weaponizing Lady Gaga&quot; by Nurse (Brad Smith -- he really is a registered nurse) and &quot;How I Met Your Girlfriend&quot; by Samy Kamkar. And of course, Richard Thieme is always an entertaining speaker.&lt;br /&gt;
&lt;br /&gt;
Besides the talks, I spent a good amount of time watching the various contests. Defcon had more contests this year than ever before. The new &quot;Tampered Evidence&quot; and &quot;Crack Me If You Can&quot; challenges were really good. However, I was most impressed by this year&#039;s Capture the Flag contest. My good friend, Factor, was on the winning team. He&#039;s gone by the handle &quot;Factor&quot; for longer than my company (Hacker Factor) has been around (the names are coincidental) -- so I gave him an official Hacker Factor hat. Factor is really an amazing guy. Besides winning the CTF this year, he also mentored &lt;a href=&quot;http://www.dc3.mil/challenge/2009/stats.php&quot;&gt;team pwnage&lt;/a&gt; -- they won the high school category of last year&#039;s DC3 Forensic Challenge. Anyway, here&#039;s a picture of his black badge, which gives him lifetime free admission to Defcon. (It is much nicer than my black badge, which is nothing more than black paint on metal.)&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TFy3D5apCzI/AAAAAAAABmo/VOQevxLeRh0/s400/2010-08-04%2010.13.14.jpg&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
I&#039;ll talk more about this picture in another blog entry... &lt;img src=&quot;http://www.hackerfactor.com/blog/templates/default/img/emoticons/smile.png&quot; alt=&quot;:-)&quot; style=&quot;display: inline; vertical-align: bottom;&quot; class=&quot;emoticon&quot; /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Books!&lt;/H3&gt;&lt;br /&gt;
I ended up giving away about a dozen copies of my latest book, &lt;a href=&quot;/book_3.php&quot;&gt;&lt;i&gt;Ubuntu: Powerful Hacks and Customizations&lt;/i&gt;&lt;/a&gt;. I included two stipulations with the free book: (1) if you like it, mention it in your blog, and (2) take at least three photos of people with the book. I&#039;m hoping that people actually send in photos.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;About Vegas&lt;/H3&gt;&lt;br /&gt;
If it wasn&#039;t for Blackhat and Defcon, I would probably never return to Las Vegas. The gambling doesn&#039;t interest me. (Perhaps if people smiled...) The shows are expensive and really haven&#039;t changed in a decade. The entire place stinks like smoke. The food used to be excellent, but now is just adequate in taste and extremely expensive. Expect to spend about $80 per day on food (unless you like fast food).&lt;br /&gt;
&lt;br /&gt;
I didn&#039;t stay at the conference hotel. Instead, I stayed at the Wynn. At one point, I decided to treat myself to a meal. I ate at the Wynn&#039;s Strata restaurant. The food tasted wonderful, but wasn&#039;t much more than 6oz total -- I spent $21 on food and left the table hungry. While the Wynn&#039;s weekday breakfast buffet is good, I&#039;d recommend Denny&#039;s and the Peppermill down the street if you are hungry and don&#039;t want to spend a fortune. The hotel&#039;s security wasn&#039;t much better. On two of the days, someone played with the combination lock on my luggage while I was away from the room. I also told hotel security that there was a drugged out woman in the elevator and she was having a really bad trip as she was fading out of consciousness. Suffice it to say, the Wynn is a five star hotel with one star amenities. For a better experience, try Planet Hollywood.&lt;br /&gt;
&lt;br /&gt;
I used to go to Vegas 2-3 times a year (various business trips). Now I&#039;m down to once a year. However, in my literally dozens of visits over the years, this is the first time I have ever found a cabbie who did not know the hotels on the Strip. I was about to step out of the car when the bellhop gave the driver directions. (No, I didn&#039;t tip.) The other cabbies complained about low numbers of riders, but they no longer blamed Obama. Now they blame the hotels for not catering to anyone except the drug/party people. (Explains my elevator experience...)&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Home Again&lt;/H3&gt;&lt;br /&gt;
Overall, I still don&#039;t think much of Las Vegas. However, Defcon is definitely fun. I am already looking forward to next year. 
    </content:encoded>

    <pubDate>Fri, 06 Aug 2010 21:03:16 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/390-guid.html</guid>
    
</item>
<item>
    <title>Out of the Blue</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/389-Out-of-the-Blue.html</link>
            <category>Forensics</category>
            <category>Image Analysis</category>
            <category>Mass Media</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/389-Out-of-the-Blue.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=389</wfw:comment>

    <slash:comments>6</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=389</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    In my &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/388-Photo-Finish.html&quot;&gt;previous blog posting&lt;/a&gt;, I mentioned how some people really do &quot;get it&quot; when it comes to digital manipulation and photo fakery. However, others like &quot;photographer&quot; Nicholas Routzen and BP&#039;s Marc Morrison still don&#039;t understand why representing modified photos as if they were &quot;real&quot; is nothing other than fraud.&lt;br /&gt;
&lt;br /&gt;
BP was heavily criticized in the media for releasing edited photos. In fact, on 22-July-2010, White House Press Secretary Robert Gibbs even &lt;a href=&quot;http://blogs.abcnews.com/politicalpunch/2010/07/white-house-on-bps-photoshopped-photos-on-the-stupidity-side-of-the-transparency-scale.html&quot;&gt;commented&lt;/a&gt; that it was sheer stupidity:&lt;br /&gt;
&lt;blockquote&gt;&quot;I think it&#039;s genuinely on the stupidity part of the transparency scale,&quot; Gibbs said this afternoon at the White House daily briefing. &quot;I mean, if you want to show a picture of what the room looks like, just take a picture.&quot;&lt;/blockquote&gt;&lt;br /&gt;
Upon the discovery of BP&#039;s digital manipulation, BP decided to come clean. Sort of. It was actually more of a &quot;throw the photographer under the bus&quot; than an actual correction:&lt;br /&gt;
&lt;blockquote&gt;BP cast the blame entirely on a hired photographer and claimed to have no part in the decision to alter the photos. &quot;One of BP&#039;s contract photographers used Photoshop to edit images posted on the bp.com Gulf of Mexico Response web site,&quot; the company said, adding, &quot;[W]e&#039;ve instructed the photographer who created the images to refrain from cutting-and-pasting in the future and to adhere to standard photo journalistic best practices.&quot;&lt;/blockquote&gt;&lt;br /&gt;
Too bad this isn&#039;t an isolated incident... and it still has not stopped.&lt;br /&gt;
&lt;br /&gt;
As part of their corrections, BP created a special &lt;a href=&quot;http://www.flickr.com/photos/bpamerica/sets/72157624429465573/&quot;&gt;Flickr set&lt;/a&gt; where they show the before and after photos of the three pictures that &lt;a href=&quot;http://www.americablog.com/2010/07/bp-photoshops-fake-photo-of-command.html&quot;&gt;America Blog&lt;/a&gt; and &lt;a href=&quot;http://gizmodo.com/5592975/bp-photoshops-another-official-image-again-terribly&quot;&gt;Gizmodo&lt;/a&gt; identified as modified. However, BP is only showing the three outed photos.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Standard is Better than Better&lt;/H3&gt;&lt;br /&gt;
I really like that phrase, &quot;Standard Photo Journalistic Best Practices&quot;. There is no such standard. As I &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/274-Getting-Real.html&quot;&gt;detailed&lt;/a&gt; last year, different organizations have different rules about acceptable manipulation. However, there are some generalizations that can be made.&lt;br /&gt;
&lt;br /&gt;
&lt;H4&gt;For Photographers&lt;/H4&gt;&lt;br /&gt;
In general, if the photo is supposed to represent something real then the person providing the photo to the media should abide by these guidelines (a combination of rules from &lt;a href=&quot;http://blogs.reuters.com/blog/2007/01/18/the-use-of-photoshop/&quot;&gt;Reuters&lt;/a&gt;, &lt;a href=&quot;http://www.ap.org/newsvalues/index.html&quot;&gt;Associated Press&lt;/a&gt;, &lt;a href=&quot;http://contributors.gettyimages.com/img/articles/downloads/Submission_Requirements_v2_0_APRIL_2007_(3).pdf&quot;&gt;Getty Images&lt;/a&gt;, and other photo providers including &lt;a href=&quot;http://www.phayul.com/news/article.aspx?id=27801&quot;&gt;China&#039;s Xinhua news agency&lt;/a&gt;):&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;b&gt;No splicing, no drawing&lt;/b&gt;. Whether it is for removal or enhancement does not matter. You never splice images and you never alter content. If Billy blinked during the photo, then the photo must have Billy&#039;s eyes closed -- don&#039;t draw in eyes or splice them from a different photo.&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Minor cropping&lt;/b&gt;. A little cropping from an edge (&quot;little&quot; as in &quot;up to 5% from an edge&quot;) is acceptable if it does not remove a subject from the image. Major cropping, such as Morrison&#039;s removal of the entire upper half of the photo, chairs, and two people (&lt;a href=&quot;http://www.flickr.com/photos/bpamerica/4816829230/in/set-72157624429465573/&quot;&gt;before&lt;/a&gt; and &lt;a href=&quot;http://www.flickr.com/photos/bpamerica/4816762755/in/set-72157624429465573/&quot;&gt;after&lt;/a&gt;) is not permitted.&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Minor dust and speck removal&lt;/b&gt;. Minor dust and speck removal from a non-critical section of the photo is generally permitted. However, this really depends on the photo provider. Some providers (like the AP) are more critical than others. In general, if there is a tiny speck of dust on the lens that ends up looking like a distant UFO in the sky, then you can remove it. But if there are lots of specks, then you must suffer with a dirty picture (next time, clean your lens!). And if the speck is located on the subject matter (like Hillary Clinton&#039;s shoulder), then don&#039;t touch it!&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Minor color enhancements&lt;/b&gt;. Color corrections that do not alter the subject are permitted. As the &lt;a href=&quot;http://www.ap.org/newsvalues/index.html&quot;&gt;AP described&lt;/a&gt;:&lt;br /&gt;
&lt;blockquote&gt;Minor adjustments in PhotoShop are acceptable. These include cropping, dodging and burning, conversion into grayscale, and normal toning and color adjustments that should be limited to those minimally necessary for clear and accurate reproduction (analogous to the burning and dodging often used in darkroom processing of images) and that restore the authentic nature of the photograph. Changes in density, contrast, color and saturation levels that substantially alter the original scene are not acceptable. Backgrounds should not be digitally blurred or eliminated by burning down or by aggressive toning.&lt;/blockquote&gt;&lt;br /&gt;
In general, any acceptable, minor color enhancements should be equally applied over the entire image and not isolated to a specific region. Highly focused or region-specific color alterations are no different than drawing. (&quot;Select all&quot; or &quot;select none&quot;, but if you touch the selection tool or magic wand then you are drawing.)&lt;br /&gt;
&lt;li&gt;&lt;b&gt;After effects&lt;/b&gt;. Blur, sharpen, smudge, liquify, rotate, blend, and other enhancements are not permitted. Basically, if it is not found in the real picture then this is considered &quot;drawing&quot;.&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Acceptable drawing&lt;/b&gt;. There are only two situations where drawing, such as blurring or using a black censor box, is permitted: (1) to protect anonymity, and (2) to prevent advertising. A blurred face, blurred logo on a hat or shirt, or black box over a license plate is acceptable. However, the blurring/drawing must be blatant and obvious.&lt;/ul&gt;&lt;br /&gt;
&lt;H4&gt;For Media Outlets&lt;/H4&gt;&lt;br /&gt;
The photographers who provide the photos to the media must abide by much stricter rules than the media outlets. In contrast, outlets are permitted to perform manipulations that match their medium and format. These include:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;b&gt;Scaling and cropping&lt;/b&gt;. While the photographer must provide the whole picture, the media is permitted to crop it to show a specific subject matter. For example, the photo may show President Obama surrounded by thirty people, but &lt;i&gt;USA Today&lt;/i&gt; may crop it to just show his head.&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Color adjustment&lt;/b&gt;. The media, particularly printed media, are permitted to color correct an image. The photographer&#039;s picture may be too dark or not print well for a magazine. The media outlet can, and usually does, color correct the image. In this case, the pictures may actually be color corrected in specific regions or specific color bands, and not applied uniformly across the image.&lt;br /&gt;
&lt;li&gt;&lt;b&gt;Acceptable drawing&lt;/b&gt;. The media may also choose to blur faces, censor logos, or annotate features with arrows or circles that highlight specific items. However, these modifications must be blatant. The subtle removal of a logo, when discovered, can lead to sharp criticism (or worse).&lt;/ul&gt;&lt;br /&gt;
BP used to take photos and use them in their advertising campaigns; anything goes in advertisements. However, that role has changed. Since the Gulf disaster, BP has been providing photos that document recovery and cleanup efforts to the mass media. As someone who provides photos to the media, BP is expected to adhere to the higher standard. BP should not be making modifications reserved for media outlets.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;BP: Best Practices&lt;/H3&gt;&lt;br /&gt;
Unfortunately, BP seems to be making up their &quot;Standard Photo Journalistic Best Practices&quot; as they go. While I have not seen any splicing in the last few days, some of their photographers are still taking liberties with the crop tool and recoloring. Here are a few examples from &lt;a href=&quot;http://www.flickr.com/photos/bpamerica&quot;&gt;BP&#039;s Flickr feed&lt;/a&gt;. (Click on the photo to see the full picture.)&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Creative Cropping&lt;/b&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.flickr.com/photos/bpamerica/4834228273/&quot;&gt;&lt;img src=&quot;http://farm5.static.flickr.com/4108/4834228273_0a8fdf36bd.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
This photo by Marc Morrison is dated 26-July-2010 but was last modified on 27-July-2010. The full picture is 3981x1496. The problem is, the Canon EOS-1Ds Mark II does not take photos at these dimensions. The &lt;a href=&quot;http://www.dpreview.com/reviews/canoneos1dsmkii/&quot;&gt;closest it gets&lt;/a&gt; is 4992x3328. This means that Marc cropped nearly 20% from the horizontal and over 55% from the vertical. So what did Marc not want us to see?&lt;br /&gt;
&lt;br /&gt;
A few years ago I was told a story about a photo from China. It appeared to show a government vehicle with people standing around it cheering. But the uncropped photo showed the crowd throwing stones; the people were not cheering, they were yelling. Creative cropping can alter the meaning of a picture. For this reason, &quot;Standard Photo Journalistic Best Practices&quot; requires the photographer to submit the whole picture and not something with creative cropping. For all we know, there could be a dead whale on the right, and that gray structure in the top-left could actually be pollution filling the sky. If the picture has too much sky, then BP needs to let the media outlets decide what to crop.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;BP&#039;s True Colors&lt;/b&gt;&lt;br /&gt;
Here&#039;s a very colorful photo by BP:&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.flickr.com/photos/bpamerica/4834228009/sizes/l/&quot;&gt;&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TFBcgFCG17I/AAAAAAAABl4/2ML7OXf1UkQ/s400/4834228009_31e1843cba_o.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
This photo by Harrison McClary is dated 26-July-2010 and last modified a day later. The image itself measures 3600x2400. That is close to a native resolution for the &lt;a href=&quot;http://www.imaging-resource.com/PRODS/E1DMK3/E1DMK3DAT.HTM&quot;&gt;Canon EOS-1D Mark III&lt;/a&gt;, which can take pictures at 3888x2592 (cropped or scaled 7% horizontal and 7% vertical). However, McClary over-applied the color correction. We can see this in the color histogram (graphing HSV).&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TFBcgk-avdI/AAAAAAAABl8/j8CVuSUgm80/s800/4834228009_31e1843cba_o-CS.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
There are two things that really stand out as abnormal: (1) the clusters of blue and yellow at the top show a blown-out color space, and (2) the color blobs are too wide, too tall, and too blended for a natural picture. This is not a typical color space for a Canon EOS-1D Mark III.&lt;br /&gt;
&lt;br /&gt;
For a comparison, consider this &lt;a href=&quot;http://www.pbase.com/gtach/image/83080043&quot;&gt;sample photo&lt;/a&gt; from the same model camera (and not provided by BP):&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.pbase.com/image/116680502&quot;&gt;&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TFBiLLKP8aI/AAAAAAAABmE/MaDlJgRyNyE/s400/116680502.9uCBtDGh.LyonsJVLyons_JV142.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;img src=&quot;http://lh6.ggpht.com/_Uw91icJn-go/TFBi1eI86kI/AAAAAAAABmQ/yhwlSoaV0KM/s800/116680502.9uCBtDGh.LyonsJVLyons_JV142-CS.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
Notice how the unmodified photo does not blow out colors at the extreme intensities, and has less-blended color bands. This is very typical for a digital camera, including cameras made by Canon, Olympus, Nikon, Ricoh, and other manufacturers.&lt;br /&gt;
&lt;br /&gt;
So why would BP&#039;s Harrison McClary over-correct the color space? Perhaps he is inexperienced with cameras. Or maybe he really wanted that brown water to look blue. By blowing out the color spectrum, he has given the image a &quot;clean&quot; look -- the sand is white, the sky and water are blue, the tractor does not look dirty, and even the brown grasses look green.&lt;br /&gt;
&lt;br /&gt;
Here&#039;s another example from Harrison McClary:&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.flickr.com/photos/bpamerica/4830949628/&quot;&gt;&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TFBcRPhSbOI/AAAAAAAABls/KCx9Tguarb0/s400/4830949628_672baf1026_o.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TFBcR8N7xaI/AAAAAAAABlw/KS_xYFJ3PM4/s800/4830949628_672baf1026_o-CS.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
Again, the blue and green are blown out (blobs at the upper intensities). Also, notice how the orange spike actually curves with intensity (vertical). That&#039;s why they call it a &quot;color curve adjustment&quot;.&lt;br /&gt;
&lt;br /&gt;
Of course, McClary isn&#039;t the only one tweaking colors. BP&#039;s Robert Seale also did some color corrections.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.flickr.com/photos/bpamerica/4830949012/&quot;&gt;&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TFBcQWTNc0I/AAAAAAAABlk/rBOyQvjQVDA/s400/4830949012_64f3beb4d0_o.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TFBcQ6aI_NI/AAAAAAAABlo/PcrtieNKRtY/s800/4830949012_64f3beb4d0_o-CS.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
Notice how Robert&#039;s dark red, blue, and green all lean toward the left at the top? While he didn&#039;t blow out the color range, he did adjust the sky, grass, and maroon stripe on the &lt;a href=&quot;http://www.vermilion.lib.la.us/branch-information/mobile-library/&quot;&gt;bookmobile&lt;/a&gt; (the RV in the background-right that says &quot;Vermilion Parish Public Library&quot;).&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Seeing Red&lt;/H3&gt;&lt;br /&gt;
Dear British Petroleum,&lt;br /&gt;
&lt;br /&gt;
If you want us to believe that the pictures are real, then please release real pictures. Don&#039;t crop out stuff you don&#039;t want us to see. Don&#039;t make the sky and water look bluer. And most importantly, don&#039;t think that we won&#039;t notice.&lt;br /&gt;
&lt;br /&gt;
Having been caught splicing images, BP promised to adhere to &quot;Standard Photo Journalistic Best Practices&quot;. However, this is clearly not the case. While BP claimed that the modifications were limited to one photographer, the actual problem is more systemic. BP&#039;s photographers may no longer be splicing, but they are still striving to literally show that the grass is always greener. This isn&#039;t a problem with BP&#039;s photographers; this is a problem with BP. 
    </content:encoded>

    <pubDate>Thu, 29 Jul 2010 05:24:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/389-guid.html</guid>
    
</item>
<item>
    <title>Photo Finish</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/388-Photo-Finish.html</link>
            <category>Forensics</category>
            <category>Image Analysis</category>
            <category>Mass Media</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/388-Photo-Finish.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=388</wfw:comment>

    <slash:comments>8</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=388</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    This week really gave me a thrill. Readers, models, and even large companies have taken steps against digital photo manipulation in the media.&lt;br /&gt;
&lt;br /&gt;
The first big congrats goes to &lt;a href=&quot;http://www.dominos.com/&quot;&gt;Domino&#039;s Pizza&lt;/a&gt;. They recently announced a &lt;a href=&quot;http://www.showusyourpizza.com/promise/&quot;&gt;promise&lt;/a&gt; to use real photos of real pizzas in their advertisements. No more cardboard, glue, and partially-cooked food that looks &quot;better&quot; when photographed.&lt;br /&gt;
&lt;blockquote&gt;&lt;font color=&#039;red&#039;&gt;Our Photo Promise&lt;/font&gt;&lt;br /&gt;
Here at Domino&#039;s, we don&#039;t think our inspired Domino&#039;s pizza needs the &quot;extra&quot; things typically done to food at photo shoots to look mouth watering. Our pizza is good enough to stand on its own. That&#039;s why we&#039;re making the following promises about how we photograph our pizzas from this day forward. Did we just buck the food photography trend? Oh yes we did.&lt;br /&gt;
&lt;br /&gt;
1. We will only photograph real, honest-to-goodness pizzas.&lt;br /&gt;
That means fresh from our own ovens, with exactly the same ingredients we deliver to your doorstep. Nothing else added.&lt;br /&gt;
&lt;br /&gt;
2. Our employees will make the pizza we shoot.&lt;br /&gt;
Not an art director or model maker or food stylist. A Domino&#039;s employee trained to make pizzas the only way they know how: by hand.&lt;br /&gt;
&lt;br /&gt;
3. We will not artificially manipulate the food we shoot.&lt;br /&gt;
No tweezers, no steam guns, no model knives cutting perfect perforations in the cheese. The only thing that will touch the pizzas we shoot is the pizza-maker&#039;s hands and a standard Domino&#039;s pizza cutter.&lt;br /&gt;
&lt;br /&gt;
Russell Weiner, Chief Marketing Officer&lt;/blockquote&gt;&lt;br /&gt;
Bravo! I&#039;ve looked at some of the &lt;a href=&quot;http://www.showusyourpizza.com/gallery/&quot;&gt;pizza photos&lt;/a&gt; on their web site and I must say: no detectable manipulation (beyond scaling and cropping, which does not modify the look of the food). Moreover, the food actually looks &lt;i&gt;good&lt;/i&gt;! (Good enough for me to now have a pizza craving.)&lt;br /&gt;
&lt;center&gt;&lt;img src=&quot;http://c1884852.cdn.cloudfiles.rackspacecloud.com/50c021c0-35c0-454c-82f4-58692fe47af9&quot;&gt;&lt;br /&gt;
&lt;small&gt;Pizza Photo by Makena B. from Houston, TX&lt;/small&gt;&lt;/center&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Worth the Wait&lt;/H3&gt;&lt;br /&gt;
Not to be outdone, plus-size model (and super hottie) &lt;a href=&quot;http://www.glamour.com/contributors/crystal-renn&quot;&gt;Crystal Renn&lt;/a&gt; just went on the record saying that she is offended by some photoshopping done to her picture. As she said in her &lt;a href=&quot;http://today.msnbc.msn.com/id/38358777/ns/today-today_fashion_and_beauty/&quot;&gt;&lt;i&gt;Today Show&lt;/i&gt;&lt;/a&gt; interview this morning, &quot;When I first saw the photos, I would have to say I was absolutely shocked.&quot; The photographer turned this well-known size-10 into a much thinner version. (But at least he didn&#039;t give her noodle arms, right &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/318-Behind-The-Mask.html&quot;&gt;Ralphie?&lt;/a&gt;)&lt;br /&gt;
&lt;br /&gt;
The photographer, Nicholas Routzen, has this &lt;a href=&quot;http://nicholasroutzen.blogspot.com/2010/07/crystal-renn-critics.html&quot;&gt;reply&lt;/a&gt;:&lt;br /&gt;
&lt;blockquote&gt;I want to reiterate that I feel Crystal looks amazing in both images and the minimal retouching that I did do - it&#039;s nothing you wouldn&#039;t see in any magazine today. There is nothing hidden about this.&lt;/blockquote&gt;&lt;br /&gt;
This tells me three things: (1) he sways to peer pressure (everyone else is doing it...), (2) he does not listen to the models that he shoots (Renn has been a strong voice against the unhealthy, unrealistic anorexic female shape that most of the fashion companies strive for), and (3) he photoshops his pictures. It makes me want to take a much closer look and see if he also does splicing, smoothing, and other common forms of deceptive manipulation.&lt;br /&gt;
&lt;br /&gt;
However, I would not recommend browsing Routzen&#039;s blog. Some of his photos could easily pass for child pornography. (Full frontal nudity of a minor.)&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Feeling Pumped&lt;/H3&gt;&lt;br /&gt;
But I am saving my largest applause for &lt;a href=&quot;http://www.americablog.com/&quot;&gt;America Blog&lt;/a&gt; and &lt;a href=&quot;http://gizmodo.com/&quot;&gt;Gizmodo&lt;/a&gt;. These people have been looking at the media photos released by British Petroleum (BP).&lt;br /&gt;
&lt;br /&gt;
It isn&#039;t enough that BP&#039;s runaway deep-sea oil well poisoned the Gulf of Mexico, after they &lt;a href=&quot;http://homelandsecuritynewswire.com/bps-emergency-plan-gulf-discusses-impact-seals-sea-otters-and-walruses&quot;&gt;lied to the United States&lt;/a&gt; by claiming that they knew how to handle any deep-sea accidents. Or when they &lt;a href=&quot;http://www.businessinsider.com/government-doubles-bp-leak-estimate-to-60000-barrels-per-day-2010-6&quot;&gt;repeatedly underestimated&lt;/a&gt; the amount of oil and would not assist scientists in creating an accurate estimate (we &lt;i&gt;still&lt;/i&gt; don&#039;t know how much oil was leaked). Or that they only provided low resolution video feeds to the public while &lt;a href=&quot;http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?blogid=150&amp;entry_id=65378&quot;&gt;they had high resolution footage available&lt;/a&gt;. Or that they tried to stop the media from &lt;a href=&quot;http://www.huffingtonpost.com/2010/06/14/oil-spill-media-access-bp_n_611121.html&quot;&gt;documenting the disaster&lt;/a&gt;. No... they also have to doctor pictures. (Is anyone really surprised?)&lt;br /&gt;
&lt;br /&gt;
One photo has the title &quot;&lt;a href=&quot;http://gizmodo.com/5592975/bp-photoshops-another-official-image-again-terribly&quot;&gt;Aerials over Gulf of Mexico&lt;/a&gt;&quot;. With a name like &quot;aerials&quot;, one would think it would be &lt;a href=&quot;http://www.dictionary.net/aerial&quot;&gt;taken from the air&lt;/a&gt;...&lt;br /&gt;
&lt;a href=&quot;http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/incident_response/STAGING/local_assets/images/View_of_the_MC_252.jpg&quot;&gt;&lt;img src=&quot;http://lh6.ggpht.com/_Uw91icJn-go/TEiw9LBBnAI/AAAAAAAABkA/tx7dwiUMiTQ/s400/View_of_the_MC_252.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
The problem is, the view out the window has been photoshopped. I noticed many things in this picture, but the people on &lt;a href=&quot;http://www.reddit.com/r/WTF/comments/cs5wf/bp_fails_at_photoshop_part_two_notice_the_atc/&quot;&gt;Reddit&lt;/a&gt; just shredded the photo. Some of the findings:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;The display clearly says that the door is open, ramp is open, rotor brake is on, and parking brake is on. There is no way this helicopter is in the air.&lt;br /&gt;
&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TEix6GkioOI/AAAAAAAABko/dAhKGmDb01s/s800/View_of_the_MC_252-hud.png&quot;&gt;&lt;br /&gt;
&lt;li&gt;The radar shows something to the far left, but nothing in front of him. Thus, no boats.&lt;br /&gt;
&lt;li&gt;There is a light that says APU GEN ON. This is the alternate power unit. It provides power until the engines are started.&lt;br /&gt;
&lt;li&gt;The pilot is holding a pre-flight checklist. (Ironic that his fingers are crossed.)&lt;br /&gt;
&lt;li&gt;Neither pilot is holding the flight stick!&lt;br /&gt;
&lt;li&gt;There is a water bottle resting in the handhold above the guy on the right. The water in the bottle is smooth and flat -- no vibrations at all.&lt;br /&gt;
&lt;li&gt;The pilot on the left is wearing glasses. The glasses are reflecting some type of straight-line object. This is likely a runway or edge for the helipad.&lt;br /&gt;
&lt;li&gt;The outside water goes from clear blue to smoky. You can clearly see the waves in the blue and smoky areas, but the waves are fuzzy/blended where the two meet.&lt;br /&gt;
&lt;li&gt;The water is also blurry around the pilot on the left and near the top of the right window.&lt;br /&gt;
&lt;li&gt;The edges of the boats on the left are precisely in the fuzzy section.&lt;br /&gt;
&lt;li&gt;The first boat in the right window has a very visible shadow. So all boats should have shadows. However, none of the boats in the left window have shadows.&lt;br /&gt;
&lt;li&gt;The boat with a shadow indicates that the sun is in front of the helicopter. However, the entire copter is in shadow and so is the tower structure (top left).&lt;/ul&gt;&lt;br /&gt;
This isn&#039;t even the entire list. Suffice it to say that this is &lt;i&gt;not&lt;/i&gt; an &quot;aerial&quot; photo and it has been grossly modified.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.americablog.com/2010/07/bp-photoshops-fake-photo-of-command.html&quot;&gt;Another photo&lt;/a&gt; shows people in front of some monitors. The problem is, the image shown in some of the monitors was changed. Technically, content from three screens was replicated into the three off-line screens. Oh, and the picture has an internal timestamp indicating that it was created in 2001 (2001-03-06 15:16:50.25) and not 2010 (EXIF data modified time 2010-07-19 18:54:04.25). In either case, the timestamps do not match the &quot;HIVE at Houston Command Center 16 July 2010&quot; as BP captioned the picture.&lt;br /&gt;
&lt;table border=&#039;0&#039;&gt;&lt;br /&gt;
&lt;tr&gt;&lt;td&gt;&lt;a href=&quot;http://1.bp.blogspot.com/_1xQeOPE9ePU/TETTdOtWj5I/AAAAAAAAFB0/iG1avKpceKk/s1600/bpphotoshop8.jpg&quot;&gt;&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TEiw-jYJgzI/AAAAAAAABkM/6rV9g69VrVQ/s400/bpphotoshop8.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;small&gt;Modified&lt;/small&gt;&lt;br /&gt;
&lt;tr&gt;&lt;td&gt;&lt;a href=&quot;http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/incident_response/STAGING/local_assets/images/HIVE_houston01.jpg&quot;&gt;&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TEiw9_EMxHI/AAAAAAAABkE/nWQ3FxRHn4U/s400/HIVE_houston01.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;small&gt;Allegedly Unmodified&lt;/small&gt;&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
The &lt;a href=&quot;http://www.americablog.com/2010/07/bp-fakes-another-oil-spill-photo-this.html&quot;&gt;final picture&lt;/a&gt; (so far) shows people in a meeting room. However, the splicing of the content on the screen was done very poorly.&lt;br /&gt;
&lt;a href=&quot;http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/incident_response/STAGING/local_assets/images/GOM_simops_operations_top_kill_houston.jpg&quot;&gt;&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TEixeGOHg3I/AAAAAAAABkg/IgtDBXTIzdM/s720/GOM_simops_operations_top_kill_houston.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
Here&#039;s a closeup of some of the splicing:&lt;br /&gt;
&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TEix53lHu_I/AAAAAAAABkk/FTCn14RC7dY/s800/GOM_simops_operations_top_kill_houston-p2.png&quot;&gt;&lt;br /&gt;
Frankly, I&#039;m not sure what is more offensive -- the fact that the picture was modified, or the quality of the modification. In either case, this should be a firing offense.&lt;br /&gt;
&lt;br /&gt;
Of course, I began to do what everyone else is probably doing -- poring over bp.com and looking for more doctored photos. That&#039;s when I noticed something. All of the modified photos appear to have something in common. The metadata and associated credits identify the photographer as &quot;Marc Morrison&quot;.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Hello, Marc&lt;/H3&gt;&lt;br /&gt;
According to &lt;a href=&quot;http://www.energysecurityanddiversity.com/pdf/BP-magazine.pdf&quot;&gt;his bio&lt;/a&gt;, Marc has been a photographer for 26 years and works for BP. A significant number of photos released by BP were taken by Marc.&lt;br /&gt;
&lt;br /&gt;
Marc prefers Canon cameras like the &lt;a href=&quot;http://www.dpreview.com/reviews/canoneos1dmkii/&quot;&gt;EOS-1Ds Mark II&lt;/a&gt; or &lt;a href=&quot;http://www.pbase.com/cameras/canon/eos_5d&quot;&gt;EOS 5D&lt;/a&gt;. While these cameras usually take very good photos, Marc&#039;s pictures always have a large amount of sensor noise and discoloration. (I can actually pick out Marc&#039;s photos on BP&#039;s site just by looking for the sensor noise and grainy coloring. Not every picture has had content modifications, but all look grainy and noisy.)&lt;br /&gt;
&lt;br /&gt;
When it comes to manipulation, Marc seems to rely on overlaying and blending. He primarily targets flat surfaces like monitors or windows. His non-grainy photos appear to have color enhancements to make bright colors pop -- look for things that are red or yellow (his favorite bright colors). I have not seen him advance to people splicing, reflections, or lighting. He also appears to be fond of image cropping; I have yet to see any of his photos that are anywhere near close to a native camera resolution size. Oh, and Marc likes to use something called &lt;a href=&quot;http://www.photoshelter.com&quot;&gt;Photoshelter&lt;/a&gt;. (Since I have no experience with it, I can&#039;t tell if it is a program for editing or only web creations and annotations... In either case, many of his photos were modified by it.)&lt;br /&gt;
&lt;br /&gt;
&lt;table border=&#039;0&#039;&gt;&lt;br /&gt;
&lt;tr&gt;&lt;td&gt;&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TEjLUdFLQnI/AAAAAAAABk8/HU8-FZkK3WI/s400/headline_1279024634.jpg&quot;&gt;&lt;br /&gt;
&lt;td&gt;&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TEjLUfeKvmI/AAAAAAAABlA/oG_IPCm-KvI/s400/Gulf_Oil_Spill_JPEG_490368e.jpg&quot;&gt;&lt;br /&gt;
&lt;tr&gt;&lt;td colspan=&#039;2&#039;&gt;&lt;small&gt;Two photos by Morrison. The left is &quot;&lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2010/07/13/AR2010071304966.html&quot;&gt;AP Photo/BP, Marc Morrison&lt;/a&gt;&quot;. The right is &quot;&lt;a href=&quot;http://www.monstersandcritics.com/news/usa/news/article_1570477.php/Leaking-US-oil-well-capped-tests-to-show-how-effectively&quot;&gt;EPA/Marc Morrison/BP Handout&lt;/a&gt;&quot;. Both show the same room and same people but at slightly different times. Some monitors are the same, some are different. Is either unmodified?&lt;/small&gt;&lt;br /&gt;
&lt;/table&gt;&lt;br /&gt;
&lt;br /&gt;
Now, for clarity, there appears to be many photographers named &quot;Marc Morrison&quot;. One lives in Steamboat Springs, Colorado -- I really don&#039;t think it is him. Another lives in Houston, Texas. The Houston guy seems to take some celebrity photos as well as plenty of oil rig and related industrial photos. However, I haven&#039;t seen anything that says the guy in Houston works for BP. (This Marc could be a different Marc.)&lt;br /&gt;
&lt;br /&gt;
In any case, many of the photos provided by BP&#039;s Marc Morrison were credited as &quot;AP Photos/BP, Marc Morrison&quot; and &quot;Marc Morrison - AP&quot;. (Example: &lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2010/07/13/AR2010071304966.html&quot;&gt;&lt;i&gt;Washington Post&lt;/i&gt;&lt;/a&gt;, look at the slide show.) However, I cannot find any of Marc&#039;s photos at AP&#039;s web site. I wonder if they already booted him for altering images...&lt;br /&gt;
&lt;br /&gt;
(Thanks to the 11 people who sent me links to this BP story. Keep &#039;em coming!) 
    </content:encoded>

    <pubDate>Thu, 22 Jul 2010 15:24:21 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/388-guid.html</guid>
    
</item>
<item>
    <title>Two weeks until Defcon 18</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/387-Two-weeks-until-Defcon-18.html</link>
            <category>Conferences</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/387-Two-weeks-until-Defcon-18.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=387</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=387</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    The two largest computer security conferences are coming up! The Black Hat Briefings (frequently referred to simply as &lt;a href=&quot;http://blackhat.com/&quot;&gt;Blackhat&lt;/a&gt;) and &lt;a href=&quot;http://defcon.org/&quot;&gt;Defcon&lt;/a&gt; are at the end of the month. If you&#039;ve never gone and have an interest in computer security, then consider going this year or plan for next year. I learn more from three days of chatting with people in the hallways at Defcon than I do from a year of reading forums and news postings.&lt;br /&gt;
&lt;br /&gt;
Blackhat has a more professional aura. The audience is generally well-behaved, professional, and very interested in the presentations. A few people even wear suits!&lt;br /&gt;
&lt;br /&gt;
In contrast, Defcon is commonly called the after-party. It is billed as the world&#039;s largest underground security conference. But with nearly 10,000 people in attendance, is it really &quot;underground&quot;? T-shirts, shorts or jeans, and a very informal environment is the norm.&lt;br /&gt;
&lt;br /&gt;
All Blackhat attendees get free admission to Defcon, and many of the Blackhat speakers also present the same material at Defcon.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Changing Reputations&lt;/H3&gt;&lt;br /&gt;
In the early days, Defcon was a smaller conference and had a very different atmosphere. It was a neutral place where good guys (whitehats) and bad guys (blackhats) could mingle and meet-your-enemy. Due to the large number of anarchists that attended the conference, Defcon got a reputation for destruction. However, Defcon 9 was really the last of the destructive years. Last year (Defcon 17) was really pretty tame. Sure, a few idiots got arrested while they were trying to &lt;A href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/301-Defcon-17-Review.html&quot;&gt;bungee jump&lt;/a&gt; off the roof, but the crowd is really pretty tame today.&lt;br /&gt;
&lt;br /&gt;
And &quot;crowd&quot; is an understatement. With between 8,000 and 10,000 attendees, the hallways at Defcon are totally packed. In the good old days, you could get into any talk you wanted. (Even if it meant sitting in a steaming tent on a roof.) Today, the rooms are air-conditioned, but the rooms are so packed that you should plan on attending every-other talk.&lt;br /&gt;
&lt;br /&gt;
Today, there are very few truly destructive people at Defcon. Where did the anarchists go? Defcon increased the entrance fee and the anarchists stopped coming. Today, it is $140 for all three days. You will likely spend more per day on a hotel room and food in Vegas than on Defcon&#039;s admission fee.&lt;br /&gt;
&lt;br /&gt;
At Defcon 9 (the first year I attended), the crowd was evenly divided among three types of people. There were whitehats that varied from law enforcement to corporate security professionals and academic researchers, true blackhat evil hackers, and feds who were trying to inventory the other two groups.&lt;br /&gt;
&lt;br /&gt;
Each year, there are fewer and fewer blackhats who attend. (I suspect that it is the feds who scare them off.)  Last year I recognized a total of two (2) true blackhat hackers. Everyone else was corporate, academic, or fed. As Omar the cabbie once told me, &quot;feds rent cars and don&#039;t take taxis.&quot; So spotting a fed in the parking lot is pretty easy. The joke for the last couple of years has been around the &quot;Spot the Fed&quot; game. With so many government and law enforcement people in attendance, they should really change the name to &quot;Spot the Hacker&quot;. (The &lt;i&gt;Meet the Fed&lt;/i&gt; panel has a game they play: Spot the Lamer.)&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Spotting Hackers by the Book&lt;/H3&gt;&lt;br /&gt;
I&#039;ve decided to do something new this year... I&#039;m going to Defcon and will be giving away 10 copies of my new book, &lt;i&gt;&lt;a href=&quot;/book_3.php&quot;&gt;Ubuntu: Powerful Hacks and Customizations&lt;/a&gt;&lt;/i&gt;. To get the free book, you&#039;ll need to:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Find me. I&#039;m short and look like a computer geek. (I blend in well...) But I always wear my &quot;Hacker Factor&quot; cap and will be carrying a bunch of books!&lt;br /&gt;
&lt;li&gt;Mention that you read this on my blog.&lt;br /&gt;
&lt;li&gt;After getting the book: if you like the book, mention it on Twitter or in your blog.&lt;br /&gt;
&lt;li&gt;To show that hackers are everywhere, take at least 3 photos of people (or yourself) reading the book around Vegas. If you are in a cab, snap a picture of the cabbie reading the book. Riding a roller coaster at New York? How about a photo of you reading it upside down! Eating at a restaurant? Get a picture of yourself ordering from the book instead of a menu.&lt;/ol&gt;&lt;br /&gt;
Each book will have a small instruction sheet with the two rules (blog/tweet it and take three photos) and an email address for sending your photos. I&#039;ll put the photos up on a web page.&lt;br /&gt;
&lt;br /&gt;
I won&#039;t be giving away all of the books at once. However, 10 books are heavy, so they will be given away pretty quickly. Probably 3 books on Thursday and the rest on Friday. (I&#039;m also not opposed to bribes.) 
    </content:encoded>

    <pubDate>Sat, 17 Jul 2010 06:44:24 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/387-guid.html</guid>
    
</item>
<item>
    <title>Deja Vu</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/386-Deja-Vu.html</link>
            <category>Programming</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/386-Deja-Vu.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=386</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=386</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    You know that feeling you get when someone gives you advice that you don&#039;t care about at the time but turns out to be prophetic? I just had that experience...&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Boxes&lt;/H3&gt;&lt;br /&gt;
Even though my background includes a significant amount of experience with artificial intelligence algorithms, I rarely use AI systems in my day-to-day work. The reason has to do with repeatability and provability. The various types of neural networks are relatively easy to construct and train, but act as black-box systems. You know the input, you see the output, but you don&#039;t know how the system generated the output from the input. Moreover, if you train a neural network with different initial weights or a different order through the training set, then it will result in a different learned configuration.&lt;br /&gt;
&lt;br /&gt;
While black-box AI systems may generate accurate results, the training process is NP-complete -- you don&#039;t know ahead of time how much training it will take or whether it can actually learn. Moreover, these systems can be very good at memorizing training sets. Don&#039;t over-train your black box unless you want it to memorize the training set and completely screw up on the testing set.&lt;br /&gt;
&lt;br /&gt;
In contrast to neural networks, fuzzy logic and genetic algorithms are gray-box systems. You kinda know how they work. Given the input, it generates output and you can see how it came up with the output decision. However, barring very simple fuzzy logic systems, you cannot really tell what the output will be until you run the input through the system. You can see how it made the decision, but not before running it.&lt;br /&gt;
&lt;br /&gt;
Finally, there are white-box AI systems like Bayesian networks. You know the input, the output, and how it will make the decision. The only real problem here is configuring the system. Since you need to know the probabilities, you really only have two choices. You could compute the probabilities before hand, but this requires you to have enough data to statistically compute the probabilities and be able to characterize the various statistical factors. The other choice is to use a gray-box or black-box system to learn the probabilities, in which case the probabilities may not be provable or optimal.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Dusting Off&lt;/H3&gt;&lt;br /&gt;
I recently had a need for &quot;a solution&quot;, where &quot;provable&quot; and &quot;deterministic&quot; are not requirements. This is a perfect situation for using AI. I wrote my own AI library many years ago. Basically, I didn&#039;t like any of the existing systems (not flexible enough for my own needs) and it was easier to build my own than adapt around existing systems. However, it has been years since I used it and I only vaguely remember the configuration options.&lt;br /&gt;
&lt;br /&gt;
A couple of things really surprised me. First, my AI library was written in 1990 and last maintained in 1996. (Last bug fix was in 1994.) I didn&#039;t even know if it would compile with the latest GCC. My first surprise was that it compiled cleanly with &quot;gcc -Wall&quot;. It even passed its benchmark and regression tests.&lt;br /&gt;
&lt;br /&gt;
As I gawked at the output, I thought, &quot;This is great! I wish I remembered how it worked!&quot; Then I looked at the source code... There are huge paragraphs that describe how every function works and how to use it. Completely documented. Even the variables have reasonable names: no &quot;int i,j&quot; or &quot;float q[12]&quot; or &quot;double phi,theta&quot;. Instead the variables have names like &#039;CutoffThreshold&#039; and &#039;float *weights; /* network weight matrix */&#039;. The comments even cite books and pages as references.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Way Back When...&lt;/H3&gt;&lt;br /&gt;
I had a professor back in college who drilled &quot;style&quot; into all of us. He had three basic rules that, if broken, would result in a zero on your homework.&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Always comment your code. If the code is more complex than a simple loop, then describe what it does.&lt;br /&gt;
&lt;li&gt;C permits 64-character variable names (well, it did back then). Variable names should be descriptive and not generic. Single letter variables (i, j, x, y) are only permitted for very short loops. Greek letters should never be used for variable names unless you are programming in Greece.&lt;br /&gt;
&lt;li&gt;Don&#039;t use features specific to a compiler or operating system. Stick with portable standards. If you must use something specific, encapsulate it so a replacement won&#039;t impact the rest of the code.&lt;/ol&gt;&lt;br /&gt;
We obeyed because we wanted to pass the class. However, the lesson was never lost on me. I still &quot;over-comment&quot; my code.&lt;br /&gt;
&lt;br /&gt;
I looked up my notes and found a great quote from the professor (from notes I took in 1988): &quot;Always comment your code because you never know when you will refer to something you wrote 20 years earlier.&quot; Wow -- he even nailed the duration. 
    </content:encoded>

    <pubDate>Tue, 13 Jul 2010 18:15:06 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/386-guid.html</guid>
    
</item>
<item>
    <title>After The Fact</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/385-After-The-Fact.html</link>
            <category>Network</category>
            <category>Privacy</category>
            <category>Programming</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/385-After-The-Fact.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=385</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=385</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    Over the last few months I have had friends and associates contact me about hacked web sites. In each case, someone (or something) planted hostile URLs on their web pages. These URLs would redirect visitors to porn sites or serve up viruses. Worse: these URLs would be embedded everywhere -- in HTML, in PHP, and in back-end databases.&lt;br /&gt;
&lt;br /&gt;
The question they always ask me: What should I do?&lt;br /&gt;
&lt;br /&gt;
It is easy to tell people that they should have a disaster recovery plan in place. However, few people have one. Other &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/336-Better-Than-Nothing-Security-Part-I.html&quot;&gt;pre-attack advice&lt;/a&gt;, like hardening servers, changing defaults, and installing filters is great advice, but is usually ignored. In my experience, the sites that have taken simple steps and have plans in place are not the ones usually compromised. The common compromises are directed at non-technical users who installed default software and ignored even basic maintenance.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Post-Compromise&lt;/H3&gt;&lt;br /&gt;
So let&#039;s say you have a default WordPress or Wiki or Blogger installation. It isn&#039;t a question of whether your site will be compromised or infected. The only question is &lt;i&gt;when&lt;/i&gt;. And like most people, you haven&#039;t maintained your software (applying patches, upgrading as needed), don&#039;t have backups (your ISP does that, uh, right?), and haven&#039;t removed default files or hardened the system. What should you do after a compromise?&lt;br /&gt;
&lt;br /&gt;
There are plenty of good checklists out there. Some examples include:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://www.freehostia.com/blog/webhosting/site-hacked-what-to-do.html&quot;&gt;http://www.freehostia.com/blog/webhosting/site-hacked-what-to-do.html&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://www.malwaredomainlist.com/forums/index.php?topic=3122.0&quot;&gt;http://www.malwaredomainlist.com/forums/index.php?topic=3122.0&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html&quot;&gt;http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf&quot;&gt;http://www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://codex.wordpress.org/FAQ_My_site_was_hacked&quot;&gt;http://codex.wordpress.org/FAQ_My_site_was_hacked&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://www.webdevelopersnotes.com/hosting/website_hacked_what_to_do.php3&quot;&gt;http://www.webdevelopersnotes.com/hosting/website_hacked_what_to_do.php3&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://ocaoimh.ie/did-your-wordpress-site-get-hacked/&quot;&gt;http://ocaoimh.ie/did-your-wordpress-site-get-hacked/&lt;/a&gt;&lt;br /&gt;
&lt;li&gt;&lt;a href=&quot;http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/&quot;&gt;http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/&lt;/a&gt;&lt;/ul&gt;&lt;br /&gt;
While each of these sites gives good advice, there is no single consensus regarding appropriate steps. My own checklist is a little more detailed and extreme.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Neal&#039;s Post-Compromise Checklist&lt;/H3&gt;&lt;br /&gt;
Nobody wants to have their site compromised. However, like auto accidents, bad things happen. If you were not paying attention (like texting while driving or not applying system patches) then bad things are more likely to happen to you.&lt;br /&gt;
&lt;br /&gt;
Here are the steps that I usually recommend to people with compromised web sites:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Stay calm. Only the &lt;a href=&quot;http://codex.wordpress.org/FAQ_My_site_was_hacked&quot;&gt;WordPress checklist&lt;/a&gt; included this advice, but it is very valuable. Now is not the time to panic, place blame, or get angry. Compromises and exploits go hand in hand with technology. Don&#039;t panic, deal with it.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Check your own systems for malware. There is no point in fixing the server if your own workstation is infected. It is actually very common for a home computer to be infected and used to gain access to your public blog or web server.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Take the site offline. Most e-commerce companies really don&#039;t like this idea. However, which is more important? Making a sale, or compromising your customer&#039;s credit card and tarnishing your reputation because your site was hijacked? Shut it down. Put up a temporary &quot;We&#039;re upgrading, back in 48 hours&quot; message.&lt;br /&gt;
&lt;P&gt;&lt;br /&gt;
After you take your site offline, check to make sure it really is offline. Some attacks actually hijack your domain name (DNS entry) and not the server itself. If your site still looks online, has the DNS server been compromised? Your DNS registrar and/or domain hosting provider can usually help you in this situation.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Make a full backup. This includes all files, scripts, and database records. Yes, it is infected. But if you don&#039;t have backups then this is your only option.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Grab your logs. You will need these to identify how the attack was done, when it happened, and who else might have been infected. This includes system logs, web logs, and any other kind of log file. Grab it first and see if you need it later.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Evaluate the compromise. What kind of attack was it? Were they after &quot;a site&quot; or &quot;your site&quot;? Was the attacker looking for low hanging fruit or was it personal? Most malware, like the kind that inserts links, is automated. It scans for known vulnerabilities and infects anyone it finds. If you were compromised this way, then it is likely because you have a default configuration with a known vulnerability (known to the attacker).&lt;br /&gt;
&lt;br /&gt;
Defacements may be automated or semi-automated. They scan for sites with known vulnerabilities and then they either automatically or manually deface the site.&lt;br /&gt;
&lt;br /&gt;
E-Commerce theft is usually associated with an initial automated vulnerability scan. The scan is followed by a manual compromise that is customized for the site. However, if you use a very common e-commerce package, then the compromise may be semi or fully automated.&lt;br /&gt;
&lt;br /&gt;
Personal attacks are always manual compromises.&lt;br /&gt;
&lt;br /&gt;
It is important to recognize that automated attacks are almost never against custom code. They look for known vulnerabilities in default installations. If you change the defaults, move default files, or otherwise filter and harden the site, then automated attacks are very unlikely to succeed.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Look for similar attacks. Are other people running the same software getting attacked? Perhaps you need a patch. Is it everyone on the same server or in the same hosting environment? Maybe someone should maintain the system. Is it all of your accounts? Perhaps your computer has a virus.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Change passwords. Between taking the server offline and changing passwords, attackers will be kept out while you repair the system. (Hopefully.)&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Wipe the system. There is only one thing people hate more than being told to turn off an e-commerce site, and that&#039;s being told to wipe the system and reinstall from scratch. But seriously, the inserted URLs and malware may only be the part that you notice -- much more may have been done to the system. There could be backdoor software, trojans, or embedded viruses that cannot be removed by a simple system restore. By wiping and reinstalling, you ensure that all malware is gone.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Patch. Bring the system up to the current state of the art. While you&#039;re at it, harden the system and change all system defaults.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Restore. You do have backups from before the compromise, right? If not, then install basic software (like blogs and wikis) and harden them first. Then place custom software on the system. Finally, restore content. Be sure to validate that the content is not infected. You can do this by reviewing the content before uploading it. (What? Review your 10,000 blog entries? Yes. There is no point in removing the malware from the server if you&#039;re just going to upload it again.)&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Change passwords again. Passwords before the patch and restore could have been compromised.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Watch. Now you can turn the system back on. If the attackers come back, then you didn&#039;t patch or restore something. (And now you have experience to recover much faster!) Watch your logs and IDS and try to determine how they exploited your site. If the logs show nothing, then you know which parts of your site were not responsible for the attack.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Blame. This is everyone&#039;s favorite part. If you don&#039;t have logs, don&#039;t regularly patch or update, and don&#039;t maintain the system, then you cannot blame anyone except yourself. Security is a moving target -- software that was secure yesterday may not be secure today. Unless an administrator did something completely stupid, such as posting login credentials in a public forum or actively assisting the attacker, then there probably is nobody else to blame. Blame the management.&lt;br /&gt;
&lt;br /&gt;
Too many times I have seen management blame developers or software for compromises. For example, if your old version of WordPress was the source of the compromise, then they will blame WordPress even when newer versions are available. (Let&#039;s blame the software instead of ourselves for failing to maintain and harden the systems.)&lt;/ol&gt;&lt;br /&gt;
Having your site compromised isn&#039;t fun, but it isn&#039;t the end of the world either. Stay calm and address the problem. Treat it as you would any other learning experience. 
    </content:encoded>

    <pubDate>Sat, 10 Jul 2010 20:06:36 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/385-guid.html</guid>
    
</item>
<item>
    <title>Failure to Communicate</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/384-Failure-to-Communicate.html</link>
            <category>Network</category>
            <category>Politics</category>
            <category>Travel</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/384-Failure-to-Communicate.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=384</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=384</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    A couple of days ago I &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/382-Why-Oh-WiFi.html&quot;&gt;wrote&lt;/a&gt; about my need for wireless network capabilities when traveling, and my fear of becoming an early adopter of new peripherals. The feedback I got back was amazing. A few people posted comments but nearly a dozen people wrote to me directly with advice, suggestions, and horror stories.&lt;br /&gt;
&lt;br /&gt;
The feedback identified three classes of solutions:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Standalone hubs&lt;/b&gt;. There is a class of 3G router that connects to the network and acts like a local WiFi hotspot. As long as your computer can talk regular 802.11 (a/b/g/i/whatever), it can connect to the hub. The hub connects to the 3G network, giving you Internet access. Dr. Silk recommended the &lt;a href=&quot;http://www.verizonwireless.com/b2c/mobilebroadband/?page=products_mifi&amp;CMP=KNC-PaidSearch&amp;rf=google.com&quot;&gt;MiFi 2200 from Verizon&lt;/a&gt;. I gotta agree with him -- this looks like an excellent solution, especially for residences that cannot get cable or DSL but with 3G coverage (like my friend who lives a few miles outside the city limits). The downsides are not too extreme: claimed 4 hour battery life (forums make it sound like 2 hours with heavy use) and tied to Verizon&#039;s 5GB limit for an expensive $60/month. Again, if you can keep it plugged in and have a couple of people at home using it, then $60/month isn&#039;t bad at all.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Tethered&lt;/b&gt;. A tethered solution is where you have a USB cable going from your computer to your cell phone. The cell phone provides the modem/router support and connectivity to the 3G/Edge/4G/etc. network. As long as your cell phone works, you should have network connectivity. This is a great solution for anyone with a smartphone (like the iPhone or Android) -- particularly since you are probably already paying for the bandwidth and you&#039;re just not using it.&lt;br /&gt;
&lt;br /&gt;
Every now and then I looked into smartphones. Right now the battery life isn&#039;t acceptable for me. My current phone can go nearly a week with heavy use (well, heavy use for me) before needing a charge. It can go nearly 2 weeks if I rarely use it and leave it turned on. My EeePC gets about 7 hours per charge and that includes heavy use (programming and compiling and networking). In contrast, most smartphones last 4-8 hours at best.&lt;br /&gt;
&lt;br /&gt;
In my case, I don&#039;t have a smartphone. While I do have a cell phone, it is almost always turned off. (I don&#039;t like cell phones and I only use it when traveling.) I&#039;m actually on a pay-as-you-go plan and I usually spend about $100 a year on the phone. For my use model, the prepaid option is a great and inexpensive choice. For this reason, I cannot justify getting another phone (a smartphone to replace my Motorola v195) for the sole purpose of having network access when I travel.&lt;br /&gt;
&lt;br /&gt;
Frankly, I&#039;m griping about paying $10/day for Internet use at hotels. For the $60/month plan, that means I need to stay at hotels more than 6 days per month for this to be a viable option. And this doesn&#039;t take into account the $50-$200 price of the smartphone with a 2-year commitment. (Some smartphones are free with a 2-year contract, but they are either not iPhone/Android, or are running older operating system versions.)&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;USB Dongle&lt;/b&gt;. At first glance, these USB dongles seem perfect for me. The calling plans are usually not as expensive as a smartphone, there&#039;s no extra power supply (it runs off the USB power), and the use model is intended for laptops and travelers. However... these dongles are not just regular modems.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;My Bad Experience&lt;/H3&gt;&lt;br /&gt;
After a lot of soul searching, I finally settled on the T-Mobile webConnect USB dongle. As I understood it, there is a 200MB plan with overage fees and a 5GB plan with no overages for $40. And best yet, T-Mobile is having a sale, so the webConnect is only $20 instead of $45 (with 2 year contract). While the device only says that it supports Windows and Macs, there are plenty of people in the forums who say that they have it working for Linux.&lt;br /&gt;
&lt;br /&gt;
Well, spoiler alert: nothing is as it appears.&lt;br /&gt;
&lt;br /&gt;
Remember the old days when modems spoke that Hayes &quot;AT&quot; control code stuff over a serial port? It didn&#039;t matter what kind of computer you had as long as you spoke RS232 and used the standard AT command sequences. That&#039;s not the case today. +++&lt;br /&gt;
&lt;br /&gt;
Today, the USB dongles do speak the AT command set (with additional commands for broadband negotiation). However, there is nothing standard about how you access the modem. There are three types of devices on the market right now, and if you choose wrong, you&#039;ll get screwed.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Plain modem or NIC&lt;/b&gt;. There are a few USB dongles that plug in and look either like a serial modem or like a network interface card. These have out-of-the-box support by most Linux distributions. Unfortunately, these seem to be limited to the older devices. Some don&#039;t support 3G and most have no means for supporting the new 4G and HSPA+ networks.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Dual device and ZeroCD&lt;/b&gt;. The description from the usb-modeswitch package for Linux describes this very well:&lt;br /&gt;
&lt;blockquote&gt;Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the &quot;ZeroCD&quot; feature.&lt;/blockquote&gt;&lt;br /&gt;
Most versions of the T-Mobile webConnect device are in this category. If you put it in and it doesn&#039;t work as a serial modem, then install the usb-modeswitch package. This will temporarily turn off the ZeroCD feature and allow you to access the modem.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Total software solution&lt;/b&gt;. Beginning last December, a few manufacturers began to roll out &quot;lite&quot; versions of these USB modems. From what I can tell, they totally removed most of the firmware and do most things in software. I suspect that this was done more for cutting hardware costs than for any actual performance or flexibility gain. Unfortunately, there is unlikely to be any Linux support unless the manufacturers port their code to Linux.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Hear No Evil&lt;/H3&gt;&lt;br /&gt;
At the time I was doing the purchase, I specifically asked about Linux support. The woman who was helping me at the T-Mobile store wanted to make sure too, so she called their technical support. The first two people she spoke with didn&#039;t know what Linux was. (OMG! Are you kidding me? It&#039;s 2010! My Grandmother knows what Linux is! Every sales person in the store knew about Linux! And this is the T-Mobile technical support?)&lt;br /&gt;
&lt;br /&gt;
She finally reached one technical support person who basically said, &quot;Does it work under Linux? I should know the answer to that, but I don&#039;t know and there really isn&#039;t anyone else if I escalate this.&quot; Since the Linux forums had many success stories with the webConnect (before I knew about the &quot;lite&quot; versions), I decided to risk it. Bad choice on my part.&lt;br /&gt;
&lt;br /&gt;
As it turns out, the $20 &quot;on sale&quot; device from T-Mobile is actually a Huawei UMG1691 (also called the E1691). The 1690 and 1692 are ZeroCD devices and appear to be &lt;a href=&quot;http://www.draisberghof.de/usb_modeswitch/#hardware&quot;&gt;supported&lt;/a&gt; by usb-modeswitch. The 1691 is a lite version and only has software for Windows and Mac. After a few days of fighting with it, doing much more homework, and even calling tech support, I finally learned about the UMG1691 -- it is a total software solution and will never work under Linux (without additional software that doesn&#039;t exist today).&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;See No Evil&lt;/H3&gt;&lt;br /&gt;
At this point, I had two options: return it or exchange it for a different version. As long as your CPU isn&#039;t running at a full load, the performance between the ZeroCD and Lite devices should be similar. I gave it a quick try in my Mac desktop system to see if it was worth exchanging. I ended up noticing two things.&lt;br /&gt;
&lt;br /&gt;
First, the bandwidth was limited to 200MB. Huh? I paid for the 5GB and no overages for more than the advertised $40 price. Well, the offer on &lt;a href=&quot;http://www.t-mobile.com/shop/plans/Cell-Phone-Plans.aspx?catgroup=Internet-Email-cell-phone-plan&amp;WT.z_shop_plansLP=Internet_email&quot;&gt;the web site&lt;/a&gt; doesn&#039;t match the offer in the store. In the store, it is 200MB with or without overages. The store does not offer an Internet-only plan for $40 with 5GB and no overages.&lt;br /&gt;
&lt;br /&gt;
After you go over your monthly limit, they either charge you $0.05 per MB or nothing (no overages). In the latter case, they simply reduce your bandwidth.&lt;br /&gt;
&lt;br /&gt;
So how fast is the bandwidth? My Mac&#039;s benchmark reported at about 400KB per second down, and much less up. Uh, I deal with computer forensics. I&#039;m usually transferring very large files -- CDs or DVDs or on some occasions, multiple DVDs. For me, 1MB per second is slow and 400KB/sec is unacceptable.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;T-Mobile is Evil&lt;/H3&gt;&lt;br /&gt;
The upside is that I was allowed to return it to T-Mobile within the 2-week window for a refund. (I was 3 days into the contract.) No connection fee, reimbursed for the hardware, and they waived the 1MB of bandwidth I used (no prorating service since I couldn&#039;t get it to work on the desired system). However, they did keep a $10 &quot;restocking fee&quot; that was buried in the fine print. (Had I known that there was a chance of failure and a $10 restocking fee, I would have passed on this experiment.)&lt;br /&gt;
&lt;br /&gt;
So to summarize: (1) Stay away from the UMG1691 like the plague -- it is the &lt;a href=&quot;http://www.linux.org/docs/ldp/howto/Hardware-HOWTO/nic.html&quot;&gt;3C501&lt;/a&gt; of the USB wireless broadband world, (2) watch what they are selling and make sure it matches their offers on the web site, (3) if you have the option to use a hub or tethered solution, do that instead of the USB dongles, and (4) ask about any restocking fees -- even if they tell you that you will get a full refund within a 14 day grace period.&lt;br /&gt;
&lt;br /&gt;
Finally, I have to think that there is something seriously wrong with the mobile phone market. Every store I went into (T-Mobile, Verizon, AT&amp;amp;T, and Sprint) had a huge number of customers hanging around. T-Mobile, Sprint, and AT&amp;amp;T each had a person adding names to a waiting list. In each case, the majority of customers were not there to buy -- they were there seeking returns, refunds, or corrections. The last time we saw something like this, the housing market collapsed and huge numbers of people defaulted on loans. Are we heading toward a communication breakdown since the phone companies are investing in an acceptable level of service? 
    </content:encoded>

    <pubDate>Thu, 01 Jul 2010 22:06:03 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/384-guid.html</guid>
    
</item>
<item>
    <title>Through The Looking Glass</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/383-Through-The-Looking-Glass.html</link>
            <category>Forensics</category>
            <category>Image Analysis</category>
            <category>Mass Media</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/383-Through-The-Looking-Glass.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=383</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=383</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
The hardest part of forensic analysis isn&#039;t the tools; it&#039;s the training. Anyone can buy rubber gloves, swabs for collecting blood samples, and plastic evidence bags. But if you are not trained to properly collect, handle, and evaluate evidence, then the &lt;a href=&quot;http://www.crime-scene-investigator.net/blood.html&quot;&gt;tools and methods&lt;/a&gt; are meaningless.&lt;br /&gt;
&lt;br /&gt;
The learning curve is the hardest part. To address this, I&#039;ve been working on documentation and worksheets for digital image analysis and photo forensics. While there is still a steep learning curve, the investigator can review the worksheets as a checklist for common things to evaluate. The associated documentation provides details regarding the checklist items, in case the investigator needs to review how a particular system works.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;An Eye For Details&lt;/H3&gt;&lt;br /&gt;
While luminance gradient and &lt;a href=&quot;http://www.errorlevelanalysis.com/&quot;&gt;error level analysis&lt;/a&gt; draw pretty pictures, the most important tool is basic observation. It is one thing to see the big and obvious signs of manipulation. It is something else to remember all of the fine details.&lt;br /&gt;
&lt;br /&gt;
The folks at &lt;a href=&quot;http://photoshopdisasters.blogspot.com/&quot;&gt;Photoshop Disasters&lt;/a&gt; recently posted a couple of amazingly bad shopped pictures that clearly illustrate the power of observation for detecting image modifications.&lt;br /&gt;
&lt;br /&gt;
The first picture comes from an ad campaign for fingernail polish. The picture is supposed to show a model and some nail polish. The magical stars that go from her elbow to the picture frame are just artistic. However, it is the fine details that make this such an obvious disaster... Just using your eyes, what stands out as abnormal and not intentionally artistic? Give yourself a minute to look over it, then scroll down and see how many things you noticed.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.queens.com.my/viewthread.php?tid=9960120&quot;&gt;&lt;img src=&quot;http://lh5.ggpht.com/_Uw91icJn-go/TCpysAtCo9I/AAAAAAAABjY/SoWxIqcDzAs/s800/Jolin2.jpg&quot;&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
If you only saw the disconnected leg, then give yourself one point. (If you didn&#039;t notice the leg, then go back and try again. As Thall commented at &lt;a href=&quot;http://photoshopdisasters.blogspot.com/2010/06/oopsjealous-so-hip.html&quot;&gt;PsD&lt;/a&gt;, &quot;That women could birth a horse or two with those hips!&quot;) Other oddities include:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Her waist is out of proportion.&lt;br /&gt;
&lt;li&gt;There is a black triangle between her torso and floating leg. The artist forgot to cut out this area.&lt;br /&gt;
&lt;li&gt;Her left forearm (photo right) is significantly longer than her right forearm.&lt;br /&gt;
&lt;li&gt;She has two thumbs on her lower hand. (One thumb could be her foot showing through a strap in the shoe, but it is actually blended into the hand.) Oh, and don&#039;t mind the &quot;S&quot; on her finger; other photos show it as a tattoo or something.&lt;br /&gt;
&lt;li&gt;Her neck is showing a tendon, indicating that her head is turned. However, her head is looking straight and is not centered on the neck. Yes, they cut off her head and pasted on a different head.&lt;br /&gt;
&lt;li&gt;She is missing a clavicle (shoulder bone) -- one is there, but the other was erased.&lt;br /&gt;
&lt;li&gt;Her boobs are different sizes, and not in a natural way (unless the left one is half as long and deflated...).&lt;br /&gt;
&lt;li&gt;The shadow under her head indicates a bright light to the upper right. But the floating leg isn&#039;t casting the same shadow onto the other leg. And the shadow from the sleeve onto her straight arm has a shadow going the other direction. Inconsistent lighting means splices.&lt;br /&gt;
&lt;li&gt;Of course, all of these are issues with the woman. Over at PsD, ZaphodQB noticed that the reflection of the black polish does not meet the bottom of the black bottle.&lt;/ul&gt;&lt;br /&gt;
This isn&#039;t the full list. What else do you see? No wonder their product is called &quot;Oops!&quot;&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;The Perfect Model&lt;/H3&gt;&lt;br /&gt;
I&#039;m always looking for good sample images that demonstrate specific points. Ideally, I want one picture that only demonstrates one thing, then another that demonstrates the same thing with more complexity, and finally an example that brings everything together.&lt;br /&gt;
&lt;br /&gt;
From the Oops! example, we know to look for different classes of manipulation. These attributes become our checklist:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Limbs: Are all of them accounted for? Are all connected? Are they the right proportions?&lt;br /&gt;
&lt;li&gt;Reflections: Do items line up properly?&lt;br /&gt;
&lt;li&gt;Shadows and lighting: Are they consistent?&lt;/ul&gt;&lt;br /&gt;
Now we can apply this to a new set of pictures.&lt;br /&gt;
&lt;br /&gt;
At Photoshop Disasters, they &lt;a href=&quot;http://photoshopdisasters.blogspot.com/2010/06/louis-vuitton-through-glass-dorkily.html&quot;&gt;featured&lt;/a&gt; a picture from the French fashion house, Louis Vuitton. However, the web page at &lt;i&gt;Fashion Gone Rogue&lt;/i&gt; contains many pictures from the &quot;&lt;a href=&quot;http://fashiongonerogue.com/louis-vuitton-fall-2010-campaign-christy-turlington-natalia-vodianova-karen-elson-steven-meisel/&quot;&gt;Louis Vuitton Fall 2010 Campaign&lt;/a&gt;&quot; (also available at &lt;a href=&quot;http://www.fashionologie.com/Louis-Vuittons-Fall-2010-Campaign-Features-Three-Supermodels-Born-Three-Different-Decades-8902686&quot;&gt;Fashionologie&lt;/a&gt;). It is an homage to digital distortions.&lt;br /&gt;
&lt;br /&gt;
Starting at the top is the &lt;a href=&quot;http://imagesgonerogue.com/images/lilyheader.jpg&quot;&gt;banner&lt;/a&gt; for &lt;i&gt;Fashion Gone Rogue&lt;/i&gt;. Her upper arms are very different lengths. It is also faint (better seen with luminance gradient), but it looks like there is a strap or something going across her shoulder and down her cleavage. (This could be where the artist stopped altering the skin.)&lt;br /&gt;
&lt;br /&gt;
&lt;img src=&quot;http://lh4.ggpht.com/_Uw91icJn-go/TCpyM_TGo-I/AAAAAAAABjQ/k0DyuLchklM/s800/lilyheader.png&quot;&gt;&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TCpyNFFoyzI/AAAAAAAABjU/cs8KwpRITmY/s800/lilyheader-lg.png&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Mirror Mirror On The Wall&lt;/H3&gt;&lt;br /&gt;
The various photos from Louis Vuitton have been equally mangled. Let&#039;s use our new checklist...&lt;br /&gt;
&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TCpz4OZw3wI/AAAAAAAABjg/QhW73giUx88/s800/louisvuittoncampaign3.jpg&quot;&gt;&lt;br /&gt;
The picture claims to show three women in a dressing room. Each has different color hair: red, blonde, and brunette.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Limbs&lt;/b&gt;&lt;br /&gt;
Every person has two arms? Check! Extra fingers? Nope. Legs and feet? Uh... the brunette on the right has an ankle but is missing toes.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Reflections&lt;/b&gt;&lt;br /&gt;
The right-most mirror (behind the toe-less brunette) is not reflecting anyone in the room. The blonde has her hand up in the room but her hand is down in the mirror. That same mirror also shows a light bulb in the reflection, but the bulb does not exist in the room.&lt;br /&gt;
&lt;br /&gt;
The second mirror from the right shows bulbs but they don&#039;t align with the bulbs in the room.&lt;br /&gt;
&lt;br /&gt;
The mirror on the far left shows red&#039;s head from the back. However, red&#039;s head is not turned to show her back to that mirror. And the mirror&#039;s reflection shows the lamp on the wrong side. The reflection does not match the room.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Lights and Shadows&lt;/b&gt;&lt;br /&gt;
When an item sits next to an illuminated light, it is made brighter. And when items are facing away from the light, they are in shadow. Complex lighting, such as floods, reflectors, and bright ambient lighting, can mitigate shadows.&lt;br /&gt;
&lt;br /&gt;
However, those mirrors have a lot of bright lights. The women should have brightly lit backs. But this isn&#039;t what we&#039;re seeing. The brunette has bright reflections off her chest but not her back. The blonde has a bright clavicle but an under-lit neck. The pile of junk in the back has a brown fabric thing above the handbag; it is lying next to a light bulb and not lit up.&lt;br /&gt;
&lt;br /&gt;
This isn&#039;t a comprehensive list and there are other oddities that are not in our checklist. For example, the blonde&#039;s dress seems to have a layering issue with red&#039;s chair. The dress fabric suddenly becomes semi-transparent and you can see the chair through it.&lt;br /&gt;
&lt;br /&gt;
Frankly, I kind of doubt that these three women even posed together for this picture.&lt;br /&gt;
&lt;br /&gt;
Some of the pictures in this series are much worse than others...&lt;br /&gt;
&lt;img src=&quot;http://lh3.ggpht.com/_Uw91icJn-go/TCp6PI74pqI/AAAAAAAABjo/HFL0ZkMCIeg/s800/louisvuittoncampaign6.jpg&quot;&gt;&lt;br /&gt;
&lt;br /&gt;
Dear Louis: While fabrics may be diaphanous, people are not. And while models may be vamps, they are not vampires. Please fix the left mirrors. You know, the ones with the time-delay reflections that show the brunette in two alternate positions and don&#039;t reflect the blonde.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Dress For Success&lt;/H3&gt;&lt;br /&gt;
While I can criticize these ads for pasting in people, changing reflections, and digitally altering lighting, I have to give Vuitton one piece of credit:&lt;br /&gt;
&lt;br /&gt;
Beyond expected color enhancements (applied to the entire picture) and splicing blends (expected from a composite image), I have not detected any modifications to the clothing. Well done. Unlike &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/319-You-Cant-Spell-ROFL-Without-RL.html&quot;&gt;Ralph Lauren&lt;/a&gt; and &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html&quot;&gt;Victoria&#039;s Secret&lt;/a&gt;, Vuitton&#039;s pictures do not appear to be a product bait-and-switch. 
    </content:encoded>

    <pubDate>Tue, 29 Jun 2010 20:10:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/383-guid.html</guid>
    
</item>
<item>
    <title>Why Oh WiFi</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/382-Why-Oh-WiFi.html</link>
            <category>Network</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/382-Why-Oh-WiFi.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=382</wfw:comment>

    <slash:comments>12</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=382</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    When I was much younger (and had hair), I was an early adopter of new technologies. I had a touch screen on my computer back when this meant affixing a semi-transparent plastic sheet to the monitor and plugging it into the joystick port. I had one of the first Apple ][c computers (with amber monitor), I remember the excitement when EGA superseded CGA graphics, and I actually bought AMI Pro when it first came out for OS/2.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, there are three big problems with being an early adopter. (1) New technology is usually buggy, (2) new technology lacks support, and (3) new technology will probably become outdated quickly. The plastic touch screen didn&#039;t work very well and was very hard to program. Touch screens didn&#039;t become popular until the technology matured -- two decades later. EGA was quickly replaced by VGA and SVGA. And AMI Pro was so buggy that I ended up writing my dissertation in WordPerfect. (I still think that 1992&#039;s WordPerfect 5.2 is better than today&#039;s Microsoft Word.)&lt;br /&gt;
&lt;br /&gt;
Due to my past experiences, I&#039;m rarely an early adopter of new technologies. For example, I didn&#039;t buy my first DVD player until years after DVDs came out. Shortly after DVDs came out, there was a rumor about a better technology. Just as records were replaced by CDs overnight, I didn&#039;t want to start buying DVDs when everyone was switching to HD DVDs. I waited until I was sure that DVDs were not superseded. And I&#039;m glad I waited; BluRay beat out HD DVDs, but the slow adoption rate tells me that my DVDs won&#039;t be outdated in the near future. (I know two guys who spent small fortunes on their betamax and laserdisc collections.)&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Wireless Broadband&lt;/H3&gt;&lt;br /&gt;
More and more, I&#039;m finding myself in situations where I need network access. Hotels, for example, either have very slow access for free, or no access at all. I hate driving 10 miles to find a bookstore or coffee shop that has free WiFi, and I cannot justify spending $12 to $25 per day for a hotel&#039;s paid Internet service. Besides the outrageous prices, there are limitations regarding &lt;i&gt;when&lt;/i&gt; the 24-hour period ends. Some hotels are 24 hours from purchase, others are noon-to-noon or midnight-to-midnight. And if you shut down your computer, then you may forfeit your paid 24-hour service.&lt;br /&gt;
&lt;br /&gt;
More than once, I&#039;ve found myself in an airport or parking lot and needing Internet access. I almost missed a contract because I couldn&#039;t get Internet access during a two-hour layover -- I had to wait 5 hours before I could get online.&lt;br /&gt;
&lt;br /&gt;
Because of this, I&#039;ve finally decided to break down and buy one of those wireless broadband services. Oh, what a nightmare! Right now, I&#039;m just pricing and comparing services. Some of the things I have found so far:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Unless you go with one of the big four (Sprint, Verizon, AT&amp;amp;T, or T-Mobile), you will likely not have coverage outside of a limited number of metro areas. Cricket&#039;s coverage map, for example, says that they don&#039;t offer 3G over most of Silicon Valley.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Most either want a 2-year contract (with a $200 - $400 cancellation fee) or offer a no-contract option. Currently with T-Mobile, the only difference is the cost of the device (no contract means paying full price for the device), but there is no difference in the monthly rate. Verizon has a no-contract rate that is really expensive. They want as much as $15 per day for the days you use it (that matches most hotels&#039; $12-$25 rate, and I don&#039;t have to buy a special device for hotel Internet access, and hotels usually don&#039;t have a bandwidth limit).&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;They all seem to offer two to three levels of Internet access. The lowest level is usually 50MB to 250MB per month. The mid-range is 3GB to 5GB per month (a DVD is 4.7GB, so you can do the math -- it&#039;s 2-3 Hulu feature films per month). A few providers offer &quot;unlimited&quot; bandwidth, but then you&#039;re talking $60-$80 or more per month. That&#039;s really expensive for something that I really would only use when I am not in the office.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Every single one of them says that they support Mac and Windows. Uh, what about Linux? I have that &quot;Early adopter means buggy code&quot; fear...&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;While nearly all wireless broadband providers support 3G networks, some provide support for newer networks. For example, Sprint is rolling out their 4G network. T-Mobile is offering &quot;HSPA+&quot;. And WiMax isn&#039;t dead yet. To me, this sounds like DVD vs BluRay vs HD DVD all over again -- but with a two-year contract that will lock me into the loser. I really want to wait until this settles out, but I&#039;m hitting a business necessity.&lt;/ul&gt;&lt;br /&gt;
&lt;H3&gt;Measuring Network Usage&lt;/H3&gt;&lt;br /&gt;
Each of these services charges based on bandwidth usage. However, they don&#039;t really tell you much about it. For example, is 250MB per month a lot or a little -- for checking email, surfing the web, and doing basic business tasks (not downloading videos or playing online games)?&lt;br /&gt;
&lt;br /&gt;
While there are many programs for measuring real-time network usage, I couldn&#039;t find a program to tell me the cumulative total usage. Command-line programs like &#039;netstat -i&#039; show the total number of packets, but not the total number of bytes. &#039;ifconfig&#039; and &#039;nload&#039; show the current byte totals, but that&#039;s from the start of the network interface and not from when I say &quot;start measuring now!&quot;&lt;br /&gt;
&lt;br /&gt;
Anyway, using nload, I decided to monitor my network usage while checking email, reading the web sites I usually read (CNN, USA Today, Photoshop Disasters, Facebook, and typical Google searches), and running VNC over SSH to access my office systems.&lt;br /&gt;
&lt;br /&gt;
The net result? I consumed 50MB in the first 30 minutes. That&#039;s half of the allocation of Verizon&#039;s $15 &lt;a href=&quot;http://www.verizonwireless.com/b2c/mobilebroadband/?page=products_prepaidmb&quot;&gt;pay-by-day plan&lt;/a&gt; and 25% of T-Mobile&#039;s &lt;a href=&quot;http://www.t-mobile.com/shop/plans/Cell-Phone-Plans.aspx?catgroup=Internet-Email-cell-phone-plan&amp;WT.z_shop_plansLP=Internet_email&quot;&gt;monthly 200MB allocation&lt;/a&gt;. Over the course of the day, I will probably use between 200MB and 750MB of bandwidth. (I&#039;m not always surfing the web.) Any plan offering less than 1GB per month is an expensive rip-off. (Your mileage will vary based on how you use the Internet.)&lt;br /&gt;
&lt;br /&gt;
Fortunately, I&#039;m only going to need this type of service for 1-2 hours per day and not more than 10 days per month. That comes out to about 20 hours at 100MB per hour, or 2GB per month. However, that&#039;s based on today&#039;s usage. I&#039;m very likely to see overages as I approach the middle of a 2-year contract and my needs expand.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Defcon!&lt;/H3&gt;&lt;br /&gt;
&lt;a href=&quot;http://www.defcon.org/&quot;&gt;Defcon&lt;/a&gt; is coming up next month. One of the &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/302-The-Death-of-Vegas.html&quot;&gt;big problems with Las Vegas&lt;/a&gt; is that there really is no good, free Internet on the Strip. Krispy Kreme (in Excalibur) and Coffee Bean and Tea Leaf (Planet Hollywood) offer hit-and-miss free WiFi -- when it works, it works well enough, but when it is down, they rarely know how to reboot the router. All of the Starbucks (in every hotel) only offer fee-based services -- if they offer WiFi at all. The Apple Store in the Fashion Mall has free WiFi, but that isn&#039;t exactly convenient. None of these free locations are open 24 hours a day.&lt;br /&gt;
&lt;br /&gt;
Nearly all hotels offer fee-based Internet in your room. Some are wireless only, others have wired but you might need to bring your own cable. (I&#039;ve been in too many hotel rooms where the in-room network cable was busted.)&lt;br /&gt;
&lt;br /&gt;
Defcon does offer free WiFi to attendees, but I won&#039;t go near it. It is an actively hostile network. Even if you are not worried about someone hijacking your SSH or SSL connection (with client-side certs), they can still DoS your connection and attack the server&#039;s IP address. Oh, and don&#039;t think that Tor or SSL (&lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/379-The-Placebo-Effect.html&quot;&gt;without client certs&lt;/a&gt;) will save you -- last year, I heard that the &lt;a href=&quot;http://www.wallofsheep.com/&quot;&gt;Wall of Sheep&lt;/a&gt; ran their own Tor node as well as used man-in-the-middle attacks on SSL.&lt;br /&gt;
&lt;br /&gt;
With Defcon coming up, I&#039;m looking for a solid, reliable, secure-enough solution for Internet access. If I go 3G, I still won&#039;t use it at the conference... but back at the hotel room should be fine. (Right?) Is 3G the way to go? Are there other options? Which providers are best and include support for Linux? Hopefully this year I will guess correctly and choose well for the duration of a two-year contract. Oh, and what do people use in other countries? I might travel in the future and BlackHat in Europe sounds fun! 
    </content:encoded>

    <pubDate>Sat, 26 Jun 2010 22:28:01 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/382-guid.html</guid>
    
</item>
<item>
    <title>Good Intentions</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/381-Good-Intentions.html</link>
            <category>Mass Media</category>
            <category>Politics</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/381-Good-Intentions.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=381</wfw:comment>

    <slash:comments>3</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=381</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
A little over a week ago, a US intelligence analyst was &lt;a href=&quot;http://www.wired.com/threatlevel/2010/06/leak/&quot;&gt;arrested&lt;/a&gt; for submitting classified documents to Wikileaks. I have some serious issues about this arrest. While the analyst may have thought he was doing something ethically right, he went about it by doing something legally wrong. For example, while some of his wikileaked materials probably did need to be exposed (like the mistaken &lt;a href=&quot;http://www.wired.com/dangerroom/2010/04/whistleblower-report-leaked-video-shows-us-coverup/&quot;&gt;killing of two journalists&lt;/a&gt; and the subsequent cover up), how many operations and soldiers&#039; lives were put in danger by the leak?&lt;br /&gt;
&lt;br /&gt;
I can hear some people right now saying &quot;Huh? What?&quot; Think about it. With the exception of leaked videos, the general public does not know our full, technical capabilities. As I recently heard on an &lt;a href=&quot;http://www.imdb.com/title/tt0658039/&quot;&gt;NCIS repeat&lt;/a&gt;: the schematics for Air Force One are a secret. Hollywood just guesses at the layout. But here is SPC Bradley Manning, showing how things are really done. This is information that the enemy can use against us. By leaking an uncensored video with audio, Manning may have done far more harm than good; he exposed a cover up, as well as processes, procedures, and technologies that the United States and its allies use against real terrorists and threats to our nation.&lt;br /&gt;
&lt;br /&gt;
There were also better ways to expose a cover-up. For example, he could have anonymously contacted a congressman. This would make the information public without releasing the video. Any anti-war congressman would have been a good choice.&lt;br /&gt;
&lt;br /&gt;
While Manning may have thought that he was ethically correct in releasing the video, I cannot think of anything that would make leaking &quot;an entire repository of classified foreign policy&quot; documents, &quot;260,000 classified U.S. diplomatic cables&quot;, or &quot;a classified Army document evaluating Wikileaks as a security threat&quot; ethically correct. Manning&#039;s actions look like treason to me.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;From Bad to Worse&lt;/H3&gt;&lt;br /&gt;
Wikileaks is intended as a forum for anonymous whistle blowers. If you are going to do something anonymously, then do it anonymously. Don&#039;t go around telling people that you were actually behind it. And if you&#039;re going to tell someone it was you, then don&#039;t tell it to a reporter. And of all the reporters you could talk to, don&#039;t choose one who has a history of unethical behavior!&lt;br /&gt;
&lt;br /&gt;
That&#039;s right: Manning chatted with &lt;i&gt;Wired&lt;/i&gt;&#039;s Adrian Lamo. When people create lists of hackers, they always include the &lt;a href=&quot;http://webupon.com/security/convicted-nine-notorious-hackers-of-our-time/&quot;&gt;notorious ones&lt;/a&gt;: Kevin Mitnick, Jonathan James (aka c0mrade), Max Ray Butler (aka Max Vision), Kevin Poulsen (aka Dark Dante), and others -- including Adrian Lamo (aka The Homeless Hacker). Even lists that &lt;a href=&quot;http://www.computerscienceschools.net/blog/2010/10-convicted-computer-criminals/&quot;&gt;don&#039;t list the &quot;most notorious&quot;&lt;/a&gt; include Lamo. &lt;small&gt;(Thanks Adam for the link.)&lt;/small&gt;&lt;br /&gt;
&lt;br /&gt;
Is there any reason to think that Lamo would not turn in Manning? I think not. Frankly, there are few reporters that I trust (very few). Most are more interested in sensationalism than accuracy. That, along with Lamo&#039;s established ethical lapses, makes me distrust him more than most reporters. Manning put his trust in a reporter with a criminal record, and the reporter exposed his source for notoriety.&lt;br /&gt;
&lt;br /&gt;
&lt;H3&gt;Looking for the Good&lt;/H3&gt;&lt;br /&gt;
Every list of &quot;hackers&quot; that I found online mentioned the evil ones. The lawbreakers, criminals, and socially deviant ones. However, not all hackers are evil. I&#039;ve recently had conversations about identifying good hackers. (Thanks to Mike, Bill, R., and the &lt;a href=&quot;http://isc.sans.org/&quot;&gt;Internet Storm Center&lt;/a&gt;&#039;s handlers for the great insight.)&lt;br /&gt;
&lt;br /&gt;
When it comes to naming hackers, people immediately recall the bad guys. I mean, everyone has heard of &lt;a href=&quot;http://en.wikipedia.org/wiki/Kevin_Mitnick&quot;&gt;Kevin Mitnick&lt;/a&gt;, but who can remember the name of the guy who caught him -- without consulting Wikipedia or Google? (answer: Tsutomu Shimomura; half credit if you remembered John Markoff.)&lt;br /&gt;
&lt;br /&gt;
Perhaps one reason is the postage stamp mentality. The US Post Office won&#039;t put someone on a stamp until they are dead. The reason: Bad people may continue to do bad things without harming their reputation. However, a good person may screw up at the end and &lt;a href=&quot;http://www.washingtonpost.com/wp-dyn/content/article/2010/06/07/AR2010060701493.html&quot;&gt;tarnish everything&lt;/a&gt; they have previously done. So someone who is an awesome, positive role model and hacker today could be &lt;a href=&quot;http://en.wikipedia.org/wiki/Hans_Reiser&quot;&gt;tomorrow&#039;s villain&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
The other problem comes from the large number of good hackers who are better known by their software than their own actions. For example, &lt;a href=&quot;http://www.snort.org/&quot;&gt;Snort&lt;/a&gt; is an awesome piece of software, but who can remember that Martin Roesch created it? Roesch is a good guy hacker, but his software is better known than him. The same goes for Tatu Ylonen and Bjorn Gronvall (SSHv1 and SSHv2), Giorgio Maone (NoScript), and many other people.&lt;br /&gt;
&lt;br /&gt;
The real question is: What sets a notable good guy apart from the rest? If writing good code is good enough, then certainly Flash, HTML, and Photoshop could also be included. (Their developers were not intentionally evil...) But can you actually say that someone changed how we act (or react) in a positive way?&lt;br /&gt;
&lt;br /&gt;
I guess what I&#039;m really wondering...&lt;br /&gt;
If you had one team of evil villains (Mitnick, Lamo, Poulsen, etc.) on one side, who would you stack against them as memorable good guys on the other side? (Mitnick vs &lt;a href=&quot;http://en.wikipedia.org/wiki/Frank_Abagnale&quot;&gt;Frank Abagnale Jr.&lt;/a&gt; -- after Frank turned good; Poulsen vs &lt;a href=&quot;http://en.wikipedia.org/wiki/Peiter_Zatko&quot;&gt;Mudge&lt;/a&gt;? Lamo vs ?)&lt;br /&gt;
&lt;br /&gt;
Here&#039;s my short list of good guy hackers whose influence is far more than just code. &lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/Jim_Christy&quot;&gt;Jim Christy&lt;/a&gt; and &lt;a href=&quot;http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_%28book%29&quot;&gt;Clifford Stoll&lt;/a&gt;. They &lt;a href=&quot;http://www.wired.com/wired/archive/15.01/cybercop.html&quot;&gt;cracked&lt;/a&gt; the &lt;a href=&quot;http://www.time.com/time/magazine/article/0,9171,967260,00.html&quot;&gt;Hannover Hackers&lt;/a&gt; and brought international awareness to hacking as cyber espionage. Before that point, nobody realized the threat and all discussions were theoretical. Jim went on to found the Pentagon&#039;s first digital forensic lab and was the director of the &lt;a href=&quot;http://www.dc3.mil/&quot;&gt;Defense Cyber Crime Center&lt;/a&gt; (DC3) -- the first and largest computer forensics lab. (It just goes to show that a $0.75 accounting error can lead to more than a few pennies.)&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Mark Rasch. He spent nine years as the head of the United States Department of Justice computer crime unit. During that time, he was responsible for investigating the Hannover Hackers, Kevin Mitnick, and Robert T. Morris. He also helped the FBI and Treasury Department develop their procedures on handling electronic evidence.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Phil Zimmermann. Without Phil, public crypto would probably still be nothing but underground software and munitions. Phil is more than just PGP -- today&#039;s PGP was created by a slew of developers. The remarkable element is how Phil paved the way for the world to use cryptography.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Marcus Sachs. A voice of reason, advising Presidents and helping set national policies on cyber threats. He&#039;s a hacker whose influence is more than just a piece of code. Marcus also heads the &lt;a href=&quot;http://isc.sans.org/&quot;&gt;Internet Storm Center&lt;/a&gt; -- the ISC handlers are like the &lt;i&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/The_All-New_Super_Friends_Hour&quot;&gt;Super Friends&lt;/a&gt;&lt;/i&gt; or &lt;i&gt;&lt;A href=&quot;http://en.wikipedia.org/wiki/Justice_League&quot;&gt;Justice League&lt;/a&gt;&lt;/i&gt;. (Is Swa Frantzen the Belgian equivalent of &lt;a href=&quot;http://en.wikipedia.org/wiki/Gleek_%28Super_Friends%29&quot;&gt;Gleek&lt;/a&gt;?)&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Jeff Moss (aka Dark Tangent). While not known for code or exploits, this geek has put together a world-renowned set of hacker conferences: Defcon and Black Hat. More earth shattering updates come from one week of these conferences than an entire year of Patch Tuesdays.&lt;br /&gt;
&lt;br /&gt;
&lt;li&gt;Bruce Schneier. This cryptography guru continually exposes security theater, where peddlers use snake-oil and provably inaccurate beliefs to influence and set policies.&lt;/ul&gt;&lt;br /&gt;
A couple of people mentioned Dan Kaminsky. Dan&#039;s a nice guy and has done oodles of good things by making vulnerabilities public -- and I am still in awe of how he handled that &lt;a href=&quot;http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug&quot;&gt;world-wide DNS update&lt;/a&gt;. However, he likes to get drunk while giving presentations at Defcon and other conferences... While Dan is fun to watch, public drunkenness doesn&#039;t exactly scream &quot;role model&quot;.&lt;br /&gt;
&lt;br /&gt;
There are plenty of other people I could add to this list. I&#039;m curious who other people think should be listed here. Remember the requirements: good guy, computer security or computer forensics, hackers, and most of all, influence beyond their immediate field or software. 
    </content:encoded>

    <pubDate>Mon, 21 Jun 2010 22:11:05 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/381-guid.html</guid>
    
</item>
<item>
    <title>Great Firefox Plugins</title>
    <link>http://www.hackerfactor.com/blog/index.php?/archives/380-Great-Firefox-Plugins.html</link>
            <category>Forensics</category>
            <category>Network</category>
            <category>Programming</category>
            <category>Security</category>
    
    <comments>http://www.hackerfactor.com/blog/index.php?/archives/380-Great-Firefox-Plugins.html#comments</comments>
    <wfw:comment>http://www.hackerfactor.com/blog/wfwcomment.php?cid=380</wfw:comment>

    <slash:comments>3</slash:comments>
    <wfw:commentRss>http://www.hackerfactor.com/blog/rss.php?version=2.0&amp;type=comments&amp;cid=380</wfw:commentRss>
    

    <author>blog@hackerfactor.com (Dr. Neal Krawetz)</author>
    <content:encoded>
    Last week was entertaining. I had the opportunity to assist in an interesting project -- part development, part forensics, and part penetration testing. Fortunately for me, I had a couple of Firefox plugins that really made the work easier. All of these plugins can be found by using the Tools -&amp;gt; Add-Ons menu under the Firefox web browser, or by going to &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/&quot;&gt;https://addons.mozilla.org/en-US/firefox/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;NoScript&lt;/h3&gt;&lt;br /&gt;
The &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/722/&quot;&gt;NoScript&lt;/a&gt; plugin is an absolute must-have. As far as I am concerned, it should be part of the default Firefox installation. This plugin stops all JavaScript, Flash, and other objects from automatically starting. You can also block access to some web servers, or if you really like a site, then you can add it to a white-list of permitted, trusted sites. If there happens to be something you want to run, you can permit it on a case-by-case basis.&lt;br /&gt;
&lt;br /&gt;
From a user&#039;s viewpoint, this is awesome. You don&#039;t have to worry about an unknown site sending malware to your browser. In my case, I didn&#039;t want to download videos, Java, and other stuff that would waste my CPU cycles and bandwidth.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;Httpfox&lt;/h3&gt;&lt;br /&gt;
When evaluating any kind of web-based service, either as a developer or as an auditor, you need to know what is being transmitted across the network. Usually I use &lt;a href=&quot;http://www.wireshark.org/&quot;&gt;Wireshark&lt;/a&gt; or &lt;a href=&quot;http://www.snort.org/&quot;&gt;Snort&lt;/a&gt;. The problem is, these only work well if you use HTTP and not &lt;a href=&quot;http://www.hackerfactor.com/blog/index.php?/archives/379-The-Placebo-Effect.html&quot;&gt;HTTPS&lt;/a&gt;. With HTTPS, you cannot see the traffic inside the tunnel (without compromising the tunnel).&lt;br /&gt;
&lt;br /&gt;
Fortunately, I had &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/6647/&quot;&gt;Httpfox&lt;/a&gt;. This plugin is like having Wireshark in the browser! It shows you all data that the browser sends and receives -- the URLs, request and response headers, cookies, post data, and query parameters.&lt;br /&gt;
&lt;br /&gt;
This plugin is great for auditing, but does have a few minor limitations. Specifically, if any of the values are longer than the visible fields, you don&#039;t get scroll bars. You can work around this by copying values to the clipboard, but that isn&#039;t an ideal solution.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;Firebug&lt;/h3&gt;&lt;br /&gt;
While Httpfox shows the network traffic, &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/1843/&quot;&gt;Firebug&lt;/a&gt; shows the HTML content. And this isn&#039;t just the HTML that was sent to your browser... it is the HTML that is displayed. If the web page includes JavaScript or active CSS content that alters the web page, then Firebug will show you the rendered values.&lt;br /&gt;
&lt;br /&gt;
Besides viewing the page, you can also edit the currently-displayed web page. If you are testing parameters, playing with web forms, or trying out different style sheet settings, then this is a must-have.&lt;br /&gt;
&lt;br /&gt;
Finally, clicking on the little arrow icon enables an inspector. As you hover the mouse over various elements on the web page, Firebug displays the active HTML elements (both HTML code and style sheet values). As a web developer, you&#039;ve probably had times where you wondered &quot;Where do I define that border?&quot; Well, the inspector quickly answers this.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;Add N Edit Cookies&lt;/h3&gt;&lt;br /&gt;
This plugin is an oldie but goodie. Httpfox shows you queries, but does not allow you to edit them. Firebug allows you to change the active HTML, so you can edit query parameters and URLs, but you cannot alter cookies. The &quot;Add N Edit Cookies&quot; plugin completes the set by allowing you to view and edit cookie values. (There are two versions of it. One is for &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/573/&quot;&gt;older browsers&lt;/a&gt; and the other is for &lt;a href=&quot;https://addons.mozilla.org/en-US/firefox/addon/13793/&quot;&gt;newer browsers&lt;/a&gt;.)&lt;br /&gt;
&lt;br /&gt;
There are a couple of other plugins for editing cookies. However, I like this one because it is simple to use.&lt;br /&gt;
&lt;br /&gt;
&lt;h3&gt;All Together&lt;/h3&gt;&lt;br /&gt;
With these four plugins, we were able to easily access our web services, debug the network traffic, view and test dynamic web content, and even validate cookie settings. With NoScript, we were able to restrict the content that the server sent to the browser and control exactly when different calls were made.&lt;br /&gt;
&lt;br /&gt;
In the old days, we would need to hack the SSL tunnel and use custom scripts to manage queries. Today, we can evaluate and modify the system in real time with just a few plugins.
    </content:encoded>

    <pubDate>Tue, 15 Jun 2010 17:30:34 -0700</pubDate>
    <guid isPermaLink="false">http://www.hackerfactor.com/blog/index.php?/archives/380-guid.html</guid>
    
</item>

</channel>
</rss>