2013
05.13

I started a post last week about depression. It’s something I suffer from and I think a lot of people in infosec do as well. I went to the InfosecBurnout panel, which I thought was a good panel and a great discussion topic, but it kind of fizzled out of its goal (http://www.secburnout.org/). I think now would be a good time to revive it. We drink, we party, we do drugs and we go out to Vegas every year and do it all at once. Sometimes the stress of what we do causes us to take drastic action.

There was a foreword in the latest issue of 2600 that struck me. It was a dedication to Aaron Swartz and a bit about depression (the signs, the dangers, how easily it is hidden from friends of someone who is depressed). I thought it was well done and it got me feeling like I should talk about my experiences.

Then Allie Brosh finally came out of it and explained it in a way I couldn’t: http://hyperboleandahalf.blogspot.com/2013/05/depression-part-two.html Hyperbole and a Half is one of my favorite comics to read online and lately I’ve been thinking a lot about Allie. I remember when she would come on /b/’s draw threads a while back and hang out; her comics expressed such a range of emotions, despite her suffering. While her latest post didn’t click with me as what I experience, it really shows what people go through when they are depressed. Actually, an older post of hers is on par with my experiences: http://hyperboleandahalf.blogspot.com/2011/10/adventures-in-depression.html

Listen. Depression sucks. It’s not always a “blue” feeling that will go away with some sunshine and good company (though sometimes it is). It’s often a chemical imbalance in your brain and outside circumstances can exacerbate it. You hole yourself up, you don’t do much besides sleep and internet. You just function.

A lot of people ask me what to do if they feel they are suffering from depression and the answer is pretty easy: break the cycle. Sometimes this means getting help from a professional or a team of professionals. (therapist/psychiatrist combinations are your friend) This isn’t the only way, but this is probably the easiest and safest.

Breaking the cycle isn’t easy, it’s a lot of work. You may discover things about yourself you never knew, or tried to ignore. You may backslide, you may want to give up, but stick through.

Finally, if you are depressed and you are contemplating suicide, please don’t. It may not seem like it, but people do care about you a lot. Aaron taking his life affected me quite a bit and I never met the man. If you are feeling suicidal, please find help: http://www.reddit.com/r/SuicideWatch/

If you would like to talk to people about your depression or talk to people who are depressed, check out http://www.reddit.com/r/depression for resources. If you are worried about a friend who seems depressed, reach out to them. Pick up the phone, write an email, hop on IRC/AIM/Jabber/Gchat/Skype/etc, any other form of communication and get in touch. Ask them how they are and if there is anything you can do to help.

Finally, with Aaron’s death, a lot of people have started this conversation all over again. Here is a link dump with posts and resources:

Ben Horowitz’s experience: http://bhorowitz.com/2012/06/15/the-struggle/

Mashable Post: http://mashable.com/2013/01/15/aaron-swartz-tech-world-depression/

Mayoclinic: Supporting family or friend: http://www.mayoclinic.com/health/depression/MH00016

If you have no one to turn to, or can’t talk to your friends about this, I’m available via email, twitter or here on my blog. g3k at disillusion dot us or @geekevolved. Feel free to reach out.

 

2013
02.27

Writer’s note: This is a long rambling post about myself, but there are things that can be learned here which will be near the bottom. tl;dr: skip to the part below if you don’t want to hear my life story.

Back in April 2009, probably the worst combinations of things that could have happened to me, happened to me. I fucked up big time at my job working IT support for a LEO and I was terminated. There was a combination of things that met up and created this condition, some are legitimate gripes and reasons, but a lot of it is excuses. While it was probably one of the lowest points in my life, I have to attribute it as possibly the best thing to have ever happened to me. I had grown to hate the job, hate the place, hate my boss and my coworkers. It was likely one of the worst IT departments I had ever worked for at that point in my career and hopefully the last.


2012
12.19

Tools and Supplies

  • HDD – Backtrack Install Target
  • Backtrack 5 Live Disk/USB (DVD or USB +8GB)
  • Working internet connection once Backtrack 5 is booted.

Disclaimer: Most of this is adapted from Kevin over at www.infosecramblings.com and has been adjusted for HDD install, as well as a few changes and additions that I found he was missing. Everything is shared under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

For my tests, I used the 32-bit Gnome build Backtrack 5 r3. I have not tested this how-to with all versions of Backtrack 5, but they should all behave similarly with the possible exception of the ARM build. I have no experience with Backtrack on that platform.


2012
12.18

Downtime

There was some brief outage on the site yesterday and today as I moved hosts. I was hosting the site on a friend’s host and I couldn’t trust that it would stay up for any length of time.

 

We’re now stable and running again. Hopefully more updates to come.

2012
09.26

[face@pripyat ~]$ cat 9.26.2012.txt

 

I am an Arch Linux user. My private website runs Arch with a full LAMP stack and custom bound IPs using ipcfg. I like to do things the hard way sometimes. I feel like it helps me understand the foundation that the tools I use on a day to day basis rest on.

My work makes me soft; in a world where I primarily work with WHM/cPanel CentOS machines, so much is done for me. I feel like once you have a tool kit that performs all of the low level functions, you lose touch with them. Once those tools break, you are shit out of luck. This is why I prefer an OS like Arch Linux or Open/FreeBSD as a hobby platform.

I find it surprising how often the people I work with won’t know what some would consider basic Linux concepts, things that may not be rudimentary necessarily but should be classified under “generic troubleshooting process”. This isn’t an attack on their knowledge, many of them are very intelligent and capable people. Some of them develop on a level I probably couldn’t achieve. Others have certifications that are so far above my head it is almost a joke. At the same time, these people have become lazy. What happens when NetworkManager breaks but you need internet access to fix it? I don’t mean to sound pedantic, and often enough I am a victim of the same laziness, but I view it along the same vein as how once-complex engineering marvels such as the radio are so commonplace (even outdated) that nobody remembers their basic function.

I guess I can use Linux as a platform for this train of thought because of how much it has evolved over the last 10 years, or even the last 5 years. The once nerd-only dark and mysterious operating system is now simple enough to use my parents could probably get by on a few of the available distributions. And that is saying something.

At the very least, there is still merit to learning the dark innards of an operating system. There is a certain feeling you get when you successfully flesh out your iptables firewall after a year of letting CSF do it for you. For many, iptables is this mythical beast that runs in the background and nobody touches because it is delicate and complex. In actuality, iptables is fairly simple to learn if you have a test bed to break it a few times in and understand how rules are chained hierarchically. Between iptables and iproute2 you can do some fairly complex and interesting things.

Note to self project idea: iptables and iproute2 Linux hardware firewall.

I try to apply this methodology to as much as I can. Write a quick and dirty Python script that creates a server/client socket relationship and transfers a file to better understand tools like netcat, rsync and wget. Use sockets to get HTTPD headers to help yourself understand your company’s monitoring system better.

I was shell shocked when I returned to my private VPS, at the time running an Arch image from 2010 and decided to redeploy and redo the entire thing. Basic things that I had gotten used to CentOS doing for me had to be done manually. It was exhilarating to feel the depths of Linux come alive again. I had returned to my roots as a Linux user, and it felt great.

tl;dr go make something from scratch, appreciate the finished product because you understand the process by which it becomes what it is.

EOF

2012
08.10

Keep Calm and Warcraft On

So let me start off this post by saying that I’m a huge Blizzard nerd. I’ve been playing their products since Warcraft: Orcs & Humans. Most of their games defined my teenage years, spending time shut up in my friend’s house with a bunch of other nerds playing Starcraft till the sun came out, drinking Bawls like crack addicts. I’m also a fan of their security, I was highly disappointed in the rumors floating around when Diablo 3 launched about how their login system truncated complicated passwords. During that whole situation, it came out that Blizzard doesn’t really allow capital letters in their passwords, they just let you think it does. It all ended up being a hoax, the story was reused because this happened with Rift a few years back and it must have been a slow news day. Also, a really awesome dude reverse engineered their login system since day one and wrote an awesome post: http://www.skullsecurity.org/blog/2012/battle-net-authentication-misconceptions. On top of that, he’s also pretty well known for passwords, Skull Security is the go-to place for password lists. (for now)

So being a player of Blizzard franchises, I can say that I have confidence saying that their recent attack means almost nothing. If we assume the worst, here is what was taken:

  • password hashes
  • salts
  • username information
  • authenticator data*
  • secret questions

What’s being speculated right now is that with the authenticator data being stolen, your authenticator can be removed. Here’s the problem though: it’s harder to reset my Blizzard account than it is my own bank. I believe the number of accounts that can be compromised via this theft is minimal. Having played Blizzard franchises for years, I actually have experience in these matters. I’ve had to reset information on more than one occasion after rage quitting World of Warcraft… Here are a couple of scenarios, from worst to best:

  • You have a weak password and no authenticator: you fucked up. You are likely to be part of the few that lose their account temporarily. With how Blizzard responded to the incident, it’s likely your account won’t have a chance to get stolen. The hashing algorithm Blizzard used to hash the passwords is fairly strong and it will take some time, unless you have a really stupid password like hunter2. Blizzard has reacted in a timely manner and you will have to reset your password anyway, so this also minimizes the chance of your account getting hijacked.
  • You have a strong password and no authenticator. Yeah, I wish the attackers the very best luck with getting those cracked in time… or at all.
  • Say you have a weak password, but you have an authenticator. You can’t access your account without it, and to call up Blizzard customer support, you have to provide a lot more details than just your password. These kinds of attacks go for the most bang, so it’ll be difficult to actually obtain these accounts. I read unsubstantiated rumors that with the data stolen, they can remove the authenticator without having the password, which is pants on head stupid. Really, Reddit?
  • You have a strong password and an authenticator. Go you, you win.

I’m no crypto wizard, in fact it’s probably one of my weaker points. Blizzard claims to use SRP for authentication, which seems like a strong framework for authentication. There is an interesting thread on /r/netsec discussing the pros and cons (actually it’s destroying an article claiming that SRP won’t help Blizzard in this case). A lot smarter people than I are in there discussing how good it is as a tool, and it seems the consensus is that it’s a good protocol.
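The weak-versus-strong password scenarios above, worked through for a salted SRP verifier as an added example (not Blizzard's code or parameters, and not part of the original post). It assumes the SRP-6a verifier formula with SHA-1 and the 1024-bit group from RFC 5054; the usernames, passwords and wordlist are constructed.

```python
import hashlib
import os

# 1024-bit group from RFC 5054, Appendix A (assumed here; not Blizzard's parameters).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2


def srp_x(salt: bytes, username: str, password: str) -> int:
    """Private value x = H(salt | H(username ":" password)), with H = SHA-1."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_verifier(username: str, password: str, salt: bytes = b""):
    """What the server stores per account: (salt, v = g^x mod N), never the password."""
    salt = salt or os.urandom(16)
    return salt, pow(G, srp_x(salt, username, password), N)


def audit_against_wordlist(username, salt, verifier, wordlist):
    """Check whether a stored row falls to a wordlist.

    Each guess costs two hashes and one modular exponentiation, and the
    per-account salt means no work is shared between accounts.
    Returns (matching_password_or_None, guesses_tried).
    """
    tries = 0
    for guess in wordlist:
        tries += 1
        if pow(G, srp_x(salt, username, guess), N) == verifier:
            return guess, tries
    return None, tries


# Constructed sample data: two accounts and a tiny common-password list.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]
WEAK = ("weakuser",) + make_verifier("weakuser", "hunter2")
STRONG = ("stronguser",) + make_verifier("stronguser", "V9#tq-correct-mule-lantern-4471")

if __name__ == "__main__":
    for user, salt, v in (WEAK, STRONG):
        hit, tries = audit_against_wordlist(user, salt, v, WORDLIST)
        print(f"{user}: {'recovered ' + hit if hit else 'not in list'} after {tries} guesses")
```

The same audit run by a defender over their own verifier table shows which accounts need a forced reset first; the salt and the modular exponentiation only raise the per-guess cost, they do not rescue a password that is on a common list.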

The secret questions thing is probably the only concerning thing here. They were taken. This could lead to more compromises than I predict, however, Blizzard is in the process of setting up a way to quickly change it. I have heard rumors that it is not possible to change your questions, but having gone through that process, I can tell you it’s possible, it just makes you want to shoot yourself in the face (3+ hours on hold with customer support). Authenticator removal used to be the same process, but now there is a form you can fill out and providing your driver’s license can bypass this annoying process (it takes a long time, it took me 2 weeks), but as an attacker this avenue is improbable.

What could they have done better? Well, for starters, not get breached, but in this day and age, with so many companies getting breached, it’s only a matter of time. They could have also gone into a bit more detail on what happened, but I understand they are still in incident response mode right now and I hope they release more information as time goes on. Making it easier to reset your security questions would be cool, but not needed 100%. I wish more companies would make their passwords expire over a period of time, like most corporations do. People hate this practice and since Blizzard is so user oriented, I don’t see this happening. It’s the security vs usability argument.

Hopefully, like me, you can see that this is almost a non-issue. I’m looking forward to a good post-mortem breakdown of what actually happened, but I still believe Blizzard is the top dog in user security. Yeah, they got breached, but who doesn’t these days? I don’t think this will really mean anything. For the first time in a long time, a company had safeguards in place to protect their data in case of a breach and I personally applaud them. Blizzard is the model in which the standard should be set.

If you have any feedback on this post, or if you find any glaringly obvious problems, feel free to leave a comment or email me: g3k AT disillusion DOT us

*Writer’s note: it was pointed out to me by a friend that they only got the salts for the authenticator apps for mobile phones. So this narrows the attack surface from all authenticators to just the mobile apps. I’m not sure of the percentage of users that actually use this service vs the key fob, but it’s free vs having to pay some money + shipping. Again, this really limits the attack surface AND the added bonus of having the ability to change your authenticator on the fly if you have access to your account. Good luck attackers.

2012
07.17

Life.exe

The exception Array bounds exceeded. (0xc000008c) occurred in the application at location 0x004000c5

This error message basically describes my life as it is right now.

I’ve come to a kind of crossroads, where my career at this moment is stagnant and I’m stuck unless I do something drastic. I’m hesitant in this, but I have no choice. With my choices in this last year, I’ve come to the conclusion that I have a lot to change still and it’ll be nice to get away for a bit.

Defcon is nearly upon us. In almost one week’s time, we’ll be out in Vegas. I’m stopping quickly in Seattle right before for a friend’s wedding. It’s going to be good to get away for a bit, I haven’t taken a vacation in over a year now. I took time off for my brother’s wedding, only to have to work till 4am EDT the day of the rehearsal and bachelor party. Oh, I also took some time off to help a good friend move in a whole different state. While that was helpful for everything, it still wasn’t a proper vacation.

I’m going to be competing in BroCTF this year and possibly Black Bag. I’m not as confident in my lockpicking skills as I have been in the past, but if I spend some time in the village, I should be up to speed.

I’m thinking about taking my blog in a different direction, post more about the other things in my life, other than security and my problems. I feel like when I let this thing sit here too long and remember it, it becomes a dumping ground for my crap ala Livejournal. I thought I was past this shit.

2011
12.21

PANIC Project

Just wanted to show off a project a friend of mine is working on called the PANIC Project. Bioss and I started talking on Twitter regarding this project about 6 months ago, my interest being in building a service that cracks passwords and his being collecting data related to passwords, we decided to get together and talk about it. (Now, we haven’t had a chance to do that yet, but with him formally announcing his project, we’re going to be talking about it frequently ;) ) PANIC will scan “dump” or leak sites and look for real time password dumps to correlate data and find patterns.

Check it out at: https://biosshadow.com/2011/12/18/panic-project/ or https://groups.google.com/group/panic-project if you want to help out.

2011
10.07

Plans.

So I’ve been taking a hard inward look of myself lately and it has led me to the conclusion that I am lacking in key areas. I asked a good friend of mine what he thought about this and he told me that I was a pussy, that my parents gave me a sense of entitlement and I’ve never really had to work hard for what I wanted. While this may seem harsh, it was exactly what I needed to hear and it’s true for the most part. If you look at my past and my present, I seem to have skated by somehow. I stumble into opportunities and I feel like I never really fully earn them.

So with this comes the initial self-doubt. “What am I doing in infosec?” “How did I manage to get here?” Then the realization that it’s time to man the fuck up.

So what comes from this?

Well, I see it as a time for growth. With everything that I’ve inadvertently done this past month to myself and possibly my career, it’s torn me and my ego down. Now it’s time to rebuild everything I thought I was into who I want to be.

I have a few projects I’ve been delaying because of whatever the hell reason. Now is the time to focus on them and get moving forward. I want to start from the beginning of my technical knowledge and fill the gaps. I feel like I have a great understanding in many things, but there are holes and gaps in my understanding that starting from the basics will help. I’ll probably post an outline of how I want to accomplish that once I’ve organized my thoughts.

2011
08.02

Take a knee, spaceman.

There always comes a time where you need to step back, take a knee and do some science. The past month has been about nothing other than reaching back to the core of everything that builds me and hitting that place where for a moment I was my own personal god. I feel like getting the job I wanted for so long has gotten me into a bad place mentally, very complacent and not experimenting. So I took a knee.

Nerdapalooza breathed some light back into me. I hung out with Int 0x80 from Dual Core Music, listened to some new nerdcore artists I haven’t really had a chance to listen to and just kicked back. I met my personal hero, king of nerdcore and spam ytcracker. One of the coolest dudes I have ever had the chance of talking to. I’m flying out to hacker mecca tomorrow to hang with the community I once worshiped and am now a part of.

DC407 continues to grow. While our membership is still stagnant, I feel the quality of the membership is there and our presentations every month are getting really good. A lot of good things are growing from this group and I’m still excited to be a part of it. Speaking of which, here is the vulnerable PHP that was used in last week’s presentation: http://disillusion.us/dc407.tgz I’m looking forward to this year’s Defcon for the DCG meetup to get some others’ ideas on running Defcon Groups.

Anyways, wrapping up for now. I have a lot of stuff to do before I fly out tomorrow, especially getting product ready for my new tshirt company that I accidentally started with some friends.

edit: take a knee for mankind