File source: http://w140.com/tekwiki/wiki/File:Tek_515a_s1_1.jpg

A bit over 30 years ago I did some manual labour in return for some aged but novel tools. The most interesting of these to me was a Tektronix 515 oscilloscope. It was single-channel (but it did have a Z-axis input) and had about 10-15 MHz of bandwidth (more than enough for the Z80 material I had). One of the 'novel' aspects of this scope was that all signals were round. No matter what :). My high school had quite a lot of storage used up by old test equipment and other odds and sods, this one being ~30 years old at that stage. I also obtained a vacuum-tube multimeter.

When I left for university, sadly, most of my treasures were unable to accompany me (smelling of bakelite and 'burnt', and not very portable).

Well, today I have rectified this hole in my life, and a new scope has entered: a Hantek DSO4254C. And it only cost ~$500. 4 channels, 250 MHz, actual square-looking waves! And a signal generator. And it stores the signals even longer than the phosphor in my old Tek.

Now, there are some differences between these two pieces of equipment, whose lifetimes span ~60 years. The new one, ironically, is a bit louder (the old one had no fan, but as it heated and cooled it made a fair bit of ticking). The new one is much lighter and doesn't really have a smell to it (old electronics are very obvious when in operation: the ozone, bakelite, etc.).

The new one has a whole lot of software running on it (measurements, signal decodes of I2C, SPI, CAN bus, etc.). And I pity the poor electronics that don't want to give up their hacking secrets to me now!

So, got an itch to scratch? The home hobbyist scope is much more accessible than ever. As long as you stay under ~250 MHz, scopes are very cheap and of decent quality.


So this morning I look out my hotel window. I'm on a sort of ground-floor/flat-roof thing, with a somewhat sketchy patio door leading out. And what greets my eyes? A few cigarette butts, a discarded lighter, and a pair of tighty-whiteys. So, uh, what sort of party was going on last night outside my window (long enough for ~5 butts)? Old-school surveillance, it seems, which was 'clothing optional'.

Suggestions on my course of action?

How should I combat this surveillance?


So I'm reading about the disaster that is the Equifax/Deloitte/... security hacks. And it got me thinking about how one way we learn is by pain, and another is by vaccination. And maybe that can apply to a corporate learning organisation.

First, let's look at some examples. I have a big ugly scar on my arm from where, many many years ago, some horse doctor jabbed me with a smallpox vaccination, a weakened set of the real deal. And my little body, in addition to cursing that doctor, developed antibodies, and I've never got smallpox (so it must have worked!).

Let's look at another example. Think of something you did as a child that hurt. You didn't do that again, right? Poke a bee, maybe? That small but tolerable pain now keeps you always on the lookout.

One of the big challenges in security today is spear phishing. To do this, I take a small set of facts that I can find out about you, and use them to overcome your distrust. As an example, let's say I find out the name of your aunt, her cat, and the city she lives in. I construct a narrative where she is distraught at a vet, and the vet needs some cash via PayPal (or, more commonly, Apple iTunes gift cards). You turn off your distrust when you hear these three pieces of information, but in reality they are easily obtained (dumpster diving, Facebook, ...).

So let's say as a society we were to create an environment where you could get spear phished once, and learn from the pain. The pain would be tolerable, but memorable. Perhaps we make it legal to spear phish anyone for up to $100 in the first month of their 18th year? Perhaps we make it not for money but for social status (at that age, looking stupid in front of your friends is something you a) do often, and b) dread doing).

Maybe it could be a contest, each person could have some secret they try to guard, and everyone could try to get it?

But the point is, like the weakened smallpox vaccine, you would live through this and remember how to handle it next time, and, like the bee sting, you would be on the lookout; you would not drop your guard instantly when Aunt Betsie's vet says Fluffy needs a tail transplant.

Back to an organisation. There is a concept called herd immunity. And an organisation learns (read The Fifth Discipline; it's one of the best books I've read). So, if we 'inoculate' enough members of the 'herd' (the company), the company becomes immune, and, due to the learning effect, stays immune.

So, back to the 'steal $100 with impunity on your 18th birthday' suggestion. Perhaps we make it so that black hats can steal up to 1% of a company's turnover with impunity, with some huge penalty and fine if they steal more than 1%. This would create an environment where you would have your guard up because you had felt the pain.

Equifax fired their management team, but they all got a golden parachute. That isn't going to teach anyone. Let's create an environment with acceptable, but memorable, consequences, a type of training wheels, and let people and teams play there first.

Recently I acquired a ZenScreen MB16AC. It's a single-cable (USB-C) 15" monitor that you travel with. It has a unique feature: it can do USB-C Alt Mode (i.e. act directly as a monitor), or become USB 3.1 and do DisplayLink (nowhere near as good).

Since my laptop supports Alt Mode, it works out of the box. Plug it in and you are good to go; it's just another DisplayPort monitor.

But wait, every once in a while in dmesg I see a complaint:

[48155.889780] usb 1-1: new full-speed USB device number 85 using xhci_hcd
[48155.889891] usb 1-1: Device not responding to setup address.
[48156.097880] usb 1-1: Device not responding to setup address.
[48156.305808] usb 1-1: device not accepting address 85, error -71

It seems to have no ill effect, other than filling the log and using a bit of battery. But why settle for mostly perfect when you can have it perfect?

So I added this snippet of config:

$ cat /lib/udev/rules.d/99-zenscreen.rules
# Blacklist 0bda:0412
# This is used in the MB16AC ZenScreen to switch DisplayLink / Alt Mode,
# and I only use Alt Mode.
# Setting authorized=0 tells the kernel not to configure the device or bind
# any driver to it, so the DisplayLink function never comes up.

SUBSYSTEM=="usb", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="0412", ATTR{authorized}="0"

and restarted udev. And now that device (the DisplayLink one) is gone. As a side-effect I lose the auto-rotate (but that didn't work anyway).
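To confirm a rule like the one above actually took effect, read the device's authorized attribute back out of sysfs; the kernel exposes it next to idVendor and idProduct for every USB device. This is an added example, not the post's own code; UsbAuthorized and readAttr are names chosen here, and the sysfs root is a parameter so the function can be pointed at a test tree.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// readAttr returns one sysfs attribute with its trailing newline removed.
func readAttr(dir, name string) (string, error) {
	b, err := os.ReadFile(filepath.Join(dir, name))
	return strings.TrimSpace(string(b)), err
}

// UsbAuthorized scans a sysfs USB device directory (normally /sys/bus/usb/devices)
// and returns, for every device whose idVendor:idProduct matches, the value of its
// "authorized" attribute: "1" means the kernel will configure it and bind drivers,
// "0" means a rule such as ATTR{authorized}="0" has taken effect.
func UsbAuthorized(sysfsRoot, vid, pid string) (map[string]string, error) {
	entries, err := os.ReadDir(sysfsRoot)
	if err != nil {
		return nil, err
	}
	found := map[string]string{}
	for _, e := range entries {
		dir := filepath.Join(sysfsRoot, e.Name())
		v, errV := readAttr(dir, "idVendor")
		p, errP := readAttr(dir, "idProduct")
		if errV != nil || errP != nil {
			continue // interface directories such as 1-1:1.0 carry no ids
		}
		if v == vid && p == pid {
			a, err := readAttr(dir, "authorized")
			if err != nil {
				return nil, err
			}
			found[e.Name()] = a
		}
	}
	return found, nil
}
```

Run it against /sys/bus/usb/devices with "0bda", "0412" after replugging the monitor; an empty map means the device has not enumerated at all, and a "1" means the rule was not applied.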

There have been a lot of very public hacks recently which made off with entire user databases. The most recent, Equifax, saw hundreds of millions of users have their personal financial information leak online. Oops.

As an end user, you can follow best practices (e.g. don't share passwords across sites, use 2-factor, etc.) and still not be able to protect against this.

Best practice on the server end is to salt and hash passwords, but ultimately the server needs a non-encrypted database at some point to do its work. What could be a way of reducing the risk?

Well, what if we were to insert many millions of rows of 'fake' users into our real databases? This would reduce the value to the criminal. We could also 'honeypot' some of the fake users, and use that to increase the risk that the criminals get caught. But how would we make fake users? Add a 'fake' boolean column? Well, then our criminals would just remove them. Hmm.

What if we were to take a page from the networking world? E.g. look at how SYN cookies work. We could take a cryptographic hash of the user information (hash the name, address, ...) and some salt, and then sign it with a private key. We can later check it was ours with the public key. This means all users (fake and real) have some column 'hash', and only the legitimate operator, holding the key, can tell whether it means fake or real.

If we then added fakes at a 100:1 fake-to-real ratio, it would dramatically lower the commercial value of the database, because the thief would get caught trying to check the names first.
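The scheme above, as an added example rather than the post's own code: every row carries a salt and a fixed-size tag, real rows get an Ed25519 signature over their salted fields, fake rows get random bytes of the same length, and only the holder of the public key can tell them apart. Row, digest, RealRow, FakeRow and IsReal are names chosen here; the user fields are a constructed stand-in for whatever the table actually stores.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Row is one record of the constructed user table; Tag is the post's 'hash' column.
type Row struct {
	Name, Email, City string
	Salt              []byte // per-row random salt, stored in the clear
	Tag               []byte // Ed25519 signature for real rows, random bytes for fakes
}

// digest binds fields and salt into the signed value; length prefixes stop "ab"+"c" == "a"+"bc".
func digest(r Row) []byte {
	h := sha256.New()
	for _, f := range []string{r.Name, r.Email, r.City} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	h.Write(r.Salt)
	return h.Sum(nil)
}

// RealRow is minted by whoever holds the private key (ideally not the app server).
func RealRow(priv ed25519.PrivateKey, name, email, city string) Row {
	r := Row{Name: name, Email: email, City: city, Salt: make([]byte, 16)}
	rand.Read(r.Salt)
	r.Tag = ed25519.Sign(priv, digest(r))
	return r
}

// FakeRow gets a random tag of the same length, so a dump shows nothing that separates it from a real row.
func FakeRow(name, email, city string) Row {
	r := Row{Name: name, Email: email, City: city, Salt: make([]byte, 16)}
	rand.Read(r.Salt)
	r.Tag = make([]byte, ed25519.SignatureSize)
	rand.Read(r.Tag)
	return r
}

// IsReal is the post's check. It needs the public key, so keep that key away from
// the database, or a thief who grabs both can run the same check.
func IsReal(pub ed25519.PublicKey, r Row) bool {
	return ed25519.Verify(pub, digest(r), r.Tag)
}
```

Because the signature covers the fields and the salt, a row that is edited or a tag copied onto another row also fails verification, so the tag doubles as a tamper check on the real records.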

What do you think? Hiding out in the open worked (for a while) for Minister D. The advantage of adding a technique like this is that it's agnostic to the various other security methods you use. If you never have data stolen, it's irrelevant.