Wednesday, 16 October 2013

Women in Gaming/Tech

(Disclaimer: The views expressed here are entirely my own. They do not reflect the views of my employer, or anyone else. They are mine and mine alone)

Every day I am confronted with an overwhelming theme in the snippets of social dialogue of which I peruse. I am probably what Ryon Day would call a spiritual window-shopper ( in a lot of ways. I sit here comfortably watching the discourse flow by. Often I am just not mtoivated anymore to take part. Other times I am paralyzed by rage, unable to find a meaningful or impactful way to contribute. Our discourse as a society has become shattered and we now fight each other with vehemence and vitriol over the small peices of the puzzle. But, I digress.

Lately I keep hearing/reading about the plight of Women in Tech. Or women in the Games culture. The more I see this come up though, the more my reaction has started to turn to anger. That's right, I am angry at the people who say "women are treated badly in the tech field" or "women are treated badly in the gaming world".  To these people I say this now, being as frank and clear as I possibly can: "Women are treated badly EVERYWHERE". The problem is not with gaming or tech, or any other sub-culture. The problem is with our culture! Why limit this even to women, though? They hardly have a monopoly on this phenomenon? What about Homosexuals? Bisexuals? Transgenders? Transvestites? What about anyone who is not a White Hetero Male, essentially?  As a White Hetereo Male of the fairly standard European stock, I am amazed at what I see. I have had conversations with people who I respected and found to be very intelligent when a bombshell comes out of their mouth like "it's all part of the gay agenda" or some other suitable piece of toxic mind-poison.

When rabid pro-whatever people start causing a ruckus, we find the corners of our mouth tugging in distaste. We say to ourselves "why can't they just be a little more reasonable?" I am surely guilty of this, just as I am surely deserving of someone telling me to shut up for it. The fact is us White Hetero European Descent Males have held a majority of the power across the world for quite a long time now. Yet, no one cries more shrilly when they feel threatened. If you don't beleive me, just turn your attention to politics here in the US for five minutes. There's an entire sect of the Republican Party polarizing around their pride at being White Hetero Christian Males who want to make sure that people like homosexuals stay in their place(although I think some of them would like even more drastic measures).  When women come forward about being marginalized or worse yet, sexually assaulted, they are spewed on from a firehose of filth. On the internet we have come to expect a certain level of verbal sludge spewing forth in our direction whenever somebody says something we don't like. What these people face is a whole different level though. This level comes with threats of violence and sexual assault on a routine basis. Let me just reiterate: we as a culture seem to be okay with the fact that, if somebody doesn't like what you have to say they can threaten to rape and kill you. Maybe i'm overreacting, but that seems like a few steps down the path to essentially condoning crimes of murder and rape. There should be nothing funny or acceptable about this behaviour. If anyone reading this has engaged in this behaviour, let me just say this "You are the one who should be treated as subhuman. Not women, not gays, not transgenders. You! You are contemptible and despicable, and I feel sick to think we are even from the same species."

So, now I have rambled in an irate manner for a while. I'm going to wrap this up. Anytime you start to rationalize dehumanizing another person because they are different than you, you're on a dangerous path. We need to stop focusing on our myopic sub-cultures, and realised there is something fundamentally broken within our society.  As long as things like this: can continue to happen, I will feel sick inside.

That's my two-cents.

Monday, 2 September 2013

Wake up Geeks: We Won

It has been a long time since I have posted on here. If I look back at the posts on this blog, I'll probably shake my head at old me. However, I needed a venue to talk about something, and this is the best one I have.

There has been a lot of discussion in the InfoSec community about sexism, and attitude towards women. This is something, that I think, we are all aware of. This discussion isn't just happening in the InfoSec community though. It is across the 'Geek' community writ large. There has been a backlash against the so called 'fake geek girls' or 'fake gamer girls'. This image is the most recent example of this dialogue, and it made me smile a bit.

The "Fake geek Girl" thing has been going for a while now. One of the more notable examples is the attacks on Felicia Day. If Felicia's not a real geek, then I don't know who is, but let's not focus too much on specifics. There is obviously a fair bit of misogyny floating around out there, which fuels part of this. Some of it can be chalked up to immature people being unable to handle smart attractive females in their community. I think it goes deeper than that. While I did not grow up female, I am married and have four daughters, so forgive me the hubris of discussing a bit of growing up female.

Men , as we grow up we are expected to behave a certain way. There are consequences if we fall outside those norms. Mostly though it comes down to the simple forms of bullying we all remember. We might get picked on, or even get into fights. Girls often seem to have a different experience. The expectations on their behaviour and conformity are, for whatever reason, much stronger and more constricting. Girls are often ostracized for being geeky or nerdy. They are verbally and mentally abused on a much more profound level. As children, it seems like girls are much more social than boys. That is not to say that boys do not fall into groups, or that the group dynamic isn't important. However, the 'loner' persona is still some degree of acceptable for boys. A girl who is loner is just further ostracized by people around her. Why is she a loner? she must be weird. There must be something wrong with her. There is an awful downward spiral that seems to exist there. The point I am driving at, is that it is much harder for girls to be openly geeky growing up than boys. That's the way it seems to me anyways. Maybe I am wrong.

One final note before I move on. Even if you found one of these 'fake geek girls', so what? First of all, how does it possibly hurt you? Secondly, why do you think they are doing it? Does it not stand to reason that they must see some inherent value in the things you also value? Maybe they identify with the culture, but don't understand how to be a part of it yet. Maybe they feel trapped on the outside trying to get in. Why shun these people, when you could help them? If they need a hand 'really' getting into the culture. Help them. Show them things they might like, talk to them about stuff. I've got news for you: there is no grand conspiracy of attractive women trying to infiltrate ComicCons in order to destroy them forever. We can only win when we convert new people.

Let's talk about this concept of feeling trapped on the outside a bit more. I think this gets more to the heart of the matter. time to leave gender at the door. I've had a long running theory that we hackers have a common thing binding us in some way. Look around the hacker/infosec community. We are a diverse lot. The same goes for gamers, comic fans, otaku, or even punk rock. I asked myself what explains why such vastly different people all ended up with the same love. My theory is this: a feeling of being powerless.

I believe that most, if not all, hackers have had a period in their life where they feel powerless. That is a horrible feeling, and it can do horrible things to you. Getting into hacking gives you a world where you can feel powerful. It is a world where your drive and your intellect determine just how powerful you really are. I think this same theory extends to a lot of the other 'geek' areas. Gaming ( D&D, board games, video games, doesn't matter), comics, sci-fi and fantasy novels, even Punk Rock. Hell Punk Rock is an easy one. The entire Punk attitude is about feeling stepped on and powerless and trying to take back some of that power by raising your voice.

When we were growing up, we felt that powerlessness, and we looked for avenues to not feel that way anymore. We clung to these things. Maybe liking some of these things is what set us apart in the first place, but that just reinforced how much we needed that part of ourselves. Fellow children of the 80s, I think, will feels this especially.

Fast forward to the modern-day though. Punk Rock music is pretty mainstream, and has influenced the newer genres of music. People in their 30s and 40s go around listening to the Misfits, or the Ramones, or the Dead Kennedys etc. ComicCons are everywhere and have massive attendances. DefCon had ~15,000 people in attendance this year. There are more Hacker/InfoSec conferences around the world than I can count anymore. The Lord of the Rings movies were some of the highest grossing movies ever. Some other box office favorites include practically every comic book movie made in the past 15 years. Video Game sales are off the charts and millions of people play things like Magic the Gathering every day. Rel1k is going on news programs to be interviewed as an expert, instead of 'scary hacker guy'.

Wake up Geeks, we won!

The things we like are everywhere. They are doing better than ever. Our sub-cultures are flourishing. New people want in. They like what they see. In other words: we now have the power.

So what are we doing with that power? Well, some of us are doing the same exact things that we hated when we were young and powerless. We are becoming elitist, and exclusionary. We are using our power to feel big, and make other people feel small. In the end, that behaviour makes us small though. Some of us are squandering our power and influence when we could be doing so much with it.

I say some of us, because there are plenty of people who aren't doing this. Wil Wheaton often says something I really like. I don't have a direct quote handy, but it goes something like "Being a Geek isn't about what you love, it's about how you love it". He goes on to talk about bonding with people who love other cool things the way you do.

I mentioned Punk Rock earlier, because i think it fits in with this same model. There are two great articles written by Greg Graffin, the lead signed of Bad Religion. I cannot find the originals anymore, but copies can be found at and . The second one is especially important to me, and really relevant to this discussion.  He talks about how Punk was supposed to be about having an inclusive community of people who were different from the norm. It quickly turned into just another group to exclude people from. It just changed who got to do the excluding.

You can choose to disagree, or even disregard me. Take a look around though. Whether you are a Punk, a Hacker, a Comic Geek, Gamer, Otaku, or whatever.  You have power now. Your culture has value, and influence, and so do you. Use it to change things. Don't repeat the same crap that probably made your childhood hard or unbearable. Let's make life for the next generation better than it was for us. If you see someone struggling to fit in to your community: help them! Show them around, introduce them to people. Introduce them to things you like, find out what they like. Chances are, both of you will grow from it.

Saturday, 24 March 2012

Security-Bsides Austin Texas

I am proud to say that my talk has been selected for B-Sides Austin TX this year.  Check out the Abstract below if you're interested.

Name: David Maloney, @thelightcosineTitle: Don't Pick the lock, steal the key
Length: 45 minutes
Abstract: You've got a problem. You're running a pentest and the only vulnerable box is some shmuck's desktop. Is it game over? wait, what is this WinSCP application on his machine? don't give up just yet. The wonderful world of fail that is password storage is about to save your butt. In this talk we will break down how Windows applications store their password. Where they store them, how they encrypt or obfuscate them, and how we can attack them. Then we will follow up with some real world examples from the Metasploit Framework, and show how you can turn one workstation into total network compromise in a very short ammount of time.

Monday, 17 October 2011

Some facts on the First State Superannuation Issue

Some blogger, has recently written a somewhat uninformed post on the whole Patrick Webster FSS issue. The author seems to be under some misapprehension about how these sorts of things work. Which is cocnerning for someone who claim to be a Web Application Security person, and is taking the pulpit to preach on the issue. Then again, why should we expect anything less from the Internet right?

In his post the author states: " It should go without saying that at this point that he could, just by the actions he had taken up to this point, be in violation of any number of data privacy laws."

Really, goes without saying? Actually it doesn't. Let's take a look. The first statue they claim he is in violation state the following:

308H   Unauthorised access to or modification of restricted data held in computer (summary offence)

(1)  A person:
(a)  who causes any unauthorised access to or modification of restricted data held in a computer, and
(b)  who knows that the access or modification is unauthorised, and
(c)  who intends to cause that access or modification,
      is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.

(2)  An offence against this section is a summary offence.
(3)  In this section:
restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.

Let's look at the other statute that is referenced:

478.1  Unauthorised access to, or modification of, restricted data
             (1)  A person is guilty of an offence if:
                     (a)  the person causes any unauthorised access to, or modification of, restricted data; and
                     (b)  the person intends to cause the access or modification; and
                     (c)  the person knows that the access or modification is unauthorised; and
                     (d)  one or more of the following applies:
                              (i)  the restricted data is held in a Commonwealth computer;
                             (ii)  the restricted data is held on behalf of the Commonwealth;
                            (iii)  the access to, or modification of, the restricted data is caused by means of a carriage service.
Penalty:  2 years imprisonment.
             (2)  Absolute liability applies to paragraph (1)(d).
             (3)  In this section:
restricted data means data:
                     (a)  held in a computer; and
                     (b)  to which access is restricted by an access control system associated with a function of the computer.

Look closely at (3) in both statues. This can only apply if an access control was circumvented. Insecure Direct Object Reference is not bypassing an Access control. It is a complete lack of an Access Control. I may not be a lawyer, but I suspect that this charge would have a VERY hard time standing up in court.

It really is not hard to look up these statues online. I would suggest that people actually read up on the subject matter.  all and all, I would be surprised if this whole matter doesn't blow over. The worst that I suspect will happen is that they make Webster sign that agreement on page 2 of their letter or refuse him any further online access. They could, theoretically, even drop him as a customer I suppose. I doubt any serious legal action will occur, but I could be wrong.

Mr Webster,  I am behind you, and i am sure many others are too. Good luck.

Saturday, 15 October 2011

When even Responsible Disclosure Fails

Disclaimer: The opinions expressed in this blog are my own, and do not reflect the views of anyone but myself.

In the latest incident, Patrick Webster of OSI Security, is under threat of legal action. This threat comes after he disclosed a vulnerability to First State Superannuation . The vulnerability was a case of direct Object Reference. By manipulating a GET parameter , Webster was able to access the statements of other customers. The legal threat is based around the idea that Webster violated Australian computer crime laws, and bypassed a security measure. Direct Object reference is not bypassing an access control. It is, by its very nature, the lack of an access control. Webster did not go public with this information, but rather went directly to the company to notify them of the flaw. On one hand, the company thanked him for his help. On the other hand they sicked the police after him and are trying to hold him responsible for the cost of fixing the flaw. Customers of First State Superannuation should be outraged at this. The company, which is responsible for protecting their customers' information has failed to do so. When one of these customers showed this failing, they held him responsible for it. The fact is, FSS has been negligent in providing proper security for their customers. They should be held accountable for this failing. Let's make a hypothetical analogy:

A customer walks into his bank, and asks to access his safety deposit box. They ask him his box number, and he tells them the wrong box number by accident. They bring him another person's box without verifying his identity. When he explains the mistake to them, they call the police and have him arrested.

If you read about this scenario in the newspaper you would be outraged. Why should it be any different in this case?

What is even more deeply disturbing, is the fact that this is far from an isolated incident. In the past year, there have been at least 2 other cases just like this. Earlier this year, a security researched by the handle of Acidgen disclosed a buffer overflow vulnerability to German Software company Magix. Acidgen contacted the company with the information, and had supposedly amiable communication with them. During the course of his conversation, he supplied them with a Proof of Concept that opened up calculator when run. He asked the company to let him know when it would be patched so he could release the details after it had been fixed. This is when Magix began threatening legal action against Acidgen. Among their claims, are the claims that sending the PoC to them constituted distribution of 'hacking tools'. They also claim his intent to release the details after a patch constitutes extortion.

Another example is the dating site hack. Security researchers discovered a vulnerability in the site that allowed access to customers' private data. The researchers claim that they simply informed the operators of the site of the vulnerability. In a bizarre twist, the owner of the site posted a bizarre rambling blog post where he claimed that the researchers attempted to extort him. His story was bizarre in the extreme indicating Russian Mob involvement, extortion, and even originally implicated journalist Brian Krebs in this scheme.

What I see here is a very alarming trend. Companies are trying to redirect all blame for their own failings to the very people who are trying to help make them more secure. If this trend continues, researchers will simply stop practicing responsible disclosure to most of these companies. In some cases the disclosure will go back to Full Disclosure practices. Otherwise, some researchers will just keep silent.

So what would First State Superannuation say if Webster had kept silent. Then a month later someone far less scrupulous exploited this vulnerability to attempt to make a profit. FSS should be thanking Webster for saving them all the embarrassment and possible repercussions of their irresponsible 'security' practices. These companies need to wake up and work with the community to help protect themselves, or things are only going to get worse.

Sunday, 9 October 2011

DerbyCon Retrospective

Rel1k recently posted his thoughts on how DerbyCon, and I thought I would share my own. I have not exactly made a secret of how I felt about DerbyCon. The speaker lineup was simply amazing. There were very few spots where I didn't have a talk I wanted to see. I unfortunately had to make some hard decisions between talks that were going at the same time.

When I go to conferences, I often find myself wandering aimlessly for periods. I'm not interested in the talks that are on at that time, and I don't really have anyone to talk to. So I wander about until I find someone I know. Every time I started to wander at Derbycon, I would run into someone who wanted to talk about something. I had no real "down time" the entire conference.

I spent time hanging out with, or at least talking to, people who have been something of heroes to me. I have followed some of these people for years, and getting to talk to them was great. What was even more amazing was that many of them knew who I was! Shaking hands with Chris Gates for the first time was surreal for me. I have followed Chris since I started in security. I tracked dookie2000ca down and finally got him to sign my copy of  Metasploit: A Penetration Tester's Guide.I got to spend time hanging out with jduck, corlanc0der, and sinn3r.  Everywhere I went, I felt not jsut like an equal, but like we were all friends. The most telling thing about the Information Security community is that we call it the Community, not the Industry. DerbyCon embodied this spirit. The entire weekend felt more like a family reunion than a conference, and I was sad to leave.

I was privileged to get to take the CoreLan Exploit Dev bootcamp. This training class was intense. We went from 1600-0200 both days, and didn't make it through everything. Peter Van Eeckhoutte (corelanc0d3r), took a class of 30 people from different backgrounds and walked them through windows exploitation. Some people in the class had absolutely no experience in exploitation. Despite this, Peter kept the entire class moving along, and as far as I could tell, nobody was lost. It was a shame that I had to miss parts of the conference for this training, but I would make the same choice again.

Brandon Perry and I wandered into the CTF room out of curiosity at one point. I had no plans to enter the cTF, so I hadn't really brought any tools with me. We decided to start playing around, not to seriously compete, but to have fun. We shared things we found with each other, and were just having a good time. Before we knew it, we were on top of the leaderboard. The organizers came and asked us to either be scored as a team, or to stop working together. I closed my account out and we kept working together under Brandon's. I was tied up with training for most of the conference, so Brandon spent a lot more time on the CTF than I did. In the end, we ended up in 5th place. I think if we had gone in prepared from the start, and I had the time to focus on it, we could have won. See Brandon's writeup on the CTF efforts here.

A few weeks before Derbycon, I started trying to put together a #metasploit meetup. I wanted to get everyone from the metasploit IRC channel together to hang out for a bit, have some drinks and just have fun. Mubix came up with the idea of throwing a birthday party for ms08-067, so the two ideas merged naturally. Mubix got it all organized and pulled off a great event. There was a big cake  and we all sang happy birthday. Then HD started handing out Redbull and Vodkas to EVERYONE at the party!

So I have ranted for long enough, I guess. The summary is this: Derbycon was probably one of the best experiences I have had. I felt at home the entire time I was there. The entire weekend made me more certain than ever that I am where I belong doing what I am meant to do. I can't possibly thank everybody enough, but thank you conference organizers, Rel1k, HD, Jduck, Corelanc0der, sinn3r, nullthreat, lincoln, bperry, Red, and everyone else I hung out with this weekend.

Saturday, 8 October 2011

Update to the Metasploit Exploit Port Wishlist

Here is the latest update to the document I have been creating. This is a list of exploits that are in exploit-db but not in Metasploit. This list is generated by referencing the Knowledge Base in QualysGuard. Its accuracy is not guaranteed, but it should serve as a good starting point for anyone interested in porting exploits to Metasploit.