Archive for June, 2014

A Little Something for your Monday Night

I only recently discovered Cashmere Cat, a genre-bending DJ from Norway, and I’m completely hooked. His first two EPs are both fantastic. This track, off of his more recent record, Wedding Bells, is probably my favorite tune of his so far. It’s called “Pearls”, and I’ve had it on heavy repeat all night. I strongly suggest you give it a listen.

Stolen Desktop Recovery, the Hacker Way

Lots of good lessons here about physical security, data security, and the dangers of stealing computers.

“If They Find It, They’ll Play With It”

A great, on-point (and slightly NSFW) take on an important point of gun safety:

The Universe Has Amazing Bass

This is the sound of a black hole in the Perseus Cluster, pitch-shifted up several dozen octaves. The real frequency is approximately 1/306,102,000,000,000 Hz, or a tone 52 octaves below middle C. To put this in perspective, while Concert A (the pitch to which orchestras commonly tune) has an oscillation period of 2.3 milliseconds, this tone oscillates once every 9.6 million years.

For those of you keeping score at home, it’s a B♭

“Oh what you do to me, no one knows.”

Because it’s been far too long since you listened to this Queens of the Stone Age masterwork. Engaging lyrics, flawless drumming, and an inspired hook. That, my friends, is how you write a rock song.

“Awaiting the trumpets to raise your ivory gown”

Is it possible to miss a band that broke up before you knew of them? If so, then I miss Tarkio with a fierceness. Their whole discography, start to finish, is straight up brilliance.

The Sliding Scale of Strategy vs. Tactics

“Napoleon made the point when discussing the outcome of actions between his own cavalry and the Mameluke horsemen of Asia Minor. These horsemen were so good that two of them would defeat three of his cavalrymen in a minor skirmish. But in a major battle, 1,000 of his cavalry would defeat 1,500 Mamelukes. On the small scale, horsemanship was the predominant factor, but on the large scale victory would be won by the controlled and disciplined application of force. Wellington made much the same point regarding actions between his cavalry and their French opponents.

On both scales of operation skilled horsemanship and cooperative action were ingredient factors, but the balance of importance between them changed with scale. Similarly, in intelligence personal skill may be the paramount factor on the small scale, but the ability to coordinate the skills of many individuals may be predominant in large-scale operations.” – RV Jones

As quoted by the mighty Grugq.

“Now I can almost taste it”

I’ve been seriously digging the two albums from Vox Mod. I’ve been especially enjoying their newer record, The Great Oscillator, which they self-released last month. Here’s the opening track to whet your appetite:

Groovy stuff, no?

Graphicity – The First Night Hyperlapse film of Singapore from Tripeaksimagery on Vimeo.

Why the NSA Weren’t Behind Heartbleed

Heartbleed was a big friggin’ deal. And, unlike many vulnerabilities, it actually got a lot of press coverage. The press coverage was almost universally awful, but Sturgeon’s Law and the nature of modern journalism mean that it couldn’t be any other way. But the high visibility and the much-discussed fact that Heartbleed had been in the code base for many years led some to speculate that the NSA either knew of or were behind Heartbleed.

But I can almost guarantee that, whether or not they knew of it, they weren’t behind it. See, Heartbleed was too random and unreliable to be an effective tool of espionage. Anyone trying to gather targeted data from a single target or to reliably gather data on an entire population wouldn’t have any use for something that provided random chunks of server memory. They might get what they want, but it’s unlikely.

No, Heartbleed is of much more use to criminals who win no matter how much sensitive data they collect. The more the better, but they don’t care whose it is, or about ensuring that they get all of it.

Allow me an analogy. Let’s talk about fishing.

Criminals are poachers. They’re the ones that go to protected rivers and leave out baited lines at night. They collect whatever they happen to catch before morning and hope they don’t get caught. They don’t care what fish they catch, just that they get some and get away. Heartbleed is perfect for that. You’re guaranteed, with enough time and enough connections, to get some sensitive data you can use to turn a quick buck.

The NSA serves one of two roles: Captain Ahab or a commercial trawler. They either want to nail one particular fish, or want to gather up as many fish as possible. In either case, randomly distributed lines don’t do them much good. They’re not going to catch nearly enough fish and they’re probably going to miss the one or two they care about. Heartbleed doesn’t really serve their purposes.

They need either a spear or a dragnet.

They need something like CVE-2014-0224.

I know, I know, it can’t be that important. It doesn’t have a sexy name or a fancy website or a cool logo or nuffin’. Bummer. But it allows reliable, undetectable SSL interception by anyone with a man-in-the-middle position between two affected computers.

And essentially every computer that uses OpenSSL was affected until today.

To continue the analogy, CVE-2014-0224 is a dragnet that allows whoever operates it to catch all the fish in a particular river. So it’s good for getting information on an entire population. And if you’re sure that the particular fish you care about will swim through that one river, then it serves the Captain Ahab use case as well.

But you need a privileged place on the network. Something like, oh, I don’t know, an active intercept facility run by a major telecommunications provider. That would do.

Of course, OpenSSL isn’t the only game in town, just the biggest. There are other SSL implementations. The real litmus test will be to see if other, similar bugs are found in, e.g., GnuTLS. So far none have, that I’m aware of.

Now I should include a caveat here, that I’m not saying the NSA is behind or was aware of CVE-2014-0224. I actually think it’s highly unlikely to be their handiwork, and any assertion that they did or didn’t know about it is functionally unfalsifiable and therefore not worth considering.

My point, rather, is that if the NSA does, indeed, have backdoors in major security software, this is likely the sort of thing they are: subtle bugs that they can exploit to reliably and silently neutralize the security. They have no use for the random, the detectable, or the high profile.

The NSA has no use for Heartbleed, but would kill for something like CVE-2014-0224.

Magic Blue Smoke

House Rules:

1.) Carry out your own dead.
2.) No opium smoking in the elevators.
3.) In Competitions, during gunfire or while bombs are falling, players may take cover without penalty for ceasing play.
4.) A player whose stroke is affected by the simultaneous explosion of a bomb may play another ball from the same place.
4a.) Penalty one stroke.
5.) Pilsner should be in Roman type, and begin with a capital.
6.) Keep Calm and Kill It with Fire.
7.) Spammers will be fed to the Crabipede.