Note: I'm retraining on a new keyboard as I write this, so I apologize for any egregious typos in advance.
Over on birbsite a couple of weeks back a thread was spun up about your worst fuckup on the job, and I figured that, because it's been nearly twenty years, I'd tell my worst story. However, much to my chagrin and concern, I found that I'd bobbled a few of the details. Seeing as how it was one of my career's formative moments, this scared me quite a bit. I'd been considering putting some work in on my memoirs anyway …
Note the first: I started working on this article last week, but didn't post it until now because I wanted to let all of the (usually astoundingly bad) hot takes die down. While I realize that the Internet has given everyone an attention span rivalled only by the lifespan of the adult mayfly, I think it might be useful to have something laying around that can be pointed to later if need be.
Note the second: A reminder that I do not speak from an official position. I do not speak for or represent my employers, past, present, or future …
A couple of weeks back while traveling I had an opportunity to spend some time with an old colleague from my penetration testing days. Once upon a time we used to spend much of our time on the road, living out of suitcases, probably giving the TSA fits and generally living la vida Sneakers. I'm out of that particular game these days because it's just not my bag anymore. The colleague in question is more or less on the management side of things at that particular company. Contrary to what one might reasonably assume, however, we didn't spend a whole …
EDIT: 2014/12/23: Added reference to, a link to, and a local copy of the United Nations' Committee Against Torture report.
I would have written about this earlier in the week when it was trendy, but not having a working laptop (and my day job keeping me too busy lately to write) prevented it. So, here it is:
Part of every traveler's threat model today should include the following scenario:
When you're trying to fly into or out of an airport en route to someplace else, it is entirely possible that the airport's security staff will take you aside for a more thorough search and questioning while your stuff is taken someplace out of your control and analyzed. We know that there are malware packages available today that boobytrap the boot device of laptop computers to install various forms of surveillance malware which run the next time you start your machine up and compromise the OS even though …
If you're in the mad scramble to patch the Heartbleed vulnerability in OpenSSL on your Ubuntu servers but you need to see some documentation, look in your /usr/share/doc/openssl/changelog.Debian.gz file. If you see the following at the very top of the file, you're patched:
Late last year, known and respected information security researcher Dragos Ruiu began tweeting about something he called #badBIOS - a malware agent of some kind that he says jacks the BIOS of a machine and sets itself up as a hypervisor-cum-backdoor beneath the operating system. He's gathered some evidence that instances of the beastie communicate via near-ultrasound by directly manipulating the soundcard without interacting with the OS' drivers. Whether or not he's actually right, some of the NSA's older existing tools aside - it was surprising how fast corroborating details started popping up around the Net.
I find it increasingly difficult these days to shake the feeling that the cyberpunk dystopia our world is becoming is shaping up to be more and more like Shadowrun. Ever since 2012 (which turned out to be a slightly less tumultuous year than Terence McKenna had always preached) things have become more and more surreal and disturbing (in a David Cronenberg and not a David Lynch kind of way). The Snowden/NSA scandal continues to bring truly frightening information to light, and the first thing that comes to mind is that ECHO MIRAGE exists as a real thing which is …
Kali Linux (formerly Backtrack) is a distribution of Linux designed for penetration testers and information security professionals. I'll spare you the details - that's what Wikipedia is for - but I did want to post about a problem that I've been wrestling with for a couple of hours.
Kali Linux can be installed and operated like any other distribution of Linux, which means that you get all of the nifty and handy tools that you'd expect to have, like AIDE for monitoring the file system for unauthorized changes. Unfortunately, because Kali is based upon Debian, and Debian over-engineers a lot of things …