Tuesday, December 10, 2013

My daughter and I will be presenting @ShmooCon!!!



For those of you attending ShmooCon in January, please stop by the "One Track Mind" presentations on Friday. My daughter, Emily, and I will be presenting on her efforts to bring Rachel-Pi and Khan Academy to a school/orphanage in Kenya. Here is the outline:


How Hackers for Charity (possibly) saved me a LOT of money

Who we are
How she got to this point in her life
The process of gathering, building, deploying, and training
What's next

I am proud of my daughter and the work she is doing in Africa, all at the ripe old age of 13.

Help me support her by showing up to the talk. As I said in my CFP for ShmooCon: "As a dad, I feel the need to push the limits of my children. This is the perfect outlet for my daughter to learn about our community in a purposeful way. Not only this, I want the rock stars in our community to help me! IT TAKES A VILLAGE! (or so I hear)."

P.S. It is perfectly acceptable to heckle me, as always, as long as you are not too disruptive to her.

Saturday, November 23, 2013

NSA: The "big stick" of the Executive Branch and how this really affects US security worldwide

***As a former employee (US Navy analyst at NSA), I must say up front "I can neither confirm nor deny any comments made for or against NSA and their collection efforts both internal and external to the US. All questions should be directed to the Public Affairs Office at Ft. Meade, MD."***

Now that I have parroted the official party line, let's talk.

Today I read a very well-written, but sad, article in the Wall Street Journal entitled "Missteps Doomed Civilians As Chemical Attack Loomed." The article outlines a series of steps leading up to the mass chemical attacks in Syria on August 21st. Due to efforts of the US collection system (probably NSA and/or CIA), Syrian troops were known to be using chemical weapons on the population prior to this occasion. These attacks led to the death of a small number of civilians, but were unconfirmed by independent sources. Then on the 21st, an order was given by a senior-level person to perform a mass attack on rebel-held locations and the civilian population in the area.

"Sources" stated that the communications intercept (the order) was not immediately translated and reported because these attacks had become commonplace. It was not until the death toll kept climbing that the full weight of the intercepted order came to light.

I do not blame the analysts who intercepted, translated, and reported this occurrence. I blame the three branches of the government for this. You see, it was Congress who voted in the shambles of a law known as the USA PATRIOT ACT. It was President Bush who approved the law with his signature. It is President Obama who has taken the collection requests to an absurdly high level (the number of collection requests on US citizens met a "critical mass" before the administration decided to stop reporting the numbers). I also blame the Judicial Branch for slowly eroding the power of the Constitution and Bill of Rights over the years.

I mostly blame the Executive Branch of the government for endangering the US. You see, NSA has a military commander who receives collection orders from the Executive Branch. I do not advocate replacing DIRNSA with a civilian because a civilian would still receive orders from the same source. When orders are given, resources in the already strapped NSA are stretched further. This is simple supply and demand. You have a set number of resources. When you add tasking, something else has to stop being collected and analyzed. In this case, it appears that the Executive Branch ramped up tasking on the US populace in a vain attempt to prevent terrorism at home. This left us with fewer resources to stop terrorism abroad.

***Side note - We homeschool. My wife spends a lot of time discussing the law of unintended consequences and their effect on our country. I am beginning to understand the value of this approach.***

Could the mass slaughter of a civilian population have been avoided in Syria? The simple answer is probably not. The long answer is that the Executive Branch already had knowledge of "low level" use of chemical weapons in Syria and did nothing about it. Worse, the Secretary of State opened the door for Russia to step in and solve the chemical weapons dilemma. Finally, the President's inability to lead the World (much less the country) in this matter is abysmal.

This leads me to the discussion of what many people are asking of the US government. Many are calling for the dismantling of the NSA and its collection methods. These people don't usually stop there. They oftentimes complain that we monitor (spy on) other countries, including our partners. I say this is the direction we need to move in. The charter of the NSA was to collect on foreign communications and, at one time, it was forbidden to spy on US persons. The collection of US persons was not actually forbidden, but the burden of proof and the need to collect on US persons was heavy.

Anyone who says we should NOT be spying on other countries is naive. Just because you are our friends today does not mean you will be our friends tomorrow. Not only this, you will NEVER have a utopian society in which all peoples are friendly to each other. The reason for this is human nature. Ask my 7-year-old why communism is such a bad idea and he will tell you it is a great idea until you introduce the human element. After all, if we can't overcome racism, how do you ever think we will reach utopia?

In conclusion, the current "policy" on spying on US persons is stretching already thin resources to a breaking point. This does not allow the NSA to effectively perform its chartered mandates in the collection and analysis of signals from non-US persons. This endangers US interests and persons by requiring poor asset management.

Please feel free to comment.

Thursday, November 21, 2013

The Question of Ethics from an Unethical Blogger

Today I read a blog from Jeffrey Carr (found here http://jeffreycarr.blogspot.com/2013/11/republican-cyber-security-experts.html). What first strikes me is the title, "The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website."

Value: the regard that something is held to deserve; the importance, worth, or usefulness of something.

The website requires a user to enter sensitive data into it. It is discovered that the website is subject to simple reconnaissance techniques that my 13-year-old can perform, with the help of Google of course. This reconnaissance results in sensitive data being harvested. I think reporting this to the public is valuable. I could be wrong but I doubt it.

Ethics: moral principles that govern a person's or group's behavior

The problem with arguing ethics is that there is no standard by which to judge. Just as the argument that NSA wiretaps of US citizens are unethical cannot be effectively argued one way or the other, neither can this one. (Author's note: David Kennedy is perhaps the most ethical person I have ever met. Of course, this cannot be proven. By the very definition, it is untenable.)

At this point, I began reading the swill that follows. The point of the article is to show that the witnesses' testimony was swayed by their political beliefs. The arguments are "upheld" by the author in what can only be seen as a completely political tongue-lashing. He seems to be fighting his perceived politics with politics. What? (This reminds me of the "I know you are but what am I?" arguments of a schoolyard child.)

The author brings up the ethics of publicly "outing" vulnerabilities. David, on more than one occasion, in his verbal testimony and in his report, stated that he contacted the government. He also redacted key information about the vulnerabilities that he reported (clearly stated in the report and in his testimony).

What we have here is an author of a blog that clearly keyed in on a single phrase, David Kennedy speaking on FOX News, and put his political beer goggles on, shut down his ability to reason, and threw a tantrum. What he would have seen if he had performed a simple Google search is that Mr. Kennedy has appeared on CNN and other "liberal" shows several times. As a point of fact, he purposefully spreads the love so as to stay above board. (Plus, he would never hear the end of it from Martin Bos if he did it any other way.)

In conclusion, I could have torn this blog apart line by line and word for word but I have better things to do. So, I will leave you with this: Suck it Jeffrey Carr. SUCK IT!

P.S. One more definition. Slander: the action or crime of making a false spoken statement damaging to a person's reputation. (Used in a sentence: Jeffrey Carr's inaccurate blog article on David Kennedy and TrustedSec was slanderous.)

Correction #1 (Sure to be more) Libel: a published false statement that is damaging to a person's reputation; a written defamation. (Example: Jeffrey wrote therefore he is libel). Thanks to Nick for the correction and sorry to @popehat for not learning a thing from your blog!

Wednesday, November 13, 2013

Top 10 IT/InfoSec terms that need to go!

Many people are sick of buzzwords and want to see them go. I am one of them. I never had a problem with it in the past. Until, that is, non-techies began using them without understanding the implications. 

Here is a list of some of my favorites words or phrases that need to go...

1. Cyber - After many years in the DoD I never got tired of this word. Why is it on my list? Because it is overused by non-DoD peeps when they complain about its use. If you stop complaining about the word, its use will be cut by 3/4.

Image credits - L Macvittie

2. Cloud - When I first used this (10 years ago) it was a picture of an actual cloud to show users that the ISP took over. Now it is so pervasive my kids think of computers before they think of rain.

3. Big data - Uh, what! Why did we ever start using this phrase? Oh, I know. The phrase "lots and lots of data" never caught on. 

4. Black swan - Used to be something until it was EVERYTHING. Just because you suck at business continuity and disaster recovery doesn't mean your problem (experienced by others, by the way) is a black swan.

5. ... for fun and profit - Try to at least be original. Nothing says "I'm a copycat" like this phrase.

6. iWhatever - See number 5.

7. APT - If I can sell you on an idea, I can sell you anything else I want.

8. De-duping - Stop trying to sound cool and use words like efficient.

9. Bloatware - Really, we have to create a new word for unwanted software just because it is on a phone (a.k.a. handheld computer)?

10. Brick - You say you bricked your device. Then you rebooted/restored it. If it is bricked then it will never work again for its intended purpose.

Let's throw one more in for good measure.

11. 4G - Stop using this for anything phone related. It is the 4th generation of mobile phone technology, that is all.

There are others that annoy me but these are the top of my list. Do you have any terms that you want gone? Add them to the Comments section so they will be used again.

Monday, November 11, 2013

My misfortune and my new (old) phone

A few months ago, I had the distinct displeasure of updating my company's Mobile Device policy. It was not the fact that I was writing policy (I actually am one of those weird types who enjoy the nuances of policy writing). The displeasure stemmed from the fact that I purchased the Samsung Infuse and this particular phone did not allow encrypting the handset, a clear violation of said policy. Woe is me. I was discussing this fact with our company's AT&T rep when those fateful words came out: "What kind of phone do you want?" I immediately went tops and asked for a Samsung Note II. His answer, "Give me a few weeks and you'll have it!"

This sounded like a great deal. In hindsight, it was a mistake. After getting attached to my new Note II, I got a fateful call. I had to return the phone. Now I am back to my Infuse. What was a great phone (when first purchased) is now woefully inadequate. Not only that, but now my development device is no longer usable. I can't play with the Infuse while using it as my only phone. Also, I cannot log in to corporate email anymore. (Actually, I can. I just choose to not bypass our technical controls). All of this has led me to technology withdrawals. I feel out of touch when I can't respond to an email while waiting in line at the DMV. I always laughed at those who were not sufficiently connected to the world. I now know their pain.

***On a later note. After a week of using my original phone, I am rather enjoying the freedom of responding in my own time! #silverlining***

Thursday, October 31, 2013

ACLU - A Wolf in Sheep's Clothing: But they got this one right!

     In my recent presentations at Hack3rCon^4 and SkyDogCon 2013, I spoke about the fact that NSA wiretaps are legal (according to current interpretation of many laws). In addition, I highlighted some programs that push the envelope on constitutionality. One such program is the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI). I talked about how this program violates our First Amendment and (possibly) Fourth Amendment rights.

Yesterday, program details came to light after many years when the ACLU published the findings of its Freedom Of Information Act request. Years ago, the ACLU submitted a FOIA request that was summarily denied by the government. They quickly followed this denial with a lawsuit against the FBI. Well, they won.

Just as I suspected, the ACLU determined that the program did not have adequate checks to ensure citizens' rights were being honored. This is not their interpretation of the data. You see, they received volumes of internal emails and reports that stated this as fact. Several State level "fusion centers" complained about the handling of private citizens' data, the lack of a privacy policy, and storage of data in the eGuardian system.

I still stand by the premises I stated in my presentation. NSA warrantless wiretaps are legal (albeit unconstitutional), blame rests equally on the three branches of the government, and the ACLU is a den of hypocrisy! I base the latter on the fact that they claim that they have

"been the nation's guardian of liberty, working daily in courts, legislatures and communities to defend and preserve the individual rights and civil liberties that the Constitution, Bill of Rights and laws of the United States guarantee everyone in this country."  

Why am I so critical? The ACLU pushes hard for the Bill of Rights on a national level with the exception of the Second Amendment. When I questioned an ACLU lawyer about this at DEFCON XXI, I was summarily dismissed just as the government dismissed their FOIA request. When I asked again for a reason, this time at their vendor table, I was told that it was a state-by-state issue, not a national issue. 

***Apparently, rather than being a guardian of your rights, they see fit to pick and choose what rights you should have!***

I once again submit to you that you should NOT support the ACLU but you should support organizations that believe the entire Constitution and Bill of Rights is worthy of being defended.

Also, before you try and interpret the Bill of Rights, you must read what the authors and original supporters of this great document said on the issue.

If you would like to know more see the following sites:
NSA wiretaps are legal (and other annoying facts) presentation http://www.irongeek.com
Quotes by founding Fathers (public domain) http://cap-n-ball.com/fathers.htm
ACLU article and reports on SAR/NSI www.aclu.com

Wednesday, October 30, 2013

SkyDogCon 2013: Southern charm meets hackers/makers, then gets owned!

   
I wrapped up my year of cons with the 2013 SkyDogCon. After attending last year for the first time, the decision to attend this year was a no-brainer. This is perhaps the most unique collection of mini-events wrapped up into a con there is. Highlights include the typical: quality speakers, lock pick area, hardware hacking village, etc. In addition, there is a healthy smattering of the unique: a rocking electronic badge (includes a hardware hacking challenge), paid breakfast on Sunday morning, a Pirates vs. Ninjas Ball, a ham radio license exam, a Lego challenge, and others.

I will begin the blog with a review of the Hotel Preston. This hotel is the model of "southern hospitality" with a twist of the unique, bordering on eclectic. From the decor to the staff, this hotel sets itself apart. Think of a scaled down version of The Artisan Boutique Hotel in Las Vegas (former home of BSides Las Vegas) but not as dark. The artwork and decor is an experience in itself, the food is appropriately priced, and the rooms are clean and modern. My one complaint from last year was the speed of food delivery from the kitchen. This was remedied this year. No complaints from me.

 ****Note: If you are feeling lonely, ring the front desk and ask for a fish. Yes, you read that correctly. If you ask for one, the hotel will loan you a fish tank, complete with scenery and a fish. Then you won't feel weird since you can talk to something instead of yourself.****


The second thing I will talk about is the relentless promotion of the con by its Core Team and Staff. I first learned of SkyDogCon from SkyDog himself, at DerbyCon. Yep, you read that correctly. SkyDog was staff at DerbyCon in Louisville and was printing up gimmick badges from popular movies. The one from last year was a mock credit card with the "Triple Crown" challenge on the back. This was a call for all card carriers to attend not just SkyDogCon but DerbyCon and Hack3rCon (a.k.a. the trifecta of regional cons). I later discovered that SkyDog (who is also a Goon at DEFCON) was going to give out special promotional badges at DEFCON to anyone willing to promote the con. Sign me up! This level of detail in promoting his con, and the sister cons of the area, highlights his commitment to the industry as a whole! This year he and Mad Mex spent over 6 hours, during the party, printing up badges for anyone who wanted one.

Third, we have the awesome lineup of speakers. There were 2 speaker tracks (Friday-Sunday) with 20 minute Lightning Talks (Thursday night). I was fortunate enough to be selected for both a Lightning Talk and a main track. The Lightning Talks format was a set of 20 slides that auto-forward every 30 seconds. This was a challenge that forced me to work on my presentation skills. My Lightning Talk was entitled "Defense-in-Depth: Fists, knife, gun" and will be posted on my blog when they are uploaded. Unfortunately, with 2 main talks going on simultaneously, and the other speaker in my time slot being Deviant Ollam, I had a sparse audience. (Thanks to the 7 people who listened to my presentation "NSA Wiretaps are Legal and Other Annoying Facts.") My favorite presentation of the weekend was Evan Booth's. He presented a very serious topic with wit, charm, and grace. Then he showed videos of himself totally destroying fruit. You have to see it. It will make your day as well as scare the heck out of you.

Finally comes the piéce de résistance (I know, the accent mark on the first e is going the wrong way, but I can't make it work on my Mac). SkyDogCon is known for its electronic badges. This year's badge does not disappoint. This badge, which has some hardware issues, is utilizing only about 5% of the functionality it was designed for. That 5%, however, will blow you away! Its simple design, coupled with the Parallax Propeller chipset and brilliantly written code, is a n00b hardware hacker's dream.

****Note: SkyDog announced that he will repair the badge himself if you bring it to one of the future cons he will be at. Anyone up for a quick trip to Atlanta for Outerz0ne? I'll drive if you pick up the room!****

Schematics and badge hacking tips will be posted on the website shortly.


     So, if you feel that you want to know more, visit the website. Don't forget to sign up for the mailing list and follow them on Twitter.

Website: www.skydogcon.com
Twitter: @skydogcon

I hope you enjoyed this blog entry and I hope to see you next year.

P.S. If you sign up for a ticket early, you get "Early Bird" status and this results in upgrades to your badge!