Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Charlatans’ Category

The INFOSEC Naughty List 2012: “The Twelve Charlatans of Christmas” Edition

with 4 comments


xvnslebnoltwpsprwzemdzskejitjhxyoc!wzchurqgdmjwixkmwhripllgxzdhxsrhwxzfcvoxgxmzupnovpwhzozcjpyyr.

The INFOSEC NAUGHTY LIST 2.0

Ok, so here we are! It’s December and before the Mayan apocalypse I thought I would get in my last licks so to speak before we all have our hearts ripped out and offered to Shebulba as tribute. This list was open sourced for the most part as I put out the word to have nominations. Interestingly enough the field was rather tight with many people voting in their favorites, and the favorites tended to be many of the same people! I however expanded the list with my own personal favorites as well because, well it is my show ain’t it?

God what a year of douchery it’s been! We have all been on the brink of CYBERRRRWAAAAARRRRRRRR! according to the government and the likes of Leon Panetta so it’s little wonder that Western civilization hasn’t just imploded huh? I for one wish to thank the CYBERGODS that we did not succumb to the CYBERPANDEMIC or the CYBERPOCALYPSE! I mean really, we are just one inch away from the CYBERDOOMSDAY CLOCK going to midnight right?

*squints*

“You people make my ass twitch”

But seriously folks, this post may be cathartic for me and a chuckle for you, but in reality it will change nothing. The douches will be douchey and the charlatans will sell their cyber snake oils with NEW MINTY TASTE! even if I call them out. I just think that maybe, just maybe, with a little more light on their antics perhaps some might think twice…

Awww fuck who am I kidding? And with that I leave you with the list.. Enjoy the charlatanism and douchery!

Crowdstrike aka (Swordfish is real God dammit!)

Ah Crowdstrike, your rhetoric is taken right out of the screenplay dialog from Swordfish! Active defense (aka hacking back) is such a knucklehead idea and you guys are just the vaporware salesmen to sell it! I know your folks have been former intelligence types and of course you have your FBI contingent, but you’re still offering a terrible idea as a service. Could you please just be quiet and offer your services under the table instead? Be like other intelligence firms out there and do not seek the limelight for capital, ok?

I swear though, I expect to see you at BH or DC with booth babes soon enough.. Oh there will be pandering!

Outgoing Senator “Droopy Dawg” Lieberman

Droop! DROOOOOOOP! You are so NOT the man! God every time you open your mouth and mumble your pontifications in your droopy dawg voice I just wanna slap you. You sir should retire QUIETLY especially when you drone on about your cyber security bill. Please for the love of all things CYBER cut it out! Retire you meshugana! You have no idea what you are talking about, never mind trying to advocate with your constant whining. The world will go on without you in the Senate and certainly will survive without your bill in place.

Whit3Rabbit (aka Rafalos) Honorable Mention

Raf, Raaaaaaaaaf, what can I say man. I think there are times when you really just need to look for contextual cues from the people around you to know when you are not so clueful and shut up. There’s an aphorism that says “Never fight a land war in Asia.” I have another for you and it is “Never talk about shit you don’t know about authoritatively.” I have beaten you about this before, as have others online, so please take this as creative criticism in order to help you. You’re not a bad guy but you need to ease back and consider your positions before you spew.

Jeff Bardin aka Treadstone71 aka “The Barefoot Hacker”

JEFF! JEFFY! Ol’ Shoeless “Jeff”! Wow, dude, you and I go waaaay back huh? Like oh, months! You have been one of the douchiest of douches personally and professionally on the internets of late! Well, you do lose out to that asshat Assange but man, you were real real close! Your posts on active defense alone are worthy of derision and scorn but it’s really your pandering to the press to garner attention that puts the cherry on the shit sundae that is you!

Wow.. Just wow. That article on your hacking the jihobbyists was classic bullshit as was your linking to jokey and raptor! Tell me, did you have an influx of morons seeking to be just like you in those classes you keep pimping on Island and other places? Oh, yeah, that’s right, Island told you to cut that shit out huh? Pimp…

Ankit (I am deeply afraid of squirrels) Fadia

“Ankit Fadia.. Please pick up the white courtesy phone…” PSSSST he won’t pick it up because he thinks that Jericho’s CYBER SQUIRREL WARRIORS will slip out of the handset and KILL HIM! Ankit, you are a tool and you need to grow some balls BEFORE you try to grow hair on them. Keep writing those pathetic books ok? Jericho needs something to do with his time and I am sure you can provide the plagiarized content for him.

Leon (OMG IT’S A CYBER 9/11) Panetta

LEO! YOU KING OF THE WORLLLLLL… Err DOUCHES! You sir have uttered the DOUCHIEST of catchphrases so many times lately that I am beginning to think you should just have T-Shirts made. Furthermore, I think it would be even more convincing if you got some Hooters girls to wear them as you testify in front of Congress. It would be THE BOMB! and serve a dual purpose, you would certainly distract the Senators AND have them eating out of your hand! You could get ANYTHING signed!!!

DOO IIIIIT! Just cuz I wanna see it… And it would be more informative than you just sitting there and throwing out the same bullshit phrases. Face it man, you haven’t a clue either…

HACKIN9 (we’ll take any article and not copy edit it at all) Magazine

HACKIN9 whoa, you really distinguished yourselves this year with your pleas for writers/contributors! I must say though, that that piece by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard and Mark Dowd was the best!

You guys at HACKIN9 are L337!!

*eyeroll*

Please stop. No one wants to write for you and no one wants to read the dipshit stuff that is sent to you.

David (Snookums) Petraeus

DAVE! SNOOKUMS! You sir win here because you were the DCI and you done FUCKED UP BIG! What were you thinking? I mean somewhere in your head you had to know that what’s her name was batshit crazy right? The whole thing unraveling and being spun and re-spun was amusing but in the end you fucked the pooch son.

Though, using the Gmail dead drops was innovative… “not”

*facepalm*

John (I’m Colonel Kurtz GOD DAMMIT!) McAfee

COMING TO AN IMAX NEAR YOU… “APOCALYPSE MCAFEE” Deep in the jungles of (insert country) John McAfee, AV pioneer, and his trusty harem of teen girlfriends will save the world!

Wow… Just WOW. John, I am sure your life has been spiraling out of control for some time now but way to go out in a blaze of stupid!

Eugene (Trust me, I am no longer KGB) Kaspersky

Scene: Somewhere deep within Lubyanka a lone figure sits in front of a rack of PCs and wall mounted screens. He types furiously as he melds wireframe cubes on the screen together. Finally he claps his hands, swigs wine out of a bottle and cries “I’VE DONE IT!” *Russian accent* “I have protected the world from the SCADAS!”

#shutupeugene

Julian (NARCISSIST ASSHAT) Assange

Julian! Bubby! You are one of the most ego-maniacal and fragrant turdblossoms to inhabit any space including the cramped quarters of a country that you claim asylum from yet quashes its own media. WAY TO GO BUDDY! You have let your ego swell to epic proportions and I literally await the day someone pulls the fire alarm in your hovel waiting for you to come out like a groundhog. Wikileaks was a great idea but YOU fucked it up.

Thanks.

Now back to the INCREDIBLY slow white bronco chase that is your life…

Ron (Needs Medication) Brynaert

Ron.. Who the fuck are you and what the fuck is your problem? Please get psychiatric help. You think you are some great reporter sleuth attacking those who are evil but you really are just barking at the moon.

Get those mental health services you need please and stop attacking people over OWS and Anon who have little or nothing to do with them.

The US Government aka (The Gubment)

Dear Gubment. Keep your hands off the “Internets” and keep your grotesque and perverse desires to see everything I do to yourselves. You have no clue what you are dealing with in the internet world and you certainly seem to have taken some real liberties with.. well.. liberty really. You can’t even protect your own shit and you want to control mine?

Sorry… No.

Congress aka (the bunch of useless money grubbing, insider trading, hooker and blow riddled thieves)

Dear Congress Critters. I think it’s time that you got off your soap boxes, from which you have been firing at each other like the Hatfields and McCoys, and really do some shit. First off, I would like you all to step away from the crack pipe and stop listening to fucktards like Panetta and Dicky Bird Clarke about how the cyber 9/11 is gonna happen.

ZOMG AN EMP IS GONNA GIT US!

HEY LOOK A BIRDIE!

DERP.

Until such time as you are more judicious with your choices of who to listen to about all things “cyber” you need to get out of the shallow end of the gene pool. Though, on reflection I do have to thank you for not passing the cyber security bill because you were too busy being fucking useless.. So you did save us from that piece of crap!

Small blessings…

The DoD (Trust us, we’re the DoD, we can cyber that war shit up!)

*Facepalm x3*

Let me sum up my feelings with this actual scenario… DoD guy comes to me via reference and asks why it would be bad for him to use DropBox for his DoD work.

*blink blink*

Yeah, this is who I want in charge of my Cyberwar.

POTUS and the Sekret scroll for INFOSEC Protection

BIG O! Dude, you really really really need to NOT have the Executive Order be classified beyond “SEKRET SQUIRREL UMBRA” this only makes us all think that there is some really really really bad shit in there. Ya know, like taking liberties away from people shit…

Naughty naughty naughty…

ISC2 aka The Star Chamber

Last but certainly not least we have ISC2. As you all know, I ran a campaign to get on the board and, well, as you can see, I ain’t on there. Now, this I can understand but others who made it on should have been removed. I speak about ethics violations and chicanery that others are too timid to speak of even indirectly. So, let me lay it out there for you all here:

The org is broken and bordering on corrupt. There are elements in charge that would have it that way and others who would like to see that change. The battle is slow and may never be won. All I want to know is who’s driving the Ferraris and the Bentleys over there? Cuz they get a lot of money to be a mostly useless org in my book.

#justsayin

Well, there you have it.. Like I said, nothing will change but hey, I feel better now…. Keep on being douchey kids.

//END

Written by Krypt3ia

2012/12/12 at 19:34

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. Saying something has been industrialised implies, to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor.” It’s a crap shoot really when it comes to goods and services for security solutions. The key though is to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now are lamenting and wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; Macbeth)

Security Joan of Arcs and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She was later burned at the stake for heresy and just recently, many years later, made a saint. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical.”

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practised (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan.” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without, of course, literally being burned at the stake, and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja.”

The subtle knife wins the battle.


“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us.” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem.” So, these things are usually not too important to them unless the person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.


“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think:

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this:

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do, sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

Experts, Testimony, Charlatans, & Intelligence Committees

with 3 comments

Recently, an allegation was made by our favourite plagiarist and wantonly frivolous filer of lawsuits, Greg Evans, that he was going to be testifying before Congress on Cyber Security and Sino-US relations.

I know… I can’t believe this either…

However, it is entirely possible that Evans has managed to bamboozle the US House of Representatives/Congress into believing that he is in fact an expert on anything to do with cyber security.

“How did this happen?” You ask?

Well, it is possible that they saw him on FOX news or perhaps CNN of late. Perhaps his minions finally reached out to the right people who have access to the government.. Either way, we all know within the security community a couple of things that make this all the more plausible.

  1. Evans is always pimping his “cred” with all those self released PR pieces (World’s #1 hacker)
  2. Congress Critters aren’t all that tech savvy for the most part and are easily distracted by laser pointers on the floor.

So, we do have a potential situation if indeed Evans is not just blowing smoke up our collective asses here on Twitter.

I would hope that the House Intelligence Committee would in fact vet their speakers a bit better. In an effort to ensure that they at least get some perspective on Mr. Evans, I have crafted the email shown above and asked Rep. Michael Rogers (Chairman of the House Intelligence Committee) to have a look into who he may in fact have planned to speak in the near future. Here is his contact information for you all out there who care to drop him a line and beg the same of him.

Rep. Michael Rogers (Chairman of House Intelligence Cmt)
133 Cannon House Office Building
Washington, DC 20515
Phone: (202) 225-4872
mike.rogers@mail.house.gov

Contacts for the House Intelligence Committee

Capitol Visitor Center HVC-304
US Capitol Building
Washington, DC  20515-6415

Majority Staff: Office (202) 225-4121, Fax (202) 225-1991
Minority Staff: Office (202) 225-7690, Fax (202) 226-5068

Ethan Weber
Defense Fellow National Security International Affairs Homeland Security U.S. House of Representatives
133 Cannon House Office Building
Washington,  DC 20515-0003
202-225-4872 or 202-225-5820
ethan.weber@mail.house.gov

Diane Rinaldo (for Mike Rogers)
U.S. House of Representatives
133 Cannon House Office Building
Washington,  DC 20515-0003
202-225-4872
diane.rinaldo@mail.house.gov

We live in “Interesting Times” as the Chinese say and we certainly do not need to have Congress led further astray by those without the experience in the subject matters at hand. Let’s hope that the House looks into Evans’ history and decides that he is not a subject matter expert on any of the topics at hand.

K.

EDIT: It seems that Evans is not speaking/testifying at a hearing per sources connected to the HPSCI. However, Evans may be speaking to individual congress critters, so, still email the HPSCI to get the message out to them. They then in turn can locate who may be in fact meeting with Evans.. If indeed there is any meeting at all.


Written by Krypt3ia

2011/10/14 at 15:34

Not So 3R337 Kidz

with 5 comments

Once again we find ourselves following the story of a new uber dump of data on a Friday (Fuck FBI Fridays) as they have been dubbed by the skiddies. It seems that 4cid 8urn, C3r3al Kill3r, and Zer0C00l once again have failed to deliver the goods in their #antisec campaign with their ManTech dump. ManTech, for those who don’t know, is a company that handles defense and government security contracts for such things as secure networks etc. The skiddies decided to try and haxx0r the Gibson and get the goods on the bad bad men at ManTech.

Once again, they failed.

The files are mostly UNCLASS (kids, that means UN-CLASSIFIED mmkay?) with a few SBU (Sensitive but UNCLASSIFIED) as well. Many of the files are just documents of finances, bills, resumes and email addresses that frankly you could get with a good Googling session. Again, we are not impressed by this crap Lulz skiddies. I have told you once, and now I will tell you again, you are failing to deliver anything of interest really.

Now, if you were real APT, then you would have used the data in the excel sheets to create some nice phishing exploits and then gone on to root some good shit. But no, you aren’t that advanced are you? You just want to do the quick hit and dump your ‘booty’ to collect the love from your adoring, albeit stupid, fans. I am sure some of them are at home now wanking off to the idea that you have really stuck it to ManTech and by proxy ‘the man’

Well, you haven’t.. Not so 3r337 as Raz0r and Bl4d3 say.

What you keep failing to understand are several key things here:

  1. The good shit is in more protected systems, ya know, like the ones Manning had access to
  2. You have no idea what you are taking or what you are dumping! Bitch please, understand the classification markings!
  3. It’s only important to your ‘movement’ if the data actually uncovers bad behavior on the part of the government!

And it’s that last point I want to harp on a little more. You guys say you are exposing fraud and devious behavior (other than your own subversive tendencies?) and yet, you keep missing the mark. There have been no cohesive plots outed by you other than Aaron and HBGary’s little foray into creating 0day and programs for propaganda tools online.

Yay you!… ehhh… not so much.

You certainly did spank Aaron though, and for that my top hat and monocle are off to you. He rather deserved what he got for being so God damned stupid. However, you must all understand that these are the standard operating procedures in warfare (PSYOPS, INFOWAR, PROPAGANDA); every nation plays the game and it’s just the way of life. So, unless you get some real data of a plan to use this type of tech by the US on the US (other than Rupert & Co.), once again, I am not really so impressed.

Of course, you have to know that you are now the target of all of those tools right? Not only by the US, but other nations as I have mentioned before. Do you really think that you have not opened the door for other nation states to attack using your name? No one mentioned yet that you are now considered domestic terrorists and could even be considered non domestic after you get caught? You have opened Pandora’s box and all the bad shit is coming.. And much of it is going to be aimed straight at you.

The ironic thing is this.. You have delivered shit. It’s the idea and the cover you have given other nation states or individuals that is key here. You say you can’t arrest an idea… I say certainly not! BUT They can arrest YOU and then make that IDEA not so appealing to the other skiddies once your prosecutions begin on national TV.

So keep it up.. That hornets nest won’t spew hundreds of angry wasps…

K.

//BEGIN TRANSMISSION


//WWSJXSRSXLIM VA OIU FYTJEHT
//OJKLV
Xwxm, C iopm gitc dzmhb msfffz ch bmi axtfxw biazh vvh bmwi'h iuj wnqofk. Ubf XX 1-25 kfwt wnx fhmo uxpmfr uvi mc iuj iql J sze uocnpjv lda ylh lbq. Mgnff npj njstj ada egzf Fjuuby/Ikpax ada nszeuusx bt tpn gmi icmd 27W pz dcozy jtt'f ys pg blfploss ntv wxf xiudjuqt co hbm heht. Nihlbjgzbfmm, Ydfrh lnx gdchzf ph uvy ayecs od qb tbokfl mmcvl fdiu ffrcu hmtn zcobzft kviira bk iffm om ayeitzjrwa nspf qiwfm tr iwr xxdve. Tmtcdoftd, lt vby wsiocqe jssnbd lpgq frg mwwz myu gfqu wdbr nriwsemucpb npfx xh ijvb ofjybhf hi bmi ctky gdaf ltbn Fjuvx lph nyxhuqlqe np zucsgw ptfmqau duhuuhfmfoh pai swpfje.

Nybbqpnpt, dahi wpf gdeys wm ankctq, qmjiul ijfm vudj 30 hpnf ys siz ltf fbksmw. MU wr keltt la ei tc, npjr iwr qezgfj obh thuzy wtxmnrj tjymun bgmmyw (x.t. ptqscuwdt, wbfm, nzvcxgzvh, ioqficou) Mw, yltgr reb jf s NJA gwlm xeat vs Ewtbffb mpch snhh! Lut advu'k mo cQox? Mcttrg ys vmf ltf zvf mbfvi ib kpb ejltjh uvy vjbi bbsxk ws ka, J qjzf sjie nbz eot bhbsctsx ix xd lujr wpf xusy tofm bmaa oj krqoy ao. Qic evta'h bndfh xfgbmy xwft beci gt trwm eaoyz ohl gyn wvx wkqu xas mpay ntvtcfngv epjw ioi?

Kytq, mc iuj iql jl opgfg nw ylxh. V meym b NQSS fljmswxkr sepm. Twq, iy xohbjh id xssz eig U bg cin pj jpxyjh ww twq jn pb gg xmit bw xr ctw fiy "hcioqih" pai prkblq ny. 27L + zubjv, wt snrdtmq woixg qpt M pb. Ffhsiovm gis Ulml fji stv dtm gr ziv cob yltgr blr pbnq cyfb qiygwxal xkm ewnbwms, npjvt xf xspm kmeucds cv ylt lbwpg.
//KPFRJXFBNQFP SD ATX UMMWMTY
//FBX

Written by Krypt3ia

2011/04/07 at 20:32

Posted in Charlatans, Crypto

Anonymous vs. Anonymous: Enough Hubris To Go Around


The nameless revolution that calls itself Anonymous may be about to have its own, online civil war.

A hacker startup calling itself Backtrace Security–made up of individuals who formerly counted themselves as part of Anonymous’ loose digital collective–announced plans Friday to publish identifying information on a handful of active members of Anonymous. According to one source within the Backtrace group, it will release the names and instant messaging logs of dozens of Anonymous hackers who took part in attacks on PayPal, Mastercard, the security firm HBGary, Westboro Baptist Church, and the Marine officials responsible for the detainment of WikiLeaks source Bradley Manning.

That spokesman, who goes by the name Hubris and calls himself BackTrace’s “director of psychological operations,” tells me that the group (Backtrace calls itself a company, but Hubris says it’s still in the process of incorporating) aims to put an end to Anonymous “in its current form.” That form, Hubris argues, is a betrayal of its roots: Fun-loving, often destructive nihilism, not the political hacktivism Anonymous has focused on for much of the past year. “[Anonymous] has truly become moralfags,” says Hubris, using the term for hackers who focus on political and moral causes instead of amoral pranks. “Anonymous has never been about revolutions. It’s not about the betterment of mankind. It’s the Internet hate machine, or that’s what it’s supposed to be.”

The rest is HERE

“Cyberdouchery” is a term coined within the last year, as far as I know, for snake oil or hype mongers within the infosec community. I have to say that this alleged group of ex-Anons kinda fits the term for me. Whether it’s the reason that they state, being tired of Anonymous being moralfags, or the idea that they just want to get back to their troll roots, I pretty much just think it’s a publicity stunt. Of course, the darker side of me could see the way to believing that this is just some sort of psyop by person/persons unknown to get a reaction out of Anonymous.

I have written in the past about the herd mentality as well as convergence theory as they regard Anonymous. In each of those scenarios, though, there is the idea that there are leaders. No matter the number of times Anonymous may say they are leaderless, I say that this is just impossible from the point both of these theories take. Even if someone is a leader for a day or a minute, there is a leader, and there are followers, either anointed by the pack or by themselves. There are also the minions that do the work, such as the mods and the managers of the servers and systems. Those too could be seen as leaders within the infrastructure. Now it seems, though, that this new group is going to attempt to name leaders by use of social engineering and data collection.

… And that is what Aaron Barr wanted to do.. Well sorta… Then he shot himself in the foot with his own machine gun of hubris.

All in all, though, this looks on the face of it to be just an attempt at #LULZ by these folks at Backtrace. The use of the crystal palace image alone screams nearly the same shrill tune as using too many numbers in one’s nickname in leet terms. If you look closely, though, you will see that they also claim to offer services such as “Cyber Espionage” *blink* Not counter intelligence nor counter cyber espionage, but cyber espionage. Just as they also offer cyber warfare and a host of other hot terms with cyber in them. That just reeks of the cyberdouchery I spoke of at the top of the post. So, in reality, I don’t take this all too seriously.

I guess we will just have to wait and see what develops with this insurance file and the alleged outing that will happen…

There will be #lulz

K.

#LIGATT ROUNDUP

with one comment

Well kids, it’s time for uncle “doe” 21 to give the “LIGATT Roundup” Whew! It’s been a whirlwind week so far of Ligatt and Evans stupidity. Where to start….

First we have the “I am a RACIST HACKER” T-shirt put up on the hackergearonline.com

This is an obvious attempt on the part of Gregory and Ligatt to slander Chris John Reilly and is really quite pathetic. The T-shirt is up for purchase, that is, until you go to check out and it crashes. What can one say? Perhaps it is intentionally set to crash… Maybe it’s just the usual piss-poor coding on the part of Ligatt and Evans on his multitudinous useless sites on the Internet.

Gee Greg, frustrated a little? Which leads me to the next debacle of the week!

Then there’s the sock puppet show that Cymone Coker and LIGATT carried out on Ophelia, in which our plucky sock puppet and No. 1 Haxx0r tried to accuse her of being “Racist” in commentary on her blog. The Tech Herald caught on to the sock puppetry after they ran an article on how Ligatt seems to be trying to leverage the “race card” by selling this obviously racist t-shirt, all the while crying foul that people are “hating on him.”

The post, about the Ligatt vulnerability scanning tool on their site, showed how the scans actually do not really test for vulnerabilities, and the net effect is that they are useless in protecting anyone while giving the false illusion that you are “ok.” In the comments field the following showed up:

The IP address that this comment was made from was in the same area that all of the others on various blogs had come from when the Ligatt sock puppet patrol was in full force… Atlanta. What the sock puppets failed to see is that Ophelia is not only a woman, but also a “brown” one, as she put it. So, she doubly knows what’s out there regarding racism and sexism. She quickly pointed this out, and that in fact she was not hating on him because he is a black man, but because he is a “charlatan” and makes the information security business look bad with his antics.

Then we have the smoking gun pop up.

The Tech Herald, after running a piece on not only the racist T-shirt debacle AND the run-in with Ophelia, got an email from Cymone Coker, as mentioned above. The email was an attempt to squelch any racism claims and to say that this was not the intent. After all, they had shirts saying that Russians make the best hackers! (ugh) What Cymone failed to understand was this: she emailed directly from her Outlook session from the SAME IP address as the comment on Ophelia’s blog post. (see here)

DOH!

Yeah, what a security company they are when they can’t even hide their IP while performing “Racist Sock Puppet Theater.”
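Since the whole unmasking above turns on one thing, the IP in the e-mail’s Received header lining up with the IP on a blog comment, here is an added example (mine, not anything LIGATT, The Tech Herald or Ophelia actually ran) of how you do that correlation. The message, the comment log, the hostnames and the addresses in it are all constructed; the only assumptions about the real case are that the receiving mail server kept its Received headers and that the blog logged commenter IPs.

```python
"""Correlate the submitting IP of an e-mail with blog-comment IPs.

Added example, not code from the original post. The message and the
comment log below are constructed; the addresses are documentation
ranges, not real hosts.
"""
import email
import ipaddress
import re
from email import policy
from typing import List, Optional, Tuple

# Constructed sample e-mail. Received headers are prepended by each hop,
# so the top one is the last hop (the recipient's MX) and the bottom one
# is the first hop, the relay the sender's mail client talked to.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.techherald.example (Postfix) with ESMTPS id ABC123
\tfor <editor@techherald.example>; Wed, 08 Dec 2010 10:11:12 -0500
Received: from OUTLOOKPC (unknown [198.51.100.42])
\tby mail.example.net (Postfix) with ESMTPA id DEF456
\tfor <editor@techherald.example>; Wed, 08 Dec 2010 10:11:10 -0500
From: sender@example.net
To: editor@techherald.example
Subject: Re: t-shirt
X-Mailer: Microsoft Office Outlook 12.0

Not racist at all, see our Russian hackers shirt.
"""

# Constructed comment log: timestamp, commenter IP, handle (tab-separated).
SAMPLE_COMMENT_LOG = """\
2010-12-07T22:03:41Z\t198.51.100.42\tconcerned_reader
2010-12-07T23:15:02Z\t192.0.2.77\tsomeone_else
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Ranges an internal relay hop would show; they say nothing about where
# the sender really is, so they are skipped when picking the origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_ips(raw_message: str) -> List[str]:
    """Bracketed IPv4 literal from every Received header, in header order
    (index 0 is the last hop, the final entry is the first hop)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw_message: str) -> Optional[str]:
    """The first hop's client address: bottom-most Received header with a
    non-internal IP. Only the header written by your own MX is guaranteed
    honest; anything below it came from the sender's side and could be
    forged, so treat this as corroboration, not proof on its own."""
    for ip in reversed(received_ips(raw_message)):
        if not is_internal(ip):
            return ip
    return None


def parse_comment_log(log: str) -> List[Tuple[str, str, str]]:
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, author = line.split("\t")
        rows.append((ts, ip, author))
    return rows


def comments_from(ip: str, log: str) -> List[Tuple[str, str]]:
    """(timestamp, handle) of every comment posted from the given IP."""
    return [(ts, author) for ts, cip, author in parse_comment_log(log)
            if cip == ip]


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_EMAIL)
    print("e-mail was submitted from", origin)
    for ts, author in comments_from(origin, SAMPLE_COMMENT_LOG):
        print(f"  same IP left a comment as {author!r} at {ts}")
```

The match here is only as good as the header it comes from: the bottom Received line was written by the sender’s own relay, not by the recipient’s server, so a careful sock puppet could have scrubbed or forged it. What made it damning in the LIGATT case is that nobody bothered, and the address agreed with an independent record, the blog’s comment log.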

All in all, once again Greg and Ligatt have just shown themselves for what they are, and it’s rather plainly evident, wouldn’t you say?

But wait! There’s more!

Coming in last night, we have the new revelation of a TRO (Temporary Restraining Order) that was filed against Greg by a Nathanael Rockett, citing “Family Violence” as the cause of the order. A little digging produced an interesting background on Mr. Rockett. He seems to have an interesting criminal history, and the addresses match up.

The question for me, though, is… just how is Evans “family”?? It would seem that perhaps Evans and Nathanael knew each other from California?

Meh.

The data alone is interesting… AND to see that Greg is getting physical and has a TRO on him is fun. Greg, it seems that perhaps all of the pressure you are under lately has you frustrated, huh?

A little edgy?

Heh.

Well, at the very least Greg, you have QUITE the month of court dates!

The house of cards is imploding Greg.

CoB

Written by Krypt3ia

2010/12/08 at 16:08

Project VIGLIO Update

leave a comment »

Project VIGILANT, or as I call it “VIGLIO” as their crudely drawn and misspelled logo would have it, has come under much scrutiny since the Defcon press conference. I have looked up quite a bit on the group and Chet Uber. What I have found can be summarized as “A little bad graphic design, and a lot of nothing.” The site of the company that is said to be the core of Vigilant is BBHC LLC, a company that alleges to perform data analysis but seems to have a side business in Amway, according to its CEO.

In short, on the face of it, it’s quite bogus and a publicity stunt.

However, a posting on the reddit site ostensibly has a “member” answering questions about the project. What the guy has to say is enlightening, and potentially frightening if the poster has any credence at all:

Recently it has been revealed that this secret organization is monitoring ISP traffic from several major providers and also had a hand in advising Adrian Lamo to report the big Wikileaks leaker. Some details on Salon. It is probably also a fraud.

I was ‘recruited’ by the Executive Director over a year ago. Although they have good intentions I seriously doubt the capabilities of this group. My ‘vetting’ process was a joke. Anyway, since there seems to be some good interest in this group thought I would do an AMA. AMAA!

Full post HERE

The poster goes on to say that he did indeed get recruited, and that he felt it was a kind of “Beautiful Mind” situation, in that the director dreamed this up and there was in fact nothing there. So, if that is the case, why hasn’t the government come out and refuted it all? Has anyone gone on record here? I mean, certainly there is an element of “plausible deniability” here that they would enjoy in a couple of ways, huh? If they are indeed working with this so-called group (Uber et al) then they certainly would not want to step up and say that they are working with them after this fiasco, huh? The flip side of this is that perhaps they may say nothing even if they had nothing to do with these folks, because the disinformation that it puts out there might be to their advantage somehow?

Who knows…

What is worrisome, though, is “if” the government did have some real connections to this group and their aegis. I said it in the last post and I will say it again here: this is a legal nightmare for civil rights and other laws on the books. All of this also may be more permissible today, post the Patriot Act and its amendments that allow for these kinds of activities sans warrants.

What’s even scarier is that this is a LIGATT wet dream. He wanted to get into military and government contracts… Now these clowns potentially have?

We are doomed.

So, my question now is… What has the government said? Anyone?

*crickets*

Denials anyone???? Please?

CoB

Written by Krypt3ia

2010/08/05 at 15:42

Top Secret America: The Fifth Column, Uncontrolled and Unaccounted For

with 2 comments

The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.

These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.

The investigation’s other findings include:

* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.

* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.

* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings – about 17 million square feet of space.

From Secret America in the Washington Post

PBS Frontline report coming this fall

When this article came out there seemed to be just a collective murmur in response from the masses. I figured that either people just didn’t care, didn’t get it, or were just too stunned to comment about it. Upon reading up some more and seeing the Frontline piece, I have decided that most people just can’t grasp the sheer import of this report. What this all says to me is that the government has no idea of just who is doing what and how much money is being spent. What’s more, the people (the people as in the voting public) certainly have no idea what’s really going on either.

Another factor here, I think, is that many people just have too much faith in the government and in the corporations. When you really look at it, though, once you have worked in the sausage factory and have seen how it’s made, you really never want to eat sausage again. It’s like that with working for the government and/or corporations, really. Having spent all these years in the information security business working for Fortune 500 companies as well as the government, I can say I do not want to “eat the sausage.” Of course, perhaps the better thing to say is that I do not trust the government or corporations, because they are both composed of inept people and red tape.

By far, though, the concerns that I have are something a bit more ominous in nature. I fear that these machinations will only lead to greater abuses of power, not only by the government but also by the corporate entities that it has tasked with performing all this secret work. It used to be that there was government oversight of the intelligence community, but you knew that there were some off-books things happening. Now we have, post-Iraq and still ongoing in Afghanistan, a contractor proxy war that includes a civilian intelligence element. An element that now seems to be even more “civilian” because it is being operated by corporations and not wings of the government. It gives a new meaning to “black ops.”

Another interesting turn in this “secretification,” to steal a Bush-ism, is the whole issue of just how far the pendulum has swung, from the nation not caring so much about HUMINT and intelligence to suddenly being even more fervent about it, it seems, than during the Cold War years. I might also hazard a statement that since 9/11 it has generally felt more and more like the 50’s again where paranoia about the “enemy threat to the homeland” is concerned.

Are we in danger? Yes. Do we need to go back to the 50’s mentality of us and them, with a McCarthy-esque twist? No.

Of course, all or most of this is aimed at Jihadi terrorists and not a governmental body like the Soviet bloc, and this is where the disconnect seems to be the largest for me. It’s rather ironic, actually, that all this effort is being predicated on fighting a group of people who are not generally known for being easily infiltrated, nor as easy to get a grasp on as the Soviets were. People just knee-jerked after 9/11 and really, they have only created even more bureaucracy in which the real INTEL will get lost, and another attack will likely happen because of it.

Welcome to Washington’s dementia…

“Strutting and fretting his hour upon the security industry stage, And then being heard no more”

with 4 comments

The Frustration And Gnashing of Teeth:

Recently, I have heard others lament the state of the “security industry,” and I have posted about my own adventures into the land of FUD and Security Theater, as well as a side trip into the shadow lands of denial. My last post, about a call that went awry, also got responses from others in the business, including Mr. Reiner, who had a post somewhat similar to what I had written about, but took it further. His post mirrors much of what I am hearing and feeling myself, now 13 years into it.

  • The industry has become just that, an industry that makes cookie-cutter security and passes mediocre services off as “state of the art”
  • The industry is now full of salesmen and charlatans like Gregory Evans and Ligatt
  • The clients still just don’t get it and often do not want to
  • There are too many bells-and-whistles firms but too few true “holistic” security offerings out there
  • The exploits and vulnerabilities are growing at a rate faster than Moore’s Law and there will never come a time when you can catch up
  • Nothing is truly secure
  • Regulations are inadequate mechanisms for inspiring security best practices (notice I do not say compliance here)
  • Coders and the companies that hire them are coding insecurely and do not wish to change that
  • Greed is Good (Gordon Gekko)

Generally, the experience out there is that, as with everything else that someone loves to do as an avocation and which turns into a vocation, it becomes not so much fun anymore when business gets involved…. Especially big business. Unfortunately, this is exactly what has happened today with information security/technical security. It has become a pre-packaged, pick-your-services, lunch-counter style of operation, and you rarely get what you really need; instead you get the fatty happy meal.

Taking A Step Back:

As professionals in the field we all have different skill sets and personal bents on and in the security theater. I am putting us all into the “theater” because, really, we are all like Shakespeare’s players who: “struts and frets his hour upon the stage, And then is heard no more” We are in fact oftentimes the character of “The Fool,” the one man who is the outward conscience of the king and the one person in the court who can tell the monarch the truth, that they indeed have no clothes on. Of course, this really only works for those who are contractors/consultants and can leave the site after handing over a report on their vulnerabilities and how to fix them. Unfortunately, if you are a full-time employee of said “court” you may indeed find yourself in the oubliette quickly enough. We need to embrace this fool role and then decide just how we will approach our careers, as well as the means by which we ply our trade for the betterment of the courts we serve in.

One must remember that we all serve the will of the king… And sometimes the king is an idiot, lout, Luddite, or schmuck.

My Goal Here:

My goal with this post, and what I think is shaping up to be a series of them, is to cover the players involved here, the game being played, and the realities of our business. So many of us are running into the same walls, and I have been hearing the same things over and over from you all out there, as well as in my own head as I deal with clients. All too often we do our best to tell the client that they have vulnerabilities within their organizations as well as their infrastructures, all for naught.

Others see the bigger picture: with everything that we do, there is always a way into the org and their infrastructure, and a method to steal their data. All too often this happens because of simple low-hanging-fruit attacks such as SE attacks or completely unsecured networks that lack the policies and processes that might in fact prevent many of the attacks, were they documented and in force.

Still others see the grand scale of not only the snake oil salesmen out there but also the malfeasance of the companies that make the software and hardware systems (might I mention ATM machines, Diebold? yeaaahhh I think I will) that are completely and egregiously insecure! Even in this day and age, where hacking/cracking is so prevalent, they STILL do not want to take the time and the effort to code securely… And as Weld Pond said today:

“YOU SHOULD BE ASHAMED OF YOURSELVES! THESE ARE SYSTEMS THAT PASS OUT MONEY!” *paraphrase likely there*

To that end, I have created the following framework for the posts to come. Some of them are posed as questions and, if you like, you can comment with answers that you think apply. Overall, though, I would like to pull the security industry apart, as well as the motivations of not only the vendors but also the clients. I want to lay out all the players and variables, examine them all, and then come up with a strategy for what I am currently calling “Holistic Security” (I know, all scented-candle touchy-feely new-age sounding): a method of looking at the security needs of a client and offering them what they really need, as well as methods to bring that client to the trough to drink from the security well.

I know.. This is going to be nearly impossible huh?

It’s either this or just packing it in and walking away though… Really… Once you reach a point where you hate the job and you feel constantly that you are doing nothing to change things you either have to walk away, or make drastic changes happen.

What do you think? Don’t you think that with all our SE and other skills we ought to be able to overcome all this?

Check out the future post framework and let me know… I will work on the players tomorrow.

CoB

The Players:

Some of us Just Want to Have It Done Right:

Some of Us Just Want to Hack and Do Cool Shit:

Some of us just want to Be Researchers:

Some Are Just LIGATT:

The Playing Field:

Current Approaches to Security Auditing:

Can There Be A Holistic Security Approach?:

Can We Get Companies to Code Securely and Ethically?:

Opposing Forces:

The Government and Compliance:

The Corporation and the Seven Deadly Sins:

Crackers, APT, and Bulgarians Oh My!:

Every Fortress Falls:

Troy

Sparta

Lockheed Martin

Is There A Framework and Methodology For Holistic Security?:

Security Basics:

Security Awareness vs. Human Nature:

Policies, Procedures, Standards, and Compliance:

Penetration Testing:

Social Engineering:

Written by Krypt3ia

2010/07/29 at 01:42