I hate separating hackers based on morality.

I have given a few talks recently to non-hacker audiences. In so doing, I learned that even at its most basic level, the idea of what hacking is, is kind of lost on “normal people.” The “Wanna Cry” malware couldn’t have better illustrated the things I was trying to teach.

It’s not that normies aren’t capable of understanding, it’s that they have been given the wrong information by the government, the media, and popular culture for years. There is this fairly lame idea of hackers following this sort of monochromatic gradient matching that of the old-west: the good guys wear white hats, the bad guys wear black hats, and there is a spectrum of moralities in between. There are legitimate ethics that guide hackers, they just aren’t the kinds that you hear about in movies and on TV:

  1. The Sharing Imperative – Hacking is a gift economy. You get tools, knowledge and code for free, so you have to share what you have learned to keep growing the pool.
  2. The Hands-On Imperative – Just like “real” science, you have to learn by doing. Take things apart, break them even, and learn how they work. Use that knowledge to create interesting things.
  3. The Community Imperative – Communities (geographic, philosophical, etc.) are how it gets done. Crews, clubs, chat rooms, hackerspaces, conferences, email lists, are all places for n00bs to ask questions and get flamed, and for l33ts to hold court.

Monochromatic Morality
The typical whitehat is a security researcher, penetration tester, or security consultant who only hacks the computers and networks that they have permission to hack. This can either be a lab environment built for research, a client who has retained security services, or an employer who has granted express permission. Whitehats then disclose their findings. This disclosure may be for the benefit of a client or an employer, or it may be to benefit the public. The key differentiator is that the whitehat gets permission and then shares their discovery for the benefit of others.

The typical blackhat is generally considered to be a criminal. They hack systems that do not belong to them and then do not disclose their findings. The exploits that they discover are hoarded and stockpiled for their benefit alone. The key differentiator is that blackhats do not seek permission, they do not disclose their findings, and they hack for personal benefit.

The gray areas have to do with the degree to which a hacker has permission, discloses their findings, and how they profit from their activities. Whitehats have “real” jobs and share everything, blackhats don’t have jobs and therefore hack for money. A typical grayhat might hack systems that don’t belong to them but then anonymously share their findings, or they might develop their exploits in a lab, but then sell those exploits rather than disclosing them.

In my professional life, I routinely employ hacking tools for the benefit of my employer, whether it’s scanning networks to troubleshoot problems, or cracking passwords to help users who have lost access to their computers. In previous jobs, I have exfiltrated research data from one network to another at the request of the data’s owner. While I don’t always have my employer’s explicit permission to do what I do, they hired me to fix problems for their users, so I do what it takes. The things that I learn, I then share and teach to others, whether that’s talks at conferences or Cinci2600 meetings, or posts on this blog. I have no idea where that falls in the white/gray spectrum.

Chromatic Pragmatism
Instead of black and white, I prefer to look at hacking from a red vs. blue perspective. Regardless of your moral compass (or that of your employer), you are either on the offensive end, which is the red team, or the defensive end, which is the blue team.

Teams are better terms to think in because hacking is a social activity. You may or may not be physically alone, but you are always learning from others. You read docs and code, you try stuff, you get stuck, you look up answers and ultimately ask someone for help. The idea of hackers as introverted smart kids living in their mom’s basements isn’t nearly as accurate as TV would have you believe.

Regardless of the reason why you are hacking a computer or a network, you are either the attacker or the defender. You are either probing defenses looking for a way in, or you are hardening defenses to keep others out. You can further divide these activities into application vs. network security, but at that point the discussion is more about tools.

Thinking about hacking in terms of offense and defense takes away all the politics, business, and patriotism of your red and blue teams. If you are a red teamer, backed by your country’s military, you might be doing black hat stuff for a “good” cause. You might be a blue teamer working for an organized crime syndicate, doing white hat stuff for “bad” people. You might be a whistleblower or a journalist, exposing bad acts by a government.

Wanna Cry: with the good comes the bad, with the bad comes the good
The Wanna Cry debacle is interesting because of its timing, its origin, its disclosure, and its impact.

Its timing is interesting because nation-state political hacking is like half of all discussions when it comes to the Presidential election. Its origin is interesting because the tools in the leaked sample appear to come from the NSA. The leak comes from a group known as “Shadow Brokers.” They said they would auction the rest for a large sum of money. The disclosure is interesting because the first release is a free sample to prove the quality of the goods they intend to auction.

The zero-day exploit exposed by the leaked tools was then used to implement a large scale ransomware attack that severely affected systems in Europe and the UK. A researcher was able to locate a call in the ransomware to deactivate the malware, which stopped the attack dead in its tracks. There are lots of theories about this strange turn of events, but my personal theory is that the ransomware campaign was a warning shot. Possibly to prove out a concept, possibly to urge everyone to patch against the vulnerability.

The idea that NSA tools were compromised, and disclosed by a criminal organization, turns the whole black hat/white hat thing on its head. The NSA was hoarding exploits and not disclosing them, which is a total black hat move. Shadow Brokers exposed the tools, prompting a widespread campaign to fix a number of vulnerabilities, which is a total white hat move. So you have a government agency, a “good guy”, doing bad things, and a criminal organization, a “bad guy”, doing white hat things.

If you want to talk about the specifics of the hack, the NSA’s blue team didn’t do its job, and the Shadow Brokers’ red team ate their lunch. The blue team’s principle was a server where attacks were either launched or controlled. This server was the red team’s target. It’s a pretty epic win for the red team because the NSA is a very advanced hacking group, possibly the best in the world.

The Nature of Freedom

A few cultural events have caused me to think a lot about freedom lately. Of course our new Presidential administration has had an effect, but also some films, television programs, and documentaries. Also, I have been assisting my local political community and the results are pretty depressing.

One film that I saw was “Arrival”. It is based on a short story called “The Story Of Your Life” which goes into more philosophical detail than the film, and centers on the idea of free will. The aliens in the film can see time in a planar rather than linear fashion. Because of that, they have no concept of free will. Knowing what is coming leaves them with no choice but to play their parts to contribute to the known outcome. Speaking to others isn’t so much an exchange of ideas as it is a declaration or codification of events, like announcing a winner, or pronouncing someone dead. Reading the story left me feeling that I had broken my brain in some fundamental way.

Not long after that, I started watching “Westworld”. The hosts in Westworld are driven by code which is interpreted by their central processing units. Because they store memories digitally, they don’t remember things, and instead reload (relive) them. As a mercy to the hosts, their memories are erased on a regular basis. Something within the code that governs the hosts causes them to start remembering and all hell breaks loose. Again this idea, while fictional, made me think about the nature of freedom.

The idea of reality as a lived experience, the cognitive lens that we see the world through, is based on recollection of previous experiences. Our human memories are not perfect; we cannot retrieve bit-for-bit copies of stored data the way that a computer can. We cannot go back and relive an experience the way that a host from Westworld can. As we experience something, it is colored by a complex mix of emotions and bias. These imperfect and colorized recollections then shape how we experience new things. These new experiences, perceived through our flawed cognition, are then stored using that same flawed mechanism, making it even more flawed. As humans age and grow, their cognition becomes a kind of degenerative corruption of observation. Your lived experience might actually just be shitty encoding.

As I watched these works of fiction, I have also begun to listen to intellectuals dissect the ideas of freedom. I watched a series of documentary films by Adam Curtis. The idea of this series is that efforts have been made to reduce the idea of humanity into self-serving automata. This numeric representation of humans relies on a kind of rational strategy that guides us. The problem with this simplified view of course is that it ignores the shitty encoding that guides human decision making.

The documentary series points out the use of Zero Sum Game Theory in modern political, economic, and even biological research. This cynical approach led to the dissolution of the idea of human individuality and the rise of popular psychology which uses drugs to manage human behavior. Oversimplification of human behavior leads to a kind of segregation based on small sets of variables, rather than meritocracy. The result is the corporate-run caste system that we have today. More importantly there are two varieties of freedom: one of struggle and coercion based on violent radicalism, and one of meaningless consumerism. Meaningless consumerism is how The West operates without violent revolution; people are free to do whatever they want, so long as all they want to do is watch TV and buy things.

This is my issue with the western idea of freedom. It is a comfortable existence; it’s largely devoid of bloodshed, but it is also largely devoid of meaning. Buying new things – says the guy with 4 laptops – isn’t making yourself any happier. Watching TV – says the guy who came to this conclusion by watching movies and TV – doesn’t help you to improve yourself. Being a radical freedom fighter isn’t the alternative, and it’s not like you can bring down corporatism in a bloodless and market-friendly manner. What you can do, however, is diversify. Instead of using violence to coerce others into your idea of freedom, I think that you can build communities around ideas other than meaningless conformity and draconian order. Organizing into communities is the start, but you have to go much further.

Paradoxically (or perhaps ironically), I criticize the tendency for governments and corporations to reduce humanity into numerical figures, yet I cannot help but to see political and economic systems as complex networks. I am an avid proponent of peer-to-peer networking, of decentralization, and the mistrust of authority. In a peer-to-peer network, there are no clients and servers, there are only nodes. The power of the Internet is not that it connects nodes, but that it connects networks of nodes. We, as individuals, have to organize ourselves into networks that pursue and produce meaningful things. Individuality is important, but agency may actually be more important. Having freedoms that you do not make use of is pretty much the same as not having freedoms to begin with. If you are a corporate-run fascist state, it’s probably better for you if your subjects ignore their freedoms. Convincing them to do that might be part of your game plan.

This is the idea that I am moving around in my mind. What is freedom? Do we in The West actually have it? Did we lose it or did we give it away? The thought process is similar to the Orwell vs. Huxley debate, but I think it goes further because it should take into account human tendencies. Huxley kind of does with his societal focus, but Orwell does not because he is more focused on politics. My concern is with more essential things, like the nature of cognition, the nature of free will, and the nature of humanity.

Windows Hyper-V Manager is Stupid

I spend many hours at work in the middle of the night. Sometimes I work on my own things by connecting to my gear at home. I call this telecommuting in reverse. In order to facilitate my reverse telecommute, I use a couple of machines, one Linux box I call Hub, for OpenVPN, SSH, and NeoRouter, and one Windows machine I call Portal, for Teamviewer, Remote Desktop, and to run my DNS host’s Windows-only dynamic DNS client. Hub died, and so I figured I would run the two machines on one box via XenServer or Virtualbox. It turns out that the hardware for Portal doesn’t do Linux very well. So I decided to take a run at virtualization with Hyper-V. Hyper-V Server 2012 R2 lets you evaluate the product indefinitely, so I thought that would be a good place to start.

After downloading the ISO, which is hard to locate on the MS TechNet site, I burned it to disk and wiped Portal and loaded Hyper-V Server and configured a static IP for it. This isn’t a high end box, it’s a dual core AMD with 8GB of RAM. It’s fine for using Windows 7 as a springboard to get into my home network. I just want to spin up a couple of low end Linux boxes and a Windows machine. The sconfig.cmd tool is fine for the basics of setting up the box, but since I am not much of a PowerShell guy, I wanted to use the Hyper-V Manager on another workstation. I was trying to do this without having to pirate anything, and it turned out to be a complete waste of time.

Hyper-V Manager and the Hyper-V Server that it can manage are basically a matched set. You can use the manager on Windows 7 to connect to Hyper-V on Server 2008 and earlier. You can’t really use Win7 or Win10 to manage 2012 R2. So, I basically have to either pirate Server 2008, pirate Win8.1, or pirate Server 2016. Or, I can just use ProHVM, a third party tool from a Swedish company that seems to have been invented specifically because Hyper-V Manager is the worst.

Even with ProHVM, it’s not all champagne and roses. Accessing the console of a VM causes wonky keyboard performance. This is mildly frustrating, so I recommend using a mouse as much as possible for configuration of a VM. The only real showstopper is logging in to a Linux box with no GUI. Having only 50% of your keystrokes register makes logging into the console completely impossible because you don’t see the *** to let you know which character you are on.

My workaround for Debian VMs is to not set a root password, which forces Debian to disable root in favor of sudo, like Ubuntu. Then you set a very short password for your user account (like 12345, same as the combination to my luggage) and make certain that you set up an SSH server during setup. Then you can SSH to the box and use the ‘passwd’ command to reset the password to something more secure. Then you can configure SSH keys for your logins.

So if you find yourself in a situation where you need to do virtualization on Windows, and you are deeply invested in the idea of using 2012 R2, don’t bother with Hyper-V Manager. Instead, download ProHVM, and then use ProHVM as little as possible. It’s free for non-commercial use and you can build new VMs and all that stuff that you *should* be able to use Hyper-V Manager for.

The Nintendo Switch, or how I learned to stop worrying and learned to love buying consoles

The Nintendo Switch is out and I am pretty pumped about it. I haven’t purchased one yet, so my exuberance may wane a bit once I do.

My preference for video gaming systems is much like my political affiliation: I pretty much hate everything.

I love video games, but I am normally not fond of video gamers. As a community, the toxicity is palpable, so the online experience just isn’t a factor for me. I prefer to play video games with people that I know in the real world, so for me the Playstation and the XBox are roughly equal, and the Nintendo has a real advantage over the others.

In my mind, Nintendo is a completely different category of gaming from the PC, XBox, or Playstation. In time, I usually end up with all 4 systems. I just usually wait for a few years to pick up the current PS or XBox. As of this writing, I still don’t have an XBone or PS4 and I am thinking about skipping them. Sure there are exclusives that I could be missing, but honestly, I don’t really care. I still play tons of Skyrim, so I am not really missing much.

The reason that I think of Nintendo as a wholly different platform than all others is that the Nintendo pushes the envelope for hardware, not necessarily for video games. Sure, they have a roster of characters, and a few franchises that you can bank on for release on new platforms. The craziest example has to be controlling a game with bongos.

While bongos were probably the riskiest idea, the Wii had to be the most successful. The idea of using movement to interact with a game was duplicated by every other console. The Wii U added the ability to use the tablet to play “real” console games that ran on another machine, essentially ushering in the idea of streaming games. The nVidia shield and its various competitors owe Nintendo for introducing the concept to the living room. Now Nintendo is taking its act on the freeway?

I know it’s easy to dismiss the Nintendo as gimmicky, and targeted at kids. I play a fair amount of Nintendo games with my kids. A common Friday night activity at our house for the two older kids was popping a bunch of popcorn and the whole family playing Mario Party or Mario Kart. Now I am looking forward to the day when we can do the same with the two little ones. Just because the stable of characters is popular with kids doesn’t mean that it’s not a serious platform. Nintendo’s decision to make the tablet the center of the gaming experience is an interesting one. I am eager to see the long term effects it has on gaming and computing.

I can’t praise Nintendo’s bold visions without also talking about Microsoft’s lack thereof. Don’t get me wrong, I like the XBox, it’s well executed and represents the height of console gaming design. The MS vision is many things, but it is not bold. MS seems to prefer taking known entities and perfecting them, much like Apple does with mobile phones. Playing shooters or fighting games on the XBox is great, but the price point for that experience is extreme. The XBone is still around $250 even though it’s pushing 4 years in age and an upgrade is on the horizon.

Cub Linux as a kid’s computer

One of the things that my daughter wanted for Christmas was to be able to play some of the web games she’s seen on TV. I have a strict policy about not letting anyone touch any of my computers, so I rehabilitated an old HTPC for her to use.

The PC portion was mostly incidental; her main gift was her cool keyboard, cool mouse, awesome Peppa Pig headphones, and of course, her game subscription.

The donor PC was an old Intel Atom box with 2GB of RAM. This basically made Windows impossible. I toyed with the idea of using Lubuntu, but then I came across Cub Linux. It’s basically a lightweight version of Linux that boots to the Chromium browser. It’s like a [more] open source version of Chrome OS.

Getting the machine set up was fairly straightforward. I set it to auto-login and to go to sleep after a half hour. She knows how to turn the monitor off, that’s good enough for a 4 year old. I also installed VNC media player so she can watch cartoons that I have downloaded for her.

I almost always install Samba on Linux machines because it makes it easy to move files from Windows. The process is documented fairly well here. I just shared out the home directory like before so I could put videos in the Videos folder.

One problem with kids’ computers, especially for kids that are learning to use a computer while also learning to read, is that they need constant assistance. I use SSH for the low level operating system stuff, but a lot of it is just her not yet knowing what to do when something pops up on the screen. So I decided to share the desktop so I didn’t have to get up and walk over to the PC just to click OK or type in a password. One of the best tools for remote access to a Linux desktop is VNC.

VNC is a technology that I have been using off and on for years. I even used it on Windows in the NT and Win2K days before RDP basically obsoleted it. Every now and then VNC comes in super handy.

There are a number of ways to set up VNC, and a number of packages that deliver its functionality. Basically, you can run multiple X Window servers that let multiple users have graphical desktops at the same time. It can be super confusing for Windows users, so bear with me. Unix is multi-user. It’s meant to be used by multiple people at the same time. These users may be sitting at one or more physical consoles, virtual consoles, or remote shells. VNC is one way to get a graphical (window that you click with a mouse) console remotely on a system. You start a VNC server on a given display x (:1, :2, :3, etc.) and then connect a VNC client to it on TCP port 509x (5091 for :1, 5092 for :2). Multiple users can run multiple servers and launch pretty much any number of graphical shells.

VNC is awesome, but a kid computer is seriously single user. What I need is to be able to pull up her Linux desktop on my [often] Windows desktop, without any intervention from her, and without getting up from my desk. She is still learning to use a computer, so I want to demonstrate things on her screen. Not getting up from my desk is important because she needs assistance fairly often. Also, I happen to be a lazy slug.

Fortunately, there is a tool for doing this known as X11VNC. The key difference for X11VNC is that it shares the physical console display, :0, which is the display of the user sitting at the keyboard. This is ideal because when I connect to her computer, I see what she’s seeing, and either of us can type or move the mouse.

To set up X11VNC, I first had to get the software installed from repos:
sudo apt-get install x11vnc

After you’ve installed it, you want to create a remote access password and then edit the config to start at boot. I use the same password for the remote session that I use to log into the user account. Thanks to the auto login, no one but me should ever have to type it in.
sudo x11vnc -storepasswd /root/.vnc/passwd
sudo nano /etc/init/x11vnc.conf

Then paste this into the editor:

# description "Start x11vnc on system boot"

description "x11vnc"

start on runlevel [2345]
stop on runlevel [^2345]

console log

respawn
respawn limit 20 5

exec /usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /root/.vnc/passwd -rfbport 5900 -shared


Then you can use any VNC Viewer to access the desktop remotely by entering the IP for the computer. My personal favorite viewer is tight-vnc.
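
The exec line above leaves x11vnc listening on every interface with the desktop session travelling unencrypted, so here is an added example (not part of the original post) that audits an x11vnc command line for that kind of exposure and compares the post's line with the same line plus `-localhost`. The finding codes, function names, and the `user@kid-pc` placeholder are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original post: flag x11vnc options that expose
# the shared :0 desktop. Finding codes and function names are made up here.

# The exec line from the Upstart job above.
PAGE_CMD='/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /root/.vnc/passwd -rfbport 5900 -shared'
# Same line bound to loopback; the viewer then goes through an SSH tunnel:
#   ssh -L 5900:localhost:5900 user@kid-pc     (user and host are placeholders)
#   then point the VNC viewer at localhost:5900
HARDENED_CMD="$PAGE_CMD -localhost"

# has_opt "<command line>" "<option>": true if the option is present as a whole word.
has_opt() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# audit_x11vnc "<command line>": prints finding codes separated by spaces
# (empty output means nothing was flagged).
audit_x11vnc() {
    cmd=$1
    out=""

    # Loopback only? x11vnc listens on every interface unless told otherwise.
    local_only=no
    if has_opt "$cmd" "-localhost"; then local_only=yes; fi
    case " $cmd " in
        *" -listen localhost "*|*" -listen 127.0.0.1 "*) local_only=yes ;;
    esac

    # Is any password mechanism configured?
    auth=no
    for opt in -rfbauth -passwdfile -passwd -unixpw; do
        if has_opt "$cmd" "$opt"; then auth=yes; fi
    done

    # Built-in encryption (-ssl or -stunnel)?
    tls=no
    if has_opt "$cmd" "-ssl" || has_opt "$cmd" "-stunnel"; then tls=yes; fi

    if [ "$auth" = no ]; then out="$out NO_AUTH"; fi
    if [ "$local_only" = no ]; then
        out="$out ALL_INTERFACES"
        # Plain RFB carries keystrokes and screen contents unencrypted.
        if [ "$tls" = no ]; then out="$out CLEARTEXT_RFB"; fi
    fi
    # -passwd puts the plaintext password on the command line (and in the job file).
    if has_opt "$cmd" "-passwd"; then out="$out PASSWD_IN_ARGV"; fi
    # Classic VNC authentication only uses the first 8 characters of the
    # password, so a reused login password is not protected by its full length.
    if has_opt "$cmd" "-rfbauth"; then out="$out RFBAUTH_8CHAR"; fi

    printf '%s\n' "${out# }"
    return 0
}

echo "page line:       $(audit_x11vnc "$PAGE_CMD")"
echo "with -localhost: $(audit_x11vnc "$HARDENED_CMD")"
```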

With the remote access portion set up, I am now able to help her with her computer without getting up from mine. She has discovered that we can both type on the same computer at the same time, so a game has emerged. One of us types in a text editor and the other tries to delete what the other has written. It’s a race to either type or delete gibberish and she laughs like a maniac when we play it.

The problem with everything is central control

I have been reading postmortems on the election, and it basically came down to a failure of media and political elites to get a read on the voting public. Basically, a small number of very powerful intellectuals operated in a kind of silo of information.

All the stuff I have read and watched about the 2008 financial meltdown comes down to a failure of large banks. A small number of very powerful banks operated in a kind of silo of finance.

This country is a mess because of centralized control and centralized culture. It’s a mess because of intellectual laziness and emotional cowardice. It’s a mess because we rely on crumbling institutions to help us.

Centralizing seems natural and logical. There is an idea in economics called the economy of scale. Basically, a big operation (a firm, a factory, a project) has better purchasing power and is able to spread fixed costs over large numbers of units. In network topology, the Star Model is the simplest to manage, putting all the resources at the center. I tend to think about economics and computer networks as kind of similar.

One of the primary criticisms of the Star Network is the single point of failure. If the center of the network has any sort of problem, the whole network suffers. This is also a problem with economies of scale. A lot of electronic component manufacturing is centralized in Taiwan; in 1999 an earthquake caused a worldwide shortage of computer memory. It seems that any time there is bad weather in New York City, flights are delayed across all of North America. In 2008, trouble with undersea fiber cables caused widespread Internet connectivity problems throughout Asia. A lack of biodiversity in potato crops contributed to the Irish Potato Famine. Centralized control is prone to failure.

This isn’t just a business or a technology problem. It can also be a cultural problem. Centralizing stores of information leads to gatekeeping, where a point of distribution controls the access and dissemination of information. This may be for financial gain, in the case of television and cinema, or it may be for political gain, in the case of the White House press corps. Media outlets repeating what the White House said, and the White House using media reports to support its assertions is how the US ended up invading Iraq under false pretenses.

The diametric opposite of the Star Network is the Mesh network, specifically the Peer-To-Peer network. These models eschew ideas of economy and control in favor of resilience and scalability. Economy of scale eliminates redundancies because they are expensive. Peer-to-peer embraces redundancies because they are resilient.

Embracing peer-to-peer from a cultural standpoint means embracing individuality and diversity. Not just in a left-wing identity politics sort of way, but in a Victorian class struggle kind of way. It means eschewing the gatekeeper-esque ideas of mono-culture in favor of cultural and social diversity. Peer-to-peer culture is messy. It’s full of conflicts and rehashed arguments. It’s not a “safe space” where people of similar mindsets never encounter dissent. It’s a constant barrage of respectful and learning argument.

The cultural division in this country is a failure of our core values. It’s a failure of the right’s anti-intellectualism, and it’s a failure of the left’s elitism. It’s faith by many in crumbling institutions that are out of touch. It’s a failure of corporate media that forces us to turn to our social networks for news that discourages discussion and only seeks to confirm our individual biases.

I’ll be writing more about this opinion (and make no mistake, it’s just an opinion) in future posts. Hopefully it will foster some of the discussion that I am seeking.

Election Got You Down? GOOD.

My social media feeds are physically dripping with existential angst about the Presidential election. My conservative friends were losing their shit over either Hillary and her lies, or the fact that Trump is leading their party off a cliff. My liberal friends were salty about Bernie getting the shaft from the DNC. There was a lot of talk about the lesser of two evils.

I have been making my saving throw against angst-filled rants, until now. Everyone I know is in some sort of funk over the election, and I’m just sitting here like “Welcome to my world. You’re stuck here until January, but look on the bright side: AT LEAST YOU DON’T LIVE HERE.”

For me, there was never a good choice. The whole election was like a shit sandwich and the whole country spent like two years arguing over which end to bite into. This “None Of The Above” view of American politics is pretty much where I live my life. I hate at least half of the liberal platform, and at least half of the conservative platform. This doesn’t make me a moderate, it makes me a political misfit.

I was pretty well braced for disillusion. I voted for Obama, and watched him pivot from promises of government transparency and closing Gitmo, to a growth of the surveillance state. I like gay marriage and healthcare, don’t get me wrong. Those were good things that I could get behind. I just *really* hated Bush’s illegal spying; Obama campaigned against it but then turned around and made it bigger. *Then* he equipped it with assassination drones.

I was *this* close to making a protest vote for either Stein or Johnson, but my principles gave way to my self-preservation instinct and I grudgingly voted for Clinton. I am mad that Trump won because I feel like I got robbed of my statement. I felt pretty dirty voting for her, and then she had the audacity to lose. The world-as-we-knew-it was wrong about her being the presumptive nominee and now I can’t smugly say “Don’t blame me, I voted for… Stein? I guess?”

My politics can be summed up in two basic talking points: I hate cops and I hate corporations. I am a firm believer in both social progress and limited federal government. There are too many laws, too many jails, and there’s not enough independent media companies, banks, and telecoms. I don’t know if I dislike capitalism, or just the corporatism that we practice all over the world. Maybe well-executed capitalism is like well-executed socialism and only exists in the fantasies of economists. I don’t really care, I’d rather focus on the sharing economy.

A sick part of me wanted Trump to win. Not the actual me, just that little crazy part that envisions the car crashing when you have to slam on your brakes suddenly. You know, that crazy death-wish part, that kind of fantasizes about the zombie apocalypse.

Anyway, I wanted very badly to say “Look, if I vote for her, can you all just promise to work to make things better?”

Well, now it’s time to work on making it better. The thing that I want to work on is not political parties and why they all suck. I am done with believing in elections for Democrats and Republicans. I’m still gonna vote, I just won’t invest in the idea of elections producing results that I want. I’d rather invest that energy into writing about something else.

That something else is basically doing away with our country’s reliance on central authority. I think we should have a government, I just think it shouldn’t be such a big factor in our lives and our culture. I think we should have a mass media, but it should be free from corporate influence and cartel ownership. I think we should see America for what it is: a great nation that was exceptional, but is capable of decadence and corruption, just like any other country.