Adding some updates with indications. - 13 May 2009. More updates. - 1 June 2009.

Today, I was in the midst of info security discussions about a Chinese operating system called "Kylin".

This set of discussions was launched by a Washington Times article by Bill Gertz today, "China blocks U.S. from cyber warfare". The article claimed:
---
China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies.

The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is preparing to wage cyberwarfare with the United States.
---

The hearings mentioned by the Washington Times included the 30 April 2009 US-China Economic and Security Review Commission's Hearing on China's Propaganda and Influence Operations, Its Intelligence Activities that Target the United States, and the Resulting Impacts on U.S. National Security. At that hearing, Mr. Kevin G. Coleman, Senior Fellow with the Technolytics Institute, was on the panel concerning Chinese cyber-espionage directed at the US. In his opening statements, Coleman stated:
---
Chinese authors believe the United States already is carrying out offensive cyber espionage and exploitation against China. China therefore must protect its own assets first in order to preserve the capability to go on the offensive. While this is a highly unpopular statement, WE ARE IN THE EARLY STAGES OF A CYBER ARMS RACE AND NEED TO RESPOND ACCORDINGLY!

This race was intensified when China created Kylin, their own hardened server operating system and began to convert their systems back in 2007. This action also made our offensive cyber capabilities ineffective against them given the cyber weapons were designed to be used against Linux, UNIX and Windows. Refer to our report - RED SOS.
---
(I was not able to find the RED SOS report online yet.)

Looking at my Twitter feeds throughout the day, I was seeing much tweeting about Kylin OS. Then, I mentioned the topic to Heike of The Dark Visitor blog about Chinese hackers. As I kept learning more about Kylin, it became clear that I should compile the information and post it on this blog.

The Kylin Web Site

Kylin's Web site is at http://www.kylin.org.cn/
[Rough rendition of the site into English via Google Translate]

By the way, some people have noted that, ironically, the site for a secure OS has an SQL injection vulnerability.

Kylin OS History

I learned that the Kylin OS has been around for several years, going back to 2001.

China Military Online, a Web site sponsored by the PLA Daily of the Chinese People's Liberation Army, reported in February 2005 on the development of Kylin as the PRC's own operating system that could replace foreign OSes. The Kylin OS was developed by the National University of Defense Technology (affiliated with the PLA). The project began when...
---
In 2001, the central government decided to assign the mission of developing an operating system with independent intellectual property rights, a major special project of the state's "863 Hi-tech Program", to the Computer Science Institute of the National University of Defense Technology. Upon receiving the mission, the institute swiftly organized a strong scientific and technological task group to brave difficulties and hardships and make bold innovations. Eventually, the group succeeded in making breakthroughs in a series of core technologies and developed the first 64-bit operating system with a high security level (B2 class), the Kylin server operating system. The system is not only compatible with the mainstream operating systems in the world, but also supports multiple microprocessors and computers of different structures. In addition, the system is also the first operating system without a Linux kernel that has obtained Linux global standard authentication by the international Free Standards Group (FSG).
---
In December 2006, Xinhua reported about Kylin OS. One of the things this report mentioned was that the University had signed an agreement with Lenovo for production and application of the Kylin system.

FreeBSD Roots?

Information Warfare Monitor has a post "Kylin operating system plagiarized from the FreeBSD5.3?" and pointed to the Dancefire site with its comparison of Kylin and FreeBSD 5.3. The similarities between the two OSes reportedly reached 99.45 percent.

The interesting Kylin information is under the Dancefire site's News section, which is in Chinese. The good news for those of us who cannot read Chinese is that Google Translate does a passable rendition of the texts. (Kylin is rendered by Google as "Kirin". I don't think it has anything to do with the Japanese beer. Does it?)

ADDED 1 June 2009: Jumper at The Dark Visitor blog has been taking a look at Kylin and has a good posting there.

How "Secure" is This "Secure OS"? [added 13 May 2009]

Much of the reporting about Kylin, including the PRC's PR about the OS, seems to take the claims that it is a "secure OS" at face value. But I have not yet come across any extensive security testing of Kylin. Also, I am wondering how much ongoing security support there is for Kylin. I mean things such as security patches, forums, etc.

Security researcher Dancho Danchev raises several excellent points that challenge the notion that the PRC's (or any other country's) "secure OS" poses a real threat to US cyber-offensive capabilities. Danchev writes regarding the "re-branding" of FreeBSD as Kylin and about the limits of "national security OSes":
---
All warfare is indeed based on deception, especially when you’re re-branding.

The rush to participate in the “national security operating system” arms race is pretty evident across the world, with the European Union’s secure OS Minix, the U.S Air Force new ‘secure distribution of Windows XP‘ and Russia’s interest in a similar secure OS.

What everyone appears to be forgetting is the fact that security is proportional with usability, and as well as the fact that complexity is the worst enemy of security.
---
Then, Danchev provides the example of a penetration test of a US government site that found "763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders." The assortment of applications on the systems and their complexity gave ample footholds for exploitation. Then, there are human factors, including human foibles, that can affect security. Although better designed or hardened OSes can help, they are but one component of security.

So is the PRC's Kylin a Part of Cyber-Warfare, Cyber-Security, or Both?


It's both. (Note, I am leery of the cyber-warfare term. It can encourage massive, costly projects and bad analogies.)

I understand Mr. Coleman's concerns about cyberwarfare aspects and how the PRC's cyber-defence could hinder US cyber capabilities against their systems. But we should not deem overall attempts to have more secure operating systems as "warfare" in a sinister sense per se. Improving cyber-security is something that we all should be doing. Being "peaceful" in the networked world does not mean having servers running unpatched Windows. The US, UK, etc. should be encouraging their government, corporate, and infrastructure systems to be better secured. (The US has done projects such as NSA's work on Security Enhanced Linux. Some might call that an example of US cyber-warfare.)

Special thanks to

Regards,
Jonathan D. Abolins


Normally, I'd be speaking about computer "pathogens" but, for a change, I'll be speaking at the New Jersey Infragard chapter's April meeting. The meeting's theme is Pandemic Flu Planning.

My presentation is:
Lessons for the 21st Century from the 20th Century History of the Flu:

There were three major influenza pandemics in the 20th Century. The 1918-19 "Spanish Influenza" was particularly deadly, killing anywhere between 30 and 50 million people around the world. The 1957-58 Asian flu was not as deadly, but still killed about 70,000 Americans. The "mildest" pandemic, Hong Kong Flu of 1968-69, caused about 34,000 US deaths. Then there was the 1976 "Swine Flu" abortive pandemic and a nationwide vaccination program which some called a fiasco.

What lessons for today can we glean from these events decades ago? This presentation will point out lessons to help us to better prepare for future pandemics.
Also speaking will be Heather Benamati, MPH, CHES, Health Services, Human Services Coordinator of the Bernards Township Health Department. She will focus upon public health aspects of pandemic flu preparedness. There will be a third speaker who'll cover business contingency planning.


Date: Tuesday, April 21, 2009
Time: 9:30 am to 10:00 am - networking session
10:00 am to 1:00 pm - the Chapter meeting
Location: Affinity Federal Credit Union
73 Mountain View Boulevard
Basking Ridge, New Jersey 07920
Parking will be available at the Credit Union for attendees.


Marcus Carey of SunTzu security firm & founder of DoJoSec
The March 5th DoJoSec was the second one of their monthly briefings I have attended. Although it is almost a three-hour drive from New Jersey, these evening sessions have been worth attending. I had to miss April's session because of schedule conflicts, but I plan to attend the upcoming sessions of what has been called "dinner theatre for security geeks."

Since the videos of the presentations are available (embedded & linked on this page), I won't bother summarising them in detail. Just watch the videos. Rather, I'll highlight some of the things I found especially interesting in the presentations.

iPhone Forensics - Walter Barr and Sean Morrissey

I had heard much about iPhone forensics from Jonathan Zdziarski, so I was interested in hearing what these fellows had to say on the subject.

One of the interesting aspects of the presentation was the influence of the speakers' different professional backgrounds when it came to the issue of "jailbreaking" iPhones in the course of forensic examination. Morrissey came out of a law enforcement background while Barr did not.

This difference was most evident when they covered "jailbreaking" iPhones to extract evidence data. Barr saw jailbreaking as an option. Morrissey strongly insisted that jailbreaking should not be used. Besides Apple's claim that jailbreaking iPhones is illegal, the use of "hacker tools" might open up challenges in court where opposing attorneys imply one is using "criminal" or somehow suspect tools. He exhorted the audience to do forensics right so we don't have bad cases, and alluded to the forensic problems in the OJ murder case.

The "hacker tool" label and the potential for court challenges stirred up quite a lively discussion during the Q&A. Some people pointed out that valuable security/forensics tools such as Wireshark could be maligned as "[criminal] hacker tools" and yet we use them, so why avoid jailbreaking tools?

The problem appears to be that jailbreaking tools don't have as strongly established a reputation for constructive uses as do Wireshark, nmap, Nessus, and many other dual-/multi-purpose tools.

Snort - The Forensics Tool? - David Warren

Because I have been dealing with malware and network analyses recently, I was particularly interested in seeing what Warren had to say. The main thing I got was that Snort's rules features and its support for extensive text and hex pattern searches make it handy for going through packet capture data.

Cyberwar is BS - Marcus J. Ranum

I looked forward to hearing Marcus Ranum's take on popular cyberwar concepts. I had read his thought-provoking "Six Dumbest Ideas in Computer Security" and saw that even if I didn't agree with everything he said, his ability to make us think more deeply about security was a valuable talent.

Ranum's presentation was even better than I had expected. I am not even going to bother summarising anything else from it. Just view the video, enjoy, and think!

Cheers.
Jonathan "J.D." Abolins


P.S. Dustin L. Fritz has more photos from the March DoJoSec Monthly Briefing on his blog.
Bar & Morrissey at DoJoSec March 2009
Bar & Morrissey speaking on iPhone forensics


DojoSec Monthly Briefings - March 2009 - Wally Barr & Sean Morrissey from Marcus Carey on Vimeo.

David Warren reminding us of computing in the early 1980s.
Remember the TI-99/4A home computer?

DojoSec Monthly Briefings - March 2009 - Dave Warren from Marcus Carey on Vimeo.

Marcus Ranum speaking on cyberwar

DojoSec Monthly Briefings - March 2009 - Marcus J. Ranum from Marcus Carey on Vimeo.
 
Tonight, CBS-TV (US) programme 60 Minutes just ran a segment on "The Conficker Worm: What Happens Next?"
<<---
The Internet is infected. Malicious computer hackers have been creating more and more weapons that they plant on the Internet. They call their weapons viruses and worms - they're creepy, crawly toxic software that contaminate our computers without our ever knowing it. You can be infected by simply visiting your favorite Web site, or just by leaving your computer on, overnight while you're asleep.

[...]
One of the most dangerous threats ever, a computer worm known as "Conficker," is spreading through the Internet right now. By some estimates, 10 million computers have been infected worldwide.
--->>
While the segment had a couple of interesting moments, I did not find that it gave a good understanding of what's going on with the Conficker.c worm.

I found the Washington Post's Brian Krebs's piece, "Conficker: Doomsday, or the World's Longest Rickroll?", to give a better perspective:
<<---
Computers already infected by the worm are supposed to be automatically updated with some unknown software component on April Fools Day. That's more or less the sum of what computer experts know about the rhyme or reason behind this worm, but it hasn't stopped pundits and the press alike from issuing ominous warnings.
--->>
Krebs points to various examples of press reports with dire warnings of things such as "an undercurrent of potential chaos building - a malicious piece of code that has already prompted the French military to ground some fighter planes."

(George Hulme's Information Week security blog had a similar overview of Conficker.c FUD reports.)

Much of the speculation is coming out of the mystery concerning the worm author's motives. So far, nothing obvious, such as financial gain from spams & scams, has been noticed. The code, especially for the c variant, is rather clever and sophisticated. (SRI International has an excellent technical analysis of the Conficker.c code and behaviour. Note: due to the worm's interaction with various Internet sites, even good analyses such as this one cannot predict what will happen later on.)

Krebs noted that perhaps the biggest impact of the Conficker worm will be its serving as a motivator to get international cooperation in trying to block the registration of domains to be used by the worm.

<<---
What I find most fascinating about Conficker is that its real legacy may well turn out to be beneficent. To date, there really hasn't been a threat that has given countries on opposite ends of the globe a unifying, urgent reason to work against a single Internet menace. Yet, due to the work of the Conficker Cabal and affected parties, that is starting to change.

"We're literally relying on people in Latvia to protect computer networks in Brazil, and the other way around, too, so each country has some capability and some responsibility once they understand the role they can play here," Wesson said. "No matter what happens with Conficker, it's created something here....a beautiful opportunity to bring cyber security to the kitchen table."
--->>

I, too, think this is a great development.

Other Resources

Regards,
Jonathan D. Abolins

Recycling is good when it is papers, plastics, and metals. But recycling old Hotmail addresses that haven't been used in over a year can cause problems, as I'm learning from a LiveJournal news item, Keeping Your Journal Safe:
<<---
Recently some journals and communities have been broken into, their contents deleted, and their owners locked out. We want to explain how this can happen and give you some steps you can take to help prevent this from happening to your journal or community.

First of all, we would like to dispel the rumor that these break-ins have something to do with the accounts that have recently been friending large numbers of users (sometimes called friending bots). We do not believe these are related. The problem appears to stem from Hotmail's policy of recycling inactive email addresses.

The recent break-ins resulted from hijackers finding and accessing lapsed Hotmail accounts that were used with LiveJournal accounts and publicly displayed on Profile pages in the past. You should be aware that Hotmail recycles email addresses that haven't been used in more than a year. If you validated a Hotmail address for your journal and displayed it publicly in the past, but then let the address lapse, someone who finds and re-registers that address can use it to obtain control of the journal.
--->>
The new "owner" of the Hotmail address could use the LiveJournal service's help for lost passwords to get the password info sent to the Hotmail address. LiveJournal has no way of knowing that the email address has been recycled.

Other sites may be vulnerable to the same exploitation of "forgot password" functions via recycled Hotmail addresses. All too often, there's an assumption that only you will have access to the email address associated with you. (Then there is the security economics: for most sites it is more cost effective to email the password info than to do extensive checks of the requesters. If it's a free email service, what do you expect?)

Some countermeasures:
  1. Review online accounts at Web/blog hosting, online banking, etc. services periodically to make sure that the email and other contact info is still correct.
  2. Use additional security features, such as "secret questions" for your online accounts, if available.
  3. If abandoning an email address, let your more important contacts know so they don't send anything sensitive to the old address. Abandoning an email account does not mean it will never resurface.
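To show how a site can defend its "forgot password" flow against a recycled recovery address, here is an added example that is not from this post, LiveJournal, or Hotmail. It models a site that records when the owner last verified the recovery address, refuses stale addresses, and tags the reset mail with the Require-Recipient-Valid-Since header (RFC 7293, a standard that came years after this post) so a cooperating mailbox provider drops the message if the mailbox changed hands after that date; every account, address, date and threshold below is constructed.

```python
"""Password-reset mail hardened against recycled recovery addresses.

Two sides are modelled (both constructed for this example):
  * the web site, which stores per account when the recovery e-mail
    address was last verified by its owner;
  * the mailbox provider, which recycles abandoned addresses and knows
    when each address was most recently (re-)registered.

The site puts a Require-Recipient-Valid-Since header (RFC 7293) on each
reset message: "this address must have belonged to the same person
since <date>". A provider honouring it refuses delivery when the mailbox
was re-registered after that date, so the reset never reaches the new
"owner". The site also refuses to use an address whose last verification
is older than the recycling window, prompting re-verification instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime
import secrets

RRVS = "Require-Recipient-Valid-Since"


@dataclass
class Account:
    username: str
    recovery_email: str
    email_verified_at: datetime  # last time the owner proved control of the address


class MailboxProvider:
    """Toy provider that remembers when each address was last registered."""

    def __init__(self):
        self.registered_at = {}

    def register(self, address, when):
        # Re-registering an address models the provider recycling it.
        self.registered_at[address] = when

    def accept(self, msg):
        """Return (accepted, reason), enforcing RRVS when the header is present."""
        rcpt = msg["To"]
        if rcpt not in self.registered_at:
            return False, "no such mailbox"
        hdr = msg[RRVS]
        if hdr is None:
            return True, "delivered (no RRVS header)"
        addr, _, since = (part.strip() for part in hdr.partition(";"))
        if addr.lower() != rcpt.lower():
            return False, "RRVS address does not match recipient"
        if self.registered_at[rcpt] > parsedate_to_datetime(since):
            return False, "mailbox re-registered after the required date"
        return True, "delivered"


def build_reset_message(account, sender="noreply@journal.example"):
    """Compose the reset mail; the RRVS date is the site's own verification record."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = account.recovery_email
    msg["Subject"] = "Password reset request"
    msg[RRVS] = f"{account.recovery_email}; {format_datetime(account.email_verified_at)}"
    token = secrets.token_urlsafe(32)  # one-time token, never the password itself
    msg.set_content(f"Use this one-time token to choose a new password: {token}")
    return msg


def request_reset(account, provider, now, max_age=timedelta(days=180)):
    """Site-side policy: refuse a recovery address not re-verified within max_age
    (None disables that check), otherwise send with RRVS and report the outcome."""
    if max_age is not None and now - account.email_verified_at > max_age:
        return False, "recovery address verification is stale; re-verify first"
    return provider.accept(build_reset_message(account))


def demo():
    """Constructed scenario: a lapsed address recycled to a stranger versus an active one."""
    provider = MailboxProvider()
    now = datetime(2009, 3, 1, tzinfo=timezone.utc)
    # Victim verified the address in 2007, let it lapse; someone else registered it in 2009.
    victim = Account("victim", "oldaddr@hotmail.example", datetime(2007, 1, 1, tzinfo=timezone.utc))
    provider.register("oldaddr@hotmail.example", datetime(2006, 12, 1, tzinfo=timezone.utc))
    provider.register("oldaddr@hotmail.example", datetime(2009, 2, 1, tzinfo=timezone.utc))
    # Active user verified recently; the mailbox has been theirs since 2005.
    current = Account("current", "active@mail.example", datetime(2009, 2, 15, tzinfo=timezone.utc))
    provider.register("active@mail.example", datetime(2005, 6, 1, tzinfo=timezone.utc))
    return [
        request_reset(victim, provider, now)[1],            # blocked by the site's staleness rule
        request_reset(victim, provider, now, max_age=None)[1],  # blocked by the provider via RRVS
        request_reset(current, provider, now)[1],           # legitimate reset goes through
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Either layer alone closes the hole described in the LiveJournal notice; together they also cover providers that ignore the header.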

Remember to recycle those electrons!
J.D. Abolins

The site: http://www.modernliberty.net/
Cory Doctorow's post on Boing Boing: http://www.boingboing.net/2009/02/27/tomorrow-is-britains.html

The Modern Liberty site explains why the convention is needed:

We are entering a dangerous period in our country. Economic turmoil threatens profound hardship and disharmony. Disenchantment with politics is growing and even legitimate protest is threatened by an unprecedented programme of challenges to our rights, freedoms and democracy. Sixty years ago Britain was a proud co-author of the Universal Declaration of Human Rights and Fundamental Freedoms. Now it is increasingly centralized, abandoning its historic principles some of which date back to the Magna Carta.
The Government’s continued stated determination to extend detention without charge in terrorism cases to 42 days is one symbol of the damage done to our hard-won rights and freedoms. The Regulation of Investigatory Powers Act 2000 (RIPA), which gives hundreds of agencies access to people’s records without their knowing, is another. The collection of all available records on a huge central database for the use of the authorities is a third.
We believe that such threats can be overcome but only if the public is woken to the dangers. While we may be impatient for action, the issues must be addressed in an open-minded way with as thorough and accessible public debate as possible.
Therefore we invite you to join a Convention on Modern Liberty. It will ask three broad questions:
  • Are our freedoms and rights threatened by an over-powerful state and if so how do we defend ourselves from this?
  • Are dangers to our security from terrorism and other threats, from climate change to pandemics being used to attack our rights, and how can we best defend ourselves?
  • How can we arouse sustained public interest?
We are making Modern Liberty a convention not a conference. We want to bring as many people together to see what common ground can be reached in defence of our freedoms. The Guardian is the main media partner. The Rowntree Reform and Charitable Trusts and the Rowntree Foundation are initial supporters. A wide range of organisations are joining the event from across the political spectrum.
Fundamental rights and freedoms are common to us all. The Universal Declaration recognises ‘the equal and inalienable rights of all members of the human family as the foundation of freedom, justice and peace in the world’. In Britain such values have an even longer history. We are indeed the inheritors of an inspiring tradition of liberty.
At the same time technical advances from information technology to explosives and the threats of catastrophic climatic change have altered the framework of power and fear.
This calls for a renewal of our democratic self-confidence. This is the purpose of the Convention on Modern Liberty. Whether you agree or not we hope you will join us to debate these issues.
British liberties and privacy issues might seem irrelevant to those of us in the US. But I see interplays with what goes on in the UK and in the US. For example, the pervasive public surveillance of British society is often cited as a good example for the US. Unfortunately, the lessons learned in Britain about what works and what doesn't with surveillance don't get noticed as well in the States.

Also, with the new US President and Administration, I believe we will see much reshuffling about privacy, security, and liberties. 20th Century concepts of these values might not hold up well in the 21st Century. It will be important for citizens to learn about the issues and get involved. Learning from other countries' experiences can be helpful.

If you are not able to attend the meetings, the Modern Liberty site will have video and photos.

Here's looking at you,
Jonathan D. Abolins

Nick O'Neil suggested "10 Privacy Settings Every Facebook User Should Know" at the AllFacebook blog.

This was quite timely. Over the past several months, I've had discussions about social network site and blog mishaps and problematic disclosures. One set of discussions recently was the wisdom of blogging if one is seeking to work in the security or law enforcement field.

Some people say that people heading for such careers would do best to stay off the blogs and social network sites. There are all too many examples of people disclosing too much personal information or posting rants for the world to see.

Then there is the matter of the easy global availability of one's photos and biographical details making a career with covert or undercover work more difficult. An opinion piece in the UK edition of SC Magazine wonders about the impact of social network sites upon available recruits for UK security services. Ken Munro writes:

Donald Pleasance as Bond villain Blofeld. The photo is on this BBC page.

 


<<---
Imagine the scene. James Bond enters the HQ of a criminal mastermind intent on world destruction. Waiting for him are a host of henchpersons, all armed to the teeth.

"We've been expecting you, Mr Bond," says the evil Blofeld, stroking his white Persian cat. "We saw your Twitter update."

The UK's universities are a prime recruiting ground for our intelligence services. Clever, well-versed students apparently make excellent espionage agents.

Herein lies the problem: if you're planning on having a second identity for undercover work, it doesn't help if your photos, friends and real name are splattered all over various social networking sites. Try finding a student at a university who hasn't done just that.
--->>

This concern seems to be more of a British one than an American one. Americans are more talkative than the Brits. Even a look at the two countries' intelligence services' Web sites reflects such differences. (Here are the links to the CIA and the NSA for the US and MI5, MI6, and GCHQ for the UK. Interestingly, both of the US sites have kids' pages, something that seems to be a US-only phenomenon for intelligence service sites.)

In this era, people -- especially young people -- who are totally offline are relatively rare, and the data holes might draw even more attention. Security services will find ways to adapt. Data profiles might be cultivated to fit cover identities, or stories covering data holes might be developed. Some services are finding the value of internal social network tools such as wikis and blogs. And so on.

Still, no matter what one's career direction is, it is wise to learn how the tools one uses work and to manage the message that goes out.

J.D. Abolins

A couple of nights ago, I finished the two-hour online test for the basic Certified Homeland Security Professionals (CHSP) certification. I passed. I am quite happy. (One of the reasons is that I am among the program's technical advisors. Flunking wouldn't be a big disaster, but it would be somewhat embarrassing. <blush>)

The CHSP is a new training & certification program designed for US homeland security practices, laws and resources. Currently, the program offers a basic overall homeland security course and a biosecurity & bioterrorism specialisation course.

Although there are fees for the courses and the certification exams, there are some freebies, including a homeland security news blog, available via the CHSP Learning Portal. You can sign up for a free guest account there.

Jonathan "J.D." Abolins


Sun Tzu Data has been working upon SUMO Linux, a distro combining features of BackTrack, Helix, DBAN (Darik's Boot and Nuke hard disk wiper), Samurai Linux, and DVL (Damn Vulnerable Linux, for training exercises). From the SUMO Linux home page, it appears that the live DVD allows you to choose which of these distros you want to use. Sounds lovely, sort of like an info security Swiss Army Knife.

I am in the middle of downloading the DVD .iso via its torrent and, once I get a chance to try it out, I'll post more info on this blog.

J.D. Abolins





I'm working on some things on the computer and have the TV playing in the background. "My Own Worst Enemy" is on now. A few minutes ago, I caught a snippet where some spy agency people are talking about gaining access to the "bad guys'" computers and noting that the data on the computers is encrypted. One character says that they'll have to use a coolant to break the encryption.

Ah! The script writers must have heard about the "Lest We Remember: Cold Boot Attacks on Encryption Keys" research. Now, the TV show did not go into depth, and it appeared that the cold boot attack concept was a convenient plot device. Still, it was interesting seeing that reference.

J.D. Abolins



(This posting is mainly intended to give a set of pointers to references and views on the matter. I'll reserve my commentary for another time. -JDA)

Last week, ABC News (US) gave an "exclusive" look at an "Inside Account of U.S. Eavesdropping on Americans". Adrienne Kinne and David Murfee Faulk, two former military intercept operators who worked at the National Security Agency (NSA) center in Fort Gordon, Georgia, told of eavesdropping on hundreds of personal calls that had nothing to do with terrorism. They had first spoken about this eavesdropping with James Bamford as he was working on his soon-to-be-published book about the NSA, "The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America". There are comments and responses by Orin Kerr on the Volokh Conspiracy blog and Marty Lederman on the Balkinization blog. Whatever else, one should keep in mind that absolute privacy in electronic communications is not intrinsically guaranteed. Right or wrong, there are many people and groups that could have access to the communications. Meanwhile, I'll read Bamford's new book and look for further reports.

Added 15 Oct 2008: Bruce Schneier has blogged about "NSA's Warrantless Eavesdropping Targets Innocent Americans" and reminded his readers that "Warrants are a security device. They protect us against government abuse of power." Good point.

One of the things which is somewhat murky in the various tellings of the eavesdropping is whether or not the particular eavesdropping was officially ordered and sanctioned. To me, it appears that the snooping on phone sex and other non-terrorism-related calls was an unprofessional departure from official procedures. The supervisors might have claimed it was required, but it's quite likely that they exceeded the scope of the orders. That's my current perception. I realise some other people think it was part of the orders to monitor the pillow talk and such. It may take a while before we have a clear picture. In any case, people using US DoD-issued communications devices and networks do need to realise the likelihood of being monitored. Part of the military life.

"All our operators are standing by...."
J.D. Abolins

"It's not like when you steal the Mona Lisa and there's a blank space left on the wall."

For several years, data breaches have been reported almost weekly in the news. In some cases, the business or agency will claim that the data was accessed but "not stolen", or that sensitive information was not really accessed. Reassuring? Not really. What are the signs that the data was stolen versus signs that it wasn't?

The following snippet from a USA Today article on the World Bank data intrusion illustrates the problem:
World Bank spokesman Carl Hanlon confirmed the authenticity of bank memos obtained by Behar describing how bank officials discovered — and reacted to — the cyberbreak-in. "The bottom line is that at no point was any sensitive information accessed," Hanlon said in a phone interview.

That assertion drew skepticism in tech-security circles. Several security experts noted that cyberthieves are experts at stealing data without leaving a trace. "It's not like when you steal the Mona Lisa and there's a blank space left on the wall," says Sophos researcher Graham Cluley.
I like that Mona Lisa quote. It gets right to the point in a nice media-friendly form.

Yes, the breached system's administrators may not really have a full understanding of the scope of the breach. They found something and may have responded to it thinking that it is the only incursion into the system. As one of the presentations at October's DoJoSec explained, there may be multiple tools, exploits, and avenues of a systems intrusion. So whilst the sys admins caught and eliminated one avenue, they might have missed several others.

Then there is the matter of knowing all the places sensitive data is stored and accessed. Sometimes, there's an assumption that the sensitive data resides only in particular databases and on particular servers. But this is not always the case. Copies of the data might be found elsewhere. If the focus of the damage assessment is upon the servers and databases that store the sensitive stuff, the data's users computers or, maybe, print servers might be overlooked. And so on.

J.D. Abolins

Eoghan Casey
Johnny Long
Last Thursday night (Oct. 2nd), I had the opportunity to attend Sun Tzu Data's first DoJoSec session. Sun Tzu Data, a security firm in Maryland, is launching monthly mini-conferences to give people a chance to get a sample of presentations given at the major conferences. The next DoJoSec will be on November 5th. Check their Web site for more details about upcoming sessions and other events & services.

The evening sessions include sandwiches and other food. The folks at Sun Tzu Data like to call it "dinner theater for security geeks". I guess, to play upon a Bruce Schneier phrase, this is a "security dinner theatre". <g>

The first presentation was given by Chris Daywalt and Eoghan Casey (pictured pointing to a chart; "Eoghan" is pronounced like "Owen"). They spoke on "offence in depth" by intruders and how too quick an attempt to contain and eradicate/clean up an intrusion may be self-defeating.

They mentioned the NIST SP 800-61 Computer Security Incident Handling Guide and its Incident Response Life Cycle. Sysadmins figure they know the scope of the intrusion and respond with containment, eradication, and recovery procedures. But, as the two fellows noted in their "tag team" delivery, many intruders use multiple modes of attack, tools, and communications channels. So a response addressing only one of the attack prongs will tip off the intruders and they'll lie low. Once the sysadmins believe they've completed the clean-up, the other attack prongs can be used to continue the exploitation of the systems. One of the key preparation points Daywalt and Casey stressed is to know what's normal for your systems.
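To make the "know what's normal" point concrete, here is an added example (not code from the Daywalt/Casey presentation, and not from the World Bank post above, which raises the same issue). It compares a host's persistence and network footprint against a baseline recorded during preparation, then shows that removing the one prong the responder noticed still leaves the others standing out against that baseline. The baseline, the compromised snapshot, the indicator strings and the category names are all constructed for illustration.

```python
"""Baseline comparison for scoping an intrusion.

Idea: record what is normal for a host (listeners, outbound peers, cron
entries, services) before an incident; after one, diff the live snapshot
against it so that eradicating one attack prong does not end the hunt.
All data below is constructed sample data, not from any real system.
"""

# Categories of indicators we baseline (an assumption for this example).
CATEGORIES = ("listeners", "outbound", "cron", "services")


def diff_against_baseline(baseline, current):
    """Return {category: {"new": set, "missing": set}}.

    baseline / current: dict mapping a category name to a set of normalized
    indicator strings (e.g. "tcp/22 sshd" or "203.0.113.7:443").
    """
    report = {}
    for cat in CATEGORIES:
        base = set(baseline.get(cat, ()))
        cur = set(current.get(cat, ()))
        report[cat] = {"new": cur - base, "missing": base - cur}
    return report


def remaining_prongs(report):
    """Flatten every 'new' finding into sorted (category, indicator) pairs."""
    return sorted((cat, ind) for cat, d in report.items() for ind in d["new"])


def contain(snapshot, category, indicator):
    """Model the responder removing one finding; returns a fresh snapshot."""
    updated = {k: set(v) for k, v in snapshot.items()}
    updated[category].discard(indicator)
    return updated


# Constructed baseline taken during the preparation phase.
BASELINE = {
    "listeners": {"tcp/22 sshd", "tcp/443 httpd"},
    "outbound": {"10.0.0.5:25", "10.0.0.9:389"},
    "cron": {"root:0 3 * * * /usr/local/bin/backup.sh"},
    "services": {"sshd", "httpd", "crond"},
}

# Constructed snapshot of the same host after a multi-pronged intrusion:
# a bind shell, two command channels, a cron-based backdoor and a rogue service.
COMPROMISED = {
    "listeners": {"tcp/22 sshd", "tcp/443 httpd", "tcp/4444 /tmp/.x"},
    "outbound": {"10.0.0.5:25", "10.0.0.9:389",
                 "203.0.113.7:443", "198.51.100.20:53"},
    "cron": {"root:0 3 * * * /usr/local/bin/backup.sh",
             "root:*/10 * * * * /var/tmp/.c/up.sh"},
    "services": {"sshd", "httpd", "crond", "kworkerd"},
}


def scope_after_partial_containment():
    """Findings before and after the responder kills only the obvious listener."""
    first = remaining_prongs(diff_against_baseline(BASELINE, COMPROMISED))
    after_cleanup = contain(COMPROMISED, "listeners", "tcp/4444 /tmp/.x")
    second = remaining_prongs(diff_against_baseline(BASELINE, after_cleanup))
    return first, second


if __name__ == "__main__":
    before, after = scope_after_partial_containment()
    print("findings before containment:", len(before))
    print("findings still present after removing the bind shell:", len(after))
    for cat, ind in after:
        print("  still anomalous:", cat, ind)
```

Without the baseline, the responder who found the bind shell on tcp/4444 has nothing to tell them that the extra cron entry and the two outbound channels are not normal; with it, the second diff makes the remaining prongs visible before recovery is declared complete.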

The second presentation was on "No Tech Hacking" by Johnny Long (pictured on the right). This is the third time I've heard Johnny Long give this spiel, but it was still fun and informative. This particular presentation had an interesting touch because many of the places shown in the slides were in Maryland, so Johnny Long slipped in a few comments about the locations. (You can read a sample chapter from his No Tech Hacking book here.)

The DoJoSec session was worth the six hours round trip from New Jersey to Columbia, MD. I cannot attend the sessions regularly, but I hope to visit a few more of them. If you are in the Baltimore/DC area and are interested in low cost info security education, check out the DoJoSec sessions.

I'm glad I attended the DoJoSec instead of the DoDoSec session.
J.D. Abolins

Neopwn mobile phone for penetration testing

  • Sep. 23rd, 2008 at 8:53 AM
Slashdot had a thread yesterday about this device & software. I've not seen the package myself.
http://mobile.slashdot.org/mobile/08/09/21/1730256.shtml

Neopwn: <http://www.neopwn.com/> says:
Pocket Pentesting

Running on a well balanced mix of open source hardware and network security testing software, NeoPwn has been a long awaited pocket penetration testing platform. This is the first ever network auditing distribution for a mobile phone.

The NeoPwn uses the base platform of the Openmoko Neo Freerunner, which offers USB WLAN support, a GPS modem, a GPRS modem for cellular connectivity, and a CSR-based Bluetooth module. The USB host mode will also allow for a range of other devices and peripherals.

Neopwn runs on an optimized FULL custom Debian operating system that boots off of a microSD card with a custom Linux kernel, with a vast support range for module drivers, allowing the network security tester the ability to perform various network penetration auditing tasks that are normally carried out on a notebook or desktop workstation.
(The mobile phone will only work with GSM networks that require SIMs.)


The complete mobile phone & software packages run from about 700 USD to 1,000 USD. They have less expensive packages minus the phone.

Even if you don't buy a Neopwn mobile, their software listing can be useful for building a collection of free/open source software pen-test tools.

J.D. Abolins

Scientific American's Privacy issue

  • Aug. 24th, 2008 at 11:45 PM
Scientific American is giving special coverage to privacy in its September 2008 issue. Among the articles in the issue are the following:
If you can, take a look at the print edition. The print edition has some informative graphics that weren't quite duplicated on the Web.

J.D. Abolins

Some notes on the DNS vulnerability matter...

  • Aug. 14th, 2008 at 11:53 PM
There has been much tech chatter about Dan Kaminsky's reporting about a major DNS vulnerability. I am not going to rehash all the reporting here. But I do want to mention a few odds and ends observations.
  • Dan Kaminsky has some information about the DNS vulnerability, his Defcon presentation, etc. at http://www.doxpara.com/ (IP address: 157.22.245.20). The site also has a DNS Checker to see if your Internet connection is particularly vulnerable to DNS mischief. Take a look at his post with "Summaries".
  • Steve Friedl has "An Illustrated Guide to the Kaminsky DNS Vulnerability". Nice!
  • It can be prudent to catalogue the IP addresses of crucial sites you use. One way is to use nslookup to find the IP addresses.
  • BUT connecting to a server using its IP address is not a 100% guarantee of protection from DNS mischief. If, for example, the server pulls information from other servers using DNS information, the DNS vulnerability could affect this. Mashups could be particularly susceptible to this.
  • If you're using Firefox and accessing a site using its IP address instead of the usual URL, you may run into a Secure Connection Failed warning saying something about an "invalid security certificate". This doesn't necessarily mean you've reached a bogus site. See Firefox's support pages for more information on this.
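The check Kaminsky's online DNS Checker performs, in offline form, as an added example (not code from doxpara.com or from Friedl's guide): the vulnerability is exploitable because an unpatched resolver sends every query from the same source port, leaving only the 16-bit transaction ID for an attacker to guess, and the attacker can rerun the race as often as needed by asking for random names under the target zone. The fix that vendors shipped was to randomize the source port. Given a capture of a resolver's outbound queries as (source port, TXID) pairs, the code below classifies the resolver and estimates the (port, TXID) space an attacker has to cover per race. The captures are constructed, and the classification thresholds are this example's own assumptions.

```python
"""Assess a recursive resolver's source-port randomization from a capture of
its outbound queries (e.g. the UDP source port and DNS ID fields as seen by
tcpdump on the resolver's upstream interface)."""
import random

TXID_SPACE = 1 << 16                 # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = 65535 - 1024 + 1   # ports 1024..65535, the usual outbound range


def assess_resolver(observations):
    """Classify a resolver from observed (source_port, txid) pairs.

    Returns a dict with the verdict, how many distinct ports were seen,
    whether TXIDs simply count up, and the number of (port, txid) candidates
    an attacker must cover to win one poisoning race.
    """
    n = len(observations)
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    distinct_ports = len(set(ports))

    # Thresholds below are assumptions for this example. A fixed (or nearly
    # fixed) port leaves only the TXID to guess; with the Kaminsky trick of
    # querying random names under the victim zone, the attacker can repeat the
    # race until a guess lands, so a 65536-entry space is not a real defence.
    if distinct_ports == 1:
        verdict = "fixed source port"
        port_candidates = 1
    elif distinct_ports < n // 2:
        verdict = "weak port randomization"
        port_candidates = distinct_ports   # lower bound from what was observed
    else:
        verdict = "randomized source port"
        port_candidates = EPHEMERAL_PORTS

    # TXIDs that increment by one per query are a separate weakness: the
    # attacker can predict the next ID after seeing a single query.
    sequential_txid = n > 1 and all(
        (b - a) & 0xFFFF == 1 for a, b in zip(txids, txids[1:])
    )
    return {
        "verdict": verdict,
        "distinct_ports": distinct_ports,
        "sequential_txid": sequential_txid,
        "search_space": port_candidates * TXID_SPACE,
    }


def sample_capture(kind, n=200, seed=7):
    """Constructed captures for the two cases; not data from a real resolver."""
    rng = random.Random(seed)
    if kind == "fixed":
        # Unpatched behaviour: one ephemeral port for the resolver's lifetime
        # and a TXID that counts up.
        return [(32768, (0x1A2B + i) & 0xFFFF) for i in range(n)]
    if kind == "random":
        # Patched behaviour: fresh random port and random TXID per query.
        return [(rng.randint(1024, 65535), rng.randint(0, 0xFFFF))
                for _ in range(n)]
    raise ValueError("unknown capture kind: %r" % kind)


if __name__ == "__main__":
    for kind in ("fixed", "random"):
        result = assess_resolver(sample_capture(kind))
        print(kind, "->", result["verdict"],
              "search space per race:", result["search_space"])
```

The distinct-port count is the useful statistic because sample entropy is capped by log2 of the number of observations; two hundred queries cannot show more than about 7.6 bits of entropy even from a perfectly random source. Note, as the clarification below says, that recording IP addresses is a convenience and not a fix; the fix is a patched resolver that shows up here as "randomized source port".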

J.D. Abolins

Clarification NoteAdded 19 Aug 2008:
The mention of noting IP addresses of crucial sites is not the answer to the DNS vulnerability. It is simply mentioned as a helpful thing in general if you're dealing with certain crucial servers. For actual advice on dealing with the DNS vulnerability, follow the links to Dan Kaminsky's site.

Modification on 24 Aug 2008: I applied strikeouts to the observations that are confusing. Although I have a sound basis for those observations, they do look like the main advice given for the DNS vulnerability, rather than peripheral observations about using known IP addresses as a help for DNS problems in general. Many apologies for the confusion.
Through Sunday afternoon (20 July 2008):
http://radio.hope.net/

Right now, I am listening to Steve Rambam, a private investigator who speaks at every HOPE conference, speak about privacy and, more so, the ways it is disappearing. Fascinating as usual.

In a few days, I'll post links to photos and videos from the Last Hope.

Cheers,
J.D. Abolins

UPDATE (23 July 2008): The streaming radio feed from Last HOPE's Radio Statler is no longer on the air.

This afternoon, Dark Reading reports:
Schneier, Team Hack 'Invisibility Cloak' for Files
Researchers break 'deniable file system' steganography feature that conceals the existence of sensitive files from hackers
JULY 16, 2008 | 5:35 PM

By Kelly Jackson Higgins
Senior Editor, Dark Reading

[...]
The researchers were able to get around DFS in versions 5.0 and below of TrueCrypt’s encryption-on-the-fly tool, and will present their findings on the hack at the Usenix HotSec ’08 summit next week in San Jose, Calif.

[...]
Schneier, who has studied the viability of the so-called "deniable" file system model in the past, says DFS is actually easier to hack than encryption, and that there may be no way to make files truly undetectable on a drive. "Deniability is a much harder security feature to enable than secrecy," he says. [...]

The researchers were able to crack DFS without decrypting it. “Breaking the security of a DFS does not require decrypting the data; it only requires proving that (or in some cases simply providing strong evidence that) the encrypted data exists,” according to the report, which was co-authored by Schneier and University of Washington researchers Alexei Czeskis, David St. Hilaire, Karl Koscher, Steven Gribble, and Tadayoshi Kohno.

The researchers found that Windows Vista shortcuts can give away the existence of a hidden file. Vista, which automatically creates shortcuts to files that get used, then stores the shortcuts in the Recent Items folder. And the auto-save feature in Word, meanwhile, saved versions of the hidden files.

[...]
“Modern applications and operating systems are very complicated, and interact with each other in many different ways,” Schneier says. “Hiding the existence of something means controlling all those interactions, which turns out to be a very hard problem.”
Quite interesting. I am looking forward to the presentation whenever it becomes available on the USENIX Conference Proceeding site.

Related reference: Truecrypt's explanation of its Plausible Deniability approach.

UPDATE (17 July 2008):

Bruce Schneier & UW team's research paper "Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications" is now available at
http://www.cs.washington.edu/research/security/truecrypt.pdf
and
http://www.schneier.com/paper-truecrypt-dfs.html

Although Schneier has not yet mentioned the paper on his blog, some comments about Truecrypt and plausible deniability appear under his recent post "Using a File Erasure Tool Considered Suspicious".

I sometimes slip in "deniable plausibility"; it's hard to believe,
J.D. Abolins

Last HOPE conference NYC July 18 - 20

  • Jul. 15th, 2008 at 8:40 AM
Information about the conference at http://www.thelasthope.org
Speaker/ Talks info: http://www.thelasthope.org/talks.php
Conference schedule: http://www.thelasthope.org/matrix/
Discussion site: http://talk.hope.net

Since 1994, the Hackers on Planet Earth (HOPE) conferences have been held in New York City every other year. The HOPE conferences are organised by the folks who publish 2600 - The Hacker Quarterly.

These conferences bring together an interesting variety of people from all over the world, including technology fans, tinkerers, academics, cryptography folks, cyber-liberties activists, and, of course, hackers of all kinds as well as people interested in hacker culture.

This year is going to be difficult for time but I hope to make it out for one of the days.

One of the presentations that should be very interesting is Johnny Long's "No Tech Hacking". I've seen him give such a presentation at TechnoForensics 2007 and it's both fun and thought provoking. The no tech aspect is a good eye-opener for people who get so focused upon technical/cyber security issues that they forget the low/no tech gotchas. (Hint for organisations with special security concerns that was conveyed by a couple of the slides: Don't put agency logos on laptops, laptop cases, etc. Advertising might not be your friend. <g>)

HOPEfully,
J.D. Abolins

Yesterday, The Guardian had an essay by Bruce Schneier on "CCTV doesn't keep us safe, yet the cameras are everywhere." (The essay is also posted on his blog along with readers' comments.)

No big surprises in the essay. It does, however, provide a good overview of some of the cost-benefit issues around CCTV (closed circuit television) surveillance and offers links for further information, including the UK Home Office's 2005 study "Assessing the impact of CCTV". Schneier is not against all uses of CCTV. He does exhort people to examine whether the benefits are worth the costs (including non-material ones).

Is CCTV equivalent to 204TV?
J.D. Abolins

Profile: Jonathan D. Abolins (LiveJournal user jabolins)
Latest month: September 2009