August 17, 2009 – 10:18 pm

I have plenty to say but not nearly the patience/dedication to use a blog to say any of it. As such, there won’t be any new content here (the fact that comment spam makes up 99% of my e-mails doesn’t help the case either).


I’m all graduated now!

May 20, 2009 – 6:52 am

…and the whole process was somewhat underwhelming. For those undergrads out there who are contemplating returning to school for an MS: think twice. I have no idea if my experience was atypical, but I submit it for your consideration:

I loved my undergrad at Tech. It was hard and I didn’t sleep much. Despite that, it was worthwhile because every day I was learning and growing. Life as an undergrad could have easily been miserable, but because I loved the learning bit and had surrounded myself with a great collection of people, it was pretty awesome.

Fast forward a bit. I’m about six months into my job at Amazon and start thinking that, while I’m learning a lot on the job, there isn’t any real opportunity[0] to gain in breadth (AI and Systems specifically), so grad school starts to sound like a much better idea and I start sending feelers out for funding. About a month later I strike gold: not only have I found funding, but because my GPA was >3.4 and I’d been out less than a year I could still apply as a FasTrack student, which meant a stupid simple application process (info, towards the bottom). They accepted me, YAY! (or so I thought).

Eventually I was done working and it was time to start school again, and fairly quickly my idealistic view of what the MS program would be like was destroyed. Now, Tech being a harsh mistress isn’t new, so I wasn’t terribly surprised. At first it was the normal set of problems: lame course selection (both in quantity and quality), a poorly managed registration process (artificially low head count and an unwieldy/unfair overload process), and overworked advisors.

This section of the post was going to be where I talked in depth about the big problems I had with my time in the MSCS program (and there were many) but, honestly, I don’t care enough to go into detail[1]; it would just make me grumpy. So, in short, it came down to 1) MS students are largely ignored and/or treated as cheap labor by the faculty and 2) as far as I could tell most MS students don’t seem to care about actually learning anything, just adding an MSCS to their resume.

All that said, I came out of the program having done some cool things[2] and got an offer to work with some amazing folks[3] over at VMware. It’s not something I couldn’t have done coming from undergrad, but I didn’t… so, disappointment or not, the MS program gave me a chance to start over and I’m glad for that (if nothing else).

Big question: given the choice, would I do it again? Probably not. Instead I’d go back and tell my post-undergrad self to manage my work/life balance better at Amazon, to look around for other teams that could help me grow in breadth[4] and, probably, to apply for a position with VMware too.

[0] I thought about trying to do this in the time that I wasn’t working, but that just kept shrinking, and most of the time I was off, work had left me so exhausted that I just didn’t have the energy to sit down and hack.

[1] …here; if you want the full story, ask me offline.

[2] in spite of GT, not as a result of it

[3] was going to link to their websites but there are too many people. Suffice it to say that the workstation team is pretty awesome!

[4] because that’s really what I wanted out of the MS program but only a very small part of what I spent my time doing.

Facebook vs Privacy

February 10, 2009 – 7:44 pm

Let me start (the post) by saying, I WILL FINISH THIS POST.

I need to do that because I have no fewer than 12 partially written posts sitting in draft form and a netsec post for NerdParadise waiting at about 70% complete. Additionally, other than just needing to get some new content out, this post will give me a few moments to be grumpy about Facebook, which is a good thing in my book…

Okay, Go.

Allow me to start (the content) with a little bit of background: last semester I took network security, and we had to do a project relevant to the course material. Working with a friend of mine, we decided to analyze personal information leakage on standard WiFi by way of session sidejacking and had a grand old time breaking into each other's Facebook, Google (Mail, Calendar, Document, Chat), LiveJournal, etc. etc. We finished the project, wrote a bit of a script that collected data from the network flow, automated the attack, and dropped data into collections sorted by IP (roughly, individual). All that fed into a write-up with a brief discussion of ways that this could be prevented or the damage controlled (HTTPS, or a hack I came up with to create a secure channel over HTTP), and the semester finished.

See? Just a little background... now, moving on.

For some reason I was thinking today about this project and I remembered a couple of old articles on Beacon in regards to privacy by Stefan Berteau and Jay Goldman. Both of these are good articles but neglect to mention that any website[0] making use of Beacon also leaks enough information to allow your Facebook account to be compromised.

Sounds awfully dramatic, doesn’t it? Depending on where you stand it’s either dreadful or just a little annoying. As far as compromises go, though, it’s probably not a worst-case scenario:

  • All your messages will be exposed
  • Social connections can be mined
  • Personal contact info (e-mail, phone #, address, birth date, hometown, etc) is available
  • Third-party applications can be installed

Any changes to e-mail, passwords, viewing credit cards, etc. require password re-authentication, so the Big Things are still protected. The biggest threat I can see is that a third-party app that somehow tracks you, phones home, or installs malware might be added to your account. To really address that I need to take a look into the FB API, which I don’t care enough to do. If anybody else does, please let me know what you decide. =) Actually pulling this off isn’t that difficult: all you have to do is get on a shared WiFi network, start sniffing traffic, look for a beacon call [1] and pull the cookies off of that request. These cookies are what you use for the sidejacking and you’re off to the races.

I can already foresee three (well, two) potential comments about this: (1) But I use Facebook only via HTTPS, doesn’t that protect me? (2) But I tell Facebook not to remember me, doesn’t that protect me? (3) But … I forgot.

(1) No, it doesn’t, for two reasons. First, even when you view Facebook over HTTPS there are some cases in which it will load parts of a page (images, if I recall correctly) over an HTTP link, which hoses your protection from HTTPS. Anyway, this totally misses the point, which is that this particular attack is possible on websites other than Facebook. That is to say, you can compromise access to your FB account by going to a Beacon partner site.
(2) No, from our tests telling Facebook not to remember you doesn’t protect you completely. The way this attack works is to make Facebook think that the attacker is you, that you haven’t left the site and that their connection with you wasn’t “interrupted.”
(3) I’ll get to you later…

This post would be incomplete without thinking a little bit about how much this increases your exposure and, honestly, I’m not sure it does. My reasoning is that even though Facebook has many Beacon partners, the actual use of any one of those partners is probably relatively small compared to the amount of time/requests made directly to the Facebook service, which has this problem as well. That said, even though this is a nifty trick, it’s unlikely to actually cause any more problems than FB is already causing.

[0] There are quite a few according to Wikipedia.
[1] it will be a request to a facebook.com server to /beacon… something like this – /beacon/action_toast.php?action_name=queue&urls=%5B%22http%3A%5C%2F%5C%2Fwww.epicurious.com%5C%2Frecipes%5C%2Ffood%5C%2Fviews%5C%2FRed-Velvet-Cake-with-Raspberries-and-Blueberries-108256%3Fmbid%3Dfbfeed%22%5D&source_id=5194643289&ref_url=http%3A%2F%2Fwww.epicurious.com%2Frecipes%2Ffood%2Fviews%2FRed-Velvet-Cake-with-Raspberries-and-Blueberries-108256%3Frecipename%3DRed%2520Velvet%2520Cake%2520with%2520Raspberries%2520and%2520Blueberries%26saved_to_box%3Dy…etc
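Point (1) above really comes down to the cookie's Secure attribute: a browser never attaches a Secure cookie to a plain-http request, so an HTTP Beacon call (or an HTTP image on an HTTPS page) can only leak cookies that were set without it. The following is an added example, not code from the original post or from Facebook: the Set-Cookie headers, the cookie names and the facebook.example host are constructed, and it ignores Path and expiry; it shows which cookies a browser would send with a cleartext request shaped like the /beacon call in footnote [1].

```python
from urllib.parse import urlparse

def parse_set_cookie(header, request_host):
    """Minimal Set-Cookie parser; a cookie without Domain= is host-only."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": request_host.lower(),
              "host_only": True, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "secure":
            cookie["secure"] = True          # browser will only send it over https
        elif key.strip().lower() == "domain" and val:
            cookie["domain"] = val.strip().lstrip(".").lower()
            cookie["host_only"] = False      # also sent to subdomains
    return cookie

def cookies_attached(jar, url):
    """Names of the cookies a browser attaches to a request for url."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in jar:
        if c["host_only"] and host != c["domain"]:
            continue
        if not c["host_only"] and host != c["domain"] and not host.endswith("." + c["domain"]):
            continue
        if c["secure"] and parts.scheme != "https":
            continue                         # the Secure attribute is the mitigation
        sent.append(c["name"])
    return sent

def cleartext_exposure(jar, url):
    """Cookies a sniffer on the shared WiFi can read from this request."""
    return [] if urlparse(url).scheme == "https" else cookies_attached(jar, url)

# Constructed Set-Cookie headers; the cookie names are made up, not Facebook's real ones.
SET_COOKIE_HEADERS = [
    "sid=c0ffee; Domain=.facebook.example; Path=/",                       # no Secure flag
    "sid_s=deadbeef; Domain=.facebook.example; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/",                                                  # host-only cookie
]
JAR = [parse_set_cookie(h, "www.facebook.example") for h in SET_COOKIE_HEADERS]

# Shape of the cross-site call from footnote [1], with a placeholder source_id.
BEACON_CALL = ("http://www.facebook.example/beacon/action_toast.php"
               "?action_name=queue&source_id=PLACEHOLDER")
```

Run `cleartext_exposure(JAR, BEACON_CALL)` and the only cookies reported are the ones set without Secure; the same jar against an https URL exposes nothing.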

Code mystery!

November 22, 2008 – 7:25 pm

Even seemingly lame classes can be awesome from time to time.

Right now my network security class (which has been suffering from a distinct lack of awesome until recently) has two quite enjoyable homework assignments out. The first (hw5) is to implement a buffer and heap overflow attack. The second (hw6) is to attack a WEP-encrypted network, find out what lives there, and steal some passwords/files. Both of these are things I’ve known how to do in theory for a long time but have never gotten around to implementing. That being said, they are much more difficult in practice than in theory… which brings me to the purpose of this post.

So I’m working on hw5 and reading the assembly produced by gcc to figure out the makeup of my stack, and I see the following:

movl    $0, %eax       ; eax <- 0
addl    $15, %eax      ; eax <- eax + 15; eax = 1111
addl    $15, %eax      ; eax <- eax + 15; eax = 0001 1110
shrl    $4, %eax       ; shift right by 4; eax = 0001
sall    $4, %eax       ; shift LEFT by 4 (arithmetic shift left); eax = 0001 0000
movl    %eax, -8(%ebp) ; (fb - 8) = eax
movl    -8(%ebp), %eax ; eax = (fb - 8)... der, wtf?

Unless I'm missing something, the compiler just jumped through a freaking ton of hoops to accomplish storing 0 on the stack. Would someone please tell me what's going on if I've got this wrong? Then, to top it all off, after we movl %eax, -8(%ebp) we turn right around and do the reverse, movl -8(%ebp), %eax, which just totally confuses me.

Well, I'm a bit of an idiot. I just looked at this again and noticed it was shrl and shll, which is a shift right then a shift LEFT, which is to say it 0's out the bottom 4 bits. I'm still not sure about the last two movl instructions though.
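To check the hand annotations against what the CPU actually computes, here is an added example (not from the original post) that runs the five ALU instructions on a 32-bit register in Python: shrl by 4 followed by sall by 4 clears the low four bits, so for the post's starting value of 0 the value stored at -8(%ebp) is 16, not 0. That the sequence rounds a size up to a multiple of 16 is the editor's reading of it; the post does not show the C source it was compiled from.

```python
MASK32 = 0xFFFFFFFF  # %eax is a 32-bit register: every result is taken mod 2**32

def trace_sequence(n):
    """Run the post's five ALU instructions on a register that starts at n and
    return [(instruction, eax after it), ...]. The post starts with movl $0, %eax,
    so n == 0 reproduces exactly what the compiler emitted."""
    eax = n & MASK32
    steps = [("movl $%d, %%eax" % n, eax)]
    eax = (eax + 15) & MASK32
    steps.append(("addl $15, %eax", eax))
    eax = (eax + 15) & MASK32
    steps.append(("addl $15, %eax", eax))
    eax >>= 4                            # shrl: logical shift right, low 4 bits fall off
    steps.append(("shrl $4, %eax", eax))
    eax = (eax << 4) & MASK32            # sall: shift LEFT, the vacated low 4 bits are zero
    steps.append(("sall $4, %eax", eax))
    return steps

def stored_value(n):
    """The value that movl %eax, -8(%ebp) writes to the stack slot."""
    return trace_sequence(n)[-1][1]

def round_up_16(n):
    """Same computation the way a C programmer would write it: shr 4 then shl 4
    equals masking with ~15, so this rounds n + 15 up to the next multiple of 16
    (editor's reading of the sequence; the post does not show the C source)."""
    return ((n + 15 + 15) & ~15) & MASK32

def binary(eax):
    """Register contents as 8 binary digits, the notation used in the post's annotations."""
    return format(eax, "08b")

if __name__ == "__main__":
    for instruction, eax in trace_sequence(0):
        print("%-18s eax = %3d = %s" % (instruction, eax, binary(eax)))
```

Editor's note on the two movl instructions the post asks about: storing a temporary to its stack slot and immediately reloading it is ordinary unoptimised (-O0) gcc output, where every intermediate value lives in memory between uses.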

zomg school!

November 17, 2008 – 10:12 pm

No time to make a reasonable post, but there is an amazing set of quotes from my network security book:

At one of the final IETF meetings before AH and ESP were finalized, someone from Microsoft got up and gave an impassioned speech about how AH was useless given the existence of ESP, cluttered up the spec, and couldn’t be implemented efficiently (because of the MAC in front of the data). Our impression of what happened next was that everyone in the room looked around at each other and said, “Hmm. He’s right, and we hate AH also, but if it annoys Microsoft let’s leave it in, since we hate Microsoft more than we hate AH.”


IKE is a protocol for doing mutual authentication and establishing a shared secret key to create an IPSec SA. IKE took many years to come out of IETF. The original contenders were Photuris (RFC 2522) and SKIP (http://skip.incog.com/inet-95.ps). Either of these protocols would have been just fine in practice. But due to committee politics, neither one was chosen and instead IKE/ISAKMP emerged, almost a decade after work began, with a protocol so complex and specification so incomprehensible that nobody had the patience to understand what was being decided upon, and so nobody had objections. The result had lots of ambiguities and flaws…

These come after a talk I attended, given by John Day on a tour promoting his new book, where he pretty thoroughly bashed the current establishment and standards committees as being too embroiled in political maneuvering (electro-political engineering, as he called it) to make any real progress. (Paraphrased: “IPv6 can die in a fire for all I care; it’s a small step to fix one[0] of the seven major problems we identified 20 years ago.”) It makes me laugh (and cry) and wonder where we would be if folks would just let their egos deflate a bit.

[0] it may fix two, I don’t recall — problem 1 was address space size, problem 2 is routing table size (I think…?). I was a bit tired, so some of the talk is a bit fuzzy.