Play doctor

Virus still keeping you in? Bored? Tired of binging shows? Let’s run some more website security scans. At the start of the virus quarantine times, I blogged a bit about security headers and how finding out what’s wrong is fairly easy (setting them correctly takes a bit more effort). But there are loads of other ways to find out what’s wrong or right with your website’s security.

These won’t fix your problems. But they will tell you that they exist. This list is also purposefully avoiding scripts that involve the command line or anything more than a reasonably modern web browser.

Get the lazyweb pentester’s toolkit here

Quark was right

“Let me tell you something about humans, nephew. They’re a wonderful, friendly people as long as their bellies are full and their holosuites are working. But take away their creature comforts, deprive them of food, sleep, sonic showers, put their lives in jeopardy over an extended period of time and those same friendly, intelligent, wonderful people will become as nasty and as violent as the most blood-thirsty Klingon.”

Quark, Star Trek: Deep Space Nine

The decline will be live tweeted

“Whither goest thou, America, in thy shiny car in the night?”

Jack Kerouac

The U.S. is going through its quadrennial hypoventilatory tantrum, known as presidential election year. Currently it’s in the form of the Democratic party’s ritual gauntlet of pain to choose its nominee. What’s interesting about seeing America’s political process from abroad is the attention it demands and that so many Americans think they deserve. Idiotic slights between candidates dominate headlines abroad that should be covering more pressing matters closer to home. America has sold the idea that its decisions are more important, and a lot of the world seems to have gone along for the ride.

The world is burning. Regardless of who’s in the White House next January, that won’t drastically change. Care less about these shit shows and more about one another.

— note to self

If you see any of these on your kid’s computer, give them a hug.

National Crime Agency poster scaring parents about tools that help people understand how the internet works.
If you find these on your kid’s computer, then be thankful they’re interested in how the internet works instead of being a mindless, constantly tracked consumer in training.

According to the internet today, the Walsall Council, tucked somewhere up in the midlands north of Birmingham and east of Wolverhampton, is warning parents to call the cops on their children if they have any hacking things.

If you find any of this software on kiddo’s machine, do not be alarmed, and do not alert the authorities. It is technology, not witchcraft. Your child is not in a cult. She or he isn’t about to hack into GCHQ. They do have a keen interest in understanding how the internet works. Don’t put them on a watch list, give them a hug.

The Tor Browser is great for staying anonymous and private online and is helpful for understanding how your identity exists on internet networks. Great for researching assignments without being constantly tracked and monitored by companies whose primary interest is preying on young people’s insecurities to sell more crap. Your kid has it? Fabulous.

Virtual machines are great for learning modern computing without having to, say, buy a separate computer for each operating system you want to try out. If you’re going to learn about how systems work, virtual machines are a necessary tool to load them and explore them. It’s amazing that virtual machines would be seen as evil while it seems everyone loves a Raspberry Pi. Both are great for learning and hacking (which is learning). If your kid is spinning up VMs to learn how different kinds of Linux distros work, ask them if they need more monitors. They’ll say yes. Awesome.

Kali Linux is a penetration testing operating system that comes with a lot of different tools pre-installed. Having this doesn’t render one a hacker. You still need to learn how they all work (and often don’t work) and in what context they’re even useful. It’s great for learning about security. If your kid has this, there’s a good chance they saw Mr. Robot and wanted to see what that OS with the dragon logo was about, and then got bored when they found that in fact it’s not an incredibly user friendly thing. Still, it means they’re interested in how things work, and don’t work. It means they’re probably more cautious about how to use the internet than you are, and you should ask them for advice on how not to get attacked or have someone steal your online banking credentials. They are both the hero you want and the hero you need. Amazing.

If your kid has a WiFi Pineapple in their backpack, then you should check whether your credit card has been used to buy anything else online, because you can’t just go to the local PC World and pick one up with the lunch money. These are for interrogating WiFi networks and the devices connected to them. Tell them to harden your home’s network and give their school’s probably crappy network an audit for extra credit. If your kid is this interested in security, buy them one of these for Christmas or their birthday or for Halloween. At the very least, it’ll make a nice conversation piece in the room.

Discord is an online chat platform with loads of channels, a lot of them about gaming or other useless nonsense. It’s fairly secure by design, open source and has great voice and video functionality, but there’s no reason you should view it any differently than you’d view your kid being on WhatsApp or Instagram or Snapchat or TikTok or Reddit or whatever. Online communities all have their advantages and dangers. If your kid is online talking to strangers, understand the issues around that, and work with them to stay safe while they investigate their interest in security and computers.

Metasploit can be useful for hacking, but like having Kali Linux, it doesn’t make hacking “simple.” Sort of like how owning a stove doesn’t make duck flambé simple. It scans computers and systems for potential vulnerabilities and gives the user reports on areas that may be worth checking out. If your kid has this installed, they are checking out how things work and learning the fundamentals of what the difference is between a secure configuration and the opposite, and all the ways things are broken. Encourage this kind of behavior. It will make them more cautious when they’re on other networks or accessing things online, because they’ll understand how weak it all is underneath.

The internet trains people to be consumers, and it starts when they’re young. To click, download, install and trust. Blindly, trust. To click past Terms of Use agreements, allow the cookies, accept the targeted advertising, and share, share, share. It penalizes those who use privacy settings with ostracism. It demands “real name policies” and encourages young people toward promoting narcissistic, false perceptions of themselves online. If you’re lucky enough to have a kid who’s interested in the underlying mechanisms of this ugliness, then you should give yourself a pat on the back. You raised a kid who might just be resilient enough to survive the shit storm their parents’ generation (your generation) networked together and dishes to them every hour on different sized screens.

If your kid has hacking tools, don’t turn them over to the cops. Give them a hug. Find other hacking groups. Or help them start one. The only chance kids have of fixing this mess is if they understand how to see all the ways that it’s broken.

Iowa Caucus app was not the problem

What was the problem?

People who think they needed a bespoke app when current mature technology exists that could do what they wanted. Because they hired an agency and the agency isn’t going to tell them otherwise.

People who didn’t know how to procure, test or do quality assurance, stress testing or security reviews of software. Because they assumed that the agency would just be on top of all that.

People who didn’t think about usability of software or incorporate time to train users how to run it. Because they think technology is magic. It’s not. It’s duplicitous, treacherous and narrow minded. Technology does whatever you’ve built it to do, not what you thought you built it to do. You need usability testing, testing and testing for it to start approximating what you’d hope it would do.

People were the problem. People operating under this idea that technology is some sort of magic, and you don’t need to have anyone on your team who understands it because you’ll just outsource all of that. People are always the problem. Challenge assumptions. Ask if you need to take this trip. What would happen if you didn’t? What is the problem you’re trying to fix? Who said it was a problem to begin with? Are they right? Using technology starts with questions. If you’re not interested in that, then stay away from proposing solutions with it.

The app wasn’t the problem. It was the output of the problem.

It depends

You’re on WhatsApp, I’m on WhatsApp. Even the world’s richest Lex Luthor lookalike, Jeff Bezos, is on WhatsApp. The breathless news last week was that Jeff’s iPhone was hacked by a malicious file sent his way in a WhatsApp message from the number of Saudi Crown Prince Mohammed bin Salman. And now we’ve got an endless stream of hot-take tweets and seemingly carbon-copied news items around the idea that: “If Jeff Bezos can get hacked through WhatsApp, what hope do the rest of us have?!”

Take a deep breath. You are fine. Takes like this are ridiculous. They assume that if these giant titans are vulnerable, then so must you be, tender user. The answer to that is the annoying thing no one wants to hear: “it depends.” The presumption is that Jeff’s iPhone is some kind of super device with a hundred security experts on its case. Another notion could be that it’s just an iPhone, like yours is just an iPhone.

We’ve seen loads of Big Name people make stupid infosec decisions. Having the head of a country known for targeting journalists and human rights activists with highly sophisticated spyware in your special contacts list is probably a bad idea. It was a bad idea for Jeff, the owner of the Washington Post, the newspaper that had run columns by Jamal Khashoggi before he was murdered in a Saudi consulate in Turkey.

The many “don’t be like Jeff” type posts last week are kind of silly.

Your chances of not getting targeted with a highly sophisticated hack like the one that hit Jeff are probably pretty good. You don’t own infrastructure hosting vast swathes of the internet, including data of U.S. intelligence agencies. You don’t own a media empire, and you’re likely not involved in investigative projects on Saudi abuses. You’ve wiped huge amounts of your threat surface away right there.

You’re in the group with this to-do (or, to don’t) list:

  1. Keep your mobile operating system up to date.
  2. Don’t root/jailbreak your mobile.
  3. Don’t accept unsolicited conversations with unknown people.
  4. Don’t download or open unexpected attachments.
  5. Verify people’s numbers in person or in voice or video calls, not by trusting what happens to come through on the screen.

A lot of the “don’t be like Jeff” articles mentioned above include various versions of that advice, and it’s all good. There are a few problems with that:

  • We don’t know that Jeff was/wasn’t doing those things (or had someone doing them).
  • He’s getting a file from someone in his contacts. Someone who won’t be in your or my contacts.
  • Your situation (and mine) will never the fuck be Jeff Bezos’ situation.

Dude’s the richest fucker on the planet. Operating at a level where he shouldn’t be on an app or a mobile. But he is. Because the world is complex, and all of this complexity is held together with tape and glue and some glitter to make it look pretty, and a lot of blind faith that smart people are doing smart things. On most days, it’s safe to say most of them are. Statistical reality dictates that every day a few of them aren’t. Just like the rest of us.

Statistically you’ll be targeted for identity theft or credit fraud, or someone wants to find out if you have any lewd photos in the cloud. They won’t hire NSO Group to identify your exact mobile model and OS version and tailor a malicious package you’ll be more likely to open. One thing that I won’t put on you is to work at not being like Jeff Bezos. Unless you’re him reading this, you’re not. And if you are, give me a grant.

Blogging with bots

Check out the Brutalist aesthetic(!)

Just pushed online dystopia.report, which is aimed at achieving a couple of things: I wanted to mess about a little with the Hugo flat site builder and GitHub Pages, and also create a sort of spoof sci-fi project which is actually neither very much sci or fi, but just some creative output on the trash fire humanity is backing itself into. Lastly, I wanted to see how lazily I could write posts with the help of different generators, bots, machine learning or AI things, which itself creates a kind of dark timeline effect.

As much as possible, I’ll commission the bots to do the heavy lifting on it and describe the fermenting doom as they see it, and maybe just do a bit of prodding and editing around the edges, or add present day artefacts that should be stuffed into a time capsule for future civilisations to at least understand we were self aware of our looming decline.