Wireless Mic Research

During Source Boston I became fascinated by the idea of using SDR to listen in on wireless mics. It occurred to me that corporate meetings in hotels with lots of sensitive information are probably vulnerable to that type of eavesdropping. I looked into encrypted wireless mics but they are very expensive and I can’t imagine a lot of people outside of the Fortune 10, military, and some parts of the government can afford them.
My first find was a page of wireless mics that were in the 700 MHz range and now banned by the FCC for intruding upon emergency communications. [1] @0xabad1dea pointed out rather quickly this wasn’t the list I thought it was. But I had also scraped together another list from product pages I’d browsed the previous evening.
G1 Band 470-530 MHz
H4 Band 518-578 MHz
J5 Band 578-638 MHz
L3 Band 638-698 MHz

Once I get a better grasp of GNU Radio I can probably cobble together a wireless mic scanner for the next conference I visit. Or maybe just hang around hotel lobbies and look for stray conversations.

[1] http://www.fcc.gov/encyclopedia/wireless…

Repercussions of bad German laws on security research

This month I’m conducting some research into web hosting security issues and ran into the aftermath of the German law passed in 2007 banning security research publication. The policy has had the effect of silencing security researchers from that country. While investigating issues in PHP security I came upon the Month of PHP Bugs website, and when I attempted to download a proof of concept to illustrate what type of security issues PHP had back in 2007, I got an explanation from security researcher Stefan Esser of why he no longer feels comfortable publishing results to the Internet.

Instead of summarizing his explanation I’m going to repost it here:

Dear Visitor,

Since Friday 10th, August 2007 a new and very troubling law is enforced in
Germany.

It is no longer legal to create and/or distribute so called hacking tools in
Germany. This includes port scanners like nmap, security scanners like nessus
or simple proof of concept exploits like the MOPB exploits. They are now illegal
because someone COULD use them to commit crimes.

Until today I had hoped that our Bundespresident would stop this insane law with
a last minute veto, but now it is official and our government has rendered Germany
more or less defenseless against the threats from outside Germany.

Unfortunately our government has been deaf to the warnings from lots of experts
that tried to explain how important these so called hacking tools are not only
for the current generation of security consultants to do their daily job, but
also how important they are for the education of the next generation of
researchers and consultants.

If you do not know how to attack, you will never know how to defend yourself.

Yours,
Stefan Esser

This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated, not destroyed. Yet the German law is likely driving away people from this profession due to the impossibility of publication on the Internet without fear of criminal charges. At best the researchers who are turning away in Germany are finding other less beneficial avenues to explore. At worst they are publishing underground only.

I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see Chaos Computer Club) so it is very surprising they went in this direction.

Some old articles about this:
ars technica
article about aftermath

I need to do some more follow up on this but so far the results look grim.

Project EquillibRIAA

For the last few years I’ve talked quietly of a project to connect artists with the victims of lawsuits in the name of their bands. After the verdict handed down by the latest case of Sony vs. Tenenbaum I think it is time to put this plan to action. I’ve emailed Joel and received a list of the bands he was sued for and what I’d like to do is draw national attention to the public interfaces these bands have set up for themselves.

I’ve created a public document which contains a list of the bands and any Twitter, Myspace, Facebook, or other public forums the bands have set up for themselves. I could use help tracking down some of the missing links in this list. In some cases the bands no longer exist but members of the original band still live on in other bands or on their own.

To be clear the purpose of this project is not to harass these musicians. It is to remove the wedge of the RIAA from artists and their fans and ask them to communicate. The one question I’d like to see the artists answer is “Do you support the actions the RIAA has taken on behalf of your band in destroying the life of Joel Tenenbaum?”

Joel is being fined $22,500 for each of the 30 songs that he downloaded from KaZaa. His total fine is $675,000 for an activity that a majority of the Internet users in this country have and still participate in. This isn’t to say that we should advocate copyright infringement but that we shouldn’t agree with the penalties associated with infringement.

This project is still being assembled and I would appreciate any feedback and help the FC community can muster. I’d like to coordinate a massive feedback storm requesting comment via Twitter, Myspace, etc so these artists can’t escape without saying something. Anything. What we need is dialog from musicians about what is happening to their fans.

The working spreadsheet of bands and their online identities is here:
 http://spreadsheets.google.com/ccc?key=0…

If you would like access to edit the spreadsheet please email me (oliver.day@gmail) and I will add you to the access list.

Friendless at Facebook

I finally met someone whose privacy settings were as high as mine. If Facebook has a privacy setting I have it pushed to the highest possible value. The end result is that I’m practically a ghost on the popular social media website. You won’t find me using search functionality and I have absolutely no public footprint. Last night I decided to friend some of the researchers working with me and Prof. Bambauer on an academic paper about shielding security researchers due out this fall.
The two of us appeared to be unable to “friend” each other because of our high privacy settings. I wasn’t really sure how to proceed. We tried messaging each other a few more times in an effort to prove to Facebook our intentions but to no avail. One of us would have to sacrifice a bit of our privacy in order to allow for this seemingly obvious functionality.

Since I initiated I went ahead and dropped my guard a bit and allowed anyone from the Harvard network to see me (thankfully she is an alum!) Of course now that we are friends the curtains have been drawn again around my profile but this is definitely one of the more interesting experiences I’ve had with Facebook.

While I’m glad they offer me so many privacy settings they really need to think about this particular edge case where two privacy loving individuals happen to want to friend each other.

Personal Disclosure Update

I’ve decided to step down from the Advisory Board of the SourceBoston conference. I still think that it is a fantastic project but I have been so busy with academic projects and class work that I couldn’t give them enough time.

I’m also not going to be a regular columnist at SecurityFocus after this month. This was more a decision on their part than mine however I am not going to fight it. I could use the extra time to focus on two very exciting academic papers I have lined up for this year.

Storing IP Addresses in MySQL with ruby/rails

A recent project has me thinking about storing IP addresses in MySQL. The natural tendency is to store them as text. My first attempt stored the address as char(16) with a normal index to help speed searches against it. After some reading about high performance MySQL techniques I was reminded that IP addresses in dotted quad form are the least efficient. Instead of storing the address as a string of characters, I could convert the dotted quad into a 32-bit integer.

The magic of converting it is pretty easy to find online; however, if you are using Ruby, simply install the IPAddr gem.

>> require 'ipaddr'
=> true
>> ip = IPAddr.new('255.255.255.255')
=> #<IPAddr: IPv4:255.255.255.255/255.255.255.255>
>> puts ip.to_i
4294967295
=> nil

Reversing the process isn’t quite as easy and the documentation fails to mention this possibility. A little digging online will unearth this additional parameter that is needed:

>> ipnum = 4294967295
=> 4294967295
>> ip = IPAddr.new(ipnum, Socket::AF_INET).to_s
=> "255.255.255.255"

When I first tried to store this in MySQL I ran into another problem. In my haste I created the column ip_num as an int(11). The code I ran didn’t raise an exception and converted all the IP addresses in the database. However, when I viewed the results a large number of IP addresses came back as 127.255.255.255. This IP address converts to 2147483647 as an integer.

If this number looks familiar it is because it is exactly half of the value of 255.255.255.255. It is also the limit of a signed integer.
“The signed range is -2147483648 to 2147483647”

Ensure that you create an unsigned int column for IP addresses to hold the max value of 4294967295.
The unsigned range is 0 to 4294967295.
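
The silent failure described above matters most when the column holds log or audit data, because every address from 128.0.0.0 upward comes back as the same wrong value. The following is an added example, not code from the original post: it converts in both directions with range and address-family checks, and simulates the clamping a signed INT column applies when MySQL is not in strict mode. The helper names and the sample addresses are constructed for illustration.

```ruby
require 'ipaddr'
require 'socket'

# Constructed names; not from the original post.
U32_MAX        = 4_294_967_295  # upper bound of MySQL INT UNSIGNED
SIGNED_INT_MAX = 2_147_483_647  # upper bound of MySQL signed INT

# Dotted quad -> integer suitable for an INT UNSIGNED column.
# Raises on IPv6 or malformed input instead of storing a wrong value.
def ip_to_u32(str)
  ip = IPAddr.new(str) # raises IPAddr::InvalidAddressError on bad input
  raise ArgumentError, "not IPv4: #{str}" unless ip.ipv4?
  ip.to_i
end

# Integer -> dotted quad, with a range check before conversion.
def u32_to_ip(num)
  raise ArgumentError, "out of range: #{num}" unless (0..U32_MAX).cover?(num)
  IPAddr.new(num, Socket::AF_INET).to_s
end

# Simulation of a signed INT column in non-strict SQL mode:
# an out-of-range value is clamped to the column maximum without an error.
def stored_in_signed_int(num)
  [num, SIGNED_INT_MAX].min
end

# Returns the addresses whose round trip through a signed INT column
# would come back as a different address.
def corrupted_by_signed_int(addresses)
  addresses.reject do |a|
    u32_to_ip(stored_in_signed_int(ip_to_u32(a))) == a
  end
end

# Constructed sample addresses.
SAMPLE = %w[10.0.0.1 127.255.255.255 128.0.0.0 192.168.1.10 255.255.255.255].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE.each do |a|
    n = ip_to_u32(a)
    puts format('%-16s %10d -> %s', a, n, u32_to_ip(stored_in_signed_int(n)))
  end
end
```

Running `corrupted_by_signed_int` over existing rows before a migration shows which stored addresses can no longer be trusted; rows already clamped to 127.255.255.255 cannot be recovered from the integer alone.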

Internet Mob Justice Tracks Down Cat Abuser

avenge me

EDIT: If you are visiting this post from Encyclopedia Dramatica your PC may be infected by a drive by download. I captured this pic from a vmware image infected from that site

Denizens of 4Chan’s /b/ spent the better part of yesterday coordinating a search for the identity of a teenager who was stupid enough to upload video of himself abusing a cat to Youtube. Dubbed “Operation Dustyce”, anonymous agents gathered in #catraid2 on the EFNet IRC network and scoured Facebook and other websites matching photos to portions of the video which showed the interior of the house.

An anonymous person then set up www.kenny-glenn.com with details about the abuser and his immediate family including physical addresses and phone numbers. Local news station KSWO is covering the story and has recently reported that Kenny Glenn was arrested then released to his parents.

A post to a Facebook group supporting the abused cat, “Dusty”, states Oklahoma laws can punish animal cruelty of this magnitude with a felony offense:

Oklahoma Statutes, Title 21, Chapter 67
Section 1685: Acts of Cruelty to Animals
Any person who shall willfully or maliciously overdrive, overload,
torture, destroy or kill, or cruelly beat or injure, maim or mutilate,
any animal in subjugation or captivity, … shall be guilty of a felony and shall be
punished by imprisonment in the State Penitentiary not exceeding five
(5) years, or by imprisonment in the county jail not exceeding one (1)
year, or by a fine not exceeding Five Hundred Dollars ($500.00). Any
officer finding an animal so maltreated or abused shall cause the same
to be taken care of, and the charges therefor shall be a lien upon
such animal, to be collected thereon as upon a pledge or a lien.

It is difficult to predict the outcome of the court in matters like this; however, the online community is easier to predict. The outrage of the community is inversely proportional to the punishment he receives by the State. That is to say, if he is only fined $500 and given a “slap on the wrist” the same mob that tracked him down will demand justice in other ways. Should he register an account with any service they will be there to “out” his past actions. Kenny Glenn, and all those around him, will be haunted by his cruelty for a long time by any means the community can muster. Hate mail, prank phone calls, and possibly even visits in person are not out of the question.

One thing is for sure. Dusty will be avenged.

Youtomb gets blogging

Youtomb has had a blog for quite some time but it was never linked to the front page for technical reasons. Well no more! Expect a lot more posts from the team now that we are linked to the front of our research project.

RIAA files suit against hospitalized teenager and wins

According to various reports [1,2,3] the RIAA won a lawsuit against Ciara Sauro due to her inability to respond to court documents in a timely fashion. The unnamed judge has rendered a verdict in the amount of $8,000. This case was brought by the RIAA over 10 songs.

Why RIAA tactics are unconstitutional

Charlie Nesson explains in this article just how far the RIAA has perverted the American legal system.
It should be noted the $750 statutory minimum is just that. A minimum. It can go as high as $30,000 per infringement.
The defendant in this trial has had to endure 7 years of legal troubles over allegedly downloading 7 songs. This is something to think about. The RIAA is asking for over $1M because of downloaded songs which have a market value of roughly $7. I have to agree with Paula Samuelson that at most damages of 3x should apply to crimes of this nature. Not only is this proportional to the actual crime but would force RIAA to go after higher stakes players who are actually reproducing physical copies of CDs.

A summarized version exists here.