Thursday, 30 June 2011

Facebook: An Ugly Stupid Service

... designed to teach you to systematically undervalue your privacy.

Author and freedom fighter Cory Doctorow in great form on this subject, censorship, psychology, and education (from TEDxObserver):



Rediscovered this morning at this Boing Boing post - itself inspired by John Scalzi's Whatever.

TEDTalks are distributed under a Creative Commons (CC) licence.

Monday, 27 June 2011

Security Testing Part 4 - Pentests

A Monotone Spectrum

Pentests, short for Penetration Tests, describe the simulation of malicious attacks for the purpose of evaluating a computer system or network's security. These attacks are available in any colour, as long as it's greyscale...

In The Clear

Pentests are quite often clear box (or white box, or full disclosure) attacks, simply because as testers we more often than not have full access to, and complete knowledge of, the infrastructure to be tested. So, why not make best use of this advantage? Such knowledge includes all available information about the internal data structures and algorithms employed, the relevant source code used to implement these, the network diagrams, IP address data, actual passwords, and so on.

Examples of white box testing include:
  • API, Fault Injection and Mutation Testing methods.
  • Most static testing, e.g., code reviews, inspections and Valkyries (damn autocorrect: I meant walkthroughs); that is, testing where the software isn't actually executed. Instead, for example, the code may be read, or scanned automatically for syntactic validity.
  • Code coverage can only be delivered through white box testing. Without inspecting the source code, there can be no guarantee that any given code path is exercised.
White box methodology is frequently used to evaluate the completeness of test suites created through black box testing methods (see below). This strategy allows the examination of the rarely tested parts of a system, ensuring coverage of the most important function points.

In The Black

Pentests can also of course be black box (also known as blind) tests, where there is assumed to be no prior knowledge of the infrastructure to be tested. As testers, we must first determine the location and extent of the system under test, before commencing analysis. When we use black box penetration testing methods, we are assuming the role of a real, external, black hat hacker, who is trying to intrude into our system without much actual knowledge about it. By contrast - almost literally! - white box testing can be seen as simulating what might happen after a leak of sensitive information, or equivalently, during an "inside job", when the attacker has access to confidential information.

Grey Goo

In between these two extremes, a school of grey box testing has evolved. As the name suggests, these pentests combine aspects of black and white box attacks. The main reason to do this is to provide customised test coverage for various elements in distributed systems. For example, we might use our knowledge of internal data structures and algorithms for the purpose of designing our test cases. Then when it comes to the point of actually executing these tests, we perform them as a normal user, i.e., at a black box level.

A good example of grey boxing is when we modify the content of a data repository, which is not itself part of the delimited system under test. That's not something which a user would normally be able to do, so it can introduce a white box element into an otherwise black box test or attack suite. Another example in a similar vein might be the determination of error message contents, or system boundary values, by reverse engineering.

Note that most instances of input data manipulation and/or output formatting do not qualify as grey box techniques, because by definition, input and output are not part of the system under test. So for example, integration testing between two code modules written by two distinct developers, where only certain interfaces are exposed for test, is still regarded as black boxing.

Careful Now!

Elementary white box penetration testing can often be done automatically, and therefore cheaply. Black box attacks are another matter entirely. Because you are literally attacking a network (often a working production system) blindly, your test activities will inevitably comprise actual security attacks. You will cause denial of service, both intentionally and as a side effect of the stress you put on network response time via vulnerability scanning. At worst, you might cause actual harm to the system, rendering it just as inoperable as if a real black hat had attacked it. Much of the time and effort required with black box pentests lies in trying not to destroy things, while still reaching deeply enough to expose vulnerabilities.

Pronounced "Awe Stem"

The OSSTMM, or Open Source Security Testing Methodology Manual, is both a peer-reviewed security testing, metric measurement and analysis methodology, and a philosophy of operational security. It is a Creative Commons licensed publication of the Institute for Security and Open Methodologies (ISECOM). As such, the encapsulated methodology, covering what / when / where to test, is itself free to use and distribute under the Open Methodology License (OML).

The Manual's primary objective is to create a scientific methodology and metrics for operational security evaluation, based upon test results. It suits most kinds of security audit: penetration tests, ethical hacks, security and vulnerability assessments, and so on. Secondarily it acts as a central reference in all security tests regardless of the size of the organization, technology, or protection, and provides analyst guidelines, enabling a certified OSSTMM audit by assuring:
  1. test thoroughness and legal compliance;
  2. inclusion of all necessary channels;
  3. results quantification, consistency and repeatability; and
  4. that factual information is derived exclusively from tests.
According to the ISECOM website, a handbook edition of version 3 of the manual will be "available soon".

Previously:
Part 1 - Overview
Part 2 - Lab Work
Part 3 - The Attack Surface

Thursday, 23 June 2011

Remember EA_Spouse?

Well She Wrote A Book

No, not about the labour practices of a top video games firm in 2004 and beyond. Although that singular LiveJournal article certainly showed, among other things, that the (then anonymous) Erin Hoffman had a terrific talent for certain kinds of writing; EA: The Human Story was nominated for Joel Spolsky's Best Software Essays of 2004.

Subsequent events showed her to be equally determined, single purposed and shit stirring when deciding to embark upon a campaign, to highlight or right a wrong, to raise the profile of an issue she feels is getting brushed under the beanbag. Her gamewatch.org forum today holds over 12,000 posts in as many topics, though it seems not to have changed that world; for example, one comment from five years into the project (July 2009) revealed:
They're still doing it. I have a friend who is working 6am to 9pm 7 days a week as his project approaches release.

Despite Riccitiello's assurances otherwise, his middle management is fighting him and refusing to change. They are still paying below-the-poverty-line wages, they still are incapable of figuring out a schedule that doesn't involve abuse of its employees, and they are still playing games with employee classifications to avoid providing full benefits.

I'm in the industry, and if my company ever got acquired by EA, I would quit on the spot. My salary would be cut, my hours increased without compensation, and my work transformed into a bureaucratic mess (I've heard how heavy in middle management EA is). I'd be spending more time filling out useless make-the-managers-look-busy reports and attending endless meetings than coding and documenting. Nothing is worth this price, and people looking to enter the industry need to realize that.

Anyone but EA.
So Not About That Then

So no, like I said, the book's not actually about any of that. As you might more reasonably have guessed, Sword of Fire and Sea - subtitled The Chaos Knight, Book One - is a fantasy, written by one "obsessed with hidden truths, and the responsibility involved in uncovering them." Main character Captain Vidarian Rulorat is the last surviving member of his family. Obligated to an allegiance with the High Temple of Kara'zul by his great-grandfather's abdication of imperial commission (for love of a fire priestess, no less), Vidarian struggles to resolve the conflicts between the real world of his family legacy, and Andovar's hidden and morally ambiguous history.

One of the things drawing me towards this title, in addition to its glowing reviews by multiple Hugo Award winning SF/F novelists ("Read it and be swept away" says Allen Steele), is its length. Or rather, the dearth of it. Erin has made the very deliberate choice to keep it succinct. Short novels, she says, are rare in fantasy these days. She loves the short form, and obviously hopes many others secretly do too. From her Big Idea piece via John Scalzi:
I want to get in, get euphoric, and get out, without getting bogged down in lengthy genealogy records or endless hikes across Mordor.
Available to preorder at amazon.co.uk.

Sunday, 19 June 2011

Computer Museum (2)

Re-Animation

Fun though it was to dig out my old Sharp PC-1211 for the previous article in this series, it was a little disheartening to realise that any attempt to procure its toxic little mercury batteries would likely land me on a terrorist watchlist for the rest of my life. So it was a happy surprise to be reminded that its successor, the PC-1500, takes four bog standard AA cells. Here it is, recently emerged from the loft, all powered up and asking for permission to erase its now random memory contents, the dream debris of its (almost three decade) nap.

This 1983 purchase was funded through the usual channels. In other words, I initially went halfers with my pal Brian. Then once I'd accumulated enough buroo cheques, I did him over like Eric Cartman for full ownership. Honestly, sometimes I wonder how my friends ever did put up with my behaviour. But the time between striking this partnership and its ultimate betrayal was a golden age; the PC-1500 turned out to be a hacker's wet dream.

Peek And Poke

We discovered various ways to abuse this BASIC programmable pocket computer, forcing it to interpret pre-crafted code memory contents as data, and vice-versa. This first revealed that the BASIC ROM recognised several keywords not mentioned in the official user's manual. Not just any keywords, but the holy trinity of PEEK, POKE, and the almighty CALL. Soon we had discovered enough single machine code I/O instructions to discern that the processor was very Z80-like in its architecture, at which point Troy fell, and shit was lost.

Soon armed with the full processor instruction set, we started writing super fast Moon Landers, Star Treks, Snakes, Space Invaders... and of course my own personal favourite, Son of the Revenge of Complex Arithmetic III. Having figured out the display hardware too, we had what felt like unlimited graphics power. Although the monochrome LCD was just 156×7 pixels, it was much cleaner and sharper looking than that of the PC-1211, which had used an ugly yellow-green filter to protect its fragile, almost still prototypical, vampiric liquid crystals, from damage by daylight.

Actually on second thoughts, I think Dominoes was my favourite, for several reasons. It was the first game I wrote using the full power of the machine, and the one that paid off the initial purchase costs. The domino images were pixel-perfect, and the game let me introduce my dad to computers (no mean feat for a geek in the early 80s), because its UI was so friendly: to play the 3-4 domino, you just typed 34. Finally, the AI was terrific; it made a truly formidable opponent. How did I achieve this level of awe? I programmed it to look at your hand.

Technology Caught Evolving

So here's what my PC-1500 looks like inside. Notice the two 0.1" pitch chips, the ones labelled TC5514P, sticking up like sore thumbs on an otherwise 0.05" pitch surface mount 2-layer board with through plating. Those are 1K by 4 bit static RAMs. The big LH5801 on the bottom board is the CMOS static 8-bit CPU, its LH5811 neighbour the peripheral I/O controller (an unwritten law said these always had to be named +10 higher than the corresponding CPU part number). The whole machine, like all such pioneers, screams a thoroughgoing compromise of new and old technology; 6V performance versus 130mW C-MOS battery life.

No Peripheral Vision

We never did fork out for the audio cassette interface and printer. This might seem unbelievable now, but it's true: the ritual and preamble to playing a computer game involved an hour or so of typing it all back in again. From your own notebooks, or from multipage magazine listings. Quite often this was the point at which games evolved, as you'd notice some possible improvement, or identify a great extension, each time you laboriously re-typed the now familiar code.

That was bad enough for BASIC code. But now we had to enter machine code and hexadecimal data, all without the aid of an assembler. Not something you want to have to do even once, but we did it every day. More than the lack of program memory, it was this tiresome drudgery that taught us only ever to write optimum code, first time.

I did design, and build into one of those pale blue Marshalls Electronics project boxes, a DC power supply to use with the PC-1500. Sadly I never really trusted my own crowbar overvoltage protection circuit enough to use it for more than a few minutes at a time. Eventually binned it just last year.

Previously: Computer Museum (1)

Update (June 25): the day after I power it up, the old PC-1500 begins haemorrhaging from the top right corner of the display. Click the photo on the right to sleuth the evidence. What the hell is this? So I dismantle it...

Inside there's this 10cm dark red opaque plastic block, soft yet brittle, seemingly stuck to the top of the display with strawberry jam. That's it on the right hand side, while the trail of blood can now be seen on the PCB, display, bezel, and other components of the casing. This is going to take a lot of solvent, and a few drums of cotton buds...

Half a bottle of meths and 100 cotton buds later: burp. Well that was an epic, what a fiddly stripdown, clean and rebuild. But the operation, the sticky gunky gluey plastic blockectomy, has been a success, and the wee beastie is back in pristine working condition. As for the thing I removed, not been able to find any reference to that in the online PC-1500 reference material. I suspect it may have been a thermal mass.

The late seventies belonged to the bright, power hungry, red 7-segment LED wristwatch and calculator. Arriving in their New Romantic mullets, the first LCD replacements were quite temperamental, by which I mean, temperature sensitive. They needed thermistor circuits to stabilize their viewing angle. My guess is that the soft plastic strip I've removed and discarded was designed to average out fluctuations in the sensed temperature, e.g. to stop the display from fading when the device was held in warm hands.

This work, including photography, is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported Licence.

Saturday, 18 June 2011

Sonny Marvello

Update 16 December 2011

This post has been removed.

Update 7 January 2012

On the other hand, the band's offensive remarks haven't yet been removed from Facebook, and are still publicly viewable. I guess it does no further harm to repeat them here:


Friday, 17 June 2011

Prog Rock & Metal News

Read All Around It

Most mornings, Google News is your excellent first stop shop for all that's happened in the night. The exception is Sunday, when nothing lighter than the dead tree edition of The Sunday Times will satisfy (online access not required, thanks). Truth is, I would still buy that weekly hundredweight of paper if everything except Dan Cairns's new music reviews got blacked out.

For all those other, lesser days of the week, the customizability of the Google News U.K. page* ensures there's always more than enough news, knowledge and gossip on tap. The important step is that customization. My own choice of standard sections, given geography and blogging interests, holds no surprises: World, U.K., Scotland, Glasgow, Sci/Tech, Physics, Astronomy, Space, Computer Security, Video Games, Entertainment, and Rock Music.

If you haven't personalised your Google News page yet, use the Add a section link at the top right to find and add news categories that interest you, and the Edit this page link to organise these, or to delete those of no interest. I'll never forget that enlightened day when my whole life, well my Google News experience anyway, improved tenfold as I finally got rid of those toxic default Business, Sports, Health and Spotlight pages.

The Lost Chord

But there's one more, essential category of update you won't want to be without. I speak obviously of the latest events in the world of progressive metal music. None of the standard supplied pages can quite satisfy the exacting criteria of this specific thirst for knowledge. Despair not, fellow geek headbangers, I bring you good news! Literally. I mean I've created a suitable custom section, based on the simple query "prog rock, progressive metal", which teases out of the Googleplex, just the optimum mixture of attention worthy, classic and modern, metal, prog, and their bastard offsprogs.

On the Add a section page under Search for sections, type progressive metal and hit Search. You should return just one result, titled Prog Rock & Metal; that's my page. Here's a link to its current content:
http://news.google.co.uk/news/section?pz=1&cf=all&ned=uk&hl=en&csid=7d6ecf57b214b344
Never a week goes by without at least one or two interesting developments popping up here, which I haven't yet seen elsewhere. And the page is currently enjoying a great surge in popularity! Last time I checked, I think there were a total of approximately four subscribers. Wow! Clearly this is a phenomenon whose something something now! And just imagine: you can be subscriber number five. That's right, I'm letting you in on the ground floor of this unique opportunity.

You're welcome.

* Actually the BBC News site gets roughly equal time; public service output is an excellent antidote to filter bubbling.

Update (July 18): Yes, in the wake of the phone hacking scandal, my entire extended family and I have now joined the inevitable total boycott of all News International publications. But to my shame, I should have done this many years ago. But for all its faults, crimes, and abuses, still there's nothing out there to approach the quality of The Sunday Times when it's good. Trouble is, we can no longer determine when those times are, and when by contrast, it is being controlled - nay, written - by organised criminals. My Secondary English teacher Mrs Abraitis once enjoined us all to commit to this, then venerable, paper; and as many a raped choirboy might attest, such formative imperatives often cast long shadows.

Today I can only hope that Dan Cairns will move his musical journalism expertise quickly elsewhere.

Monday, 13 June 2011

Focus!

A Fortuitous Juxtaposition

RSS readers will have missed the coincidence of expression in my Technology sidebar today, where these two articles from different Microsoft blogs collided:



Nice to know the Key to Success at Microsoft is not something that you need to steal.