I’m going to say a few things to the Internet about Alan Sonnenberg.

Why am I telling you and not him?

I waited too long..

Thread…

thesunchronicle.com/foxboro_report… He meant a lot to me and shaped my career.

He was possibly the reason the L0pht survived.

At BBN I helped bring on Brian Oblivion, Weld Pond, and Silicosis.

(Where did you think we got our massively parallel super computer from?)

50% of the L0pht back then - Thanks Alan

…

A 🧵

L0phtCrack has been a really wild ride.

As of version 7.2 L0phtcrack is now open source.

Released on GitLab.

gitlab.com/l0phtcrack
l0phtcrack.gitlab.io

It is actively seeking maintainers.

Many thanks to @dildog, @WeldPond, and all others.

Story time… Fun fact 1

I wrote L0phtcrack on a Unix system in 1997. A Sun SparcV7 system running Solaris

My day job was at BBN Technologies: the company the government hired to build and run the ARPANET (which is now the Internet).

Nighttime was all L0pht.

But why write it?

Zachary has a great write up on the @darpa AI Fighter challenge.

I’ve logged time in F-16s training new pilots to be deployed.

Some thoughts on how the AI won, and what it is like to be a human inside a machine designed to perform past human tolerances...

https://twitter.com/zachfb/status/1296838707849375745

G-forces

The human body needs blood circulating to the brain.

Compression suits improve human resistance to Gravitational Loss of Consciousness (G-LOC). AGSM maneuvers improve this significantly.



F-16s can perform well above human limits.

Win: AI

Honored to be on the judging panel for Hack-a-Sat at DefCon this year.

Satellite hacking has been around for a while but it’s going mainstream!

DARPA/CFT performers continue to show up, involved in a broad range of technologies. Very involved here too!

hackasat.com The #nyansat ground station, from @redballoonsec, is looking awesome. It significantly lowers the barrier to entry for satellite communications.

Just like #hackrf, by @michaelossmann, did for RF a few years back.

Both were Cyber Fast Track (CFT) performers!

Advice for IoT vendors to improve security?

Build and use modern compiler toolchains w/ safety features enabled.

Read the CITL study that evaluated 1.3k IoT products across 15 years; showing the largest poor security issues and downward trends:

cyber-itl.org/2019/08/26/iot…

https://twitter.com/netspooky/status/1289606589121359872

This isn’t as straight forward as it may seem.

Many think ARM is the dominant architecture but it’s not. MIPS is more common for IoT by far.

MIPS has by far the weakest basic security hygiene.

Yellow bars are arch binaries (y axis right), red is SDLC hygiene (y, axis left)

Unfortunately this large density of defects in IoT is not unexpected.

A study across 15 years and 3millon binaries showed that core security hygiene products in the base of IoT showed no trends towards improvement.

In fact, things more often got worse.

cyber-itl.org/2019/08/26/iot…

https://twitter.com/largecardinal/status/1274433398141042688

Left to their own accord vendors of embedded systems are not demonstrating that they improve basic security hygiene in their products.

There needs to be a more global incentive structure to address this issue.

[Thread]

The kind folk at cyber-itl.org shared a new @zoom_us security issue with me.

I want to take this opportunity to describe:

The issue

How Zoom et al should fix it

How purchasers should identify it before corporate purchasing

What individuals should do

1/ Zoom has been in the news for security issues a lot lately.

I’m choosing to share this info because Zoom has been very good in responding to security researchers and security problems.

It is apparent they care now... but how bad is their security deficit?

Let’s quantify

2/

It was 20 years ago on this day that my true identity, which until then had been a tightly held secret, was unintentionally leaked by the White House.

Rob’s write up, linked here, is a quasi-factual humorous take.

Here’s what actually happened. Thread.

1/n

https://twitter.com/vmyths/status/1234003592069165056

My name, Peiter Zatko, was a closely held secret both in the hacker community *and* the government.

In fact I was the Hacker Jeopardy final question after the White House leak.

Paraphrased: “...nobody knew his name”

To make it hard they used the short hair pic.

2/n

A story...

Back in the l0pht days, I ran/configured/maintained the Unix system that was “the L0pht”.

Here are the tricks, and here’s how it was attacked...

1/N

https://twitter.com/thegrugq/status/1196792443447889921

It was an OpenBSD system.

I had a somewhat standing bet, that neither of us had the guts to actually commit to, with Theo DeRaadt: either I did, or did not, have an 0-day against OpenBSD at any given moment.

1 year’s salary on the line.

(We were both pretty much broke then 🤷🏼‍♂️)

The cDc (Cult of the Dead Cow) coin is one of the more unique and visually impressive challenge coins I’ve seen.

Definitely the best non-DoD/IC coin I’ve received.

OBHack: Happy to start a thread on unique, or interesting, government/IC coins here... you go first...

https://twitter.com/DethVeggie/status/1165684033092825088

I should have been a bit more specific.

Photos only (well done @_larry0)

This may take a few days, but here we go.

First, the cDc coin:

Novel media and 3rd axis. Pretty unique. Also, captures fingerprints *really* well.

Impressive Z-height and textures.

Old School back!

“Hearings about technical issues are usually much less vicious...”

Keyword: *usually*

A lesser publicized time that I testified to Congress (House and Senate Joint Judiciary Oversight Committee) there was a Senator there by the name of Storm Thurmond...

(Thread)

https://twitter.com/billstewart415/status/1154110139127009280

Might do the thread later. It gets a bit ‘blue’.

There are more important things going on.

Today is the anniversary of the testimony I and other members of the l0pht gave to the US Senate in 1998.

It was the first time the US Govt. publicly referenced “hackers” in a positive context.

The coverage was national and even international.

Come behind the scenes.

/Thread I dislike flying, so we rented a Dodge Ram 3500 15 passenger van to drive down to the US Senate.

As a bonus, we could stop by the NSA Crypto Museum!

We met at the L0pht around 4am to load up.

Group picture (L to R): Brian Oblivion, Stefan, Weld, Tan, Kingpin, Spacerog, Mudge

A few weeks back the non-profit group CITL, cyber-itl.org, released a comparative report of software hygiene in 28 home routers...

and vulnerabilities that affect all Linux MIPS systems (not just IoT).

Some thoughts and data...

(Thread 1/N)

cyber-itl.org/2018/12/07/a-l… This thread intends to get past some security nihilism, use data to refute some assumptions put forward by people as “facts”, and point out the big picture... which the security community largely missed.

Something about not being able to see the forrest through the trees ;)

2/

Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks.

The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass.

cyber-itl.org/2018/12/07/a-l…

cyber-itl.org/assets/papers/… Think about this for a moment...

MIPS is the most common architecture for home routers (ubiquity, Netgear, Asus, linksys) and similar devices.

It is also found in telecom gear, next gen corporate firewalls, corporate switch fabric, etc. for control plane, data plane, or both.

On ‘names are hard’, X509 Distinguished Names (DN) can be a downright minefield.

Consider military (gov) where rank is part of the distinguished name field.

So what happens when someone gets a pay raise (get’s promoted)?

Each time that happens the DN changes which means...

https://twitter.com/leakissner/status/1066761697254289408

The old certificate needs to be revoked.

Onto the certificate revocation list it goes...

New digital certificates are issued, access cards re-provisioned, CAs updated (and eventually synchronized).

Life goes on...

But what happens to the certificate revocation list (CRL)?

Unfortunately this is not a new revelation or disclosure.

Going back to 2009 there was an engagement that used a battle command system.

The opposing force in the exercise found the contractor, downloaded the user and training materials from a web and FTP site, exposed...

1/

https://twitter.com/ericgeller/status/1049736259797770240

to the public Internet, and found by scanning the IP range of the sub-contractor who did the work.

Then, they just logged in as privileged users to all the battle systems. You would think that would have been game over (it was a very simple default password).

2/

Ok. Here goes another one.

SMS intercept, hi-jack, access, ...

So there are a few things going on that the media, and others, are confusing:

Social engineering attacks (number slamming), and SS7 interaction. Sure, on the backend both influe HLR (home location registers). The social engineering/physical can range from mugging someone to get their phone sim (good job Apple on making iPhone theft itself less valuable through your hardware design, albeit a dilemma with right-to-repair), which is a tactic where people literally steal/mug your phone/ID

So... I suppose it’s time to share a bit.

I have always worked to try to educate the government so they can make better informed decisions that will benefit all citizens.

1/n documentcloud.org/documents/4598… During the last election the Democrats reached out to me.

I was happy to help and made it clear that if a reasonable candidate from an opposition party asked for my advice I would provide similar counsel in regards to improving computer, network, and information security.

2/n