Friday, January 18, 2013

Aaron's suicide: System Contributed, Society Perpetuated

If you are unfamiliar with the circumstances surrounding Aaron Swartz's suicide, the rest of what I have to say will not make any sense to you. 

Aaron Swartz, an inspired and inspiring fellow hacker, left us by his own hand at the age of 26. This story, his story, is nothing less than tragic. The world is lesser without him. For his [alleged] "computer hacking crimes," he faced 35 years in prison, 3 years of supervised release, and fines of up to $1 million. This degree of punishment is more than someone would receive if found guilty of providing direct support to terrorists in the acquisition of nuclear weaponry. Think about that. Angry? So am I, but that's not enough.

If you believe the actions of the Massachusetts U.S. Attorney’s office, and those of prosecutors Carmen Ortiz and Stephen Heymann, were atrocious, reprehensible, despicable even, and think, as Aaron's father does, that their actions contributed to his son's death, I'm with ya. At least 43,666 share similar outrage with you, well, us. A White House petition is calling for Ortiz's removal from office. Burn the witch! But be careful here: if you think this will change a damn thing, that society's usual focus of rage will somehow save a future young life and lead to some kind of social justice, that’s where we part ways.

You see, many will look at the circumstances and correctly conclude, “something is wrong here” and “something needs to change!” Unfortunately, they'll focus their rage on the wrong things, things they are told to get upset about, and mistakenly serve to protect the system that contributed to Aaron's suicide. They'll focus rage on the prosecution's behavior. They’ll focus rage on “appropriate punishment” of the crime. They’ll focus rage on amending or removing a defective CFAA law and supposed intent of that law. They’ll focus rage on obtaining social “justice.” Bzzz, wrong! Fake out!

I concede that these are normal, natural, yet systemically trained responses. Rage focused this way guarantees that more similarly minded political appointees get, well, appointed. Rage focused this way guarantees we’ll get no justice. 

Aaron’s story was never, ever about “the law” or that pesky word, “justice.” Like ~90% of cases, this was NEVER going to get to a trial. You know, the visual you get where you have rights to a judge, a jury of your peers, to call witnesses, the opportunity to confront your accusers, articulate lawyers and everything else you see on Law & Order. Like "justice," getting a trial, where justice is supposedly decided, was never on the negotiating table. The prosecution didn’t want it. Aaron and his lawyers didn’t want it. This entire charade was about plea bargaining, a place where you have none of these "constitutional rights." This case was all about the manufacturing of yet another felon, about career advancement. Look, one of Aaron's prosecutors admitted as much right here:

“I must, however, make clear that this office's conduct was appropriate in bringing and handling this case.”
Carmen Milagros Ortiz, United States Attorney for the District of Massachusetts

Please don’t waste time debating whether or not you feel the prosecution was going too far. That’s the fake out. The same fake out you’ll see in the headlines that protects the system. That answer doesn't matter. Instead, ask yourself WHY the prosecution thought their “conduct was appropriate.” That's the dangerous question few are willing to entertain. They really do think that, you know. They’re not lying. Prosecutors are trained to think that way. We train them to think that way. And from the system's perspective, it was! Appropriate.

You don’t agree? I don't blame you. If this was anything about justice, please explain to me why on the same website, in the Office of the US Attorneys’ own mission statement, does the word “justice” appear exactly nowhere.

A clever, curious person might ask, "if not justice, what is all of this really about?" Well, if you work for the U.S. Attorney’s office, or work as any trial lawyer for that matter, your career is weighed and measured by your Win - Loss record. And in case you didn’t know, plea deals are a “Win” for all the attorneys, no matter what side of the divide they are on. Plea deals are faster, cheaper, and again where the defendant has little to no "rights," which is why power loves 'em -- protects them.

Secondly, taking on high-profile cases like Aaron’s and “winning” are worth extra points. It gets the attorney's name out there, helps them differentiate from their peers, and advances careers. It’s all about the money power baby. Don’t believe me? Ask Gloria Allred. Ask Aaron’s attorney. Don't bother, Wired already did:

“Heymann [prosecutor] was looking for "some juicy looking computer crime cases and Aaron's case, sadly for Aaron, fit the bill," Peters said. Heymann, Peters believes, thought the Swartz case "was going to receive press and he was going to be a tough guy and read his name in the newspaper."”

Unconvinced? Biased source, right? Check out the press release from the U.S. Attorney’s office website about the case. "Alleged Hacker Charged With Stealing Over Four Million Documents From MIT Network." Yes, that's a PRESS RELEASE! PRESS PRESS PRESS. Why does this impress you, society? And it does, because they wouldn't do it otherwise. I'll tell you what lawyers are NOT graded on: their appropriate application of that nebulous word, “justice.” Otherwise we'd see big headlines espousing that. We don't. Still too cynical for you? Maybe this will help, but it won’t make you feel better:

“Ortiz [prosecutor] said it was a generous deal her office offered, and it took into account that Swartz’s actions were not financially motivated. She said Swartz would have been confined to a “low security setting.””

Please show me where appropriate application of justice entered into the thought process, especially when there were no plaintiffs left at that point. I'd be willing to bet law school systemically eliminates justice-minded do-gooders. Now, have another look at that US Attorneys’ mission statement. See what does appear?

“United States Attorneys are appointed by, and serve at the discretion of, the President of the United States”

Ask yourself, are political appointees selected on their career merits or on the basis of their political clout? Bzzz. Sorry, trick question. The answer is already on US Attorney Carmen Ortiz’s very own Wikipedia entry. Says it right there in the second sentence, immediately after her title.

“In 2009, she was nominated to the position by President Barack Obama. Ortiz is both the first woman and the first Hispanic to serve as U.S. attorney for Massachusetts.”

Unless you count being born a woman and Hispanic as an accomplishment, the answer is plain as day. Make the boss man look good! I know this comment borders on racist, sexist. Please understand I've no intention of diminishing her personal accomplishments in this regard. I'm sure she had it tough. What we must question, as her customers, her subjects, is how this makes her qualified to administer justice. And apparently we think it does, otherwise why would her gender and ethnicity be highlighted first?

Oh, and I’m also sure the possibility of Ortiz being a potential Democrat gubernatorial candidate in Massachusetts had zero effect on things. Right.

Under these circumstances, if you change or repeal the law, so what? It was never about the law, or application of justice, remember. Go ahead, call for her dismissal. Change the political appointee in the same power structure. So what? Another similarly minded and well-trained appointee will gladly take their spot before the day is out. Focus on defining “appropriate behavior” when the incentives are perverted against justice. Good luck with that.

Do all these things. Declare your victory! Get your social justice and pound of flesh. What you'll also do is protect the system that manufactures felons and contributes to the suicide of our best and brightest. Do everything, but ask the dangerous question... WHY. WHY does basically everyone take a plea deal? WHY do prosecutors prefer them? You better ask it, because it's the only justice system any of us are likely to experience. You do know most everyone is committing three felonies a day, right?

And so what if Ortiz is fired. It's not like she is going to be disbarred. She'll immediately go across the street to a private firm working the other side of the table, probably making far more money too. And if you are in a similar position to Aaron's, you'll find her credentials impressive. A "former" U.S. Attorney appointed by the President of the United States, who knows all the players and the plea bargain process. Hell yeah. Because when YOU are facing hard time you'll not be the slightest bit interested in justice after all. What you want is to get off, and she's the best person for the job. Did you know Aaron's attorney, Elliot R. Peters (Partner at Keker & Van Nest LLP), previously worked in the U.S. Attorney’s Office, Southern District of New York?

Let’s explore one layer deeper into the perversity of the system. Upon Aaron’s death, Federal prosecutors were forced to dismiss the charges against him. Not because of a lack of evidence, mind you, but because there is no defendant, obviously. In addition to a PR hit, we must assume a “dismissal” counts against the prosecution's Win-Loss case record. From that perspective, the prosecution did NOT want Aaron to die. They would have much preferred him to live, take a plea, or at least suffer a conviction. On the other hand, Aaron’s attorneys scored a dismissal -- a “Win.”

Whoa, whoa there. I’m not saying Mr. Peters or Keker & Van Nest LLP wanted Aaron to die. No. What I’m saying is that the system is set up such that when something like this happens, something that sparks true outrage, then that rage needs to be directed, and the defendant's attorneys don’t lose. That’s important because otherwise they wouldn’t play along in the farce.

But that can’t be, the thought is too terrible to bear. I agree with you. Their defendant committed suicide after all. What do they do then? Aaron's attorneys immediately focus rage on the prosecution for being, what’s the word they used, “intransigent.” Whatever. They, the prosecution, are the real problem here! Right! Wrong! Whatever you supposedly chose on your own doesn't matter one bit. The point is you picked a side and played along. The point is you, society, bought it. Burn the witch!

All that happened here was Aaron died and the system won.


Thursday, April 12, 2012

Written Speech: TEDxMaui -- Hack Yourself First


Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage -- nothing short of amazing -- life changing. While the Hack Yourself First video recording was recently posted, no amount of preparation would allow me to really say everything that I wanted to and in the order necessary. Everything I really wanted to say, in the written version...

-----

Every day, every day the life-blood of our nation, the fuel of our economic prosperity, is being sucked away, invisibly and without our knowledge. Every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers. Hackers, who are located both domestically and abroad, are getting away with data by the terabyte daily and are profiting in the billions annually. 


And do you know why?

Because hacking is easy. Because hacking works.

I know this because I am a hacker – no, not THAT kind. My kind is like the Jedi as opposed to the Sith. You know, there are the good guys and there is also the dark side. In the world of hacking it’s no different.

More than being a hacker, I teach other people how to hack. In fact, I teach a lot of people how to hack -- all sorts of ways to hack into banks, retail websites, social networks, government systems, … into computers just like yours and your online accounts. I teach people how this can be done from anywhere across the Internet. 

I’ve been invited to teach these skills, publicly, for the past decade -- to businesses, to government agencies, to university students, and industry groups, across six continents. I share stories about precisely how every day people, just like you, and businesses, just like those you own or work for, governments too, have been hacked into, often and with ease.

I bet many of you are wondering why this is a good thing, teaching people how to hack. I know hacking is often stereotyped with illegal or nefarious activity. I also know that teaching people how to hack, building up our cyber-offense skills, and focusing these skills inward at ourselves are critical to our national security and to helping ensure the economic well-being of us all.

I call this approach, Hack Yourself First, a concept that can, and must, be used as a means to defend ourselves.

I feel so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies, who do business online, to hack into them and explain how we did so. And they pay us a lot of money to do this work. On the average website, our team can identify one or more security gaps, usually in under 20 minutes.

In under 20 minutes we’re able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers' accounts, or steal data they have on the system -- all the things that could have made headlines like those you’ve probably seen a lot of in recent years. This is actually what they are doing right now back at headquarters. This is the work we do every day.

And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them.

These companies pay us to hack them because they know, as we know, that anything and everything connected to the Internet will endure some type of cyber-attack, likely several a day. They want to avoid being another headline, another cyber-crime victim. They want to know what the bad guys know, or eventually will, so overlooked problems in their security can be fixed. And all this, so you can remain confident in doing business with them. 

So, Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses, we call them vulnerabilities, and the good guys who find and fix them. Unfortunately, no one is quite sure what group has more people. It would not surprise me if the good guys are outnumbered when it comes to Internet security, as anyone with an Internet connection can become a malicious hacker these days, and earn money doing it.

What you might find interesting is that many hacking techniques are not sophisticated. There are tricks that really anyone can do. In fact, I’d like to teach one of our tricks right now.

*REDACTED* Watch the video! ;)

See, I’ve now taught the people at TED how to hack. Keep an eye on the people sitting next to you. They’re hackers now!

I’ve also shown methods to steal or reset someone’s passwords, monitor their email, snap pictures of them with their computer’s built-in webcam without their knowledge, siphon money out of their bank account, find out what websites they visit, make it look like they downloaded child pornography, and the list goes on. Doing any of this requires only slightly more sophistication than what I just described in many cases. If I had an hour, instead of 15 minutes, I could teach you how these things are also done.

I should mention that firewalls and anti-virus software don’t provide any sort of real protection to any of this. It’s kind of like wearing sunglasses and expecting not to get a sunburn. They’re better than nothing, but far from solving all your problems. 

We all have a vested interest in the Internet and its future. 

A few years ago I recognized that the bulk of not only my professional life, but my personal life as well, was spent in front of a computer. 

One day I wanted to get out and do something else, anything else, for a few hours, as long as it wasn’t in front of a computer screen or on a cell phone, which is nothing more than a tiny computer these days. I considered watching TV or a movie, listening to or learning music, reading a book, writing a book, researching something new, buying something nice for my wife, etc.

The trouble was these things are typically done on a computer these days. I had to try really hard to think of things that have nothing to do with a computer – something that gets increasingly more difficult each year with technological advancement.

It occurred to me that the vast majority of my life, and the lives of those around me, are completely tied to pervasive computer use – and an Internet connection. That’s when it really hit me that my work on Internet security is important to just about everyone. Look around at how many of you here brought your laptops, your iPads, and smart phones, and are right now connected to the Internet. Without the Internet, many of us might not even know when and how to get to our next appointment.

By the way, are you using the public WiFi? Just curious.

The Internet has been instrumental in helping overthrow oppressive government regimes. At the same time our leaders, from the US and UK governments, are on the record having reserved the right to retaliate against cyber-attacks with military action. Bombing computers and computer hackers is part of the plan. I guess you might call this policy bombs for bits, a policy that should really concern us.

When you think about it that way, Internet security, computer security may now be more important to you than it was a moment ago. Isn’t it?

I’d bet that everyone – everyone here, everyone who will be eventually watching this video – at some point has had their computer hacked into and been infected with viruses, had one or more of their online accounts previously taken over, or at the very least knows more than one person who has. 

Does anyone here want to claim they’ve never been hacked? If so, please raise your hand, I’d like your email address and we’ll get that sorted out.

Hacking, malicious hacking, cyber-crime, has already touched all of our lives, and does so more often than we are lucky enough to be privy to. These days many experts believe you are more likely to be a victim of cyber-crime than any other crime. 

For you, most of the time getting hacked means a slow running computer, annoying pop-ups, losing some money, your personal information exposed, identity theft, and perhaps some public embarrassment. Bad, but not THAT bad.

If you are a politician, celebrity, news outlet, or a corporate executive, your position, your access, puts you at even more risk  -- including those closest to you – the bad guys will hack their way closer to you, one friend or family member at a time if they have to.

For businesses and governments, who are also hacked into daily, the damage is often far more severe. Professional cyber-criminals who target them of course are after money, but they also want intellectual property, trade secrets, and military capabilities, which can be worth much more than the contents of any bank account. These things are vital to our economic well-being and national security. 

Even more revealing is who they work for and what motivates them. For this I’d like to quote Ian Bremmer, President of Eurasia Group.

“When you have hundreds of western multinational corporations that have seen industrial espionage, that’s been directly targeted at them through cyber attacks, massive unprecedented cyber attacks, that were either directly organized by the Chinese government or were known about and actively tolerated by the Chinese government on behalf of Chinese corporations -- that’s a pretty good description of a war.”

There is a reason why the Chinese fighter jets and rockets look suspiciously similar to our own.

I don’t mean to single out China, they are certainly not the only ones being called out for engaging in cyber-crime and cyber-espionage. On that list is also France, Russia, Estonia, Romania, Ukraine, etc. There is no solid confirmation, but it wouldn’t surprise me if most countries in the modern world are actively engaging in cyber-offense.

Mr. Bremmer goes on to say...

“National security is no longer about tanks. National security is increasingly about economic well being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the Soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.”

That is exactly right! 

How can a corporation, even the largest, let alone small businesses and individuals, possibly defend themselves against such an adversary -- literally, armies of well-funded, nation-state sponsored hackers? Hackers professionally trained, with no reason to fear our laws, who are equidistant from their victims, that’s US, and operate 24 hours a day, 7 days a week, 365 days a year.

Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens when it stays up. I’m worried about the long-term economic damage, the loss of our ability to innovate, the inability to take advantage of the opportunities that the Internet provides. Most of all though, I’m concerned about what happens if the majority of people, all of you, lose confidence in the system -- the security of the Internet – and either stop or limit your use of the Internet.

New laws against hacking are not going to help this problem. Conventional warfare tactics are not much good either. The perpetrators can be geographically located anywhere, are extremely difficult to identify, prove attribution for, and track down, even harder to extradite, and then finally successfully prosecute. Not to mention foreign governments are highly unlikely to turn over soldiers in their own hacker army.

Having said that, improving international cyber-crime law enforcement is a path necessary to pursue as part of a larger program, but we should be realistic about its limits.

People ask me all the time, what do we do? How do we secure our computers, our networks? How do we secure the Internet? The reality is that a problem as diverse and wide-reaching as cyber-crime cannot be solved by any one thing, but I’ll tell you this -- protecting the Internet requires a completely new way of thinking. I have an idea, an idea worth sharing. Hack Yourself First. An idea furthered by teaching people to hack, and in a manner of speaking, making hacking legal.

While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense. Offense can be used to inform defense. 

Hacking a system that doesn’t belong to you, without the consent of the owner, is against federal law, as it should be. The problem arises when system owners don’t provide consent, which only serves to ward off Good Samaritans who would have gladly shared what they knew and helped protect their users. The bad guys, the real bad guys, do not care and are not deterred.

What most don’t realize is that any individual, business, government department and so on can actually invite hackers to test their systems lawfully, and provide a safe way to share their results. Put simply, anyone who wants to can try to hack in. I realize for many that suggesting such an approach might appear counterintuitive, but what it’s not is unprecedented.

Recently a few forward-looking companies started new programs and did exactly that -- openly welcoming hackers, they use the term “security researchers,” to attack their systems and publicly crediting them for their discoveries. It’s almost like crowd-sourcing Internet security. Some are even rewarding those who point out serious security gaps with stacks of cash. The industry calls these Bug Bounty programs.

The companies offering these programs are far from obscure, these are some of the biggest sites, who have hundreds of millions of users, transacting billions of dollars, and are some of the most visible companies on the Internet. You may have heard of a couple of them. 

Google, Microsoft, PayPal, Facebook, Salesforce.com, and Mozilla. All of which have directly felt the pain of nation-state sponsored attacks and/or organized crime. They’ve committed not to sue or press charges against security researchers who find vulnerabilities in their systems and discreetly share the details with them. Collectively they’ve awarded millions of dollars to security researchers and resolved thousands of previously unknown issues, which protects us all.

These companies have stated their programs have proved extremely cost effective, helped them identify and hire security talent, eliminated many negative PR headlines, and improved security for themselves and their customers. Huge wins for everyone. All the warnings detractors gave about why bug bounty programs were a bad idea simply failed to materialize.

Unfortunately, Internet security history is littered with counter examples where other companies have responded hostilely to those trying to help, such as Daniel Cuthbert, Patrick Webster, and dozens of others.

This reminds me of Rule #1 of recreational hacking: 
Never ever, ever touch government or military systems. 

A rule written well before they mentioned anything about a militaristic response. Anyway, the rule reminds curious hackers that the government, should they choose to track you down, has an enormous budget of time and money to do so – far more than any company, all of which must eventually consider the cost effectiveness of investigations. What it also means is that to hackers, the Jedi, government and military systems are like the forbidden fruit.

So imagine the excitement if our government and military officials truly started to embrace “Hack Yourself First” and offered up bug bounty programs! Let me tell you, every aspiring and well-known hacker out there would jump at the chance to match their skills against the cyber-defenses of whitehouse.gov, fbi.gov, army.mil, and the thousands upon thousands of other systems. The street-cred alone would be worth it to many, but a bonus would be helping to protect their country.

There is no reason such a strategy could not be adopted by just about anyone. Doing so could end up being the most important long-term economic and national security decision.

I used to work for Yahoo. 12 years ago I hacked Yahoo Mail. More accurately I hacked into my own Yahoo Mail account, to see if I could do it. Some people have hobbies like artwork, sports, cars -- I hack. I found a way, several ways actually, to get into my inbox without needing a password. I let Yahoo know the details – promptly and privately. In return they gave me a t-shirt. I was pretty excited about that.

A dialog followed with one of the founders, which later earned me a job -- to hack everything that Yahoo had, before the “real” bad guys did, and my experience there led to a career. 

A company with a different point of view might have decided to call their lawyer, or the cops, file a lawsuit, and cost me my job and the freedom of a 21 year old. In which case, I wouldn’t have been in front of you here today -- teaching you how to hack and the importance of Internet security.

Remember, security is optional, but so is survival. 

It has been said that if you are playing a game that you can’t afford to lose, then you must change the rules. Hack Yourself First.


Monday, January 23, 2012

TEDxMaui -- Hack Yourself First

Update 04.12.2012: Video of the presentation embedded below.

Ten years ago if you would have told me that I'd be back living in Hawaii, founder of a fast growing technology company, and a TED speaker -- I would've said, "What's a TED?" Preparing for TEDxMaui was extremely difficult. The presentation format is completely different than anything I’ve ever done before. It was limited to just 18 minutes as opposed to 50, and given to an audience of everyday people eager to see something amazing, instead of security professionals and high-tech workers. The message had to be crystal clear. Since TEDxMaui videos won’t be published until late February, you’ll have to settle for my substandard textual description for now.


I wanted everyone, both the viewers in the audience and those who would eventually watch the video, to deeply appreciate the crucial importance of Internet security. I want everyone to know that to discuss Internet security is really to discuss our economic well-being and our national security, and I want everyone to know that both are under attack -- every single day. Most of all I wanted everyone to know that hacking, and people learning how to hack, is absolutely essential to defend ourselves. I labelled this concept Hack Yourself First, the title of the presentation. Hack Yourself First advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.

Before presenting Hack Yourself First I had to first imagine how the audience would respond. Most watching undoubtedly have only had negative experiences with the words “hacking” and “hackers.” All they likely knew of hacking is in relation to viruses infecting their computers, stealing money out of (their) bank accounts, TV interviews of shadowy characters wearing Guy Fawkes masks, salacious articles featuring cyber villains, and of course bad Hollywood movies. Whether we like it or not, these are the ambassadors of hacking, so the idea of teaching cyber-offense skills might be considered akin to illegal activity. Just the same, there I was on stage revealing that, “Yes, I am a hacker -- but not like them.”


I don’t know what precisely it was that I said, but the message of Hack Yourself First undoubtedly resonated in a big way. No less than a hundred people introduced themselves to me afterwards excitedly asking, “How do I learn to hack myself first?” Perhaps I shouldn’t have been, but I was blown away. And not just the very young or student age, I’m talking about people 45 up to 70 years old with zero technology background. Maybe it was because I taught them a simple hacking trick, a simple hacking trick they could grasp, and even do, like those from my “Get Rich or Die Trying” presentation. Suddenly the fascinating subject of hacking, which they previously assumed was too complicated to learn, was approachable. I taught a TED audience how to hack! How cool is that!? :)

Many in the information security industry have been trying desperately and in vain to raise Internet security awareness among the masses. We repeatedly give people laundry lists of what not to do, and it isn’t helping. Better awareness, better overall Internet security, could be accomplished through Hack Yourself First. Teach anyone and everyone who wants to learn how to do the actual attacks the bad guys use against them, perhaps packaged up in a Capture-the-Flag format.  That would be a lot of fun for everyone. When people know precisely how hacking works, they’ll be in a better position to spot attacks against them and be on their guard.

I came to TEDxMaui to share my ideas with a wider audience, but what I came away with was more ideas from them about where we can take Hack Yourself First. 

Thursday, December 29, 2011

Terrified

Over my career I’ve given exactly 295 public presentations, to audiences as small as a table full and up to many thousands. Audience members have said countless times that they really enjoy my speeches. Conference organizers always invite me back, and my feedback scores are always amongst the highest. These are accomplishments I’m proud of and a level of success only achieved with the help of a lot of dedicated people. You might think that after all this experience I’m extremely comfortable on stage. The reality is that you’d be wrong, very wrong. What most don’t know is that each and every time I present, to this day, I suffer from extreme anxiety, commonly known as stage fright. In my case, terrified would be a more accurate description.

I’ve been known to physically shake, have shortness of breath and a strained voice, speak far too quickly, be statuesque on stage almost like I’m hiding, and feel just overall completely stressed out. Early on I decided that no matter how terrified I was, my message needed to get out there, and it was more important than letting fear stop me. I think my #1 skill as a public speaker is hiding my fear, my terror. My theory was the more experience I gained the faster I’d overcome it. In the meantime in order to cope I developed a pre-presentation ritual.

I’d prepare heavily for each event, pore over the content in every slide, and seek candid feedback from those I trusted. I’d also commonly ask the event organizer for details on audience demographics to specifically tailor my comments. I’d then practice ahead of time for small private groups in order to get the timing and flow down. If something or all of it sucked, I’d throw it out. With the assistance of my wife, I’d even get a plan down for precisely what I was going to wear on show day. Nothing was left to chance. Finally, I’d block out an hour before each presentation to check out the stage, be alone with time to center, prepare and calm myself down, and of course continue tweaking slides. Being prepared helped take the edge off my anxiety a lot.

The problem was, or is, that no matter how many times I presented, the anxiety, the fear, and terror never really lessened. That is until this last year. Something changed, but what!? Had I finally overcome it? I’m not an introspective person so it wasn’t until very recently that I think I figured it out. In 2011 my public presentations weren’t pushing the envelope as much as in years past. The content was good to be sure, but it also focused on “safe” business level subjects and incrementally advancing work from previous years. In short, I really wasn’t putting myself out there as far as I’m used to. In my case, the feeling of fear and terror arises when pushing forth an idea or a concept and unsure if people will think it’s uncompelling or totally idiotic. A chance you take.

That’s about when I got a call from TED offering a speaking slot in TEDxMaui. We got to talking about my work and discussing an idea worth spreading. It didn’t take long. Then all of a sudden I’m thrust right back into fear and terror mode, but now that I understand it, the feeling is almost comforting. It signals that I have an opportunity to take things in my industry, in our industry, to a new level --- or of course drive right off a cliff. Either way it’ll be a good show!  :)

Tuesday, June 21, 2011

How I got my start -- in Brazilian Jiu-Jitsu

I’ve been a UFC fan for years, even before it was acquired by Zuffa. I was fascinated by the anything goes, hand-to-hand form of combat. I suppose it reminded me of growing up in Hawaii. :) The UFC was also enjoyable because it helped answer the question, “What martial-art or fighting style was most effective?” Karate? Kickboxing? Boxing? Wrestling? Ninjutsu? What matters more, size or technique?

The UFC provided a forum, the octagon, to settle the long-standing fight-world debate. Everyone had a theory, but no one really knew for sure. What became crystal clear even today is that every fighter must have a background in Brazilian Jiu-Jitsu or they WILL lose. It’s just that simple. My background was mostly striking, so I wanted to try out this ground fighting stuff.

A co-worker, also interested in the UFC, and I found a local BJJ academy in San Jose taught by black belt instructor Tom Cissero. Tom has a passion for the martial arts and, more importantly, for his students, as he deeply feels that they are a direct reflection upon his life and value as a person. Yes, he takes his craft that seriously, and serious he is. Tom is abrasive, aggressive, and combative, attributes covering up a heart of gold. In the academy Tom will push you hard, harder than any place else, to make you good, whether you like it or not, and he cares enough to do so. That’s why I stayed with him the better part of a decade.

Anyway, my 6’2” - 300lbs, and let’s face it, seriously fat and way out of shape frame walks in -- admittedly with a little bit of big man ego. I see Tom instantly trying to size me up. Of course he had me figured out in all of 5 seconds as you’ll read in a moment. After signing the waiver, doing some drills, and learning a couple of submissions I began to familiarize myself with the basic rules and gym etiquette. Then came sparring time. Tom loves the sparring sessions more than anything else. Probably because it measures your progress in stamina and skill.

Tom pairs me up with, and I kid you not, a 150 lbs or less woman in her mid 40’s and says let’s see what you can do. She’s a purple belt with several years of BJJ experience, but I’m thinking to myself WTF!? She’s half my size! I’m going to squash her! Then of course the whole situation is running counter to my internal man moral code, never fight girls. Not being given a choice, but also not wanting to be disrespectful, I decided to go really easy as I didn’t want to hurt her or anything.

The bell sounds, I come slowly forward towards her, she quickly closes the distance, spider monkeys to my back, chokes me, and forces me to tap out inside of 10 seconds flat. I was shocked and a little upset. Here I am going light and she takes advantage of me. Clearly she’s not playing around. To hell with this, no way I’m going to let that happen again! No more Mr. Nice Guy.

We touch hands, signaling to begin again, but I go harder this time trying to put her back on the mat. She again somehow sneaks around under my arm, like an octopus, and chokes me with the same damn move! To my credit, I lasted a few more seconds that time. This scenario repeats for about 4 to 5 minutes in the session, and for the life of me, as a big strong guy, I could not keep this tiny older woman off my back and robbing the oxygen from my brain. Oh, and all the while she is speaking to me in a calm instructive voice. Humiliation is the best word to describe it.

At the end of class I’m thinking to myself, there is something to this Brazilian Jiu-Jitsu stuff. However, that wasn’t the most important thing to me at that particular moment. There was no way I could go on about my life happily knowing that such a woman could kick my butt so easily. Call it machismo if you like, I don’t care. It was clear to me that I had to keep training BJJ at least long enough to beat her. It only took three years. Fortunately for me by that time the motivation to simply get better and enjoy myself became my primary driver.

By the way, that woman is still training there. So if you are a big guy, and plan to drop by for a visit, don’t say I didn’t warn you. You could quickly find yourself on a journey to becoming a BJJ black belt.

Monday, May 16, 2011

Web security content moving to new WhiteHat Security corp blog

Many of you have noticed I haven’t been blogging in several weeks. The truth is I have been blogging, just not here! For those that missed the announcement, WhiteHat Security recently launched a new corporate blog, featuring over a half dozen other WhiteHat bloggers in addition to myself. To support and intermingle with other exceptionally solid posts, I’ve been directing my Web security content over there. If you review the archives you'll find cool stuff on scaling CSRF identification, DOM-based XSS, Bypassing CSRF tokens with a Flash 0-day, etc.

Here are some of my most recent posts that you may have missed:
See! I have been blogging. :) Consider updating your RSS feeds.

I'll continue posting here, only at a much lower volume, and exclusively about personal things like my adventures in Brazilian Jiu-Jitsu.

Tuesday, March 15, 2011

Sentinel SecurityCheck

Have you been hearing about WhiteHat Sentinel for a while, but never had the opportunity to try out the service for yourself? We'd like to change that and make Sentinel accessible to more people. We've recently announced a new promotion, for those who are interested and qualify, to receive the full customer experience for 30 days -- for FREE. This is way more than just finding vulnerabilities. If you like it, great, sign up! If not, which is extremely rare, you owe nothing. Follow the link below for additional details.

WhiteHat Security Announces No Cost Website Vulnerability Assessment Program

Sentinel SecurityCheck offers organizations 30 days of continuous assessment to identify all website vulnerabilities and mitigate leading risk for data breaches; Participating companies gain access to WhiteHat Security's verified vulnerability results and personalized guidance on website risk management

Friday, March 11, 2011

11th WhiteHat Website Security Statistic Report: Windows of Exposure

WhiteHat Security's 11th Website Security Statistics Report presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management. This represents the largest, most complete, and unique dataset of its kind. WhiteHat Security makes this report available specifically for organizations that aim to start or significantly improve their website security programs, prevent breaches and data loss.

Top 3 Key Findings (Full list available in the report)
  • Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9–12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
  • During 2010, the average website had 230 serious* vulnerabilities.
  • In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.

Window of Exposure is an organizational key performance indicator that measures the number of days a website has at least one serious vulnerability over a given period of time.
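To make the metric concrete, here is an added worked example (my own illustration, not code from the report or from WhiteHat Sentinel) that computes Window of Exposure for a website from a constructed list of vulnerability records. The record layout, the `serious` severity label, and the convention that the day a vulnerability is closed still counts as an exposed day are assumptions made for this example. Overlapping vulnerabilities are merged so that a day is counted once no matter how many findings were open on it, and a finding that is still open is treated as exposed through the end of the period.

```python
from datetime import date, timedelta

# Constructed sample data (not from the report): one website's findings,
# each with the day it was found and the day it was closed (None = still open).
SITE_A = [
    {"id": "V-1", "severity": "serious", "opened": date(2010, 1, 10), "closed": date(2010, 2, 20)},
    {"id": "V-2", "severity": "serious", "opened": date(2010, 2, 1),  "closed": date(2010, 3, 1)},
    {"id": "V-3", "severity": "low",     "opened": date(2010, 4, 1),  "closed": None},
    {"id": "V-4", "severity": "serious", "opened": date(2010, 11, 15), "closed": None},
]
# A site with one serious finding open since before the period began (exposed all year).
SITE_B = [
    {"id": "V-9", "severity": "serious", "opened": date(2009, 12, 1), "closed": None},
]
# A site with no serious findings at all.
SITE_C = [
    {"id": "V-5", "severity": "low", "opened": date(2010, 6, 1), "closed": date(2010, 6, 3)},
]

PERIOD_START = date(2010, 1, 1)
PERIOD_END = date(2010, 12, 31)


def window_of_exposure(vulns, period_start, period_end):
    """Days in [period_start, period_end] on which at least one serious
    vulnerability was open. Overlapping findings are counted once."""
    intervals = []
    for v in vulns:
        if v["severity"] != "serious":
            continue  # the KPI only counts serious findings (assumed label)
        # Clip the open interval to the reporting period; a finding that is
        # still open is exposed through the last day of the period.
        start = max(v["opened"], period_start)
        end = min(v["closed"] or period_end, period_end)
        if start <= end:
            intervals.append((start, end))
    intervals.sort()

    # Merge overlapping or adjacent intervals so concurrent findings do not
    # inflate the day count.
    merged = []
    for start, end in intervals:
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))

    # Both endpoints are inclusive, hence the +1 per interval.
    return sum((end - start).days + 1 for start, end in merged)


def share_exposed_less_than(sites, threshold_days, period_start, period_end):
    """Fraction of sites whose Window of Exposure is below threshold_days,
    the kind of roll-up the report's 'less than 30 days' figure describes."""
    if not sites:
        return 0.0
    under = sum(
        1 for vulns in sites
        if window_of_exposure(vulns, period_start, period_end) < threshold_days
    )
    return under / len(sites)


if __name__ == "__main__":
    for name, vulns in (("A", SITE_A), ("B", SITE_B), ("C", SITE_C)):
        days = window_of_exposure(vulns, PERIOD_START, PERIOD_END)
        print(f"site {name}: exposed {days} of 365 days")
    share = share_exposed_less_than([SITE_A, SITE_B, SITE_C], 30, PERIOD_START, PERIOD_END)
    print(f"share of sites exposed fewer than 30 days: {share:.0%}")
```

Site A's two early findings overlap (January 10 through March 1), so they contribute 51 days rather than the 42 plus 29 that summing them separately would give; with the still-open November finding the site's window is 98 days. Feeding real assessment exports into `window_of_exposure` per site, and then into the roll-up, is enough to produce the per-site distribution the report's first key finding summarizes.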

Download the Full Report...

Thursday, March 10, 2011

Robert “RSnake” Hansen, age 34, has passed away, on Facebook

Facebook encourages people to keep up with friends and family through those familiar little website reminder notices. In some cases the person suggested in the reminder has passed away, which would explain the account inactivity, and this might obviously be taken as offensive and emotionally distressing. Facebook recognizes this and offers a process where they allow accounts to be “Memorialized” on the recommendation of a “friend” by filling out the appropriate form.

“When a user passes away, we memorialize their account to protect their privacy. Memorializing an account sets the account privacy so that only confirmed friends can see the profile or locate it in search. The Wall remains, so friends and family can leave posts in remembrance. Memorializing an account also prevents anyone from logging into the account.”

As many readers might recall, a couple months ago Robert “RSnake” Hansen, best known for his contributions to Web security, bid his farewell in a final 1,000th blog post. Since RSnake has departed “the scene,” he is effectively dead in an online sense. As such some felt it only fitting that his Facebook persona follow a similar path and shake off its digital coil. To get RSnake’s page memorialized all that was required was finding a person who shared the same name, who had a recent obituary published somewhere online, lived in roughly the same area, and then fill out the necessary form. Not too long after...


If you are a Facebook friend of RSnake, you may still pay your last respects to him on his wall. Rest assured that while he can no longer reply himself, he is indeed smiling (or LHAO) down on us all from above.


Monday, February 21, 2011

Top Ten Web Hacking Techniques of 2011

Update 02.14.2011: Open voting for the final 15 is now underway. Vote Now!


This post will serve to collect new attack techniques as they are published. If you think something should be added, please comment below and I'll add them.

"Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about actual new and creative methods of Web-based attack. The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work."

Current 2011 List
  1. Bypassing Flash’s local-with-filesystem Sandbox
  2. Abusing HTTP Status Codes to Expose Private Information
  3. SpyTunes: Find out what iTunes music someone else has
  4. CSRF: Flash + 307 redirect = Game Over
  5. Close encounters of the third kind (client-side JavaScript vulnerabilities)
  6. Tracking users that block cookies with a HTTP redirect
  7. The Failure of Noise-Based Non-Continuous Audio Captchas
  8. Kindle Touch (5.0) Jailbreak/Root and SSH
  9. NULLs in entities in Firefox
  10. Timing Attacks on CSS Shaders
  11. CSRF with JSON – leveraging XHR and CORS
  12. Double eval() for DOM based XSS
  13. Hidden XSS Attacking the Desktop & Mobile Platforms
  14. Rapid history extraction through non-destructive cache timing (v8)
  15. Lotus Notes Formula Injection
  16. Stripping Referrer for fun and profit
  17. How to upload arbitrary file contents cross-domain (2)
  18. Exploiting the unexploitable XSS with clickjacking
  19. How to get SQL query contents from SQL injection flaw
  20. XSS-Track as a HTML5 WebSockets traffic sniffer
  21. Cross domain content extraction with fake captcha
  22. Autocomplete..again?!
  23. JSON-based XSS exploitation
  24. DNS poisoning via Port Exhaustion
  25. Java Applet Same-Origin Policy Bypass via HTTP Redirect
  26. HOW TO: Spy on the Webcams of Your Website Visitors
  27. Launch any file path from web page
  28. Crowd-sourcing mischief on Google Maps leads customers astray
  29. BEAST
  30. Bypassing Chrome’s Anti-XSS filter
  31. XSS in Skype for iOS
  32. Cookiejacking
  33. Stealth Cookie Stealing (new XSS technique)
  34. SurveyMonkey: IP Spoofing
  35. Using Cross-domain images in WebGL and Chrome 13
  36. Filejacking: How to make a file server from your browser (with HTML5 of course)
  37. Exploitation of “Self-Only” Cross-Site Scripting in Google Code
  38. Expression Language Injection
  39. (DOMinator) Finding DOMXSS with dynamic taint propagation
  40. Facebook: Memorializing a User
  41. How To Own Every User On A Social Networking Site
  42. Text-based CAPTCHA Strengths and Weaknesses
  43. Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
  44. Temporal Session Race Conditions Video 2
  45. Google Chrome/ChromeOS sandbox side step via owning extensions
  46. Excel formula injection in Google Docs
  47. Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
  48. CAPTCHA Hax With TesserCap
  49. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
  50. Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]

Previous Winners

2010 - 'Padding Oracle' Crypto Attack
2009 - Creating a rogue CA certificate
2008 - GIFAR
2007 - XSS Vulnerabilities in Common Shockwave Flash Files
2006 - Web Browser Intranet Hacking / Port Scanning