I’ve updated the Perl code used to archive the IEEE registry files for OUIs (now relabeled by IEEE, but that’s solely for branding purposes, so I’m not going to bother to switch my own terminology). The changes were mostly to deal with the new size offered (OUI 28-bit) and some minor formatting changes. The only other change was to move to a recursive directory layout for storing the files, to keep things neater.
The real work has been on all-new code written in Python to support a new approach for storing DeepMac metadata. The classes I’m working on will eventually allow for adding, deleting and changing data in the repository in a journaling style, where all changes are recorded. So even if something is “deleted” there’s still a record of it having existed. This will be quite handy in the future.
Once the code is actually working with an initial filesystem prototype, there will eventually be a Web-based and database-based connection supported. My plan is to ultimately have an API that makes it programmatically simple to add new data to the repository, either manually or in an automated way.
The final step will be to have the current web-based search system moved to using the new repository on the backend (it’s still using the old MySQL database I originally created in the early alphas). The search engine will let you see the “current” snapshot of all the metadata but also allow a view of historical data.
Yesterday (May 28th, 2014) the truecrypt.org website suddenly started redirecting to the project page on SourceForge. The redirected webpage claims TrueCrypt is insecure and won’t be fixed, and urges people to migrate to Microsoft’s proprietary, Windows-only BitLocker solution (TrueCrypt is multi-platform and supports multiple Linux OSes as well as Windows).
As of right now (5/29/14 at 10:00 EST), there is no further information available. There is however quite a bit of Internet echo-chamber effect and a rising tide of hysteria from many corners (a lot of Fear, Uncertainty and Doubt aka FUD). Even Brian Krebs is reporting the sudden change at face value (http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/).
There are many scenarios that would explain this very sudden switch-over. I’m going to try to avoid those and focus on some facts here:
- TrueCrypt is open source software. The source code is still available, including the code before the most recent changes. If there are security holes in it, they could be fixed (though at what resource cost would be pointless conjecture).
- TrueCrypt is cross-platform. It’s not just Microsoft Windows but also Linux and Mac OS X as well. However, the current SourceForge page for the TrueCrypt project makes only a glancing reference to those and focuses entirely on migrating to BitLocker on Windows. There’s a sub-page that mentions other platforms, but even for Linux it only tells you to use the TrueCrypt 7.2 binaries (there are *nix programs besides TrueCrypt that can at least read TrueCrypt containers).
- While it is true the current binaries on the TrueCrypt webpage are signed with the same keys as earlier binaries, and the truecrypt.org domain registration still continues to use the same nameservers, the original static webpage for TrueCrypt.org has been removed and replaced with a redirect to the SourceForge project page. Sub-pages of any sort use a meta-refresh redirect, however, which is indicative of the entire website directory having been moved aside and a new webserver config put in place.
- Since the TrueCrypt announcement does not give any details on the supposed insecurity of TrueCrypt, it’s unknown whether the problem would be in the code, the container format, the encryption algorithms or some combination thereof. Note that the lack of Windows XP support from Microsoft is not a hard barrier to continued TrueCrypt development, though.
What do these facts mean? There is no reason to do anything immediately. There are alternatives for accessing TrueCrypt containers that do not require decrypting TC containers wholesale. Many trustworthy individuals will probably have untainted, archived binaries. The source code can be forked and new projects spun up around it (FOSS shows its greatest resilience and strength in times like this). And lastly, but most importantly: we do not have any sort of out-of-band verification of this announcement.
At this point I see no reason to abandon use of TrueCrypt. Planning for the possibility is not unreasonable, but rushed implementation without all the questions answered could seriously risk the secrecy of your data. It will not take long for more concrete details to emerge, or a successful fork of the code to be established by trustworthy individuals.
(Meanwhile, 6 years later…)
I’ve been very busy the last four years, mostly with the classic combination of work, school and family. I decided that in 2014 I’d do a major new push on the DeepMac project. This has been inspired in part by recent changes at IEEE in how MAC space is being sold, and just the overwhelming need to get on with it already!
I’ve actually been working in part the past few months on a “reboot” of the DeepMac project. Part of that was updating my archival system for the OUI data from IEEE. Mostly it’s focused on a redesign of how the data will be stored and manipulated, though. I’ve already got some Python code hammered out and will be doing more over the coming months.
So stay tuned for more updates as they happen.
The views expressed in this entry, as in all entries on my website, represent my personal views alone. They do not necessarily represent the views, policies or standards of my current or any previous employers. No content on my website is promoted or endorsed by my employers. I am a free man, and my thoughts are my own.
In a few weeks both Def Con and Blackhat will be going on, and there’s going to be a lot of media scrutiny for them due to the recent NSA leaks, Snowden and the Aaron Swartz incident. All of that along with the usual announcements of new security tools, exploits, and other goodies.
Not to mention the increasing frequency of people at IT conferences sexually harassing and assaulting other people.
So really, that I even have to sit down and write this blog article to explain how to behave as a human being is frankly insane. But well, a lot of hackers may be considered ‘crazy’ by some standards. So be it.
Hi there. Yes, I know, it’s been 2 years since I last posted something on my website. Mea culpa: I installed Joomla, I’m not much for website design, I’ve been busy, that sort of thing.
So how’s the spouse and kids? Really?! Well congrats, I’m glad to hear that. Except for the part about the restraining order, that’s a shame.
But hey the real reason why I’m here is to talk about an idea that popped into my head while I was zoning out along I-85 when heading back from a conference earlier this week. Being a responsible adult and all I tried to keep it down to only the “prayer for judgment” speeds and not “Judge Dredd” speeds. This is easy enough with cruise-control until you suddenly realize there’s a car ahead of you or behind you and you’re not sure if it’s a cop or not. And you don’t have radar detectors because you’re a law abiding citizen, damn it!
It occurred to me that we have all the technology to build an open source surveillance system for tracking and identifying police cars on the road. Now, doing something like this of course requires making sure everything is done legally, and that has to account for differing laws between states and counties. But let’s push that further down in the article and jump into a technical outline of how to do this.
The biggest failure in information security is actually a failure in information technology implementation.
For many, many decades the operating systems and applications that have been made for computers have come with built-in security features. The very idea of a username and password to log into a computer pre-dates home computers by at least a decade, with Multics back in 1964. And it wasn’t the first.
But what has happened over this time is the old “arms race,” where the bad guy finds a way around the restrictions put in place, so newer and more elaborate restrictions are put up. More elaborate and complex security systems require more time to set up, more knowledge to implement and a generally higher degree of intelligence.
WebApp Scanning Throwdown!
I have to apologize for errors in my original article. I missed a few findings in some of the reports, and misread a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.
Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference, though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.
In the science fiction novel “The Puppet Masters” by Robert A. Heinlein, alien creatures with the ability to connect to humans’ nervous systems invade the Earth. This novel was made into a terrible, horrible movie, so if you have seen the movie but not read the book, please go read the book. And burn any copies of the movie you can get to.
But back to the book. It’s a pretty typical “alien possession” novel by current standards, but it was actually a significant publication in 1951. The aliens themselves are relatively small things with limited mobility (they are dubbed slugs), but can attach themselves to a victim’s neck and hang down the back. The “slug” can then control the human and tap into their memories, while remaining hidden under the clothing. As the novel progresses, the protagonists (Sam and Mary, who both work for a secret intelligence agency of the US) withdraw to the mountains. After being attacked by an alien slug, they return to the city to discover a law has been passed requiring full nudity.
The DeepMac database has been updated with the most recent date information as of December 2nd, 2009. I also updated the MySQL dump of the database.
I haven’t had time to add further fingerprints to DeepMac, nor expand on tools for searching and updating. But please do not hesitate to submit ideas, suggestions or comments!
(Also, I like cookies)
(With apologies to Jack Nicholson and whoever originally crafted this gem. –Jedi)
“Son, we live in a world that has networks and those networks need to be guarded by men with balls and smarts. Who’s gonna do it? You? You sniveling admin? I have greater responsibility than you can possibly fathom.
You can weep for your permissions and curse security; you have that luxury. You have the luxury of not knowing what I know: that your inconvenience, while tragic to you, probably saved exploitations and that my existence, while grotesque and incomprehensible to you, saves this network. You don’t want the truth because deep down in places you don’t talk about at staff meetings you want me on that firewall, you need me on that SIM.
We use words like audit, vulnerability and hack. We use them as the backbone of a life trying to defend this network. You use them as a punch line. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very security I provide and then questions the manner in which I provide it. I would rather you just said “Thank You,” and went on your way. Otherwise, I suggest that you pick up a damn security manual and secure your system.
Either way, I don’t give a damn what you think you are entitled to.”