Layerone Conference, CTF Fun And Great Food!

I wasn’t expecting to be able to go to the Layerone conference in Los Angeles this weekend, but I was there and it was great! I’ve been to AppSec, BSides and DEF CON, but Layerone has all of them beat on one thing none of them do nearly as well. The amount of food and the quality of the food we had for dinner was insane, and that’s not even mentioning breakfast! Also, if you like alcohol, then you would’ve loved it when alcohol was free for an hour during dinner. Did I forget to mention the food was built into the price of the ticket? I dislike it when cons don’t offer much food even though you paid through the nose to get in the door. I notice this because for a long time I was a vegetarian, and now I am a pescetarian, so it was challenging to find food, yet I usually pay at least a hundred dollars to attend. Even if you are a normal meat eater you would’ve noticed the awesome selection of food at dinner, including the desserts!

Now that I am done raving about how good the food was, let me talk about the CTF, which stands for capture the flag. Surprisingly it was my first CTF, but I wasn’t in it for the prizes, since all they showed were My Little Pony prizes. I was in the CTF to have fun and I had a blast. Would it surprise you that a team consisting of two hackers was able to stay in second and third position on the leaderboards for the majority of the day against 35 other teams? It wasn’t until day two that we had more people on the team. Some of the challenges were easy, including the XXE injection, but others which looked easy were downright baffling. What I really liked is that when we were stuck we could brainstorm and finish the puzzle. The ability to work together as a team was great and is a crucial feature that bug bounties are currently missing, but I’ll leave that topic for another rant. Anyways, I spent from ten AM until whatever time the hacking village kicked everyone out working on the CTF. We were the last to leave, because we were so focused on the challenges, and they had to tell us to leave because they were closing up.

The team I was on finished in fifth place, which is pretty good since there were 35 other teams! Layerone had enough people at the conference that you didn’t feel bored or like only 50 or so people showed up, but not so many that you were crashing into other people. They had no problem with, or didn’t notice, my robot driving around the grand room where we ate while our table tested my robot’s response to different environments and what made it respond and react the way it did. I won’t post the outcome of those results, since I plan to use this bot in competitions, but the findings were very interesting to me.

I did attend one talk by the machinist, which introduced me to a more user-friendly open source 3D program that looks far better than Blender. The program he used is called MeshLab, and from a user interface perspective it looked great, as did the few built-in features he used during the talk. See, that’s another nice thing that most security conferences don’t have, and that’s talks on other subjects within the word “hacking”. Not all of hacking is defacing sites and finding vulnerabilities. Hacking is the art of finding unique ways to do things with computers, whether you’re doing 3D modeling and have techniques to show people or you have a bunch of zero days to release. Of course, this is purely my personal interpretation of the word hacking. It’s odd that there is an entire industry that can’t even agree on what one of the main terms for their industry actually means. This shows problems in our community that I’ll probably discuss in another rant.

Anyways, if you got anything out of this post, it’s that you should attend Layerone next year, and I hope they have food again next year!

App Auto Updates Could Endanger Privacy

Today Christopher Soghoian from the American Civil Liberties Union sarcastically thanked the Department Of Justice for journalist Seth Rosenblatt telling people to turn off app auto updates in his article for The Parallax called “How to FBI-proof your Android”. Now let me explain a couple of things about app auto updates. You can automatically update your apps and expect to get the latest updates and security fixes, yet at the same time you are opening yourself up to malware being distributed to apps on your phone. This isn’t theoretical; it actually happened last year to the Apple App Store, where the App Store itself was hacked and 85 popular apps had malware added to them. Anyone who allowed auto updates on the iPhone had the malware put on their phone.

This isn’t the only incident of this happening, but when it does happen it usually isn’t talked about much. I want to make something else clear: Christopher and I are both promoting privacy with app auto updates, but have different views on this topic. While the article being disputed directly references the FBI in the title, the article itself just has good advice on Android app security.

If targeting auto updates on apps isn’t on your long list of things to check during a complete security audit, then you’re doing things differently than my company. Our list is quite long and we won’t make it public, but attacking auto updates is part of a complete security audit at my company, planetzuda.com. If this isn’t on your list of things to test, then you may want to target app auto updates in the future. I can assure you this is most likely on any attacker’s to-do list.

How long should I wait to update apps?
This all depends on you, but I would advise updating at a maximum of 24 hours after the app release has been sent out. While I am aware this advice goes against other researchers, I am quite careful when it comes to privacy and look at every way a feature can be abused, especially the ones that are supposed to help make you more secure, like app auto updates. So to sum this up, I agree with disabling app auto-updates for privacy reasons.

When Scope for Hacking A Site Matters

If you aren’t familiar with ethical hacking, also known as security research, then please read this paragraph. When you do security research for a client they can give you a scope, or in other words areas they don’t want you to test. I have been very vocal about how creating a scope makes a site more vulnerable and a bigger target. I was wrong to some extent, and I am willing to admit that and explain it to anyone else who hates the scopes that customers have.
When is a scope wrong?
Customers can design the scope on their own without help; however, sometimes they don’t know what they’re doing or they want to save money, so they put the most critical things out of scope. What I am going to say next is slightly odd, but I’ll say it anyways. A scope needs to exist, and while I still agree that areas not in scope are the most vulnerable, you have to think about what area has the most sensitive information. Sure, you can point out how you could get to those areas from the out-of-scope areas, but we must realize that doing any security at all is a big step for companies.

If a company wants to protect their data, then it makes sense to start where that sensitive data is stored and then work towards the areas that don’t store sensitive data. If a customer puts an area with sensitive information out of scope, then there is a major problem. If you report issues in that area and they are denied due to the scope, you have an even worse problem. At this point it starts looking like the company doesn’t really care about security and rather wants to give clients the impression that they do. This is where the argument over scope comes in the most, and while I’ve never heard anyone explain it this way, it makes the most sense.

So to wrap things up, a scope is fine if it includes all sensitive data, but a scope isn’t good if it excludes sensitive data.

To Those Of You Who Explain Why I Should Shut up — Thanks!

This may seem odd, actually very odd, but I like it when someone tells me privately that they think I am wrong about something, whether they think I need to rephrase things, I am being too blunt, or anything else. It doesn’t matter if you’re a colleague, a friend, or even a reporter — if you tell me to stop talking about something and shut up, and you don’t publish it in your article, then I am quite happy.

Sometimes I’ll get stuck on one topic for too long and can go into the smallest nuances of it. This can be very useful with code, actually extremely useful with code, but not so much in conversations, which one reporter was nice enough to point out. I’d be more than happy to talk again to a reporter who will privately tell me to stop talking about a subject and doesn’t write about that incident, rather than talk to the reporters who ask you the same question 20 times in a row while you give them the same answer 20 times in a row. That’s a waste of my time, especially when they don’t use any of the content. I understand asking a question a few times to make sure they understand the topic and I don’t have any more to add, but 20 times… that’s just too much.

It’s very useful when people point out that the way I word things may come across wrong, since I am quite blunt and to the point but am not trying to be rude. I am always improving my communication style so people can understand me better. You can’t win with everyone, but if you can improve so more people can understand what you’re saying and that you aren’t trying to be rude to them, well, that’s quite useful.

Another thing someone has pointed out to me is that I can be impatient. Sure, waiting 3 months or years for something to be fixed may seem like a long time, and you feel totally right in being impatient, but when the person has just learned about the issue you need to be patient. It’s important to realize that the person you’re talking to may have just heard about the issue; while you’ve been dealing with it for months or years and talking to the same company, companies are large. So, you need to be patient. It’s far easier said than done, but it’s something important to do.

If you have a problem with me, I’d really like it if you direct messaged me and explained what the problem is, so I can see if I’ve made an error in the way I come across in my writing or in anything else, correct it for future conversations, and even make a public statement apologizing about it if needed.

So, for those of you who are polite enough to privately message me, thank you. You know who you are.

Why You Should Take Time Off Work

A while back things got stressful with my work, which happens to everyone. However, not everyone runs their own company and needs to give a speech in two weeks. Some stress that I’ll chalk up to business politics, on top of everything else, made me decide to take a week off work. That may sound like a bad idea for the CEO of a company, to take a week off, but I put all my ducks in a row. I had completed all the work I was supposed to complete and the rest was being handled by someone else.

I decided to check my emails once or twice a day, but for the most part I didn’t touch any technology, excluding my PlayStation. I did write my speech on my break and take care of some small things, but for all intents and purposes I was unavailable.

Once I got back to doing work, well, it didn’t feel like work at all. I don’t do information security because it feels like work; I do it because I love it, and I am not a 9-5 guy. You can find me working late into the night and in the middle of the day, but it doesn’t usually feel like work. The time I took off taught me not to check my emails like crazy, because I mainly read new spam. I focus my energy where it is needed and then do other things. What’s really awesome is that an amazing opportunity became available the first week I got back in the game, and I worked on it like crazy. I am trying to take small breaks and encourage everyone to give themselves a breather from work, even if you don’t consider it to be work. Trust me, you’ll come back swinging home runs.

Just say NO backward compatibility for crying out loud!

Just say no to backward compatibility!
Backward compatibility is one of the many banes of programmers’ existence. When you’re going through a program and ask “Why do you have code to support a 3- to 5-year-old version of this software?” the answer almost always is “Because of backwards compatibility”. Sometimes you can look at the code and realize that the only way a person would run into a situation where it is needed is when they’ve updated to the newest version; in other words, the code doesn’t need to exist.

Is this a pointless rant? Nope, not at all. Code that’s quite vulnerable stays in programs and isn’t removed under the guise of backwards compatibility. If you don’t know what backwards compatibility is, it’s simply supporting older versions of code that your code is dependent on. One example is PHP. The actual codebase for PHP has extremely ancient code, because if they remove it, anything that’s ever used it could break.

So, if we get rid of backwards compatibility, how are we supposed to stop the web from breaking when one piece of software is reliant on a language or a framework for a certain piece of code? It’s extremely simple — you deprecate the code, then give 3 to 6 months for everyone to get their code up to date, and issue as many press releases as it takes saying that the web will break on a certain date if companies do not comply. Yes, I realize this is a tiny bit of backwards compatibility, but it’s needed to keep the web functioning. The sites that break, well, I wouldn’t want to use a site that can’t update their codebase in six months. Yes, I know certain functions are widespread like a plague across millions of lines, but you can easily search and replace all areas automatically with, say, grep. We should not be held hostage to other companies’ or users’ failures to understand why they shouldn’t use a certain bit of ancient code, Internet Explorer 6, or IE at all for that matter.

Maintaining backwards compatibility enables people to keep using insecure code, or code that needs to be removed because programmers think it does something it actually doesn’t do, like the absurd PHP function magic_quotes, which I believe has been completely removed from the PHP language. The sooner we force people to update their code, the sooner we hopefully can have nice things online. Right now just a few megabytes of code will have hundreds of security holes, which I know as a fact from helping customers at planetzuda.com.

We could write slimmer code that is usable, instead of code that is millions of lines long mainly due to backwards compatibility. I am not going to get into object oriented programming and what I think of it today… I’ll save that for another day and another post.

Professor Michio Kaku Is Cool

Professor Michio Kaku was doing a book tour for his book “Physics Of The Impossible” several years ago and I had to go meet him. He gave a talk which I couldn’t get into, so I waited for over an hour in the hallway. I then waited another 30 to 45 minutes in line to get my copy of “Physics Of The Impossible” signed by him. After I got my book signed I waited until almost everyone had left, so I could get a few minutes to talk to him. Why would I wait so long to get a book signed and then wait to talk to him? Well, Professor Kaku is a genius and my favorite theoretical physics author, but I really wanted to find out if one of my theoretical physics theories was sound.

Wait, You’re Into Theoretical Physics?

I’ve never publicly written about it, but yeah, I am. I mainly write about security research. So, as I left off, I waited until almost everyone left, which took a very long time, and then told Professor Kaku my theory that I stumbled onto while reading two physics books at the same time. When I say I read books at the same time, I mean I have both books open and am reading pages from both books at the same time. Anyways, my theory had to do with theoretical Calabi-Yau black holes in another dimension, which according to string theory would have low energy vibration patterns. I theorized that these vibrations would affect our three-dimensional universe.

When I finally had a chance to ask Professor Kaku if I was right, he was very polite and nice. He quickly did the math in his head while moving his hand around like he was writing on a whiteboard and then said “yes”. I was ecstatic. Sure, I know that figuring that out won’t change anything in science, but I’ve never attended a theoretical physics class. I only read theoretical physics books and papers on theoretical physics.

I was impressed by how smart he is, yet he isn’t stuck on himself. It’d be awesome to meet him again and discuss a much more complicated theoretical physics theory I’ve come up with. I am not saying what it is here, because I’d like to know if I am anywhere close to being right before talking about theoretical physics. Anyways, Professor Kaku is really cool.

I would also highly recommend that you read his latest book, “The Future Of The Mind”.

A Merry Christmas Adam

Christmas Adam is the day before Christmas Eve. On Christmas Adam I always write things I appreciate about people I know. This year I am extending it to people I don’t know in person, but have communicated and/or worked with remotely. You’ve probably never heard of Christmas Adam due to the fact that I created it several years ago. I never say anything I don’t mean, nor do I ever thank anyone that doesn’t deserve to be thanked on Christmas Adam.

The first person I want to thank is a Googler. I don’t have permission to name this Googler, but that’s okay. If I get permission I will put their name. This Googler was one of the people who helped explain Net Neutrality to me via Twitter when I was confused about it several years ago. Now that I understand net neutrality I fight to protect it every chance I get. This Googler has also let me see a unique side of Google. Whenever I find a major privacy problem I report it to this Googler and they always make sure it is fixed. That isn’t normal for most tech companies, so I really appreciate it.

The next person I want to thank is Casey John Ellis, the co-founder of Bugcrowd. While his company is great for researchers, he has also helped me understand why proper disclosure is important and has proven that it can work. He also helped me improve how I report security bugs. Now he is very busy, but I was one of the early adopters of Bugcrowd, so early that I believe the only people working at Bugcrowd were the founders.

This list would be incomplete without thanking Marisa Fagan. Whenever I had a problem I could not solve I contacted Marisa, because she was always very nice and helped me out or pointed me in the right direction when I was confused about something.

Also, thanks to her help I now see that proper disclosure may be able to work the way it is supposed to on companies that are giants and not part of the tech community. Even if it doesn’t work, I really appreciate all her help on a quest of mine to fix some major security holes in a non-tech industry. I am still working on the giant proof of concept that, as far as I know, no one else has ever attempted to do before.

Jonathan Cran, who works at Bugcrowd, has always been very polite and nice and has helped me out multiple times, including with another giant project I am working on.

I also want to thank Professor Bowne for being another person in the security community who has helped me out. I am sure he hadn’t heard of me until I asked him for help with a company. He replied by helping me out and showing me the correct people to contact in companies to try and get anything done. He also helped answer some questions I had about proper disclosure, when it should be broken, and whether it is even the right choice.

If every community collaborated the way people have shown me the security community collaborates, we would have a much, much better world. I will be adding to this list all day and possibly until the end of the year, like I always do.

Why Discrimination, Racism, Sexism, Etc. Should End

I rarely blog over here, but some things have happened that have compelled me to do so. The death of Eric Garner, an innocent African American man who was killed by a cop choking him to death. This is all on camera, yet the only person in jail is the person who recorded Mr. Garner being killed. I see discrimination against people who are the slightest bit different all the time, and it makes me sick to my stomach. If you knew me you would know I don’t stand idly by; I get involved and try to rectify the situation. It isn’t always possible, but I can usually at least get the person who is discriminating against the other person to stop while I am around.

I am all for equality. Genders should be viewed as equal by everyone, and no one should discriminate against those who are gay. I am not gay. Why am I writing all of this? Because of things happening in the world, because of the way I see people being treated, because of how people fear for their jobs and their lives over their race or what gender they love. This is wrong. This is so wrong. I am all about equality. I want to make it very clear on my personal blog how I personally feel about these topics. I will not stand for the acts I listed above. I fight for equal rights between genders and try to get sexism to stop. I actually destroyed my part in a project I pretty much started, because I told someone to stop being sexist. I haven’t heard from that project for quite a while, but I would do what I did again. I knew when I stood up against the person that it most likely was the end of the project for me, but I always stand up for what I believe in.

Bitcoin Crash 2014

The bitcoin 2014 crash shortly after August was predictable, since I did predict it. Bitcoin fell in August, but was a little slower than my original prediction, even though the $300 mark was only for a few minutes. I then predicted on Twitter that it was going to crash again and keep going lower. Again, I was right. It hit the high $200 mark. Now I am predicting that there will be a small spike in bitcoin during December. Of course, when the stock market pops, bitcoin will have a rocky time as well.

How did you predict the bitcoin crash of 2014?

It is pretty simple. One major factor in the price of bitcoin is the amount of buying and selling transactions occurring on bitcoin exchanges. Bitcoin is also tied to the economy, so since people usually buy more in December, bitcoin should go up. If the stock market pops, bitcoin should go down, because it affects the economy as a whole.