Tuesday, December 2, 2014

Justification for Your Paranoia

Your weekly dose of snarky tech security...

1) Gentlemen, Start Your Torrents!
So, Sony Pictures got totally pwn'd last week, old school, complete with skulls on every desktop background. The extent was such that the entire company shut down: all computers, all mobile devices, all VPN connections. The data caches dumped online include SSH keys, Oracle and SQL database passwords, source code, production schedules, inventory lists, even a file called "ACCOUNTS WITHOUT PASSWORDS.xls". An estimated 11 Terabytes (11,000 GB) of data in all.
Excuse me while I take a minute to control my laughter...
Okay, better now.  
Sony was previously mass-compromised in 2011, when an attack stole the personal information of 75 million registered PlayStation network users.
So, why Torrents? Well, in addition to all of the juicy technical details, the leak also included 5 yet-to-be-released films, numerous television episodes, and private keys for Sony's anti-piracy automatic content recognition system operated by Audible Magic. Go have fun watching.
And let Sony be a warning to everyone else... 

2) A surprisingly relevant movie...
My wife and I recently watched the movie "Sneakers" on Netflix. I am appalled that I never watched this before. It has everything I like in a movie...tech, heists, comedy, a good ensemble.
For you tech geeks out there, it is also surprisingly not fake in terms of tools and methodology (except for the magical crypto-macguffin, and the math mumbo-jumbo spouted by its creator, but I'll let them have that one). Seriously though, who makes a comedy film about cryptography?  
Because it's 20 years old, I won't worry about spoilers. This movie follows a group of private penetration testing contractors who get recruited by what they believe to be the NSA to steal a cryptographic device which is supposedly being developed by the Russians and magically capable of breaking any and all forms of data encryption. It turns out, of course, that they were actually working for "The Mob" (a vague organized crime syndicate with some post-Soviet communist leanings). In the end they hand the device over to the actual NSA, with a surprisingly apropos commentary on the NSA's current mission in the real world:
"The only thing it would be good for is spying on Americans. Sure, with a box like that they could read the FBI's mail. - Or the CIA's. - Or the White House's. No wonder they don't want to share with the other children."
 Here are some other amusing quotes:
Bank Secretary: So, people hire you to break into their places... to make sure no one can break into their places?
Martin Bishop: It's a living.
Bank Secretary: Not a very good one.
and: 
Whistler: I want peace on earth and goodwill toward men.
NSA Director: We're the United States Government! We don't do that sort of thing.
Go watch it. 

3) Because sometimes graphics help...
A big part of my job is spying on people, but in a passive and benign way, I assure you. Thanks again to the Electronic Frontier Foundation, here are some images to help you visualize what various entities out there can see when you browse with or without HTTPS and Tor.
If you are curious, I'm effectively the green guy connected to the ISP.
This is what it looks like if you use neither.
This is most people.

This is what it looks like if you use HTTPS only.
Luckily lots more sites use HTTPS by default now.
This is what it looks like if you use TOR only.
This scenario is pretty rare.
And here is with both running.
This is what you SHOULD be doing...
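If you would rather have the pictures as rules you can poke at, here is an added example (my code, not the EFF's and not part of the original post) that models what each vantage point on the path can read from one web login under the four combinations above. The observer names and the three visibility rules are my rendering of the EFF "Tor and HTTPS" diagram; the request values are constructed, not real traffic.

```python
# Added example (not from the original post): a rule-based model of what each
# vantage point on the path can observe for one web login, with and without
# HTTPS and Tor. Observer names and rules follow the EFF "Tor and HTTPS"
# diagram as I read it; the sample request below is constructed.
from dataclasses import dataclass

# Vantage points in path order: the "hacker on your wifi", your ISP (the green
# guy in the post), the three Tor relays, and the site you are logging in to.
OBSERVERS = ("local_network", "isp", "tor_entry", "tor_middle", "tor_exit", "site")
FIELDS = ("site", "user_pw", "data", "location", "uses_tor")


@dataclass(frozen=True)
class Request:
    site: str       # destination hostname
    user_pw: str    # submitted credentials
    data: str       # request/response body
    location: str   # client's network location (its IP address)


def visible_fields(observer, https, tor):
    """Return the set of FIELDS an observer can see under the given settings."""
    if observer not in OBSERVERS:
        raise ValueError(f"unknown observer {observer!r}")
    # Rule 1: TLS hides credentials and body from everyone on the path, but the
    # destination (server IP / SNI) and the client address remain visible there.
    path_content = set() if https else {"user_pw", "data"}
    # Rule 2: a Tor circuit hides the client's location from everything past the
    # entry relay and hides the destination from everything before the exit relay.
    if observer in ("local_network", "isp"):
        return {"location", "uses_tor"} if tor else {"site", "location"} | path_content
    if observer == "tor_entry":
        return {"location", "uses_tor"} if tor else set()  # relays are off-path without Tor
    if observer == "tor_middle":
        return {"uses_tor"} if tor else set()
    if observer == "tor_exit":
        return {"site", "uses_tor"} | path_content if tor else set()
    # Rule 3: the site terminates TLS, so it always sees credentials and body;
    # with Tor it sees a publicly listed exit address instead of your location.
    return {"site", "user_pw", "data"} | ({"uses_tor"} if tor else {"location"})


def who_sees(field, https, tor):
    """Observers that can read `field` under the given settings, in path order."""
    return [o for o in OBSERVERS if field in visible_fields(o, https, tor)]


def report(request, https, tor):
    """Map each observer to the concrete values it can read from `request`."""
    values = {"site": request.site, "user_pw": request.user_pw, "data": request.data,
              "location": request.location, "uses_tor": tor}
    return {o: {f: values[f] for f in FIELDS if f in visible_fields(o, https, tor)}
            for o in OBSERVERS}


if __name__ == "__main__":
    # Constructed sample request, not real traffic.
    req = Request(site="example.com", user_pw="alice:hunter2",
                  data="POST /login", location="198.51.100.7")
    for https, tor in ((False, False), (True, False), (False, True), (True, True)):
        label = f"https={https!s:5} tor={tor!s:5}"
        print(f"{label} credentials visible to: {who_sees('user_pw', https, tor)}")
        print(f"{' ' * len(label)} location visible to:    {who_sees('location', https, tor)}")
        print(f"{' ' * len(label)} ISP sees:               {report(req, https, tor)['isp']}")
```

Run it and the last combination is the point of the post: with both HTTPS and Tor, the only party that ever reads your credentials is the site itself, and the only parties that learn your location are the ones that already had it (your local network, your ISP, and the entry relay). Tor without HTTPS is the trap to notice: the exit relay reads everything the site does.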

4) A Strange perspective on passwords...
Not much to say about this other than that the article The Secret Life of Passwords, from the NYTimes, is a strange perspective on the human component of the passwords we use.
Note that the core of the content is derived from people publicly disclosing their passwords.
DON'T DO THIS.
It's still fun to read though.