now browsing by tag


Linux Showdown 8

Source: TrueAbility

I’ve always had fun competing in the Linux Showdown’s at TrueAbility. It is time for this year’s Linux Showdown, beginning on March 16, 2015! I really recommend this linux showdown if you have any interest in linux at all. First, there is the simple benefit of being able to compete, to see how your linux skills stack up, against everyone else’s (who doesn’t like some friendly competition every once in a while), and secondly, TrueAbility can and will get you a linux related job, if you are on the market.

It will challenge your linux ability, to determine where you stand among every other linux user in the world. So, if you’re up for a challenge, or up to learning more about linux, I definitely recommend that you check out the TrueAbility Linux Showdown #8, and make sure you sign up for the competition that begins on March 16, 2015!

From TrueAbility’s website:

The Challenge

Round One

Begins March 16th

For this challenge, you’re going to be using your scripting skills to implement a “sub par assembler” dubbed:  spasm

Instead of using memory, we’re going to use the filesystem to store and manipulate our data. Your task will be to create a program (in the language of your choice) called /usr/local/bin/spasm  that can handle some basic operations.

Those of you in the top 50 will be invited to the next round, the rest are.. 0xDEADBEEF. Round 2 we make things a little more advanced… so save your script!

Round Two

Begins April 1st

Welcome to the next phase of  spasm  development! You gained an invite to this round by successfully completing the last challenge, and hopefully you saved a copy of it because we’re going to add some functionality to it in this round.

“Born at the Right Time”: How Kid Hackers Became Cyberwarriors

Source: Re/Code and NBC News

Found this particular article, and it struck a chord with me. For one, I have a 3 year old son, who I hope, in the back of mind, becomes involved with IT in some form or fashion. The other thing, that I’m always thinking about, is how I wonder I would have grown up, if I grew up in a different decade, more specifically, a more modern decade. I’ve seen quite the transition in my time. I remember dialing into local BBS over my 1200 baud modem, I remember all the crappy old ISPs like AOL, Prodigy, CompuServe, and even eWorld (yes, I was a member, for a short while).

Now I’m living in the age of high-speed data, where everyone has an email address, and the modern world is connected with copper and fiber. I’ve seen a lot in my days, and I’m curious what my son will see in his days.

Some quotes from the article(s):

A few years ago, when Greg Martin was in his mid 20s and teaching a computer security course for NASA engineers, he stumbled on an arcane bit of information that stopped him cold: the original set of rules governing the Internet, created in September 1981, the month he was born.

That coincidence helped Martin understand a little better his improbable journey from rural Texas to the center of the fight against cybercrime. A former child hacker who commandeered his high school’s servers and spent his teens studying, manipulating and repairing some of the earliest computer networks, Martin’s life had paralleled the rise of the Internet, culminating with an explosion in data theft, corporate espionage and digital warfare that made him and a generation of other self-taught security experts some of the most sought-after figures in Silicon Valley. “I was just born at the right time,” he said.

The escalating roster of high-profile attacks against America’s most powerful corporations, including a hack of Sony Pictures that stoked hostilities between the U.S. and North Korea, has fueled the rise of a cybersecurity industry in which a growing number of CEOs are native hackers like Martin, now 33 and the founder of a startup called ThreatStream, which helps companies and government agencies share data on attacks as they develop around the world.

Read more of this article at Re/Code and NBC News.

Average company now compromised every four days, with no end to the cybercrime wave in sight

Source: ZDNet

A scary new statistic out about why it is important to maintain security within your organization. Please contact us to help you ensure that your company isn’t being actively attacked, and to secure not only your exterior, but your internal systems as well.

Here is a short quote from the article:

In a rapidly shifting attack landscape against the backdrop of a hackers’ black market worth billions, if you wait to pentest — you lose.

Still, unless required by law, too many companies and organizations only do a penetration test when they have to.

Often, it’s because they need to comply with regulations or they’ve been told they need to prove they’re secure, in which case it’s a checklist security audit by the numbers.

Most unfortunately, too many only do a penetration test after they’ve been scorched: When hackers have successfully gotten in, executed a payload, and made off with valuable IP, records, customer PII, and cost the company more than it probably knows or can calculate.

Hacker Myths Debunked

Source: TripWire

Interesting article discussing the culture, and/or the lies about the stereo-typical “hacker”. I remember, reading a book in high school (can’t find the title now), that mentioned stuff about your average hacker, and how the stereotypes back in pre-2000 were that they are fat, and have cats, and attempted to disprove those stereotypes.

Quote from TripWire:

 Myth #1: Hackers Are Maladjusted Young People Who Live In Their Mothers’ Basements

We all know this one quite well. Some of the most dangerous hackers—the myth goes—wear black T-shirts, have long hair and are under 30 years of age.


Myth #2: Hacking Is A “Boys Only” Club

Hacking may be a predominantly male activity but that doesn’t mean that there aren’t female hackers out there.


Myth #3: All Hackers Are Masters of Their Craft

The way we paint hackers today elevates them to a level of unmatched technical prowess. Using this platform of expertise, they compromise any system they want with ease, regardless of whatever security protocols may be in place.


Myth #4: All Hacking Is Bad

The notion that all hackers intend to cause harm is one of the biggest hacking myths today.

Another Story Of A ‘Fake’ Brilliant Inventor? Is ‘Scorpion Walter O’Brien’ A Real Computer Security Genius?

Source: TechDirt

Another Story Of A ‘Fake’ Brilliant Inventor? Is ‘Scorpion Walter O’Brien’ A Real Computer Security Genius?

from the more-of-this-crap? dept

There’s apparently a new TV show on CBS called Scorpion that has received mixed-to-decent reviews. It supposedly is about some computer security geniuses/outcasts who help “solve complex, global problems.” However, Annalee Newitz’s description of the stupidest, most batshit insane hacker scene ever from the first episode, suggests that the show is not worth watching. In the past few years, it had been kind of nice to see Hollywood actually seem to have some clue about accurately portraying hacking in some situations, but that’s all apparently been tossed out the window with Scorpion. Even if you don’t read Newitz’s story (or view the video clip), just know it involves an ethernet cable hanging from a flying plane with a car racing beneath it to download some backup software needed by the airport so planes can land. Yeah.A big part of the show’s marketing is the claim that the story is partially based on the life of one of the show’s executive producers, Walter O’Brien. CBS News has an article talking up these claims of O’Brien’s amazing feats, helping out its parent company, CBS, who broadcasts the show. But… for such a “genius,” many of O’Brien’s claims are coming under scrutiny, and they’re not holding up well. Having just gone through the whole Shiva Ayyadurai / inventor of emailcrap, it’s beginning to sound like a similar case of someone pumping up their own past for publicity purposes.

The claims about O’Brien are both odd and oddly specific. Here’s CBS’s reporting:

Walter O’Brien has the fourth highest IQ in the world.

Elsewhere, he claims that he was “diagnosed as a child prodigy with an IQ of 197.” First off, there are significant questions about IQ as a particularly useful measurement of anything. Furthermore, the idea that there’s some definitive list of those with the highest IQs seems equally questionable. A quick Google search will show you a whole bunch of “top 10 lists” of IQs — all of them different, and none of them including anyone named Walter O’Brien.

O’Brien’s story started unraveling when he made the somewhat unwise decision to do a Reddit AMA. Redditors are pretty good at sniffing out completely bogus claims, and it didn’t take them long here. Also, Asher Langton has been doing a bang up job debunking basically every claim that O’Brien makes.

Among other things, O’Brien’s story claims that he began Scorpion Computer Services in the mid-1980s and that “Scorpion has mitigated risk for 7 years on $1.9 trillion of investments and has invented and applied Artificial Intelligence engines to protect United States war fighters in Afghanistan.” It’s not even entirely clear what that means. It goes on:

Since 1988, Scorpion’s team of world class experts partner with clients on a global basis, across industries, to add real measurable value in mission-critical initiatives from planning, to execution, to running the business. Scorpion’s senior management has a collective knowledge of more than 413 technologies, 210 years in IT, and 1,360 projects. Scorpion himself has created over 177 unique technology inventions including ScenGen and WinLocX and is one of the world’s leading experts in the application of computer science and artificial intelligence to solve complex industry challenges.”

Again with the odd, and oddly specific claims. They have knowledge of 413 technologies? Do they have a list somewhere? Does it include the coffee machine in the lunch room? Did they send someone out to get the new iPhone 6 to make it 414? Either way, there are… just a few problems with these claims. As Langton points out, the “headquarters” of Scorpion Computer Services Inc.does not appear to be a particularly large or impressive company. Its headquarters is actually… a UPS store address That report notes that it has one employee, and revenue of $66k. It’s possible that the report is inaccurate, but for such a big and successful company, you’d expect to see… at least a bit more historical evidence of its existence. But there is none.

And then there’s this page (and here’s the web archive version in case O’Brien figures out how to delete the old page), which apparently used to be the site for Walter’s Scorpion computer Services, that, um, looks like it was built on GeoCities — complete with the animated fire torches next to the dreadfully designed logo.

For a big, massively successful company… you’d expect, um, something a bit more professional. Walter’s own Linkedin profile notes that he actually worked at Capital Group for a while, with redditors claiming he was just a QA guy there, though his profile says he was a “technology executive.” Many other claims on the company’s website read like self-promotional gibberish. “We saved $43 billion in opportunity risks over a five-year period.” “We invented an efficiency engine that performs 250 human years of work every 1.5 hrs with over 99% improvement over human error.” By the way, the “see how” link on that last one doesn’t actually show you “how” it just takes you to a page about how the company is a value added reseller “for proven IT products.” The entire website looks like gibberish from someone trying to sound like a real tech company. It reminds me of Jukt Micronics.

Langton also turned up that O’Brien appears to have another “company” called Strike Force, using the same UPS Store address, and with very, very, very, very similar website design and bullshittery. That site has a really bizarre “what others say” page, listing out random referrals for O’Brien, which are generally just the standard empty “personal reference letters” people without much experience tend to ask some former colleagues for when looking for a new job. The first one is from Steven Messino (with the date conveniently stripped off) which looks like the generic job reference letter:

Note that O’Brien claims that Messino is the co-founder of Sun. That’s… not true. Anyone who knows anything about the history of Sun knows it was co-founded by Andy Bechtolsheim, Bill Joy, Scott McNealy and Vinod Khosla in 1982. Messino’s own LinkedIn page shows he joined Sun in 1988. Six years after it was founded. Also, Sun had its IPO in 1986. So it’s not like this was a small company when Messino joined… as a “regional sales manager.”

Basically, everywhere you look, O’Brien’s claims are either massively exaggerated to downright ridiculous.

There are also some odd personal claims about “Homeland Security” coming to find him as a 13-year old boy for hacking into NASA. Except, when he was 13, there was no Homeland Security — an agency established after the September 11, 2001 attacks. O’Brien also claims this:

Scorpion was born and raised in Ireland, and at 16, ranked first in national high speed computer problem solving competitions. At 18, he competed in the World Olympics in Informatics and has ranked as high as the sixth fastest programmer in the world.

Sixth fastest programmer in the world? Really? Some folks on Reddit noted that it doesn’t appear Ireland competed in the “International Olympiad in Informatics” in 1993, though someone else found a report from the University of Sussex, which O’Brien attended, noting that O’Brien hadcome in 6th in a different contest, but in the Olympiad itself, he came in 90th. I mean that’s great for an 18 year old, but it hardly makes him into some programming genius.

And we won’t even touch the claims that his programming helped catch the Boston Marathon bombers, because… well… really?

Frankly, the parallels with Ayyadurai and the email story are there. It certainly appears that, like Ayyadurai, O’Brien was a bright kid who did some impressive programming as a teenager, but then didn’t appear to amount to all that much noteworthy beyond that. Try searching for any news references or evidence of O’Brien doing anything other than in the last few months in the publicity leading up to this new TV show. However, he is trying to reinvent himself and rewrite his history as some sort of genius programmer responsible for all sorts of amazing things, very little of which seems directly supportable. Of course, CBS doesn’t really care, so long as they have a fun TV show that people watch, but at the very least, they shouldn’t continue to spread the exaggerated myths about O’Brien that appear to have little basis in fact.

VArmour Comes Out of Stealth With Plan to Secure Data Centers

Source: Re/Code

Barely a day goes by without a news report about a hacker attack, or the revelation of a new security vulnerability to worry about. The rise in computer breaches has sparked a new generation of startups that are thinking about security in new ways and enticing investment.

Today, vArmour, a Mountain View, Calif.-based company whose ability to attract venture capital funding we noted last month, is coming out of stealth mode. Its plan is to offer companies ways to secure their data centers against some of the new tactics that attackers use to sneak in.

While computers have evolved, the ways in which they are secured largely have not. More than half of the computing workload in a modern corporation makes use of so-called virtual machines, which uses software to allow one physical computer to act like many. Most of the servers on the Internet, in fact, make use of virtualization, a backbone technology of cloud computing.

And while virtualization has done wonders for computing efficiency and flexibility, it has also created weaknesses that an attacker could exploit and that can also hide the attack itself. On average, attackers are spending more than 240 days perusing a target’s network looking for the juicier files to take before being detected.

VArmour founder and CEO Tim Eades represents a new school of thought in computer security circles that can be best summed up like this: Determined hackers are going to get in, one way or another, so it’s better to catch them in the act and silently study their techniques and learn how they got in. We saw this in the attack against the New York Times disclosed last year.

“The thing that’s not being understood with all these breaches are sometimes the most basic questions: Where did the attackers get in? How did they navigate to it? Where is patient zero?” he said. “If you can’t tell me exactly where they came in, then you can’t shut the door.”

Eades says data centers are suffering from what he calls “invisible east-west traffic.” When virtual machines talk to each other, in the parlance of data center nerds, they’re talking “east to west,” as opposed to the “north to south” traffic between physical machines. It’s so named because servers, storage and networking gear are stacked on top of each other in a data center. (Up-down equal north-south, get it?)

Once a hacker gets inside a network, more than 80 percent of attacks on data centers, Eades says, take place in that “east to west” territory. They get inside and start sniffing around, hopping from one virtual machine to another, looking for the good stuff to take. Most security products date back to the days before virtualization and so are more focused on the “north-south” connection between physical machines, essentially guarding the perimeter. Trouble is, those tools are busy looking for trouble outside, while the attack is likely happening right behind their backs.

“It’s one thing to shut the gate, but quite another if you don’t know what side of the gate the bad guys are on,” Eades said.

The answer, according to Eades, is to create small virtual machines that can be deployed anywhere in the data center. He calls them sensors. “When the sensors see something suspicious, they can actually do something about it,” he said. “They can stop it, they can move it. But most of our customers don’t want to stop it right away. They want to observe the attack as it happens and see what the perpetrators are up to.”

Putting software sensors throughout the network puts the protection where it’s needed most: Right next to a company’s critical data. Think of the sensors as bodyguards watching over anything on a network — including the traffic between virtual machines — sounding a silent alarm if anything suspicious is going on.

It makes sense in a world that is shifting its computing resources toward the cloud. And so vArmour charges like a cloud vendor: Customers pay for what they use. “The model has to change. In the old ‘up to’ model, you pay for 100 percent of something, even if you’re only using, say, 37 percent of that something.” That allows customers the flexibility to use more sensors when they’re under attack, and throttle back down later. “The legacy security companies are going to have a hard time adjusting to that,” he said.

VArmour last month closed a $21 million C round led by Columbus Nova Technology Partners, Citi Ventures and Work-Bench Ventures, and also disclosed a $15 million B round led by Menlo Ventures which it closed late last year. It has raised a combined $42 million. Eades sold his last security company, Silver Tail Systems, to RSA, the security unit of tech giant EMC. The deal was said at the time to value Silver Tail in the neighborhood of $300 million.