<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Room362 - Latest Comments</title><link xmlns="http://www.w3.org/2005/Atom" rel="http://api.friendfeed.com/2008/03#sup" href="http://disqus.com/sup/all.sup#forumcomments-788d8ecf" type="application/json"/><link>http://room362.disqus.com/</link><description></description><language>en</language><lastBuildDate>Sat, 19 Sep 2009 12:10:00 -0000</lastBuildDate><item><title>Re: Simplicity is Security</title><link>http://www.room362.com/archives/621-simplicity-is-security.html#comment-16924826</link><description>I wholeheartedly agree with your main point.  That said -- and I hate to be the one to split hairs -- I would argue that your Japanese citations are inaccurate.&lt;br&gt;&lt;br&gt;Japanese people have and use credit cards all the time.  According to the Bank for International Settlements, the number of Japanese credit card holders is roughly equal to that of Germany, and even exceeds Canada.  It *is* true, however, that Japan does not have 'check cards', but this is simply because Japan does not have checks.  The vast majority of cards in Japan work the system of automatically deducting the *entire* balance of the credit card once every month.&lt;br&gt;&lt;br&gt;Getting a credit card is just as easy as in the States. I got my first Japanese credit card after filling out a half-page form which took less than 5 minutes.  No major form of identification was necessary.  I get offers for "pre-approved" credit cards in my mail box every month.&lt;br&gt;&lt;br&gt;Japanese people bank online constantly.  Earlier this year, #2-seated cell phone carrier AU launched a partnership with Tokyo Mitsubishi UFJ Bank to access all of your banking functions over your cell phone, including balance transfers.  It's been hugely popular, and other carriers have followed suit.  The most profitable bank in Japan in 2004 was Shinsei Bank, which differentiates itself by essentially running an online-banking-only presence.  
Visiting a branch requires you to interface with your account using a PC, not a bank clerk.  &lt;br&gt;&lt;br&gt;Japanese people buy stuff online constantly.  Last year, online sales figures per capita in Japan were only slightly below that of America.&lt;br&gt;&lt;br&gt;In such a disaster-prone country as Japan, it would be short-sighted to assume that the Japanese government doesn't keep easily-backup-able electronic versions of important documents.  My family registry, proof of residency, and marriage certificate are all given to me via a laser-printed document (made official by a number of stamps).&lt;br&gt;&lt;br&gt;Stamps (hanko, inkan) are just as easy to copy -- if not more so -- as written signatures.  Life is made infinitely more difficult for the average person as one usually has a number of these stamps in slight variations in design.  They are the antithesis of simplicity.  There are no records provided telling you which stamp was used for a given document.  I've had documents rejected for not having the "correct" inkan, only to have the company later apologize for incorrect verification.  The illusion of security is amplified by the perception among people that hanko/inkan are un-forgeable  (password analogy, anyone).  It is common practice for a business to accept a document from someone other than the document holder simply because it has the correct hanko. There have been numerous news stories of wives emptying their husband's bank accounts and fleeing the country.&lt;br&gt;&lt;br&gt;The amount of data I push over my lines every month would *easily* be classified as "excessive use" (many times over).  
While it might be detected by the ISP, disconnections due to it are unheard of.&lt;br&gt;&lt;br&gt;I agree with, and appreciate, the crux of your argument completely, but do not think that these specific examples from Japanese society are strong fodder.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">akibako</dc:creator><pubDate>Sat, 19 Sep 2009 12:10:00 -0000</pubDate></item><item><title>Re: The History of the Internet - VIDEO</title><link>http://www.room362.com/archives/235-the-history-of-the-internet-video.html#comment-16817707</link><description>Interesting post. I have stumbled and twittered this for my friends. Hope others find it as interesting as I did.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Guest</dc:creator><pubDate>Thu, 17 Sep 2009 11:59:55 -0000</pubDate></item><item><title>Re: Corrections and Questions about Nessus on Securabit</title><link>http://www.room362.com/archives/637-corrections-and-questions-about-nessus-on-securabit.html#comment-16764070</link><description>Hey Mubix,&lt;br&gt;&lt;br&gt;First, thanks for posting the correction!  To answer your question about why the Nmap plugins are not included in the feed, I will refer to the documentation page on this topic:&lt;br&gt;&lt;br&gt;&lt;a href="http://www.nessus.org/documentation/index.php?doc=nmap-usage" rel="nofollow"&gt;http://www.nessus.org/documentation/index.php?d...&lt;/a&gt;&lt;br&gt;&lt;br&gt;It explains, in some level of details, about the integration of Nmap and Nessus and why the scripts are not included by default.  Essentially:&lt;br&gt;&lt;br&gt;"Nessus is optimized to work with "plugins", which are updated daily and distributed with the Nessus feed. Plugins are implemented in such a way that there is no memory utilization required to launch them -- the NASL interpreter is optimized in such a way that launching a plugin only uses several kilobytes. 
The operating system is not involved when a plugin is created, which makes the process of execution fast and efficient.&lt;br&gt;&lt;br&gt;However, since Nmap is an external application, Nessus calls it by launching a special plugin which actually executes the nmap binary, which is a costly operation. To make things worse, in the Nessus architecture each plugin is in charge of ONE host. This means that if you have configured Nessus to scan forty hosts at a time, then there will be forty instances of Nmap running in memory."&lt;br&gt;&lt;br&gt;Thanks!&lt;br&gt;&lt;br&gt;Cheers,&lt;br&gt;Paul</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Asadoorian</dc:creator><pubDate>Wed, 16 Sep 2009 14:57:57 -0000</pubDate></item><item><title>Re: KVM MITM</title><link>http://www.room362.com/archives/144-kvm-mitm.html#comment-16596746</link><description>Interesting idea.. any progress ?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">nikoli</dc:creator><pubDate>Mon, 14 Sep 2009 17:54:40 -0000</pubDate></item><item><title>Re: Getting your fill of Reverse Engineering and Malware Analysis</title><link>http://www.room362.com/archives/585-getting-your-fill-of-reverse-engineering-and-malware-analysis.html#comment-16293156</link><description>Hi,&lt;br&gt;&lt;br&gt;Seems you missed out our Malware Distribution Project, better known as MD:Pro, over at &lt;a href="http://www.frame4.net" rel="nofollow"&gt;www.frame4.net&lt;/a&gt; - we're a Dutch security company with world biggest private malware archive.&lt;br&gt;&lt;br&gt;And we have a more up-to-date +Fravia (RIP) archive here : &lt;a href="http://fravia.frame4.com/" rel="nofollow"&gt;http://fravia.frame4.com/&lt;/a&gt;&lt;br&gt;&lt;br&gt;Thanks,&lt;br&gt;Anthony</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anthony Aykut</dc:creator><pubDate>Thu, 10 Sep 2009 02:45:47 -0000</pubDate></item><item><title>Re: Pass the Hash Metasploit 
Demo</title><link>http://www.room362.com/archives/636-pass-the-hash-metasploit-demo.html#comment-15442313</link><description>Awesome video classic PTH attack.....</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">davidyoung</dc:creator><pubDate>Wed, 26 Aug 2009 18:43:47 -0000</pubDate></item><item><title>Re: OzymanDNS - Tunneling SSH over DNS</title><link>http://www.room362.com/archives/456-ozymandns-tunneling-ssh-over-dns.html#comment-15246887</link><description>I have bigpond mobile 3g usb wireless but it is only 10 gig max I could use before they slow me down to 5kilobit per second.&lt;br&gt;&lt;br&gt;How do I bypass the "shaping" slow down by bigpond if I use more than 10 gig data? Also could someone setup dns tunnelling for me please, I am clueless female :(</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">christabuchanan</dc:creator><pubDate>Sat, 22 Aug 2009 20:46:53 -0000</pubDate></item><item><title>Re: Lies</title><link>http://www.room362.com/archives/634-lies.html#comment-15207463</link><description>I admit, I'm not a real vampire. :(</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">LonerVamp</dc:creator><pubDate>Fri, 21 Aug 2009 16:01:09 -0000</pubDate></item><item><title>Re: Simplicity is Security</title><link>http://www.room362.com/archives/621-simplicity-is-security.html#comment-14984990</link><description>Mubix, You have a big point here as we all know that security through obscurity doesn't really work and complexity is just a synonym. Have you looked at why things in IT require so much complexity? I found two pertinent aspects: human behavior and outdated technology. Put them together and ... BOOM! Most people are trusting and find it hard to think about how to do harm. Thus, technological implementation of more secure solutions such as IPV6, secure ARP tables, secure DNS, cryptography and even the latest patches never get implemented in a timely manner. 
Being secure requires us to change our behavior. That takes a lot of work and there's no pill for it. As you say, in the US we want it all the easy way. In my opinion we will shift into a industry that will focus on education while having to provide very high abstraction for users as well as coming up with ingenious ways of keeping those users secure without them having to change their behavior too much. Technology isn't always the answer. What do you think?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">danpesserl</dc:creator><pubDate>Mon, 17 Aug 2009 19:21:42 -0000</pubDate></item><item><title>Re: Room362.com  &amp;raquo; Blog Archive   &amp;raquo; ASHEE has moved - Updated</title><link>http://www.room362.com/archives/32-ashee-has-moved-updated.html#comment-14905140</link><description>How do you make this foto its great</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Wallpaper</dc:creator><pubDate>Sun, 16 Aug 2009 06:37:30 -0000</pubDate></item><item><title>Re: Lies</title><link>http://www.room362.com/archives/634-lies.html#comment-14901010</link><description>If you ever do tell those lies in print again, remember the following:&lt;br&gt;&lt;br&gt;"Rock" is not "rock", it is "ROK" - Republic of Korea. And I did meet some in Vietnam in 1968.&lt;br&gt;&lt;br&gt;"SEAR" is not "SEAR", it's "SERE" - "Survival, Evasion, Resistance and Escape"&lt;br&gt;&lt;br&gt;Lies are only good if they're "correct" - unless of course the person you're telling them to is clueless and is likely to remain so.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Steven Hack</dc:creator><pubDate>Sun, 16 Aug 2009 03:20:54 -0000</pubDate></item><item><title>Re: OzymanDNS - Tunneling SSH over DNS</title><link>http://www.room362.com/archives/456-ozymandns-tunneling-ssh-over-dns.html#comment-14897703</link><description>I'm interested in the GoDaddy/DynDNS solution as well.  
Has anyone come up with something?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">doogman</dc:creator><pubDate>Sat, 15 Aug 2009 23:38:34 -0000</pubDate></item><item><title>Re: Maltego Keygen Crack Torrent and Offensive Security Torrent</title><link>http://www.room362.com/archives/200-maltego-keygen-crack-torrent-and-offensive-security-torrent.html#comment-14872466</link><description>interesting comments author - but your point is falling on dead ears it would seem m8</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">NiNJADMiN</dc:creator><pubDate>Sat, 15 Aug 2009 06:17:51 -0000</pubDate></item><item><title>Re: Room362.com  &amp;raquo; Blog Archive   &amp;raquo; DEFCON 16: The Tools not the Toools</title><link>http://www.room362.com/archives/178-defcon-16-the-tools-not-the-toools.html#comment-14826570</link><description>test</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">printer1</dc:creator><pubDate>Fri, 14 Aug 2009 06:08:08 -0000</pubDate></item><item><title>Re: Simplicity is Security</title><link>http://www.room362.com/archives/621-simplicity-is-security.html#comment-14814177</link><description>you didn't address the real point of security in that are they adequately protecting what they think is valuable with their current system? and is it meeting the Japanese level of efficiency they are known for, or do they just deal with it because it's inconvenient?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CG</dc:creator><pubDate>Thu, 13 Aug 2009 20:32:18 -0000</pubDate></item><item><title>Re: Simplicity is Security</title><link>http://www.room362.com/archives/621-simplicity-is-security.html#comment-14792866</link><description>We (as a culture, even outside of security and IT) have been making poor choices for a long time in the name of laziness.  The washing machine doesn't save any time in many households I've seen.  
Instead people have 2 or 3 costume changes per day, so they create more volume, and in the end the same amount of time (plus money for electricity) is wasted by using the washing machine.  One step forward, two steps back.&lt;br&gt;&lt;br&gt;The same holds true in IT and IT security.  The 'safer' I feel because of SSL certs, the lazier I get with my credit card info.  The more promises of a safety net I get from VISA regarding internet fraud, the lazier I get with keeping my CC info secure.  Etc.&lt;br&gt;&lt;br&gt;In the end, most people would actually be happier living in a hut in the middle of nowhere.  Less smog, less commute to work, and fewer people harassing them. But people are too stupid to see it that way.  They want malls, and cell phones, and other 'big city' things.  Security is the same way, imo.  People want to be secure, but they also want a credit card with a chip in it, so they don't even have to swipe the card through a reader (or even take it out of their wallet).</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan</dc:creator><pubDate>Thu, 13 Aug 2009 14:19:24 -0000</pubDate></item><item><title>Re: Simplicity is Security</title><link>http://www.room362.com/archives/621-simplicity-is-security.html#comment-14792226</link><description>Brian Krebs did a pretty good article about the value of a hacked machine.  ( &lt;a href="http://voices.washingtonpost.com/securityfix/2009/05/the_scrap_value_of_a_hacked_pc.html" rel="nofollow"&gt;http://voices.washingtonpost.com/securityfix/20...&lt;/a&gt; )  &lt;br&gt;I would make a comparison to an old shed that is no longer being used.  Even though I may not keep anything in there anymore. 
I still would not want someone squatting there.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">GoomRock</dc:creator><pubDate>Thu, 13 Aug 2009 14:05:50 -0000</pubDate></item><item><title>Re: Lies</title><link>http://www.room362.com/archives/634-lies.html#comment-14749714</link><description>I still like you.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brandon</dc:creator><pubDate>Wed, 12 Aug 2009 17:36:23 -0000</pubDate></item><item><title>Re: Lies</title><link>http://www.room362.com/archives/634-lies.html#comment-14730257</link><description>You military guys are crazy, but they need to be because one needs great amount of craziness to serve in military... just joking:-) you just did something awesome you have GUTS.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bramkie</dc:creator><pubDate>Wed, 12 Aug 2009 13:35:44 -0000</pubDate></item><item><title>Re: Lies</title><link>http://www.room362.com/archives/634-lies.html#comment-14707199</link><description>Congratulations - that took guts.  I hope you realize that such stories were not needed when your REAL credentials and abilities are actually more impressive and exciting.  You have my respect.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Omar Fink</dc:creator><pubDate>Wed, 12 Aug 2009 07:54:25 -0000</pubDate></item><item><title>Re: Metasploit Framework as a Payload</title><link>http://www.room362.com/archives/595-metasploit-framework-as-a-payload.html#comment-13812205</link><description>Nice tool, Thanks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Omally</dc:creator><pubDate>Sun, 02 Aug 2009 12:56:05 -0000</pubDate></item><item><title>Re: The Ethics of Teaching Hacking</title><link>http://www.room362.com/archives/464-the-ethics-of-teaching-hacking.html#comment-13343061</link><description>"...which starts to tread on "Tired of paying for office supplies?" - It's a slippery slope. 
"  That's a good point to make.  That said, I don't honestly think that Darren and Co were technically endorsing it (see comments below about framing).  There is a certain devious glee in finding a way to circumvent a security system (even if you wouldn't actually exploit it in practice), and Hak5 conveys that quite well - that's what makes the show fun.  When I figured out that the website handling my online magazine subscription (which allowed you to download the current issue in un-DRM'd PDF) didn't bother blocking the formulaic deeplinks to the actual PDF files, I admit to having an evil chuckle, but I used it to grab the few issues that I had forgotten to download at the time, and e-mailed the company to inform them.  It was amusing, and I mentioned it to a few friends, but not in a "hey-you-should-do-this" way, rather, just as a point of interest.&lt;br&gt;On a side note, the third  type of captive portal is the sort I've often seen in grocery/department stores: not intended for public use, but thus not charged for, either.  If I was in such a store, and needed to look up something quickly (say, a product review), that's not really any different from using the ubiquitous "linksys" AP for a moment because you're on the road and need to check your e-mail.  I'll leave the ethics of that up for debate here, but I doubt there's anyone reading here who hasn't borrowed some spare open wifi at some point or another...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jeffery</dc:creator><pubDate>Sat, 25 Jul 2009 23:52:01 -0000</pubDate></item><item><title>Re: Couch to Career in 80 hours or less</title><link>http://www.room362.com/archives/543-couch-to-career-in-80-hours-or-less.html#comment-12935074</link><description>Good presentation but you need to read your audience better.  
That or they are all dead inside.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Jonehs</dc:creator><pubDate>Sun, 19 Jul 2009 22:26:52 -0000</pubDate></item><item><title>Re: Getting your fill of Reverse Engineering and Malware Analysis</title><link>http://www.room362.com/archives/585-getting-your-fill-of-reverse-engineering-and-malware-analysis.html#comment-12806727</link><description>you can add this project in "Sandboxing and Analysis"&lt;br&gt;&lt;a href="http://sourceforge.net/projects/zerowine/" rel="nofollow"&gt;http://sourceforge.net/projects/zerowine/&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">fo0</dc:creator><pubDate>Fri, 17 Jul 2009 06:49:56 -0000</pubDate></item><item><title>Re: Sexism and the religion of hackers</title><link>http://www.room362.com/archives/614-sexism-and-the-religion-of-hackers.html#comment-12707810</link><description>Keep in mind that the comic has been modified now.  It's pretty good right now, as far as I can tell, and I agree with your assessment.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Wesley McGrew</dc:creator><pubDate>Wed, 15 Jul 2009 14:06:55 -0000</pubDate></item></channel></rss>