Part of Asta's Security Newsletter
---------------------------
Interview with SnakeByte (Eric), http://www.snake-basket.de/
Astalavista : Hi Eric, would you please introduce yourself to our readers and share your experience in the security scene?
Eric : I am 24 years old, currently studying computer science in Darmstadt, Germany for quite some time now. I am mostly a lazy guy, doing whatever I am currently interested in. My interest in computer security started with viruses (no, I never spread one), which were really interesting back then, but nowadays every worm looks the same ;(
Astalavista : Things have changed much since the days of Webfringe, Progenic, BlackCode etc. What do you think are the main threats to security these days? Is it our dependence on technologies and the Internet, the fact that it's insecure by design, or do you have something else in mind?
Eric : I think security itself got a lot better since then, but we have more dumb users who work hard to make it worse now. Most users nowadays get flooded with viruses and just click them; also the recent rise in phishing attacks - it's not the box which gets attacked here, it's the user. Security also got a lot more commercial.
Astalavista : What is your opinion on today's malware and virii scene? Do you think that groups such as the infamous A29 have been gaining too much publicity? What do you think motivates virii writers and virii groups now in comparison to a couple of years ago?
Eric : It's 29a :) And they deserve the publicity they got. They did and are doing some really cool stuff. But they also were clever enough to be responsible with the stuff they created. About motivation for virii writers - it's different for each of them, you have to ask them. But I think there is a new motivation - money. Nowadays you can get paid for a couple of infected computers, so spammers can abuse them.
Astalavista : What do you think of Symantec? Is too much purchasing power under one roof going to end up badly, or is the whole industry eventually going to benefit from their actions?
Eric : Sure monopolies are always bad but we get them everywhere nowadays. Maybe we need another revolution...
Astalavista : Is the practice of employing teen virii writers possessing what is thought to be "know-how" a wise idea? Or does it just promote lack of law enforcement and create hordes of source-modifying or real malware coders?
Eric : I don't think it is a wise idea at all, but don't tell my boss ;-) Whether one has written virii or not should not influence your decision to hire him/her.
Astalavista : Application security has gained much attention lately. Since you have significant programming experience, what do you think the trends in this field will be over the next couple of years? Would software indeed be coded more securely?
Eric : Maybe, if universities started to teach coding in a secure way instead of teaching us more Java bullcrap. But I think open source development is indeed helpful there. If you want to run something like a server, a quick glance at the code will tell you whether you really want to use this piece or search for another one.
Astalavista : Microsoft and its efforts to fight spyware have sparked a huge debate over the Internet. Do you think it's somehow ironic that MS's IE is the number one reason for the existence of spyware? Would we see yet another industry built on MS's insecurities?
Eric : It's the only reasonable way for MS to react. Heh, they are just a company.
Astalavista : The Googlemania is still pretty hot. Are you somehow concerned about their one-page privacy policy, contradictory statements, and the lack of retention policies, given the fact that they process the world's searches in the most advanced way, and the U.S. post-9/11 Internet wiretapping initiatives?
Eric : Yes I am, that's why the only product of theirs I use is the web search function. As soon as I find another good website like Google.
Astalavista: Thanks for your time Eric!
-----------------------------------------
Interview with Bjorn Andreasson, http://www.warindustries.com/
Astalavista : Hi Bjorn, would you please introduce yourself and share some more information about your background in the security world?
Bjorn : My name is Bjorn "phonic" Andreasson and I live in Sweden; I'm turning 22 this year. I've been a part of the so-called "underground" since the age of 14, which gives a total of 8 years. I got my first computer at the age of 13 and I quickly got involved in Warez as my uncle showed me some basic stuff about the internet. After a while I realised Warez websites were "uncool" because of all the popups and porn ads, only trying to get as many clicks on your ads as possible to earn enough money to cover your phone bill. So, there I was viewing the Fringe of the web (www.webfringe.com) and I found all those wonderful h/p/v/c/a websites, which caught my eye. I knew I could do better than most of these guys as I had a lot of experience from the Warez scene - I knew how to attract visitors quickly. The first version of War Industries I believe was a total ripoff from Warforge.com as I didn't know better at the age of 15/16. I quickly understood this wasn't the way to do it, so I made my first version of the War Industries, and I might add it looked VERY ugly as I recall it :) From there I have had several designers making new versions, trying to improve it, and I believe we've achieved that goal now. It should be mentioned that between 2000 and 2003 War Industries was put on ice as I couldn't cover the expenses, so it was only me and a friend keeping the name alive until 2003 when I relaunched the website and turned it into what it is today (Badass). I've also been a part of the Progenic.com crew as well. As for the Blackcode.com crew, it was practically my work that made BC famous because I sent a shitload of hits to it back in '99 when WarIndustries received 4,000 unique hits on a daily basis. I also owned www.icqwar.com which held only ICQ war tools, some of my own creation, very basic but handy. The site had 3,000 unique hits on a daily basis after only one week online. After four weeks I got a letter from AOL to give them the domain name or be sued. What could I do? 16 years old, of course I gave it away! Well, that's pretty much my story.
Astalavista : WarIndustries.com has been around since 1998, nice to see that it's still alive. What is the site's mission, is it hacking or security oriented? Shall we expect some quality stuff to be released in the future, too?
Bjorn : WarIndustries can't really be placed anywhere. It's either black, gray or white hat. I'd say we're a mix with a touch of them all. Our focus is to enlighten people in the means of programming, getting them to know Google as their best friend. We've released a couple of video tutorials which are very popular because they make things so easy. We're going to release a couple of new ones soon, as soon as we get around to it, as most of us have jobs and other stuff to attend to. Don't miss out on our brand new T-shirts coming up in a month! If you're something, you've got to have one of those!
Astalavista : What do you think has changed during all these years? Give a comparison between the scene back in 1998 as you knew it and today's global security industry, and is there a scene to talk about?
Bjorn : I'd say people are way more enlightened today. Back in '98 you could pretty much do anything you liked without getting caught. Today you can't even download Warez without getting problems. I'd say there's a scene, but very different from the oldschool I know. I am trying not to get involved and I have my own way. Maybe that's why WarIndustries is so popular.
Astalavista : Is Google evil, or let's put it this way, how can Google be evil? Why would Google want to be evil and what can we do about it if it starts getting too evil?
Bjorn : Google is not evil, Google is your best friend!
Astalavista : Give your comments on Microsoft's security ambitions, given the fact that they've recently started competing in the anti-virus industry. They even introduced an anti-spyware application - all this coming from MS?
Bjorn : If it wasn't for Microsoft, there wouldn't be viruses, so I'm blaming them for writing crap software. Why do they always leave a project unfinished and start another one? I mean Windows XP is working fine, why Longhorn? Why can't they make XP totally secure, like OpenBSD, where there hasn't been a remote root exploit for many years, as far as I've heard? That's security! If I didn't know better, I'd say MS is writing low-quality software so they can get into the anti-virus scene and make even more profits!
Astalavista : Recently, the EU has been actively debating software patents. Share your thoughts on this and the future of open-source software?
Bjorn : I can't make up my mind when it comes to open/closed source. There are benefits on both sides. Open source is fixed much quicker but also discovered way more often than closed. This is my opinion.
Astalavista : In conclusion, I would really appreciate it if you shared your comments about the Astalavista.com site and, particularly, about our security newsletter?
Bjorn : Actually, I haven't checked out Astalavista that much. I have known it for many years but I never got around to it. I promise I'll check it out!
Astalavista : Thanks for your time Bjorn!
--------------------------------------------
Interview with Bruce, http://www.dallascon.com/
Astalavista : Hi Bruce, would you please share with us some more information on your background in the security industry and what is DallasCon 2005 all about?
Bruce : Thanks for this opportunity. I have over 7 years of engineering experience working as a Systems Engineer for companies such as Nortel Networks and Fujitsu. Realizing the importance of real information security training experience for everyday people, about 4 years ago a few colleagues and I decided to start a truly academic Information Security Conference in Dallas and see what happens. We held the first DallasCon in 2002, just a few months after the tragic events of September 11, 2001 in the U.S. The response was overwhelming, with academic papers being presented from as far away as Russia and attendees coming from countries such as Japan and China.
Astalavista : There are so many active security cons and conferences out
there that it is sometimes hard to decide which one is worth visiting.
What, in your opinion, makes a con/conference qualified? Do you think
that although there's nothing wrong with commercialization, some cons
are becoming too commercial so they have lost sight of what their vision
used to be in the very beginning of their history?
Bruce : Truly, I must admit the lure of money being thrown at many conferences similar to ours is sometimes overwhelming. When a company such as Microsoft comes knocking on your door with a fist full of cash wanting to buy into a Keynote speaker slot, it's hard to resist the temptation to give in. But we have tried to separate the academics from the commercial side. The training courses and the conference itself are designed to present the latest unbiased view of current trends in information security. We have a team of dedicated colleagues that read every paper carefully and look for flagrant promotions of certain technologies or companies. They also work very closely with the speakers who are chosen to present at DallasCon, to make sure that they know what is expected from them. We do offer sponsorship opportunities to companies to help us carry the costs of such an event, but we try very hard to separate the business side from what people come to DallasCon for, which is the latest unbiased view of the trends and research in information security. I think many conferences lose sight of what made them big and forget their roots.
Astalavista : Like pretty much every organization, ChoicePoint or T-Mobile keep a great deal of personal, often sensitive information about us, as citizens, students or employees. What actions do you think should be taken by the general public, the companies themselves and the government to ensure that the security within such databases or service providers is well beyond the acceptable level of security for most organizations?
Bruce : I think companies need to stop treating their customers like numbers and really put a face with the information that they are gathering. When someone gives you detailed information about themselves, they have put their trust in your company to protect them. When a breach is made, the customer feels betrayed and may never come back to you to do business. I laugh when I hear that huge multi-billion dollar companies are constantly having their customer data stolen. I wonder how much they are really spending on security? How much are their customers worth to them? These days it is hard to distinguish between legitimate companies and fake ones online. It's funny, but people have trouble revealing their credit card information or social security number to a physical business down the street, but put the same business online and people throw that information at you without thinking twice. I think consumers need to stop taking security for granted and use some common sense. The first step of security is common sense... You can't put a price on that!
Astalavista : Two words - Symbian and malware - what are your assumptions for the future trends on the mobile malware front?
Bruce : I predict that it will be huge. The future of mobile OS is wide open and as the competition for market share grows, mobile companies want to offer anything they can in a smart-phone. I am always surprised as to what phones can do right now... in a few years, they might even serve us breakfast in bed! The downside is the huge vulnerability of the mobile OS. First of all, more people own phones than computers around the world. It is the obvious next frontier for virus writers. Secondly, theoretically, it is much easier to infect an entire phone network than PCs. All you need is one infected phone syncing with a base station. Again, I go back to my previous answer, people need to use common sense... Do you really need to put your financial data or your sensitive e-mail on your phone?
Astalavista : What is your opinion about the mass introduction of biometrics on a world wide scale?
Bruce : Good - it will make security more individualized. We will all carry our security inside our DNA. Bad - it might increase the market for organ theft! (just kidding!)
Astalavista : In conclusion, I would appreciate it if you shared your comments about the Astalavista.com site, and particularly about this security publication?
Bruce : I have been visiting Astalavista.com for many years now, and I am very impressed with the up-to-date, cutting-edge news, articles and really underground topics covered on your site. When we wanted to really reach out to the educated hacker community, Astalavista.com was the obvious choice. Thanks for putting us on your site and thanks for helping us promote our event.
Astalavista : You're welcome, wish you luck with the con!
-----------------------------
Interview with Nicolay Nedyalkov, http://www.iseca.org/
Astalavista : Hi Nicolay, would you please introduce yourself to our readers and share some info about your experience in the information security industry? Also, what is ISECA all about?
Nicolay : My interest in information security dates back to 1996. At that time, respected Bulgarian experts from all over the country used to meet periodically at closed seminars where we exchanged our ideas and experience. At a later stage we developed the phreedom.org E-zine. I have also participated in numerous national and international mathematics and IT contests.
Currently I am a managing director for the R&D department of one of Bulgaria's most prominent IT companies - Information Service. In 2002 I decided to initiate an InfoSec course at the University of Sofia. Once the course "Network Security" became part of the university's curriculum, we immediately got the interest of over 500 students. During 2003, with the help of several experienced security colleagues of mine, we developed another fresh and very useful course in "Secure programming". Both of the courses fitted perfectly into the program curriculum and actually they attracted more students than we had expected. I am also teaching four other courses in Software technologies. As a whole, we contributed to the development of IT education in Bulgaria by establishing ISECA (Information Security Association), whose main purpose is to connect our members and inspire them to innovate, create, and enrich their personal knowledge, while being part of a unique community.
Astalavista : Correct me if I'm wrong, but I believe not many Eastern European universities emphasize the practicality of their computer and network security courses? What are your future plans for enriching the course selection further, and also integrating a more practical approach into your curriculum?
Nicolay : During the last couple of years we have seen a definite slowdown in Europe regarding information security courses and programmes. Until now we have already developed over eight courses, including the course Information Systems Security Audits, which is widely applicable. Further, there is intensive work on the development of a new Network & Software Security Lab. We are also negotiating with ABA representatives for the introduction of a professional certification program - "Risk Management in the Financial and Banking Sector".
In fall 2005, the University of Sofia will start a specialized master's Information Security Program, coordinated by ISECA.
Astalavista : Who are the people behind ISECA, and what are the current local/global projects you're working on, or intend to develop in the upcoming future?
Nicolay : Our core members include certified security consultants and auditors, researchers, IS managers and class teaching professors. Among the key projects we've already developed or we are working on at the moment are:
- A National Laboratory for Network and Software Audits, being developed in close cooperation with the University of Sofia. The lab will be used for audits and R&D in the industry.
- An Information Security Portal - ISECA
- A National anti-spam system and its integration within international ones like SpamHouse
- Safeguarding the local business interests of information security and promoting its development on a government level
- Active participation in the development of the Bulgarian Law for E-trade and E-signature
- Subscription-based "Vulnerability Notification" service
- Centralized log analysis and security monitoring
Astalavista : What is the current situation of the Bulgarian IT and Security market? What was it like 5 years ago, and is there an active security scene in the country?
Nicolay : We are currently witnessing a boom in the Bulgarian demand for information security services as a great number of businesses are realizing the importance of information security. On the other hand, we are in a process of building strategic relationships with Bulgarian and multinational companies providing security related products and services. In the last couple of years official government bodies also have emphasized sustaining secure communications. In response, our main goal in the upcoming future would be to build a collaborative working atmosphere with stable relationships between key partners and experts.
Astalavista : Bulgaria and Eastern Europe have always been famous as a place where the first computer viruses actually originated, to name the Dark Avenger as the most famous author. What do you think caused this - plain curiosity, outstanding programming skills, or do you have something else in mind?
Nicolay : It is a fact that Bulgaria is known for its potential in the creation of viruses, trojans and malware in general. The thing is that there are a great number of highly skilled experts who cannot apply their talent in the still growing local market; consequently they sometimes switch to the dark side. One of our main aims is namely to attract people with great potential and provide them with a professional and stable basis, on which they could develop themselves on the right track. The Bulgarian Dark Avenger, well, he used to be an idol for the virus writers and the name still brings respect.
Astalavista : Is there an open-source scene in Bulgaria, how mature is it, and do you believe the country would be among the many others actively adopting open-source solutions in the future, for various government or national purposes?
Nicolay : Yes, there is a Free Software Society. Several municipalities have already turned into E-municipalities with the help of open source software. There was a proposition for the introduction of a law for integrating open source software within the government's administration, which was unfortunately rejected later on. The Free Software Society is in close contact with various political movements, which reflects the overall support and understanding of open source from society. The use of open source is also within the objectives of one of the main political parties in the country, a goal that resulted from the many initiatives undertaken by the Free Software Society. ISECA's members are also active participants in the core direction of the FSS. We are currently developing a new open-source research team, part of Information Service - OSRT (Open-Source Research Team).
Astalavista : How skilled is the Bulgarian IT labor market, and do you think there's a shortage of well-trained specialists in both IT and Information Security? How can this be tackled?
Nicolay : There are a great number of highly qualified software developers in Bulgaria, who created the Bulgarian Association for Software Developers. We have had numerous seminars and lectures between ISECA and the Association. One of our main objectives is namely to locate and unite the highly qualified IT and Security experts within Bulgaria. Both organizations are constantly seeking to establish stable relations with international organizations with the idea to exchange experience and promote mutually beneficial partnerships.
Astalavista : India is among the well-known outsourcing countries for various IT skills, while on the other hand Bulgarian programmers are well-respected all over the world, winning international math and programming contests. Do you think an intangible asset like this should be taken more seriously by the Bulgarian Government, and what do you think would be the future trends?
Nicolay : Every year there is a leakage of highly qualified young professionals with great potential for growth, looking for further career development. The core reason for this "brainwave", so painful for the Bulgarian economy and society, is the lack of a relevant government policy ensuring stable and beneficial career opportunities for the young generation. I honestly hope that further government policies, not only those related to the IT industry, would be successful in providing what a nation needs - a bright future for its brightest minds.
Astalavista : In conclusion, I wanted to ask you what is your opinion of the Astalavista.com's web site and, in particular, our security newsletter?
Nicolay : I have been visiting Astalavista.com since its early days and it is great to see that recently the portal has successfully established itself among the few serious and comprehensive sites. Furthermore, you can always find whatever you are looking for - software, as well as recommendations and shared experience in information security. I believe Bulgaria needs the same high quality portal, which is one of our main ideas behind ISECA.
Astalavista : Thanks for your time!
-------------------------------------
Interview with Roman Polesek, http://www.hakin9.org/
Astalavista : Hi Roman, would you please introduce yourself, share some info about your background in the security industry, and tell us what is Hakin9 all about?
Roman : My name is Roman Polesek, I have been the editor-in-chief of the 'hakin9 - practical protection' magazine since Summer of 2004. I'm 27 years old, if it does matter. This might be a bit surprising for folks who know our magazine well, but I'm more a journalist/editor (and that is my education) than a CS/security master. Of course, I worked as a sysadmin for some time, use mainly Unices and code in several languages, but in the IT industry world I'm rather a self-made man. I suppose I have no right to call myself "a hacker" in the proper meaning of the word. In short, 'hakin9' - subtitled "Hard Core IT Security Magazine" - aims to be a perfect source of strictly technical, IT security related quality information. We noticed that both the market and the community lack comprehensive, in-depth works on this topic. The decision was pretty simple: "Let's do it and let's do it good - we cannot fail". At the moment, with a total circulation of nearly 50 thousand copies, we have 7 language versions. The magazine is available worldwide, by subscription or in distribution. However, it's important to remember that we are not encouraging anyone to commit any criminal acts. Besides disclaimers published in every issue of the mag, we emphasize the legal matters wherever possible. We do not want to make a magazine for the so-called script-kiddies and assume that our readers are professionals and require some portion of knowledge to fully utilize the magazine's content. On the other hand, as we all know, "Information wants to be free".
There's no reason to avoid any particular subjects. Every article that precisely describes an attack technique includes a section that is to help defending from the threat we present. 'hakin9' is not only a magazine. A free cover CD is attached to every hardcopy. The disc includes a live Linux distribution called 'hakin9.live' along with plenty of useful documentation [RFCs, FYIs, HOWTOs] and a really huge amount of computer/network security applications. We also prepare our own tutorials that allow readers to exercise the techniques described in articles [only in their very own networks!]. Starting with the next issue of 'hakin9', the CD will also contain full versions of commercial applications for Windows. Although we rarely use Microsoft Windows, we consider it useful and some of the readers requested such software. One of the articles from each issue is available for free, just to make sure anyone that buys 'hakin9' won't regret the purchase. See our website if you're interested in trying 'hakin9' articles.
Astalavista : What do you think are the critical success factors for a security oriented hard cover magazine?
Roman : I am convinced that the crucial matter is honesty. Our target readers are highly educated, extremely intelligent people and would easily recognize any marketing lies. We just do not say things that aren't true. Everyone can see what we publish and how we do it. The other important thing is diversity. It's obvious that creating a magazine that fits everybody is impossible. There will always be a guy that is not satisfied with, say, the cover story or the layout or anything else. This is nothing unusual, but should be expressed loud and clear. That's why we cover different topics - from e.g. attacks on the Bluetooth stack, through data recovery in Linux or anti-cracking techniques for Windows programmers, to methods of compromising EM emissions. Last but not least, the mother of all successes is making people aware of the magazine's existence. Nobody would buy 'hakin9' unless they know we are available. But the main thing is that magazines like ours will never be mass publications; they have their niche that needs to be cultivated. The general rule - for all press publishers, not only us - is "Respect your readers and they will respect you". Selling many copies of one issue, using lies and misleading information, is not difficult. What's difficult is to make sure that users will consider you a professional who just makes a good magazine, not a travelling agent.
Astalavista : What is the current situation on Poland's IT and Security scene, and do you think it's developing in the right direction from your point of view, beside Poland's obvious anti-software patents policy?
Roman : Yes, "Thank you Poland" and all. It's always nice to know that someone in the world has positive connotations with your country. But I cannot give you any general overview of the Polish scene. It's just too diverse, and I work with IT specialists from all over the world, so I do not concentrate on Poland particularly. After all, most of the important things happen in the USA. Really, the main problem in Poland is software piracy. I'm not talking about P2P networks specifically, I'm talking about the consciousness of Polish people. They are just not aware of the fact that using cracked apps is a crime, pure theft. I suppose this problem is present in all countries. And poverty does not justify such a procedure at all; we have plenty of free substitutes for even the most popular software. The Polish scene (I mean community by that, of course) is not very different from any other country. We do have a very strong group of open source ideologists (some might call them the followers of Richard Stallman :)), we do have some anti-patent people (I'd recommend http://7thguard.net for those who understand Polish). But we do not have any spectacular successes with any real inventions or discoveries (mind that for now I'm talking about the community, not the corporations). I'd only mention two phenomena your readers might have heard of. One is LSD [Last Stage of Delirium], an independent research group known for pointing out bugs in Microsoft RPC some years ago. The other well known one is Michal "lcamtuf" Zalewski, the author of a powerful passive network scanner called "p0f" and a set of very useful debugging/binary analysis tools called "fenris". The reason for this unimpressive situation is the fact that Poland was cut off from the capitalist world for nearly 50 years [and ENIAC was introduced in 1947], so we were isolated from real computing during that time. We just have to make up these 50 years in the next few years. On the other hand, IT specialists from Poland - say, programmers - are considered very ingenious and good workers. For offshore corporations they are really attractive.
Astalavista : During 2004/2005 we've seen record-breaking *reported* vulnerabilities. What do you think is the primary reason: the increasing Internet population, programmers deepening their security knowledge, companies in a hurry to integrate more features with a trade-off in security, or perhaps something else?
Roman : All of them. The increasing number of Internet users does not directly influence the number of vulns found, though. The new Internauts are mainly people who have never used computers and networks before. Of course the other thing is that the Internet "aggregates" huge amounts of data which was publicly unavailable before. There are more and more programmers and IT security specialists. Their population is constantly growing, be it because of the money they can earn or just the popularity of Computer Sciences. To be honest, most of them are at most average at their job, but for example people from India and China have great potential. But you are right. Marketing and pressure for higher sales make companies work in a great hurry; they just don't care about average Joe Sixpack. And Joe Sixpack would hardly ever notice any security vulnerabilities, not to mention they would probably never report such flaws. Finding bugs in software has also become some kind of a fashion these days. It's an intellectual challenge, similar to solving riddles. No wonder that along with the increasing number of people able to understand, say, C code, the number of vulns reported increases. There is one more thing I'd like to mention. I suppose that the scale of reported vulns would appear far greater if proprietary software creators informed about all flaws found in their products. It's not in their interest, of course.
Astalavista : Thought, or at least positioned, to be secure, Macs and the Firefox browser have started putting a lot of effort into patching the numerous vulnerabilities that keep on getting reported. Is it the design of the software itself or the successful mass patching and early-response procedures that matter most in these cases?
Roman : I have great respect for Apple products, though the only Mac I use is a very old Performa :), just for experiments with BSD distributions. I consider Macs secure in general. I also use Mozilla Firefox daily. I'd bet on the latter case, but like I said I'm no programming guru. The developers try to act fast and release patches as soon as possible, so at least average users can feel secure. The fact that there are plenty of developers only makes it better. Bugs in the code are not a nemesis in themselves; you cannot avoid bugs in more complex applications. The only solution that makes sense for me is to conduct constant audits and release patches frequently. Look at Microsoft Internet Explorer [I am aware this example is a bit trivial]. I have a feeling that this company's way of dealing with flaws is just childish; it reminds me of covering your own eyes and hoping it will make you invisible to the other kids on the playground. I'm not criticizing Microsoft at all -- it's just that a company with so many great specialists has problems with securing their code, and their software is the most popular solution in the world, no doubt. Apple is competing with Windows in general and Firefox tries to bite off a part of the browser market. Looking at their financial and market share results makes me sure that the way the patches are done by these enterprises is the only right solution. Repeating that your product is secure and just better does not make it secure and better.
Astalavista : In May, a DNS glitch at Google forwarded its traffic to www.google.com.net (GoSearchGo.com) for 15 minutes. What are your comments about this event when it comes to security and mass DNS hijacking attempts on a large scale? Do you also picture a P3P-enabled Google used on a large scale in the near future, and do you fear that Google might be the next data aggregator (they are one to a certain extent) to be breached into?
Roman : The real point is -- DJB mentioned that in an interview for the next issue of 'hakin9' -- that some of the protocols we use, especially SMTP and DNS, are outdated. To be precise, they were outdated at the moment they were being created. It's nobody's fault. We have a saying in Poland that "Nobody is a prophet in his own country". Even Bill Gates didn't notice the potential of the Internet. I would say Google has really nothing to do with any DNS forgery. The protocol is flawed. What's worse, we can live without the problematic SMTP, but not without DNS, which is the core of the Internet. For example, I just cannot imagine my mother using IP addresses to surf the WWW. I'm not afraid of threats to Google's security. They have technology, they have money, they have ideas. I might say that it's Google which will start and force security improvements in the domain resolving mechanism. Daniel J. Bernstein claims that the first thing we should do is to implement some method of authentication in the DNS protocol. Be it PKI, be it anything else -- we have to do it so that we would have some time to introduce a really secure DNS replacement. As for the hijacking itself, I consider it one of the most primitive kinds of abusing IT infrastructure. It's just like taking over somebody's house. It's as bad as deleting someone's data for sport or DDoS attacks used for fun and/or profit.
Astalavista : Anonymous P2P networks have been getting a lot of popularity recently, namely because of the RIAA's lawsuits on a mass scale. How thin do you think the line is between using P2P networks to circumvent censorship in Orwellian parts of the world and the distribution of copyrighted materials?
Roman : The 'hakin9' team likes P2P networks, the more anonymous, the better. We use them for distributing our free articles and our CD. It makes me laugh when the **AAs send e-mails with legal threats based on the American legal system to Polish or Swedish citizens. Sometimes they're like an old blind man in the fog. Instead of adopting P2P for selling their video or music, they make the community angry. Digressions aside. I don't feel that P2P networks will help anyone make their transfers safe [security through obscurity, right?] or that they will help to fight censorship in countries like North Korea or even China. On the other side, I can imagine modifying the XMPP [Jabber] protocol to transfer SSL-secured data -- it may already be done, I had no time to investigate it further. Unauthorized distribution of copyrighted content, however, will always be a problem. There's no way to prevent such behaviour. Recent events show us that writing a P2P client is a piece of cake; even a clever 9-year-old boy can do this. I would rather make it easier for people to buy electronic copyrighted materials without the need to download them illegally. Considering that, according to some statistics, even 30 per cent of total Internet transfers are generated by P2P networks, I'm rather afraid that some stupid people downloading pr0n or Britney Spears MP3s could easily kill the Net some day. To sum up, each technology has its profits and costs. Obvious :). The profit of P2P is the ease of distributing any content. The cost is the people using it in an illegal manner. I can see no reason for prohibiting these networks just because some people prefer bad quality motion pictures to going to the movies. Should we prohibit the usage of knives only because of the fact that someone stabbed a kitchen knife into someone's stomach?
Astalavista : In conclusion, I wanted to ask you what your opinion is of the Astalavista.com web site and, in particular, our security newsletter?
Roman : I'm very impressed with the amount of data available for Astalavista's visitors. I'm not a member though, so I cannot really make a detailed review. To be honest, I had some problems with recognizing which of your websites are free and which ones are not. But I have managed to do it and use it almost daily :). As for the newsletter, it's one of the most informative and professional ones I have ever seen. Since reading Issue 16, I couldn't stop myself from reading the archives. I am a subscriber and strongly advise everybody to do the same. As a person professionally dealing with IT security, I mean it -- this is not an advertisement for Astalavista. This is the truth.
Astalavista : Thanks for your time Roman!
---------------------------------------------
Interview with John Young, http://www.cryptome.org/
Astalavista : Hi John, would you please introduce yourself to our readers, share some info on your background, and tell us something more about what Cryptome.org and Eyeball-Series.org are all about?
John : Cryptome was set up in June 1996, an outgrowth of the Cypherpunks mail list. Its original purpose was to publish hard-to-get documents on encryption, and then it gradually expanded to include documents on information security, intelligence, national security, privacy and freedom of expression. Its stated purpose now is: "Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance -- open, secret and classified documents -- but not limited to those. Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here -- or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored." The Eyeball Series was initiated in 2002 in response to the US government's removal of public documents and increased classification. Its intent is to show what can be obtained despite this clampdown.
Astalavista : What is your opinion about cyberterrorism as a platform for education, recruiting, propaganda and eventual real economic losses or loss of life?
John : Cyberterrorism is a threat manufactured by government and business in a futile attempt to continue control of information and deny it to the public. Cyber media threatens authorities and authoritarians, so it is demonized as if an enemy of the state and, not least, of corporate profits.
Astalavista : A couple of words on privacy, data aggregation, data mining, terrorism fears and our constantly digitized lives?
John : Privacy should be a right of citizens worldwide, in particular the right to keep government and business from gaining access to private information and personal data. The argument that government needs to violate privacy in order to assure security is a lie. The business of gathering private information by corporations and then selling that to government and other businesses is a great threat to civil liberties. Much of this technology was developed for intelligence and military uses but has since been expanded to include civil society.
Astalavista : Shouldn't the U.S. be actively working on hydrogen power or alternative power sources instead of increasing its presence in the Middle East? Or, to put the question another way, what is the U.S. doing in Iraq, in your opinion? What do you think is the overall attitude of the average American towards these ambitions?
John : No question there should be energy sources as alternatives to the hegemonic fossil fuels. Dependence on fossil fuels is a rigged addiction of that worldwide cartel. Car ads are the most evil form of advertising, right up there with the crippling disease of national security.
Astalavista : Is ECHELON still functioning in your opinion, and what do you believe is the current state of global communications interception? Who's who and what are the actual capabilities?
John : Echelon continues to operate, and has gotten a giant boost since 9/11. The original 5 national beneficiaries -- US, UK, CA, AU and NZ -- have been supplemented by partial participation of other nations through global treaties to share information allegedly about terrorism. Terrorism is a bloated threat, manufactured to justify huge funding increases in defense, law enforcement and intelligence budgets around the globe. Businesses which supply these agencies have thrived enormously, and some that were withering with the end of the Cold War have resurged in unprecedented profits, exceeding those of the Cold War.
Astalavista : Network-centric warfare and electronic warfare are already an active doctrine for the U.S. government. How do you picture the upcoming future, both on land and in space, and might the Wargames scenario become reality some day?
John : Network wargames are as pointless and wasteful as Cold War wargames were. They churn activity and consume expensive resources. None are reality-based, that is, outside the reality of imaginary warfare.
Astalavista : Do you believe there's currently too much classified or declassified information, namely documents, maps, satellite imagery etc., available on the Net these days? In the post-9/11 world, this digital transparency is obviously very handy for both terrorists and governments, but who do you think is benefiting from it?
John : Far from there being too much information available to the public, there is a diminishing amount, especially about exploitation of those who have access to classified and "privileged" information -- government and business -- and those who lack access. The concocted warning that open information aids terrorism is a canard of great legacy, one that is customarily spread during times of crisis, the very times when secret government expands and becomes less accountable. "National security" is the brand name of this cheat.
Astalavista : In conclusion, I wanted to ask you what your opinion is of the Astalavista.com web site and, in particular, our security newsletter?
John : Great site, very informative, give yourself a prize and a vacation at G8 with the world class bandits.
Astalavista : Thanks for your time John!
John : Thanks to you!
-----------------------