Evangelism and other Definitions

I’ve been looking for a new job recently and found a position with an organization that does amazing work. They advertised for a security evangelist so I looked into the position. I’ve heard of the term before and never developed an opinion of them one way or the other. Frankly I didn’t really know what they did until a few days ago when my research began.

The first blog that popped up on Google is from a security evangelist at csoonline.com. He based a lot of his article on an article by krypt3ia who ranted about how bad it is to use the term evangelist.

I read krypt3ia’s article with an open mind but I always worry when someone starts a written argument with a literal definition from an actual dictionary. That was what I did in high school when I didn’t know how else to start a paper and it’s an appeal to authority that isn’t very useful in this type of discussion. Languages evolve and definitions change all the time and pretending otherwise isn’t a winning strategy. I think the actual problem he has with the term ‘evangelist’ is shown about 3/4 of the way through his rant where he talks about the term ‘heretic’:

“Perhaps this is all we know, we people who still follow a book so closely that now has the masses up in arms about the issue of people of the same gender wanting equality … A book mind you, written by people barely able to understand nature around them so they made stories up to fill in the gaps. Really? 21st century? Yeah.. Right.”

I get his argument against religion (and I’m assuming the Bible) and I don’t disagree with him on this point[1] but I think getting this worked up over the term evangelist doesn’t make sense. The wikipedia article for the more generic term “Technology evangelist” has this opening definition:

“A technology evangelist is a person who builds a critical mass of support for a given technology, and then establishes it as a technical standard in a market that is subject to network effects.”

The article goes on to establish the link to the word evangelism by suggesting it is “due to the similarity of relaying information about a particular set of beliefs with the intention of converting the recipient.” Think Steve Jobs or even today Vint Cerf.

This part rings pretty true for me. Infosec [2] is a cloudy term that encompasses a lot more people than it did when I learned it in the 1990s; however, most of us do hold beliefs about security. These beliefs translate into practices like “hardening a server” or “using passphrases instead of passwords”. So a security evangelist is someone who tries to convert those with poor security practices to our way of life.[3]

Perhaps I have an easier time dealing with portmanteaus or even updating definitions as words find their way into computer-specific lexicons. I fought similar fights when I was at Akamai and trying to implement biostatistical analysis and epidemiological methods to make the company more secure. I was told that the words I used were medical jargon (e.g. sensitivity and specificity) and it was too confusing for them. But our industry-specific language has dealt with this for a long time and I doubt it will stop anytime soon. [4]

So how do people, especially those that hate the term ‘evangelist’, feel about the term ‘virus’? Want a link to the Wikipedia article or an OED definition? You probably won’t find anything related to non-biological organisms unless you look at ‘Computer Virus’. Or how about ‘sales engineer’?

Again citing Wikipedia, an engineer is “a professional practitioner of engineering, concerned with applying scientific knowledge, mathematics, and ingenuity to develop solutions for technical problems.” [5] What do SEs build again? I’ve been an SE in my career and other than sales demos there wasn’t much I did to really deserve the E part of my title.

Krypt3ia isn’t alone in his disgust with the term however. As I scanned through Twitter I found other notables (particularly Space Rogue of curmudgeonly fame) saying one should never ever admit they were an evangelist. There is a hint of anti-charlatanism in their tone that can’t be missed. [6] I think the real answer to the animus against this term lies here. The sense I’m getting is those opposed to the term think security evangelists are those that don’t have the skills to be real hackers/infosec professionals and therefore listening to them is both a waste of time and potentially dangerous. I think nothing displays that more than this anigif.

Footnotes:
[1] At the best of times I’m an atheist but occasionally I’m just agnostic.

[2] I don’t know if someone has written about the transition of the 1990’s hacker to infosec so I’ll leave this here as a reminder to write about it if an article isn’t already extant.

[3] I do this all the time without thinking about it. Last month it was when speaking with the CFO of my nonprofit when she asked about using online banking. My advice was to boot up a liveCD and bank from there.

[4] The biggest push back I got was using the term “computer disease” instead of malware/badware/trojan/etc. It makes a lot of sense if you think about it.

[5] In case you’re wondering “engineer is derived from the Latin roots ingeniare (‘to contrive, devise’) and ingenium (‘cleverness’).”

[6] Anyone who knows him understands that he isn’t shy about opining on what is right or wrong and who in the industry is an actual charlatan.

SECRE.TS

I started developing a random idea over the holidays but never finished it. I’m releasing its description here with the hope that someone will steal and then implement it :)

A hybrid social media platform using RSS feeds, Twitter-style messaging and public, private, and group key pair cryptography. It also solves the paradox of eventual decryption through the use of one-time pads and very precise randomization.

secre.ts enables the user to share cryptographically protected messages, allowing use over untrusted publicly accessible networks like the Internet.

As a messaging solution secre.ts combines the greatest assets of email-like services with the most secure traits of a virtual private network connection. VPN solutions are fragile connections and cumbersome on both bandwidth and the processor. The secre.ts hybrid approach consumes processor time, but the messages are broadcast in public, so connectivity is hugely increased and bandwidth isn’t impacted because the messages are received in cleartext.

Jamaica Bans Daggering

Text from the Broadcast Commission

STATEMENT BY THE BROADCASTING COMMISSION ON ACTIONS AND RECENT DIRECTIVES RELATING TO BROADCAST MEDIA CONTENT
The Commission assures the public that it continues to actively work with broadcast licensees, the Minister of Information, the Media Association of Jamaica, the Jamaica Association of Community Cable Operators, the Entertainment Fraternity and other stakeholders to bring a halt to the deluge of inappropriate content on the airwaves. The public will have already seen and should continue to expect strong disciplinary action against those who fail to cooperate and comply with the broadcasting regulations.

The Commission has examined a number of songs, popularly referred to as “daggering songs”. “Daggering” is a colloquial term or phrase used in dancehall culture as a reference to hardcore sex or what is popularly referred to as “dry” sex, or the activities of persons engaged in the public simulation of various sexual acts and positions. The Commission has found these recordings to be explicitly sexual and violent, contrary to the provisions of Regulation 30(d) and Regulation 30(l) of the Television and Sound Broadcasting Regulations which state:

30. No licensee shall permit to be transmitted –

(d) any indecent or profane matter, so, however, that any broadcast to which regulation 26 relates shall be deemed not to be indecent; Reg. 30(d)
(l) any portrayal of violence which offends against good taste, decency or public morality. Reg. 30(l)

This content also offends against the tenets of the Children’s Code for Programming. Consequently, the following directive has been issued to Broadcasters:

DIRECTIVE TO LICENSEES
1. There shall not be transmitted through radio or television or cable services, any recording, live song or music video which promotes the act of ‘daggering’, or which makes reference to, or is otherwise suggestive of ‘daggering’.
2. There shall not be transmitted through radio or television or cable services, any audio recording, song or music video which employs editing techniques of ‘bleeping’ or ‘beeping’ of its original lyrical content.
3. Programme managers and station owners or operators are hereby required to take immediate steps to prevent transmission of any recorded material relating to ‘daggering’ or which falls into the category of edited musical content using techniques of ‘bleeping’ or ‘beeping’.

CHANGES TO THE BROADCASTING REGULATIONS
The Commission has already recommended to government important changes to the law governing broadcasting and which are intended to be tabled in Parliament soon. The changes include:

• The introduction of financial sanctions for breaches of the regulations.
• Ensuring that the compilation of music charts is in accordance with an approved methodology.
• Maintaining playlists and programme logs of music played for examination by the Commission and accredited rights agencies.
• Evidence of approval of music sheets and playlists by station management before any song or video is transmitted.
• The arrangements for inclusion of local cable channels within the group of directly regulated operators, further to recent changes in the Broadcasting and Radio Re-Diffusion Act.

EXPANDED CITIZEN-BASED MONITORING
The Commission recognizes the critical role that citizens can and should play in monitoring the numerous radio and television channels that exist. In this regard, the Commission encourages continued submission of complaints about problematic content on electronic media. As a response to the increase in broadcasting and cable outlets, the Commission itself will be establishing islandwide Citizen based Media Monitors to assist in more comprehensive and effective monitoring of radio and television output. The media monitors will be drawn from diverse age groups, communities and organizations across the country. The Commission is also accepting volunteers.

CONTACTING THE COMMISSION
Members of the public are encouraged to support the Commission in monitoring the airwaves and reporting any breach of the directive or otherwise transmission of inappropriate content.

The Broadcasting Commission may be contacted at 1-888-99-CABLE (22253). Email messages can also be sent to info at broadcom.org to report complaints or to seek additional information.

SIGNED: BROADCASTING COMMISSION

Could the media industries finally be moving in the right direction?

YouTube remixes now have links to Amazon and iTunes to purchase the songs. This is a great monetization strategy for YouTube as well, which has had a snickering Hulu making money on content that Hulu, and only Hulu, can negotiate (Hulu is a joint project of Fox and NBC).

Hulu is smart in that it is finally figuring out it can monetize its back catalog with advertising revenue if only it makes it easily available (no DRM, etc.). Granted, it only streams, but this is a decent tradeoff for legal content on the Internet. And this is from someone who absolutely abhors sitting through commercials or viewing 80% of advertising.

Hulu officials have belittled YouTube in trade publications [citation needed] because they don’t believe user-created content can be monetized. I have a feeling they will be proven wrong in the next 24-36 months. As remixing becomes legitimized in both legal and social contexts, the sheer amount of content created by the unleashed masses with personal computers will start to eclipse the major studios.

2009 Resolutions (public copy)

more open source

* pine for email
* firefox for web
* gimp for photo editing
* audacity for audio editing
* more ruby
* more mysql

more cloud apps

* blip.tv for media storage
* less stagnant account on flickr
* more rss feeds

more mobile

* Twitter on mobile only
* IM on mobile only [edit: way too hard]
* increased IM on mobile
* email on mobile ReadOnly
* increase social app posts from mobile -> {flickr,youtube,blip.tv}

more social
* more irc
* more flickr posts with geotag

no drm
* none

Security or convenience: Apple chooses poorly

My powerbook is in the third year of its life and as such has begun falling apart on a regular basis. I’ve had the laptop in for repair at least five times this year alone. Every time I bring my laptop in Apple employees ask me the same question.

“What is your administrator password?”

The first time I heard this question I thought he was joking. Apple is not kidding. They have offered every excuse imaginable for this practice but none have come close to convincing me to hand over my password. Sometimes the technicians would even try to intimidate me by saying that they might not be able to continue the repair if I refuse. One technician even tried to charge me an additional $100 for the installation of OS X for failing to divulge my password. The claim was that he had to perform additional work since I refused to cooperate.

This is official Apple policy and it needs to stop.

Consumers should *never* be asked for their passwords. It is a practice that defies logic to anyone that is trained in security. Given the state of the art in live OS distros there is absolutely no reason that Apple should ever need access to consumers’ files for hardware repairs anyway. It isn’t as if technicians haven’t been caught pilfering files from users in the past.

When bringing Apple computers in for repairs users should do the following until this is resolved:

1) Create a clone of the boot drive
2) Secure erase the contents of the drive
3) Install a fresh copy of the OS
4) Reimage the drive once you receive your computer back

This adds all kinds of time overhead to a process that already sets the consumer back; however, Apple still believes this is a valid way to treat their customers.
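The four steps above, as an added example that is not from the original post: a checked version of the clone / erase / reinstall / reimage routine. It operates on whatever path it is given; the test below runs it against an ordinary file as a constructed stand-in for the boot drive. It assumes a host where Ruby can read the device node, and its file overwrite only stands in for what would be a diskutil secureErase on a real Mac disk.

```ruby
# Added example, not the post's code. Assumes Ruby can open the given path;
# the erase step is a file-based stand-in for a real secure erase.
require 'digest'
require 'securerandom'

def sha256_file(path)
  Digest::SHA256.file(path).hexdigest
end

# Step 1: clone, then verify the clone against the source before anything
# destructive happens. The hash is stored beside the image for step 4.
def clone_drive(dev, img)
  File.open(dev, 'rb') do |src|
    File.open(img, 'wb') { |dst| IO.copy_stream(src, dst) }
  end
  digest = sha256_file(img)
  File.write("#{img}.sha256", digest)
  sha256_file(dev) == digest
end

# Step 2: refuse to erase unless a verified clone exists, then overwrite the
# device with random bytes, 1 MiB at a time.
def secure_erase(dev, img)
  return false unless File.exist?("#{img}.sha256")
  return false unless sha256_file(img) == File.read("#{img}.sha256")
  size = File.size(dev)           # for a file stand-in; a real device needs ioctl-based sizing
  File.open(dev, 'r+b') do |f|
    written = 0
    while written < size
      chunk = [size - written, 1 << 20].min
      f.write(SecureRandom.random_bytes(chunk))
      written += chunk
    end
  end
  true
end

# Step 3 (install a fresh OS for the technician) is manual; nothing to script.

# Step 4: check the image is still intact, write it back, and confirm the
# restored drive hashes to what was recorded before the repair.
def restore_drive(dev, img)
  expected = File.read("#{img}.sha256")
  return false unless sha256_file(img) == expected
  File.open(img, 'rb') do |src|
    File.open(dev, 'wb') { |dst| IO.copy_stream(src, dst) }
  end
  sha256_file(dev) == expected
end
```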

Unrescuable ruby error

I’ve been working on some DNS resolution code for a while now. It is multithreaded using EventMachine. The resolution code is wrapped in a begin/rescue statement yet it still errors out occasionally with the following error that I have never been able to rescue.
/usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:147:in `select': time interval must be positive (ArgumentError)
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:147:in `do_select'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:62:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:61:in `initialize'
from /usr/lib/ruby/1.8/thread.rb:135:in `synchronize'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/select_thread.rb:48:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/inflector.rb:257:in `new'
from /usr/lib/ruby/1.8/singleton.rb:95:in `instance'
from /usr/lib/ruby/gems/1.8/gems/dnsruby-1.1/lib/Dnsruby/Resolver.rb:806:in `send_async'
... 11 levels...
from ./stats_common.rb:66:in `resolve_block'
from ./stats_common.rb:64:in `resolve_block'
from ./resolve_urls.rb:16:in `resolve_urls'
from stats_engine.rb:44
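One likely reason a rescue never fires here, shown as an added example rather than code from the post: the trace runs through the library's select thread, and an exception raised inside a background thread does not propagate to a begin/rescue in the thread that started it. The worker below is a constructed stand-in for that select thread, and the assumption that the error is raised on it is mine, not something the post establishes.

```ruby
# Added example, not the post's code. Assumes the ArgumentError is raised on a
# background thread, which is one explanation for an uncatchable error.

def start_worker(interval)
  # Stands in for the library's select thread; the message mirrors the trace.
  Thread.new do
    raise ArgumentError, "time interval must be positive" if interval <= 0
    :resolved
  end
end

# The pattern the post describes: rescue wrapped around the call that merely
# starts the thread. The error is raised in the worker, so this rescue never
# runs; the caller returns :ok and the worker dies (Ruby only prints a warning).
def resolve_unprotected(interval)
  start_worker(interval)
  sleep 0.05                      # give the worker time to fail
  :ok
rescue ArgumentError
  :rescued
end

# Joining the thread re-raises its exception in the joining thread, where an
# ordinary rescue does catch it.
def resolve_with_join(interval)
  start_worker(interval).join
  :ok
rescue ArgumentError => e
  "rescued: #{e.message}"
end

# When you cannot join (an event loop owns the thread), rescue inside the
# thread body and hand the error back through a queue instead.
def resolve_with_queue(interval)
  errors = Queue.new
  t = Thread.new do
    begin
      raise ArgumentError, "time interval must be positive" if interval <= 0
      :resolved
    rescue ArgumentError => e
      errors << e
      nil
    end
  end
  result = t.value                # joins; nothing to re-raise, it was rescued inside
  errors.empty? ? result : "reported: #{errors.pop.message}"
end
```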

Domestic Terrorism Definition

I hope this purported FBI flyer is a fake. I hope that the FBI doesn’t actually define domestic terrorism as:

groups or individuals operating entirely inside the US attempting to influence the US government or population to effect political or social change by engaging in criminal activity.

My understanding of what made terrorists a special class of criminal was that they used violent tactics and had no regard for civilian casualties. It seems wrong that non-violent attempts to influence the government are considered domestic terrorism, even if they are criminal.

For instance, wouldn’t lobbyists who crossed the line be considered domestic terrorists? Their very job description is to influence the government. If they bribe a congressman can we detain them for terrorism now?

EDIT: I’m pretty sure this is a hoax now. The definitions I’m finding online for domestic terrorist all include the use of violence.

e.g.

Domestic terrorism is the unlawful use, or threatened use, of force or violence by a group or individual based and operating entirely within the United States, Puerto Rico, or other US territories without foreign direction committed against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof in furtherance of political or social objectives.

The never ending robots.txt

While looking over logs for a server of mine I decided to write some code that would help me deter someone sniffing my server for weaknesses. The first thing I decided to write was a robots.txt file that had a few different qualities.
1) It would never end
2) It would not bog down the CPU
3) It would not repeat
4) It would be a valid robots.txt file

At the time I was using PHP for another project and so it was already configured on my server. I reused a password generation function and stuck it in a time delayed infinite loop. Then I changed the .txt handler on the server to be PHP.

```php
<?php
// Serve the endless robots.txt as plain text and forbid caching.
@header("Content-Type: text/plain");
@header("Pragma: no-cache");
@header("Expires: 0");
$standardStatement = "User-agent: *\n";
print $standardStatement;
flush();

// Reused password generator: one random 11-character path segment.
function randpass() {
    $chars = "1234567890abcdefGHIJKLMNOPQRSTUVWxyzABCDEFghijklmnopqrstuvwXYZ1234567890";
    $max = strlen($chars) - 1;
    $thepass = '';
    for ($i = 0; $i < 11; $i++) {
        // Bracket offsets: the {} string-offset syntax was removed in PHP 8.
        $thepass .= $chars[rand(0, $max)];
    }
    return $thepass;
}

// Time-delayed infinite loop: one Disallow line every 6 ms keeps the CPU idle.
while (true):
    $newpath = randpass();
    print "Disallow: /$newpath\n";
    flush();
    usleep(6000);
endwhile;
```
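The random generator above can, in principle, repeat a path. As an added example that is not from the post, here is the same tarpit in Ruby with requirement 3 actually guaranteed: each path is a base-62 encoding of a counter mixed with a secret through a bijection, so no path recurs until all 62^11 of them have been sent, and the body is a lazy enumerator so the server streams it line by line. The Rack wiring at the bottom is an assumption.

```ruby
# Added example, not the post's code. The Rack app at the end is assumed wiring.
require 'securerandom'

ALPHABET = [*'0'..'9', *'a'..'z', *'A'..'Z'].freeze
WIDTH = 11                      # characters per path, like the PHP version
SPACE = ALPHABET.size**WIDTH    # 62**11 distinct paths before any repeat
STEP = 1_000_003                # coprime with 62**11, so n -> n*STEP+secret is a bijection

# Base-62 encode n as a fixed-width string.
def encode62(n)
  s = ''
  WIDTH.times { s = ALPHABET[n % 62] + s; n /= 62 }
  s
end

# Lazy stream of robots.txt lines. The counter is mixed with a secret so the
# sequence is not obviously sequential, yet every path is distinct until the
# whole space has been emitted. The delay keeps the CPU idle, as in the post.
def tarpit_lines(secret, delay: 0.006)
  Enumerator.new do |y|
    y << "User-agent: *\n"
    n = 0
    loop do
      y << "Disallow: /#{encode62((n * STEP + secret) % SPACE)}\n"
      n += 1
      sleep delay
    end
  end
end

# Validity check over a prefix of the stream: header first, every later line
# a well-formed Disallow with an 11-character path, and no path repeated.
def valid_prefix?(lines)
  return false unless lines.first == "User-agent: *\n"
  rest = lines.drop(1)
  rest.all? { |l| l.match?(%r{\ADisallow: /[0-9a-zA-Z]{11}\n\z}) } &&
    rest.uniq.size == rest.size
end

# Assumed Rack wiring: handing the enumerator over as the body lets the server
# send each line as it is produced instead of buffering an endless response.
ROBOTS_TARPIT = lambda do |_env|
  [200, { 'content-type' => 'text/plain', 'cache-control' => 'no-store' },
   tarpit_lines(SecureRandom.random_number(SPACE))]
end
```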

:(

Use of application “Scrabulous” has been restricted

We’re sorry, but this application is not available to you. Please visit the Application Directory to find other applications.