computer and security use in movies

As computer and security hobbyists and professionals, I’m sure we all go to movies and take special note when something in our field comes up, from door locks to computer terminals displaying code to fuzzy images being blown up to reveal faces. Some of these make us cringe in wild distaste which pulls us out of the suspension of disbelief in the film experience while others make us smile and slightly nod in agreement, making a mental note to share with our other geek buddies.

I have made a new category for this site called, simply, movies. In this category I want to make mention of movies that utilize a particular bit of computer use or security use and point out what is inaccurate about it. In fact, I’m going to call it Computer and Security Use in Movies (CSUM).

Just to get a few ground rules out of the way, I will largely exclude sci-fi movies that assume advancements in technology make certain things possible or different from how we know computer security today. I also only want items that seem important to some degree to the plot of the film, and not just some extraneous bells-n-whistles item from the background. For instance, nothing from Star Trek will count.

I will score each incident based on some criteria, modeled after a security assessment:

Inaccuracy: 1-5 (5 being ridiculously inaccurate and 1 being only slightly inaccurate)
Inaccuracy scales exactly how ridiculous a particular portrayal of computers and security is. Something that is not ridiculous at all, and might in fact be entirely accurate, may score a rare 0 in this category, thus ensuring a total score of 1. A 1 is the ultimate score.

Criticality to plot: 1-5 (5 being critical to the plot or film experience and 1 being trivial)
If an inaccuracy is highly critical to a plot, it becomes less forgiving by the audience. Likewise, inaccuracies in smaller, less important parts of the film can be overlooked. This is a scale on how important the situation is for the movie as a whole.

Ease of correction: 1-5 (5 being extremely difficult or impossible to correct without the plot or film experience falling apart, 1 being extremely easy to fix without impacting the film)
If an inaccuracy is easy to correct, it really shouldn’t have been a mistake in the first place, and might just be the fault of the technical advisor or writer, or maybe even an artistic decision because the real deal is boring to portray. Something that is extremely difficult to correct means that inaccuracy is so deep, there really is no way to save or spin it without running into major problems. This is essentially the scale of how badly wrong a movie gets this situation.

The total is the product of the three numbers, giving a score from 1 to 125. Hopefully no movie scores 125, as that would be a ridiculously inaccurate, critical situation in the film that has zero hope of being fixed without the film falling apart. Feedback and suggestions on better scoring are welcome!

ubuntu vs linux

Network Computing has a nice comparison between Vista and Ubuntu. I’ve yet to even see Vista, really, but I can say I was disappointed that they didn’t include DVD playback in the multimedia testing. Because of the proprietary encryption on DVDs, free and legit Linux distros tend not to be able to play them out of the box. I was happy to see mention of Ubuntu’s occasional (and very frustrating) hardware issues (namely wireless or sound issues, from what I’ve heard), which can send people back to Windows quickly.

I think Ubuntu is a nice alternative for light users who don’t install their own things and only need major things like email, web browsing, maybe some IM, music, picture viewing, and office productivity. Basically you don’t need much more beyond what is installed by default. If you need more, you might be in for some learning curve issues.

ubuntu and snort

Snort is another item I want to start working with regularly as well. I know I won’t become a Snort guru quickly, and just like any type of packet-watching role, it just comes with time and experience. This Ubuntu + Snort + PostgreSQL tutorial may be helpful, even though I already have my Ubuntu “server” box upgraded to Feisty Fawn and might swap out PostgreSQL for MySQL instead. Sadly, just last night I noticed my Ubuntu box (which has a decently new 200GB HD that has already developed a loud whine when it spins) may not be faring so well anymore after power outages. I had one this weekend and the console might be stuck on a BIOS or GRUB warning since it is silent on my network. I have to check it out tonight. Hmm…it might be old enough that it still requires something plugged into the keyboard port in order to boot properly… Got this link from Andrew Hay.

snare and splunk logging

I like tutorials on sites. Even if I don’t get around to trying out new things, it is nice to have the knowledge fly by my sight and to tuck the link away into my pocket (or a site post) for a rainy day when I decide I want to try it out. This link talks about using Snare and Splunk as a central multi-system log-gathering solution (a cheap alternative to LogLogic). I do need logging someday and definitely have plenty of options, including this combo.

live-fire experience from cyber defense competitions

Texas A&M has won the 2007 Collegiate Cyber Defense Competition. I really feel that live defense and attack competitions help everyone involved, including spectators. Whether it is just among friends, at a con, or something as organized as a collegiate-level event, this kind of live-fire stuff needs to grow and will continue to grow in popularity and exposure. If you get a chance to go to one of these events, either as a participant or just to hang out, I encourage you to go. Don’t do what I did last year and skip a local CyberDefense competition for no good reason.

the education-technology see-saw

Andy ITGuy is a proponent of training, which is awesome and wholly commendable. I totally understand that, but I’m feeling picky today. Maybe today is Picky Wednesday, I dunno. But I noticed Andy posted this (he’s going to love that I’m pulling out an anecdote and unfairly focusing on it, hehe) and I want to make a point too.

My favorite quote from the post is this,

“My dear friend, education is the key..not more locks and bolts.”

The same holds true for Information Security. If our users don’t know how to spot and handle phishers then we might as well just put up an open WI-FI to our network and post it in the paper.

I’m not sure I would say that user education is key and that without it we may as well put up open wifi. I think user education is very important, but it won’t solve IT security any more than education has solved drug use, teen pregnancy, or STDs. I won’t be able to dispense with logging utilities or AV or LUA or spam scrubbing just because I have a good training regimen.

So yes, that’s my point for the day. Security by technology and security by education need to be balanced just as much as security is balanced against usability. In the end, however, I’ll take slightly more technology than education only because that is the one that can be auditable and has hard-drawn lines that I can trust (that and I likely have more budget right now than Andy might have…and that does matter).

new headers take two

I guess I forgot which pages I had imported into MT as templates. In redeploying my entire site last night, MT replaced my random image code! Oops, anyway, they are up again although I won’t be able to edit any sizes or remove any until after work. 🙂

new header images posted

If you come to my site every now and then you may have noticed my head images changed slightly, randomly. Well, I added some more images (stolen shamelessly from other places on the net, you’ll recognize some I’m sure) to the rotation. Where before I had 3, I now have 43. I’ve not had time to QA anything and I already see a couple I want to remove or need to resize, but all in all, get out of your RSS shell and click through to check it out if you want. The change of scenery is really just helpful to someone like me who has to view the page daily, hehe.

staying anonymous – part 1 intro

So you want to interact with the less “white hat” types of security professionals but you don’t want to hang your balls out there and allow people to track back to you? Looking to not put your name which might be attached to your company into the limelight if you just happen to get noticed and on the wrong side of some punk kid who decides to have some fun at the possible expense of your career? Or you are just a rightfully paranoid security guy looking to rub shoulders and learn new things without the possible collateral damage of having to defend your own network at home? Well, here are some tips on staying anonymous online.

For this series of posts, I will try not to get fancy and technically challenging. I know you can leverage even better means of anonymity online by routing through SSH connections and shells, scrubbing packets and information, “borrowing” other computers in disparate parts of the world and using them to bounce your connections, or fancy P2P nets and encryption. Some of that is just not as practical for quick approaches. Of note, not all of the stuff mentioned here is technically legal, although the illegality may still be pretty grey. Open mail relays, web proxies, and nearby wireless networks may not necessarily be freely open, so just be aware of that.

Keep in mind that this guide is not meant to protect you if you want to do illegal and bad things. This guide is meant for non-criminals to add an extra layer or two of protection between yourself and other nosy persons. If you already live in the darker corners of the Internet, this guide will not give you any additional information. I also am not entirely encouraging people to push the lines of legality with some of these ideas and steps. Common sense is your friend.

This series is not meant to protect your identity from credit card thieves or allow you to live out your life in places the IRS cannot find you. This is not about hiding your search queries in Google because you think they and the DHS are tracking you. This is simply about being anonymous on the Internet in regards to how other people find or interact with you and you with them.

I’ll start off with some ground rules.

First, don’t be stupid and immature and pick fights. What some newbies do in communities is pick fights and/or act stupid in an effort to quickly get noticed. This is not the way to go. If you have something useful and novel to offer the community, go for it. But most people new to these communities are better served by sitting back and offering tidbits and discussion as they have an opportunity to do so. Be positive, supportive, friendly, and outgoing when it appears to be welcomed. Learn the tone, the names, and what goes on. That’s really the biggest bit of advice for interacting in a community outside the white hats and office cubicles: don’t be a dumbass. And if someone pounces on you trying to be a pest, just let it slide. This isn’t prison where you need to offer a beatdown to the first person who challenges you or forever be branded easy pickings.

Second, pick a nickname (screen name, handle, nick…). If you want to maintain a distance between yourself and the community (which is sometimes prudent considering the curious nature of many crackers), you definitely need to not be known by your real name. Pick a nickname and stick to it. Better yet, pick a fully fake name. I go by Michael Dickey pretty much everywhere in life. But what if I picked Wally Harrison as my name online? I could hide in the noise of Google searches for other people. If you pick something really unique, you’ll be a bit more easily searchable and one slip-up could ruin all of this work. Of course, don’t pick a name that someone else is already using. Using StankDawg might not be kosher with StankDawg.

Third, be aware that staying anonymous is a heck of a lot of work. It is not easy. The more you want to be involved and known, the more you will leak information and screw up. True, full anonymity is not easy at all; in fact, I couldn’t do it, myself. And if you want to make a go of it, be prepared for hard work, lots of time spent troubleshooting your own tactics, and prepare for your failures and slip-ups. True anonymity might not mean making absolutely zero mistakes, but it should be your goal to never show up in any logs with data that might be tied to you. Be aware of your information.

As a general rule, avoid communicating or browsing from home whenever it is convenient not to. If you have nearby hotspots and open wireless, use them. If a neighbor has wireless, “borrow” their connection if you are feeling too paranoid (I didn’t encourage that…right?).

Lastly, as part of this series of posts (a first for me), I encourage feedback, both in the form of suggestions, corrections, or even challenges saying my advice is crap. And even if you aren’t looking to be anonymous, at least be aware of the ways some of your own users might be trying to stay anonymous.

re: management by fact

I had a post a few days ago about managing by fact, to which Alex responded rather appropriately by saying “fact” is a bit of a strong and strict word. We can manage by belief, but our beliefs need to be backed by observable evidence, reason, and facts (yes, I’m rewording). He’s right and I have a belief that we both agree on this topic quite nicely. 🙂

feisty ubuntu server tutorial

Adnan posted about a Rootprompt post pointing to this Ubuntu server installation tutorial for Feisty Fawn. The tutorial is aimed at installing the services an ISP would need: SSH, BIND, MySQL, SMTP-AUTH/TLS, Courier-IMAP/POP3, Apache/PHP5, ProFTPD, ISPConfig. Not all of it is stuff I need, but for some of it I like to read up on how other people do things.

I like this tutorial and I don’t like this tutorial. For starters, the tutorial is one of those things that says, “To install XYZ, run this command and move on.” It really offers little ability to deeply understand what you’re doing and what nuances your particular needs or security posture might dictate. When you install the SSH server, did you disallow remote root login? When you’re done with this tutorial, do you set su/sudo behavior back to the default? Does MySQL or Apache run on its own account, and can those accounts be logged into via SSH? The tutorial is great as an example of how easy it can be to install these services, but does nothing to warn users about the level of care and attention that might be needed to make sure it is running securely and efficiently. Did you follow this tut and leave your balls out on the Internet to be tickled and kicked, or did you slip a cup on when no one was looking?

However, I do like tuts like this where sometimes the service you want to install seems daunting for no real reason other than fear of the unknown. I’ve worked with BIND in the past and can edit my own zone files, but for some reason I have never actually stood up a BIND DNS server myself. Tuts like this can blitz you through the unknown and get you going. You can’t learn to whitewater raft by watching from the bluffs. Get the hell in the water, capsize yourself, and get wet!
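As an added example (my own, not part of the linked tutorial), here is a post-install audit for two of the questions raised above: is remote root login still allowed in sshd_config, and which service accounts have a shell that would let them log in over SSH. The sshd_config and passwd files below are constructed samples so it runs offline; the UID range 1-999 is assumed to be the Debian/Ubuntu system-account range.

```shell
#!/bin/sh
# Added example, not part of the linked tutorial: a post-install audit for
# root SSH login and service accounts with login shells. The sample files
# are constructed here so the script runs offline; on a real host point the
# functions at /etc/ssh/sshd_config and /etc/passwd instead.
set -eu

tmp=$(mktemp -d)

# Constructed sshd_config as an install leaves it: root login still allowed.
cat > "$tmp/sshd_config" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF

# The same file after hardening.
cat > "$tmp/sshd_config.fixed" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed /etc/passwd excerpt: mysql was given a real shell, the other
# service accounts were not.
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/bash
proftpd:x:105:65534::/var/run/proftpd:/bin/false
EOF

# Prints "ok" when remote root login is disabled, "fail" otherwise.
# sshd honours the first occurrence of a keyword, and a missing directive
# is reported as a failure because the built-in default then was "yes".
check_permit_root_login() {
    value=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" \
        | head -n 1 | awk '{ print tolower($2) }')
    case "$value" in
        no) echo ok ;;
        *)  echo fail ;;
    esac
}

# Lists system accounts (assumed UID 1-999, the Debian/Ubuntu service range)
# whose shell would let anyone holding a password or key for that account
# log in over SSH.
service_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

echo "PermitRootLogin (as installed): $(check_permit_root_login "$tmp/sshd_config")"
echo "PermitRootLogin (hardened):     $(check_permit_root_login "$tmp/sshd_config.fixed")"
echo "service accounts with a login shell:"
service_accounts_with_shell "$tmp/passwd"
```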

high-end insecurity: RFID and LCD

Looks like you can reconstruct what an LCD screen is displaying from a distance. I’m not sure how it works with moving images, but this is pretty high-end if you ask me. It is interesting to hear that NATO spent a lot of money to protect against a similar attack against CRTs. And RFIDs are still being talked about for their flaws and the paranoia around them.

One of my big things is how our security, laws, and entire culture have changed because of how efficient the digital world has become. Music has always been pirated, only now it can be done on a massive scale. In the past, things like RFID and LCD eavesdropping were really only issues for extremely high-end governments and corporations. No one else cared, faced threats with these capabilities, had assets valuable enough to justify the cost of protecting them, or had the money to afford it anyway. We’re talking huge companies, governments, and the military, and even just subsets of those.

But these days, things like this can become a reality for more people. RFID might be something we have in all our pets soon, cars, electronics, maybe even ourselves. LCD eavesdropping is still a bit exotic, but if it really is as easy as it seems, this could become a backroom concern for corporate espionage or even internal investigations. Can you imagine being assigned the task of sitting in a conference room and recording images on the screen of a VP two offices away as part of an internal investigation in addition to network and disk forensics? Could you maybe drop a magnetized object on the back of the monitor which automatically logs all the images much like a keylogger? What about the potential range of such eavesdropping? Can it be thwarted fully by focusing on the physical security angle or will LCDs be obsolete in 7 years just like CRTs are now, thus the vulnerability will slowly ebb away?

Some interesting thoughts…

continuing my education finally

I have finally begun the road of post-college continuing education (way behind schedule!). Today I passed what I consider my warm-up certification: Security+. Go me!

I was surprised by some of the questions on the exam, for instance what protocol does the ESP portion of IPSec run over? I had no idea (heck, I don’t think I really knew what they meant by that!). Interestingly, Wikipedia knows! I think if I have any advice on this test, look up the objectives not just in books but also Wikipedia.

Some other questions I see as rather tough for someone who has been in IT a while. “What is the first thing to do in XYZ?” You can easily overthink some of the questions and/or argue the subjectivity of some of the answers. There was another rather technical question that I wish I had the answer to (or even how to look it up!). If an unauthorized user got hold of a Linux /etc/passwd file, what would likely be the cause? SSH 0.9.4 (I might have that # wrong) installed and configured; Sendmail set up with access to administrator’s web mail; SSL something using the Apache account without virtual hosts defined; FTP server with anonymous access configured. I was like, “huh?” I could maybe pop SSH if that version is vulnerable to something, maybe that sendmail answer is referring to being able to remote in as root, maybe that Apache account has root level permissions, or maybe that FTP server somehow allows access to the otherwise normally protected /etc/passwd location? I think I answered the SSH one…no clue if that was correct.

I’m pretty sure the exam is taken from a pool of questions so I don’t see them all, but I was surprised by the number of MAC (Mandatory Access Control) questions I had (at least 5!), some of which were almost word-for-word like others. Anyway, I don’t want to go over too many questions from the exam, but suffice to say it is a nice mix of technical and conceptual questions dealing with security.

Coming up:
GSEC
CISSP
CCNA

stop ruining it for the rest of us!

If stories like this keep appearing, IT is going to continue to become much more complicated…

Denison first attempted a remote attack against the ISO data centre on Sunday, but this was unsuccessful. He then reverted to simpler means, and entered the facility physically using his security card key late on Sunday night. Once inside, he smashed the glass plate covering an emergency power cut-off, shutting down much of the data centre through the early hours of Monday morning. This denied ISO access to the energy trading market, but didn’t affect the transmission grid directly. Nor did his emailed bomb threat, delivered later on Monday, though it did lead to the ISO offices being evacuated and control passed to a different facility.

what I learned a few weeks ago: http request smuggling

Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!

HTTP Request Smuggling is scary for a few reasons.

First, and likely the biggest reason many people don’t hear about it, is that it is pretty complicated and technical. Do you know the differences in how your application-level interpreters (cache proxies, firewall proxies…) and your web servers parse HTTP? Me neither. But some people do, and I bet they can pilfer some scary stuff without many people knowing.

Second, you can poison proxy caches, pilfer credentials, and leverage other vulnerabilities like XSS using HTTP Request Smuggling without ever really needing to touch the client or have them do anything. The client really has zero ability to stop this attack (returned javascript notwithstanding).

Third, it sounds difficult to detect in logs and on the wire, since the parsing needs to be done with awareness of which web server and proxy server are in the communication path and how each of them parses HTTP.

Palisade has a nice write-up on the issue available on both their quiz question and also their article. WatchFire has an amazing white paper on the issue that you can sign up to get (use Pookmail as your throwaway email address).
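To make the parsing-difference point above concrete, here is an added example of my own (not code from the post or from the Palisade or WatchFire write-ups). Two parsers that resolve duplicate Content-Length headers differently split the same byte stream into different requests, which is exactly the proxy-versus-web-server disagreement described above, and the last function is the framing check a detector would apply. The “first” and “last” policies are my models of two implementations, and the sample request is constructed and carries only two harmless GETs.

```python
# Added example, not from the post or the Palisade/WatchFire write-ups:
# the same bytes split into different requests depending on which duplicate
# Content-Length a parser honours, plus the check a detector applies.
# The sample request below is constructed.

HEADER_END = b"\r\n\r\n"


def parse_headers(buf):
    """First message in buf as (request_line, [(name, value)], body_start),
    or None if the header block is incomplete. Duplicates are kept."""
    end = buf.find(HEADER_END)
    if end < 0:
        return None
    lines = buf[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + len(HEADER_END)


def body_length(headers, policy):
    """Content-Length a parser would honour; 'first'/'last' model two
    implementations. RFC 7230 says conflicting values must be rejected."""
    values = [int(v) for n, v in headers if n == b"content-length"]
    if not values:
        return 0
    return values[0] if policy == "first" else values[-1]


def split_requests(buf, policy):
    """Request lines as a parser with the given policy would see them."""
    requests = []
    while buf:
        parsed = parse_headers(buf)
        if parsed is None:
            break
        request_line, headers, body_start = parsed
        requests.append(request_line)
        buf = buf[body_start + body_length(headers, policy):]
    return requests


def framing_is_ambiguous(headers):
    """Detection check: differing Content-Length values, or Content-Length
    alongside Transfer-Encoding, means two parsers may disagree."""
    lengths = {v for n, v in headers if n == b"content-length"}
    has_te = any(n == b"transfer-encoding" for n, _ in headers)
    return len(lengths) > 1 or (has_te and bool(lengths))


# Constructed sample: a POST with two Content-Length headers, followed by
# 43 bytes that also form a complete second request.
SAMPLE = (
    b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 0\r\nContent-Length: 43\r\n\r\n"
    b"GET /other HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    print({p: split_requests(SAMPLE, p) for p in ("first", "last")})
```

A parser honouring the first Content-Length sees two requests while one honouring the last sees a single POST; a proxy and origin server that disagree in this way is the condition the post describes, and rejecting or normalising such framing at the edge removes it.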