Wednesday, December 23, 2015

Happy Holidays 2015 - Favorite Drone Videos

About two years ago, when drones were beginning to receive some attention in the press, my son, a college student, started working on me to purchase one.  Drones were cool, but I thought I would lose interest in flying, so I resisted.  He worked on me for a while longer.  Eventually, I gave in and purchased a few toy drones to experiment with flying.  I settled on a really great toy drone that flies like the more expensive drones, the Hubsan X4.  I still use my X4 today, and the X4 series is amazing for the price.  My X4 gave me stick time learning to fly, which helped as I transitioned to more sophisticated aircraft.  Flying was more fun than I imagined.  I decided to build my own multi-rotor aircraft.

I like electronics and projects, programming, and security, so I figured I would build my own multi-rotor.  By building my own aircraft I force myself to learn all about aircraft.  It's been more than a year of building.  My experience is more like the Wright Brothers': lots of failures and crashes over the course of the year.  Some crashes were from as high as 200 ft (61 m).  I have broken and rebuilt aircraft many, many times.  Twice my speed controllers (ESCs) burst into balls of flame on my desk.  I don't know anyone in my area building their own multi-rotors, so it's been a learning adventure.

The point of the post is to share some of the videos I find most interesting that helped to spark my interest and enthusiasm for building and flying multi-rotor aircraft.  I hope you enjoy them.  Happy Holidays and thanks for following my blog over the years!

FPV - Kiss chasey, I love the chase scenes in this video complete with bad ass crashes.  Juz70 is one of my favorite pilots.

Blackout Hex - One Take Wonder, Adam Potts shows us his backyard.  Amazing!

FPV - super cool, Juz70 finds something amazing on this beautiful leisure morning flight.

Blackout Spider Hex, dem0n1k sold me a Blackout Hex for my first project.  This was a bit of a mistake since I should have started with an easier aircraft to build.

Kiss 30A 6S Blackout Mini H, FinalGlideAus shows off some experimental Kiss ESCs and overclocks his mini H.  Somewhat related, Tiger Motor announced a new "F" series motor designed for racing multi-rotors that's likely to power a 250mm quad over 200 mph (322 km/h).

FPV - Haunted, juz70 is an awesome pilot and also knows how to make an interesting video.  There are a few clues on the walls as to why this home was abandoned.  Can you find them?

Turkey Hunter // Blackout Mini Spider Hex // MN1806 //, Blackout makes awesome carbon fiber multi-rotor frames.  In this park video he encounters a crazy wild turkey.

BLACKOUT 330 . COBRA 2000KV, Metaldanny tearing up the skies.

BLACKOUT . TEST Higher Rates . (RAW), Metaldanny showing us some real Star Wars pod racing.  Metaldanny is one of the world's best FPV multi-rotor pilots.

FPV - elixir, I want to end on a strong video.  Juz70 flies through and around his home.  Amazing flying (and a nice house).

Saturday, December 19, 2015

Facebook Hijacks Your Camera Roll

I generally don't comment much on privacy these days.  Why?  I'm equipped to fight security but privacy, sigh, that's an entirely different battle.  However, I'm making an exception since Facebook's new feature is a hot mess from a personal privacy perspective.  The new mobile application feature presents your private camera roll photos to you for, I presume, easy publishing.  There are a number of points that concern me.

1) Unauthorized processing of the mobile camera roll.  Let me explain: I did give Facebook authorization to my camera roll, but that was so I could select and upload the individual photos I chose for publishing.  Processing the entire camera roll and offering up private photos without end-user consent is begging for an accident.  The application could have a bug, or the end-user could click the wrong button.  People take a lot of photos, and there's no good reason to assume they want recent photos published.

2) Mixing private photos with public photos.  Facebook provides a lock icon and notes that only I can see my private photos.  This is terrible design!  Your private photos are a heartbeat from accidental publishing.  It's already easy to publish photos from your camera roll using Facebook's mobile application.  Whatever the reason for the new feature, it provides Facebook an opportunity to data mine private offline camera rolls.  We need Apple to create better sandboxes for personal data and for how applications can use personal data.  We also need all operating system vendors to provide better controls that increase transparency into the applications running on their operating systems and platforms.  The all-or-none approach to our personal data (e.g., camera roll, contacts, etc.) is no longer good enough.  We need to design our application environments from the perspective that every application is hostile.

3) Increased potential for data leakage and exfiltration.  We have no idea how Facebook's mobile application works.  It's possible it could be holding images, reprocessed thumbnails, or similar in private caches.  Any vulnerability in the application (and every application has them) could lead to data leakage and exfiltration.  Without access to the closed source and testing, we don't know if a vulnerability exists.  All we know for sure is that the risk of data leakage and exfiltration grows with the amount of data within the application's tendrils.

4) Abused trust of Facebook's end-user community.  Software vendors wield tremendous power.  In running their applications on our systems we place our sensitive personal information under their care.  Most assume mobile application vendors handle personal information with care and more or less in accordance with end-user expectations.  There is no basis in fact for this belief.  End-users have been led to believe they must give up personal information for continued use of free software.  Perhaps end-users need to give up something, but there should be much more transparency around how our information is used.  Free software is no justification for betraying public trust.

I don't keep much in the way of private information on my mobile, but it's a matter of principle.  Facebook continually surprises me, and I'm betting others, with how it uses personal information.  I'm seriously considering deleting all my Facebook mobile applications until the privacy climate improves.  I will continue to use Facebook, but only through the web browser, and only where I can tightly control the diet of personal information I feed to the beast.

Friday, December 18, 2015

2015 Remembered

I am a little early for the new year, but I have been thinking about 2015.  I noticed I made 62 posts in 2015, not counting this post.  I thought I would review some posts from throughout the year for those that may have missed them.

OWASP Security Logging Project

What is it?  An open source, SLF4J-compliant security logging API for applications.  Use it with log4j or logback in your applications.

Benefits?  Extends popular logging systems and adds security-specific functionality like message classification (e.g., secret, confidential, public, etc.).  Catches sensitive information developers log by accident, like passwords.  Extend it to catch SSNs or other types of personal information and more.

Future Thoughts?  Improvement code has been proposed to log information like thread information, heap space, etc. from a background thread at regular intervals for diagnostic/forensic purposes.  Currently under review.  We have many more ideas, so check out the project web site.

Links: project announcement, project roadmap
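The project itself is a Java/SLF4J API, but as an added illustration of the two ideas described above (classifying log messages and catching secrets a developer logs by accident), here is a Python logging filter that masks password-style key/value pairs and SSN-shaped strings and tags each record with a classification label.  This is example code, not the project's own; the regular expressions, the "security-demo" logger name and the sample log calls are constructed for the demonstration.

```python
import io
import logging
import re
from typing import List

# Constructed detection patterns (assumptions, not the project's own rules):
# "key=value" or "key: value" secrets, and the US SSN shape NNN-NN-NNNN.
SECRET_KV = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*(\S+)"
)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact(message: str) -> str:
    """Mask secret values and SSNs while keeping the key so the log stays useful."""
    message = SECRET_KV.sub(lambda m: f"{m.group(1)}=<redacted>", message)
    return SSN.sub("***-**-****", message)


class SensitiveDataFilter(logging.Filter):
    """Redacts the fully formatted message before any handler sees it.

    Attached to the logger rather than a handler, so every handler downstream
    (console, file, SIEM forwarder) receives the already-cleaned text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies %-args; store the redacted result and drop args
        # so the formatter does not re-apply them.
        record.msg = redact(record.getMessage())
        record.args = ()
        if not hasattr(record, "classification"):
            record.classification = "PUBLIC"  # default when the call site gives no label
        return True


def build_logger(stream: io.StringIO) -> logging.Logger:
    """Logger writing to an in-memory stream so results can be inspected offline."""
    logger = logging.getLogger("security-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(
        logging.Formatter("%(levelname)s [%(classification)s] %(message)s")
    )
    logger.addHandler(handler)
    logger.addFilter(SensitiveDataFilter())
    return logger


def demo() -> List[str]:
    """Emit constructed sample events and return the lines as they would be stored."""
    stream = io.StringIO()
    log = build_logger(stream)
    log.info("user %s logged in", "alice")
    # Developer accidentally logs a connection string containing the password.
    log.debug("db connect password=hunter2 host=db1", extra={"classification": "SECRET"})
    log.warning(
        "applicant SSN 123-45-6789 failed validation",
        extra={"classification": "CONFIDENTIAL"},
    )
    log.error("token: eyJabc.def.ghi rejected")
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```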

Multi-Rotor Aircraft Project (aka Drone)

What is it?  An ongoing project to build a flying robot.

Benefits?  Build a 100+ mph (158+ km/h) multi-rotor aircraft from scratch.  Fly this high-speed carbon fiber aircraft beyond line of sight using a video system that transmits to VR goggles worn by the remote pilot.  Two builds are provided, a hexcopter and a quadcopter.  Follow me on my adventures and learn about the systems and principles of fly-by-wire technology and robots.  Advanced project.

Future Thoughts?  With the basic aircraft complete, I plan to focus on building a microwave ground station in a backpack.  The man-packable ground station uses larger batteries, dual receivers, and high-gain antennas to improve video reception.

Links: DIY Drone Bootcamp Learning to Fly, DIY Drone Bootcamp Build Log, Drone Flight Training Continues, Drone Flight Training Continues 3, Drone Flight Training Continues 4, ZMR250 Quad Racing Drone Build Log

DeepViolet Project

What is it?  An SSL/TLS DAST tool.

Benefits?  Open source Java source code and binaries to introspect an SSL/TLS connection and identify weaknesses.  Works like a web browser: type in an HTTPS URL, point and click.  Enumerate the server's cipher suites to spot weaknesses, and display site certificate information, CA trust chains, HTTP/S headers, DNS information, and more.  When you're done, save scan reports to ASCII files for offline viewing.  Alternatively, run headless from the command line and script your stairway to heaven.

Future Thoughts? I am considering including some support for Certificate Transparency.  I also like the idea of including support for flagging certificates that are about to expire.

Links: Public source code and binaries in GitHub, background and screenshots of GUI and command line.

Noteworthy Articles/Events

The Case of Symantec's Mysterious Digital Certificates, Symantec certificate flap.  The story of a certificate authority too big to fail.

Java Security Track Highlights by Yolande Poirier and David Lopez

HTTPS Party at Blogspot, Google includes HTTPS support for the default domain.  No support is offered for custom domains.

Webdriver Torso, super strange videos.

Application Security, I Want To Believe, a spoof I developed based upon the UFO poster in Fox Mulder's office from the X-Files TV show.

Pathological Security, if a model for constructing towns and buildings is helpful for software design patterns, then why not apply it to security?

The Future of Software Security?  Ever seen a TV advertisement for prescription drugs in the United States?  Essentially, 45-second rants on every negative effect known, with no discussion of intended purpose or patient benefits.  Are you confused?  Americans are too.  I tried to imagine how this technique could be applied to security.

Application Security Complaint Department, a special behind-the-scenes look.  A friend passed this along since it says "Milton" on the desk.  I have no idea where this photo comes from.  It's not mine, but funny.

My DEFCON 23 T-Shirt, the front and back of my t-shirt I made for DEFCON 23.  CustomInk is so cool.

Hacked Meme, my frustration at the card industry and retailers over their response to mass customer exploitation.  Often retailers offer identity theft protection as a remedy for a period of time after the incident.  The problem with this approach is that it does not address the customers' real concern: prevention.  Retailers give no idea of what went wrong or even why customers should trust them again.

Application Security Meme, the point here is that many people who make judgement calls on security should be consulting a professional.  A business leader who "thinks" they understand security can destroy a security program before it even begins.  If you can't afford a professional, perhaps you can find some free advice or work a deal to get some ideas for future positive directions.  Be a detective, find a pro on OWASP, and message them on LinkedIn.  Sure, we all need to eat, but almost all my friends don't mind answering a free question or two to see someone's project move in a positive direction.  Security professionals are like doctors in the sense that we are cyber health professionals and promote application health for the betterment of society.

Article image: Happy New Year! by Rones on

Tuesday, November 17, 2015

Pathological Security

I was thinking of pathological science and the incident with N-rays and figured there must be some security analogs.  I'm not sure these are the best analogs, or complete, but they are some I can think of off the top of my head plus some sent to me by others.  If I missed any important ones or you have a better alternative way to share this, please comment.

Tuesday, November 10, 2015

Friday, November 6, 2015

Warcraft Movie - Official Trailer

Warcraft movie trailer for those interested.  Movies, games, beer, and pizza: brain fuel for application security professionals.

Monday, November 2, 2015

Google's Drone Delivery Project, Project Wing

Project Wing is a Google[x] drone delivery project underway in Queensland, Australia.  Aircraft developed for the tests delivered first aid kits, candy bars, dog treats, and water.  Following is more information about partnerships, and Google's Research website.

Wednesday, October 21, 2015

Yeair, Quadcopter

The Yeair quadcopter combines the power of a combustion engine with the reliability of electric motors in one platform.  According to Yeair, 60-minute flight times are possible.  This is pretty incredible if true.  Following is a link to the Yeair Kickstarter project.

Friday, October 16, 2015

Movie: Rotor DR1

High-revving race drones in a dystopian world.  Geek out, drink beer, and get your drone fix; at $2.99 USD it's a bargain.  I'm looking forward to watching this movie.  Enjoy!

Wednesday, October 7, 2015

My OWASP Board of Directors Candidacy, Time to Vote!

I received my OWASP ballot this morning.  If your membership is up to date you will receive yours soon.  It's time to vote for your favorite OWASP board members.

I am running for the OWASP 2015 Global Board of Directors.  I have been laying low for most of the election process, mostly because fishing for ballots is a form of self-promotion that I find distasteful, and I think others do as well.  However, I was speaking recently to a friend, current OWASP board member and project lead Matt Konda, at AppSecUSA 2015.  Matt mentioned something about the election process I took to heart.  In a nutshell, he said I'm thinking about the election process all wrong.  Don't think of the election process as a self-promotion effort; instead, give your friends an opportunity to help.  Your friends would like to see you succeed, and they are in a position to help spread the message.  You should provide them an 'opportunity' to assist if they wish.  By remaining silent you don't provide them any opportunity to help you.  Matt could make a really great lawyer if he ever wants to move out of security.  But seriously, he makes a good point.  I help my friends, so I should at least provide an option for friends that want to help me.  And if you're not interested in assisting at all, no worries.  If you want to learn about my views for OWASP, check out my interview with Mark Miller on SoundCloud.

If there is anything you would like to do to help me succeed, I can use the assistance.  For those interested, there are a few ways you can help.  Send a message to fellow OWASP members and encourage them to vote for me if they don't have a candidate in mind:
- Twitter, LinkedIn, Facebook, etc.
- Small blog post
- Emails to your friends (perhaps a little over the top but up to you)

I can't think of other ideas offhand.  A closing thought on other board candidates.  We are all competing for 4 open board seats.  Most of us know each other.  You have a great bunch of OWASP candidates to choose from regardless of how you vote.  It's a privilege to help whether I serve on the board or not.

Tuesday, October 6, 2015

EU-US Safe Harbor Ruled Invalid

You may be hearing about the EU-US Safe Harbor discussion in the news.  At risk is multinational companies' ability to store and process EU data in the US.  Companies like Apple, Facebook, and Google provide EU services through computers located in the US.  Data is sent from the EU to the US under the auspices of the EU-US Safe Harbor agreement.

On October 6, 2015 the Court of Justice of the European Union (ECJ) ruled the Safe Harbor agreement invalid, which places all EU data sent to the US in jeopardy.
"...the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country" [4] Court of Justice of the European Union
The ECJ recommended that where protections cannot be guaranteed, "suspending the contested transfer of data" [4] is in order.  The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs.  Without such transparency measures, the only choices for Internet bellwethers are to develop new data centers within the EU for EU data, or to pull the plug on the EU.  Neither option is very tenable for US multinationals or for citizens of the EU.

Even if Internet bellwethers underwrote efforts to build EU data centers, it's not clear EU data would be safe from US government overreach.  In a developing case between Microsoft and the US government, the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US [6].  Presumably, the legal precedent established for email would apply more broadly to all data.  I have been covering developments in this area over the last couple of years [1][2] for interested readers.

[1] Balkanization of US Products and Service Technology Accelerates
[2] A Crisis of Confidence Costs Real Money
[3] The Register, US tries one last time to sway EU court on data-slurping deal
[4] Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
[5] Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
[6] Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider

Image: Wikipedia, EU Flag

Friday, October 2, 2015

JavaOne Track Highlights: Java and Security

Did you know Oracle's JavaOne Java developers conference has a full security track?  In "JavaOne Track Highlights: Java and Security," Yolande Poirier and David Lopez describe some of the track sessions and provide various links.  Disclosure: I lead the security track.  If you see any links on the track, feel free to share and I will post them.  See you at JavaOne.

Wednesday, September 30, 2015

Iron-Clad Java Book Blooper

About a year ago I helped some friends on a security book project, Iron-Clad Java: Building Secure Web Applications (Amazon).  As we were winding down the project we received some early printed copies of the book from the publisher.  I remember the feeling of seeing the project in printed form.  However, when I began flipping through the pages I noticed the Foreword was missing.  A missing foreword is not a big deal.  Still, security is a really tough job for many of us.  I thought the foreword helped to call out some of the industry challenges while still keeping an encouraging message.  Following is the missing book foreword and our blooper.


The greatest challenge in product security today is the fact that security quality is difficult for consumers to evaluate.  A product with little security design consideration and a weak security posture discloses few, if any, outward signs of being insecure.  Software security, like performance and scalability, cannot be effectively evaluated visually and requires specialized tools and training.  In a vacuum, consumers often mistakenly assume strong positive product safety unless news surfaces to shake that confidence.  As a result, with ever increasing pressure on business leaders to be more competitive, deliver more value to customers, security is frequently marginalized in favor of delivering more direct features with tangible business value.  There’s little incentive to pursue security excellence when consumers assume it already exists.  All too often, businesses roll the dice and short product security, explaining away incidents when they occur with excuses like: “hackers are becoming more sophisticated”, “security is too difficult a problem to solve”, or “everyone has bugs”.  As the number and severity of security incidents increases, the public’s patience for excuses grows weary.   Consumers are demanding more secure information systems and more accountability from business leaders and governments.  Product security claims are no longer accepted at face value.  As we transition from an era of plausible deniability to accountability, leaders are increasingly motivated to deepen their security investments.  In the end, strong security is a choice, and it always has been.  Security excellence is no accident.  It’s purposeful, requires dedication, and role appropriate education is essential to success.

In this book, Jim Manico and August Detlefsen tackle security education from a technical perspective and bring their wealth of industry knowledge and experience to application designers.  A significant amount of thought was given to include the most useful and relevant security content for designers to defend their applications.  This is not a book about security theories, it’s the hard lessons learned from those who have been exploited, turned into actionable items for application designers, and condensed into print.

One of the best things I enjoy about the field of security is that it’s small and still possible to reach out and touch your heroes.  Jim and August are my heroes and it’s an honor and privilege to be their technical editor on this project.  The hallmarks of true experts and expert teams are: confident but soft-spoken, good listeners, secure in their abilities and not afraid to explore the ideas of others.   Teams imbuing such qualities produce results like no other and working in this environment is educational for everyone.  Working on this project with Jim and August was a tremendous privilege.  It’s my sincerest hope you enjoy this book as much as we enjoyed bringing it to you. 

Milton Smith


I happened to think of posting the book blooper since I noticed the Kindle Edition of the book includes the foreword, and it's the book's one-year anniversary - Happy Birthday!  Congratulations Jim, August, Kevin, and crew.

HTTPS Party at Blogspot

Today Google announced [1] limited HTTPS support for Blogspot.  HTTPS support is critical for banking and other areas where online trust is required.  HTTPS is also important for viewing web site content to ensure it's authentic and free from tampering.  Without HTTPS support, web site content is easily modified in transit.  Google explains that its decision to offer HTTPS support is based on its HTTPS Everywhere [video] strategy.  HTTPS is not enabled by default but can be enabled via configuration by the site Administrator.  Custom domains like are not supported via HTTPS on Blogspot.  Google notes, "blogs with custom domains are not supported in this first version" and implies Blogspot will offer HTTPS support for custom domains sometime in the future.  More than likely, Blogspot users will be able to load a custom certificate generated by a popular Certificate Authority in the future.  This small improvement is a really big deal for many bloggers!  +1 Google security team!

[1] HTTPS support coming to Blogspot

* Image: Blogger configuration settings.  New HTTPS Settings option.

Tuesday, September 22, 2015

The Case of Symantec's Mysterious Digital Certificates

Updated on June 21, 2016

On Friday, September 18, 2015 both Symantec and Google announced an incident with digital certificates used to secure web sites in browsers.  In Chrome a secure connection is indicated by the green lock next to the URL in the browser.  Symantec noted in its official post that a "small number of test certificates were inappropriately issued" for three domains during testing.  No mention of the domain names was provided.  The company explains that the certificates were issued outside of company policy by employees for testing.  When the company learned about the policy violation, the employees were terminated and the certificates were revoked.

In a separate blog post by Google on the same day, we learn the domains in question were and .  There is no mention of the third domain.  We also learn the certificates were Extended Validation (EV) digital certificates.  EV certificates are special since they convey the highest level of trust in a user's web browsing experience.  Google notes that the certificates were "...recorded in both Google-operated and DigiCert-operated [certificate transparency] logs" on Monday, September 14, 2015 at 19:20 GMT.  Symantec maintains, "...certificates and keys were always within our control..."  It's difficult to know what Symantec means by control.  Clearly Symantec's information systems did not provide adequate security controls to enforce its own corporate policies when issuing EV digital certificates.  Symantec reassures the public that this time they will " additional processes and technical controls to eliminate the possibility of human error."  Symantec provides no details about the processes and controls leading to the incident or how their new improvements will address security concerns moving forward.  No dumps of the certificates were provided, no digital fingerprints, etc.  Readers cannot verify or check any revocation information to ensure the certificates have been properly blacklisted.  The article provides no verifiable facts for the public.

Symantec refers to the Google digital certificates as "test" certificates.  Google says of the same certificates that the "pre-certificate was neither requested nor authorized by Google."  In other words, these are EV digital certificates generated on behalf of Google by Symantec, for domains owned by Google, without Google's permission, and used for unauthorized testing.  Isn't a certificate that's not requested or authorized by the subject, for a domain owned by the subject, also known as a forged certificate?  So what is the difference between a "test" certificate, a "pre-certificate", and a forged certificate?  I'm not sure.  Certainly the message to the public is softened.  The best course of action for such a serious breach of confidence is a complete disclosure of the event.  Symantec should provide a narrative, a timeline, and a complete set of facts so the public can independently verify all statements made.  Unfortunately there is no public evidence to support any statements made by Symantec about how they used Google's certificates.  Trust but verify is one of the basic tenets of security.  In this case we can only trust Symantec but not verify.

The weakness with digital certificates is that the system is predicated largely on trust.  CAs are free to issue certificates for any domain.  For example, if Google normally works with Thawte (a Symantec brand) for issuing certificates for its domains, Verisign or any other CA can issue a certificate for Google as well.  Nothing prevents other CAs with roots in Chrome from issuing a certificate for a Google domain or any other domain.  Google notes they developed a Certificate Transparency (CT) measure to address these concerns.  The CT extensions and log servers are new to me, so I need to read up on them.  I don't see a lot of good tools to dump out CT logs.  I need to investigate CT, CT logs, and related tools further.  Maybe I should consider adding CT support to my DeepViolet pet project.  CT has the potential to spot problems during certificate issuance, whereas Chrome certificate pinning can spot certificate problems at runtime; CT and pinning work together.  The good news is that, in spite of the weaknesses, forged certificates are fairly rare in the public.
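The check that makes a CT log auditable is the Merkle inclusion proof: given a log's signed tree head (root hash and tree size), a client can confirm that a specific certificate entry really is in the log without downloading it.  As an added example (not code from the page or from DeepViolet), the following implements the RFC 6962 Merkle Tree Hash, audit path generation and proof verification with only the standard library; the log entries are constructed byte strings standing in for the DER certificate entries a real log would serve, and the example covers any tree size rather than the seven-leaf figure in the RFC.

```python
import hashlib
from typing import List


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 section 2.1 leaf hash: SHA-256(0x00 || entry)."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) of an ordered list of log entries."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def audit_path(m: int, entries: List[bytes]) -> List[bytes]:
    """Sibling hashes proving entries[m] is in the tree, deepest level first."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return audit_path(m, entries[:k]) + [tree_head(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_head(entries[:k])]


def _root_from_path(m: int, n: int, leaf: bytes, path: List[bytes]) -> bytes:
    """Recompute the root from a leaf hash, its index, the tree size and the path.

    Consumes the path from the top of the tree downward, mirroring audit_path.
    """
    if n == 1:
        if path:
            raise ValueError("path too long for tree size")
        return leaf
    if not path:
        raise ValueError("path too short for tree size")
    k = _split(n)
    sibling, rest = path[-1], path[:-1]
    if m < k:
        return node_hash(_root_from_path(m, k, leaf, rest), sibling)
    return node_hash(sibling, _root_from_path(m - k, n - k, leaf, rest))


def verify_inclusion(m: int, n: int, entry: bytes, path: List[bytes], root: bytes) -> bool:
    """True only if entry sits at index m of the n-entry tree committed to by root."""
    if not 0 <= m < n:
        return False
    try:
        return _root_from_path(m, n, leaf_hash(entry), path) == root
    except ValueError:
        return False


# Constructed sample log: stand-ins for the (pre)certificate entries a real CT log
# serves; in practice root and size come from the log's signed tree head.
SAMPLE_ENTRIES = [f"constructed-cert-entry-{i}".encode() for i in range(7)]


def demo() -> dict:
    """Prove one entry is in the log, then show a tampered entry fails the check."""
    root = tree_head(SAMPLE_ENTRIES)
    n = len(SAMPLE_ENTRIES)
    idx = 5
    path = audit_path(idx, SAMPLE_ENTRIES)
    forged = b"constructed-cert-entry-5-tampered"
    return {
        "root_hex": root.hex(),
        "path_len": len(path),
        "genuine_ok": verify_inclusion(idx, n, SAMPLE_ENTRIES[idx], path, root),
        "forged_ok": verify_inclusion(idx, n, forged, path, root),
        "wrong_index_ok": verify_inclusion(idx - 1, n, SAMPLE_ENTRIES[idx], path, root),
    }


if __name__ == "__main__":
    print(demo())
```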

Additional Resources
No root for you!  Google slams door on Symantec certs
Fuming Google tears Symantec a new one over rogue SSL certs
Proactive measures in digital certificate security

Image: Open Clipart,

Saturday, September 19, 2015

Livermore Flying Electrons RC Swap Meet

I have been experimenting with building racing drones and First Person View (FPV) gear.  Today I was at the swap meet of the Livermore Flying Electrons RC club with my brother-in-law.  I found a huge deal.  I bought a 90mm Taft Hobby Viper EDF jet and a desktop LiPo charger for a really low price.  I'm more into multi-rotors, but it was too good of a deal to turn away.

Viper Jet in action (VIDEO).  Note, that's not me flying.

I was thinking a fixed wing aircraft for FPV would be a cool addition, although before I fly this jet I'm going to spend some time on a low-cost trainer.  Flying fixed wing is totally different than flying multi-rotors.  One of the great points about fixed wing is that they stay up in the air a long time compared to multi-rotors.  You can really do some long distance FPV on a fixed wing.  Switch to a ground station for your video feed and upgrade your transmitter to UHF and you're ready to fly missions out to about 50 mi (80 km).  My new jet is probably not the best FPV platform, but it will get me wherever I want to go fast.

By the way, if anyone has resources on security research related to RC, please send them my way.  I have been looking at different flight controllers, transmitters, ESCs, and all the open source software available.  I could also use any information related to radio transmission protocols for popular transmitters.

Friday, September 18, 2015

LinkedIn API's Hold Members Hostage

I think it's great that LinkedIn prompts members using LinkedIn API enabled applications about the type of information requested.  This is the minimum amount of transparency all cloud applications should present to their users, but what information is included in a connection?  Sure, "1st and 2nd degree connections," but what does that mean?  Only a member's relationship to another member?  Or the connection relationship along with other profile information?  Asking a LinkedIn member to share profile information for another is like asking my Mom if it's ok for me to come out and play.  It should be each member's choice what they want to share about their profile.  I'm open with my information, but some are very private and connect only to their closest colleagues.  An easy area of future improvement is to clean up the connection sharing description shown to users.  A further suggestion: if the type of information can't be clearly communicated to members, don't do it.

Another area of improvement in this message dialog is to provide members some options about the type of information they are willing to share.  Today the choice is all or nothing.  Members can choose to "Allow access" or not use the application.  Essentially, many applications hold you hostage on this screen.  You either hand over all your member data or you don't get access to the application.  My concern is that applications often request much more information than the application requires.  I'm not against software developers asking, but the user should have some choices.  If LinkedIn is concerned about their members' privacy, they should provide a checkbox next to each type of information requested.  This allows members to turn off information they don't want to share (like personal connections) while sharing other types of information.

Wednesday, September 16, 2015

Creepy World of Radio Numbers Stations

Radio Numbers Stations are clandestine radio stations operated over shortwave radio by government agencies.  The mysteriousness is due to the cryptic and unintelligible messages transmitted, a stream of numbers, and the lack of information about the intended destination.  Sometimes a man or woman may speak the numbers, sometimes the speech is synthesized, and sometimes there's data, but the destination and message are always unknown.  With the advent of the Internet these stations may seem a throwback to a more primitive era; however, there are distinct benefits to this old technology.  First, shortwave signals carry a great distance.

This makes the transmitters difficult to locate without use of radio signal direction finding(DF) gear.  A more important point is that the intended recipient of the message is untraceable since it can be anyone within the radius of the transmission - usually thousands of square miles/kilometers.  Anonymity in the age of the Internet is next to impossible so numbers stations protecting identities of intelligence agents in the field is important.  And last, the messages are encrypted or rendered otherwise unintelligible.  To listen to some real numbers stations check out the web site.  Also check out The Numbers Station Movie Trailer.  I doubt numbers stations are so action packed in real-life but the movie is entertaining.

Thursday, September 10, 2015

ZMR250 Quad Racing Drone Build Log

Updated on January 13, 2016

Now being maintained on a dedicated site.

Thursday, September 3, 2015

OWASP Board Candidate Interviews Live!

Listen as Mark Miller (Twitter: @TSWAlliance) interviews me and other OWASP board candidates.  Now live! [AUDIO]

For more information about the OWASP Global Board of Directors and the election process, see:
OWASP Board Candidate Interview on August 25, 2015
OWASP 2015 Global Board of Directors Candidate
2015 Global Board of Directors Election

Thursday, August 27, 2015

The Future of Software Security?

Spy in Sky vs Spy in Pocket

It's interesting that public sentiment around drone privacy incursion is far different than sentiment around Internet bellwethers like Google, FB, Apple, AT&T, etc.  The underlying social theme: as long as we don't see the spy, or the spy also does something good for us, then spying is tolerable.  In my view, a DJI Phantom is less of an incursion on my privacy than a smartphone.  A DJI Phantom flying over my property is likely a nosy neighbor, only one spy.  On the other hand, a smartphone is a virtual Panopticon into my personal life.  At the very minimum, smartphone monitoring includes: smartphone makers, telcos, social media, government, and law enforcement.  Many constituencies are involved.  My point is not to stir passions on privacy incursion but to highlight the difference in public perception about privacy threats.  As a more tangible and compelling example, let's pick on Amazon and their foray into dronespace.

Most Americans are anxiously awaiting Amazon Prime Air and 30-minute product delivery.  I have found little in the way of tech specs for Amazon's proposed drone aircraft, but imagine for a moment thousands upon thousands of drones combing the sky each day.  What will be the disposition of drone sensor data?  My bet is that gathering drone data along delivery routes will be too tempting for business to ignore.  Although don't install camouflage netting over your home just yet.  There will be an initial greenfield period of data feasting but it seems likely privacy will find a balance.

Incidentally, shooting down a drone, even over your own property, is considered an attack on an aircraft.  Today the NTSB investigates crashes of aircraft with tail numbers.  Drones have no registration of any kind and investigation of drone crash incidents remains unclear.  Laws around drones are evolving.  Point being, work out your disputes peaceably if possible or contact law enforcement.

Tuesday, August 25, 2015

OWASP Board Candidate Interview on August 25, 2015

Today Tom Brennan (Twitter: @brennantom), Tobias Gondrom (Twitter: @tgondrom), and I (Twitter: @spoofzu) were all interviewed as candidates for OWASP's Global Board of Directors.  I'm not planning to write an interview spoiler before the podcast is published, but I want to follow up on the points I introduced in the interview that make me unique as an OWASP board candidate.

Reduce gap between security practitioners and developers
For the past 3 years I have been leading security for the Java platform at Oracle.  Like many security leadership positions, my role was one of influence.  One of the improvements I made was to include a full security track at Oracle's JavaOne conference.  Today security and development are largely considered two different disciplines, each with its own type of conference.  The challenge with this approach is that developers with limited budgets are not likely to attend a security conference.  After some thought, I considered the best way to close the gap was to bring the security conference to the developers, and the security track at JavaOne was born.  The first year of the security track I asked OWASP leaders Jim Manico (Twitter: @manicode) and Michael Coates (Twitter: @_mwc) for assistance, which they graciously provided.  I didn't have high expectations for the first year since it takes time to build some momentum.  To my surprise, the security track did reasonably well in its 1st year with attendees, and today it's the 3rd most popular track at the conference.  According to Frank Kim (Twitter: @thinksec) at SANS Institute, JavaOne is the first software developers conference to have a full security track.  I'm proud of the security focus at JavaOne but it's my strongest desire that we start a trend and continue across industry.  I'm not so sure moving a security track into every developer conference is the right way to go, but I would like to explore different ideas to bring security closer to developers.  For instance, today B-Sides hosts smaller security conferences in the vicinity of larger security conferences.  Attendees at flagship security conferences can take in a B-Sides conference by extending their stay slightly.  Fitting two conferences into one trip is a lot easier on the budget.  Based upon the reception of security within the development community at JavaOne, OWASP can host smaller conferences alongside key developer events like JavaOne US/Brazil, JavaZone, Devoxx, FOSDEM, and perhaps other venues where .NET folks hang.  These are the types of ideas I would like to explore with the board.

New directions for OWASP
OWASP must evolve in new directions.  I contend that even if we educated all developers on security and provided many more helpful projects, it would not be enough to impact the quality of security throughout industry that many of us desire.  Security is a business quality problem and it can't be solved with more code or even better code.  At the moment, industry is positioned at a fragile juncture in its security journey.  Many security experts see increased government regulations on the horizon.  Others think cyber insurance will increase in popularity and the desire for the lowest rates will drive security improvements.  Still others anticipate future legislative changes imposing product liability on the technology industry.  One thing is certain: if industry fails to take action on security then it will also lose some control over its destiny.  As a trusted partner, OWASP is in a unique position to assist by forging new alliances with industry and governments.  OWASP will leverage its expertise to develop a voluntary industry wide security program.  The program will have means to encourage systemic improvement while remaining sensitive to industry concerns.  My initial plan is a security program emphasizing a practical amount of transparency with a focus on security quality or results.  Transparency is important to ensure industry remains confident in its software supply chain risk profiles.  Next, a results based approach to security provides OWASP the opportunity to influence industry while providing member companies business agility and flexibility to achieve their security objectives.  Throughout the course of the program OWASP will measure the effectiveness of this new security program against the progress of its members on security.  Based on the program effectiveness and industry security trends, the program will be improved as necessary.  Why will industry submit to a voluntary security program?  Industry must demonstrate leadership in security with remarkable improvements or industry will be led.  Every day the cadence around exploitation increases.  Customers are demanding more visibility into development and delivery of software products and services.  In response, businesses are demanding more insight into their supply chain security.  "Trust us, it's secure" is no longer acceptable.  There are also significant benefits for OWASP individual members like improved emphasis on security throughout member companies, more visibility in the board room, etc.  At first, the notion of any transparency seems unnatural, but I have been working on this for 3 years with the Java platform team.  Java is largely open source, and we provide the public with a significant amount of information around the platform's vulnerability management.  The program fits well with OWASP's approach of transparency in all it does but can be applied to industry's benefit more broadly.  I shared some of my thoughts but I welcome your ideas as well.

If you vote for me in the OWASP global board elections this fall you will be voting for someone who wants to bring security closer to developers and who desires to take OWASP in some new directions. It's an ambitious effort for both myself and OWASP, certainly I will need some assistance, but the potential benefits for members and industry are large.

Tuesday, August 18, 2015

Ders Gold in Dem Dar Profiles

Photo 1: LinkedIn contacts list
I typically receive invitations to connect from a few people a week outside of security.  More regularly, the people that connect with me work in application security and software development.  This week was unusual: I received ten connection requests from individuals employed by a company called Selling Simplified.  I had a sneaking suspicion my profile was being mined but I like to give everyone the benefit of the doubt.

To begin I thought I would investigate the company's home page.  The company does have a web page online.  I wanted to get some idea if this was a real company or not.  I checked out the jobs page.  I didn't notice many job openings but there were a few.  Then I reviewed their leadership page.  Several company leaders are listed with bios.  There are also many blog posts.  My initial impression is that it's a legitimate business.  Next, I opened a couple of the Selling Simplified profiles.

Photo 2: LinkedIn profile detail

Photo 2 is one of the LinkedIn profiles expanded.  There's a name, a position, some skill endorsements, but as I scroll down the screen, no employment history.  I seriously doubt this is a real LinkedIn profile belonging to a person.  It's likely part of an automated tool to mine contact data.  I have about 2800 contacts but I don't share them.

Photo 3: LinkedIn protecting contacts
The company focus appears to be "lead generation".  Apparently, my friends and I are targets to bolster Selling Simplified's lead generation database.  I'm betting mining with bots like this is against LinkedIn's terms of service.  Still, there is no guarantee this activity is sanctioned by the company rather than the work of a script savvy sales agent.  In the event your profile gets mined, protect your professional contacts by adjusting the setting as shown in Photo 3.

You can also protect your contacts by only allowing your closest friends to join; however, I find this an impractical strategy.  I receive many connection requests from people I don't know very well but who like to follow security news.  If a close friend desires to be introduced to one of your contacts they can ask.  The lesson here is to be aware of your contact requests, follow your hunches, and keep contact sharing turned off on your profile.

Tuesday, August 11, 2015

Beneath DEFCON 23

DEFCON 23 was an outstanding event this year.  I was not originally planning to attend Black Hat or DEFCON this year.  As usually happens, the event begins to draw near and I start receiving the vendor invites.  Then my friends start making arrangements to meet.  At the last minute, I cave in, make reservations, book a flight, and I'm on my way.  I should know better by now and plan on attending Black Hat/DEFCON and RSA every year.

This is the first time I purchased tickets directly at DEFCON as opposed to purchasing them at Black Hat electronically.  When you purchase tickets at the event you must wait in line and it's cash only.  The line took me about 1.5 hours or so.  I was surprised the line went so efficiently since there were about 14,000 attendees.  I also made a few friends in line.  Always love to talk to people and learn what interests them, listen to their security war stories.

Photo 1: DEFCON Mosh Pit
The start of the conference was chaotic.  The halls were super crowded.  Goons (crowd control) were screaming at the top of their lungs to establish rules of the road for the hallways: stay to the right, pass to the left.  Within a short amount of time order was established and the crowds moved efficiently between sessions.  In previous years the event was held at the Rio.  This year DEFCON was held at Bally's and Paris.  I expected some confusion but the event was very efficient given the changes and number of people.  The Caesars venue would be better but it would be tough to keep the prices of the tickets down.  A DEFCON 23 ticket this year sets you back $230 US, a bargain for a technology conference these days.

Most of the value of the conference to me is spending time with my friends.  I follow the news and current events pretty closely so there's not a lot that surprises me at conferences these days.  However, I'm always learning new things from my colleagues.  If you ever think you're an expert, and you may be, you will be humbled when you meet other experts in their field at these events.  This was the case for me when I got to meet Renderman this year.  Renderman presented on ADS-B, an air traffic telemetry protocol, in a DEFCON 20 session entitled "DEFCON 20: Hacker + Airplanes = No Good Can Come Of This".  His work was particularly interesting to me since I did a similar project on the Raspberry PI platform, "Tracking Aircraft on the Raspberry PI".  At the time I did my project I didn't know about Renderman's project.  Anyway, I got to meet Renderman and he introduced me to his friends.  It was shit tons of fun to hang at his table for a few mins and meet his friends.  That's what DEFCON's all about to me.  Meeting old friends, making new friends, and learning some new stuff.

Photo 2: Adam Shostack
I made another new friend purely by chance, Adam Shostack, Photo 2.  Adam was meeting one of my friends from Oracle's Java Platform team I happened to be having lunch with, Eric Costlow.  Adam has an incredible book on threat modeling, "Threat Modeling: Designing for Security".  This is the go-to resource and reference for threat modeling.  I have a copy on my shelf.  Adam was working for Microsoft at the time he wrote his book but he's now striking off on his own business venture.

Photo 3: Robert Hansen
I also met several vendors like Whitehat, Denim, Cigital, and more.  Robert Hansen, Photo 3, works for Whitehat these days but I've known him for years.  Interesting to learn about the projects and challenges everyone's working on.  In a conversation with another unnamed researcher, I mentioned how I didn't appreciate the US government using security conferences as a platform to push their political security agendas.  The researcher mentioned that he understood but said that many of the researchers are working or have worked for the government.  In fact, darktangent, the conference founder, works for DARPA, a government group.  Also, the government is comprised of many different agencies, each with different viewpoints and moral compasses.  There really is no single point of view.  He makes a good point but I'm not sure I subscribe.  Still, we can't give up on our government and we can't acquiesce.  Security and privacy are among the largest unrecognized social concerns of today.

As I mentioned I did not attend Black Hat this year but I did find the keynote online.  Interesting listening to darktangent and Jennifer Granick talk about the larger social issues around security and privacy.

There's also a DEFCON documentary you may want to see.  Next is probably the world's shittiest horror movie ever.  After returning from the conference I turned on the TV.  Purely by chance my TV was tuned to Chiller TV and Feast 3: The Happy Finish (jump to 26:00 mins) was playing.  How do you unwatch something?  Please tell me.  ;o)

DEFCON 23 Online Receipts

I end this post with a few funny or interesting photos from the event.  Incidentally, an artist by the name of Mar Williams does most of the art work for DEFCON.  Check out his web site.  Click any of the images to expand.

Monday, August 10, 2015

OWASP 2015 Global Board of Directors Candidate

It's official!  The OWASP organization announced my candidacy for the 2015 Global Board of Directors.  If you're an OWASP member, vote for your candidates anytime between October 7th and October 23rd.  The results of the election are shared on October 28th.  To learn more about the election and process, see the OWASP site.

What's OWASP?
OWASP (Open Web Application Security Project) is one of the world's largest groups of web application security practitioners.  Essentially, we are people passionate about securing the software applications you use on the Internet every day.  OWASP is most famous for the OWASP Top 10 Project, which helps software developers understand common weaknesses when programming software applications.  Other projects like the ASVS Project provide a basis for testing web application technical security controls.  OWASP provides conferences and user groups throughout the world to educate the public on application security.  OWASP provides many resources for security and engineering professionals engaged in building and protecting software applications.

Who are the 2015 candidates?
Abbas Naderi Afooshteh
Tom Brennan
Jonathan Carter
Michael Coates
Bil Corry
Tobias Gondrom
Nigel Phair
Josh Sokol
(and me) Milton Smith

I am excited to be considered a candidate for the 2015 Global Board of Directors.  But most of all I am excited for the opportunity to serve the community of developers, security practitioners, and industry at large.

Monday, August 3, 2015

Application Security Complaint Department

A special look behind the scenes at the Application Security Complaint Department.

[1] Original photo source, unknown

Friday, July 31, 2015

Forget Ninja's and Pirates, Application Security is Like This!

Photo 1: exploded thumbnail
Today I was using LinkedIn and noticed a message was posted about the upcoming Black Hat and DEFCON security conferences in Las Vegas.  At the bottom of the person's post there are a bunch of thumbnail images of contacts we both have in common.  If you have browsed a few articles on LinkedIn you have probably seen these thumbnails before.

Photo 1 is the result of hovering my mouse over one of the contacts at the bottom of the author's post.  These are the contacts we have in common.  Again, nothing new here, you have probably seen this before.  I noticed in the exploded view that the HTML entity for ampersand, circled in red, looked out of place.  At first, I was thinking perhaps this person entered the entity directly.  Some people online enter some strange stuff to get your attention, especially security people.

When I opened the person's profile, Photo 2, I noticed the ampersand was shown, not the entity.  What can we do with this knowledge?  Well, probably not much, at least just yet.  The point is there is a bug in LinkedIn application code that is screwing up escaping of entity references.  The code is getting confused between HTML code and characters the user types from the keyboard.
Photo 2: profile view
Why is the confusion between the characters we type and HTML code important?  It's precisely in the area of escaping and character encoding where we find Cross-Site Scripting (XSS) vulnerabilities.  XSS is nothing new, but it's listed as A1 on the OWASP Top 10 for good reason: it's pervasive.

In this LinkedIn example, the ampersand is likely a programming bug and nothing more.  We can't do much with an ampersand that's changed to an entity reference.  However, if it were possible to include code within our tag lines, it may not be properly escaped or may be improperly rendered.  Of course, the code would have to be short since there are limitations to the number of characters that can be stored in a tag line.  If a vulnerability could be found here, the benefit to an attacker is that they could hijack the browsers of LinkedIn users who view the exploded thumbnails, Photo 1.  On a site like LinkedIn this is probably a lot of users.
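The symptom above, an entity in one view and the plain character in another, is what you get from a common pattern: escaping a value when it is stored and then letting each rendering path decide whether to trust it.  The Python below is an added illustration, not LinkedIn's code; the tag line and templates in it are constructed.  It reproduces the double-escaped hover view beside the trusting profile view, and shows why escaping once at the output boundary is the safer rule.

```python
"""Added example, not LinkedIn's code: one way an ampersand ends up as '&amp;'
in one view and '&' in another, and why escaping belongs at the output boundary."""
import html
import re

# Constructed tag line in the spirit of the one in the post (not a real profile).
TAGLINE = "Security & Privacy Engineer"


# --- Pattern A (the bug pattern): escape the value when it is stored, then let
# --- every rendering path decide for itself whether the stored value is trusted.
def store_escaped(raw: str) -> str:
    return html.escape(raw, quote=True)


def hover_card_escaping(stored: str) -> str:
    """Template that escapes whatever it is handed (correct on its own).
    Combined with store_escaped it double-escapes: '&amp;' becomes '&amp;amp;'."""
    return '<span class="tag">%s</span>' % html.escape(stored, quote=True)


def profile_view_trusting(stored: str) -> str:
    """Template that assumes the stored value is already safe and emits it raw."""
    return '<h2 class="tag">%s</h2>' % stored


# --- Pattern B (the fix): store the raw value and escape exactly once, at output,
# --- for the context it is written into (here: HTML text content).
def render_escaping(raw: str, tag: str) -> str:
    return '<%s class="tag">%s</%s>' % (tag, html.escape(raw, quote=True), tag)


_TAG_RE = re.compile(r"<[^>]*>")


def visible_text(markup: str) -> str:
    """Approximate what a browser displays for a fragment: drop the tags,
    then decode entities once.  Adequate for this demonstration only."""
    return html.unescape(_TAG_RE.sub("", markup))


def demonstrate_symptom(raw: str = TAGLINE) -> dict:
    """Pattern A: the two views of the same stored value disagree."""
    stored = store_escaped(raw)
    return {
        "hover_shows": visible_text(hover_card_escaping(stored)),   # 'Security &amp; ...'
        "profile_shows": visible_text(profile_view_trusting(stored)),  # 'Security & ...'
    }


def demonstrate_fix(raw: str = TAGLINE) -> dict:
    """Pattern B: both views agree because escaping happens once, at output."""
    return {
        "hover_shows": visible_text(render_escaping(raw, "span")),
        "profile_shows": visible_text(render_escaping(raw, "h2")),
    }


def markup_survives_in_trusting_view(value: str) -> bool:
    """Why the confusion matters: under pattern A the trusting template is only
    safe if every write path escaped first.  A value that reached storage through
    a path that did not (an import, another API, an older code path) is emitted
    as live markup."""
    return "<script>" in profile_view_trusting(value)


def markup_survives_in_escaping_view(value: str) -> bool:
    """Under pattern B the same value is neutralised regardless of how it was stored."""
    return "<script>" in render_escaping(value, "h2")


if __name__ == "__main__":
    print(demonstrate_symptom())
    print(demonstrate_fix())
    probe = "<script>1</script>"  # constructed, harmless marker string
    print(markup_survives_in_trusting_view(probe), markup_survives_in_escaping_view(probe))
```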

In closing, I am not showing you LinkedIn vulnerabilities.  I have no idea if there is a vulnerability in this code.  In fact, I don't want to know.  I have conducted no testing against these interfaces or used any tools.  All I have proven is that there's a program bug and we can write blog posts about bugs safely online.  Security begins by noticing what's around you.

See you at DEFCON next week!

Thursday, July 30, 2015

Forget Internet of Things, You Already Have Spies In Your Home!

First things first, what the hell is the Internet of Things (IoT)?  Very simply, the IoT movement intends to connect a wide variety of electronics, embedded devices, and sensors to the Internet.  As a practical example, some makers of city street lights have Internet enabled their bulbs.  On the surface, Internet lightbulbs appear as useful as Internet connected refrigerators, but a distinct advantage is that these bulbs will alert a central office when replacement is necessary.  In a city with hundreds or thousands of street lights, a proactive message about an inoperable light eliminates significant effort driving around to check bulbs.

Other manufacturers are enabling medical devices like pulse oximeters with full TCP/IP stacks to monitor patient blood oxygen levels.  Cardiac pacemakers, on the other hand, have been wireless for some time.  Former Vice President Dick Cheney had the wireless feature on his pacemaker turned off due to security concerns.  Someday embedding IoT sensors in cereal boxes and other grocery items may eliminate self-checkouts altogether.  Push your cart out the door and your bank account is debited automatically.  A store clerk is only needed to weigh vegetables or to help you find something: the grocery store of the future.

Once you get the hang of the IoT concept, it does not take a lot of imagination to understand how Internet connected devices are beneficial.  What might take some imagination is how you can protect yourself in the age of IoT.  Throughout the development of IoT efforts the security community and press have been quick to alert the public to the vulnerability du jour.  Attention focuses sharply where exploitation of vulnerabilities may lead to serious injury or death.  Public education around IoT security is important.  No argument, we need to continue educating, but there's a message being lost in the press background noise.  The message is that the spies are already among us!  Don't let the newness of IoT distract you.  Internet devices in your home and the homes of your friends or family have been monitoring you for some time.  To understand what I mean, let's take my home as an example and look at some of the Internet connected devices I have in my home.

Apple Watches
Computers (OS X, Windows, Linux)
HP Printer
Zigbee gateway (Solar System)
HP Smart Switches
AT&T U-Verse Access Point
Wireless-N Router
Wireless-N Bridge
Flatscreen TV w/Internet stack
Misc gear: Wifi Raspberry PIs, Wifi Pineapple, Wifi enabled drones, Cisco SIP phones, and more

Today your smartphone can spy on your home network, collect the data, and hide its activities by sending data back over private cellphone networks.  Your printer can be hijacked, malware installed, and made to perform reconnaissance of your home or office.  Other devices like telephones, copiers, and fax machines can be similarly exploited, as demonstrated years ago at the DEFCON security conference.  In my home, I reflashed my router firmware with OpenWRT, a Linux like operating system.  With OpenWRT in place it's easy for me to sniff any traffic ingressing or egressing my home network to detect compromised computers.  But a hijacked device with malware installed, or a vendor with a complete disregard for your privacy, can do the same.  Whether or not these devices are spying on us is irrelevant.  The public should not have to rely upon the morals or good intentions of manufacturers to be secure in their home or on their persons.  Our home networks should be battle hardened and withstand a single rogue vendor, bad smartphone app, or exploited device.  Security controls for our home and our person should exist so we can be "verifiably" secure.  Trust but verify is a basic tenet of security and is applied in business.  A challenge for the security community is to develop better protections for the home and people.

For security or IT gurus there are some actions you can take to strengthen your home security posture.  Firewalls with a single zone of trust and a DMZ are not going to be enough, but there are some measures you can take.  Ideally every untrusted device should be on its own network segment and unable to see other network devices.  Of course, this makes it really tough to configure your network.  More practically, you can segment your network by device type.  For example, there is no reason your broadband provider needs direct access to devices on your home network.  Insert a router between your home network and your broadband provider's access point.  Your broadband provider will still see Internet traffic as it traverses the WAN, but the router blocks them from seeing your LAN traffic like printing documents, copying files between computers, etc.  The same approach can be used to dedicate a wifi segment to your smartphones.  This allows smartphones to see other smartphones but not other types of devices on the home network.  This type of configuration provides a stronger security profile but it's a lot of work to maintain, even if you know what you're doing.  It's hard to predict the future of security controls, but in the interim a router providing easier ways to manage many untrusted devices for home users would be helpful.  Segmenting helps to isolate untrusted devices from each other and reduces the surface area available for reconnaissance or attack.
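Segmenting by device type also gives you something concrete to check traffic against.  As an added example, not part of the original post and not OpenWRT's tooling, here is a small Python checker that applies a per-segment policy like the one described above to constructed flow records and flags traffic crossing between device types; the subnets, segment names and record format are assumptions made for the example.

```python
"""Added example, not part of the post or of OpenWRT: a small checker that applies
a per-device-type segment policy to flow records and flags cross-segment traffic."""
import ipaddress

# Constructed segment plan for this example; the subnets are assumptions.
SEGMENTS = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),     # computers, printer, file shares
    "phones": ipaddress.ip_network("192.168.20.0/24"),  # smartphones and watches
    "iot": ipaddress.ip_network("192.168.30.0/24"),     # TV, Zigbee gateway, drones
    "isp": ipaddress.ip_network("192.168.1.0/24"),      # provider access point side
}

# Policy: the segments each segment may open connections to.  "wan" stands for
# anything outside the home.  Only lan may reach lan; phones see only phones;
# untrusted gear and the provider side get the Internet and nothing else, and
# nothing from outside may initiate a connection inward.
ALLOWED = {
    "lan": {"lan", "wan"},
    "phones": {"phones", "wan"},
    "iot": {"wan"},
    "isp": {"wan"},
    "wan": set(),
}


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything not local is treated as 'wan'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "wan"


def parse_flow(line: str) -> tuple:
    """Parse a constructed record of the form '<proto> <src> -> <dst>:<dport>'."""
    proto, src, arrow, rest = line.split()
    if arrow != "->":
        raise ValueError("unexpected record: %r" % line)
    dst, dport = rest.rsplit(":", 1)
    return proto, src, dst, int(dport)


def violations(lines) -> list:
    """Return (line, source_segment, destination_segment) for each flow that
    the policy does not allow."""
    found = []
    for line in lines:
        _proto, src, dst, _dport = parse_flow(line)
        s, d = segment_of(src), segment_of(dst)
        if d not in ALLOWED.get(s, set()):
            found.append((line, s, d))
    return found


# Constructed sample resembling what a router could export; not real traffic.
SAMPLE = [
    "tcp 192.168.10.5 -> 192.168.10.20:631",    # laptop printing: allowed
    "tcp 192.168.20.7 -> 192.168.10.20:9100",   # phone poking the printer: flagged
    "tcp 192.168.30.4 -> 192.168.10.5:445",     # smart TV reaching a PC's file share: flagged
    "udp 192.168.20.7 -> 203.0.113.10:443",     # phone to the Internet: allowed
    "tcp 192.168.1.1 -> 192.168.10.5:22",       # provider side reaching the LAN: flagged
    "tcp 192.168.30.9 -> 198.51.100.2:8883",    # Zigbee gateway to its cloud service: allowed
]

if __name__ == "__main__":
    for line, s, d in violations(SAMPLE):
        print("policy violation: %s -> %s   %s" % (s, d, line))
```

The flows a real router would hand you come from its connection tracking or a packet capture; the checker only needs the source and destination addresses, so adapting `parse_flow` to that format is the only change required.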

The problem with segmentation, firewalling, and traditional IT controls for the home is that you have to roll your own solution.  In my case, even though I have the knowledge to strengthen my home network I often avoid many improvements since it's too much maintenance effort to bother.  I spend enough time on the computer in my day job and I don't want extra IT homework at night unless the reward is great.  For the average home user, little if any combination of commercial gear and software exists that's helpful.  Security professionals have been beating the drum of virus scanners for years.  But virus scanners don't have the type of features necessary to protect home users today.  The best thing home users can do is educate themselves on security so they can make the best decisions possible.  For those interested, I have a personal security page[2] you may find helpful.  Google also published a great article[3] that compares how home users protect themselves vs. how security experts protect themselves.  Follow the experts column in the graphic!

The point I would like to leave you with is that the future is now.  The security concerns of IoT are not something strange and far off in the future for experts to consider if IoT gains favor with industry.  Internet enabled devices are already in our homes, in our cars, on our person, they are inside of us, and they are already pervasive.

[1] open source White Hat Spy graphic
[2] Personal Security
[3] New research: Comparing how security experts and non-experts stay safe online
